Ok, I've developed an app and sent it to you to check out, but unfortunately it crashes on your system while on mine it works great... familiar situation?
Well, pretty familiar to me. I want the program to report where exactly it crashed and to log all valuable information for me so I can track down the bug and fix it. I know this has to be done via SEH-ing, and donkey has some example but I didn't have time to check it out thoroughly, which I will do as soon as I find some time.

I have one question though: not rarely, an error occurs when you pass a bad parameter to some API (e.g., passing NULL to lstrcpy); this will produce a crash within Windows system code instead of my program code. So how can I track this bug down? Can I somehow log values on the stack that represent return addresses of the code which executed the API?

Btw, can someone make a list of all the information that needs to be gathered when a crash occurs, like:
1. Operating system
2. Address of instruction that caused crash
Posted on 2004-03-10 19:51:46 by Mikky

You can look at my graceful exit example on my web site, it gives critical information about the exception and the system state at the time of the exception. You will find it in the GoAsm projects at the bottom of the page. Also though it does not specify the OS version in the output it does check it to verify whether PSAPI or ToolHelp should be used so the info is already available.

Also you can check out Jeremy's SEH tutorial on his website...

Posted on 2004-03-10 20:14:42 by donkey
Hi Mikky,

You never said whether the code sample on my site solved your problem but I have expanded it a bit to include the Windows OS version and some other information in case of an exception:

This is a sample output:

Module name: Except.exe

Windows 2000 Service Pack 4
Exception code: C0000094h
Instruction pointer: 00401016h

eax=0000000Ah ebx=7FFDF000h ecx=00000000h
edx=000A0000h esi=00000005h edi=C0000000h
ebp=0012FFF0h esp=0012FFC4h eip=00401016h

Segment registers:
CS=001Bh DS=0023h SS=0023h
ES=0023h FS=0038h GS=0000h

Flags: PF ZF IF

7C5987E7 C0000000 00000005 7FFDF000
C0000094 0012FFC8 0012FC18 FFFFFFFF
7C5C1BB4 7C572B00 00000000 00000000
00000000 00401000 00000000 000000C8

As before it has a hyperlink to allow the user to email the exception information directly to you and it copies it to the clipboard on exit.
Posted on 2004-03-12 04:35:19 by donkey
i dunno if this could be useful for you or not
but windows default debugger creates a dump file of every crash that happens
with the help of drwatson.exe

you can locate this file most probably in allusers/applicationdata/drwatson

its named drwatson.log and drwatson.dmp

it has the info in this format

it is also used by microsoft report tool i think in some administrative options

may be find some way to harvest this info once it crashed in some remote computer or asking him to send this info explicitly may help to search for faulting location

and some links on where and what about these files on OSes


Application exception occurred:
App: D:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe (pid=1952)
When: 2/19/2004 @ 18:06:54.503
Exception number: c00000fd (stack overflow)

*----> System Information <----*
Computer Name: USER5-XP
User Name: Admin
Terminal Session Id: 0
Number of Processors: 1
Processor Type: x86 Family 6 Model 8 Stepping 10
Windows Version: 5.1
Current Build: 2600
Service Pack: 1
Current Type: Uniprocessor Free
Registered Organization: really do you want to know this ??
Registered Owner: demon of death

*----> Task List <----*
0 System Process
4 Error 0xD0000022
476 Error 0xD0000022
532 Error 0xD0000022
556 Error 0xD0000022
600 Error 0xD0000022
612 Error 0xD0000022
784 Error 0xD0000022
848 Error 0xD0000022
972 Error 0xD0000022
1032 Error 0xD0000022
1140 Error 0xD0000022
1336 Error 0xD0000022
1504 Error 0xD0000022
1588 Explorer.EXE
684 Ad-watch.exe
1952 Ad-aware.exe
1272 drwtsn32.exe

*----> Module List <----*
(0000000000350000 - 0000000000368000: D:\Program Files\Lavasoft\Ad-aware 6\AAWHELPER.DLL
(0000000000400000 - 0000000000616000: D:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe
(0000000077e60000 - 0000000077f46000: D:\WINDOWS\system32\kernel32.dll
(0000000077f50000 - 0000000077ff7000: D:\WINDOWS\System32\ntdll.dll
(0000000078000000 - 0000000078086000: D:\WINDOWS\system32\RPCRT4.dll

*----> State Dump for Thread Id 0x4f4 <----*

eax=00000500 ebx=00000000 ecx=00403960 edx=77f79bb8 esi=00000000 edi=00000000
eip=77e7a2f9 esp=00032d8c ebp=0003329c iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202

*** ERROR: Symbol file could not be found. Defaulted to export symbols for D:\WINDOWS\system32\kernel32.dll -
function: kernel32!GetTickCount
77e7a2d3 8bc1 mov eax,ecx
77e7a2d5 c20800 ret 0x8
77e7a2d8 680948e977 push 0x77e94809
77e7a2dd 64a100000000 mov eax,fs:[00000000]
77e7a2e3 50 push eax
77e7a2e4 64892500000000 mov fs:[00000000],esp
77e7a2eb 8b442410 mov eax,
77e7a2ef 896c2410 mov ,ebp
77e7a2f3 8d6c2410 lea ebp,
77e7a2f7 2be0 sub esp,eax
FAULT ->77e7a2f9 53 push ebx <---- it faulted here and so stack over flowed i dunno this is an example paste
77e7a2fa 56 push esi
77e7a2fb 57 push edi
77e7a2fc 8b45f8 mov eax,
77e7a2ff 8965e8 mov ,esp
77e7a302 50 push eax
77e7a303 8b45fc mov eax,
77e7a306 c745fcffffffff mov dword ptr ,0xffffffff
77e7a30d 8945f8 mov ,eax
77e7a310 c3 ret
77e7a311 8d45d4 lea eax,

*----> Stack Back Trace <----*
*** ERROR: Module load completed but symbols could not be loaded for D:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe
WARNING: Stack unwind information not available. Following frames may be wrong.
*** ERROR: Symbol file could not be found. Defaulted to export symbols for D:\WINDOWS\System32\ntdll.dll -
ChildEBP RetAddr Args to Child
Posted on 2004-03-12 06:12:54 by bluffer
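
An added example, not part of the original posts and not any poster's code: a Python parser for the Dr Watson log format quoted above that pulls out the exception number, the faulting address and the module list, then maps the fault address and raw stack dwords onto the module ranges. The log excerpt is trimmed from the quote above; the `STACK` values and all function names are constructed for illustration.

```python
import re

# Excerpt trimmed from the Dr Watson log quoted in the post above.
SAMPLE_LOG = r"""
Application exception occurred:
App: D:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe (pid=1952)
Exception number: c00000fd (stack overflow)

*----> Module List <----*
(0000000000350000 - 0000000000368000: D:\Program Files\Lavasoft\Ad-aware 6\AAWHELPER.DLL
(0000000000400000 - 0000000000616000: D:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe
(0000000077e60000 - 0000000077f46000: D:\WINDOWS\system32\kernel32.dll
(0000000077f50000 - 0000000077ff7000: D:\WINDOWS\System32\ntdll.dll

FAULT ->77e7a2f9 53 push ebx
"""
# Constructed stack dwords (not from the page), as a handler might dump from ESP.
STACK = [0x00032D9C, 0x00401234, 0x00000000, 0x77F51A2B, 0x0040ABCD]

MODULE_RE = re.compile(r"^\(([0-9a-fA-F]+) - ([0-9a-fA-F]+): (.+)$", re.M)
FAULT_RE = re.compile(r"^FAULT ->([0-9a-fA-F]+)", re.M)
CODE_RE = re.compile(r"^Exception number: ([0-9a-fA-F]+)", re.M)

def parse_log(text):
    """Return (exception_code, fault_address, [(start, end, path), ...])."""
    code = CODE_RE.search(text)
    fault = FAULT_RE.search(text)
    modules = [(int(s, 16), int(e, 16), p.strip())
               for s, e, p in MODULE_RE.findall(text)]
    return (int(code.group(1), 16) if code else None,
            int(fault.group(1), 16) if fault else None,
            modules)

def module_for(addr, modules):
    """Map an address to the module whose [start, end) range contains it."""
    for start, end, path in modules:
        if start <= addr < end:
            return path.rsplit("\\", 1)[-1]
    return None

def candidate_callers(stack, modules, app_name):
    """Stack dwords that point into app_name: possible return addresses.
    A raw scan cannot tell a return address from stale data, so treat
    the hits as leads to check in a disassembler, not as a call chain."""
    return [v for v in stack
            if (module_for(v, modules) or "").lower() == app_name.lower()]

if __name__ == "__main__":
    code, fault, mods = parse_log(SAMPLE_LOG)
    print(f"exception {code:08x} at {fault:08x} in {module_for(fault, mods)}")
    for addr in candidate_callers(STACK, mods, "Ad-aware.exe"):
        print(f"  possible caller in Ad-aware.exe: {addr:08x}")
```

When the fault lands in a system DLL, as it does in this log, the stack values that fall inside the application's own range are the places to start looking for the call that passed the bad argument.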
If you just want DrWatson, which may or may not be enabled on the system depending on what the JIT debugger settings are. Also you have to have the user configure it properly and get the error at the right time because they are overwritten depending on the setup. Anyway I started to write a DrWatson log viewer but gave up and decided to do my own exception handling :
Posted on 2004-03-12 10:18:35 by donkey
when is drwatson activated after the app raises UnhandledExceptionFilter api
or before it

coz if it is activated after unhandled then that means the seh handler cannot harvest the info coz it need to return it as handled ??? i cant phrase my question

assume i use
xor eax,eax
mov eax,

its sure to create c000005 (access violation)
now my handler will get a chance to deal with

i can modify all the context even change eip etc etc

but i thought ill use CreateFile(drwatson.log,**,**,**)
search for recent log
read file
copy content to some where
close handle
ask user if he wants to send this info to the author and send it
or write file (dump of recent crash.txt ,**,**,) so that he can send it after editing if he likes
return back to zwContinue after changing eip or exit without crashing

but i dont think dr watson would have the info when my handler is handling the exception

any ideas or comments please
Posted on 2004-03-13 04:26:49 by bluffer
DrWatson is set up in the AeDebug registry entry as the JIT debugger, you will find it in the JIT debug key, so it is passed the exception after the standard exception handlers and the final handler. If you use SetUnhandledExceptionFilter and return EXCEPTION_EXECUTE_HANDLER you will effectively disable it. If you wish to have the exception passed to DrWatson anyway you can return EXCEPTION_CONTINUE_SEARCH from your final handler.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug\Debugger
Posted on 2004-03-13 10:43:36 by donkey