Welcome to the Corner of Excellence<br />Blog of system information problems and their solutions, and of other stuff of interest, by exist.<br /><br />Utilizing Log File for MS SQL Server Data Recovery (Part 1) (2008-07-03)<br /><br />In my previous posts I explained how to make a crashed database attachable again, in particular a database that fails to attach because of a torn page error.<br /><br />The second phase after that is to examine the crashed data page by page, looking at the pages that are damaged or broken, for example the pages with torn page errors that we already 'fixed' so that the database could be attached.<br /><br />Remember that what we did in that phase was only to patch the torn bits so that SQL Server does not trip over the error; the integrity of the data on those pages is still questionable. The question now is whether it is possible to correct the damage, or at least to determine what was damaged on the page. In this post I describe how this can be done and what the restrictions are.<br /><br />The data recovery phase described here applies to MS SQL Server 2000 only, but the same knowledge can serve as a starting point for MS SQL Server 2005.<br /><br />First, the restrictions. Everything below assumes that the integrity of the transaction log (LDF) is intact. MS SQL Server uses write-ahead logging: a change is first written to the log file, and the log record must be safely on disk before the modified data page is written to the actual database file (MDF).<br /><br />Under this assumption it is, in theory, possible to use the log file to see the modifications that were about to be applied, or had just been applied, to the database in the seconds before the crash.<br /><br />So, to decide which data is valid after a database crash, or more specifically after page damage, I rely on the log file as the reference for the operations that were about to be, or had already been, applied to the MDF file seconds before the disaster. In short, I treat the log as the only trustworthy data and check the contents of the MDF against it.<br /><br />To present the sample case, I first give a quick review of the steps elaborated in the previous post, and then move on to the second phase, the data integrity check. During the walkthrough I also point out each caveat or issue that surfaced, because unless such an issue is resolved I cannot proceed to the next step.<br /><br />Usually the issue is a design limitation of MS SQL Server 2000, for example the inability to view the log file while the database is in emergency (bypass) mode. I hope these are resolved in the next version of MS SQL Server.<br /><br />First, I try to attach the damaged database file (MDF) and am greeted with a torn page error:<br /><br /><span style="font-family:courier new;font-size:85%;">Server: Msg 823, Level 24, State 2, Line 1<br />I/O error (torn page) detected during read at offset 0x00000000012000 in file 'c:\Program Files\Microsoft SQL Server\MSSQL\Data\edoc_data.mdf'.</span><br /><br />I record this offset so that I can examine it later against the database log file. Offset 0x12000 divided by the page size 0x2000 (8192) is page 9, which is the database boot page. 
After fixing the torn bits (m_tornbits) and re-attaching it:<br /><br /><span style="font-family:courier new;font-size:85%;">Server: Msg 1813, Level 16, State 2, Line 1<br />Could not open new database 'edoc'. CREATE DATABASE is aborted.<br />Device activation error. The physical file name 'D:\Program Files\Microsoft SQL Server\MSSQL\data\eDoc_Log.LDF' may be incorrect.</span><br /><br />This is the first issue I mentioned with MS SQL Server 2000. I tripped this error because the damaged database originally lived on the D: drive, whereas the server on which I am examining it keeps its databases on the C: drive, and the MDF still carries the old path of its log file. There are two ways to resolve this: either recreate the exact D: path on the destination server, or, when there is no D: drive, use a hex editor to change the drive letter stored in the MDF file.<br /><br />After resolving the above error and re-attaching again:<br /><br /><span style="font-family:courier new;font-size:85%;">Server: Msg 823, Level 24, State 2, Line 1<br />I/O error (torn page) detected during read at offset 0x00000004142000 in file 'c:\Program Files\Microsoft SQL Server\MSSQL\Data\edoc_data.mdf'.</span><br /><br />This is the second issue with MS SQL Server 2000. At attach time the server runs recovery and tries to redo or roll back the logged operations on this page, depending on the state of the transactions at the time of the crash. But the page is already damaged and torn page detection is enabled, so the read trips the torn page error again, and nothing proceeds until the m_tornbits value of this page is fixed as well.<br /><br />Again I fix the m_tornbits value, record the damaged offset (0x4142000) for later examination, and re-attach the database. 
This time the database attaches successfully, with the messages below:<br /><br /><span style="font-family:courier new;font-size:85%;">604 transactions rolled forward in database 'edoc' (26).<br />0 transactions rolled back in database 'edoc' (26).</span><br /><br />Now it is time to examine the damaged page(s) using the log file:<br /><br /><span style="font-family:courier new;font-size:85%;">DBCC TRACEON(3604)<br />dbcc log(edoc, 1)</span><br /><br />Instead of the log records from before the crash, I get a practically empty log to work with:<br /><br /><span style="font-family:courier new;font-size:85%;">00000ec1:0000011a:0001 LOP_BEGIN_CKPT<br />00000ec1:0000011a:0002 LOP_MODIFY_ROW<br />00000ec1:0000011b:0001 LOP_END_CKPT </span><br /><br />It seems that every time the database is detached and re-attached, the server writes a new checkpoint and the active log starts there, so DBCC LOG shows only the records from that checkpoint onward.<br /><br />With option 2 of the DBCC LOG command it is possible to see each record's previous LSN:<br /><br /><span style="font-family:courier new;font-size:85%;">DBCC TRACEON(3604)<br />dbcc log(edoc, 2)</span><br /><br />For example, the previous LSN of 00000ec1:0000011a:0001 is 00000ec1:00000117:0003. So, can DBCC LOG be told to display that previous LSN?<br /><br /><span style="font-family:courier new;font-size:85%;">DBCC TRACEON(3604)<br />dbcc log(edoc, 2, 'lsn', '0xec1:117:3')</span><br /><br />No, it cannot. This is the third issue with MS SQL Server 2000. 
It can only filter LSNs from the last checkpoint onward, as this statement proves:<br /><br /><span style="font-family:courier new;font-size:85%;">DBCC TRACEON(3604)<br />dbcc log(edoc, 2, 'lsn', '0xec1:11a:2')</span><br /><br />It gives:<br /><br /><span style="font-family:courier new;font-size:85%;">00000ec1:0000011a:0002<br />00000ec1:0000011b:0001</span><br /><br />This also proves that the syntax I used above to request the previous LSN is valid, not garbage. The lsn option of DBCC LOG is clearly not intended to reach an arbitrary LSN; it only narrows the active portion of the log, so there is no real starting-LSN option in DBCC LOG.<br /><br />Also, because of this checkpointing on attach, the information about the last checkpoint before the crash is lost too. The boot page (page 9) records the checkpoint LSN in dbi_checkptLSN:<br /><br /><span style="font-family:courier new;font-size:85%;">DBCC TRACEON(3604)<br />DBCC PAGE ('edoc', 1, 9, 3)</span><br /><br /><span style="font-family:courier new;font-size:85%;">dbi_checkptLSN<br />--------------<br />m_fSeqNo = 3777 m_blockOffset = 282 m_slotId = 1</span><br /><br />Converting the three decimal fields to hex yields 0xEC1:11A:1, which is equal to the first record of the log shown above. So what was the checkpoint value at the time of the crash? Is it the same as the previous LSN recorded in the active portion of the log shown above (i.e. 00000ec1:00000117:0003)?<br /><br />To obtain that value and prove it, I first allow direct updates to the system tables:<br /><br /><span style="font-family:courier new;font-size:85%;">Sp_configure 'allow updates', 1<br />Reconfigure with override</span><br /><br />Then I mark the database as emergency mode (bypass mode):<br /><br /><span style="font-family:courier new;font-size:85%;">update master..sysdatabases set status = 32768 where name = 'edoc'</span><br /><br />After this I shut down MS SQL Server, copy the damaged database files back over the current ones, and restart the server. 
This bypasses recovery and lets me view the data as it is:<br /><br /><span style="font-family:courier new;font-size:85%;">2008-07-03 17:01:50.80 spid8 Bypassing recovery for database 'edoc' because it is marked BYPASS.</span><br /><br /><span style="font-family:courier new;font-size:85%;">DBCC TRACEON(3604)<br />DBCC PAGE ('edoc', 1, 9, 3)</span><br /><br /><span style="font-family:courier new;font-size:85%;">dbi_checkptLSN<br />--------------<br />m_fSeqNo = 3776 m_blockOffset = 108 m_slotId = 6</span><br /><br />Converting this to hex gives 00000ec0:0000006c:0006, which is NOT equal to 00000ec1:00000117:0003. The checkpoint taken before the crash lies further back than the 'previous LSN' offered by the active log.<br /><br />Now, is it possible, in emergency mode, to view the log from this checkpoint onward?<br /><br /><span style="font-family:courier new;font-size:85%;">DBCC TRACEON(3604)<br />dbcc log(edoc, 2)</span><br /><br />Again, no, it is impossible:<br /><br /><span style="font-family:courier new;font-size:85%;">2008-07-03 16:31:01.98 spid52 Cannot do a dbcc log() on a database in emergency mode</span><br /><br />This, if I am not mistaken, is the fourth issue in MS SQL Server 2000. In my opinion the reason behind this error is that in emergency (bypass) mode the log manager is never initialized, so there is nothing for DBCC LOG to read. DBCC DBTABLE confirms that the log truncation manager carries all-zero LSNs:<br /><br /><span style="font-family:courier new;font-size:85%;">DBCC TRACEON(3604)<br />DBCC DBTABLE(edoc)</span><br /><br /><span style="font-family:courier new;font-size:85%;">LogTruncMgr @0x19FF10E8<br />-----------------------<br />m_replLSN = (0:0:0) <span style="color:#ff0000;">m_ckptLSN = (0:0:0)</span> m_oldActXact = (0:0:0)<br />m_backupLSN = (0:0:0) m_oldestBackupXactLSN = (0:0:0)</span><br /><br />So I am at a dead end. 
To break through this barrier I have to go back to the previously fixed (recovered) copy of the database, where the log is initialized, and make the DBCC LOG routine read from the intended LSN (i.e. 00000ec0:0000006c:0006).<br /><br />To keep this post short: this is done by breaking into the DBCC LOG routine with WinDBG and changing the in-memory value of the current LSN to the LSN that should be read. The details of how this is done will be the subject of my next post.<br /><br />Before copying the damaged files back to set the database into emergency mode, I made a backup copy so that I could step back. To step back, I reset the database status to online, shut down the server, copy the files of the previous step back, and restart the server.<br /><br />After that, I fire up WinDBG, attach to the sqlservr.exe process, break into DBCC LOG, set the in-memory LSN to be read to 00000ec0:0000006c:0006, and voila! I have the log records to cross-check against the damaged MDF file.<br /><br />For example, the error offset 0x4142000 divided by the page size 8192 (0x2000) gives page 8353, i.e. m_pageId = 1:8353, or 1:20A1 in hex, and I can now search the log for any operation on that page. That is the subject of my next posting.<br /><br />So, keep in touch for my next two postings :)<br /><br />How to Suppress Transaction Log Checking (2008-06-21)<br /><br />In MS SQL Server, the transaction log is the mechanism for undoing and redoing changes to the data in the database. Sometimes, after a database crash, we just want to be able to view the data as it is, so that the recovery steps can be carefully orchestrated. In that case we have to find a way to suppress the undo/redo mechanism when it gets in the way of a data recovery session.<br /><br />In the event of a database crash, MS SQL Server first marks the database as suspect. 
If we then detach the suspect database, and the crash has affected important pages such as a PFS page, it becomes impossible to re-attach the database unless the checking mechanism is suppressed for that database.<br /><br />Recall from my previous post that the checks can be bypassed by a 'page transplant' from a backup of the database. But we are in big trouble if no backup is available: we only have the crashed database and cannot do anything with it, because it cannot be attached to be examined carefully (i.e. with the DBCC PAGE command).<br /><br />The case below illustrates why this kind of suppression matters.<br /><br />I was faced with a crashed database and no backup. As usual the database was marked suspect (greyed icon), and after some futile attempts at recovery to bring it up again, I detached it. On trying to attach it again I got this message:<br /><br /><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiNdGs209RKg5ZW4fQy53ocrmGicweB6M37v3IF7Qmk24fDl2W4MUb1_iiMs6Mr2Fns1-QiOjlkbVqMqvO5QukW_ep5adMZi0E7hMHhEtZ-xMPCfMrbRFmSvHjEK4D35lRjQLWCgaSwRI4/s1600-h/Log1.gif"><img id="BLOGGER_PHOTO_ID_5214251290563872114" style="CURSOR: hand" alt="" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiNdGs209RKg5ZW4fQy53ocrmGicweB6M37v3IF7Qmk24fDl2W4MUb1_iiMs6Mr2Fns1-QiOjlkbVqMqvO5QukW_ep5adMZi0E7hMHhEtZ-xMPCfMrbRFmSvHjEK4D35lRjQLWCgaSwRI4/s320/Log1.gif" border="0" /></a><br /><br />Recall that in my previous post I described how to 'fix' a torn page by examining and then synchronizing the torn bits of the sectors in that page. 
Examining each sector revealed that the m_tornbits value (red box) is not in sync with the torn bits at the end of the other sectors.<br /><br /><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj3qaJLPtdeDnlXHuHvY1FEr_X35YCBytL22WVFYiVxghhCL0evRJ83aL6qp_jePEbVmpikYXRS7wOOUhQ4bpfgZzXus18sWmv7c07t6h20mNj0j_h4Tk7mybL6qUpr-64Rl6BSmtRvymg/s1600-h/Log2.gif"><img id="BLOGGER_PHOTO_ID_5214251294491037954" style="CURSOR: hand" alt="" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj3qaJLPtdeDnlXHuHvY1FEr_X35YCBytL22WVFYiVxghhCL0evRJ83aL6qp_jePEbVmpikYXRS7wOOUhQ4bpfgZzXus18sWmv7c07t6h20mNj0j_h4Tk7mybL6qUpr-64Rl6BSmtRvymg/s320/Log2.gif" border="0" /></a><br /><br />The torn bits of one sample sector are shown here (green box):<br /><br /><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhE8F83p9HwdtkML9H3ZfcQO4OepKwa8NihV3kPKoguG8rqviDgMO9rJOeyCLHfgDMZoKP86AwbTQcfu9NCtJw8h-Ro5sOSVzVwYfy9tZs6zMd83z96HHoDf9wQzwj1JMkjytsD4CSCOog/s1600-h/Log3.gif"><img id="BLOGGER_PHOTO_ID_5214251296459386610" style="CURSOR: hand" alt="" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhE8F83p9HwdtkML9H3ZfcQO4OepKwa8NihV3kPKoguG8rqviDgMO9rJOeyCLHfgDMZoKP86AwbTQcfu9NCtJw8h-Ro5sOSVzVwYfy9tZs6zMd83z96HHoDf9wQzwj1JMkjytsD4CSCOog/s320/Log3.gif" border="0" /></a><br /><br />The torn bits at the end of every sector evaluate to 0x02, whereas the m_tornbits value is 0x01, which is why MS SQL Server raises the error above.<br /><br />To get rid of this nasty torn page error that prevents me from attaching the database, I change the m_tornbits value from 0x01 to 0x02 and re-attach the database with SQL Enterprise Manager. 
Then I arrive at this message:<br /><br /><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgqDNIaDBvgrPGh2XFamta3xfBBajw3CUnXaQqRHeATsL3K6CeVoHop5zDFiqo7XW5YMpStmuCyBkyv7u-1LnJxdgeIsAg3CgK1Ibe1jIxS9J-sw9zpfxF-aqjASQCJWT723lakhEZPSWI/s1600-h/Log4.gif"><img id="BLOGGER_PHOTO_ID_5214251298046218354" style="CURSOR: hand" alt="" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgqDNIaDBvgrPGh2XFamta3xfBBajw3CUnXaQqRHeATsL3K6CeVoHop5zDFiqo7XW5YMpStmuCyBkyv7u-1LnJxdgeIsAg3CgK1Ibe1jIxS9J-sw9zpfxF-aqjASQCJWT723lakhEZPSWI/s320/Log4.gif" border="0" /></a><br /><br />So the torn page check has been bypassed, but another check prevents the attach from succeeding. The error log shows:<br /><br /><span style="font-family:courier new;font-size:85%;">2008-06-21 15:10:35.43 spid51 Error while redoing logged operation in database 'MBS'. Error at log record ID (2387:408:4)</span><br /><br />So I am facing a transaction log issue. MS SQL Server is trying to redo a logged operation on this page, which is already corrupted. Fortunately the redo fails, because had it succeeded it would have made things more complicated: we only want to look at the database as it was seconds before the disaster, not at the database with a redo applied on top of corrupted data.<br /><br />To bypass this mechanism it is time to consult the 'oracle' Kalen Delaney (Inside Microsoft SQL Server 2000) again about the transaction log:<br /><br /><span style="font-family:courier new;font-size:85%;">If the LSN in the page is less than that of log LSN, then the transaction should be redone. Otherwise, if LSN in the page is greater, transaction should not be redone.</span><br /><br />This 'law' implies that the redo mechanism can be bypassed, which is exactly what I need. 
If I can somehow raise the LSN stored in that page, then in theory the redo for it will be skipped.<br /><br />In the page header shown in the picture above, the yellow box marks the LSN of the damaged page (m_lsn, which starts at offset 0x28 of the page). The first field of the LSN is the log sequence number 2387 = 0x00000953; changing it to, for example, 2388 = 0x00000954 (stored little-endian in the physical file, so the bytes become 54 09 00 00) makes the page LSN higher than the log record 2387:408:4, and the redo should be skipped. I change the LSN value, fire up the attach database dialog, and bingo! The database attaches!<br /><br /><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhdwEoubnKsvgOQCQ4HJ1Arn6NFTa_3RfmAVE0_VVrChT3zYO-m2PBS9xXd_WBJVkdqz7qKG6KFtuatKHuZvw5MowcLjSZJ7KYmfY6SmlikuMrp3pniGFhA4Tz0qubeSOM5_peJuRCL9Pw/s1600-h/Log5.gif"><img id="BLOGGER_PHOTO_ID_5214251296388175954" style="CURSOR: hand" alt="" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhdwEoubnKsvgOQCQ4HJ1Arn6NFTa_3RfmAVE0_VVrChT3zYO-m2PBS9xXd_WBJVkdqz7qKG6KFtuatKHuZvw5MowcLjSZJ7KYmfY6SmlikuMrp3pniGFhA4Tz0qubeSOM5_peJuRCL9Pw/s320/Log5.gif" border="0" /></a><br /><br />Now, with the database successfully attached, I can examine more closely which data is corrupted. Remember that the redo records skipped this way were never applied: the page holds whatever was on disk at the time of the crash, and the skipped log records still describe the changes that should have landed there.<br /><br />Happy transaction log-ing :)<br /><br />Which Sector is "torn" in Torn Page Error? (2008-06-19)<br /><br />Recently I have been analyzing the "torn page" thing again. When SQL Server throws the torn page error, it does not tell you which sector of the page is torn. 
Let's review the definition of a "torn page" from Kalen Delaney's "Inside Microsoft SQL Server 2000":<br /><br /><span style="font-family:courier new;font-size:85%;">..it causes a bit to be flipped for each 512 byte sector in a database page (8 KB) whenever the page is written to disk..</span><br /><br />In practice there are two kinds of torn page error events (I am referring to the behaviour of MS SQL 2000).<br /><br />First, a torn page error during the database attach process. Usually this is caused by corruption in one of MS SQL Server's own important pages, such as a PFS page.<br /><br />Second, a torn page error while accessing records, i.e. in our important pages :)<br /><br />Since the data is of the utmost importance, we need to determine precisely which 512-byte sector got torn.<br /><br />To perform this analysis I create a test database (named Test), create a table and insert some records using SQL Enterprise Manager. Next I determine the first page that contains my data:<br /><br /><span style="font-family:courier new;font-size:85%;">use test<br />dbcc checkalloc </span><br /><span style="font-family:courier new;font-size:85%;"><br /><snip>***************************************************************<br />Table TestTbl Object ID 357576312.<br />Index ID 0. FirstIAM (1:91). <span style="color:#ff0000;">Root (1:90)</span>. Dpages 1.<br />Index ID 0. 2 pages used in 0 dedicated extents.<br />Total number of extents is 0.<br />***************************************************************<br /><snip></span><br /><br />So the first page of my data is page 90, which is at offset 90 * 8192 = 737280 = 0xB4000 in the physical file.<br /><br />Now let's look at the physical page created by MS SQL Server in a hex editor:<br /><br /><br /><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjerXgn7OVuwO8bMxQTENGaN7Ur6-nYVxhoJxoc2NcSwpxU3FGtyt26HbzlqryWl0jVZBzxB7NjgqoK2qpeuaTlh_-_LbVA0p2cfLFqJIdYb3ir4AzTlJWY7GFD2DuT8NM-NDLPHPgKAYM/s1600-h/torn1.gif"><img id="BLOGGER_PHOTO_ID_5213745447688506322" style="WIDTH: 341px; CURSOR: hand; HEIGHT: 87px" height="79" alt="" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjerXgn7OVuwO8bMxQTENGaN7Ur6-nYVxhoJxoc2NcSwpxU3FGtyt26HbzlqryWl0jVZBzxB7NjgqoK2qpeuaTlh_-_LbVA0p2cfLFqJIdYb3ir4AzTlJWY7GFD2DuT8NM-NDLPHPgKAYM/s320/torn1.gif" width="360" border="0" /></a><br /><br />Here, the byte at offset 5 of the page header (marked with a green box) is related to torn page checking: offsets 4-5 hold the two-byte m_flagBits field, and its 0x100 bit (the low bit of the byte at offset 5) is the torn-page-detection flag. One might expect that clearing this bit (i.e. changing the byte from 0x81 to 0x80) would bypass the torn page check. It does not; see the paragraph below.<br /><br />OK, back to the original question. To determine which sector got torn, we have to look at how the m_tornbits value relates to the last byte of each 512-byte sector. Here is how it works:<br /><br />The first byte of m_tornbits is masked with 0x03, so it ends up as one of the values 0x00, 0x01, 0x02 or 0x03. In the example above the first byte is 0x01, and the mask leaves 0x01. 
This value is compared with the last byte of every sector from the second sector onward (sector 1, counting the first sector as sector 0), i.e. starting at offset 0x3FF and then every 0x200 bytes.<br /><br />The last byte of each sector is masked the same way and compared with the masked first byte of m_tornbits. If any of them differs, the torn page error is thrown.<br /><br />So, using this operation, it is possible to determine which sector is out of sync with the rest, in other words which sector is torn. This necessarily assumes that the first sector, which contains the page header and hence the m_tornbits value, is the valid one.<br /><br />It is not, however, possible to temporarily turn off torn page checking by resetting the byte at offset 5 of the page header. SQL Server appears to perform a consistency check on the flag itself:<br /><br /><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEguOgf0wiW1xcAnIErM9glcdOrArZqEIDLAhKg6KzQvulyAQwHSGqwmY3HRhf_g6DjmpUwXgQKUUgN5szx6WfNS8-UWSGcwm5fHArzAzZtiKbQu8gHjH3ai51vk6J3r-2JCD-RueB_QVws/s1600-h/torn2.gif"><img id="BLOGGER_PHOTO_ID_5213745456888622674" style="CURSOR: hand" alt="" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEguOgf0wiW1xcAnIErM9glcdOrArZqEIDLAhKg6KzQvulyAQwHSGqwmY3HRhf_g6DjmpUwXgQKUUgN5szx6WfNS8-UWSGcwm5fHArzAzZtiKbQu8gHjH3ai51vk6J3r-2JCD-RueB_QVws/s320/torn2.gif" border="0" /></a><br /><br />So you have to fix the last byte of each defective sector one by one before the page can be accessed by MS SQL Server.<br /><br />Happy torn page-ing :)<br /><br />Reverse Engineering Lotus Notes (2008-06-06)<br /><br />The title above will provoke some harsh criticism, or even warning letters telling me to delete it, or perhaps instructions to the company that hosts my web site to block it.<br /><br />Some will say that I have done something forbidden by law. But, as I have written in previous posts on this blog, virtually all human activity aimed at increasing prosperity and better living can be seen as a form of reverse engineering.<br /><br />OK, enough preaching. Back to the topic. The question is: is it possible? The very first step in reverse engineering is to identify function names, because a name conveys something of the internal workings intended by the programmer or developer of that function.<br /><br />Is it possible to identify function names in the myriad of hex codes and calls in the disassembly of the Lotus Notes application? I would say yes.<br /><br />First, I limit the scope of this discussion to Lotus Notes running on Windows, in other words the Windows version of the Lotus Notes client. I am not discussing the server-side runtime, only the client.<br /><br />So let's start at the beginning, when the Lotus Notes program is launched from its Windows icon. In this discussion I am using Lotus Notes version 7. The executable that spawns the Lotus Notes client is NLNOTES.EXE.<br /><br />Using the WinDBG debugger, we can determine the entry point, i.e. where the Lotus Notes code proper begins, so that we do not get lost identifying Windows runtime code instead of Lotus Notes code.<br /><br /><br /><span style="font-family:courier new;font-size:85%;">Executable search path is:<br />ModLoad: <span style="color:#ff0000;">00400000</span> 0050f000 nlnotes.exe<br />ModLoad: 7c900000 7c9b0000 ntdll.dll</span><br /><br />Here, in my current process memory layout, NLNOTES.EXE is loaded at hex address 400000. 
We can determine the address of the entry point with the !dh extension in WinDBG:<br /><br /><span style="font-family:courier new;font-size:85%;">0:000> !dh 00400000<br />File Type: EXECUTABLE IMAGE<br />FILE HEADER VALUES<br />14C machine (i386)<br />4 number of sections<br />4304A8DE time date stamp Thu Aug 18 22:27:26 2005<br />0 file pointer to symbol table<br />0 number of symbols<br />E0 size of optional header<br />10F characteristics<br />Relocations stripped<br />Executable<br />Line numbers stripped<br />Symbols stripped<br />32 bit word machine<br />OPTIONAL HEADER VALUES<br />10B magic #<br />7.10 linker version<br />1000 size of code<br />10D000 size of initialized data<br />0 size of uninitialized data<br /><span style="color:#3333ff;">1C94 address of entry point</span><br />1000 base of code<br />----- new -----<br />00400000 image base<br />1000 section alignment<br />1000 file alignment<br />2 subsystem (Windows GUI)<br />4.00 operating system version<br />0.00 image version<br />4.00 subsystem version<br />10F000 size of image<br />1000 size of headers<br />...</span><br /><br />Searching for the "address of entry point" string in the output gives hex 1C94. 
So we can calculate the actual address in memory where the entry point resides:<br /><br /><span style="font-family:courier new;font-size:85%;">400000 + 1C94 = 401C94</span><br /><br />Now we can set a breakpoint and go directly to the entry point of the Lotus Notes application:<br /><br /><span style="font-family:courier new;font-size:85%;">0:000> bp 00401c94<br />0:000> g<br />ModLoad: 5cb70000 5cb96000 C:\WINDOWS\system32\ShimEng.dll<br />ModLoad: 76390000 763ad000 C:\WINDOWS\system32\IMM32.DLL<br />ModLoad: 629c0000 629c9000 C:\WINDOWS\system32\LPK.DLL<br />ModLoad: 74d90000 74dfb000 C:\WINDOWS\system32\USP10.dll<br />ModLoad: 773d0000 774d3000 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll<br />Breakpoint 0 hit<br />eax=00000000 ebx=7ffdd000 ecx=0013ffb0 edx=7c90eb94 esi=7c9118f1 edi=00011970<br />eip=00401c94 esp=0013ffc4 ebp=0013fff0 iopl=0 nv up ei pl zr na pe nc<br />cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246<br />nlnotes+0x1c94:<br />00401c94 6a74 push 74h<br />0:000> u 401c94<br />*** WARNING: Unable to verify checksum for nlnotes.exe<br />*** ERROR: Module load completed but symbols could not be loaded for nlnotes.exe<br />nlnotes+0x1c94:<br />00401c94 6a74 push 74h<br />00401c96 68c0214000 push offset nlnotes+0x21c0 (004021c0)<br />00401c9b e8e8020000 call nlnotes+0x1f88 (00401f88)<br />00401ca0 33db xor ebx,ebx<br />00401ca2 895de0 mov dword ptr [ebp-20h],ebx<br />00401ca5 53 push ebx<br />00401ca6 8b3d24204000 mov edi,dword ptr [nlnotes+0x2024 (00402024)]<br />00401cac ffd7 call edi</span><br /><br />Here is our sample Lotus Notes function to be identified:<br /><br /><span style="font-family:courier new;font-size:85%;">00401c9b e8e8020000 call nlnotes+0x1f88 (00401f88)</span><br /><br />In the Lotus Notes 7 client installation, usually in the C:\Lotus\Notes directory, there is a file called LotusNotes.sym, stored in a compressed format. 
The first thing to do is to decompress this file using MAP2ISYM.EXE:<br /><br /><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj5-PQleYIvolem7c6E1P163c4W7LgMP5Q6x2gNSZfcwQ4eR9nLVgC4p5BIUTkaEWxKVXfbaSRSr29dbgtif9rhhbRKc3blkSlilI5PUG7owmM9lRPrE6CQQ8plh8zJNG8EkVwZnLhVkZ4/s1600-h/Image2.gif"><img id="BLOGGER_PHOTO_ID_5208923536839072946" style="CURSOR: hand" alt="" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj5-PQleYIvolem7c6E1P163c4W7LgMP5Q6x2gNSZfcwQ4eR9nLVgC4p5BIUTkaEWxKVXfbaSRSr29dbgtif9rhhbRKc3blkSlilI5PUG7owmM9lRPrE6CQQ8plh8zJNG8EkVwZnLhVkZ4/s320/Image2.gif" border="0" /></a><br /><br />For the curious, MAP2ISYM.EXE can be obtained from the official Lotus Notes sites.<br /><br />Next, we have to determine the start and end offsets of the NLNOTES.EXE module within the symbol file, so that we do not pick up a function name that belongs to another module.<br /><br />This is the portion of the raw LotusNotes.sym data, shown in a hex editor, that records the start and end offsets of the NLNOTES.EXE module:<br /><br /><span style="font-family:courier new;font-size:85%;">Offset 0 1 2 3 4 5 6 7 8 9 A B C D E F<br />00000650 04 43 00 00 40 00 <span style="color:#ff0000;">37 A8 B7 00</span> 07 00 00 00 4E 4C C @ 7¨· NL<br />00000660 4E 4F 54 45 53 7F 5D 00 43 00 00 C5 62 <span style="color:#3333ff;">F4 B8 B7</span> NOTES] C Åbô¸·<br />00000670 <span style="color:#3333ff;">00</span> 08 00 00 00 4E 4C 53 43 43 53 54 52 59 61 00 NLSCCSTRYa<br />00000680 43 C<br /></span><br />The bytes marked red and blue denote the start and end offsets of the NLNOTES.EXE module: B7A837 and B7B8F4 respectively (stored little-endian in the file as 37 A8 B7 00 and F4 B8 B7 00; the end offset is simply where the next module, NLSCCSTR, begins). So the symbol records for NLNOTES.EXE must lie within this range.<br /><br />For the call above, the relative address (RVA) is 1F88, since the base address is already known to be 400000.<br /><br />Written as a 32-bit value this is 00001F88, which in the little-endian byte order of the file becomes 88 1F 00 00. 
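The byte-pattern search described in this post can be done in a few lines of code instead of by eye. The block below is an added example, not code from the original post or from Lotus: it copies the bytes from the two hex dumps above as constructed test input, finds the module start offset recorded for NLNOTES.EXE (and for the next module, which gives the end of the range), and resolves the RVA of the call to the name stored in the following record. The record layouts it assumes (a 4-byte start offset followed by a 4-byte name length and the module name; a 4-byte field, a 4-byte RVA, a 2-byte length and a NUL-terminated name per symbol) are inferred from the dumps alone, so the real .sym format may carry more fields than are handled here.

```python
"""Added example: resolve a call target to a symbol name in a decompressed
LotusNotes.sym the way the post does with a hex editor.  Not Lotus code and
not the post's code; the byte strings are copied from the two hex dumps in
the post, and the record layouts assumed here are inferred from them only."""
import struct

IMAGE_BASE = 0x00400000                      # nlnotes.exe load address (ModLoad)

# Module table chunk at file offset 0x650.  Assumed per-module layout:
# <4-byte start offset> <4-byte name length> <name>; the bytes in between
# the entries are not identified here.
MODULE_TABLE = bytes.fromhex(
    "04 43 00 00 40 00 37 A8 B7 00 07 00 00 00 4E 4C"
    "4E 4F 54 45 53 7F 5D 00 43 00 00 C5 62 F4 B8 B7"
    "00 08 00 00 00 4E 4C 53 43 43 53 54 52 59 61 00"
)

# Symbol records at file offset 0xB7AB40.  Assumed per-record layout:
# <4 bytes, equal to RVA minus the 0x1000 base of code from !dh, probably a
# section-relative offset> <4-byte RVA> <2-byte length incl. NUL> <name> <NUL>
SYMBOL_CHUNK_OFFSET = 0x00B7AB40
SYMBOL_CHUNK = bytes.fromhex(
    "84 1F 00 00 0A 00 5F 5F 73 65 74 61 72 67 76 00"
    "88 0F 00 00 88 1F 00 00 0D 00 5F 5F 53 45 48 5F"
    "70 72 6F 6C 6F 67 00 C3 0F 00 00 C3 1F 00 00 0D"
)


def module_start(table, name):
    """Start offset recorded for module `name`: the 4-byte little-endian
    value that precedes the 4-byte name length, which precedes the name."""
    needle = name.encode("ascii")
    pos = table.find(needle)
    while pos != -1:
        if pos >= 8 and struct.unpack_from("<I", table, pos - 4)[0] == len(needle):
            return struct.unpack_from("<I", table, pos - 8)[0]
        pos = table.find(needle, pos + 1)
    raise KeyError(name)


def va_to_rva(va, image_base=IMAGE_BASE):
    """Call target seen in the debugger (00401f88) -> RVA (1f88)."""
    return va - image_base


def resolve_rva(chunk, chunk_offset, rva, lo, hi):
    """Find the symbol record whose RVA field equals `rva` and whose file
    position lies within the module's [lo, hi) range.  Returns the name, or
    None when every candidate is out of range, truncated or not printable."""
    needle = struct.pack("<I", rva)
    pos = chunk.find(needle)
    while pos != -1:
        if lo <= chunk_offset + pos < hi and pos + 6 <= len(chunk):
            length = struct.unpack_from("<H", chunk, pos + 4)[0]
            start, end = pos + 6, pos + 6 + length - 1      # `end` is the NUL
            if length > 1 and end < len(chunk) and chunk[end] == 0:
                name = chunk[start:end]
                if all(0x20 <= b < 0x7F for b in name):
                    return name.decode("ascii")
        pos = chunk.find(needle, pos + 1)
    return None


def name_for_call(chunk, chunk_offset, va, lo, hi):
    """Convenience wrapper: VA from the disassembly -> symbol name."""
    return resolve_rva(chunk, chunk_offset, va_to_rva(va), lo, hi)
```

With the module range taken from MODULE_TABLE, `name_for_call(SYMBOL_CHUNK, SYMBOL_CHUNK_OFFSET, 0x00401F88, lo, hi)` yields `__SEH_prolog`; a record whose length or name runs past the end of the available bytes (the C3 1F 00 00 entry at the end of the dump) is reported as unresolved rather than guessed.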
This byte sequence can be searched for with a hex editor:<br /><br /><span style="font-size:85%;"><span style="font-family:courier new;">Offset 0 1 2 3 4 5 6 7 8 9 A B C D E F<br />00B7AB40 84 1F 00 00 0A 00 5F 5F 73 65 74 61 72 67 76 00 „ __setargv<br />00B7AB50 88 0F 00 00 <span style="color:#ff0000;">88 1F 00 00</span> 0D 00 5F 5F 53 45 48 5F ˆ ˆ __SEH_<br />00B7AB60 70 72 6F 6C 6F 67 00 C3 0F 00 00 C3 1F 00 00 0D prolog Ã</span> Ã </span><br /><br />The red bytes are the entry that maps the relative address to a function name, and their location around 00B7AB50 is well within the start and end offsets of the NLNOTES.EXE module determined above. So we can safely deduce that the function is __SEH_prolog (the decorated name of the C run-time routine _SEH_prolog):<br /><br /><span style="font-family:courier new;font-size:85%;">00401c94 6a74 push 74h<br />00401c96 68c0214000 push offset nlnotes+0x21c0 (004021c0)<br /><span style="color:#ff0000;">00401c9b e8e8020000 call nlnotes+0x1f88 (00401f88) ;;_SEH_prolog</span></span><br /><br />Using this manual method we can in theory determine the name of any function of interest. This answers the question of whether reverse engineering the Lotus Notes application, in particular recovering its function names, is possible.<br /><br />As a side comment, the function identified in this sample case (_SEH_prolog), although it resides in the NLNOTES.EXE module, is part of the Microsoft C run-time linked into the executable (the structured exception handling prologue emitted by the compiler) rather than Lotus Notes code proper. The 7.10 linker version in the !dh output above indicates that the executable was built with Microsoft Visual C++ .NET 2003.<br /><br />Happy identifying :)<br /><br />Unraveling MS SQL 2000 Database Format (Part 1) (2008-06-05)<br /><br />This time I would like to discuss the physical format of a Microsoft SQL 2000 database. As you probably already know, each MS SQL 2000 database corresponds to one or more files. 
The primary file has the default extension .MDF.<br /><br />The raw data of an MDF file is logically divided into blocks of 8192 bytes, each called a page. In each page the first 96 bytes are the header; the rest is data whose layout depends on the page type recorded in the header.<br /><br />Now let's look at the first block, which corresponds to page 0 (zero) of a sample SQL Server 2000 data file, in a hex editor:<br /><br /><span style="font-family:courier new;font-size:85%;">Offset 0 1 2 3 4 5 6 7 8 9 A B C D E F<br />00000000 01 0F 00 00 08 01 00 00 00 00 00 00 00 00 00 00<br />00000010 00 00 00 00 00 00 01 00 63 00 00 00 01 1F DE 18 c Þ<br />00000020 00 00 00 00 01 00 00 00 67 00 00 00 78 01 00 00 g x<br />00000030 13 00 00 00 00 00 00 00 00 00 00 00 42 D2 00 00 BÒ<br />00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00<br />00000050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 </span><br /><br />Please be reminded that I will not explain each variable further (for instance, what m_type means); consult other documentation for these properties.<br /><br />Offset 0, hex 01, is m_headerVersion<br />Offset 1, hex 0F, is the page type (m_type); 0x0F = 15 is the file header page, which is what page 0 of every data file is<br />Offset 2, hex 00, is m_typeFlagBits<br />Offset 3, hex 00, is m_level<br />Offset 4, hex 08, is m_flagBits<br />Offset 5, hex 01, was not yet identified at the time of writing<br />Offset 6-7, hex 00 00, is m_indexId<br />Offset 18-1B, hex 63 00 00 00, i.e. 0x00000063 = 99 decimal, is m_objId<br />Offset 20-23, hex 00 00 00 00, is the page-number part of m_pageId (page 0)<br />Offset 24-25, hex 01 00, is the file-id part of m_pageId (m_fileId = 1)<br /><br />All multi-byte fields are little-endian, so the byte order shown in the dump is reversed when reading a value.<br /><br />If time permits, I will continue with the next deciphering task. 
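<br /><br />A parser for the page header just walked through, as an added Python example (not code from the original post). The header bytes are constructed from the hex listing above. The first group of fields is what the post identifies; m_slotCnt, m_lsn and m_tornBits follow the commonly documented SQL Server page header layout and go beyond what the post decodes, and the page type names are the ones DBCC PAGE prints:<br /><br />

```python
import struct

PAGE_SIZE = 8192
HEADER_SIZE = 96

# Page type values as DBCC PAGE names them.
PAGE_TYPES = {
    1: "DATA_PAGE", 2: "INDEX_PAGE", 3: "TEXT_MIX_PAGE", 4: "TEXT_TREE_PAGE",
    7: "SORT_PAGE", 8: "GAM_PAGE", 9: "SGAM_PAGE", 10: "IAM_PAGE", 11: "PFS_PAGE",
    13: "BOOT_PAGE", 15: "FILE_HEADER_PAGE", 16: "DIFF_MAP_PAGE", 17: "ML_MAP_PAGE",
}

# The first 0x40 bytes of page 0 exactly as dumped in the post (constructed here
# from that listing); the dump shows the rest of the header as zero.
PAGE0_HEADER = bytes.fromhex(
    "01 0F 00 00 08 01 00 00 00 00 00 00 00 00 00 00"
    "00 00 00 00 00 00 01 00 63 00 00 00 01 1F DE 18"
    "00 00 00 00 01 00 00 00 67 00 00 00 78 01 00 00"
    "13 00 00 00 00 00 00 00 00 00 00 00 42 D2 00 00"
) + bytes(HEADER_SIZE - 0x40)


def parse_page_header(page):
    """Decode the 96-byte page header of a SQL Server page (all little-endian)."""
    if len(page) < HEADER_SIZE:
        raise ValueError("need at least the %d-byte page header" % HEADER_SIZE)
    h = {}
    (h["m_headerVersion"], h["m_type"], h["m_typeFlagBits"], h["m_level"],
     h["m_flagBits"], h["m_indexId"]) = struct.unpack_from("<BBBBHH", page, 0x00)
    # Offsets 4-5: the post reads offset 4 alone as m_flagBits and leaves offset 5
    # unidentified; the documented layout makes them one 16-bit field (0x0108 here).
    h["m_typeName"] = PAGE_TYPES.get(h["m_type"], "UNKNOWN(%d)" % h["m_type"])
    (h["m_slotCnt"],) = struct.unpack_from("<H", page, 0x16)   # records on the page
    (h["m_objId"],) = struct.unpack_from("<I", page, 0x18)
    page_no, file_id = struct.unpack_from("<IH", page, 0x20)   # m_pageId: page, then file
    h["m_pageId"] = (file_id, page_no)
    h["m_lsn"] = struct.unpack_from("<IIH", page, 0x28)        # log sequence number
    (h["m_tornBits"],) = struct.unpack_from("<I", page, 0x3C)  # torn-page detection bits
    return h


def page_number(file_offset):
    """Page that a byte offset in the MDF falls in (offset 0x12000 -> page 9)."""
    return file_offset // PAGE_SIZE


if __name__ == "__main__":
    for key, value in parse_page_header(PAGE0_HEADER).items():
        print("%-16s %s" % (key, hex(value) if isinstance(value, int) else value))
```

<br /><br />Run against the dump above it reports a file header page (type 15) for object 99 at file 1, page 0, with one slot, LSN 103:376:19 and torn bits 0xD242. The m_pageId field is the one to look at when a page has been copied or patched: it states where the page believes it belongs, so a value that disagrees with the offset it was read from means the wrong page.<br /><br />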
That's all folks!existhttp://www.blogger.com/profile/09946288432858107412noreply@blogger.com2tag:blogger.com,1999:blog-7479382983854330483.post-24483572937471753392008-06-04T16:50:00.000-07:002008-06-04T16:55:50.101-07:00Reverse Engineering the Adobe Acrobat ApplicationsLimiting the scope to computer technology, and especially to programming languages, I personally consider reverse engineering a means of giving meaning to otherwise lifeless assembly code that consists of nothing but hexadecimal numbers.<br /><br />In a broader scope, I believe that every human searches for the meaning of life, and that every human pursuit in every branch of science is also a reverse engineering activity: an attempt to give meaning to the mechanism or inner workings of the universe.<br /><br />So, as the title says, I try to give some meaning to the existing assembly code of existing Adobe plug-ins. The most basic step is to find and identify the functions used by an Acrobat plug-in.<br /><br />According to the documentation provided by Adobe, function calls in the Acrobat framework go through HFTs (Host Function Tables). If I write a plug-in, I can also export HFTs, so that, when they are well documented, other plug-ins can call the functions in my plug-in to perform some intended operation.<br /><br />To see the HFT mechanism in practice, let us examine the smallest prototype plug-in supplied by Adobe in the SDK, named starter.api. I compiled it and then disassembled it with DISASM.EXE, provided by SangCho. In the original source, starter.api calls the most commonly used Acrobat function, ASAtomFromString. 
In compiled form it looks like this:<br /><br /><span style="font-family:courier new;font-size:85%;">:1001266A 68E4410210 push 100241E4</span><br /><span style="font-family:courier new;font-size:85%;"> (StringData)"ADBE:Starter"</span><br /><span style="font-family:courier new;font-size:85%;">:1001266F 8B1520850210 mov edx, dword[10028520 {gCoreHFT} ]</span><br /><span style="font-family:courier new;font-size:85%;">:10012675 FF5214 call dword[edx+14]</span><br /><br />The edx register holds the pointer to the HFT, in this case gCoreHFT, and the call goes through one entry of that table; the hexadecimal displacement 14, or 20 in decimal, must therefore correspond to the enumerated index of the function.<br /><br />Calls are made by index: each function name has an enumerated selector with the SEL suffix. For example, the selector for ASAtomFromString is ASAtomFromStringSEL. These enumerated names are supposed to exist in the header files supplied by Adobe in the SDK.<br /><br />But if you search for the string "ASAtomFromStringSEL" in any of the header files, you will find nothing. Why? Because the names are constructed by preprocessor macros, so you cannot read a selector value directly off the header files as they are. (Running the headers through the preprocessor alone, with cl /E or cl /P, expands those macros and shows the enum with its members in order, which is one way to read the value off.)<br /><br />Some compilers can generate a pre-compiled header, a file with the .PCH extension, and the expanded definitions are in there, but in a binary form that a human cannot read. I don't know whether there is currently a program that decompiles a .PCH file into readable definitions.<br /><br />So the easiest method is to assign ASAtomFromStringSEL to a variable in a plug-in we control, in this case starter.api, and inspect it in a debugging session or have it printed or written to a temporary file. Using this method, we find that ASAtomFromStringSEL has the value 5. The relation between 5 and 20 is 20/4, i.e. the displacement divided by 4. 
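<br /><br />The selector arithmetic just described (selector = displacement / 4, because each HFT entry is a 32-bit pointer), applied to a disassembly listing, as an added Python example that is not code from the original post or from Adobe. The address of gCoreHFT and the value ASAtomFromStringSEL = 5 are the ones the post establishes; no other Adobe selector numbers are assumed, so any other selector is reported by number only. The listing is the post's three instructions plus four constructed lines in the same disassembler format:<br /><br />

```python
import re

POINTER_SIZE = 4   # each HFT entry is a 32-bit function pointer in an x86 plug-in

# HFT globals and the selectors known for them.  Only the gCoreHFT address and
# ASAtomFromStringSEL == 5 come from the post; nothing else is guessed.
HFT_GLOBALS = {0x10028520: "gCoreHFT"}
HFT_SELECTORS = {"gCoreHFT": {5: "ASAtomFromString"}}

# The three instructions from the post plus four constructed lines exercising
# register reuse (edx overwritten with eax) and a selector that is not known.
SAMPLE_LISTING = """\
:1001266A 68E4410210 push 100241E4
:1001266F 8B1520850210 mov edx, dword[10028520 {gCoreHFT} ]
:10012675 FF5214 call dword[edx+14]
:10012678 8BD0 mov edx, eax
:1001267A FF5208 call dword[edx+08]
:1001267D 8B1520850210 mov edx, dword[10028520 {gCoreHFT} ]
:10012683 FF5218 call dword[edx+18]
"""

LINE_RE = re.compile(r"^:?([0-9A-F]+)\s+[0-9A-F]+\s+(\w+)\s*(.*)$", re.I)
LOAD_RE = re.compile(r"^(\w+),\s*dword\[([0-9A-F]+)", re.I)
CALL_RE = re.compile(r"^dword\[(\w+)\+([0-9A-F]+)\]", re.I)
CALLER_SAVED = {"eax", "ecx", "edx"}   # clobbered by any call on x86


def selector_to_displacement(sel):
    return sel * POINTER_SIZE


def displacement_to_selector(disp):
    if disp % POINTER_SIZE:
        raise ValueError("0x%x is not a multiple of the pointer size" % disp)
    return disp // POINTER_SIZE


def annotate_hft_calls(listing):
    """Map call address -> (hft name, selector, function name or None).
    Tracks which register currently holds which HFT pointer; a register that is
    overwritten, or clobbered by a call, is forgotten so that a later indirect
    call through it is not mis-labelled as an HFT call."""
    holds = {}
    out = {}
    for line in listing.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        addr, mnemonic, operands = m.group(1).upper(), m.group(2).lower(), m.group(3)
        dest = operands.split(",")[0].strip().lower()
        if mnemonic == "mov":
            load = LOAD_RE.match(operands)
            if load and int(load.group(2), 16) in HFT_GLOBALS:
                holds[dest] = HFT_GLOBALS[int(load.group(2), 16)]
            else:
                holds.pop(dest, None)
        elif mnemonic == "call":
            call = CALL_RE.match(operands)
            if call and call.group(1).lower() in holds:
                hft = holds[call.group(1).lower()]
                disp = int(call.group(2), 16)
                sel = disp // POINTER_SIZE if disp % POINTER_SIZE == 0 else None
                out[addr] = (hft, sel, HFT_SELECTORS.get(hft, {}).get(sel))
            else:
                out[addr] = (None, None, None)
            for reg in CALLER_SAVED:
                holds.pop(reg, None)
        elif mnemonic in ("lea", "pop", "xor", "add", "sub"):
            holds.pop(dest, None)
    return out


if __name__ == "__main__":
    for addr, info in annotate_hft_calls(SAMPLE_LISTING).items():
        print(addr, info)
```

<br /><br />The call at 10012675 resolves to gCoreHFT selector 5, ASAtomFromString; the call at 1001267A is left unresolved because edx no longer holds the table pointer; the call at 10012683 is reported as gCoreHFT selector 6 with no name, which is exactly the point at which the selector value has to be obtained from the SDK headers as the post describes.<br /><br />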
Why 4? Because each HFT entry is a 4-byte (32-bit) function pointer, so the byte displacement in call dword[edx+14] is the selector multiplied by 4: entry 5 lives at byte offset 20 from the start of the table.<br /><br />So, provided we have all the enumerated selector values for each HFT (Core, AcroSupport, and so on), we can in principle identify every HFT call in a plug-in, and that serves the purpose of giving some meaning to the lifeless assembly code in the Adobe plug-ins: reverse engineering.existhttp://www.blogger.com/profile/09946288432858107412noreply@blogger.com38tag:blogger.com,1999:blog-7479382983854330483.post-5863604240422601332008-02-01T15:47:00.000-08:002008-06-05T17:34:30.903-07:00How to do Recovery on MS SQL Server Database ?One day, the server that hosts our MS SQL Server crashed. Maybe it was caused by a worm that infected the Windows system, maybe by a failure of the physical storage, or maybe something else entirely.<br /><br />After the restart, about 40% of the databases in the MS SQL Server instance (we are using SQL 2000) turned gray, i.e. were marked suspect. So I chose one of the databases to examine.<br />After many failed attempts to access the data in one of the grayed databases, I detached it. When I tried to attach it again, I got this message:<br /><br /><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjvgPUG5K9kTKh395-gN2nuUYsN4PfZ5YFKElk-rAjZVyjWHUypHKbpJjzGuGlWmbHbaCW49AYrgO8Kc6Z84kBv1aE5I-2FciJnqW3ia9UfbuG1Vlg8izGT6T_hK-4wAeMUlWjqhvVPWlA/s1600-h/Crash1.gif"><img id="BLOGGER_PHOTO_ID_5162163744818313954" style="CURSOR: hand" alt="" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjvgPUG5K9kTKh395-gN2nuUYsN4PfZ5YFKElk-rAjZVyjWHUypHKbpJjzGuGlWmbHbaCW49AYrgO8Kc6Z84kBv1aE5I-2FciJnqW3ia9UfbuG1Vlg8izGT6T_hK-4wAeMUlWjqhvVPWlA/s320/Crash1.gif" border="0" /></a><br /><br />So the reason this database is grayed out in SQL Enterprise Manager (EM) is this problem. 
Next, I tried the same thing with the stored procedure "sp_attach_db" in Query Analyzer:<br /><br /><span style="font-family:courier new;font-size:85%;color:#663333;">sp_attach_db 'edoc_test3', 'c:\mydata\edoc_data.mdf'</span><br /><br />It gives the following error message:<br /><br /><span style="font-family:courier new;font-size:85%;">Server: Msg 823, Level 24, State 2, Line 1<br />I/O error (torn page) detected during read at offset 0x00000000012000 in file 'c:\mydata\edoc_data.mdf'.</span><br /><br /><span style="font-family:courier new;font-size:85%;">Connection Broken</span><br /><br />It says there is a torn page at offset 12000 hex in this file. I don't want to elaborate on the "torn page" business that has already torn apart many lives that depend on MS SQL Server, other than to say that SQL Server refuses to accept the defective database because a small part of it is damaged. (A torn page is one whose 512-byte sectors were only partly written before the crash; SQL Server detects this from the torn bits it keeps in the page header.)<br /><br />The grayed (suspect) status and this error amount to the same thing: I cannot run DBCC CHECKDB or DBCC PAGE either on the suspect database or on a database that is not attached.<br /><br />In this case, the error message given by Query Analyzer is more specific than the one from Enterprise Manager.<br /><br />The idea is to find out which page is damaged and replace it with a clean one. This gets the file past the preliminary checks that run during the attach, so that the database can at least be attached and its status icon turns yellow. Yellow means we can run DBCC CHECKDB and DBCC PAGE.<br /><br />Remember from the MS SQL Server documentation of the internal storage structure that the physical file is organized in blocks of 8192 bytes. These blocks are called pages and are numbered from 0 to n.<br /><br />We also have to derive the exact location in the file of the defective page. 
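<br /><br />The offset-to-page arithmetic and the page-by-page patch that the following paragraphs do by hand in WinHex, as an added Python example (not the author's procedure, and not SQL Server code). Besides copying the 8192-byte block, it refuses to patch unless the backup page's own header claims to be the page being replaced, and it reports which 512-byte sectors actually differed. The MDF image it patches is constructed for the demonstration, not real SQL Server data:<br /><br />

```python
import struct

PAGE_SIZE = 8192      # one SQL Server page
SECTOR_SIZE = 512     # torn-page detection works per 512-byte sector
SECTORS_PER_PAGE = PAGE_SIZE // SECTOR_SIZE


def page_number(file_offset):
    """Page containing a byte offset from the Msg 823 text: 0x12000 -> 9."""
    return file_offset // PAGE_SIZE


def header_page_id(page):
    """(file_id, page_no) from m_pageId at header offset 0x20: a 4-byte page
    number followed by the 2-byte file id, both little-endian."""
    page_no, file_id = struct.unpack_from("<IH", page, 0x20)
    return file_id, page_no


def backup_page_matches(backup, page_no, file_id=1):
    """Does the backup's page at this position claim to be this page?  A wrong
    backup file, a mis-computed offset or an unrelated page fails here."""
    off = page_no * PAGE_SIZE
    if off + PAGE_SIZE > len(backup):
        return False
    return header_page_id(backup[off:off + PAGE_SIZE]) == (file_id, page_no)


def differing_sectors(a, b):
    """Indices of the 512-byte sectors that differ between two copies of a page;
    a torn write typically shows up as a few whole sectors, not scattered bytes."""
    return [i for i in range(SECTORS_PER_PAGE)
            if a[i * SECTOR_SIZE:(i + 1) * SECTOR_SIZE] != b[i * SECTOR_SIZE:(i + 1) * SECTOR_SIZE]]


def patch_page(damaged, backup, page_no, file_id=1):
    """Copy page `page_no` from `backup` over the same page in `damaged` (both
    bytearray images of the MDF).  Touches nothing unless the backup page's own
    header matches.  Returns the sectors that were actually changed."""
    if not backup_page_matches(backup, page_no, file_id):
        raise ValueError("backup does not contain page %d of file %d" % (page_no, file_id))
    off = page_no * PAGE_SIZE
    if off + PAGE_SIZE > len(damaged):
        raise ValueError("damaged file is shorter than page %d" % page_no)
    good = bytes(backup[off:off + PAGE_SIZE])
    changed = differing_sectors(damaged[off:off + PAGE_SIZE], good)
    damaged[off:off + PAGE_SIZE] = good
    return changed


def patch_file(damaged_path, backup_path, page_no, file_id=1):
    """The same operation on real files, reading only the one page from each."""
    off = page_no * PAGE_SIZE
    with open(backup_path, "rb") as f:
        f.seek(off)
        good = f.read(PAGE_SIZE)
    if len(good) != PAGE_SIZE or header_page_id(good) != (file_id, page_no):
        raise ValueError("backup does not contain page %d of file %d" % (page_no, file_id))
    with open(damaged_path, "r+b") as f:
        f.seek(off)
        bad = f.read(PAGE_SIZE)
        changed = differing_sectors(bad, good)
        f.seek(off)
        f.write(good)
    return changed


def make_image(n_pages, file_id=1):
    """Constructed test image (not real SQL Server data): each page carries a
    plausible header with m_headerVersion=1, m_type=1 and its own m_pageId."""
    img = bytearray()
    for page_no in range(n_pages):
        page = bytearray(PAGE_SIZE)
        page[0], page[1] = 1, 1
        struct.pack_into("<IH", page, 0x20, page_no, file_id)
        page[96:] = bytes([page_no & 0xFF]) * (PAGE_SIZE - 96)
        img += page
    return img


if __name__ == "__main__":
    good = make_image(10)
    bad = bytearray(good)
    off = page_number(0x12000) * PAGE_SIZE          # page 9, as in the error
    bad[off + 3 * SECTOR_SIZE:off + 4 * SECTOR_SIZE] = b"\xff" * SECTOR_SIZE
    print("patched sectors:", patch_page(bad, good, 9), "identical now:", bad == good)
```

<br /><br />On real files call patch_file(damaged_mdf, backup_mdf, 9) for the page at 0x12000, then repeat for each page the next attach attempt complains about. The header check is the cheap guard against the worst outcome, writing a valid but wrong page into the file, and the sector list tells you whether you are looking at a classic torn write (a few whole sectors) or at something else.<br /><br />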
From the above information, offset 12000 hex = 73728 decimal in the file, and 73728 / 8192 = 9, so the torn page is page 9 (pages are numbered from 0).<br /><br />Using a raw hex editor such as WinHex, we can perform 'surgery' on this page, provided we have a backup copy of the good page. The backup should be as close in time to the damaged file as possible; the closer, the better.<br /><br />In the good file, go to the same offset, copy the 8192-byte block, and write it to the same offset in the damaged file. This is done with a hex utility such as WinHex.<br /><br />Repeat these steps, patching each damaged page with the good one from the backup, until the database attaches successfully. Then run DBCC CHECKDB and DBCC PAGE to examine and extract the damaged data.<br /><br />One point to remember is to compare the good and damaged blocks before patching: make sure the backup block really is the same page (the page number and file id in its header at offset 0x20 should match the position you are patching), and note how much of the page actually differs. Remember too that each patched page now carries the backup's contents rather than what was on disk at the time of the crash, so the result is a salvage copy for extracting data, not a trustworthy production database.<br /><br />Happy recovering :)existhttp://www.blogger.com/profile/09946288432858107412noreply@blogger.com4tag:blogger.com,1999:blog-7479382983854330483.post-2804218464978134872007-09-13T16:48:00.000-07:002007-09-13T16:51:49.755-07:00Lotus Notes 7 Functions Gallery (Part 1)For the first part of this article, I want to give a brief explanation of some functions used in Lotus Notes version 7.0, which are:<br /><br /><span style="font-family:courier new;font-size:85%;">BootstrapCstrncmp<br />BootstrapMatchesKeyword<br />BootstrapCstrlen<br />BootstrapCmovmem<br />BootstrapCstrncpy<br />BootstrapCstrncat</span><br /><br />The above functions are called from the WinMain function in NLNOTES.EXE and belong to the Bootstrap group.<br />That's all folks and see you later :)existhttp://www.blogger.com/profile/09946288432858107412noreply@blogger.com1tag:blogger.com,1999:blog-7479382983854330483.post-21596734907679131012007-07-04T23:10:00.000-07:002007-07-04T23:27:55.921-07:00Visual Studio 2003 Debugging ProblemOne clear sunny day, when I was trying to debug on a remote computer using MS Visual Studio 2003, I came across this message:<br /><br /><a 
href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhu3N3R43lYKt8yJqu4msogNa_eZ3OWtIAB3Swfg5W4Wo2ek4NPyjACuPjNcwYi3wPwrbfpW29Es2tBC4btGlHRfbwq5ddeXRct_Enu8EJm_tFEQNELRAgd8jAP5xqUCQ3fgi9TMQKWZtM/s1600-h/debug-problem1.gif"><img id="BLOGGER_PHOTO_ID_5083593355574214258" style="CURSOR: hand" alt="" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhu3N3R43lYKt8yJqu4msogNa_eZ3OWtIAB3Swfg5W4Wo2ek4NPyjACuPjNcwYi3wPwrbfpW29Es2tBC4btGlHRfbwq5ddeXRct_Enu8EJm_tFEQNELRAgd8jAP5xqUCQ3fgi9TMQKWZtM/s320/debug-problem1.gif" border="0" /></a><br /><br /><p>The error message says: verify that you are an administrator or a member of the 'Debugger Users' group on the machine you are trying to debug.</p><p>Becoming a local administrator is clearly not an option: the machine is a shared server, the Application Developer group is deliberately given restricted privileges, and granting more than the task requires, in this case the privilege to debug one application, would violate least privilege.</p><p>So I followed the instruction and added my domain id to the Debugger Users group on that remote computer, fired up the debugging window, and still no success: the error was the same as above.<br />After an in-depth check with WinDBG and the matching symbol files from Microsoft, I found that the problem lies in the routine <span style="font-family:courier new;">sdm2!CDebugManager::GetMachine</span>, which returns the 0x80040021 error code. That is ridiculous, because I had ALREADY added my domain id to the "Debugger Users" group. 
</p>OK, so the routine <span style="font-family:courier new;">sdm2!CDebugManager::GetMachine</span> returns the error 0x80040021, but where exactly does that happen? The problem comes up on calling the routine:<br /><br /><span style="font-size:85%;"><span style="font-family:courier new;font-size:85%;">518a84b8 e8393b0000 call sdm2!ATL::CComBSTR::operator+=+0x1e (518abff6)</span></span><br /><br />(WinDBG only has public symbols for sdm2.dll here, so it names the target by the nearest preceding symbol plus an offset; a CComBSTR operator does not create COM objects, so the real callee is an unnamed function that follows it.) Which in turn calls:<br /><br /><span style="font-family:courier new;font-size:85%;">518ac066 ff1538118951 call dword ptr [sdm2!_imp__CoCreateInstanceEx (51891138)]<br />518ac06c 689cc08a51 push 0x518ac09c<br />518ac071 8bf8 mov edi,eax</span><br /><br />This returns eax=0x80070005, which means "Access Denied" (E_ACCESSDENIED); DEVENV.EXE then does its own additional checking and returns 0x80040021 together with the misleading message above.<br /><br />But exactly which call to <span style="font-family:courier new;font-size:85%;">sdm2!_imp__CoCreateInstanceEx</span> causes the "Access Denied", and with what arguments?<br /><br /><span style="font-family:courier new;font-size:85%;">518ac056 8d45f4 lea eax,[ebp-0xc]<br />518ac059 50 push eax ;;pResults<br />518ac05a 6a01 push 0x1 ;;cmq<br />518ac05c 8d45e4 lea eax,[ebp-0x1c]<br />518ac05f 50 push eax ;;pServerInfo<br />518ac060 6a14 push 0x14 ;;dwClsCtx = CLSCTX_LOCAL_SERVER | CLSCTX_REMOTE_SERVER<br />518ac062 56 push esi ;;punkOuter<br />518ac063 ff750c push dword ptr [ebp+0xc] ;;refClassID<br />518ac066 ff1538118951 call dword ptr [sdm2!_imp__CoCreateInstanceEx (51891138)]<br />518ac063 ff750c push dword ptr [ebp+0xc]{sdm2!CLSID_MsMachineDebugManager (5189742c)}<br />ss:0023:0012f270=5189742c<br />0023:5189742c fd 5f b2 73-01 f5-7b 43-8b 11-7f 0d e3 83 96 4f -> Reference Class ID<br />73B25FFD-F501-437B-8B11-7F0DE383964F -> MDM.EXE (Machine Debug Manager); the first three GUID fields are stored little-endian and are byte-swapped when read, the last eight bytes are taken in order<br />0:000> d ds:eax<br />0023:0012f248 00 00 00 00 08 5a cb 06-2c f2 12 00 00 00 00 00 .....Z..,.......<br />0023:0012f258 78 ef 89 51 00 00 00 00-00 00 00 00 90 f2 12 00 x..Q............<br />0023:0012f268 bd 84 8a 51 08 5a 
cb 06-2c 74 89 51 78 ef 89 51 ...Q.Z..,t.Qx..Q<br />0023:0012f278 8c f2 12 00 01 00 00 00-74 f5 12 00 00 00 00 00 ........t.......<br />0023:0012f288 a8 7f 83 01 00 00 00 00-ac f2 12 00 9d 7b 89 51 .............{.Q<br />COSERVERINFO structure at pServerInfo:<br />00000000 -> dwReserved1<br />06CB5A08 -> pwszName (the machine name)<br />0012F22C -> pAuthInfo<br />00000000 -> dwReserved2<br />COAUTHINFO structure at pAuthInfo:<br />0023:0012f22c 0a 00 00 00 - 00 00 00 00 - 00 00 00 00 - 02 00 00 00<br />0023:0012f23c 03 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................<br />0x0000000A -> dwAuthnSvc: RPC_C_AUTHN_WINNT (authentication service to use)<br />0x00000000 -> dwAuthzSvc: RPC_C_AUTHZ_NONE (authorization service to use)<br />0x00000000 -> pwszServerPrincName: NULL (must be NULL when using RPC_C_AUTHN_WINNT)<br />0x00000002 -> dwAuthnLevel: RPC_C_AUTHN_LEVEL_CONNECT (authenticates the client's credentials only when the client establishes a relationship with the server)<br />0x00000003 -> dwImpersonationLevel: RPC_C_IMP_LEVEL_IMPERSONATE (DCOM requires at least this level)<br />0x00000000 -> pAuthIdentityData: NULL (the actual identity of the client is used)<br />0x00000000 -> dwCapabilities: EOAC_NONE<br /></span><br />This is the client side: CoCreateInstanceEx sends the activation request over RPC to the COM Service Control Manager, RPCSS.EXE, on the remote machine. So, with WinDBG attached to RPCSS.EXE on the server, this is what happens there:<br /><br /><span style="font-family:courier new;font-size:85%;">7c822583 cc int 3<br />0:014> bm /a rpcss!RemoteInterfaceOnlySecCallback<br />breakpoint 1 redefined<br />1: 76d6595d @!"rpcss!RemoteInterfaceOnlySecCallback"<br />0:014> g<br />ModLoad: 76c90000 76cb7000 C:\WINDOWS\system32\msv1_0.dll<br />ModLoad: 76cf0000 76d0a000 C:\WINDOWS\system32\iphlpapi.dll<br />Breakpoint 1 hit<br />eax=0063fd70 ebx=0009b4a8 ecx=0009b5a4 edx=00000002 esi=0009b5a4 edi=0063fd80<br />eip=76d6595d esp=0063fd4c ebp=0063fda0 iopl=0 nv up ei pl zr na pe nc<br />cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246<br />rpcss!RemoteInterfaceOnlySecCallback:<br />76d6595d 8bff mov edi,edi<br />0:009> bp 76d35026<br />*** ERROR: Symbol file could not be found. 
Defaulted to export symbols for C:\WINDOWS\system32\RPCRT4.dll -<br />0:009> bp 76d35050<br />0:009> g<br />Breakpoint 0 hit<br />eax=0063fce8 ebx=0008f870 ecx=000004f4 edx=7c82ed54 esi=000edd18 edi=00000000<br />eip=76d35026 esp=0063fcb8 ebp=0063fcf0 iopl=0 nv up ei pl nz na pe nc<br />cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206<br />rpcss!CheckForAccess+0x1f:<br />76d35026 50 push eax<br />0:009> d ds:eax<br />0023:0063fce8 30 3d 08 00 01 16 d3 76-48 fd 63 00 66 5a d6 76 0=.....vH.c.fZ.v<br />0023:0063fcf8 f4 04 00 00 e8 f7 08 00-04 00 00 00 a8 b4 09 00 ................<br />0023:0063fd08 80 fd 63 00 a4 b5 09 00-01 00 00 00 05 00 00 00 ..c.............<br />0023:0063fd18 70 fd 63 00 01 00 00 00-e8 84 0b 00 a0 01 00 00 p.c.............<br />0023:0063fd28 00 00 00 00 c0 00 00 00-00 00 00 46 b8 4a 9f 4d ...........F.J.M<br />0023:0063fd38 1c 7d cf 11 86 1e 00 20-af 6e 7c 57 32 fd 00 00 .}..... .nW2...<br />0023:0063fd48 a0 fd 63 00 3b 17 c7 77-70 fd 63 00 18 dd 0e 00 ..c.;..wp.c.....<br />0023:0063fd58 18 dd 0e 00 b0 83 0c 00-00 00 00 00 88 fd 63 00 ..............c.<br />0:009> g<br />Breakpoint 2 hit<br />eax=00000001 ebx=0008f870 ecx=0063fcd8 edx=0063fce8 esi=00000001 edi=00000000<br />eip=76d35050 esp=0063fcbc ebp=0063fcf0 iopl=0 nv up ei pl nz na po nc<br />cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202<br />rpcss!CheckForAccess+0x49:<br />76d35050 85c0 test eax,eax<br />0:009> d ds:0063fce8<br />0023:0063fce8 fc f7 08 00 01 00 00 00-48 fd 63 00 66 5a d6 76 ........H.c.fZ.v<br />0023:0063fcf8 f4 04 00 00 e8 f7 08 00-04 00 00 00 a8 b4 09 00 ................<br />0023:0063fd08 80 fd 63 00 a4 b5 09 00-01 00 00 00 05 00 00 00 ..c.............<br />0023:0063fd18 70 fd 63 00 01 00 00 00-e8 84 0b 00 a0 01 00 00 p.c.............<br />0023:0063fd28 00 00 00 00 c0 00 00 00-00 00 00 46 b8 4a 9f 4d ...........F.J.M<br />0023:0063fd38 1c 7d cf 11 86 1e 00 20-af 6e 7c 57 32 fd 00 00 .}..... 
.nW2...<br />0023:0063fd48 a0 fd 63 00 3b 17 c7 77-70 fd 63 00 18 dd 0e 00 ..c.;..wp.c.....<br />0023:0063fd58 18 dd 0e 00 b0 83 0c 00-00 00 00 00 88 fd 63 00 ..............c.<br />0:009> !acl 0008f7fc<br />ACL is:<br />ACL is: ->AclRevision: 0x2<br />ACL is: ->Sbz1 : 0x0<br />ACL is: ->AclSize : 0x48<br />ACL is: ->AceCount : 0x3<br />ACL is: ->Sbz2 : 0x0<br />ACL is: ->Ace[0]: ->AceType: ACCESS_ALLOWED_ACE_TYPE<br />ACL is: ->Ace[0]: ->AceFlags: 0x0<br />ACL is: ->Ace[0]: ->AceSize: 0x14<br />ACL is: ->Ace[0]: ->Mask : 0x00000007<br />ACL is: ->Ace[0]: ->SID: S-1-5-7<br />ACL is: ->Ace[1]: ->AceType: ACCESS_ALLOWED_ACE_TYPE<br />ACL is: ->Ace[1]: ->AceFlags: 0x0<br />ACL is: ->Ace[1]: ->AceSize: 0x18<br />ACL is: ->Ace[1]: ->Mask : 0x00000007<br />ACL is: ->Ace[1]: ->SID: S-1-5-32-562<br />ACL is: ->Ace[2]: ->AceType: ACCESS_ALLOWED_ACE_TYPE<br />ACL is: ->Ace[2]: ->AceFlags: 0x0<br />ACL is: ->Ace[2]: ->AceSize: 0x14<br />ACL is: ->Ace[2]: ->Mask : 0x00000007<br />ACL is: ->Ace[2]: ->SID: S-1-1-0<br />0:009> !acl 0008f7fc 1<br />ACL is:<br />ACL is: ->AclRevision: 0x2<br />ACL is: ->Sbz1 : 0x0<br />ACL is: ->AclSize : 0x48<br />ACL is: ->AceCount : 0x3<br />ACL is: ->Sbz2 : 0x0<br />ACL is: ->Ace[0]: ->AceType: ACCESS_ALLOWED_ACE_TYPE<br />ACL is: ->Ace[0]: ->AceFlags: 0x0<br />ACL is: ->Ace[0]: ->AceSize: 0x14<br />ACL is: ->Ace[0]: ->Mask : 0x00000007<br />ACL is: ->Ace[0]: ->SID: S-1-5-7 (Well Known Group: NT AUTHORITY\ANONYMOUS LOGON)<br />ACL is: ->Ace[1]: ->AceType: ACCESS_ALLOWED_ACE_TYPE<br />ACL is: ->Ace[1]: ->AceFlags: 0x0<br />ACL is: ->Ace[1]: ->AceSize: 0x18<br />ACL is: ->Ace[1]: ->Mask : 0x00000007<br />ACL is: ->Ace[1]: ->SID: S-1-5-32-562 (Alias: BUILTIN\Distributed COM Users)<br />ACL is: ->Ace[2]: ->AceType: ACCESS_ALLOWED_ACE_TYPE<br />ACL is: ->Ace[2]: ->AceFlags: 0x0<br />ACL is: ->Ace[2]: ->AceSize: 0x14<br />ACL is: ->Ace[2]: ->Mask : 0x00000007<br />ACL is: ->Ace[2]: ->SID: S-1-1-0 (Well Known Group: localhost\Everyone)<br />0:009> g<br 
/>Breakpoint 0 hit<br />eax=0063fce8 ebx=0008f7d0 ecx=000004f4 edx=7c82ed54 esi=0063fd80 edi=00000000<br />eip=76d35026 esp=0063fcb8 ebp=0063fcf0 iopl=0 nv up ei pl nz na pe nc<br />cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206<br />rpcss!CheckForAccess+0x1f:<br />76d35026 50 push eax<br />0:009> d ds:eax<br />0023:0063fce8 30 3d 08 00 01 16 d3 76-48 fd 63 00 fa 5a d6 76 0=.....vH.c..Z.v<br />0023:0063fcf8 f4 04 00 00 60 f7 08 00-10 00 00 00 a8 b4 09 00 ....`...........<br />0023:0063fd08 80 fd 63 00 a4 b5 09 00-01 00 00 00 05 00 00 00 ..c.............<br />0023:0063fd18 70 fd 63 00 01 00 00 00-e8 84 0b 00 a0 01 00 00 p.c.............<br />0023:0063fd28 00 00 00 00 c0 00 00 00-00 00 00 46 b8 4a 9f 4d ...........F.J.M<br />0023:0063fd38 1c 7d cf 11 86 1e 00 20-af 6e 7c 57 32 fd 00 00 .}..... .nW2...<br />0023:0063fd48 a0 fd 63 00 3b 17 c7 77-70 fd 63 00 18 dd 0e 00 ..c.;..wp.c.....<br />0023:0063fd58 18 dd 0e 00 b0 83 0c 00-00 00 00 00 88 fd 63 00 ..............c.<br />0:009> g<br />Breakpoint 2 hit<br />eax=00000001 ebx=0008f7d0 ecx=0063fcd8 edx=0063fce8 esi=00000001 edi=00000000<br />eip=76d35050 esp=0063fcbc ebp=0063fcf0 iopl=0 nv up ei pl nz na po nc<br />cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202<br />rpcss!CheckForAccess+0x49:<br />76d35050 85c0 test eax,eax<br />0:009> d ds:0063fce8<br />0023:0063fce8 74 f7 08 00 01 00 00 00-48 fd 63 00 fa 5a d6 76 t.......H.c..Z.v<br />0023:0063fcf8 f4 04 00 00 60 f7 08 00-10 00 00 00 a8 b4 09 00 ....`...........<br />0023:0063fd08 80 fd 63 00 a4 b5 09 00-01 00 00 00 05 00 00 00 ..c.............<br />0023:0063fd18 70 fd 63 00 01 00 00 00-e8 84 0b 00 a0 01 00 00 p.c.............<br />0023:0063fd28 00 00 00 00 c0 00 00 00-00 00 00 46 b8 4a 9f 4d ...........F.J.M<br />0023:0063fd38 1c 7d cf 11 86 1e 00 20-af 6e 7c 57 32 fd 00 00 .}..... 
.nW2...<br />0023:0063fd48 a0 fd 63 00 3b 17 c7 77-70 fd 63 00 18 dd 0e 00 ..c.;..wp.c.....<br />0023:0063fd58 18 dd 0e 00 b0 83 0c 00-00 00 00 00 88 fd 63 00 ..............c.<br />0:009> !acl 0008f774 1<br />ACL is:<br />ACL is: ->AclRevision: 0x2<br />ACL is: ->Sbz1 : 0x0<br />ACL is: ->AclSize : 0x34<br />ACL is: ->AceCount : 0x2<br />ACL is: ->Sbz2 : 0x0<br />ACL is: ->Ace[0]: ->AceType: ACCESS_ALLOWED_ACE_TYPE<br />ACL is: ->Ace[0]: ->AceFlags: 0x0<br />ACL is: ->Ace[0]: ->AceSize: 0x18<br />ACL is: ->Ace[0]: ->Mask : 0x0000001f<br />ACL is: ->Ace[0]: ->SID: S-1-5-32-562 (Alias: BUILTIN\Distributed COM Users)<br />ACL is: ->Ace[1]: ->AceType: ACCESS_ALLOWED_ACE_TYPE<br />ACL is: ->Ace[1]: ->AceFlags: 0x0<br />ACL is: ->Ace[1]: ->AceSize: 0x14<br />ACL is: ->Ace[1]: ->Mask : 0x0000000b<br />ACL is: ->Ace[1]: ->SID: S-1-1-0 (Well Known Group: localhost\Everyone)</span><br /><span style="font-family:courier new;font-size:85%;"><br /></span>Conclusion, at least in this case:<br /></span><br />The error message from DEVENV.EXE is misleading and does not match what actually happens on the server. Decoding the masks with the COM_RIGHTS_* values from iaccess.h (1 execute, 2 local, 4 remote, 8 local activation, 0x10 remote activation): the first ACL, with mask 0x7 for Anonymous, Distributed COM Users and Everyone, is the access permission, and it lets Everyone call remotely. The second ACL is the launch and activation permission, and there only BUILTIN\Distributed COM Users (mask 0x1f) may activate remotely; Everyone has 0x0b, i.e. local launch and local activation only. That second check is the one that fails with E_ACCESSDENIED for an account that is not in that group. 
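<br /><br />The decoding summarised in that conclusion, as an added Python example (not code from the original post or from Microsoft): it reads the CLSID bytes and the COAUTHINFO dwords from the client-side dumps, parses the two !acl listings from the server session, and evaluates whether a given set of token SIDs would pass the remote-activation check. The byte strings and ACL text are constructed from the dumps shown in this post; the evaluation is a simplification of what RPCSS does, reduced to the two rights involved here:<br /><br />

```python
import re
import struct
import uuid

# COM access/launch rights (iaccess.h).
COM_RIGHTS = {0x01: "COM_RIGHTS_EXECUTE", 0x02: "COM_RIGHTS_EXECUTE_LOCAL",
              0x04: "COM_RIGHTS_EXECUTE_REMOTE", 0x08: "COM_RIGHTS_ACTIVATE_LOCAL",
              0x10: "COM_RIGHTS_ACTIVATE_REMOTE"}
RPC_AUTHN = {10: "RPC_C_AUTHN_WINNT"}
RPC_AUTHN_LEVEL = {2: "RPC_C_AUTHN_LEVEL_CONNECT"}
RPC_IMP_LEVEL = {3: "RPC_C_IMP_LEVEL_IMPERSONATE"}

# Bytes as dumped in the post (constructed here from those listings).
CLSID_BYTES = bytes.fromhex("fd 5f b2 73 01 f5 7b 43 8b 11 7f 0d e3 83 96 4f")
COAUTHINFO_BYTES = bytes.fromhex(
    "0a 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00"
    "03 00 00 00 00 00 00 00 00 00 00 00"
)
# The two !acl dumps, reduced to the lines the parser needs.
ACCESS_ACL = """\
ACL is: ->Ace[0]: ->AceType: ACCESS_ALLOWED_ACE_TYPE
ACL is: ->Ace[0]: ->Mask : 0x00000007
ACL is: ->Ace[0]: ->SID: S-1-5-7 (Well Known Group: NT AUTHORITY\\ANONYMOUS LOGON)
ACL is: ->Ace[1]: ->AceType: ACCESS_ALLOWED_ACE_TYPE
ACL is: ->Ace[1]: ->Mask : 0x00000007
ACL is: ->Ace[1]: ->SID: S-1-5-32-562 (Alias: BUILTIN\\Distributed COM Users)
ACL is: ->Ace[2]: ->AceType: ACCESS_ALLOWED_ACE_TYPE
ACL is: ->Ace[2]: ->Mask : 0x00000007
ACL is: ->Ace[2]: ->SID: S-1-1-0 (Well Known Group: localhost\\Everyone)
"""
LAUNCH_ACL = """\
ACL is: ->Ace[0]: ->AceType: ACCESS_ALLOWED_ACE_TYPE
ACL is: ->Ace[0]: ->Mask : 0x0000001f
ACL is: ->Ace[0]: ->SID: S-1-5-32-562 (Alias: BUILTIN\\Distributed COM Users)
ACL is: ->Ace[1]: ->AceType: ACCESS_ALLOWED_ACE_TYPE
ACL is: ->Ace[1]: ->Mask : 0x0000000b
ACL is: ->Ace[1]: ->SID: S-1-1-0 (Well Known Group: localhost\\Everyone)
"""


def clsid_from_memory(raw16):
    """GUID as it sits in memory: first three fields little-endian, the last
    eight bytes in order (so the 4th group is 8B11, not a byte-swapped 118B)."""
    return str(uuid.UUID(bytes_le=raw16)).upper()


def decode_coauthinfo(raw):
    """COAUTHINFO on 32-bit Windows: seven DWORD-sized fields."""
    f = struct.unpack_from("<7I", raw)
    return {"dwAuthnSvc": RPC_AUTHN.get(f[0], f[0]),
            "dwAuthzSvc": "RPC_C_AUTHZ_NONE" if f[1] == 0 else f[1],
            "pwszServerPrincName": f[2],
            "dwAuthnLevel": RPC_AUTHN_LEVEL.get(f[3], f[3]),
            "dwImpersonationLevel": RPC_IMP_LEVEL.get(f[4], f[4]),
            "pAuthIdentityData": f[5], "dwCapabilities": f[6]}


ACE_RE = re.compile(r"->Ace\[(\d+)\]: ->(\w+)\s*:\s*(\S+)")


def parse_acl_dump(text):
    """Turn WinDBG !acl output into a list of ACEs in their original order."""
    aces = {}
    for m in ACE_RE.finditer(text):
        idx, field, value = int(m.group(1)), m.group(2), m.group(3)
        aces.setdefault(idx, {})[field] = int(value, 16) if value.startswith("0x") else value
    return [aces[i] for i in sorted(aces)]


def rights(mask):
    return [name for bit, name in sorted(COM_RIGHTS.items()) if mask & bit]


def is_granted(aces, token_sids, right):
    """First ACE in order that names one of the caller's SIDs and covers the
    right decides; a deny ACE met first wins, as in a canonical DACL."""
    for ace in aces:
        if ace["SID"] in token_sids and ace["Mask"] & right:
            return ace["AceType"] == "ACCESS_ALLOWED_ACE_TYPE"
    return False


def remote_activation_allowed(launch_aces, access_aces, token_sids):
    """Simplified RPCSS decision for a remote CoCreateInstanceEx: the caller
    needs ACTIVATE_REMOTE in the launch ACL and EXECUTE_REMOTE in the access ACL."""
    return (is_granted(launch_aces, token_sids, 0x10)
            and is_granted(access_aces, token_sids, 0x04))
```

<br /><br />A domain account that is not in Distributed COM Users carries Everyone (S-1-1-0) and Authenticated Users (S-1-5-11) in its token; the access ACL lets it through, the launch ACL does not, and that is the E_ACCESSDENIED seen on the client. Adding S-1-5-32-562 to the token flips the result, which is the narrowest change that fixes the problem.<br /><br />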
The activation request is handled by RPCSS.EXE on the server side, and RPCSS.EXE checks membership in <strong><span style="color:#3333ff;">BUILTIN\Distributed COM Users</span></strong>, <span style="color:#ff0000;"><strong>NOT BUILTIN\Debugger Users</strong></span>. So the group the account needs on the remote machine is Distributed COM Users (in addition to Debugger Users, which the debugger itself asks for), which is still a far narrower grant than local administrator.<br /><br />The relevant information about DCOM security and its relationship with CoCreateInstanceEx is here:<br /><br /><a href="http://msdn.microsoft.com/library/default.asp?url=/library/en-us/com/html/1917834c-5216-4ef3-a0c2-d8ca63cef53d.asp">http://msdn.microsoft.com/library/default.asp?url=/library/en-us/com/html/1917834c-5216-4ef3-a0c2-d8ca63cef53d.asp</a><br /><br />Summary of the important WinDBG commands used above:<br /><br /><span style="font-family:courier new;font-size:85%;">x (examine symbols)<br />kv (view the call stack with arguments)<br />uf <function> (disassemble a function)<br />!dh (display the PE headers of a loaded module, to get the executable properties of the module in question)<br />!acl (display the access control list at a given ACL pointer)</span>existhttp://www.blogger.com/profile/09946288432858107412noreply@blogger.com0tag:blogger.com,1999:blog-7479382983854330483.post-35279742760486796102007-06-30T02:31:00.000-07:002007-06-30T02:40:12.441-07:00Which W3WP.EXE to Debug ?Here is the scenario. A web service running in IIS 6.0 has a cryptic error, and you have to figure it out with the MS Visual Studio 2003 debugger. As you may already know, to debug a web application process on a remote computer you have to attach to the process that hosts it, which is W3WP.EXE.<br /><br />Well, after you open the Processes dialog, to your dismay you find more than one W3WP.EXE, each with a different process ID. 
The question is: which W3WP.EXE should the debugger attach to?<br /><br /><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhLulRcz6T7ul06evytviNoXLE8THVvfhg8wwdKNNlUrbZuJlzuXU7qoC-rvwJvsqoesRsnqbDNVVKmItml79jlWVbn8QNhRj8dAmFpitkKrpEBzYB1m7s4aKfFKrlUNrWeGKfASUcJUf8/s1600-h/which-w3wp1.gif"><img id="BLOGGER_PHOTO_ID_5081788288193887778" style="CURSOR: hand" alt="" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhLulRcz6T7ul06evytviNoXLE8THVvfhg8wwdKNNlUrbZuJlzuXU7qoC-rvwJvsqoesRsnqbDNVVKmItml79jlWVbn8QNhRj8dAmFpitkKrpEBzYB1m7s4aKfFKrlUNrWeGKfASUcJUf8/s320/which-w3wp1.gif" border="0" /></a><br /><br />You can find out with the command-line script IISApp (iisapp.vbs, installed with IIS 6.0), which lists each W3WP.EXE process ID together with the application pool it serves:<br /><br /><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgUbv6KM8_5SuoBYQMqA0NOL9fbSA99Fw39Nw54M6lm_QzdhYJOLKti1k58VvxnFJ-JD9CDgZguY0wwRGl-b5UdUKWHmnAB2Ig4xYHfFjDjVzZbQQj3hNffBfh-QRsAJQefwULScc1C7RI/s1600-h/which-w3wp2.gif"><img id="BLOGGER_PHOTO_ID_5081788292488855090" style="CURSOR: hand" alt="" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgUbv6KM8_5SuoBYQMqA0NOL9fbSA99Fw39Nw54M6lm_QzdhYJOLKti1k58VvxnFJ-JD9CDgZguY0wwRGl-b5UdUKWHmnAB2Ig4xYHfFjDjVzZbQQj3hNffBfh-QRsAJQefwULScc1C7RI/s320/which-w3wp2.gif" border="0" /></a><br /><br />The AppPoolId is the application pool in which your web application runs. Usually that is DefaultAppPool, but every pool gets its own W3WP.EXE (and more than one if the pool is configured as a web garden), which is why several copies show up. 
To verify that your application really does run in a particular application pool, use the IIS 6.0 Manager snap-in:<br /><br /><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhlIOzH1doQ1ziW-VRrM0SIK9uWG6shHg6_5ZmO9MOsHAUr2EAg8DXjJP2L1nzRYe-mr4kxS450wGWDnLrWUAkWIY0FpnkAtT3nS1xYHuF5AxipIIX4pwC9x7aMZU8ONV-3UNgWV2n4faQ/s1600-h/which-w3wp3.gif"><img id="BLOGGER_PHOTO_ID_5081788296783822402" style="CURSOR: hand" alt="" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhlIOzH1doQ1ziW-VRrM0SIK9uWG6shHg6_5ZmO9MOsHAUr2EAg8DXjJP2L1nzRYe-mr4kxS450wGWDnLrWUAkWIY0FpnkAtT3nS1xYHuF5AxipIIX4pwC9x7aMZU8ONV-3UNgWV2n4faQ/s320/which-w3wp3.gif" border="0" /></a><br /><br />In the above example, the gear icons below "DefaultAppPool" are all the web applications that run in that application pool.<br /><br />Once you know which application pool your web application runs in, note the PID that IISApp shows for it, pick that process in the Attach dialog, and your debugger will break at the desired location.<br /><br />For precisely how to do the debugging, consult another post in this blog. Wishing you happy web service debugging :) !existhttp://www.blogger.com/profile/09946288432858107412noreply@blogger.com12tag:blogger.com,1999:blog-7479382983854330483.post-22069610814875732742007-06-30T00:39:00.000-07:002007-06-30T01:11:05.968-07:00How to Do Web Service Debug in Remote Computer (Visual Studio 2003) ?This works with MS Visual Studio 2003 and assumes that the remote server is running IIS 6.0.<br /><br />First, find the W3WP.EXE process associated with that web service; if there are several W3WP.EXE processes in the process list, you can identify the right one with the IISAPP command line. If you don't know how to do that, you can find it in another article in my blog :)<br /><br />Please note that "SPS" in this screen refers to the remote computer name. 
You have to be a member of Debugger Users on that remote computer (and, as the post on the Visual Studio 2003 debugging problem shows, of Distributed COM Users as well, since the connection goes over DCOM). If that works, the processes on the remote computer are displayed as shown:<br /><br /><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg3BxcXFrA1_N14RdOKw_2YrXjHPFRC5mij90WF7BZJ1FZMx98UEwzENpOBuJ6b9GmFqZ4vJroDsOhyphenhyphenxCCagfaadXP-cEvOG1e01YCYni5YWUWfP56yK6dUKDVk48a414UFplLnTfSpU1s/s1600-h/web-svcdbg1.gif"><img id="BLOGGER_PHOTO_ID_5081759292869672386" style="CURSOR: hand" alt="" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg3BxcXFrA1_N14RdOKw_2YrXjHPFRC5mij90WF7BZJ1FZMx98UEwzENpOBuJ6b9GmFqZ4vJroDsOhyphenhyphenxCCagfaadXP-cEvOG1e01YCYni5YWUWfP56yK6dUKDVk48a414UFplLnTfSpU1s/s320/web-svcdbg1.gif" border="0" /></a><br /><br />What if an error message shows up instead? No problem, that is already solved in yet another article in this blog :)<br /><br />Next, set the project that contains the web service as the startup project, then set a breakpoint on the web service method to be debugged using the New Breakpoint dialog (Function tab). You have to type the method name in full, starting from the outermost namespace, e.g. Aaaa.Bbbb.MethodName, and with the exact case. Sorry, I can't show you the exact function name in this screen because of the proprietary nature of this application. 
You can ask more about this in the comments provided on this blog.<br /><br /><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhmNbfm_Xs6hsHwIqGDGBCepJZX0UlagbmZrGbuU4_ggnIu3s0byTtKw1c4DXs-pcxGDBUYlLdpj-hvDpCk6QYuP8Qjl5s_P2oQv1SkurXkAuLnWe-l1g_ZDvlE6H-AyFj9Ak02D_Wwa70/s1600-h/web-svcdbg2.gif"><img id="BLOGGER_PHOTO_ID_5081766113277738514" style="CURSOR: hand" alt="" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhmNbfm_Xs6hsHwIqGDGBCepJZX0UlagbmZrGbuU4_ggnIu3s0byTtKw1c4DXs-pcxGDBUYlLdpj-hvDpCk6QYuP8Qjl5s_P2oQv1SkurXkAuLnWe-l1g_ZDvlE6H-AyFj9Ak02D_Wwa70/s320/web-svcdbg2.gif" border="0" /></a><br /><br /><div>Run the application (in your favorite web browser) that uses that web service method, and you're done :) </div><div><br /><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjNEzPYF2NJESELvSv72kLnSH9zofTIR-MWP1mvKd3CKthSERhOENoEAO8yoeXJdthXLGVqnzOAx3ZzMrwJ4N5zTIrjwIEZ7Tas8J3IbLEkp9RlNMQhjDmacKtX5LREHakdnLHgP0ny0k4/s1600-h/web-svcdbg3.gif"><img id="BLOGGER_PHOTO_ID_5081762943591874034" style="CURSOR: hand" alt="" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjNEzPYF2NJESELvSv72kLnSH9zofTIR-MWP1mvKd3CKthSERhOENoEAO8yoeXJdthXLGVqnzOAx3ZzMrwJ4N5zTIrjwIEZ7Tas8J3IbLEkp9RlNMQhjDmacKtX5LREHakdnLHgP0ny0k4/s320/web-svcdbg3.gif" border="0" /></a></div><br />existhttp://www.blogger.com/profile/09946288432858107412noreply@blogger.com1tag:blogger.com,1999:blog-7479382983854330483.post-90606180649240456852007-06-29T23:44:00.000-07:002007-06-30T00:19:21.209-07:00Which Service that is Hosted by SVCHOST.EXE ?If you view the task list on MS Windows Server 2003, you will see a typical screen like this:<br /><div><br /> <a 
href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjxn5H6utbrBySqodzN0oeLb4YnjZLDuKeKeoG6ke2IpFG-K00TPaMA2KDxfimgxG9CQyocM7zvRUMGsIFNVB0ACmHBYbFSMdu4YDfO9ziZtef50wlCoPDFvZU5hpRq0VjTH-YyLGPsneo/s1600-h/which-svc1.gif"><img id="BLOGGER_PHOTO_ID_5081751841101413778" style="FLOAT: left; MARGIN: 0px 10px 10px 0px; CURSOR: hand" height="175" alt="" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjxn5H6utbrBySqodzN0oeLb4YnjZLDuKeKeoG6ke2IpFG-K00TPaMA2KDxfimgxG9CQyocM7zvRUMGsIFNVB0ACmHBYbFSMdu4YDfO9ziZtef50wlCoPDFvZU5hpRq0VjTH-YyLGPsneo/s320/which-svc1.gif" width="345" border="0" /></a><br /></div><br /><div></div><br /><div></div><br /><div></div><br /><div></div><br /><div></div><br /><div></div><br /><div></div><br /><div></div><br /><div></div><br /><div>To show which service that is hosted by SVCHOST.EXE, you can use the /svc in the tasklist command line as shown in this picture :</div><br /><div></div><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj1-QlNye-RbTJP8LQQ1FS18ZqGWW4eOuXZAWiV7nYty3dKymIsH9jCsPGum-kg9XfHdrK6VuT38gygn_KUy-FhAi1tPUAI7YBmzXDATZxWm9XWr2MqIBMBZL9sXKyiQADBVmZ4wbeP9R0/s1600-h/which-svc2.gif"><img id="BLOGGER_PHOTO_ID_5081752777404284338" style="FLOAT: left; MARGIN: 0px 10px 10px 0px; WIDTH: 373px; CURSOR: hand; HEIGHT: 186px" height="144" alt="" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj1-QlNye-RbTJP8LQQ1FS18ZqGWW4eOuXZAWiV7nYty3dKymIsH9jCsPGum-kg9XfHdrK6VuT38gygn_KUy-FhAi1tPUAI7YBmzXDATZxWm9XWr2MqIBMBZL9sXKyiQADBVmZ4wbeP9R0/s320/which-svc2.gif" width="403" border="0" /></a><br /><div></div><br /><div></div><br /><div><br /></div><br /><div> </div><div> </div><div> </div><div> </div><div> </div><div> </div><div><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjDNCSb1f-4lUOVa_2a3ue6x20bHagURWagf_XQ7M_aFBTJtXraHXnQuE2Csz0neXS9ycmu3GgvJZrhtbvFZIPEJZGVJmiJo09Ura-nDsNFttmol9-44P-Lfm-0zzMLINmCbutF1kJYk7g/s1600-h/which-svc2.gif"></a> 
</div>existhttp://www.blogger.com/profile/09946288432858107412noreply@blogger.com1
