
MAP File Browser Help


Decoding an Event Viewer XML crash log


Scenario:

 

A customer has supplied you with data from Windows Event Viewer about a crash. The log contains XML and you don't know which values are relevant.

 

The event log data will have a provider name of "Windows Error Reporting" or "Application Error".

 

The XML data is found on the "Details" tab with the XML View radio box selected.

 

Example Data:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"> 
  <System> 
    <Provider Name="Application Error" /> 
    <EventID Qualifiers="0">1000</EventID> 
    <Level>2</Level> 
    <Task>100</Task> 
    <Keywords>0x80000000000000</Keywords> 
    <TimeCreated SystemTime="2020-02-11T10:42:39.000000000Z" /> 
    <EventRecordID>260330</EventRecordID> 
    <Channel>Application</Channel> 
    <Computer>hydra</Computer> 
    <Security /> 
  </System> 
  <EventData> 
    <Data>testDeliberateCrashVS6.exe</Data> 
    <Data>1.0.0.1</Data> 
    <Data>5e42850d</Data> 
    <Data>testDeliberateCrashVS6.exe</Data> 
    <Data>1.0.0.1</Data> 
    <Data>5e42850d</Data> 
    <Data>c0000005</Data> 
    <Data>00001d07</Data> 
    <Data>1490</Data> 
    <Data>01d5e0c7fa70e745</Data> 
    <Data>E:\om\c\testApps\testDeliberateCrashVS6\Debug\testDeliberateCrashVS6.exe</Data> 
    <Data>E:\om\c\testApps\testDeliberateCrashVS6\Debug\testDeliberateCrashVS6.exe</Data> 
    <Data>390bde30-4cbb-11ea-83d3-001e4fdb3956</Data> 
    <Data /> 
    <Data /> 
  </EventData> 
</Event>

 

This is data from a test program that is designed to crash.
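To show which of the unlabelled values matter, the following added example (not part of MapFileBrowser or its documentation) labels the positional Data fields of an "Application Error" event with EventID 1000 and decodes the hexadecimal ones. The function name, field names and the trimmed SAMPLE string are assumptions made for this illustration, and the different field layout of "Windows Error Reporting" events is not handled.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Positional meaning of <Data> in an "Application Error" event, EventID 1000.
# These key names are hypothetical labels chosen for this example.
FIELDS = ["app_name", "app_version", "app_timestamp",
          "module_name", "module_version", "module_timestamp",
          "exception_code", "fault_offset", "process_id", "app_start_time",
          "app_path", "module_path", "report_id"]

NTSTATUS = {0xC0000005: "STATUS_ACCESS_VIOLATION"}  # only the code seen on this page

# Constructed sample: the page's example event, trimmed to the elements used here.
SAMPLE = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Application Error" /><EventID Qualifiers="0">1000</EventID></System>
  <EventData>
    <Data>testDeliberateCrashVS6.exe</Data><Data>1.0.0.1</Data><Data>5e42850d</Data>
    <Data>testDeliberateCrashVS6.exe</Data><Data>1.0.0.1</Data><Data>5e42850d</Data>
    <Data>c0000005</Data><Data>00001d07</Data><Data>1490</Data><Data>01d5e0c7fa70e745</Data>
    <Data>E:\om\c\testApps\testDeliberateCrashVS6\Debug\testDeliberateCrashVS6.exe</Data>
    <Data>E:\om\c\testApps\testDeliberateCrashVS6\Debug\testDeliberateCrashVS6.exe</Data>
    <Data>390bde30-4cbb-11ea-83d3-001e4fdb3956</Data><Data /><Data />
  </EventData>
</Event>"""

def decode_crash_event(xml_text):
    # Customer-supplied XML is untrusted input: refuse DTDs so no entity is expanded.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD/entity declarations are not expected in an event record")
    root = ET.fromstring(xml_text)
    provider = root.find("e:System/e:Provider", NS).get("Name")
    event_id = root.findtext("e:System/e:EventID", namespaces=NS)
    if provider != "Application Error" or event_id != "1000":
        raise ValueError(f"unsupported event: {provider!r} id {event_id}")
    values = [(d.text or "").strip() for d in root.findall("e:EventData/e:Data", NS)]
    rec = dict(zip(FIELDS, values))  # trailing empty <Data /> elements are dropped
    rec["exception_name"] = NTSTATUS.get(int(rec["exception_code"], 16), "unknown")
    rec["fault_offset"] = int(rec["fault_offset"], 16)  # offset from module load address
    rec["process_id"] = int(rec["process_id"], 16)
    # The module time stamp is the PE link time, in seconds since the Unix epoch.
    built = datetime.fromtimestamp(int(rec["module_timestamp"], 16), timezone.utc)
    rec["module_built_utc"] = built.isoformat()
    return rec

if __name__ == "__main__":
    for key, value in decode_crash_event(SAMPLE).items():
        print(f"{key:18} {value}")
```

The module name, module version and link time identify which build and PDB to load; the fault offset is the relative value that still has to be resolved to a symbol.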

 

Question:

The event log indicates a DLL, but no load address, two different addresses, an exception code and an offset from the start of the DLL. How do you decode this relative offset?

 

Answer:

MapFileBrowser has an option specifically for this occasion.
 
The XML data indicates the crash happened in testDeliberateCrashVS6.exe. Load this into MapFileBrowser, making sure that you load the correct build version and that the PDB file can be found so that symbols get loaded.

 

From the Query menu choose Find Symbol from Event Viewer XML crash log....

 


 

The Query Symbol by Absolute Address dialog is displayed.

 


 

Paste the XML data from the Event Viewer into the text field.

 

Click the Find Symbol button.

 


 

The appropriate location in the code is found and displayed.

 
