Using Process Explorer without an Internet Connection

Last year when we wrote our post on Memory Management – Understanding Pool Resources we mentioned that it was possible to use Process Explorer to view the limit for both Paged and NonPaged Pool.  In that post  we mentioned that you would need to install the Microsoft Debugging Tools and configure the Symbol Path so that Process Explorer could pull the information for the Paged and NonPaged Pool limits.  That all seemed fairly straightforward, right?  Well, that doesn’t always work so well for every customer – we have many customers who have systems that have no Internet connectivity at all, and in some cases no connectivity to any systems outside of the subnet on which they sit.  So short of capturing a dump file (which is not always feasible) and using the !vm command to view the memory information, how can we get this information?

The answer lies in the Debugging Tools themselves.  Install the Debugging Tools and Process Explorer on the system with no Network access (which we will call ISLAND for the purposes of this post) for which you want to view the information.  You will also need to install the Debugging Tools on a system that has access to the Internet (we’ll call this system CLOUD).  Once everything is installed, we can use the SYMCHECK.EXE utility with a couple of switches and our second machine to get the symbols we need.

On ISLAND, run the following command from a command prompt.  You’ll need to change directories to the folder in which you installed the Debugging Tools:  symchk.exe /om c:\symlist /if c:\windows\system32\ntoskrnl.exe as shown below:

This will create a manifest file called SYMLIST in the C: drive that has what looks like gibberish in it if you open it up in Notepad.

The information after the file name is the checksum for the file.  This is important information because we need to make sure that we pull down the proper symbols.  Take the C:\SYMLIST file over to CLOUD and run the following command: symchk.exe /im c:\symlist /s SRV*c:\symbols*http://msdl.microsoft.com/download/symbols – what we are doing here is telling SYMCHK.EXE to read the manifest file (C:\Symlist) and then get the appropriate symbols from Microsoft’s public symbol server (http://msdl.microsoft.com/download/symbols) and create a local symbol store (C:\Symbols).  This local store will be populated with the symbols for NTOSKRNL.EXE.

Now, take the C:\Symbols folder from CLOUD and copy it over to ISLAND.  The rest of the process involves configuring Process Explorer in the same way we did earlier – point to the proper DBGHELP.DLL file and our new C:\Symbols folder and we’re ready to view our Pool limits.

You can use these same commands to generate symbols if you want to view the thread stack of a process inside Process Explorer or even if you want to debug an application on the server itself.  Below are some other useful switches for SYMCHK.EXE:

• /if <Filename> - Input is a file name.  Wildcards can be used to specify the file name
• /id <DumpFile> - Input is a dump file
• /ih <HotFix> - Input is a self-extracting Hotfix cab
• /ie <ExeName> - Input is an application name that is currently running.  If the provided ExeName is '*', all currently running processes will be checked
• /im <ManifestList> - Input is a manifest previously created using the /om <file> option
• /ip <ProcessId> - Input is a process id. If the provided ProcessID is '*', all currently running processes will be checked
• /it <TextFileList>   Input is a list of files, one per line, inside of a text file

Hopefully this helps you out if you happen to be one of those customers with isolated networks!

- Sumesh P.

Share this post :