Thursday, February 28, 2008

WinDbg Symbols for ntoskrnl.exe

In this case the OS was Windows Vista 64-bit with SP1 RTM applied,
so the kernel was "6001.18000.amd64fre.longhorn_rtm.080118-1840".

I tried setting WinDbg to load symbols across the Internet
from Microsoft's symbol server, but I got errors like the following:

ERROR: Module load completed but symbols could not be loaded for ntoskrnl.exe
Kernel symbols are WRONG. Please fix symbols to do analysis.
Your debugger is not using the correct symbols
Type referenced: nt!_KPRCB

So I decided to download the symbols from here:

I extracted them onto my hard drive, updated my symbols path,
but I still got the same errors.

I discovered that to fix this, you need to go into
the SYMBOLS\EXE folder and copy the file 'ntkrnlmp.pdb'
to 'ntoskrnl.pdb'. (The kernel installed as ntoskrnl.exe on a
multiprocessor system is the multiprocessor build, ntkrnlmp.exe,
which is why its symbol file is named ntkrnlmp.pdb rather than
ntoskrnl.pdb.)
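The "Kernel symbols are WRONG" message means the PDB WinDbg found does not match what the loaded image asks for. Every PE image records, in the CodeView (RSDS) entry of its debug directory, the exact PDB file name, GUID and age the debugger must find, and the symbol-server path it will look up is derived from those three values. The script below is an added example, not code from the original post: it parses that record so you can see which .pdb name the kernel really requests before renaming or copying anything. The function names `debug_pdb_info`, `build_sample_pe` and `symstore_path`, the sample GUID and the synthetic image are all mine; the PE structures and offsets are the documented ones. Run it with a path to a real ntoskrnl.exe, or with no argument to see it work on the constructed sample. In WinDbg itself, `!lmi nt` shows the same RSDS GUID, age and PDB name, and `!sym noisy` followed by `.reload /f nt` prints every path the debugger tries.

```python
"""Read the CodeView (RSDS) record from a PE image's debug directory.

Shows which .pdb name, GUID and age the image requests and the relative
path a symbol server or symbol cache uses for it. Added example; the
sample image built by build_sample_pe() is constructed, not a real kernel.
"""
import struct
import sys
import uuid

IMAGE_DIRECTORY_ENTRY_DEBUG = 6   # index into the optional header's data directories
IMAGE_DEBUG_TYPE_CODEVIEW = 2

# Constructed sample values (assumptions for the offline demo, not real kernel data).
SAMPLE_NAME = "ntkrnlmp.pdb"
SAMPLE_GUID = uuid.UUID("00112233-4455-6677-8899-aabbccddeeff")
SAMPLE_AGE = 2


def _rva_to_offset(rva, sections):
    """Map a relative virtual address to a file offset using the section table."""
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError("RVA 0x%x is not inside any section" % rva)


def debug_pdb_info(data):
    """Return (pdb_name, guid_hex, age) from the first RSDS CodeView entry."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsections, = struct.unpack_from("<H", data, pe_off + 6)  # COFF NumberOfSections
    opt_size, = struct.unpack_from("<H", data, pe_off + 20)  # COFF SizeOfOptionalHeader
    opt_off = pe_off + 24
    magic, = struct.unpack_from("<H", data, opt_off)
    # Data directories begin 96 bytes (PE32) or 112 bytes (PE32+) into the optional header.
    dd_off = opt_off + (112 if magic == 0x20B else 96)
    dbg_rva, dbg_size = struct.unpack_from("<II", data, dd_off + 8 * IMAGE_DIRECTORY_ENTRY_DEBUG)
    if dbg_rva == 0:
        raise ValueError("image has no debug directory")
    sec_off = opt_off + opt_size
    sections = []
    for i in range(nsections):
        # IMAGE_SECTION_HEADER: Name[8], VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, sec_off + 40 * i + 8)
        sections.append((va, vsize, raw_ptr, raw_size))
    dbg_off = _rva_to_offset(dbg_rva, sections)
    for e in range(dbg_size // 28):
        # IMAGE_DEBUG_DIRECTORY (28 bytes): Characteristics, TimeDateStamp, Major, Minor,
        # Type, SizeOfData, AddressOfRawData, PointerToRawData
        _, _, _, _, dtype, size, _, ptr = struct.unpack_from("<IIHHIIII", data, dbg_off + 28 * e)
        if dtype != IMAGE_DEBUG_TYPE_CODEVIEW:
            continue
        rec = data[ptr:ptr + size]
        if rec[:4] != b"RSDS":
            continue
        guid = uuid.UUID(bytes_le=rec[4:20])              # GUID is stored little-endian
        age, = struct.unpack_from("<I", rec, 20)
        name = rec[24:].split(b"\0", 1)[0].decode("ascii", "replace")
        return name, str(guid).upper().replace("-", ""), age
    raise ValueError("no RSDS CodeView record found")


def symstore_path(pdb_name, guid_hex, age):
    """Relative path symsrv uses: <pdb>/<GUID><age in hex>/<pdb>."""
    base = pdb_name.rsplit("\\", 1)[-1]
    return "%s/%s%X/%s" % (base, guid_hex, age, base)


def build_sample_pe(pdb_name, guid, age):
    """Constructed minimal PE32+ image with one section holding a debug
    directory and an RSDS record, so the example runs offline."""
    rsds = b"RSDS" + guid.bytes_le + struct.pack("<I", age) + pdb_name.encode() + b"\0"
    sec_va, sec_raw = 0x1000, 0x200
    dbg_dir = struct.pack("<IIHHIIII", 0, 0, 0, 0, IMAGE_DEBUG_TYPE_CODEVIEW,
                          len(rsds), sec_va + 28, sec_raw + 28)
    section_data = (dbg_dir + rsds).ljust(0x200, b"\0")
    pe_off = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", pe_off)
    # COFF header: Machine=x64, 1 section, SizeOfOptionalHeader=240 (PE32+ with 16 dirs)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x22)
    opt = struct.pack("<H", 0x20B).ljust(112, b"\0")
    dirs = bytearray(16 * 8)
    struct.pack_into("<II", dirs, 8 * IMAGE_DIRECTORY_ENTRY_DEBUG, sec_va, len(dbg_dir))
    opt += bytes(dirs)
    sec_hdr = b".rdata\0\0" + struct.pack("<IIIIIIHHI", len(section_data), sec_va,
                                           len(section_data), sec_raw, 0, 0, 0, 0, 0x40000040)
    header = (dos + coff + opt + sec_hdr).ljust(sec_raw, b"\0")
    return header + section_data


def demo():
    """Round-trip the constructed sample; returns (name, guid_hex, age, symsrv path)."""
    name, guid_hex, age = debug_pdb_info(build_sample_pe(SAMPLE_NAME, SAMPLE_GUID, SAMPLE_AGE))
    return name, guid_hex, age, symstore_path(name, guid_hex, age)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            n, g, a = debug_pdb_info(f.read())
        print("PDB: %s  GUID: %s  Age: %d  ->  %s" % (n, g, a, symstore_path(n, g, a)))
    else:
        print("sample: %s  GUID: %s  Age: %d  ->  %s" % demo())
```

If the name printed for your kernel is ntkrnlmp.pdb, that is the file the debugger must be able to find under your symbol path (or in the symbol cache at the path `symstore_path` prints), and any PDB with a different GUID or age will be rejected as mismatched regardless of its name.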