"Fortunate are those who take the first steps.” ― Paulo Coelho

What is GDI Object leaks and tips to detect..

Recently I worked for an office issue where Excel 2013 goes to frozen state after executing some time consuming VBA code/macro. It did some operations like – copy ranges and pasted over another sheet within the same workbook. The copy and paste operation iterates over some 100 thousand times depends on the data row etc. It took nearly 3-4 hours to complete the whole copy operation due to data density spreads to x columns with x number of rows.

Problem identification: We saw the application was very much alive but could not able to click or respond to our mouse events like maximize/minimize. Moreover it was slowing the system performance as well. We could not able to figure out the cause in the initial stage. But we tried tools like Procmon, windbg dumps, VMMAP etc could not give that heads up. But after checking the task manager GDI count, we come to know that this is sort of object leak – GDI Leaks creating this hang state/lock situation.

How to identify the GDI object leaks? It is so simple to check such leaks from the task manager itself. Launch the taskmanager > details tab > right click any of the existing column > then ‘Select Columns” enable GDI Object to get added to the details process grid. From there you can keep a note of the count to conclude whether its a GDI leak or not. Typically, you would find this count in hundreds, but in case if you notice them in thousands and also incremented, then something sure to do with GDI leak fix.

What is GDI Objects? According to this MSDN article – GDI Objects are resources that are managed by GDI32.DLL on behalf of an application. Some of the common GDI Objects we consume directly/indirectly through code – Device Contexts (DCs), Bitmaps, Brushes, Fonts, Metafiles, Pens, and Regions etc. These objects gets created using API call but when never gets destructed after usage – this would lead to this leak situation. As like in .NET, it is recommended to dispose of when not interested with that ready to cleaned objects. Of-course, we do this very judiciously, but at times when our code path not cleaned after some exception or some condition branching stops us to do so, then this would be a show stopper for sure :).

What is the limit? It is limited to 64,536 (64k) GDI handles per user session- across all process. But for any individual process, the upper limit is 10000. System allows us to create these many handles and then halts after reaching this limit. You could also try tweaking this limit from registry, but generally not advised to do so due to various reasons like -affects other application performance etc.

What happens after reaching this 10,000 limit? The application would be alive as I said earlier but of no use. It is starving to create further GDI Objects to render it but indefinite halt after that due to no more Create handles permitted. When an application goes out of resources, then the create API call to functions like CreateFont, CreateDC etc would fail with this error : ERROR_INVALID_HANDLE.

There are some tools and guidance to research more on this, but I see very limited materials around this in net. I suggest the below links.

Very old cached MSDN article(thanks to google cache)

Debugging a GDI Resource Leak

Suggested to try these Office June updates in case of such leaks (enhances copy paste operation speed) (some fixes around object leaks)

This slideshow requires JavaScript.

Update : 19-July
From scott blog, I found this nice tool to see the GDI count under types –

July 2, 2015 Posted by | .NET General, Memory, windbg | , , , | Leave a comment

How to debug an unmanaged exe under Windbg

Assume that we have got an exe(unmanaged/managed) which is crashing/hang/wanted to debug and see the intermediate values etc. For this example, I have used the below simple cpp program compiled to exe.

Steps for debugging this complied exe in Windbg:

1) Launch Windbg, -> Open Executable, browse and select our cpp program output “ConsoleApplication1.exe”

2) Now set the symbol path and source path pointing to its corresponding directory.

3) Reload the symbol to make sure the relevant symbols loaded.

4) If you press “g” mean go/F5 would run the program and displays the output.

5) Let us put some breakpoints at Main method and also Swap2Numbers to step in line by line debugging.

 >bp ConsoleApplication1!main 

  >bp ConsoleApplication1!Swap2numbers

6) Since we have mapped the source code path also, now on typing “t” would execute/step in line by line. You would also notice the source code window opened up and breakpoint indicator set.

7) If you wanted to unassemble, then use> uf ConsoleApplication1!main (assembly code).

8) When you go line by line debugging, you can view the intermediate value of the function by typing >dv  (display variable)

This slideshow requires JavaScript.

April 26, 2015 Posted by | windbg | | Leave a comment

WPF and IE Memory leak -tools & links

Worth mentioning –

1) WPF:

2) Internet Explorer client side memory leak detector /tool -> IE Sieve –

3) WPF progress bar memory leak-

<ProgressBar Name=”Progress” Width=”250″ Height=”15″ Minimum=”0″ Maximum=”1″ Margin=”10″ IsIndeterminate=”True”>


4) Tracking down managed memory leaks (how to find a GC leak) —>

5) What do the Task Manager memory columns mean?


October 24, 2013 Posted by | Memory, windbg | Leave a comment

Generating memory dump using DebugDiag 1.2 in steps

DebugDiag 1.2
1. On a computer demonstrating the problem, install DebugDiag 1.2 from and accept the default options for installation.
2. Select Start->Programs->Debug Diagnostics Tool 1.2->DebugDiag 1.2.
3. When DebugDiag starts, it should display a wizard to create a rule. If it does not show this, then click the Add Rule button on the Rules tab.
4. Select “Crash”.
5. Click Next and select “A specific process” and click Next.
6. Enter the process name of your application, ie “NotePad.exe” (or whatever the name is, without full path), in the Selected Process text box and click Next.
7. For “Unconfigured First Chance Exceptions”, set Action Type to “Log Stack Trace” with “Action Limit” to 0. Then click Next.
8. Please note the user dump path and click Next.
9. Select “Activate the rule now” and click Finish.
10. Open the Tools menu -> Preferences -> Select the “Enable raw debugger logs. Include debugger output and Engine messages”.
11. At this point, have the users run the application and try to reproduce the issue.
12. When the issue reproduces, it will generate a memory dump to the folder from step
8. Zip up the Logs folder (by default C:\Program Files\DebugDiag\Logs)
9. Analyse it.

October 24, 2013 Posted by | .NET General, windbg | Leave a comment

DebugDiag 2.0 is out..

DebugDiag 2.0 comes now with the new analysis engine fully converted to .NET to allow for faster analysis rule development. New features > Collection and Analysis modules such as .NET 4.5 supportCLRMD integrationC# and XAML sample rules,Detailed 1st chance exception logging.

Download from here>

Note: I personally used DD and felt really useful for quicker dump analysis instead windbg way of getting out.

October 4, 2013 Posted by | Uncategorized, windbg | Leave a comment

About Glowcode

GlowCode is a complete real-time performance and memory profiler for Windows and .NET programmers who develop applications with C++, C#, or any .NET Framework-compliant language. GlowCode helps programmers optimize application performance, with tools to detect memory leaks and resource flaws, isolate performance bottlenecks, profile and tune code, trace real-time program execution, ensure code coverage, isolate boxing errors, identify excessive memory usage, and find hyperactive and loitering objects. For native, managed, and mixed code.

We have used it in our development project and seems useful.

July 28, 2013 Posted by | .NET General, windbg | Leave a comment

ClrMD – advanced APIs for programmatically inspecting a crash dump of a .NET program

Lee Culver, software developer on the .NET Runtime team, will introduce you to a new managed library that allows you to automate inspection tasks and access even more debugging information. –Immo

Today are we excited to announce the beta release of the Microsoft.Diagnostics.Runtime component (called ClrMD for short) through the NuGet Package Manager.

ClrMD is a set of advanced APIs for programmatically inspecting a crash dump of a .NET program much in the same way as the SOS Debugging Extensions (SOS). It allows you to write automated crash analysis for your applications and automate many common debugger tasks.

I’ll try and post my reviews on the same.

May 8, 2013 Posted by | windbg | Leave a comment

Debugging tools -cheat sheat


  1. Performance Monitor -( part of OS, helps to know the app health. Run >Perfmon )
  2. PAL – (Performance Analysis of Logs - )
  3. Process Monitor – (capture of process details, including image path, command line, user and session ID, downloaded from technet site)
  4. Process Explorer -(captures cpu usage, dll info, handles)
  5. MPSReport ( batch utility to automate the gathering of diagnostic information from Windows for troubleshooting.-from MSFT site)
  6. SPSReport (SPS Reporting Tool is utilized to gather detailed information regarding a systems current configuration-
  7. SPDisposeCheck (assist you dig through your custom SharePoint MSIL assemblies)
  8. Dependency Walker (  Useful for troubleshooting system errors related to loading and executing modules
  9. SQL Nexus (Tool for isolating problems on the SQL Server side -
  10. CLRProfiler (focused on managed heap, Who allocates what,What objects survive,What is on the heap,Who is holding on to objects)
  11. LogParser -universal query access to text-based data such as log files, XML files and CSV files
  12. Indihiang (Great tool to analyze IIS logs –
  13. PowerShell – scripting language, less code than Jscript or vbscript, greate for admin and dev’s -
  14. Application Verifier –  Whether there are memory corruptions or issues in the heap, invalid handles, critical sec – for native coded app debugging
  15. Logger/LogViewer – logs every API call done by the target application



  1. XPerf – Windows Performance Analyzer – efficient tracing infrastructure provided by Windows
  2. PerfView – Low Level Profiler for .NET applications
  3. DebugDiag – Debug Diagnostic – Crash rule,IIS Performance rule,Memory and Handle Leak rule ,Manual Dump collection ,Automated Analysis feature
  4. ProcDump – Process Dump ( C:\>procdump -h hang.exe hungwindow.dmp)-collect dump files when a specific application is consuming high CPU
  5. WinDbg – Windows Debugging Tools -Psscor2.dll ,Sosex.dll ,
  6. WinDbg Scripts – Automate the Debugging -
  7. Netmon – Microsoft Network Monitor – Easy way to visualize HTTP, TCP/IP and other types of network communication
  8. Fiddler – HTTP Debugger Proxy-Web Debugging Proxy which logs all HTTP(S) traffic between your computer and the Internet.


Some of the .NET debugging videos also here – For more ref, read from here.

October 10, 2012 Posted by | windbg | Leave a comment

Info regarding gflags to catch heap issues(Windbg)

This post is about info regarding gflags to catch hard to find heap corruption issues. Here are the two articles that explain the steps.!/2008/05/fuzzing-and-detecting-heap-corruption.html

In steps,

1) Shutdown or close your “Winword.exe” or any target process that we are trying to analyze

2) Launch Appverifier and specify the following.

Setup gflags [options] process name  module name this is preferred if you know which module.

3) For if component “Spellcheck in Word” is a suspect example:-

  gflags –p /enable winword.exe /full /dlls spellcheck.dll or

4) If we have no clue what is causing the heap corruption then track the whole process.

  gflags –p /enable winword.exe /full

5)Make sure to launch the target application with windbg.

6) Monitor all access violations caught in windbg.

October 4, 2012 Posted by | windbg | Leave a comment

Windbg config & ways to create dump

Setting up Windbg for the first time and work easily with batch file trick.

  1. Install 32 bit/62bit version of windbg from the following site
  2. For debugging 32 bit use x86 windbg and for 64 bit use 64 bit to avoid confusion
  3. Allow to install default under Debugging tools for windows folder under  program files folder
  4. run cmd.exe, goto: cd c:\program files\debugging tools for windows\
  5. Get the symbols downloaded, cmd> symchk.exe /q /ie myapplication.exe /s SRV*c:\websymbols\*;C:\progra~1\ Myapplication ~1\;  This command may take a few minutes depending on ur internet connection.
  6. Create this batch file on the user’s desktop call it WinDBG.BAT and launch this AFTER myapplication is started.

@echo on

c:\progra~1\debugg~1\adplus.vbs -quiet -crash -pn myapplication.exe -o c:\crashfolder -y c:\websymbols;c:\progra~1\ Myapplication ~1\ -NoDumpOnFirst

Note: All the logs will be in c:\crash_folder directory on your local machine the logs will be automatically time stamped

What are the various option available to capture dumps of a crashing/froozen(hang) application in Windows?

1) Adplus
2) ProcDump – memory, high cpu -command utility, simple to download
3) Windbg
4) CDB -p 6088 “exe * -c2
5) RightClick task manager in Win7/2008
6) using dbdiag – ( it runs even if restart the comp also ) -rules are powerful
7) Process explorer- right click

How to load extn for .NET 4 in windbg?


0:000> lmvm clr
0:000> .loadby sos clr
0:000> !pe

Few cmds: 1)  sxe av 2) sxd sv 3) sxe clr (attach to an application and run side by side) 4) sx -Com exception

September 15, 2012 Posted by | windbg | Leave a comment

What is editbin /LARGEADDRESSAWARE and when to use.

This is been discussed already here  EDITBIN used to modify object files, exe and dll.

editbin /LARGEADDRESSAWARE – used to edit the image to indicate that the application can handle addresses larger than 2 gigabytes.

by default, a x86/32 bit app can consume or memory allocated by OS is 2 GB in 32bit, where as in 64 bit it can go upto 8 TB.

If you have an application consuming huge memory and developed in 32 bit, then we can this option to increase the roam for more memory using this command.

32-bit application on 32-bit Windows: 2GB – > can be tweaked to 3 GB
32-bit application on 64-bit Windows: 2GB – > can be tweaked to 4 GB
64-bit application on 64-bit Windows: 8TB —- No change required.

>dumpbin.exe and editbin.exe.

To add – > editbin /LARGEADDRESSAWARE [application]
To remove it-> editbin /LARGEADDRESSAWARE:no [application]

To check: dumpbin /headers [application]

September 6, 2012 Posted by | windbg | 1 Comment

Windbg commands -Part 2

>NTSD,CDB,KD – from chm
>.sympath c:\symbols;c:\program files; ->To set/display display sympath
>.chain -> to see the list of extn
>.hh -> to load chm & .help /D (very useful one)
>.q, .restart
>.chain /D
>ld * (loaded modules)
>.sympath (to display the path)
>.symfix (this automatically point to
>x*l (list all modules)
>!analyze (most used) -v, -hang, -f (switches)
>exr -1 (display most recent exception)
>lm (list modules)
>!runaway [flags:0|1|2] -> display info about time consumed by each thread(0-user time, 1-kernal time,2-time elapsed since thread creation)
>~*K -> call stack for all threads
>!findstack kernel32 2 -> displays all stacks that contain “kernel32”
>.frame (show current frame)
>d* -> memory
>!heap -stat (dump heap handle list)

userful links ->, C:\Program Files\Debugging Tools for Windows (x86)\debugger.chm, type simply .hh inside windbg cmd prompt
DUMPBIN, EDITBIN -> for header analysis
srv*[DOWNLOAD PATH LOCAL]*[SYMBOL SERVER LOCATION] -> for Downloading symbols
Symstore.exe ->Setting up private symbol store -> create own symbol server
IMAGE_FILE_LARGE_ADDRESS_AWARE – setting 32 bit/64 bit target

September 5, 2012 Posted by | windbg | Leave a comment

Advanced Windbg-Part 1

Would like to share the key take away’s from my training provided by Microsoft. As you all know and read earlier here about Windbg. I’m going to talk about usage of Extension for more detailed debugging techniques.

What is sosex.dll and how to load as windbg extensions? 

It’s a quite useful exten to debug deadlock related issues deeply,  you can download here  and copy the downloaded file to your windbg exe folder and call .load sosex.dll from windbg command prompt. Here is some of the handy commands ready to use.
> load sosex.dll  (Load first this dll as extension)
>.chain ( to see whether added to the extension list)
>!dlk (to check the deadlock situation)
>~* e !clrstack to view the CLR stack of all the threads and where they are
>~<ThreadId> e !clrstack to view the CLR stack of that thread.
> !finq

here is the full command list for sosex & sos.dll 

Starting, Attaching, Executing and Exiting

Start -> All Programs -> Debugging Tools for Windows -> WinDbg
F6 attach to process
Ctrl-Break interrupt debugee
.detach detach from a process
g continue debugee execution
q exit WinDbg

Getting Help

? help on commands that affect the debugee
.help help on commands that affect the debugger
.hh command view the on line help file
!help help on the extension dll at the top of the chain (e. g., SOS)

Issuing Commands

up arrow, down arrow, enter scroll through command history
Right mouse button paste into command window

Examining the Unmanaged Environment

lmf list loaded modules with full path
lmt list loaded modules with last modified timestamp
~ list unmanaged threads
~thread s select a thread for thread specific commands
!token -n view thread permissions
k view the unmanaged call stack
!runaway view thread CPU consumption
bp set a breakpoint
.dump path dump small memory image
.dump /ma path dump complete memory image

Working with Extension DLLs (e. g., SOS)

.chain list extensions dlls
.load clr10\sos load SOS for debugging framework 1.0 / 1.1
.unload clr10\sos unload SOS
.loadby sos mscorwks load SOS for debugging framework 2.0

SOS Commands

!threads view managed threads
!clrstack view the managed call stack
!dumpstack view combined unmanaged & managed call stack
!clrstack -p view function call arguments
!clrstack –l view stack (local) variables
!name2ee module class view addresses associated with a class or method
!dumpmt –md address view the method table & methods for a class
!dumpmd address view detailed information about a method
!do address view information about an object
!dumpheap –stat view memory consumption by type
!dumpheap –min size view memory consumption by object when at least size
!dumpheap –type type view memory consumption for all objects of type type
!gcroot address view which object are holding a reference to address
!syncblk view information about managed locks

SOS 2.0 Commands

!bpmd module method set breakpoint
!DumpArray address view contents of an array
!PrintException view information about most recent exception

This slideshow requires JavaScript.

September 5, 2012 Posted by | windbg | Leave a comment

How to download Microsoft Lib symbols for Crash analysis.

To use the Symbol Server Web site from within WinDbg, follow these steps:

  1. Start the Windows Debugger (WinDbg.exe).
  2. On the File menu, click Symbol File Path.
  3. In the Symbol path box, type the following command:
    SRV*your local folder for symbols*

    where your local folder for symbols is the folder in which you copy your local symbol cache. The debug symbols are downloaded to this location.

    Note You can point to any local path or share that your computer can reach; it does not have to be a location on the computer’s hard disk.

Alternatively, you can also use the .sympath command at a command prompt to set the symbol path.

You can combine the symsrv syntax with other symbol paths. For example, use the following syntax to specify two or more symbol paths:

some useful commands,
  1. !analyze -v
  2. lmvm <modulename>
  3. K
  4. .ecxr
  5. kb
  6. ~*k
  7. .symfix
  8. .reload
  9. !sym noisy
  10. .cxr; r; kbn99; .echo ~~~; ub 102627d0 L18; u 102627d0 L5; .echo ~~~; ub

August 14, 2012 Posted by | windbg | Leave a comment

About Windows Debugging Tools (windbg,adplus)

There are four Microsoft debuggers availabe for debugging as part of Windows SDK download.
1)WinDbg (Windbg.exe) -A user-mode and kernel-mode debugger with a graphical interface.
2)KD (Kd.exe) -A kernel-mode debugger with a console interface.
3)CDB (Cdb.exe) -A user-mode debugger with a console interface.
4)NTSD (Ntsd.exe) -A user-mode debugger with a console interface. CDB and NTSD are virtually identical.

>Out of this, Windbg is often used by programmer to analyze dumps
Download it from here –
Easier Steps..
1) Instal Windows Debugging tools from web
2) Go the installed folder and invoke adplus tool to start capture the crash/hang
ex: C:\Program Files\Debugging Tools for Windows (x86)>adplus -crash -pn “LogViewer.exe” -o d:\dumps
3) Wait till it crash, so it will write the dumps after crash
4) Now launch Windbg from start menu,
4.1)Set the Symbol File path (where pdb’s available) in Windbg > file -symbol path specifies the directories where the symbol files are located.
4.2)Set the Source File path (where application pdb’s & .NET pdb’s available). You can specify more than one path with ‘;’ separator.
4.3)Set the Executale Image path -executable file path. These files typically have the .exe, .dll, or .sys file name extension
5) For better debugging & complete trace, download the whole .NET symbol path from net – so you’ll get all pdb’s for all microsoft .net assemblies.
4) Last step in debugging a crashed target computer or application is to use the !analyze extension command (inside Windbg after loading dump)
ex: 0:000> !analyze -v
Now start investigating the stack trace from the dump file for understanding the issue.

About Adplus: ADPlus (adplus.vbs), also known as Autodump+, is a console-based Microsoft Visual Basic script. This tool automates the CDB debugger
to produce memory dumps and log files that contain debug output from one or more processes.
– using this we can trace user-mode process(.exe) or service such as IIS, or MTS, or Microsoft COM+ applications.
When Should You Use ADPlus? You should use ADPlus to capture debugging information if you are experiencing the following problems:
1) Processes that stop responding (that is, hang).
2) Processes that have 100 % CPU utilization on a single processor computer, 50 % utilization on a dual processor computer, 25 % utilization on a quad processor computer, and so on.
3) Processes that fail (that is, crash) or shut down unexpectedly.

Usefil ADPlus command line options:
ADPlus -hang -iis -pn myapp.exe -o c:\temp
ADPlus -crash -iis -pn myapp.exe -o c:\temp
ADPlus -quiet -crash -iis -notify RemoteComputer -o c:\temp
ADPlus -quiet -crash -iis -notify RemoteComputer -o c:\temp

February 14, 2012 Posted by | windbg | Leave a comment


What is DUMPBIN?
The DUMPBIN utility, which is provided with the 32-bit version of Microsoft Visual C++, combines the abilities of the LINK, LIB, and EXEHDR utilities. The combination of these tools features the ability to provide information about the format and symbols provided in executable, library, and DLL files.
– use for verifying the stack reserve using Header options
What is EDITBIN?
The Microsoft COFF Binary File Editor (EDITBIN.EXE) modifies Common Object File Format (COFF) binary files. You can use EDITBIN to modify object files, executable files, and dynamic-link libraries (DLL).
An application’s stack size is set when the executable is built. The stack size is typically specified in the Module-Definition File (.DEF) when you use the STACKSIZE command or the /STACK Linker command. You can modify an executable’ s stack size after it has been built by using the EDITBIN tool that is included with Visual C+
– Use for changing the stack size to your desired size. ( this can be done at the time of Stack overflow exception in some exe )

Syntax and usage ?

dumpbin /HEADERS “Your.exe” ( Get the Header and see the stack reserve )
editbin /STACK:262144 “Your.exe”
dumpbin /HEADERS “Your.exe” ( Get again the header and see the stack reserve changed this time )

I see the stack reserve changed from 100000 size of stack reserve
40000 size of stack reserve

Note: This needs to be run it under .NET command prompt.

February 9, 2012 Posted by | windbg | 1 Comment

Tools used for .NET Memory profiling managed/unmanaged objects..

1) RedGate- Ants Memory Profiler
2) Eqatec,
3) JetBrains-dot Trace Memory 3.5
4) VMMap
5) Debug Diagnostic Tool v1.2..
Out of this, Debug Diag is a free tool and very useful – many doesn’t aware of this. In fact MS guys use this for critical debugging,
crash analysis memory profiling etc
I vouch Debug Diagnostic..

October 31, 2011 Posted by | .NET General, windbg | Leave a comment

%d bloggers like this: