Log Format

General API Log Message Format

The general format for API calls looks like this:

000257 0a88 mydll.dll :4ad0576d->kernel32.dll:7c81b1f0 SetConsoleMode (IN HANDLE hConsoleHandle=7h, IN DWORD dwMode=3h)
000258 0a88 mydll.dll :4ad0576d<-kernel32.dll:7c81b1f0 SetConsoleMode ->BOOL=1h ()


000257 - Indicates the log entry number. Each log entry has a unique number. The "---- Potential Errors Detected ---" section refers back to individual log entries by their log entry numbers.
0a88 - Indicates the currently executing thread ID. If the application has only one thread, this number will never change. Since log entries are recorded in order of execution, if two or more threads are recording data to the log file then you may need to use the thread ID to follow thread-specific sequential actions.
mydll.dll - Indicates the DLL which is making the API call.
4ad0576d - Indicates the return address for the API call made by mydll.dll. Typically this will tell you the address in the code where the call is originating.

-> Indicates the call is being entered. For call entry log entries, all of the input parameters are displayed (in and in/out parameters).
<- Indicates the call is returning to the original caller. For call exit log entries, all of the output parameters are displayed (out and in/out parameters).

kernel32.dll - Indicates the DLL where the API call is landing.
7c81b1f0 - Indicates the address of the API inside kernel32.dll where the call is landing. If you disassemble kernel32.dll at address 7c81b1f0, you will find the code for the function SetConsoleMode.

->BOOL=1h Indicates the API returned the value "1" and the return code has type "BOOL".
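The field layout above maps onto a small parser. The following Python sketch is an added example, not part of the original documentation or of Thinstall; it pairs each call entry with its exit per thread ID, which is what you need when two threads interleave in one log. The lines for thread 0b10 in the sample are constructed, and the code assumes an exit always closes the innermost open call on the same thread.

```python
import re
from collections import defaultdict

# entry number, thread ID, caller DLL :return address, direction arrow,
# callee DLL:API address, optional "***" marker, API name, remainder.
API_LINE = re.compile(
    r"^(?P<entry>\d+)\s+(?P<tid>[0-9a-f]+)\s+"
    r"(?P<caller>\S+?)\s*:(?P<ret_addr>[0-9a-f]+)(?P<dir>->|<-)"
    r"(?P<callee>\S+?)\s*:(?P<api_addr>[0-9a-f]+)\s+"
    r"(?:\*\*\*\s+)?(?P<api>\w+)\s*(?P<rest>.*)$"
)
RETVAL = re.compile(r"^->(?P<type>\w+)=(?P<value>\S+)")

def pair_calls(lines):
    """Pair call entries (->) with exits (<-) per thread. Returns (done, open)."""
    stacks = defaultdict(list)  # thread ID -> open calls, innermost last
    done = []
    for line in lines:
        m = API_LINE.match(line.strip())
        if not m:
            continue  # startup info, module list, timing report, ...
        rec = m.groupdict()
        stack = stacks[rec["tid"]]
        if rec["dir"] == "->":
            stack.append(rec)
        elif stack and stack[-1]["api"] == rec["api"]:
            call = stack.pop()
            rv = RETVAL.match(rec["rest"])
            done.append({
                "tid": call["tid"], "api": call["api"],
                "entry": int(call["entry"]), "exit": int(rec["entry"]),
                "args": call["rest"],
                "ret_type": rv.group("type") if rv else None,
                "ret_value": rv.group("value") if rv else None,
            })
    still_open = [c for s in stacks.values() for c in s]
    return done, still_open

# Constructed sample: thread 0a88 mirrors the page's example, thread 0b10 is made up.
SAMPLE_API_LOG = """\
000257 0a88 mydll.dll :4ad0576d->kernel32.dll:7c81b1f0 SetConsoleMode (IN HANDLE hConsoleHandle=7h, IN DWORD dwMode=3h)
000258 0b10 mydll.dll :4ad0576d->kernel32.dll:7c81b1f0 SetConsoleMode (IN HANDLE hConsoleHandle=bh, IN DWORD dwMode=7h)
000259 0a88 mydll.dll :4ad0576d<-kernel32.dll:7c81b1f0 SetConsoleMode ->BOOL=1h ()
000260 0b10 mydll.dll :4ad0576d<-kernel32.dll:7c81b1f0 SetConsoleMode ->BOOL=0h ()
""".splitlines()
```

Calls left in the second return value were entered but never logged as returning, which is often where a hang or crash occurred.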


Application Startup Information


000001 0a88 Logging started for Module=C:\test\cmd_test\bin\cmd.exe
Using archive=
PID=0xec
CommandLine = cmd
000002 0a88 Logging options: CAP_LEVEL=9 MAX_CAP_ARY=25 MAX_CAP_STR=150 MAX_NEST=100 VERSION=3.090




000003 0a88 System Current Directory = C:\test\cmd_test\bin
Virtual Current Directory = C:\test\cmd_test\bin



000004 0a88 |start_env_var| =::=::\
000005 0a88 |start_env_var| =C:=C:\test\cmd_test\bin
000006 0a88 |start_env_var| =ExitCode=00000000
000007 0a88 |start_env_var| ALLUSERSPROFILE=C:\Documents and Settings\All Users.WINDOWS
...
...
...

List of DLLs loaded into memory during runtime

The section labeled "--- Modules loaded ---" is located near the end of the log and will describe all of the DLLs which were loaded into memory at runtime and the addresses they were loaded to. This list also describes whether DLLs were loaded by Windows or by Thinstall.

--- Modules loaded ---
PRELOADED_MAP 00400000-00452fff, C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
PRELOADED_BY_SYSTEM 00400000-00452fff, C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
SYSTEM_LOADED 00400000-00452fff, C:\test\AcroRd32.exe
SYSTEM_LOADED 00df0000-00df8fff, C:\WINDOWS\system32\Normaliz.dll
MEMORY_MAPPED_ANON 013b0000-020affff, C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.dll
SYSTEM_LOADED 035a0000-035b4fff, C:\WINDOWS\system32\nvwddi.dll
SYSTEM_LOADED 035a0000-03698fff, C:\WINDOWS\system32\nvwimg.dll
SYSTEM_LOADED 035e0000-03ba9fff, C:\WINDOWS\system32\ieframe.dll
SYSTEM_LOADED 04730000-04828fff, C:\WINDOWS\system32\nvwimg.dll
MEMORY_MAPPED_ANON 05000000-050a8fff, C:\Program Files\Adobe\Reader 8.0\Reader\ACE.dll
MEMORY_MAPPED_ANON 06000000-064b0fff, C:\Program Files\Adobe\Reader 8.0\Reader\AGM.dll
MEMORY_MAPPED_ANON 07000000-07019fff, C:\Program Files\Adobe\Reader 8.0\Reader\BIB.dll
MEMORY_MAPPED_ANON 08000000-08239fff, C:\Program Files\Adobe\Reader 8.0\Reader\CoolType.dll
SYSTEM_LOADED 0ffd0000-0fff7fff, C:\WINDOWS\system32\rsaenh.dll
SYSTEM_LOADED 10000000-10165fff, C:\WINDOWS\system32\nview.dll
SYSTEM_LOADED 20000000-202c4fff, C:\WINDOWS\system32\xpsp2res.dll
MEMORY_MAPPED_ANON 20800000-20fdafff, C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\AcroForm.api
MEMORY_MAPPED_ANON 22100000-224f2fff, C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\Annots.api
MEMORY_MAPPED_ANON 23000000-2311afff, C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\DigSig.api
MEMORY_MAPPED_ANON 23800000-23951fff, C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\EScript.api
MEMORY_MAPPED_ANON 24000000-24023fff, C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\EWH32.api
MEMORY_MAPPED_ANON 25800000-25817fff, C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\IA32.api
MEMORY_MAPPED_ANON 26800000-2680ffff, C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\eBook.api
MEMORY_MAPPED_ANON 28000000-285d1fff, C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\PPKLite.api
MEMORY_MAPPED_ANON 28800000-2885dfff, C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\reflow.api
MEMORY_MAPPED_ANON 29000000-29227fff, C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\MakeAccessible.api
MEMORY_MAPPED_ANON 29800000-2985afff, C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\Accessibility.api
MEMORY_MAPPED_ANON 29a00000-29a1dfff, C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\ReadOutLoud.api
MEMORY_MAPPED_ANON 2a000000-2a018fff, C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\Search5.api
MEMORY_MAPPED_ANON 2a300000-2a359fff, C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\Search.api
MEMORY_MAPPED_ANON 2a800000-2a821fff, C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\SendMail.api
MEMORY_MAPPED_ANON 2b000000-2b045fff, C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\Spelling.api
MEMORY_MAPPED_ANON 2b800000-2b865fff, C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\PDDom.api
MEMORY_MAPPED_ANON 2d800000-2d94efff, C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\Multimedia.api
MEMORY_MAPPED_ANON 2e000000-2e02ffff, C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\weblink.api
MEMORY_MAPPED_ANON 30800000-30829fff, C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\Updater.api
MEMORY_MAPPED_ANON 31800000-31810fff, C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\HLS.api
MEMORY_MAPPED_ANON 32000000-3204dfff, C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\SaveAsRTF.api
MEMORY_MAPPED_ANON 40800000-40821fff, C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\DVA.api
MEMORY_MAPPED_ANON 45800000-458cffff, C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\Checkers.api
MEMORY_MAPPED_ANON 46800000-46873fff, C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\ImageViewer.API
SYSTEM_LOADED 59a60000-59b00fff, C:\WINDOWS\system32\dbghelp.dll
SYSTEM_LOADED 5ad70000-5ada7fff, C:\WINDOWS\system32\uxtheme.dll
SYSTEM_LOADED 5d090000-5d129fff, C:\WINDOWS\system32\COMCTL32.dll
SYSTEM_LOADED 61410000-61533fff, C:\WINDOWS\system32\urlmon.dll
SYSTEM_LOADED 629c0000-629c8fff, C:\WINDOWS\system32\LPK.DLL
SYSTEM_LOADED 63380000-633f7fff, C:\WINDOWS\system32\jscript.dll
SYSTEM_LOADED 6e850000-6e894fff, C:\WINDOWS\system32\iertutil.dll
SYSTEM_LOADED 71aa0000-71aa7fff, C:\WINDOWS\system32\WS2HELP.dll
SYSTEM_LOADED 71ab0000-71ac6fff, C:\WINDOWS\system32\ws2_32.dll
SYSTEM_LOADED 71bf0000-71c02fff, C:\WINDOWS\system32\SAMLIB.dll
SYSTEM_LOADED 746c0000-746e8fff, C:\WINDOWS\system32\msls31.dll
SYSTEM_LOADED 746f0000-74719fff, C:\WINDOWS\system32\msimtf.dll
SYSTEM_LOADED 74720000-7476afff, C:\WINDOWS\system32\MSCTF.dll
SYSTEM_LOADED 74d90000-74dfafff, C:\WINDOWS\system32\USP10.dll
SYSTEM_LOADED 755c0000-755edfff, C:\WINDOWS\system32\msctfime.ime
SYSTEM_LOADED 75cf0000-75d80fff, C:\WINDOWS\system32\MLANG.dll
SYSTEM_LOADED 75e90000-75f3ffff, C:\WINDOWS\system32\SXS.DLL
SYSTEM_LOADED 76390000-763acfff, C:\WINDOWS\system32\IMM32.DLL
SYSTEM_LOADED 76780000-76788fff, C:\WINDOWS\system32\shfolder.dll
SYSTEM_LOADED 769c0000-76a72fff, C:\WINDOWS\system32\USERENV.dll
SYSTEM_LOADED 76b40000-76b6cfff, C:\WINDOWS\system32\WINMM.dll
SYSTEM_LOADED 76bf0000-76bfafff, C:\WINDOWS\system32\PSAPI.DLL
SYSTEM_LOADED 76f60000-76f8bfff, C:\WINDOWS\system32\WLDAP32.dll
SYSTEM_LOADED 76fd0000-7704efff, C:\WINDOWS\system32\CLBCATQ.DLL
SYSTEM_LOADED 77050000-77114fff, C:\WINDOWS\system32\COMRes.dll
SYSTEM_LOADED 77120000-771abfff, C:\WINDOWS\system32\OLEAUT32.dll
SYSTEM_LOADED 771b0000-7727efff, C:\WINDOWS\system32\WININET.dll
SYSTEM_LOADED 773d0000-774d2fff, C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll
SYSTEM_LOADED 774e0000-7761cfff, C:\WINDOWS\system32\ole32.dll
SYSTEM_LOADED 77690000-776b0fff, C:\WINDOWS\system32\NTMARTA.DLL
SYSTEM_LOADED 77920000-77a12fff, C:\WINDOWS\system32\SETUPAPI.dll
SYSTEM_LOADED 77b40000-77b61fff, C:\WINDOWS\system32\appHelp.dll
SYSTEM_LOADED 77c00000-77c07fff, C:\WINDOWS\system32\VERSION.dll
SYSTEM_LOADED 77c10000-77c67fff, C:\WINDOWS\system32\msvcrt.dll
SYSTEM_LOADED 77dd0000-77e6afff, C:\WINDOWS\system32\ADVAPI32.dll
SYSTEM_LOADED 77e70000-77f00fff, C:\WINDOWS\system32\RPCRT4.dll
SYSTEM_LOADED 77f10000-77f56fff, C:\WINDOWS\system32\GDI32.dll
SYSTEM_LOADED 77f60000-77fd5fff, C:\WINDOWS\system32\SHLWAPI.dll
SYSTEM_LOADED 77fe0000-77ff0fff, C:\WINDOWS\system32\Secur32.dll
MEMORY_MAPPED_ANON 78130000-781cafff, C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.163_x-ww_681e29fb\msvcr80.dll
MEMORY_MAPPED_ANON 7c420000-7c4a6fff, C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.163_x-ww_681e29fb\msvcp80.dll
MEMORY_MAPPED_ANON 7c4c0000-7c53cfff, C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.163_x-ww_681e29fb\msvcm80.dll
SYSTEM_LOADED 7c800000-7c8f3fff, C:\WINDOWS\system32\kernel32.dll
SYSTEM_LOADED 7c900000-7c9affff, C:\WINDOWS\system32\ntdll.dll
SYSTEM_LOADED 7c9c0000-7d1d4fff, C:\WINDOWS\system32\SHELL32.dll
SYSTEM_LOADED 7e410000-7e49ffff, C:\WINDOWS\system32\USER32.dll
SYSTEM_LOADED 7e830000-7eb9efff, C:\WINDOWS\system32\mshtml.dll

SYSTEM_LOADED - Indicates the DLL was loaded by Windows; the file must exist on the disk.
MEMORY_MAPPED_ANON - Indicates the DLL was loaded by Thinstall; the file may be loaded from the virtual file system.
46800000-46873fff - Indicates the address ranges in virtual memory where the DLL was loaded.
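The module list can be used to resolve an address from an API log line back to the DLL that owns it and to separate disk-backed DLLs from those Thinstall mapped itself. The following Python sketch is an added example, not part of the original documentation or of Thinstall; the sample lines are an excerpt of the listing above, and because ranges in that listing overlap, the lookup returns every match.

```python
import re

# <KIND> <start>-<end>, <path>
MODULE_LINE = re.compile(
    r"^(?P<kind>[A-Z_]+)\s+(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+),\s*(?P<path>.+)$"
)

def parse_modules(lines):
    """Return the entries listed under the '--- Modules loaded ---' header."""
    mods, in_section = [], False
    for line in lines:
        line = line.strip()
        if line.startswith("--- Modules loaded"):
            in_section = True
            continue
        if in_section and line.startswith("---"):
            break  # the next report section begins
        m = MODULE_LINE.match(line) if in_section else None
        if m:
            mods.append({"kind": m["kind"], "start": int(m["start"], 16),
                         "end": int(m["end"], 16), "path": m["path"]})
    return mods

def resolve(mods, addr_hex):
    """All modules whose address range contains addr_hex (ranges can overlap)."""
    addr = int(addr_hex, 16)
    return [m for m in mods if m["start"] <= addr <= m["end"]]

def by_loader(mods):
    """Group module paths by load type, e.g. SYSTEM_LOADED vs MEMORY_MAPPED_ANON."""
    groups = {}
    for m in mods:
        groups.setdefault(m["kind"], []).append(m["path"])
    return groups

# Excerpt of the module listing shown on this page.
SAMPLE_MODULES = r"""
--- Modules loaded ---
MEMORY_MAPPED_ANON 013b0000-020affff, C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.dll
SYSTEM_LOADED 035a0000-035b4fff, C:\WINDOWS\system32\nvwddi.dll
SYSTEM_LOADED 035a0000-03698fff, C:\WINDOWS\system32\nvwimg.dll
SYSTEM_LOADED 7c800000-7c8f3fff, C:\WINDOWS\system32\kernel32.dll
---- Timing Report: list of slowest 150 objects profiled ---
""".strip().splitlines()
```

For example, `resolve(parse_modules(SAMPLE_MODULES), "7c81b1f0")` returns the kernel32.dll entry, matching the API address in the SetConsoleMode example.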


---- Timing Report: list of slowest 150 objects profiled ---
8255572220 total cycles (2955.56 ms): |sprof| thinstall_LoadLibrary2
765380728 cycles (274.01 ms) on log entry 21753
428701805 cycles (153.48 ms) on log entry 191955
410404281 cycles (146.93 ms) on log entry 193969
231503734 cycles (82.88 ms) on log entry 188438
227419794 cycles (81.42 ms) on log entry 190209
211952538 cycles (75.88 ms) on log entry 197416
202095103 cycles (72.35 ms) on log entry 189394
200356604 cycles (71.73 ms) on log entry 194646
192420627 cycles (68.89 ms) on log entry 190812
183214731 cycles (65.59 ms) on log entry 195836
... 438 total calls
7847975891 total cycles (2809.64 ms): |sprof| ts_load_internal_module
764794646 cycles (273.80 ms) on log entry 21753
426837866 cycles (152.81 ms) on log entry 191955
408570540 cycles (146.27 ms) on log entry 193969
228790905 cycles (81.91 ms) on log entry 188438
224240114 cycles (80.28 ms) on log entry 190209
209789307 cycles (75.11 ms) on log entry 197416
200287437 cycles (71.70 ms) on log entry 189394
198429210 cycles (71.04 ms) on log entry 194646
190612618 cycles (68.24 ms) on log entry 190812
180322247 cycles (64.56 ms) on log entry 195836
... 94 total calls
4451728477 total cycles (1593.76 ms): |sprof| ts_lookup_imports
544327945 cycles (194.87 ms) on log entry 21758
385149968 cycles (137.89 ms) on log entry 193970
187246661 cycles (67.04 ms) on log entry 190210
173617241 cycles (62.16 ms) on log entry 194647
173481875 cycles (62.11 ms) on log entry 19065
148587579 cycles (53.20 ms) on log entry 195837
133165053 cycles (47.67 ms) on log entry 189395
126806624 cycles (45.40 ms) on log entry 197417
125894370 cycles (45.07 ms) on log entry 200296
121213253 cycles (43.40 ms) on log entry 200657
... 34 total calls
1099873523 total cycles (393.76 ms): |sprof| new_thread_start
561664565 cycles (201.08 ms) on log entry 151922
531551734 cycles (190.30 ms) on log entry 152733
1619002 cycles (0.58 ms) on log entry 72875
1554448 cycles (0.56 ms) on log entry 637896
1481627 cycles (0.53 ms) on log entry 72881
1091972 cycles (0.39 ms) on log entry 580771


Potential Errors

The Potential Errors section is a collection of all log entries which have "***" in their string. Thinstall marks entries that could potentially be a problem by adding "***" to the log entry output. See Locating Errors for more tips on interpreting this section.

---- Potential Errors Detected ---
006425 0000075c LoadLibraryExW 'C:\Program Files\Adobe\Reader 8.0\Reader\Microsoft.Windows.Common-Controls.DLL' flags=2 -> 0 (failed ***)
006427 0000075c LoadLibraryExW 'C:\Program Files\Adobe\Reader 8.0\Reader\Microsoft.Windows.Common-Controls\Microsoft.Windows.Common-Controls.DLL' flags=2 -> 0 (failed ***)
006428 0000089c nview.dll :1005b94b<-kernel32.dll:7c80ae4b *** LoadLibraryW ->HMODULE=7c800000h () *** GetLastError() returns 2 [0]: The system cannot find the file specified.
007062 0000075c LoadLibraryExW 'C:\Program Files\Adobe\Reader 8.0\Reader\en-US\Microsoft.Windows.Common-Controls.DLL' flags=2 -> 0 (failed ***)
010649 0000075c LoadLibraryExW 'C:\Program Files\Adobe\Reader 8.0\Reader\en-US\Microsoft.Windows.Common-Controls\Microsoft.Windows.Common-Controls.DLL' flags=2 -> 0 (failed ***)
019127 0000075c MSVCR80.dll :781348cc<-msvcrt.dll :77c10396 *** GetEnvironmentVariableA ->DWORD=0h (OUT LPSTR lpBuffer=*0h <bad ptr>) *** GetLastError() returns 203 [0]: The system could not find the environment option that was entered.
019133 0000075c MSVCR80.dll :78133003<-nview.dll :1000058c *** GetProcAddress ->FARPROC=*0h () *** GetLastError() returns 127 [203]: The specified procedure could not be found.
019435 0000075c MSVCR80.dll :78136e08<-dbghelp.dll :59a60360 *** GetFileType ->DWORD=0h () *** GetLastError() returns 6 [0]: The handle is invalid.
019500 0000075c MSVCR80.dll :78134481<-nview.dll :1000058c *** GetProcAddress ->FARPROC=*0h () *** GetLastError() returns 127 [0]: The specified procedure could not be found.
019530 0000075c MSVCR80.dll :78131dcd<-dbghelp.dll :59a603a1 *** GetModuleHandleA ->HMODULE=0h () *** GetLastError() returns 126 [0]: The specified module could not be found.
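Because this section can be long, it helps to group the flagged entries by API and error code before reading them one by one. The following Python sketch is an added example, not part of the original documentation or of Thinstall; it handles both line shapes shown above (with and without the caller/callee prefix), and the sample lines are copied from the listing above.

```python
import re
from collections import Counter

# entry number, thread ID, optional "caller :addr<-callee:addr ***" prefix, API name.
ERR_LINE = re.compile(
    r"^(?P<entry>\d+)\s+(?P<tid>[0-9a-f]+)\s+"
    r"(?:(?P<caller>\S+)\s*:[0-9a-f]+<-(?P<callee>\S+)\s*:[0-9a-f]+\s+\*\*\*\s+)?"
    r"(?P<api>\w+)(?P<rest>.*)$"
)
LAST_ERROR = re.compile(r"GetLastError\(\) returns (?P<code>\d+) \[\d+\]: (?P<msg>.+)$")

def parse_potential_errors(lines):
    """Extract entry number, thread, API and GetLastError code from '***' lines."""
    out = []
    for line in lines:
        line = line.strip()
        m = ERR_LINE.match(line)
        if not m or "***" not in line:
            continue  # section header or an unflagged line
        le = LAST_ERROR.search(m.group("rest"))
        out.append({
            "entry": int(m.group("entry")),
            "tid": m.group("tid"),
            "caller": m.group("caller"),  # None when the line has no DLL prefix
            "api": m.group("api"),
            "code": int(le.group("code")) if le else None,
            "message": le.group("msg") if le else None,
        })
    return out

def summarize(errors):
    """Count flagged entries per (API name, GetLastError code)."""
    return Counter((e["api"], e["code"]) for e in errors)

# Lines copied from the Potential Errors listing on this page.
SAMPLE_ERRORS = r"""
---- Potential Errors Detected ---
006425 0000075c LoadLibraryExW 'C:\Program Files\Adobe\Reader 8.0\Reader\Microsoft.Windows.Common-Controls.DLL' flags=2 -> 0 (failed ***)
006428 0000089c nview.dll :1005b94b<-kernel32.dll:7c80ae4b *** LoadLibraryW ->HMODULE=7c800000h () *** GetLastError() returns 2 [0]: The system cannot find the file specified.
019133 0000075c MSVCR80.dll :78133003<-nview.dll :1000058c *** GetProcAddress ->FARPROC=*0h () *** GetLastError() returns 127 [203]: The specified procedure could not be found.
019500 0000075c MSVCR80.dll :78134481<-nview.dll :1000058c *** GetProcAddress ->FARPROC=*0h () *** GetLastError() returns 127 [0]: The specified procedure could not be found.
019530 0000075c MSVCR80.dll :78131dcd<-dbghelp.dll :59a603a1 *** GetModuleHandleA ->HMODULE=0h () *** GetLastError() returns 126 [0]: The specified module could not be found.
""".strip().splitlines()
```

The `entry` values can be looked up in the main log to see the surrounding calls on the same thread.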