How to extract, count, and sort strings pulled from a managed dump file

If these steps look familiar, they’re based on a post I wrote a few years back for parsing Exchange transaction logs. Who knew 1) they’d still be relevant, 2) I’d still resort to such hacky means, and 3) others may actually find value in this ...

1. Download the "Unix for Win32" utilities from https://downloads.sourceforge.net/unxutils/UnxUtils.zip?modtime=1172730504&big_mirror=0

2. Extract all files from the UnxUtils\usr\local\wbin subdirectory to C:\Unix

3. Download strings.exe from https://www.microsoft.com/technet/sysinternals/Miscellaneous/Strings.mspx, and place strings.exe into C:\Unix

4. Make a C:\TMP directory (the Win32 ports of the Unix tools need a Windows equivalent of the Unix /tmp directory)

5. Download the sosex.dll Windbg extension from https://www.stevestechspot.com/SOSEXV2NowAvailable.aspx and save sosex.dll to the directory where Windbg.exe resides

6. In Windbg, open the .dmp file, run '!load sosex.dll', then '.logopen managed-strings.log', then '!sosex.strings':

Opened log file 'c:\drop\customers\internal\managed-strings.log'
0:000> !sosex.strings
Address Gen Value
---------------------------------------
7f2290c8 0
7f229108 0
7f22911c 0 Filters/IncludeExtensions
7f229160 0 Filters/IncludeExtensions
7f229394 0 true
7f22c778 0
7f22c7d4 0 true
7f22c7f0 0 Filters/CrawlWebApplication
7f22c838 0 Filters/CrawlWebApplication
...

7. Once the sosex.dll extension completes, do '.logclose'

8. In the log file you opened (managed-strings.log here), you'll see output similar to the following:

0:000> !sosex.strings
Address Gen Value
---------------------------------------
7f2290c8 0
7f229108 0
7f22911c 0 Filters/IncludeExtensions
7f229160 0 Filters/IncludeExtensions
7f229394 0 true
7f22c778 0
7f22c7d4 0 true
7f22c7f0 0 Filters/CrawlWebApplication
7f22c838 0 Filters/CrawlWebApplication
7f22cd6c 0
7f230150 0
7f230190 0
7f2301a4 0 Filters/ExcludeListTypes
7f2301e8 0 Filters/ExcludeListTypes
7f23041c 0 true
7f233800 0
7f23385c 0 true
7f233878 0 Filters/IndexItemView
7f2338b4 0 Filters/IndexItemView
7f233d9c 0 logs
7f237180 0
7f2371dc 0 logs
7f2371f8 0 ConnectorExecution/WorkFolder
7f237244 0 ConnectorExecution/WorkFolder

9. Open an elevated command prompt, change to your C:\Unix directory, and then issue the following command:

strings -q -n 16 C:\path-to-logfile\managed-strings.log | cut -d " " -f7 | sort | uniq -c | sort | tee c:\users\your-username\sorted-managed-strings.txt

Here strings extracts the printable strings of at least 16 characters from the log, cut keeps the space-delimited field holding the string value, sort | uniq -c counts each distinct value, the final sort orders the counted lines, and tee writes the result to a file while also echoing it to the console.

For example:

strings -q -n 16 C:\drop\customers\internal\managed-strings.log | cut -d " " -f7 | sort | uniq -c | sort | tee c:\users\scottos\sorted-managed-strings.txt

...
202564 Database/DataSource
202564 Database/InitialCatalog
202564 Database/Password
202564 Database/PersistenceHandlerDB
202564 Database/PurgeAtStart
202564 Database/RetryPeriodWhenDBIsDown
202564 Database/TableNamePrefix
202564 Database/Username
202564 ESPSubmit/Collection
202564 Filters/CrawlWebApplication
202564 id;listtitle;listdescription;listid;listitemcount;modifiedby;createdby;id;name;created
202564 Logging/FileMode
202564 Logging/LogFile
202564 Logging/LogLevel
202564 Logging/LogServer
202564 espconn-1:16100
202564 teamsites
202565 50
202565 5000
202565 548513
202565 AUTOFLUSHFILE
202565 sql08ma1-1.eelab.fastesc.com
202565 FAST_SEARCH_QA
202565 logs
202565 MOSSConnector.log
202565 my_fast_search
202565 prod
202565 SqlServer
202566 5
202566 FAST_Hello_QA
202566 kerberos
202569 TRACE
202572 1
405130 3600
2025650 true
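The step 9 pipeline redone in Python, as an added example that is not part of the original post: it parses the sosex '!strings' log format directly (address, generation, value), so it goes a little beyond the cut/sort/uniq chain by keeping values that contain spaces whole and dropping empty values, with min_len=16 mirroring the strings -n 16 filter. The log text embedded below is a constructed sample modelled on the excerpt above, not real dump data.

```python
import re
from collections import Counter

# Constructed sample of a sosex '!strings' log, modelled on the excerpt above (not real dump data).
SAMPLE_LOG = """\
0:000> !sosex.strings
Address Gen Value
---------------------------------------
7f2290c8 0
7f229108 0
7f22911c 0 Filters/IncludeExtensions
7f229160 0 Filters/IncludeExtensions
7f229394 0 true
7f22c778 0
7f22c7d4 0 true
7f22c7f0 0 Filters/CrawlWebApplication
7f230150 2 a value with spaces
"""

# One entry: hex object address, GC generation, then the (possibly empty) string value.
ENTRY_RE = re.compile(r"^\s*([0-9a-fA-F]{8,16})\s+(\d+)\s*(.*?)\s*$")


def parse_entries(text):
    """Yield (address, gen, value) for each entry line; prompt, header and rule lines are skipped."""
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            yield m.group(1), int(m.group(2)), m.group(3)


def count_values(text, min_len=1):
    """Count distinct string values, dropping empty ones and any shorter than min_len
    (min_len=16 mirrors the 'strings -n 16' filter in the command above)."""
    counts = Counter()
    for _addr, _gen, value in parse_entries(text):
        if len(value) >= min_len:
            counts[value] += 1
    return counts


def sorted_counts(counts):
    """Return (count, value) pairs ordered by ascending count, then by value."""
    return sorted((n, v) for v, n in counts.items())


if __name__ == "__main__":
    for n, v in sorted_counts(count_values(SAMPLE_LOG)):
        print(f"{n:>8} {v}")
```

The step 9 listing shows configuration keys such as Database/Password and Database/Username surfacing from the heap, so the dump and any log derived from it should be handled as sensitive data.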