Windows 10 symbol version

Offline Symbols for Windows Update

This topic describes how you can work with offline symbols for Windows Update. It describes a procedure that can be used to decode Windows Update logs on machines that don’t have access to the Microsoft symbol server.

If you find yourself needing to do this often, you should see if setting up a Symbol Proxy Server is viable for your networking configuration. For more information see SymProxy.

All the options below require you to have one machine that can connect to Microsoft’s symbol server, and have the ability to copy files to or from the machine that has the logs. The machine that doesn’t have access to the symbol server will be referred to as the offline machine, and the machine that does have access as the online machine.

We recommend using a single online machine per OS build version so the WU symbol cache will build month-by-month and contain the WU symbols from multiple update releases.

If you have access to an online machine with the same exact patch level as the offline machine, you have two options (Option 1 and Option 2 below).

Verify that the online and offline PCs are at the same version level by running winver or ver on both machines.

If you don’t have access to an online machine with the same version, you’ll need to go through some extra steps to create a SymChk manifest file, described later in this topic in Option 3: Create a SymChk manifest file.

Option 1: Copy the ETL event log to the online machine

Copy all the WindowsUpdate ETL files from C:\Windows\logs\WindowsUpdate\ to your online machine.

On the online machine, open a PowerShell prompt and run the following Get-WindowsUpdateLog PowerShell command.

This will download the symbols needed for log analysis.

Option 2: Copy the symbols to the offline machine

On the online machine, open a PowerShell prompt and run “Get-WindowsUpdateLog”. This will cache the symbols needed for log analysis.

Copy all the files in %temp%\WindowsUpdateLog\SymCache from the online machine to %temp%\WindowsUpdateLog\SymCache on the offline machine.

On the offline machine, open a PowerShell prompt and run “Get-WindowsUpdateLog” to analyze the logs.
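The Option 2 procedure can be scripted so that the patch-level check and the file copy are verified rather than assumed. The following is an added example, not part of the original documentation: the helper names, the staging folder and the two metadata file names are assumptions, and the registry read of CurrentBuild and UBR stands in for running winver by hand.

```powershell
# Added example. Helper names, staging folder and metadata file names are assumptions.
$SymCache = Join-Path $env:TEMP 'WindowsUpdateLog\SymCache'
$Meta     = 'hashes.csv', 'patchlevel.txt'

function Get-PatchLevel {
    # CurrentBuild.UBR is the build and update revision that winver displays.
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    '{0}.{1}' -f $cv.CurrentBuild, $cv.UBR
}

function Export-WuSymCache {            # run on the ONLINE machine
    param([Parameter(Mandatory)][string]$Staging)
    Get-WindowsUpdateLog | Out-Null     # decodes the logs and fills SymCache
    New-Item -ItemType Directory -Force -Path $Staging | Out-Null
    $root = (Resolve-Path $Staging).Path
    Copy-Item -Path (Join-Path $SymCache '*') -Destination $root -Recurse -Force
    # One SHA-256 per symbol file, keyed by path relative to the staging folder.
    $rows = Get-ChildItem $root -Recurse -File |
        Where-Object Name -notin $Meta |
        ForEach-Object {
            [pscustomobject]@{
                Path = $_.FullName.Substring($root.Length).TrimStart('\')
                Hash = (Get-FileHash $_.FullName -Algorithm SHA256).Hash
            }
        }
    $rows | Export-Csv (Join-Path $root 'hashes.csv') -NoTypeInformation
    Get-PatchLevel | Set-Content (Join-Path $root 'patchlevel.txt')
}

function Import-WuSymCache {            # run on the OFFLINE machine
    param([Parameter(Mandatory)][string]$Staging)
    $root   = (Resolve-Path $Staging).Path
    $source = (Get-Content (Join-Path $root 'patchlevel.txt') -TotalCount 1).Trim()
    if ($source -ne (Get-PatchLevel)) {
        throw "Symbols were cached on build $source, this machine is $(Get-PatchLevel)."
    }
    # Detects truncated or corrupted copies. The hashes travel with the files,
    # so this is a transfer check, not proof of origin.
    foreach ($row in Import-Csv (Join-Path $root 'hashes.csv')) {
        $actual = (Get-FileHash (Join-Path $root $row.Path) -Algorithm SHA256).Hash
        if ($actual -ne $row.Hash) { throw "Copy is corrupt: $($row.Path)" }
    }
    New-Item -ItemType Directory -Force -Path $SymCache | Out-Null
    Copy-Item -Path (Join-Path $root '*') -Destination $SymCache -Recurse -Force `
        -Exclude $Meta
    Get-WindowsUpdateLog                # now decodes from the local cache
}
```

Run Export-WuSymCache on the online machine, move the staging folder across, then run Import-WuSymCache on the offline machine.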

Option 3: Create a SymChk manifest file

On the offline machine, follow the steps in Using a Manifest File with SymChk to create a manifest for these files in the system32 directory:

Copy the manifest to your online machine.

With the manifest file, use SymChk to download the symbols locally to your online PC.

Copy the folder and symbols you passed to SymChk to %temp%\WindowsUpdateLog\SymCache on your offline PC.

On the offline machine, open a PowerShell prompt and run “Get-WindowsUpdateLog” to analyze the logs.

Installing Windows Symbol Files

Before you debug the Windows kernel, a driver or app, you need access to the proper symbol files. The official way to get Windows symbols is to use the Microsoft Symbol Server. The symbol server makes symbols available to your debugging tools as needed. After a symbol file is downloaded from the symbol server it is cached on the local computer for quick access.

You can connect to the Microsoft Symbol Server with one simple use of the .symfix (Set Symbol Store Path) command. For full details, see Microsoft Public Symbols.

We are no longer publishing the offline symbol packages for Windows. The faster Windows update cadence means the Windows debugging symbols are quickly made out of date. We have made significant improvements to the online Microsoft Symbol Server where symbols for all Windows versions and updates are available. You can find more about this in this blog entry.

For information on how to retrieve symbols for a machine that is not connected to the Internet, see Using a Manifest File with SymChk.

If you are going to debug a user-mode app, you need to install the symbols for this app as well.

You can debug an app if you have its symbols but not Windows symbols. However, your results will be much more limited. You will still be able to step through the app code, but any debugger activity which requires analysis of the kernel (such as getting a stack trace) is likely to fail.

How to quickly insert symbols on Windows 10

Can’t remember the Alt key code? Or you keep using the internet just to copy and paste a symbol? Then here are two quick ways to insert symbols on Windows 10.

On Windows 10, if you have ever written an email or document, you know how inconvenient it can be to remember the Alt key codes or to search online to insert symbols (such as em dash, more than and less than, arrows, etc.) into your text or social media post.

Starting with version 1903, May 2019 Update, Windows 10 is updating the emoji panel to include symbols and kaomoji (face characters), so you no longer have to remember Alt key codes or use extra steps.

In this guide, you’ll learn the easy steps to insert symbols and kaomoji into your documents, text files, emails, and social media posts on Windows 10.

How to insert symbols using emoji panel

To insert symbols or kaomoji on Windows 10, use these steps:

Open a text file, document, or email.

Use the Windows key + . (period) or Windows key + ; (semicolon) keyboard shortcut to open the emoji panel.

Click the Omega button to access the symbols. (Or the character face button to access the available kaomoji.)

Select the symbols you want to insert.

After completing the steps, the symbols you use more frequently will appear in the most recently used tab to make it even easier to select them the next time.

How to insert symbols using Character Map

Alternatively, you can still use the old Character Map app to insert symbols on any text file or social media post using these steps:

Open Start.

Search for Character Map and click the top result to open the experience.

Select the symbol that you want to use.

Click the Select button.

Click the Copy button.

Once you’ve completed the steps, you can insert the symbol by right-clicking and selecting the Paste option (or using the Ctrl + V keyboard shortcut).

If you don’t see the symbol or kaomoji sections using the emoji panel, it’s because you’re not running the version that supports this feature. Symbols and face characters are available starting with Windows 10 version 1903, May 2019 Update, more specifically with build 18305 and later.

Symbol Support

When Windows Performance Analyzer (WPA) is correctly configured, WPA shows symbolic names from the symbol files for addresses that are found in the recording.

To decode symbols and build complete call stacks, the tools must locate the program database (PDB) files, also known as symbol files. The compiler and linker generate PDB files when the system builds a component. Microsoft provides the PDB files for many Microsoft products in an online symbol server. The Microsoft Debugging Tools for Windows and WPA use the online symbol server to look up symbol information. Therefore, the computer must be connected to the Internet if the symbol files are not copied locally. The Windows Performance Toolkit uses the same symbol decoding infrastructure as the Windows debugger, Windbg.exe. For more information, see WinDbg.

To configure symbol support, you must define the _NT_SYMBOL_PATH environment variable. The following example sets the symbol path to use the Microsoft public symbol server together with a downstream store in C:\symbols:

Note that this example is a single command line.

The URL in this symbol path specifies the online Microsoft symbol server. The path between the asterisks (C:\symbols) specifies the downstream store. This is a local cache in which the symbol resolution system keeps symbol files. WPA Tools also decode symbols from components that you develop. Add one or more paths to _NT_SYMBOL_PATH that contain the PDB files for the components that you want to record. For example, the following example shows how the path was set up for the previous example:
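The symbol path layout described above (a local PDB directory plus the public symbol server with its downstream store in C:\symbols) can be set and sanity-checked before a recording is opened. This is an added example, not the original page's command: Test-SymbolPath and C:\MyApp\pdb are hypothetical names, and the check is local only, with no network access.

```powershell
# Added example: Test-SymbolPath and C:\MyApp\pdb are hypothetical names.
function Test-SymbolPath {
    param([string]$SymbolPath = $env:_NT_SYMBOL_PATH)
    foreach ($element in ($SymbolPath -split ';' | Where-Object { $_.Trim() })) {
        $element = $element.Trim()
        $parts   = $element -split '\*'
        if ($parts[0] -ieq 'srv') {
            # srv*<downstream store>*<server>; the downstream store is optional.
            $server = $parts[-1]
            $store  = if ($parts.Count -ge 3) { $parts[1] } else { $null }
            [pscustomobject]@{
                Kind        = 'SymbolServer'
                Source      = $server
                Store       = $store
                StoreExists = [bool]($store -and (Test-Path -LiteralPath $store))
                # Symbols fetched over plain HTTP can be altered in transit.
                Note        = if ($server -match '^http://') { 'unencrypted HTTP' } else { '' }
            }
        }
        elseif ($parts.Count -gt 1) {
            # Other starred forms (for example symsrv* or cache*) are not analysed here.
            [pscustomobject]@{ Kind = 'Other'; Source = $element; Store = $null
                               StoreExists = $false; Note = 'not checked' }
        }
        else {
            # A plain directory that should contain PDB files for your own components.
            $found = Test-Path -LiteralPath $element
            [pscustomobject]@{ Kind = 'Directory'; Source = $element; Store = $null
                               StoreExists = $false
                               Note = if ($found) { '' } else { 'path not found' } }
        }
    }
}

# Own PDBs first, then the Microsoft public symbol server cached in C:\symbols.
$env:_NT_SYMBOL_PATH =
    'C:\MyApp\pdb;srv*C:\symbols*https://msdl.microsoft.com/download/symbols'
Test-SymbolPath | Format-Table Kind, Source, Store, StoreExists, Note -AutoSize
```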

When Xperf or WPA decodes symbols, Xperf or WPA caches a condensed version of the original symbol files, or PDBs, on disk in the \symcache directory. To do this, Xperf or WPA uses the symbols that are available at the time. The operating system symbols that are available outside Microsoft are public symbols. These symbols contain less information than internal private symbols. In black-box testing, public symbols can also include incorrect information. Private symbols, which are more reliable, can be obtained under non-disclosure agreements. If a user has decoded a recording by using public symbols, and the user then obtains private symbols, the user must clear the \symcache directory before Xperf or WPA can discover the new private symbols.

Troubleshooting Symbol Decoding

Symbol decoding support is complex. The following requirements must be met:

You must specify -symbols on the Xperf command line or select Load Symbols on the Trace menu in WPA after you open a recording.

The environment variables must be configured correctly. For more information for Xperf, see symbols.

The ETW kernel recording file must have been stopped and merged correctly. For more information, see Stopping a Recording.

Windows Performance Recorder (WPR) or WPA merges the ETW user recording file together with a kernel recording file that is taken at the same time on the same computer.

You must have access to the binary and symbol sources that _NT_SYMBOL_PATH specifies. If you use a symbol server, the symbol server is often just a redirector. In this case, you must have access to both the symbol server and the sites that the symbol server points to that host the binaries and symbols.

_NT_SYMBOL_PATH must point to the correct files. If the files exist from a different build or architecture, the files will not work. If the version of the application binary files is not the same version as the symbols that _NT_SYMBOL_PATH points to, you cannot view call stacks.

To rule out a symbol mismatch, use Symchk.exe from the Debugging Tools for Windows distribution to ensure that the symbols match the symbol files on the computer on which the recording was taken. For example:

To rule out a binary mismatch, use the fc /b command to ensure that the binaries on the computer on which the recording was taken match the binaries on the drop share. For example:

In Xperf, you must capture the ETW kernel recording by using at least the PROC_THREAD+LOADER flags. These flags provide basic information about process lifetime and image virtual address ranges in process memory. This information helps Xperf to decode virtual addresses to images and symbols.

To verify that these flags have been enabled in the ETW kernel recording, check that Xperf -process events (Create, Delete, Start Rundown, End Rundown) and Image events (Load, Unload, Start Rundown, End Rundown) are present in the table that is generated by using the following command:

Note: All of these events might not be listed in the table, depending on whether these events occurred.

Limitation in Xperf Symbol Decoding

Xperf defaults to the system drive if a drive is not specified for an executable image (such as \Path\Library.dll). When you run the -d/-merge command, if Xperf cannot find an executable image that existed in a running process during the recording, Xperf cannot retrieve the corresponding image and symbol file identity information and add the information to the merged recording. Without that information, Xperf cannot perform symbol decoding for that image in that recording.

This issue does not affect other file paths, such as the paths in disk I/O or file I/O.

To enable symbol decoding and to help enable correct image load and unload paths in Xperf ETW recordings, you should store all executable images for which you might require symbol decoding or image load and unload paths on the system drive. Then, run the images from that drive. If that is not possible, create a mirror of the images on the system drive, even if you run the images from another drive. For example, if C: is your system drive, create an identical copy of D:\game\bin\binkw32.dll at C:\game\bin\binkw32.dll.

x (Examine Symbols)

The x command displays the symbols in all contexts that match the specified pattern.

Parameters

Options
Specifies symbol searching options. You can use one or more of the following options:

/0
Displays only the address of each symbol.

/1
Displays only the name of each symbol.

/2
Displays only the address and name of each symbol (not the data type).

/D
Displays the output using Debugger Markup Language.

/t
Displays the data type of each symbol, if the data type is known.

/v
Displays the symbol type (local, global, parameter, function, or unknown) of each symbol. This option also displays the size of each symbol. The size of a function symbol is the size of the function in memory. The size of other symbols is the size of the data type that the symbol represents. Size is always measured in bytes and displayed in hexadecimal format.

/s Size
Displays only those symbols whose size, in bytes, equals the value of Size. The Size of a function symbol is the size of the function in memory. The Size of other symbols is the size of the data type that the symbol represents. Symbols whose size cannot be determined are always displayed. Size must be a nonzero integer.

/q
Displays symbol names in quoted format.

/p
Omits the space before the opening parenthesis when the debugger displays a function name and its arguments. This kind of display can make it easier if you are copying function names and arguments from the x display to another location.

/f
Displays the data size of a function.

/d
Displays the data size of data.

/a
Sorts the display by address, in ascending order.

/A
Sorts the display by address, in descending order.

/n
Sorts the display by name, in ascending order.

/N
Sorts the display by name, in descending order.

/z
Sorts the display by size, in ascending order.

/Z
Sorts the display by size, in descending order.

Module
Specifies the module to search. This module can be an .exe, .dll, or .sys file. Module can contain a variety of wildcard characters and specifiers. For more information about the syntax, see String Wildcard Syntax.

Symbol
Specifies a pattern that the symbol must contain. Symbol can contain a variety of wildcard characters and specifiers. For more information about the syntax, see String Wildcard Syntax.

Because this pattern is matched to a symbol, the match is not case sensitive, and a single leading underscore (_) represents any quantity of leading underscores. You can add spaces within Symbol, so that you can specify symbol names that contain spaces (such as "operator new" or "Template") without using wildcard characters.

Environment

User mode, kernel mode

Live, crash dump

Remarks

The following command finds all of the symbols in MyModule that contain the string "spin".

The following command quickly locates the "DownloadMinor" and "DownloadMajor" symbols in MyModule.

You can also show all symbols in the MyModule by using the following command.

The preceding commands also force the debugger to reload symbol information from MyModule. If you want to reload the symbols in the module with a minimal display, use the following command.

A few symbols always contain the string "start". Therefore, the preceding command always displays some output to verify that the command works. But the preceding command avoids the excessive display length of x mymodule!*.

The display shows the starting address of each symbol and the full symbol name. If the symbol is a function name, the display also includes a list of its argument types. If the symbol is a global variable, its current value is displayed.

There is one other special case of the x command. To display the addresses and names of all local variables for the current context, use the following command.

Note: In most cases, you cannot access local variables unless private symbols have been loaded. For more information about this situation, see dbgerr005: Private Symbols Required. To display the values of local variables, use the dv (Display Local Variables) command.

The following example illustrates the /0, /1, and /2 options.

The /0, /1, and /2 options are useful if you want to use the output of the x command as input to the .foreach command.

The following example demonstrates the switch /f when used to filter functions on the module notepad.exe.

When you use the /v option, the first column of the display shows the symbol type (local, global, parameter, function, or unknown). The second column is the address of the symbol. The third column is the size of the symbol, in bytes. The fourth column shows the module name and symbol name. In some cases, this display is followed by an equal sign (=) and then the data type of the symbol. The source of the symbol (public or full symbol information) is also displayed.

In the preceding example, the size is given in hexadecimal format, while the data type is given in decimal format. Therefore, in the last line of the preceding example, the data type is an array of 42 pointers to unsigned short integers. The size of this array is 42*4 = 168, and 168 is displayed in hexadecimal format as 0xA8.

You can use the /s Size option to display only those symbols whose size, in bytes, is a certain value. For example, you can restrict the command in the preceding example to symbols that represent objects whose size is 0xA8.

Working With Data Types

The /t option causes the debugger to display information about each symbol’s data type. Note that for many symbols, this information is displayed even without the /t option. When you use /t, such symbols have their data type information displayed twice.

The x command will display an instance of a type.

The x command does not display anything based on just the name of a type.

To display type information using the name of a type, consider using dt (Display Type), which provides information for both types and instances of types:

Working With Templates

You can use wild cards with the x command to display template classes as shown in this sample.

Consider using the dt (Display Type) command when working with templates, as the x command does not display individual template class items.
