Windows Explored

Everyday Windows Desktop Support, Advanced Troubleshooting & Other OS Tidbits

Recovering Text From An Unresponsive Application

Posted by William Diaz on May 2, 2012


A couple of weeks ago a co-worker asked me if it was possible to recover text from a hung application. The user had spent a good amount of time typing into a text field and, upon trying to submit the information, IE hung and would not recover. The user didn’t want to have to retype everything from scratch. The short answer to this is yes. The long answer is “Yes, if you can be patient.” I have never actually needed to perform this myself because it’s not always that practical and, to be honest, the task can be somewhat tedious. But if you really need to recover text and Word didn’t auto-recover, or Outlook lost the draft after you clicked send, or IE is in the process of a “GUI crash”, then turn to the power of the dump.

The idea here is that if the application is still running but stalled, it still resides in memory, along with anything you typed into it. When you dump the process, you are writing its in-memory contents to a file that you can pick apart. Dumping a hung process is simple enough. On an XP system, open Process Explorer, right-click the process, and choose Create Dump. In Vista & Windows 7, this option is built into the Task Manager. You can then copy the dump to a system where WinDbg is installed and open it there.

In this example, I was composing an email in IE when it became unresponsive.
I’m feeling really lazy today and don’t want to start from scratch again. Or maybe I typed something really unique and can’t recall it. I dump the hung process with the Task Manager and open the dump in WinDbg. To find text, use the search memory command (s) with the desired parameter and specify a memory range. See the WinDbg help file for details. In this case, I’m searching the entire memory address space for a Unicode string I recall from the message I was composing:

0:000> s -u 0x00000000 L?0xffffffff "Who can help me?"
00000000`04175178  0057 0068 006f 0020 0063 0061 006e 0020  W.h.o. .c.a.n. .
00000000`041836b8  0057 0068 006f 0020 0063 0061 006e 0020  W.h.o. .c.a.n. .
00000000`04330178  0057 0068 006f 0020 0063 0061 006e 0020  W.h.o. .c.a.n. .
00000000`04335188  0057 0068 006f 0020 0063 0061 006e 0020  W.h.o. .c.a.n. .
00000000`0433a188  0057 0068 006f 0020 0063 0061 006e 0020  W.h.o. .c.a.n. .
00000000`04341188  0057 0068 006f 0020 0063 0061 006e 0020  W.h.o. .c.a.n. .
00000000`04347188  0057 0068 006f 0020 0063 0061 006e 0020  W.h.o. .c.a.n. .
00000000`0434e188  0057 0068 006f 0020 0063 0061 006e 0020  W.h.o. .c.a.n. .
00000000`04357188  0057 0068 006f 0020 0063 0061 006e 0020  W.h.o. .c.a.n. .
00000000`066fbe00  0057 0068 006f 0020 0063 0061 006e 0020  W.h.o. .c.a.n. .
00000000`0674acd4  0057 0068 006f 0020 0063 0061 006e 0020  W.h.o. .c.a.n. .
00000000`06793670  0057 0068 006f 0020 0063 0061 006e 0020  W.h.o. .c.a.n. .
00000000`0679564e  0057 0068 006f 0020 0063 0061 006e 0020  W.h.o. .c.a.n. .
00000000`0cd5d804  0057 0068 006f 0020 0063 0061 006e 0020  W.h.o. .c.a.n. .
00000000`0cd9b138  0057 0068 006f 0020 0063 0061 006e 0020  W.h.o. .c.a.n. .
00000000`0ced25be  0057 0068 006f 0020 0063 0061 006e 0020  W.h.o. .c.a.n. .
00000000`0d2fa188  0057 0068 006f 0020 0063 0061 006e 0020  W.h.o. .c.a.n. .
00000000`0d36d838  0057 0068 006f 0020 0063 0061 006e 0020  W.h.o. .c.a.n. .
00000000`0d36d9e8  0057 0068 006f 0020 0063 0061 006e 0020  W.h.o. .c.a.n. .
00000000`0d36db98  0057 0068 006f 0020 0063 0061 006e 0020  W.h.o. .c.a.n. .
00000000`0d36dd48  0057 0068 006f 0020 0063 0061 006e 0020  W.h.o. .c.a.n. .
00000000`0d36def8  0057 0068 006f 0020 0063 0061 006e 0020  W.h.o. .c.a.n. .
00000000`0e74a348  0057 0068 006f 0020 0063 0061 006e 0020  W.h.o. .c.a.n. .
00000000`0e74a8b8  0057 0068 006f 0020 0063 0061 006e 0020  W.h.o. .c.a.n. .
00000000`0e77e176  0057 0068 006f 0020 0063 0061 006e 0020  W.h.o. .c.a.n. .
00000000`1007c228  0057 0068 006f 0020 0063 0061 006e 0020  W.h.o. .c.a.n. .
00000000`10080238  0057 0068 006f 0020 0063 0061 006e 0020  W.h.o. .c.a.n. .
00000000`1008c268  0057 0068 006f 0020 0063 0061 006e 0020  W.h.o. .c.a.n. .
00000000`100b8318  0057 0068 006f 0020 0063 0061 006e 0020  W.h.o. .c.a.n. .

 

There are many fragments, and I need to examine these addresses one at a time until I find the body of the message. The easiest way to do this is to use the Memory window in WinDbg, via the View menu or from the toolbar. I pick one of the addresses above at random (00000000`1007c228) and copy it into the Virtual address bar to find the message body (a little scrolling may be required depending on the position of the text you are searching for).
You can change the display format if you prefer, for example to Unicode.
I mentioned earlier this can be tedious, not because the process so far has been difficult, but because extracting the text is not as simple as cut and paste. Here, what you see is what you get and a good amount of work needs to be done as far as formatting goes. I’m sure there is a scripted way to perform this in WinDbg, but that’s beyond me.
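One way to script the extraction outside WinDbg, as an added example that is not part of the original post: a Python script that does the equivalent of the `s -u` search over the dump file's raw bytes and then pulls out the whole UTF-16 text run around each hit, de-duplicating the many identical copies. It assumes Latin-script text, treats the dump as flat bytes (reported offsets are file offsets, not virtual addresses), and the function names and sample data are constructed for illustration.

```python
import mmap
import sys

# A code unit counts as text if it is tab/LF/CR, printable ASCII, Latin-1 or
# Latin Extended, or general punctuation such as curly quotes (assumption:
# Latin-script text; widen the ranges for other scripts).
def is_text_at(dump, i):
    u = int.from_bytes(dump[i:i + 2], "little")
    return (u in (0x09, 0x0A, 0x0D) or 0x20 <= u <= 0x7E
            or 0xA0 <= u <= 0x24F or 0x2010 <= u <= 0x203A)

def recover_text(dump, term, max_chars=8192):
    """Return [(file_offset, text)], longest first, for each distinct UTF-16LE run containing term."""
    needle = term.encode("utf-16-le")
    span = 2 * max_chars                   # cap on growth in each direction, in bytes
    found = {}
    pos = dump.find(needle)
    while pos != -1:
        start, end = pos, pos + len(needle)
        # Walk backward and forward two bytes at a time from the hit itself,
        # so a buffer that sits at an odd file offset is still followed.
        while start >= 2 and pos - start < span and is_text_at(dump, start - 2):
            start -= 2
        while end + 2 <= len(dump) and end - pos < span and is_text_at(dump, end):
            end += 2
        text = dump[start:end].decode("utf-16-le", errors="replace")
        found.setdefault(text, start)      # many heap copies are identical
        pos = dump.find(needle, end)
    return sorted(((off, txt) for txt, off in found.items()),
                  key=lambda hit: len(hit[1]), reverse=True)

# Constructed sample standing in for a dump file: the full buffer, a truncated
# copy, a duplicate at an odd offset, and an ANSI copy a Unicode search misses.
MESSAGE = "Hi team,\r\nWho can help me? The build server is down again."
SAMPLE_DUMP = (b"MDMP" + bytes(60) + MESSAGE.encode("utf-16-le") + b"\x00\x00"
               + b"\xde\xad\xbe\xef" * 8
               + "Who can help me? The bu".encode("utf-16-le") + b"\x00\x00"
               + b"\xff" + MESSAGE.encode("utf-16-le") + b"\x00\x00"
               + MESSAGE.encode("ascii"))

if __name__ == "__main__":
    if len(sys.argv) == 3:                 # usage: script.py <dump file> <search term>
        with open(sys.argv[1], "rb") as f, \
                mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ) as dump:
            hits = recover_text(dump, sys.argv[2])
    else:
        hits = recover_text(SAMPLE_DUMP, "Who can help me?")
    for offset, text in hits:
        print(f"--- file offset {offset:#x}, {len(text)} chars ---\n{text}")
```

The longest run is listed first, which is usually the complete edit buffer; shorter runs are the partial fragments seen in the search output.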
