Recovering Text From A Unresponsive Application
Posted by William Diaz on May 2, 2012
A couple weeks ago a co-worker asked me if it was possible to recover text from a hung application. The user had spent a good amount of time typing into text field and upon trying to submit the information, IE became hung and would not recover. The user didn’t want to have to retype everything from scratch again. The short answer to this is yes. The long answer is “Yes, if you can be patient.” I have never actually needed to perform this myself because it’s not always that practical and, to be honest, the task can be somewhat tedious. But if you really need to recover text and Word didn’t auto-recover or Outlook lost the draft after you clicked send, or IE is in the process of a “GUI crash”, then turn to the power of the dump.
The idea here is if the application is still running but stalled, it still resides in memory, along with anything you typed into it. When you dump the process, you are dumping its presence in memory to a file that you can pick apart. Dumping a hung process is simple enough. On an XP system, open Process Explorer, right-click the process, and choose Create Dump. In Vista & Windows 7, this option is now built into the Task Manager. You can then copy the dump to a system where WinDbg is installed to open it.
In this example, I was composing an email in IE when it became unresponsive: 
I’m feeling really lazy today and don’t want to start from scratch again. Or maybe I typed something really unique and can’t recall it. I dump the hung process with the Task Manager and open it. To find text, employ the search memory command (s) with the desired parameter and specify a memory range. See the WinDbg help file for details. In this case, I’m looking for unicode characters in the entire memory address space for a term I recall in the message I was composing:
|
0:000> s -u 0x00000000 L?0xffffffff "Who can help me?" |
There’s many fragments and I need to examine one of these address spaces until I find the body of the message. The easiest way to do this is to use the Memory window in WinDbg via the View menu or from the toolbar. I randomly choose any address space above (00000000`1007c228) and copy it into the Virtual address bar to find the message body (a little scrolling may be required depending on the position of the text you are searching for): 
You can change the display format if you prefer, for example Unicode: 
I mentioned earlier this can be tedious, not because the process so far has been difficult, but because extracting the text is not as simple as cut and paste. Here, what you see is what you get and a good amount of work needs to be done as far as formatting goes. I’m sure there is a scripted way to perform this in WinDbg, however, but that’s beyond me.
Windows Explored 
Leave a Reply