In a previous article, I explained some of the quirky set up procedures associated with the Windows debugging program called Dr. Watson. However, in order to get the most out of the program, a decent background of the debugging results is a logical next step for consultants wanting to know more. To help with the learning process I thought a graphical representation of each section would be appropriate.

When a program error transpires, a text-based log file entitled Drwtsn32.log is created by the OS. You will typically find that log file in the Documents and Settings\All Users\Application Data\Microsoft\Dr Watson directory, or by simply using the Windows Search utility and searching for the Drwtsn32.log file. Once the log file is found, the results can appear very cryptic. However, there is a certain logic to the log files’ madness.

Error information by section
After the initial title and copyright information, Dr. Watson will inform you that an “application exception occurred” followed by pertinent data on the offending program as shown in Figure A.

Figure A
The first line lists the program that caused the error, while the last line lists the actual system-generated error code.

Figure B lists generic system and user information that might be helpful if you are working on a new or unfamiliar machine.

Figure B
This information does not help much for debugging, but it is nice to have on hand.

As shown in Figure C, the next part of the log file contains the list of tasks that were running on the system at the time the program error occurred.

Figure C
The first column is the Task Identifier, and the second column is the Task name.

Next, we move on to the Module list, as shown in Figure D.

Figure D
The module list contains the starting address and ending address along with the module’s full directory path.

State dump for the thread ID
Perhaps the most complicated section of the log file is next. It’s called the state dump for the thread ID, and it consists of four subsections. The first subsection is entitled the register dump, and it contains register name and value information as shown in Figure E.

Figure E
The left side of the equation in the register dump corresponds to the register name, while the right side is the register value.

The next subsection handles the disassembly of the code surrounding the current program counter. What that jumbled mess of words gives you is the thread ID’s faulting instruction information, function name, address, and raw machine-instruction code of the offending program. Figure F includes a sample of what this disassembly might look like.

Figure F
The disassembly might or might not contain faulting instructions depending on the error. The address information is located in the left column of the data, while the raw machine instruction is on the right.

The next subsection in the state dump section is called the stack back trace. As explained in Figure G, the stack back trace provides a snapshot of the threads’ frame parameters.

Figure G
The first column contains the frame pointer. Column two shows the frame return address. The next four columns represent actual parameters, and the last column displays the function name.

The final part of the state dump is called the raw stack dump, which contains the hard core ASCII and hexadecimal data for each thread. Figure H displays an example of the raw stack dump.

Figure H
For each address in the first column of the raw stack dump there is corresponding hexadecimal data located in the middle. The ASCII data appears on the far right.

At the end of the log file you may or may not see a symbol table depending on the program error involved.

Let the troubleshooting begin
Use this article as a starting point for deciphering the Dr. Watson log file. Keep in mind each application error is different, so your results may vary. Nonetheless, the structure of the log file should remain consistent with the previous graphics.