Mark Minasi's Reader Forum
 windbg - a primer on reading dump files
adegutis
Administrator

USA
2405 Posts
Status: offline

Posted - 04/09/2003 :  2:02:34 PM
Here are the basic steps I've used to analyze a dump file (memory.dmp or mini122503-01.dmp files) to try and find the cause of a system crash.

Disclaimer - I am a novice just getting started with debugging memory dumps

  1. Get the latest version of Debugging Tools for Windows (windbg): http://www.microsoft.com/ddk/debugging/installx86.asp

  2. Get the latest symbol files from the same link

  3. Install the Debugging Tools and extract the symbol files

  4. Launch windbg passing it the location of the symbol files, the source files (i386 directory) and the dumpfile. Example:

    windbg -y SRV*c:\winnt\symbols -i d:\i386 -z "c:\winnt\minidump\Mini011603-01.dmp"

    Note: the i386 directory should be at the same level (i.e. Service Pack) as the system that created the .dmp file. I use an SP3 slipstreamed install CD.
  5. I have no idea what to do with the Disassembly window that comes up so I close it and go to the main window.

  6. At the bottom of the Command window there is a kd> prompt. The following commands are entered into that prompt

  7. kd> !analyze -v

  8. Two things to look for in the results: the memory referenced and the FAULTING_IP

  9. kd> lm v

    This will produce a listing of modules and their memory location. Look to see which module's memory the memory referenced identified above falls in. That usually indicates the process that caused the crash and will probably match the FAULTING_IP if listed.

  10. Also informative: kd> .reload -l

    Note - again, I just close and ignore the Disassembly window.
Also, meese posted a link to the following article in one of the forum threads:

Using Microsoft's x86 Kernel Debugger
http://www.winnetmag.com/Articles/Index.cfm?ArticleID=5131&pg=1
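The steps above are typed interactively at the kd> prompt, one dump at a time. The PowerShell script below is an added example (not code from the original post or its author) that runs the same sequence non-interactively over a whole folder of minidumps, so each dump gets a saved text report and a one-screen summary for triage. It assumes cdb.exe, the console debugger shipped in the same Debugging Tools package as windbg and sharing its -y / -i / -z switches, is on the PATH; the folder paths are placeholders to adjust. FAULTING_IP is the field the post says to look for; MODULE_NAME, IMAGE_NAME and BUGCHECK_STR are standard !analyze -v output fields not mentioned in the post.

```powershell
# Added example, not from the original post: batch-run the post's kd> command
# sequence over every .dmp file in a folder using cdb.exe (console windbg).
# Assumptions (not from the post): cdb.exe is on the PATH and the paths below exist.
param(
    [string]$DumpDir    = 'C:\winnt\minidump',     # assumed location of the .dmp files
    [string]$SymbolPath = 'SRV*C:\winnt\symbols',  # the -y value from the post
    [string]$ImagePath  = 'D:\i386',               # the -i value from the post (same SP level as the crashed box)
    [string]$OutDir     = 'C:\dumpreports'         # assumed folder for the text reports
)

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# The post's commands, joined with ';' so the debugger runs them in order, then quits.
$kdCommands = '!analyze -v; lm v; .reload -l; q'

foreach ($dump in Get-ChildItem -Path $DumpDir -Filter '*.dmp') {
    $report = Join-Path $OutDir ($dump.BaseName + '.txt')

    # -y, -i and -z exactly as in the post's windbg line; -c runs the command string at startup.
    & cdb.exe -y $SymbolPath -i $ImagePath -z $dump.FullName -c $kdCommands |
        Out-File -FilePath $report -Encoding ascii

    # Pull out the faulting address the post says to look for first, plus the module
    # and bugcheck fields !analyze -v reports, so a folder of dumps can be scanned
    # without opening each report. The FAULTING_IP value is on the line after the label.
    $hits = Select-String -Path $report -Pattern '^(FAULTING_IP|MODULE_NAME|IMAGE_NAME|BUGCHECK_STR):' -Context 0, 1
    Write-Host ("{0}:" -f $dump.Name)
    foreach ($hit in $hits) {
        Write-Host ('    ' + $hit.Line.Trim())
        if ($hit.Line.Trim() -eq 'FAULTING_IP:' -and $hit.Context.PostContext.Count -gt 0) {
            Write-Host ('        ' + $hit.Context.PostContext[0].Trim())
        }
    }
}
```

Run it from a PowerShell prompt on the machine that has the Debugging Tools installed; the full !analyze -v and lm v output for each dump is kept in the report file, so the "which module owns the referenced memory" check from step 9 can still be done by hand against the saved listing.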

IG88
Old Timer

Canada
523 Posts
Status: offline

Posted - 04/14/2003 :  07:38:54 AM
Great, thanks a lot adegutis! I'll be putting this information to use NOW, on my NT 4 SP6a Server.

-=< IG88 >=-
Mark Minasi's Reader Forum © 2002-2009 Mark Minasi