Crash-dump analysis of Windows memory
How often do you have to see the Blue Screen of Death Windows (BSoD)? BSoD can occur in the different situations, for example, in the process of loading the operating system or during working with the OS. How do you determine what caused the occurrence of BSoD and fix this problem? The OS of Windows is capable to store a memory dump when an error occurs, and the system administrator can analyze the data dump and find the cause of BSoD.
There are two types of memory dumps, such as a minidump and a full dump. Depending on your operating system, it can store the full or small dumps, or take no actions when an error occurs.
The minidump is located in %systemroot%\minidump, and it has a name like Minixxxxxx-xx.dmp.
The full dump is located in %systemroot%, and it has a name like Memory.dmp.
In order to analyze the contents of memory dumps you should use a special utility that is Microsoft Kernel Debugger.
You can get this program and the components that are necessary for its operation directly from the site of Microsoft - Debugging Tools.
When you choose the debugger you should take into account the version of the operating system on which you will need to analyze the memory dumps. For example, if you have 32-bit OS you need to download 32-bit version of the debugger, and a 64-bit operating system requires using 64-bit version of the debugger.
In addition to the package of Debugging Tools for Windows, you will also need a set of Debugging Symbols. This debugging set is specific to each operating system, where BSoD occurred. Therefore, you will need to download a set of symbols for each operating system in order to analyze your system. If you have 32-bit Windows XP you will need the set of symbols for 32-bit Windows XP, and 64-bit OS requires the set of symbols for 64-bit Windows XP. You can download the debugging symbols right from here. It is recommended to install them at the address %systemroot%\symbols.
After installation of the debugger and the debugging symbols, you should run the debugger, and its Windows will look like this:
Before you start analyzing the contents of the memory dump, you will need to setup the debugger. Namely, you need to tell the program specifically what path it should use to look for the debug symbols. To do this, you select the menu File> Symbol File Path ... Click Browse button... then you indicate the folder where the debug symbols were installed for considered memory dump.
You can inquire the information about debugging symbols directly over the Internet from a public server of Microsoft. So you will have the latest version of the symbols. You can do it like this - in the menu File> Symbol File Path ... then enter: SRV*%systemroot%\symbols*http://msdl.microsoft.com/download/symbols.
After you indicated the path to the debug symbols, you select the menu File> Save workspace and confirm the action by pressing OK.
In order to begin to analyze the memory dump, you select the menu File> Open Crash Dump ... then select the desired file for review.
The system will analyze the content, and at the end it will give the result of the supposed cause of the error.
A command !analyze –v that was given to the debugger will display more detailed information.
You can finish the debugging by choosing the menu item Debug> Stop Debugging.
So, using a package of Debugging Tools for Windows, you can always get a fairly complete picture of the causes of system errors.
|Vote for this post
Bring it to the Main Page