Search This Blog

Wednesday, November 4, 2009

How to read Memory Dumps

A small memory dump file records the smallest set of useful information that may help identify why your computer has stopped unexpectedly. This option requires a paging file of at least 2 megabytes (MB) on the boot volume. On computers that are running Microsoft Windows 2000 or later, Windows create a new file every time your computer stops unexpectedly. A history of these files is stored in a folder.

This dump file type includes the following information:

  • The Stop message and its parameters and other data
  • A list of loaded drivers
  • The processor context (PRCB) for the processor that stopped
  • The process information and kernel context (EPROCESS) for the process that stopped
  • The process information and kernel context (ETHREAD) for the thread that stopped
  • The Kernel-mode call stack for the thread that stopped

The small memory dump file can be useful when hard disk space is limited. However, because of the limited information that is included, errors that were not directly caused by the thread that was running at the time of the problem may not be discovered by an analysis of this file.

If a second problem occurs and if Windows creates a second small memory dump file, Windows preserves the previous file. Windows gives each file a distinct, date-encoded file name. For example, Mini022900-01.dmp is the first memory dump file that was generated on February 29, 2000. Windows keeps a list of all the small memory dump files in the %SystemRoot%\Minidump folder.

http://support.microsoft.com/kb/315263

To configure startup and recovery options to use the small memory dump file, follow these steps.

Note Because there are several versions of Microsoft Windows, the following steps may be different on your computer. If they are, see your product documentation to complete these steps.

  1. Click Start, point to Settings, and then click Control Panel.
  2. Double-click System.
  3. Click the Advanced tab, and then click Settings under Startup and Recovery.
  4. In the Write debugging information list, click Small memory dump (64k).

Install the debugging tools

To download and install the Windows debugging tools, visit the following Microsoft Web site:

http://www.microsoft.com/whdc/devtools/debugging/default.mspx

http://www.microsoft.com/whdc/devtools/debugging/installx86.mspx#a

Install the Symbols for the OS or Use the Microsoft Symbol Server to obtain debug symbol files http://www.microsoft.com/whdc/devtools/debugging/symbolpkg.mspx#f

Note http://msdl.microsoft.com/download/symbols is not browsable and is only intended for access by the debugger.

Then start the Windbg (Windows Debugging Tools) and load the symbol file path.

Open the mini-dump and Examine the dump file

There are several commands that you can use to gather information in the dump file, including the following commands:

Here you can see the culprit was a Sound driver trying to write to a readonly section of the RAM

The mini dump analysis follows:

Microsoft (R) Windows Debugger Version 6.11.0001.404 X86

Copyright (c) Microsoft Corporation. All rights reserved.

Loading Dump File [C:\Mini110409-01.dmp]

Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: C:\WINDOWS\Symbols

Executable search path is:

Unable to load image ntoskrnl.exe, Win32 error 0n2

*** WARNING: Unable to verify timestamp for ntoskrnl.exe

Windows XP Kernel Version 2600 (Service Pack 3) MP (4 procs) Free x86 compatible

Product: WinNt, suite: TerminalServer SingleUserTS

Machine Name:

Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055d720

Debug session time: Wed Nov 4 07:26:14.453 2009 (GMT-6)

System Uptime: 134 days 15:49:08.781

Unable to load image ntoskrnl.exe, Win32 error 0n2

*** WARNING: Unable to verify timestamp for ntoskrnl.exe

Loading Kernel Symbols

...............................................................

Loading User Symbols

Loading unloaded module list

..................................................

* Bugcheck Analysis *


Use !analyze -v to get detailed debugging information.

BugCheck 100000BE, {aba870d2, 10c14121, a7f777d4, a}


*** WARNING: Unable to verify timestamp for hal.dll

*** WARNING: Unable to verify timestamp for sysaudio.sys

Unable to load image ks.sys, Win32 error 0n2

*** WARNING: Unable to verify timestamp for ks.sys

Unable to load image wdmaud.sys, Win32 error 0n2

*** WARNING: Unable to verify timestamp for wdmaud.sys

Probably caused by : sysaudio.sys ( sysaudio!CFilterInstance::FilterDispatchIoControl+53 )


Followup: MachineOwner


3: kd> !analyze -v

* Bugcheck Analysis *


ATTEMPTED_WRITE_TO_READONLY_MEMORY (be)

An attempt was made to write to readonly memory. The guilty driver is on the

stack trace (and is typically the current instruction pointer).

When possible, the guilty driver's name (Unicode string) is printed on

the bugcheck screen and saved in KiBugCheckDriver.

Arguments:

Arg1: aba870d2, Virtual address for the attempted write.

Arg2: 10c14121, PTE contents.

Arg3: a7f777d4, (reserved)

Arg4: 0000000a, (reserved)


Debugging Details:

------------------

CUSTOMER_CRASH_COUNT: 1

DEFAULT_BUCKET_ID: DRIVER_FAULT

BUGCHECK_STR: 0xBE

PROCESS_NAME: Ventrilo.exe

LAST_CONTROL_TRANSFER: from 8054b75f to 8054b10f

STACK_TEXT:

a7f77888 8054b75f 00000001 8918a310 88bc7cf8 nt!MiReleaseSystemPtes+0x114

a7f778c8 804f4c20 88bc7900 893de3e0 88b86cd8 nt!ExAllocatePoolWithTag+0x3df

a7f77920 804ff853 88b86cd8 a7f7796c a7f77960 nt!CcSetFileSizes+0x1a6

a7f77970 806e6ef2 00000000 00000000 a7f77988 nt!CcPerformReadAhead+0x16d

a7f77988 806e6ae4 badb0d00 00000000 88bc7cf8 hal!HalBuildMdlFromScatterGatherList+0xde

a7f77a18 804f17f6 88b86cd8 8918a310 00000000 hal!HalpAllocateAdapterCallback+0x82

a7f77a4c a8b1efe7 8918a310 89c2ae98 89bd3b70 nt!Magic86400000+0x2ee

a7f77a90 b7deff95 89bd3b70 88b86c98 a7f77adc sysaudio!CFilterInstance::FilterDispatchIoControl+0x53

a7f77aa0 804ef19f 89bd3b70 88b86c98 88b86c98 ks!DispatchDeviceIoControl+0x28

a7f77adc a84b24df 8918a310 00000000 002f0003 nt!MiFlushSectionInternal+0x256

a7f77b30 a84b227e 8918a310 00000002 e3fb3960 wdmaud!GetTopologyProperty+0x84

a7f77b58 a84b231e 8918a310 89c93708 00000009 wdmaud!ControlNodeFromGuid+0x3f

a7f77b7c a84b2417 8918a310 89c93708 00000009 wdmaud!GetControlNodes+0x2a

a7f77bb0 a84b2813 00000000 00000009 00000001 wdmaud!OpenSysAudioPin+0xe5

a7f77bec a84b1a83 00000092 00000009 88e64708 wdmaud!OpenWavePin+0x3e2

a7f77c18 a84b1382 88d55860 88e64708 00000000 wdmaud!Dispatch_OpenPin+0xb7

a7f77c40 804ef19f 00000010 88b10000 806e6410 wdmaud!SoundDispatch+0x430

a7f77c64 805807f7 890c1230 88d55860 89c86e08 nt!MiFlushSectionInternal+0x256

a7f77d00 80579274 0000034c 000002e4 00000000 nt!NtSetInformationThread+0x125

a7f77d34 8054162c 0000034c 000002e4 00000000 nt!SepOpenTokenOfThread+0x87

a7f77d64 7c90e4f4 badb0d00 0012ec78 a91f7d98 nt!RtlIpv4StringToAddressExW+0xad

WARNING: Frame IP not in any known module. Following frames may be wrong.

a7f77d78 00000000 00000000 00000000 00000000 0x7c90e4f4


STACK_COMMAND: kb


FOLLOWUP_IP:

sysaudio!CFilterInstance::FilterDispatchIoControl+53

a8b1efe7 ?? ???

SYMBOL_STACK_INDEX: 7

SYMBOL_NAME: sysaudio!CFilterInstance::FilterDispatchIoControl+53

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: sysaudio

IMAGE_NAME: sysaudio.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 48025beb

FAILURE_BUCKET_ID: 0xBE_sysaudio!CFilterInstance::FilterDispatchIoControl+53

BUCKET_ID: 0xBE_sysaudio!CFilterInstance::FilterDispatchIoControl+53

Followup: MachineOwner

--------

No comments:

Giveaway of the Day

Giveaway of the Day

Soduko

Sudoku puzzles courtesy of Sudoku Shack