Windbg Minidump Tutorial – Setting Up & Reading Minidump Files

This is a tutorial on how to set up and read your minidump files when you get a BSOD (blue screen of death), in an attempt to gain further insight into the cause of the problem. First things first. Download the latest Debugging Tools for Windows from the Microsoft website.

Then go to Start/Start Search. Type in the command cmd.

Then change directories to:

C:\Program Files\Debugging Tools for Windows (x86)

by using the command:

cd c:\program files\debugging tools for windows (x86)

It is case insensitive when using the cd command.

Then type in:

windbg.exe -z c:\windows\minidump\mini06190901.dmp -c "!analyze -v"

Your minidump file is located at C:\Windows\Minidump\Mini06200901.dmp. It will be in the form "MiniMMDDYY01.dmp".

KERNEL SYMBOLS ARE WRONG. PLEASE FIX SYMBOLS TO DO ANALYSIS

If somewhere in the output of the Bugcheck Analysis you see an error like:

Kernel symbols are WRONG. Please fix symbols to do analysis.

Then it is most likely that you are using old and incompatible symbols or corrupt files, or that you do not have the correct symbols at the specified location when the Windbg program was trying to analyze the minidump file. So what I did was open up the Windbg program located at C:\Program Files\Debugging Tools for Windows (x86) (in Vista, and I believe it is the same location for XP).

SETTING THE SYMBOL FILE PATH VIA WINDBG COMMAND LINE:

This is an important step, so make sure your symbol file path is set correctly lest you get the "kernel symbols are WRONG" error or other kinds of errors. Now set the Symbol File Path (File/Symbol File Path) to:

SRV*e:\symbols*[path to microsoft symbols path]

However, for some reason I found that in order to set the Symbol File Path in the "File/Symbol File Path" field you cannot change it directly in the "File/Symbol File Path" field. What I found is that you need to change it via the Windbg command window by going to:

"View/Command"

At the bottom of the command window, beside the "kd>" prompt, type this in:

.sympath SRV*e:\symbols*[path to microsoft symbols path]

The part between the two asterisks (*) is where the symbols from Microsoft's servers will be downloaded to. It is fairly large (roughly 22MB), so make sure that you have enough disk space.

SETTING SYMBOL FILE PATH IN THE ENVIRONMENT VARIABLE:

Alternatively, you can set it in your environment variables, either as a system or a user environment variable. To do this, press WINDOWS KEY+e. The WINDOWS KEY is the key to the right of the LEFT CTRL key on the keyboard. This will open up Windows Explorer.

Then click on "Advanced system settings" at the top left of the window. This step applies to Vista only. For XP users, simply click on the Advanced tab.

Then click on the "Environment Variables" button at the bottom of the window.

Then click on the "New" button under System Variables. Again, you can create the environment variable as a user environment variable instead.

In the "Variable Name" field type:

_NT_SYMBOL_PATH

In the "Variable Value" field type:

symsrv*symsrv.dll*e:\symbols*[path to microsoft symbols path]

If you set the symbol file path as a system environment variable I believe you will need to reboot your computer for it to take effect.
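The setup steps above (the symbol path for .sympath or _NT_SYMBOL_PATH, finding the newest MiniMMDDYY01.dmp, and the windbg -z/-c command line) as one added Python example; this is not code from the tutorial. It assumes the e:\symbols cache and the upstream symbol store URL are placeholders you replace, that dump names follow the MiniMMDDYY<seq>.dmp form given above with YY meaning 20YY, and it passes the symbol path with windbg's -y switch, which the tutorial itself does not use.

```python
"""Helpers for the minidump setup steps (added example, not the tutorial's code)."""
import re
from datetime import date

# The two symbol path forms the tutorial uses. Both carry a local cache
# directory and an upstream symbol store, separated by '*'.
SRV_FORM = re.compile(r"^SRV\*(?P<cache>[^*]+)\*(?P<upstream>.+)$", re.IGNORECASE)
SYMSRV_FORM = re.compile(
    r"^symsrv\*symsrv\.dll\*(?P<cache>[^*]+)\*(?P<upstream>.+)$", re.IGNORECASE)


def parse_symbol_path(path: str) -> dict:
    """Split a symbol path into its cache directory and upstream store.

    Raises ValueError when the '*' separators are missing, which is what a
    rendered web page tends to strip and what leaves windbg without a usable
    symbol store (the "Kernel symbols are WRONG" condition)."""
    for form in (SRV_FORM, SYMSRV_FORM):
        m = form.match(path.strip())
        if m:
            return {"cache": m.group("cache"), "upstream": m.group("upstream")}
    raise ValueError("symbol path is not in SRV*cache*upstream or "
                     f"symsrv*symsrv.dll*cache*upstream form: {path!r}")


def build_symbol_path(cache_dir: str, upstream: str, for_env: bool = False) -> str:
    """Compose the string for .sympath (for_env=False) or _NT_SYMBOL_PATH (True)."""
    if "*" in cache_dir or "*" in upstream:
        raise ValueError("'*' is the field separator and cannot appear inside a field")
    if for_env:
        return f"symsrv*symsrv.dll*{cache_dir}*{upstream}"
    return f"SRV*{cache_dir}*{upstream}"


# MiniMMDDYY<seq>.dmp, with an optional dash before the sequence number.
MINIDUMP_NAME = re.compile(r"^Mini(\d{2})(\d{2})(\d{2})-?(\d{2})\.dmp$", re.IGNORECASE)


def minidump_sort_key(filename: str):
    """Key that orders MiniMMDDYY<seq>.dmp names chronologically.
    Assumption: the two-digit YY means the year 20YY."""
    m = MINIDUMP_NAME.match(filename)
    if not m:
        raise ValueError(f"not a MiniMMDDYY<seq>.dmp name: {filename!r}")
    mm, dd, yy, seq = (int(g) for g in m.groups())
    return (date(2000 + yy, mm, dd), seq)


def latest_minidump(filenames) -> str:
    """Return the most recent dump name from an iterable of file names."""
    return max(filenames, key=minidump_sort_key)


def windbg_command(dump_path: str, symbol_path: str) -> list:
    """argv for the non-interactive run shown in the tutorial,
    windbg.exe -z <dump> -c "!analyze -v", plus -y for the symbol path."""
    parse_symbol_path(symbol_path)  # fail early on a malformed path
    return ["windbg.exe", "-y", symbol_path, "-z", dump_path, "-c", "!analyze -v"]


if __name__ == "__main__":
    # Constructed sample names (the first three are the ones the tutorial mentions).
    names = ["Mini06190901.dmp", "Mini06200901.dmp", "Mini06260901.dmp", "Mini06260902.dmp"]
    # Placeholder upstream URL; replace with the Microsoft symbol store URL.
    sympath = build_symbol_path(r"e:\symbols", "https://example.invalid/symbols")
    newest = latest_minidump(names)
    print(" ".join(windbg_command(r"c:\windows\minidump\\" + newest, sympath)))
```

On a real machine the file modification time is a sturdier way to pick the newest dump than decoding the name; the name-based key is used here so the example runs offline on constructed names.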

OUTPUT OF WINDBG COMMAND

So the following is the output for my crash:

Microsoft (R) Windows Debugger Version 6.11.0001.404 X86

Copyright (c) Microsoft Corporation. All rights reserved.

Loading Dump File [c:\windows\minidump\mini06260901.dmp]

Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: SRV*e:\symbols*[path to microsoft symbols]

Executable search path is:

Windows Server 2008/Windows Vista Kernel Version 6001 (Service Pack 1) MP (2 procs) Free x86 compatible

Product: WinNt, suite: TerminalServer SingleUserTS Personal

Built by: 6001.18226.x86fre.vistasp1_gdr.0903021506

Machine Name:

Kernel base = 0x8201d000 PsLoadedModuleList = 0x82134c70

Debug session time: Fri Jun 26 16:25:11.288 2009 (GMT-7)

System Uptime: 0 days 21:39:36.148

Loading Kernel Symbols

………………………………………………………

……………………………………………………….

…………………………………………………..

Loading User Symbols

Loading unloaded module list

……………………….

Bugcheck Analysis

Use !analyze -v to get detailed debugging information.

BugCheck A, 8cb5bcc0, 1b, 1, 820d0c1f

Unable to load image \SystemRoot\system32\DRIVERS\SymIMv.sys, Win32 error 0n2

WARNING: Unable to verify timestamp for SymIMv.sys

ERROR: Module load completed but symbols could not be loaded for SymIMv.sys

Unable to load image \SystemRoot\system32\DRIVERS\NETw3v32.sys, Win32 error 0n2

WARNING: Unable to verify timestamp for NETw3v32.sys

ERROR: Module load completed but symbols could not be loaded for NETw3v32.sys

Processing initial command '!analyze -v'

Probably caused by : tdx.sys ( tdx!TdxMessageTlRequestComplete+94 )

Followup: MachineOwner

0: kd> !analyze -v

Bugcheck Analysis

IRQL_NOT_LESS_OR_EQUAL (a)

An attempt was made to access a pageable (or completely invalid) address at an

interrupt request level (IRQL) that is too high. This is usually

caused by drivers using improper addresses.

If a kernel debugger is available get the stack backtrace.

Arguments:

Arg1: 8cb5bcc0, memory referenced

Arg2: 0000001b, IRQL

Arg3: 00000001, bitfield :

bit 0 : value 0 = read operation, 1 = write operation

bit 3 : value 0 = not an execute operation, 1 = execute operation (only on chips which support this level of status)

Arg4: 820d0c1f, address which referenced memory

Debugging Details:

WRITE_ADDRESS: GetPointerFromAddress: unable to read from 82154868

Unable to read MiSystemVaType memory at 82134420

8cb5bcc0

CURRENT_IRQL: 1b

FAULTING_IP:

nt!KiUnwaitThread+19

820d0c1f 890a mov dword ptr [edx],ecx

CUSTOMER_CRASH_COUNT: 1

DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT

BUGCHECK_STR: 0xA

PROCESS_NAME: System

TRAP_FRAME: 4526c4 (.trap 0xffffffff4526c4)

ErrCode = 00000002

eax=85c5d4d8 ebx=00000000 ecx=8cb5bcc0 edx=8cb5bcc0 esi=85c5d420 edi=ed9c7048

eip=820d0c1f esp=452738 ebp=45274c iopl=0 nv up ei pl nz na pe nc

cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010206

nt!KiUnwaitThread+0x19:

820d0c1f 890a mov dword ptr [edx],ecx ds:0023:8cb5bcc0=????????

Resetting default scope

LAST_CONTROL_TRANSFER: from 820d0c1f to 82077d24

STACK_TEXT:

4526c4 820d0c1f badb0d00 8cb5bcc0 87952ed0 nt!KiTrap0E+0x2ac

45274c 8205f486 00000002 85c5d420 ed9c7048 nt!KiUnwaitThread+0x19

452770 8205f52a ed9c7048 ed9c7008 00000000 nt!KiInsertQueueApc+0x2a0

452790 8205742b ed9c7048 00000000 00000000 nt!KeInsertQueueApc+0x4b

4527c8 8f989cd0 e79e1e88 e79e1f70 00000000 nt!IopfCompleteRequest+0x438

4527e0 8a869ce7 00000007 00000000 00000007 tdx!TdxMessageTlRequestComplete+0x94

452804 8a869d33 e79e1f70 e79e1e88 00000000 tcpip!UdpEndSendMessages+0xfa

45281c 8a560c7f e79e1e88 00000001 00000000 tcpip!UdpSendMessagesDatagramsComplete+0x22

STACK_COMMAND: kb

FOLLOWUP_IP:

tdx!TdxMessageTlRequestComplete+94

8f989cd0 6804010000 push 104h

SYMBOL_STACK_INDEX: 5

SYMBOL_NAME: tdx!TdxMessageTlRequestComplete+94

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: tdx

IMAGE_NAME: tdx.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 479190ee

FAILURE_BUCKET_ID: 0xA_tdx!TdxMessageTlRequestComplete+94

BUCKET_ID: 0xA_tdx!TdxMessageTlRequestComplete+94

Followup: MachineOwner

It looks like a bunch of hieroglyphic mumbo jumbo. However, if you look closely you can gain some further insight into the potential problem or its cause. The PROCESS_NAME is System, suggesting a system process. The MODULE_NAME is tdx.

OUTPUT OF KD COMMAND: LMVM TDX

The tdx was clickable for me, which executes the command:

kd> lmvm tdx

as a kd command. The 'lm' in "lmvm" is Loaded Module. The 'v' is Verbose. The 'm' is a pattern match. The debugger chm manual states it as:

m Pattern

Specifies a pattern that the module name must match. Pattern can contain a variety of wildcard characters and specifiers. For more information about the syntax of this information, see String Wildcard Syntax.

You can find lots of information in the chm manual when you download windbg from Microsoft. It should be located here:

C:\Program Files\Debugging Tools for Windows (x86)\debugger.chm

The output from the above command is:

0: kd> lmvm tdx

start end module name

8f97f000 8f995000 tdx (pdb symbols) c:\Program Files\Debugging Tools for Windows (x86)\sym\tdx.pdb\CFB0726BF9864FDDA4B793D5E641E5531\tdx.pdb

Loaded symbol image file: tdx.sys

Mapped memory image file: c:\Program Files\Debugging Tools for Windows (x86)\sym\tdx.sys\479190EE16000\tdx.sys

Image path: \SystemRoot\system32\DRIVERS\tdx.sys

Image name: tdx.sys

Timestamp: Fri Jan 18 21:55:58 2008 (479190EE)

CheckSum: 0001391F

ImageSize: 00016000

File version: 6.0.6001.18000

Product version: 6.0.6001.18000

File flags: 0 (Mask 3F)

File OS: 40004 NT Win32

File type: 3.6 Driver

File date: 00000000.00000000

Translations: 0409.04b0

CompanyName: Microsoft Corporation

ProductName: Microsoft® Windows® Operating System

InternalName: tdx.sys

OriginalFilename: tdx.sys

ProductVersion: 6.0.6001.18000

FileVersion: 6.0.6001.18000 (longhorn_rtm.0801181840)

FileDescription: TDI Translation Driver

LegalCopyright: © Microsoft Corporation. All rights reserved.

So we glean some more insight: who makes the module, and the potential cause of the problem.

I look at the STACK_TEXT and there are references to tcpip and NETIO, which seems to allude to a network problem. So I googled others with a BSOD and tdx.sys problem, and there is a hotfix for this problem. However, a BIG word of warning: please do not download the hotfix if this particular problem does not apply to you. Microsoft suggests using the Microsoft Update procedures, which will include all hotfixes.
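The by-eye reading of the !analyze -v output above (PROCESS_NAME, MODULE_NAME, IMAGE_NAME, the bugcheck code and arguments, the modules referenced in STACK_TEXT, and the "Kernel symbols are WRONG" / "symbols could not be loaded" conditions from the earlier section) as an added Python example; it is not the tutorial's own code. The sample text is an excerpt of the output shown on this page; the parser functions and the keys of the result dict are my own naming.

```python
"""Triage parser for windbg '!analyze -v' output (added example, not the tutorial's code)."""
import re

# Excerpt of the output shown on this page, used as the sample input.
SAMPLE = r"""
Mini Kernel Dump File: Only registers and stack trace are available
BugCheck A, 8cb5bcc0, 1b, 1, 820d0c1f
Unable to load image \SystemRoot\system32\DRIVERS\SymIMv.sys, Win32 error 0n2
ERROR: Module load completed but symbols could not be loaded for SymIMv.sys
ERROR: Module load completed but symbols could not be loaded for NETw3v32.sys
Probably caused by : tdx.sys ( tdx!TdxMessageTlRequestComplete+94 )
IRQL_NOT_LESS_OR_EQUAL (a)
CURRENT_IRQL: 1b
DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT
BUGCHECK_STR: 0xA
PROCESS_NAME: System
STACK_TEXT:
4526c4 820d0c1f badb0d00 8cb5bcc0 87952ed0 nt!KiTrap0E+0x2ac
45274c 8205f486 00000002 85c5d420 ed9c7048 nt!KiUnwaitThread+0x19
4527c8 8f989cd0 e79e1e88 e79e1f70 00000000 nt!IopfCompleteRequest+0x438
4527e0 8a869ce7 00000007 00000000 00000007 tdx!TdxMessageTlRequestComplete+0x94
452804 8a869d33 e79e1f70 e79e1e88 00000000 tcpip!UdpEndSendMessages+0xfa
STACK_COMMAND: kb
MODULE_NAME: tdx
IMAGE_NAME: tdx.sys
FAILURE_BUCKET_ID: 0xA_tdx!TdxMessageTlRequestComplete+94
"""

FIELD_RE = re.compile(r"^(?P<key>[A-Z_]+):\s*(?P<value>.*)$")          # KEY: value lines
BUGCHECK_RE = re.compile(r"^BugCheck\s+(?P<code>[0-9A-Fa-f]+),\s*(?P<args>.+)$")
# child-SP, return address, three args, then module!symbol+offset
FRAME_RE = re.compile(r"^[0-9a-f]{6,8}(?:\s+[0-9a-f]{8}){4}\s+(?P<module>\w+)!(?P<symbol>\S+)$")
NO_SYMBOLS_RE = re.compile(r"symbols could not be loaded for (?P<module>\S+)")
SYMBOLS_WRONG_RE = re.compile(r"Kernel symbols are WRONG", re.IGNORECASE)


def parse_analyze_output(text: str) -> dict:
    """Extract the triage fields from '!analyze -v' text."""
    result = {"bugcheck": None, "args": [], "fields": {}, "stack_modules": [],
              "missing_symbols": [], "symbols_wrong": False}
    in_stack = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if SYMBOLS_WRONG_RE.search(line):
            result["symbols_wrong"] = True
        m = NO_SYMBOLS_RE.search(line)
        if m:
            result["missing_symbols"].append(m.group("module"))
            continue
        m = BUGCHECK_RE.match(line)
        if m:
            result["bugcheck"] = m.group("code").upper()
            result["args"] = [a.strip() for a in m.group("args").split(",")]
            continue
        if line.startswith("STACK_TEXT:"):
            in_stack = True
            continue
        if in_stack:
            m = FRAME_RE.match(line)
            if m:
                mod = m.group("module")
                if mod not in result["stack_modules"]:
                    result["stack_modules"].append(mod)  # keep stack order, no repeats
                continue
            in_stack = False  # first non-frame line ends the STACK_TEXT section
        m = FIELD_RE.match(line)
        if m:
            result["fields"][m.group("key")] = m.group("value")
    return result


def triage_summary(parsed: dict) -> str:
    """One-screen summary of what the tutorial reads by eye."""
    f = parsed["fields"]
    lines = [
        f"bugcheck 0x{parsed['bugcheck']} ({f.get('BUGCHECK_STR', '?')}) in process {f.get('PROCESS_NAME', '?')}",
        f"blamed module: {f.get('MODULE_NAME', '?')} ({f.get('IMAGE_NAME', '?')}), bucket {f.get('FAILURE_BUCKET_ID', '?')}",
        "modules on the stack: " + ", ".join(parsed["stack_modules"]),
    ]
    if parsed["missing_symbols"]:
        lines.append("no symbols for: " + ", ".join(parsed["missing_symbols"]))
    if parsed["symbols_wrong"]:
        lines.append("kernel symbols are WRONG: fix the symbol path before trusting this analysis")
    return "\n".join(lines)


if __name__ == "__main__":
    print(triage_summary(parse_analyze_output(SAMPLE)))
```

The "symbols_wrong" flag matters because every other field is only as good as the symbols behind it: with a broken symbol path the blamed module and the stack names cannot be trusted, which is why the tutorial sends you back to fix the symbol path first.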

To obtain the link to the hotfix for the network problem, Google "Hotfix 934611 microsoft".

I didn't download this hotfix but rather opted to update my service pack. Currently, Vista is at Service Pack 2. I only had Service Pack 1. So I'll see if this fixes the problem.

To check what Service Pack you have installed and what bit version (32-bit or 64-bit) go to:

"Start/Computer". Right-click "Computer" and then click "Properties". You will see the Service Pack information under the heading "Windows Edition". Under the heading "System" (around halfway down the page) you will see "System type:", which will display whether you have the 32-bit or 64-bit version installed.

To obtain Service Pack 2 for Vista, Google "sp2 Vista Microsoft".
