How to debug a memory dump ?

Guest

I had a blue screen with the error: DRIVER_IRQL_NOT_LESS_OR_EQUAL.
On the Microsoft knowledge base, there are different articles and I don't know
which one is the right one.
So I saw the article 314084 (
http://support.microsoft.com/default.aspx?scid=kb;en-us;314084&sd=ee ) which
explains how to gather information after a memory dump in Windows XP. It says
that using dumpchk.exe, one can get a value for ExceptionAddress. The
problem is that when I use dumpchk.exe, I don't see any field called
ExceptionAddress.
Probably dumpchk.exe has been updated for Service Pack 2 and the Microsoft
article doesn't apply to SP 2.
I would like to identify the driver that caused the exception.
Can you help?
 
Guest

I don't know because it appeared for 1 second.
The dump file is :

Loading dump file Mini072705-01.dmp
----- 32 bit Kernel Mini Dump Analysis

DUMP_HEADER32:
MajorVersion 0000000f
MinorVersion 00000a28
DirectoryTableBase 00039000
PfnDataBase 81d53000
PsLoadedModuleList 8055a420
PsActiveProcessHead 805604d8
MachineImageType 0000014c
NumberProcessors 00000001
BugCheckCode 100000d1
BugCheckParameter1 f6775328
BugCheckParameter2 00000002
BugCheckParameter3 00000000
BugCheckParameter4 f6775328
PaeEnabled 00000000
KdDebuggerDataBlock 8054c060
MiniDumpFields 00000dff

TRIAGE_DUMP32:
ServicePackBuild 00000200
SizeOfDump 00010000
ValidOffset 0000fffc
ContextOffset 00000320
ExceptionOffset 000007d0
MmOffset 00001068
UnloadedDriversOffset 000010a0
PrcbOffset 00001878
ProcessOffset 000024c8
ThreadOffset 00002728
CallStackOffset 00002980
SizeOfCallStack 000005a0
DriverListOffset 000031b0
DriverCount 00000095
StringPoolOffset 00005df0
StringPoolSize 000014d0
BrokenDriverOffset 00000000
TriageOptions 00000041
TopOfStack 8054fee0
DebuggerDataOffset 00002f20
DebuggerDataSize 00000290
DataBlocksOffset 000072c0
DataBlocksCount 00000003


Windows XP Kernel Version 2600 (Service Pack 2) UP Free x86 compatible
Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055a420
Debug session time: Wed Jul 27 12:13:39 2005
System Uptime: 0 days 1:21:09
start end module name
804d7000 806eb100 nt Checksum: 002198AF Timestamp: Wed Mar 02 01:59:37 2005 (42250FF9)

Unloaded modules:
f054d000 f0577000 kmixer.sys Timestamp: unavailable (00000000)
f054d000 f0577000 kmixer.sys Timestamp: unavailable (00000000)
f7e47000 f7e48000 drmkaud.sys Timestamp: unavailable (00000000)
f11fe000 f1228000 kmixer.sys Timestamp: unavailable (00000000)
f14fe000 f150b000 DMusic.sys Timestamp: unavailable (00000000)
f150e000 f151c000 swmidi.sys Timestamp: unavailable (00000000)
f12c8000 f12eb000 aec.sys Timestamp: unavailable (00000000)
f7d90000 f7d92000 splitter.sys Timestamp: unavailable (00000000)
f7f11000 f7f12000 SiSPort.sys Timestamp: unavailable (00000000)
f10be000 f10ce000 Serial.SYS Timestamp: unavailable (00000000)
f78a8000 f78b1000 processr.sys Timestamp: unavailable (00000000)
f7bf0000 f7bf5000 Cdaudio.SYS Timestamp: unavailable (00000000)
f7be8000 f7bed000 Flpydisk.SYS Timestamp: unavailable (00000000)
f7be0000 f7be7000 Fdc.SYS Timestamp: unavailable (00000000)

Finished dump check
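
An added example, not part of the original post and not Microsoft's tooling: a small parser for dumpchk text that decodes the 0xD1 bug check parameters (their meaning is taken from Microsoft's documentation for this stop code) and checks whether the referencing address falls inside any module range the output lists. The function names and the `SAMPLE` excerpt are assumptions made for the illustration; the sample lines are copied from the output above.

```python
import re

# Constructed sample: a subset of the dumpchk lines posted in this thread.
SAMPLE = """\
BugCheckCode 100000d1
BugCheckParameter1 f6775328
BugCheckParameter2 00000002
BugCheckParameter3 00000000
BugCheckParameter4 f6775328
start end module name
804d7000 806eb100 nt Checksum: 002198AF
Unloaded modules:
f054d000 f0577000 kmixer.sys Timestamp: unavailable (00000000)
f7f11000 f7f12000 SiSPort.sys Timestamp: unavailable (00000000)
"""

FIELD = re.compile(r"^(BugCheck(?:Code|Parameter\d))\s+([0-9a-fA-F]{8})\s*$")
RANGE = re.compile(r"^([0-9a-fA-F]{8})\s+([0-9a-fA-F]{8})\s+(\S+)")
ACCESS = {0: "read", 1: "write"}  # parameter 3 of bug check 0xD1

def parse_dumpchk(text):
    """Return (fields, modules); modules are (start, end, name, state) tuples."""
    fields, modules, state = {}, [], "loaded"
    for line in text.splitlines():
        line = line.strip()
        if line.lower().startswith("unloaded modules"):
            state = "unloaded"  # every range after this header is an unloaded driver
            continue
        m = FIELD.match(line)
        if m:
            fields[m.group(1)] = int(m.group(2), 16)
            continue
        m = RANGE.match(line)
        if m:
            modules.append((int(m.group(1), 16), int(m.group(2), 16), m.group(3), state))
    return fields, modules

def triage_d1(text):
    """Decode a 0xD1 bug check and attribute the referencing address if possible."""
    f, modules = parse_dumpchk(text)
    # The dump records 0x100000d1; the low bits are the 0xD1 stop code.
    code = f["BugCheckCode"] & 0x0FFFFFFF
    if code != 0xD1:
        raise ValueError("not DRIVER_IRQL_NOT_LESS_OR_EQUAL: %#x" % code)
    addr = f["BugCheckParameter4"]  # address of the code that made the reference
    owner = [(name, st) for lo, hi, name, st in modules if lo <= addr < hi]
    return {"memory_referenced": f["BugCheckParameter1"],
            "irql": f["BugCheckParameter2"],
            "access": ACCESS.get(f["BugCheckParameter3"], "other"),
            "referencing_address": addr,
            "owner": owner[0] if owner else None}
```

On the posted output the owner comes back as `None`: the header reports DriverCount 00000095, but the text lists only nt and the unloaded modules, so the address f6775328 cannot be attributed to a driver from this output alone.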
 
Wesley Vogel

http://support.microsoft.com/search...query=DRIVER_IRQL_NOT_LESS_OR_EQUAL&x=13&y=13

Look in the Event Viewer.

Event ID & the Event Source are very important.

To open the Event Viewer...
Start | Run | Type: eventvwr | Click OK

For any Events that seem related to the problem...

Double click the event in Event Viewer | Click: the button below the second
arrow (looks like two pages) [[Copies the details of the event to the
Clipboard.]] | Paste into Notepad | Click:
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

Read all info | Copy and paste to Notepad | Click the [+] Related Knowledge
Base articles | Follow any links that might be useful

HOW TO: View and Manage Event Logs in Event Viewer in Windows XP
http://support.microsoft.com/default.aspx?scid=kb;en-us;308427

Event Viewer overview
http://www.microsoft.com/resources/.../xp/all/proddocs/en-us/event_overview_01.mspx

This can also be very useful.
You need to have the Event ID & the Event Source.

To view Windows XP Events and Errors, type the Source (for example, Print)
and/or the Event code (for example, 20) into the ID field, then click the Go
button. Source and Event codes may be found in the Event Viewer logs.

Windows XP Home/Professional Events and Errors
http://www.microsoft.com/technet/su...ows Operating System&MajorMinor=5.1&LCID=1033

--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User

 
Guest

The event is shown below but it's not helpful :

Event Type: Information
Event Source: Save Dump
Event Category: None
Event ID: 1001
Date: 7/27/2005
Time: 12:14:56 PM
User: N/A
Computer: COMPAQ-VDHFEUVA
Description:
The computer has rebooted from a bugcheck. The bugcheck was: 0x100000d1
(0xf6775328, 0x00000002, 0x00000000, 0xf6775328). A dump was saved in:
C:\WINDOWS\Minidump\Mini072705-01.dmp.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.



 
Wesley Vogel

Oops. Just found this in my drafts folder. I thought I sent it.

Was there an error in the Event Viewer in Application or System around the
time that you see the Save Dump? I.e. Date: 7/27/2005 Time: 12:14:56 PM

DRIVER_IRQL_NOT_LESS_OR_EQUAL brings up a lot of hits.
http://support.microsoft.com/search...uery=DRIVER_IRQL_NOT_LESS_OR_EQUAL+&x=15&y=11

--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User

 
Guest

As I said in my first post, I knew there were all these articles. But to know
which one to use, I need to identify the driver that caused the exception.
For that, I followed the article 314084 but I don't have the field
ExceptionAddress, as I showed in my second post. Does anyone know how to
debug a memory dump in Windows XP SP2?

 
