How to debug a memory dump?

Guest

I had a blue screen.
On the Microsoft knowledge base, I saw the article 314084
(http://support.microsoft.com/default.aspx?scid=kb;en-us;314084&sd=ee) which
explains how to gather information after a memory dump in Windows XP. It says
that using dumpchk.exe, one can get a value for ExceptionAddress. The
problem is that when I use dumpchk.exe, I don't see any field called
ExceptionAddress.
I would like to identify the driver that caused the exception.
Can you help?
Here is the output of dumpchk:
C:\WINDOWS\Minidump>dumpchk Mini092005-01.dmp
Loading dump file Mini092005-01.dmp
----- 32 bit Kernel Mini Dump Analysis

DUMP_HEADER32:
MajorVersion 0000000f
MinorVersion 00000a28
DirectoryTableBase 00039000
PfnDataBase 81d53000
PsLoadedModuleList 8055a420
PsActiveProcessHead 805604d8
MachineImageType 0000014c
NumberProcessors 00000001
BugCheckCode 100000d1
BugCheckParameter1 f676b328
BugCheckParameter2 00000002
BugCheckParameter3 00000000
BugCheckParameter4 f676b328
PaeEnabled 00000000
KdDebuggerDataBlock 8054c060
MiniDumpFields 00000dff

TRIAGE_DUMP32:
ServicePackBuild 00000200
SizeOfDump 00010000
ValidOffset 0000fffc
ContextOffset 00000320
ExceptionOffset 000007d0
MmOffset 00001068
UnloadedDriversOffset 000010a0
PrcbOffset 00001878
ProcessOffset 000024c8
ThreadOffset 00002728
CallStackOffset 00002980
SizeOfCallStack 000005a0
DriverListOffset 000031b0
DriverCount 0000009c
StringPoolOffset 00006000
StringPoolSize 000015c8
BrokenDriverOffset 00000000
TriageOptions 00000041
TopOfStack 8054fee0
DebuggerDataOffset 00002f20
DebuggerDataSize 00000290
DataBlocksOffset 000075c8
DataBlocksCount 00000003


Windows XP Kernel Version 2600 (Service Pack 2) UP Free x86 compatible
Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055a420
Debug session time: Tue Sep 20 20:46:24 2005
System Uptime: 0 days 12:46:09
start end module name
804d7000 806eb100 nt Checksum: 002198AF Timestamp: Wed Mar 02 01:59:37 2005 (42250FF9)

Unloaded modules:
efac8000 efaf2000 kmixer.sys Timestamp: unavailable (00000000)
efac8000 efaf2000 kmixer.sys Timestamp: unavailable (00000000)
efac8000 efaf2000 kmixer.sys Timestamp: unavailable (00000000)
efac8000 efaf2000 kmixer.sys Timestamp: unavailable (00000000)
efd9a000 efdc4000 kmixer.sys Timestamp: unavailable (00000000)
f7f10000 f7f11000 SiSPort.sys Timestamp: unavailable (00000000)
efd9a000 efdc4000 kmixer.sys Timestamp: unavailable (00000000)
efd9a000 efdc4000 kmixer.sys Timestamp: unavailable (00000000)
efd9a000 efdc4000 kmixer.sys Timestamp: unavailable (00000000)
efd9a000 efdc4000 kmixer.sys Timestamp: unavailable (00000000)
efd9a000 efdc4000 kmixer.sys Timestamp: unavailable (00000000)
efd9a000 efdc4000 kmixer.sys Timestamp: unavailable (00000000)
efd9a000 efdc4000 kmixer.sys Timestamp: unavailable (00000000)
f02c4000 f02ee000 kmixer.sys Timestamp: unavailable (00000000)
f7f32000 f7f33000 SiSPort.sys Timestamp: unavailable (00000000)
f02c4000 f02ee000 kmixer.sys Timestamp: unavailable (00000000)
f038e000 f03b8000 kmixer.sys Timestamp: unavailable (00000000)
f0700000 f072a000 kmixer.sys Timestamp: unavailable (00000000)
f7e1d000 f7e1e000 SiSPort.sys Timestamp: unavailable (00000000)
f0a9a000 f0ac4000 kmixer.sys Timestamp: unavailable (00000000)
f0c43000 f0c53000 Serial.SYS Timestamp: unavailable (00000000)
f118b000 f11b5000 kmixer.sys Timestamp: unavailable (00000000)
f7e1c000 f7e1d000 drmkaud.sys Timestamp: unavailable (00000000)
f1603000 f1610000 DMusic.sys Timestamp: unavailable (00000000)
f1613000 f1621000 swmidi.sys Timestamp: unavailable (00000000)
f1255000 f1278000 aec.sys Timestamp: unavailable (00000000)
f7d24000 f7d26000 splitter.sys Timestamp: unavailable (00000000)
f7988000 f7991000 processr.sys Timestamp: unavailable (00000000)
f7ac0000 f7ac5000 Cdaudio.SYS Timestamp: unavailable (00000000)
f7ab8000 f7abd000 Flpydisk.SYS Timestamp: unavailable (00000000)
f7ab0000 f7ab7000 Fdc.SYS Timestamp: unavailable (00000000)

Finished dump check
David Candy

Dumpchk does nothing. You need to read 4 codes from it, but they are in English in the Event Log. Yours are
BugCheckCode 100000d1
BugCheckParameter1 f676b328
BugCheckParameter2 00000002
BugCheckParameter3 00000000
BugCheckParameter4 f676b328

1nnnnnnn numbers have the same meaning as 0nnnnnnn numbers. So you need to research 100000d1 and 000000d1 errors.

If you want to solve a blue screen do this

Type verifier in Start Run, follow the wizard but choose All Drivers. This will slow down your computer and cause more blue screen crashes but will pinpoint what is causing the crash (if the original error message didn't). Once you fix it you rerun verifier and turn it off.

If you can't start after enabling verifier, choose Last Known Good Configuration at the Failed Boot menu (which will start without verifier).


You will be creating a crash dump file in c:\windows\minidump every blue screen. Make sure you are set to record minidumps (Small Memory Dumps) - type it in Help to see how.

Then

If you have the XP SP2 Security Update CD (else see
http://www.microsoft.com/whdc/devtools/debugging/symbolpkg.mspx)


Install symbols from <CD Drive Letter>:\SUPPORT\SYMBOLS

Download
http://www.microsoft.com/whdc/devtools/debugging/installx86.mspx

Load the crash dump file into WinDbg and read what it says. You may need to tell it where the symbols are. Read it.
Type
!Analyze -v
into WinDbg's command line.
(This will hopefully tell you the faulty component.)

If the above is too technical then email the crash dump files to davidc @ mvps.org. Don't send me lots of them. Just the one from your last crash after you turn verifier on. And only one per mail.

You can look up specific details here
http://msdn.microsoft.com/library/d..._ea8b9fd0-2d81-4a04-a7ed-c1c6a80bd501.xml.asp

If it indicates faulty memory might be the cause you can get a memory tester
here
http://oca.microsoft.com/en/windiag.asp


If it mentions a core Windows system file, meaning an MS fix is required,
upload a minidump to

http://oca.microsoft.com

Also try typing the main error code in Help while online (i.e., Stop 0x50, and also try the 8 digit form stop 0x00000050), and if there are too many hits use a filename if available. Generally memory addresses are different for each computer (as each computer has a different mix of drivers) so parameters that are memory addresses aren't that useful for searching, but NTStatus codes are (plus you can look them up here http://cvs.sourceforge.net/viewcvs.py/mingw/w32api/include/ddk/ntstatus.h?rev=1.2).
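As an added example (not code from this thread or from dumpchk), the following Python reads the same DUMP_HEADER32 fields that dumpchk printed above straight from the first 0x3C bytes of a kernel dump, applies the 1nnnnnnn/0nnnnnnn rule from the reply above, decodes the documented Stop 0xD1 parameter meanings, and checks whether the faulting address falls in a loaded or unloaded module range. The header bytes and module ranges are constructed from the listing in the first post; the stop-code name table is an assumption limited to the two codes this thread mentions.

```python
import struct

# Standard 32-bit kernel dump header (DUMP_HEADER32): "PAGE" "DUMP", then nine
# 32-bit little-endian fields in the order dumpchk prints them, then the four
# BugCheckParameters. Only these first 0x3C bytes are parsed here.
_HDR = struct.Struct("<4s4s9I4I")
_FIELDS = ("MajorVersion", "MinorVersion", "DirectoryTableBase", "PfnDataBase",
           "PsLoadedModuleList", "PsActiveProcessHead", "MachineImageType",
           "NumberProcessors", "BugCheckCode")
# Assumed name table: only the two stop codes discussed in this thread.
STOP_NAMES = {0xD1: "DRIVER_IRQL_NOT_LESS_OR_EQUAL",
              0x50: "PAGE_FAULT_IN_NONPAGED_AREA"}

def parse_header(blob):
    """Return the dumpchk-style header fields; reject anything without the PAGEDUMP signature."""
    sig, valid, *rest = _HDR.unpack_from(blob, 0)
    if sig != b"PAGE" or valid != b"DUMP":
        raise ValueError("not a 32-bit kernel dump header")
    hdr = dict(zip(_FIELDS, rest[:9]))
    hdr["BugCheckParameters"] = tuple(rest[9:])
    return hdr

def stop_code(bugcheck):
    """Event Log codes of the form 1nnnnnnn mean the same as 0nnnnnnn: mask the top nibble."""
    base = bugcheck & 0x0FFFFFFF
    return base, STOP_NAMES.get(base, "UNKNOWN")

def describe_d1(params):
    """Stop 0xD1 parameters: memory referenced, IRQL, 0=read/1=write, faulting instruction."""
    ref, irql, op, pc = params
    return {"referenced": ref, "irql": irql,
            "operation": {0: "read", 1: "write"}.get(op, "other"),
            "instruction": pc,
            # referenced == instruction on a read means the CPU faulted fetching code itself
            "fault_in_code_fetch": ref == pc and op == 0}

def locate(addr, modules):
    """Return (name, state) of the module range containing addr, or None if no listed range does."""
    for start, end, name, state in modules:
        if start <= addr < end:
            return name, state
    return None

# Constructed from the values in the dumpchk listing above (not a real file).
SAMPLE = _HDR.pack(b"PAGE", b"DUMP", 0xF, 0xA28, 0x39000, 0x81D53000, 0x8055A420,
                   0x805604D8, 0x14C, 1, 0x100000D1, 0xF676B328, 2, 0, 0xF676B328)
# Ranges from the listing: nt is loaded, the others appear under "Unloaded modules".
MODULES = [(0x804D7000, 0x806EB100, "nt", "loaded"),
           (0xEFAC8000, 0xEFAF2000, "kmixer.sys", "unloaded"),
           (0xF7F10000, 0xF7F11000, "SiSPort.sys", "unloaded"),
           (0xF0C43000, 0xF0C53000, "Serial.SYS", "unloaded")]

if __name__ == "__main__":
    h = parse_header(SAMPLE)
    code, name = stop_code(h["BugCheckCode"])
    d = describe_d1(h["BugCheckParameters"]) if code == 0xD1 else None
    print(f"Stop 0x{code:08X} {name}", d, locate(d["instruction"], MODULES))
```

For the header above the faulting instruction address is not inside nt or any listed unloaded range, which is why the module name must come from WinDbg's `!analyze -v` with symbols rather than from dumpchk alone.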
Guest

Need help...
Under Event Viewer, picking up a system error causing my XP Pro to reboot and hang at times. Need HELP understanding what the error code means.
Error Code 100000d1, parameter1 00000010, parameter2 00000002, parameter3 000000000, parameter4 f25facfe.

What does this all mean and how can it help?
Rick "Nutcase" Rogers

Hi,

Did you read the steps posted by David in the post you tagged on to? That's where you need to start in order to figure out what's causing the trouble. Like David, I would be willing to look at the dump file if you want to forward it. Send it to the address used here, and use the subject line "per req".

--
Best of Luck,

Rick Rogers, aka "Nutcase" - Microsoft MVP

Associate Expert - WindowsXP Expert Zone

Windows help - www.rickrogers.org