Monday, September 14, 2009

Using Debugging Tools for Windows to study memory dump files


Download and install Debugging Tools for Windows, then run it from Start >> All Programs >> Debugging Tools for Windows >> WinDbg.

A WinDbg window will open. Now use the following procedure:

1. Click on File menu >> Symbol File Path. The Symbol Search Path window will open. Copy and paste the following line into that window:

SRV*c:\symbols*http://msdl.microsoft.com/download/symbols



Click OK.


2. Connect to the Internet (go online) and again click on File menu >> Save Workspace. This will save the symbol path for future use.


3. Click on the File menu, select Open Crash Dump, browse to the memory dump file and open it. If it asks to save, choose NO. Dump files are located here:

a. A complete memory dump or a kernel memory dump is usually saved in the C:\Windows directory and named MEMORY.DMP.

b. A small memory dump, aka a minidump, is usually saved in the C:\Windows\Minidump directory.

Sometimes these are hidden by Windows. To show/unhide these hidden files click here.


4. A debugging window will start. Wait and watch. You will get an error like this:

Microsoft ® Windows Debugger Version 6.11.0001.404 X86
Copyright © Microsoft Corporation. All rights reserved.


Loading Dump File [C:\WINDOWS\Minidump\Mini083009-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: SRV*c:\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows XP Kernel Version 2600 (Service Pack 3) MP (2 procs) Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 2600.xpsp_sp3_gdr.090206-1234
Machine Name:
Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055d720
Debug session time: Sun Aug 30 11:55:10.140 2009 (GMT-7)
System Uptime: 0 days 0:28:20.880
Loading Kernel Symbols
...............................................................
.........................................................
Loading User Symbols
Loading unloaded module list
...........
Unable to load image bdfndisf.sys, Win32 error 0n2
*** WARNING: Unable to verify timestamp for bdfndisf.sys
*** ERROR: Module load completed but symbols could not be loaded for bdfndisf.sys
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

Use !analyze -v to get detailed debugging information.


Click on !analyze -v to get more information about the error.

Submit this error here using Comments so that we can study it and find a solution.
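
An added example (not part of the original post): a small Python parser for the text that !analyze -v prints, which pulls out the fields worth reading first and separates the stack frames the debugger itself warns about from the ones it could unwind reliably. The sample report is constructed in the layout shown on this page; the function name triage and the result keys are this example's own.

```python
import re

# Constructed sample: a shortened report in the "!analyze -v" layout shown on this page.
SAMPLE = """\
*** WARNING: Unable to verify timestamp for nv4_disp.dll
*** ERROR: Module load completed but symbols could not be loaded for nv4_disp.dll
BUGCHECK_STR: 0x7f_0
PROCESS_NAME: Overlord.exe
STACK_TEXT:
b1eb0b10 805a26c3 0000007f bd0ca609 00000000 nt!KeBugCheck+0x14
b1eb0b68 80542254 b1eb0b74 00000000 bd0ca609 nt!Ki386CheckDivideByZeroTrap+0x41
b1eb0b68 bd0ca609 b1eb0b74 00000000 bd0ca609 nt!KiTrap00+0x84
WARNING: Stack unwind information not available. Following frames may be wrong.
00000000 00000000 00000000 00000000 00000000 nv4_disp+0xb8609
MODULE_NAME: nv4_disp
IMAGE_NAME: nv4_disp.dll
FAILURE_BUCKET_ID: 0x7f_0_nv4_disp+b8609
"""

FIELD = re.compile(r"^([A-Z][A-Z0-9_]+):\s*(.*)$")
NO_SYMBOLS = re.compile(r"symbols could not be loaded for (\S+)")
FRAME = re.compile(r"^(?:[0-9a-f]{8}\s+){5}(\S+)$")  # x86 kb row: 5 hex columns, then symbol


def triage(text):
    """Summarise one !analyze -v report for a first look at a crash."""
    fields, no_symbols, trusted, untrusted = {}, set(), [], []
    unwind_ok = True
    for raw in text.splitlines():
        line = raw.strip()
        if m := NO_SYMBOLS.search(line):
            no_symbols.add(m.group(1).lower())
        elif "Following frames may be wrong" in line:
            unwind_ok = False  # the debugger's own warning: later frames are guesses
        elif m := FRAME.match(line):
            (trusted if unwind_ok else untrusted).append(m.group(1))
        elif m := FIELD.match(line):
            fields.setdefault(m.group(1), m.group(2))
    image = fields.get("IMAGE_NAME")
    return {
        "bugcheck": fields.get("BUGCHECK_STR"),
        "process": fields.get("PROCESS_NAME"),
        "image": image,
        "bucket": fields.get("FAILURE_BUCKET_ID"),
        # None when the report names no image; False when its symbols failed to load
        "image_has_symbols": None if not image else image.lower() not in no_symbols,
        "trusted_frames": trusted,
        "untrusted_frames": untrusted,
    }
```

Calling triage(SAMPLE) shows that the named image had no symbols loaded and that its only frame sits below the unwind warning, which is worth knowing before treating the reported module as the confirmed cause.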

11 comments:

Anonymous said...

Here is my error

BUGCHECK_STR: 0x7f_0

TRAP_FRAME: b1eb0b74 -- (.trap 0xffffffffb1eb0b74)
ErrCode = 00000000
eax=00000000 ebx=e5d44300 ecx=e5d411c0 edx=00000000 esi=00000000 edi=e5b8ada8
eip=bd0ca609 esp=b1eb0be8 ebp=00000000 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010246
nv4_disp+0xb8609:
bd0ca609 f7f5 div eax,ebp
Resetting default scope

CUSTOMER_CRASH_COUNT: 1

DEFAULT_BUCKET_ID: DRIVER_FAULT

PROCESS_NAME: Overlord.exe

LAST_CONTROL_TRANSFER: from 805a26c3 to 804f9f1e

STACK_TEXT:
b1eb0b10 805a26c3 0000007f bd0ca609 00000000 nt!KeBugCheck+0x14
b1eb0b68 80542254 b1eb0b74 00000000 bd0ca609 nt!Ki386CheckDivideByZeroTrap+0x41
b1eb0b68 bd0ca609 b1eb0b74 00000000 bd0ca609 nt!KiTrap00+0x84
WARNING: Stack unwind information not available. Following frames may be wrong.
00000000 00000000 00000000 00000000 00000000 nv4_disp+0xb8609


STACK_COMMAND: kb

FOLLOWUP_IP:
nv4_disp+b8609
bd0ca609 f7f5 div eax,ebp

SYMBOL_STACK_INDEX: 3

SYMBOL_NAME: nv4_disp+b8609

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: nv4_disp

IMAGE_NAME: nv4_disp.dll

DEBUG_FLR_IMAGE_TIMESTAMP: 4c379230

FAILURE_BUCKET_ID: 0x7f_0_nv4_disp+b8609

BUCKET_ID: 0x7f_0_nv4_disp+b8609

Followup: MachineOwner
---------

iBlogger said...

In your case the problem is with Overlord.exe

It is a game and had a problem with your graphics card.

Luka said...

Use !analyze -v to get detailed debugging information.

BugCheck 1000000A, {0, 2, 1, 805226e8}

Unable to load image nv4_disp.dll, Win32 error 0n2
*** WARNING: Unable to verify timestamp for nv4_disp.dll
*** ERROR: Module load completed but symbols could not be loaded for nv4_disp.dll
Probably caused by : nv4_disp.dll ( nv4_disp+264a6 )

Followup: MachineOwner
---------

Please help

Raman said...

It is due to the nVidia graphics card drivers

To fix it update the graphics card drivers.

Anonymous said...

Hi guys, here's my report, any help would be greatly appreciated. Thanks!

BugCheck 1000008E, {e0000001, b8390925, b12fdea8, 0}

*** WARNING: Unable to verify timestamp for nv4_disp.dll
*** ERROR: Module load completed but symbols could not be loaded for nv4_disp.dll
Probably caused by : nv4_disp.dll ( nv4_disp+1db0ec )

Followup: MachineOwner
---------

0: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

KERNEL_MODE_EXCEPTION_NOT_HANDLED_M (1000008e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Some common problems are exception code 0x80000003. This means a hard
coded breakpoint or assertion was hit, but this system was booted
/NODEBUG. This is not supposed to happen as developers should never have
hardcoded breakpoints in retail code, but ...
If this happens, make sure a debugger gets connected, and the
system is booted /DEBUG. This will let us see why this breakpoint is
happening.
Arguments:
Arg1: e0000001, The exception code that was not handled
Arg2: b8390925, The address that the exception occurred at
Arg3: b12fdea8, Trap Frame
Arg4: 00000000

Debugging Details:
------------------


EXCEPTION_CODE: (NTSTATUS) 0xe0000001 -

FAULTING_IP:
watchdog!RaiseExceptionInThread+b
b8390925 c3 ret

TRAP_FRAME: b12fdea8 -- (.trap 0xffffffffb12fdea8)
ESP EDITED! New esp=b12fe258
ErrCode = 00000000
eax=e16f5800 ebx=00000001 ecx=00000828 edx=00000001 esi=e2d7ae50 edi=0000ffff
eip=b8390925 esp=b12fdf1c ebp=b12fe270 iopl=0 nv up ei pl nz na pe nc
cs=0000 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000206
watchdog!RaiseExceptionInThread+0xb:
b8390925 c3 ret
Resetting default scope

CUSTOMER_CRASH_COUNT: 1

DEFAULT_BUCKET_ID: DRIVER_FAULT

BUGCHECK_STR: 0x8E

PROCESS_NAME: plugin-containe

LAST_CONTROL_TRANSFER: from b8390622 to b8390925

STACK_TEXT:
b12fdf18 80547156 b12fdf2c b12fdf7c 00000001 watchdog!RaiseExceptionInThread+0xb
b12fe270 bd1ed0ec e2d78c00 e2d79f40 bd1926d0 nt!ExRaiseStatus+0xca
WARNING: Stack unwind information not available. Following frames may be wrong.
00000000 00000000 00000000 00000000 00000000 nv4_disp+0x1db0ec


STACK_COMMAND: .trap 0xffffffffb12fdea8 ; kb

FOLLOWUP_IP:
nv4_disp+1db0ec
bd1ed0ec ?? ???

SYMBOL_STACK_INDEX: 2

SYMBOL_NAME: nv4_disp+1db0ec

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: nv4_disp

IMAGE_NAME: nv4_disp.dll

DEBUG_FLR_IMAGE_TIMESTAMP: 4e390d56

FAILURE_BUCKET_ID: 0x8E_nv4_disp+1db0ec

BUCKET_ID: 0x8E_nv4_disp+1db0ec

Followup: MachineOwner
---------

Raman said...

The problem is due to your graphics card. Post your system specs and the games you are playing.

Anonymous said...

Hi Raman, thank you for the reply.
I'm running a Quad Q6600 at 2.4GHz, 3.5GB RAM, NVIDIA GeForce 8500 GT video card, XP Home Edition. I don't really play games at all, but I get a blue screen every now and then.

iBlogger said...

This is due to NVIDIA GeForce 8500 GT drivers.

Just update your drivers using the following link:
http://www.wegamers.com/2011/06/how-to-check-which-graphics-card-you_28.html

Anonymous said...

Thank you!

Anonymous said...

Hi, my problem...

*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

MEMORY_MANAGEMENT (1a)
# Any other values for parameter 1 must be individually examined.
Arguments:
Arg1: 00041284, A PTE or the working set list is corrupt.
Arg2: 0ce20001
Arg3: 840c3b10
Arg4: c0802000

Debugging Details:
------------------


BUGCHECK_STR: 0x1a_41284

DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT

PROCESS_NAME: ehshell.exe

CURRENT_IRQL: 0

LAST_CONTROL_TRANSFER: from 82a874b8 to 82ae41cb

STACK_TEXT:
a2f94b44 82a874b8 0000001a 00041284 0ce20001 nt!KeBugCheckEx+0x1e
a2f94b6c 82a87706 c0c34880 c0067100 842bbb2c nt!MiLocateWsle+0xc6
a2f94b84 82a54f2d 0ce20000 84c17d88 840c3b10 nt!MiTerminateWsle+0x1b
a2f94cb4 82aa933e 0ce20000 0ce2ffff b1e22771 nt!MiDeleteVirtualAddresses+0x24e
a2f94d4c 82a6ea2a ffffffff 0518e85c 0518e868 nt!NtFreeVirtualMemory+0x652
a2f94d4c 771896f4 ffffffff 0518e85c 0518e868 nt!KiFastCallEntry+0x12a
WARNING: Frame IP not in any known module. Following frames may be wrong.
0518e7b8 00000000 00000000 00000000 00000000 0x771896f4


STACK_COMMAND: kb

FOLLOWUP_IP:
nt!MiLocateWsle+c6
82a874b8 cc int 3

SYMBOL_STACK_INDEX: 1

SYMBOL_NAME: nt!MiLocateWsle+c6

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: nt

DEBUG_FLR_IMAGE_TIMESTAMP: 4cb715e0

IMAGE_NAME: memory_corruption

FAILURE_BUCKET_ID: 0x1a_41284_nt!MiLocateWsle+c6

BUCKET_ID: 0x1a_41284_nt!MiLocateWsle+c6

Followup: MachineOwner
---------

Raman said...

Is this a new PC, or have you recently added some sort of hardware... or software? When did the BSODs start? Maybe your RAM is not working properly.
