29 October, 2010

Debug Memory Dumps

Sometimes your computer may get stop error with Blue screen of death then system creates a file which is called minidump. Now I am going to tell you how to debug memory dumps. This will help you to find out the actual cause of error of your pc when no error cause is given by pc and no filename is mentioned and undocumented. You can contact with Microsoft for this serious error but they may not response you for the error or they may take longer time.

At first your have to be certain that your computer is recording memory dumps files. Those tiny dumps are needed to stop the error of blue screen and it takes very small of your hard disk. In doing so right click My Computer, click properties. Now click on the advance tab and select startup and recovery settings. You will see the default setting there. But I have unchecked only automatically restart for XP. For Vista, there is an extra step involved, you must click start, right click computer. Then from the next screen, click Advanced system settings. Then, its in the same location as XP. Mention should be made here that make sure that your computer pagefile still resides on the system partition, otherwise windows will fail to save debig files.

Second step is go to the address below and download and install the Microsoft Debugging Tools


After you have downloaded and installed these tools then go to start>programs and open Debugging Tools for Windows. Once the Windbg will open, it will show you a blank screen. Now click to File>Symbol File Path. Here enter the sysbols path. Symbols are mostly needed to debug. The path will be:


Now click OK.
(I suggest you to download the symbols from http://msdl.microsoft.com/download/symbols and show the path your saved symbols file in your pc.)

Now go to File and save Workspace so that symbols path is saved for future use. Now you have to locate your memory dump file. The memory dump file is usally located in %systemroot%/minidump. Just write %systemroot%/minidump is Start>Run nad you can find dump file. For example dump files are named as Mini061904-01.dmp

Now open the Windg and go toFile, open Crash Dump and load the dump file. It will show you a message to save base workspace information. Choose No. you will get a debugging screen. It take a little bit time to run as the symbols have to be downloaded. It better to download the symbol file first to do fast work. You can find the following information when the process will go on:

Symbol search path is: SRV*c:\symbols*http://msdl.microsoft.com/download/symbols

Microsoft (R) Windows Debugger Version 6.3.0017.0
Copyright (c) Microsoft Corporation. All rights reserved.

Loading Dump File [C:\WINDOWS\Minidump\Mini061904-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: SRV*c:\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows XP Kernel Version 2600 (Service Pack 1) UP Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 2600.xpsp2.030422-1633
Kernel base = 0x804d4000 PsLoadedModuleList = 0x80543530
Debug session time: Sat Jun 19 19:06:57 2004
System Uptime: 0 days 1:03:36.951
Loading Kernel Symbols
Loading unloaded module list
Loading User Symbols
* *
* Bugcheck Analysis *
* *

Use !analyze -v to get detailed debugging information.

BugCheck 86427532, {1db, 2, 3, b} <--this data-blogger-escaped----------="" data-blogger-escaped--v="" data-blogger-escaped-2="" data-blogger-escaped-:="" data-blogger-escaped-a="" data-blogger-escaped-already="" data-blogger-escaped-analyze="" data-blogger-escaped-at="" data-blogger-escaped-av="" data-blogger-escaped-be="" data-blogger-escaped-but="" data-blogger-escaped-by="" data-blogger-escaped-can="" data-blogger-escaped-case="" data-blogger-escaped-caused="" data-blogger-escaped-code="" data-blogger-escaped-command="" data-blogger-escaped-completed="" data-blogger-escaped-could="" data-blogger-escaped-depth="" data-blogger-escaped-error:="" data-blogger-escaped-error="" data-blogger-escaped-fc0="" data-blogger-escaped-file.="" data-blogger-escaped-followup:="" data-blogger-escaped-for="" data-blogger-escaped-further="" data-blogger-escaped-get="" data-blogger-escaped-if="" data-blogger-escaped-image="" data-blogger-escaped-in="" data-blogger-escaped-is="" data-blogger-escaped-it="" data-blogger-escaped-kd="" data-blogger-escaped-likely="" data-blogger-escaped-load="" data-blogger-escaped-loaded="" data-blogger-escaped-machineowner="" data-blogger-escaped-module="" data-blogger-escaped-most="" data-blogger-escaped-my="" data-blogger-escaped-not="" data-blogger-escaped-now="" data-blogger-escaped-panda="" data-blogger-escaped-pavdrv51.sys="" data-blogger-escaped-pavdrv51="" data-blogger-escaped-probably="" data-blogger-escaped-see="" data-blogger-escaped-stop="" data-blogger-escaped-symbols="" data-blogger-escaped-the="" data-blogger-escaped-timestamp="" data-blogger-escaped-to="" data-blogger-escaped-unable="" data-blogger-escaped-use="" data-blogger-escaped-verify="" data-blogger-escaped-want="" data-blogger-escaped-warning:="" data-blogger-escaped-was="" data-blogger-escaped-we="" data-blogger-escaped-what="" data-blogger-escaped-which="" data-blogger-escaped-win32="" data-blogger-escaped-your=""> prompt to delve more info about the error:

kd> !analyze -v
* *
* Bugcheck Analysis *
* *

Unknown bugcheck code (86427532)
Unknown bugcheck description <--its data-blogger-escaped-all.="" data-blogger-escaped-and="" data-blogger-escaped-at="" data-blogger-escaped-br="" data-blogger-escaped-kb="" data-blogger-escaped-listed="" data-blogger-escaped-ms="" data-blogger-escaped-not="" data-blogger-escaped-on="" data-blogger-escaped-the="" data-blogger-escaped-unknown="">Arguments:
Arg1: 000001db
Arg2: 00000002
Arg3: 00000003
Arg4: 0000000b

Debugging Details:



BUGCHECK_STR: 0x86427532

LAST_CONTROL_TRANSFER: from f4198fc0 to 804f4103

f41f0964 f4198fc0 86427532 000001db 00000002 nt!KeBugCheckEx+0x19
WARNING: Stack unwind information not available. Following frames may be wrong.
f41f0ba0 f419920b 864db520 f419ccf0 00000000 pavdrv51+0x7fc0
f41f0c34 804ea221 865b8910 864a52c0 806ad190 pavdrv51+0x820b
f41f0c44 8055d0fe 864a5330 86305028 864a52c0 nt!IopfCallDriver+0x31
f41f0c58 8055de46 865b8910 864a52c0 86305028 nt!IopSynchronousServiceTail+0x5e
f41f0d00 80556cea 000000a4 00000000 00000000 nt!IopXxxControlFile+0x5c2
f41f0d34 8052d571 000000a4 00000000 00000000 nt!NtDeviceIoControlFile+0x28
f41f0d34 7ffe0304 000000a4 00000000 00000000 nt!KiSystemService+0xc4
00cdff70 00000000 00000000 00000000 00000000 SharedUserData!SystemCallStub+0x4

f4198fc0 ?? ???



SYMBOL_NAME: pavdrv51+7fc0

MODULE_NAME: pavdrv51

IMAGE_NAME: pavdrv51.sys



BUCKET_ID: 0x86427532_pavdrv51+7fc0

Followup: MachineOwner

The information may be more than you need. If you fail to do the whole process then you should better to call an expert. But make sure to show the exact symbol path. If the symbol path is wrong then it will show error massage.

No comments:

Post a Comment