How to Read Memory Dump Files in Windows 10
Wednesday, February 26, 2020
9:22 AM
Method 2: Analyze Memory Dump Files Using Windows Debugger
1. Download the Windows 10 SDK from here.
Note: This package contains the WinDBG program that we will use to analyze the .dmp files.
2. Run the sdksetup.exe file and specify the installation location, or keep the default.
3. Accept the license agreement, then at the “Select the features you want to install” screen select only the Debugging Tools for Windows option and click Install.
4. The installer will begin downloading the WinDBG program; wait for it to finish installing on your system.
5. Press Windows Key + X, then select Command Prompt (Admin).
6. Type the following command into cmd and hit Enter:
cd \Program Files (x86)\Windows Kits\10\Debuggers\x64\
Note: Adjust this path if WinDBG was installed somewhere else.
7. Once you are inside the correct directory, type the following command to associate WinDBG with .dmp files:
windbg.exe -IA
8. As soon as you enter the command, a new blank instance of WinDBG opens with a confirmation notice, which you can close.
9. Type windbg in Windows Search, then click WinDbg (X64).
10. In the WinDBG window click File, then select Symbol File Path.
11. Copy and paste the following into the Symbol Search Path box:
SRV*C:\SymCache*http://msdl.microsoft.com/download/symbols
12. Click OK, then save the symbol path by clicking File > Save Workspace.
13. Now find the dump file you want to analyze: either a minidump from C:\Windows\Minidump or the full memory dump at C:\Windows\MEMORY.DMP.
14. Double-click the .dmp file; WinDBG should launch and begin processing it.
Note: Since this is the first .dmp file read on your system, WinDBG will appear slow, but do not interrupt it; the following is happening in the background:
A folder called Symcache is being created in C:\
Symbols are being downloaded and saved to C:\Symcache
Once the symbols have been downloaded and the dump is ready to analyze, you will see the message Followup: MachineOwner at the bottom of the dump text.
15. When the next .dmp file is processed it will be quicker, since the required symbols have already been downloaded. Over time the C:\Symcache folder will grow as more symbols are added.
16. Press Ctrl + F to open Find, type “Probably caused by” (without quotes) and hit Enter. This is the quickest way to find what caused the crash.
17. Above the Probably caused by line you will see a BugCheck code, e.g. 0x9F. Look this code up in the Microsoft Bug Check Code Reference to verify what the bug check means.
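Steps 13 to 17 can be scripted when a machine has collected several minidumps. The PowerShell script below is an added example, not part of the original post: it drives kd.exe (the command-line kernel debugger installed alongside WinDBG in the same Debuggers folder) over every file in C:\Windows\Minidump, runs !analyze -v, and pulls the BUGCHECK_CODE and Probably caused by lines out of each log so the dumps can be triaged in one table. It assumes the install path from step 6, the symbol path from step 11, an elevated PowerShell session, and the current !analyze -v output format (a BUGCHECK_CODE: line and a Probably caused by : line); the log directory under $env:TEMP is my choice.

```powershell
# Added example (not from the original post): batch !analyze -v over all minidumps.
# Assumptions: Debugging Tools installed at the step 6 path, symbol path from step 11,
# elevated PowerShell, kd.exe output in the current !analyze -v format.

$Debuggers  = 'C:\Program Files (x86)\Windows Kits\10\Debuggers\x64'
$SymbolPath = 'SRV*C:\SymCache*http://msdl.microsoft.com/download/symbols'
$DumpDir    = 'C:\Windows\Minidump'
$LogDir     = Join-Path $env:TEMP 'dump-triage'   # chosen for this example

New-Item -ItemType Directory -Path $LogDir -Force | Out-Null

$results = foreach ($dump in Get-ChildItem -Path $DumpDir -Filter '*.dmp' -ErrorAction Stop) {
    $log = Join-Path $LogDir ($dump.BaseName + '.log')

    # kd.exe flags: -z <dump file>, -y <symbol path>, -logo <log file>, -c <initial command>.
    # "!analyze -v; q" runs the automatic crash analysis and then quits the debugger.
    & (Join-Path $Debuggers 'kd.exe') -z $dump.FullName -y $SymbolPath -logo $log -c '!analyze -v; q' | Out-Null

    $text = Get-Content -Path $log -Raw

    # Same two lines a person would search for by hand in step 16 and step 17.
    $code  = [regex]::Match($text, 'BUGCHECK_CODE:\s+(\w+)')
    $cause = [regex]::Match($text, 'Probably caused by\s*:\s*(.+)')

    [pscustomobject]@{
        Dump             = $dump.Name
        Created          = $dump.LastWriteTime
        BugCheckCode     = if ($code.Success)  { '0x' + $code.Groups[1].Value.ToUpper() } else { '?' }
        ProbablyCausedBy = if ($cause.Success) { $cause.Groups[1].Value.Trim() } else { '?' }
        Log              = $log
    }
}

# Newest crash first; the per-dump log keeps the full !analyze -v text for deeper work.
$results | Sort-Object Created -Descending | Format-Table -AutoSize
```

The first run is slow for the same reason step 14 notes: symbols are fetched into C:\SymCache on demand, and later runs reuse them. A “?” in either column means the dump could not be analyzed with the symbols available, so open that log (or the dump itself in WinDBG) rather than trusting the table.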
Commands:
!analyze -v = Automatic crash analysis, works on kernel or user dumps
!analyze -hang = Automatic hang analysis, works on kernel or user dumps
!process 0 0 = List all processes in a kernel dump
!process <address> 17 = List all the threads in one process from the list produced by the above command
.process <address> = Switch to a particular process context
.reload /user = Loads user-mode symbols after switching to a process
lmu = Lists the DLLs for a process once you've switched to it (needs a full dump)
lm = List all the kernel modules in a kernel dump or DLLs in a user dump
!uniqstack = List all unique-looking threads in a user-mode dump
!runaway 7 = Shows the CPU usage for different threads in a user dump
!locks = Shows if a deadlock is detected in either a kernel or user dump
!handle 0 7 839afbf8 = Lists every handle (0 = all handles, 7 = full details) in the process whose address is 839afbf8 (the address comes from the author's own session; use the one shown by !process 0 0)
!process 0 0 pgdriver = Lists only the process whose image name matches pgdriver
Symbol paths:
SRV*C:\symcache*http://msdl.microsoft.com/download/symbols;C:\symbols