However, there are several alternative behaviors that can be selected:<\/p>\n
- \n
- A kernel debugger (such as WinDbg or KD) can be contacted.<\/li>\n
- A memory dump file can be written.<\/li>\n
- The system can automatically reboot.<\/li>\n
- A memory dump file can be written, and the system can automatically reboot afterwards.<\/li>\n<\/ul>\n
This section covers how to create and analyze a kernel-mode memory dump file. There are three different varieties of crash dump files. However, it should be remembered that no dump file can ever be as useful and versatile as a live kernel debugger attached to the system that has failed.<\/p>\n
User-Mode Dump Files<\/h4>\n
![\"Analyze](\"https:\/\/efmsoft.com\/wp-content\/uploads\/2022\/02\/maxresdefault-1-300x169.jpg\")
User-mode memory dump files can be analyzed by WinDbg. The processor or Windows version that the dump file was created on does not need to match the platform on which WinDbg is being run.<\/p>\nBefore analyzing the memory dump file, you will need to access the symbol files for the version of Windows that generated the dump file. These files will be used by the debugger you choose to use to analyze crash the dump file. For information about working with the symbol server, see see Microsoft Public Symbols<\/a>..<\/p>\n
You will also need to install all the symbol files for the user-mode process, either an application or system service, that caused the system to generate the dump file. If this code was written by you, the symbol files should have been generated when the code was compiled and linked. If this is commercial code, check on the product CD-ROM or contact the software manufacturer for these particular symbol files.<\/p>\n
Starting WinDbg<\/h4>\n
To analyze a crash dump file, start WinDbg with the -z<\/strong>\u00a0command-line option:<\/p>\n
windbg -y<\/strong>\u00a0SymbolPath<\/em>\u00a0-i<\/strong>\u00a0ImagePath<\/em>\u00a0-z<\/strong>\u00a0DumpFileName<\/em><\/p>\n
The\u00a0-v<\/strong>\u00a0option (verbose mode) is also useful. For a full list of options, see\u00a0WinDbg Command-Line Options<\/strong>.<\/p>\n
If WinDbg is already running and is in dormant mode, you can open a crash dump by selecting the\u00a0File | Open Crash Dump<\/strong>\u00a0menu command or pressing the CTRL+D shortcut key. When the\u00a0Open Crash Dump<\/strong>\u00a0dialog box appears, enter the full path and name of the crash dump file in the\u00a0File name<\/strong>\u00a0text box, or use the dialog box to select the proper path and file name. When the proper file has been chosen, select\u00a0Open<\/strong>.<\/p>\n
You can also open a dump file after the debugger is running by using the\u00a0.opendump (Open Dump File)<\/strong>\u00a0command, followed with\u00a0g (Go)<\/strong>.<\/p>\n
It is possible to debug multiple dump files at the same time. This can be done by including multiple\u00a0-z<\/strong>\u00a0switches on the command line (each followed by a different file name), or by using\u00a0.opendump<\/strong>\u00a0to add additional dump files as debugger targets. For information about how to control a multiple-target session, see\u00a0Debugging Multiple Targets.<\/p>\n
Dump files generally end with the extension .dmp or .mdmp. You can use network shares or Universal Naming Convention (UNC) file names for the memory dump file.<\/p>\n
It is also common for dump files to be packed into a CAB file. If you specify the file name (including the .cab extension) after the\u00a0-z<\/strong>\u00a0option or as the argument to an\u00a0.opendump<\/strong>\u00a0command, the debugger can read the dump files directly out of the CAB. However, if there are multiple dump files stored in a single CAB, the debugger will only be able to read one of them. The debugger will not read any additional files from the CAB, even if they were symbol files or executables associated with the dump file.<\/p>\n","protected":false},"excerpt":{"rendered":"
You can analyze crash dump files by using WinDbg and other Windows debuggers. Kernel-Mode Dump Files When a kernel-mode error occurs, the default behavior of Microsoft Windows is to display the blue screen with bug check data. However, there are… Continue Reading