Windbg Minidump Tutorial – Setting Up & Reading Minidump Files

This is a tutorial on how to set up and read your minidump files when you get a BSOD (blue screen of death), in an attempt to gain further insight into the cause of the problem. First things first: download the latest debugging tools from the Microsoft website.

Then go to Start/Start Search. Type in the command cmd.

Then change directories to:

C:\Program Files\Debugging Tools for Windows (x86)

by using the command:

cd c:\program files\debugging tools for windows (x86)

It's case insensitive when using the cd command.

Then type in:

windbg.exe -z c:\windows\minidump\mini06190901.dmp -c "!analyze -v"

Your minidump file is located at C:\Windows\Minidump\Mini06200901.dmp. It'll be in the form "MiniMMDDYY01.dmp".

KERNEL SYMBOLS ARE WRONG. PLEASE FIX SYMBOLS TO DO ANALYSIS

If somewhere in the output of the Bugcheck Analysis you see an error like:

Kernel symbols are WRONG. Please fix symbols to do analysis.

Then it is likely that you are using old and incompatible symbols or corrupt files, or that you do not have the correct symbols at the specified location when the Windbg program was trying to analyze the minidump file. So what I did was open up the Windbg program located at C:\Program Files\Debugging Tools for Windows (x86) (in Vista, and I believe it is the same location for XP).

SETTING THE SYMBOL FILE PATH VIA WINDBG COMMAND LINE:

This is the most important step, so make sure your symbol file path is set correctly, lest you get the "kernel symbols are WRONG" error or other kinds of errors. Now set the Symbol File Path (File/Symbol File Path) to:

SRV*e:\symbols*[path to microsoft symbols path]

However, for some reason I found that in order to set the Symbol File Path you cannot change it directly in the "File/Symbol File Path" field. What I found is that you need to change it through the Windbg command window by going to:

"View/Command"

At the bottom of the command window, beside the "kd>" prompt, type this in:

.sympath SRV*e:\symbols*[path to microsoft symbols path]

The part between the two asterisks (*) is where the symbols from Microsoft's servers will be downloaded to. It's quite large (roughly 22MB), so make sure you have enough disk space.

SETTING SYMBOL FILE PATH IN THE ENVIRONMENT VARIABLE:

Alternatively, you can set it in your environment variables, either as a system or as a user environment variable. To do that, press WINDOWS KEY+E. The WINDOWS KEY is the key to the right of the LEFT CTRL key on the keyboard. This will open up Windows Explorer.

Then click on "Advanced system settings" at the top left of the window. This step applies to Vista only. For XP users, simply click on the Advanced tab.

Then click on the "Environment Variables" button at the bottom of the window.

Then click on the "New" button under System Variables. Again, you can create it as a user environment variable instead.

In the "Variable Name" field type:

_NT_SYMBOL_PATH

In the "Variable Value" field type:

symsrv*symsrv.dll*e:\symbols*[path to microsoft symbols path]

If you set the symbol file path as a system environment variable, I believe you have to reboot your computer for it to take effect.

OUTPUT OF WINDBG COMMAND

So the following is the output for my crash:

Microsoft (R) Windows Debugger Version 6.11.0001.404 X86

Copyright (c) Microsoft Corporation. All rights reserved.

Loading Dump File [c:\windows\minidump\mini06260901.dmp]

Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: SRV*e:\symbols*[path to microsoft symbols]

Executable search path is:

Windows Server 2008/Windows Vista Kernel Version 6001 (Service Pack 1) MP (2 procs) Free x86 compatible

Product: WinNt, suite: TerminalServer SingleUserTS Personal

Built by: 6001.18226.x86fre.vistasp1_gdr.090302-1506

Machine Name:

Kernel base = 0x8201d000 PsLoadedModuleList = 0x82134c70

Debug session time: Fri Jun 26 16:25:11.288 2009 (GMT-7)

System Uptime: 0 days 21:39:36.148

Loading Kernel Symbols

………………………………………………………

……………………………………………………….

…………………………………………………..

Loading User Symbols

Loading unloaded module list

……………………….

Bugcheck Analysis

Use !analyze -v to get detailed debugging information.

BugCheck A, {8cb5bcc0, 1b, 1, 820d0c1f}

Unable to load image \SystemRoot\system32\DRIVERS\SymIMv.sys, Win32 error 0n2

WARNING: Unable to verify timestamp for SymIMv.sys

ERROR: Module load completed but symbols could not be loaded for SymIMv.sys

Unable to load image \SystemRoot\system32\DRIVERS\NETw3v32.sys, Win32 error 0n2

WARNING: Unable to verify timestamp for NETw3v32.sys

ERROR: Module load completed but symbols could not be loaded for NETw3v32.sys

Processing initial command '!analyze -v'

Probably caused by : tdx.sys ( tdx!TdxMessageTlRequestComplete+94 )

Followup: MachineOwner

0: kd> !analyze -v

Bugcheck Analysis

IRQL_NOT_LESS_OR_EQUAL (a)

An attempt was made to access a pageable (or completely invalid) address at an

interrupt request level (IRQL) that is too high. This is usually

caused by drivers using improper addresses.

If a kernel debugger is available get the stack backtrace.

Arguments:

Arg1: 8cb5bcc0, memory referenced

Arg2: 0000001b, IRQL

Arg3: 00000001, bitfield :

bit 0 : value 0 = read operation, 1 = write operation

bit 3 : value 0 = not an execute operation, 1 = execute operation (only on chips which support this level of status)

Arg4: 820d0c1f, address which referenced memory

Debugging Details:

WRITE_ADDRESS: GetPointerFromAddress: unable to read from 82154868

Unable to read MiSystemVaType memory at 82134420

8cb5bcc0

CURRENT_IRQL: 1b

FAULTING_IP:

nt!KiUnwaitThread+19

820d0c1f 890a mov dword ptr [edx],ecx

CUSTOMER_CRASH_COUNT: 1

DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT

BUGCHECK_STR: 0xA

PROCESS_NAME: System

TRAP_FRAME: 4526c4 (.trap 0xffffffff4526c4)

ErrCode = 00000002

eax=85c5d4d8 ebx=00000000 ecx=8cb5bcc0 edx=8cb5bcc0 esi=85c5d420 edi=ed9c7048

eip=820d0c1f esp=452738 ebp=45274c iopl=0 nv up ei pl nz na pe nc

cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010206

nt!KiUnwaitThread+0x19:

820d0c1f 890a mov dword ptr [edx],ecx ds:0023:8cb5bcc0=????????

Resetting default scope

LAST_CONTROL_TRANSFER: from 820d0c1f to 82077d24

STACK_TEXT:

4526c4 820d0c1f badb0d00 8cb5bcc0 87952ed0 nt!KiTrap0E+0x2ac

45274c 8205f486 00000002 85c5d420 ed9c7048 nt!KiUnwaitThread+0x19

452770 8205f52a ed9c7048 ed9c7008 00000000 nt!KiInsertQueueApc+0x2a0

452790 8205742b ed9c7048 00000000 00000000 nt!KeInsertQueueApc+0x4b

4527c8 8f989cd0 e79e1e88 e79e1f70 00000000 nt!IopfCompleteRequest+0x438

4527e0 8a869ce7 00000007 00000000 00000007 tdx!TdxMessageTlRequestComplete+0x94

452804 8a869d33 e79e1f70 e79e1e88 00000000 tcpip!UdpEndSendMessages+0xfa

45281c 8a560c7f e79e1e88 00000001 00000000 tcpip!UdpSendMessagesDatagramsComplete+0x22

STACK_COMMAND: kb

FOLLOWUP_IP:

tdx!TdxMessageTlRequestComplete+94

8f989cd0 6804010000 push 104h

SYMBOL_STACK_INDEX: 5

SYMBOL_NAME: tdx!TdxMessageTlRequestComplete+94

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: tdx

IMAGE_NAME: tdx.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 479190ee

FAILURE_BUCKET_ID: 0xA_tdx!TdxMessageTlRequestComplete+94

BUCKET_ID: 0xA_tdx!TdxMessageTlRequestComplete+94

Followup: MachineOwner

It looks like a bunch of hieroglyphic mumbo jumbo. However, if you look closely you can gain some further insight into the possible problem or its cause. The PROCESS_NAME is System, suggesting a system process. The MODULE_NAME is tdx.
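Reading these fields by eye works for one crash; for a pile of dumps it helps to script it. The following is an added Python example (mine, not from the tutorial) that parses the !analyze -v output shown above: the BugCheck line, the named fields, the STACK_TEXT frames, and the Arg3 bitfield decode described under the 0xA arguments. The sample text is a constructed, abridged copy of the output above; parse_analyze and describe_0xa are my own names.

```python
import re

# Constructed sample: an abridged copy of the !analyze -v output shown above.
SAMPLE = """\
BugCheck A, {8cb5bcc0, 1b, 1, 820d0c1f}
CURRENT_IRQL:  1b
PROCESS_NAME:  System
STACK_TEXT:
4526c4 820d0c1f badb0d00 8cb5bcc0 87952ed0 nt!KiTrap0E+0x2ac
45274c 8205f486 00000002 85c5d420 ed9c7048 nt!KiUnwaitThread+0x19
4527e0 8a869ce7 00000007 00000000 00000007 tdx!TdxMessageTlRequestComplete+0x94
452804 8a869d33 e79e1f70 e79e1e88 00000000 tcpip!UdpEndSendMessages+0xfa
STACK_COMMAND:  kb
MODULE_NAME: tdx
IMAGE_NAME:  tdx.sys
FAILURE_BUCKET_ID:  0xA_tdx!TdxMessageTlRequestComplete+94
"""

FIELDS = ("PROCESS_NAME", "MODULE_NAME", "IMAGE_NAME", "FAILURE_BUCKET_ID")

def parse_analyze(text):
    """Pull the triage-relevant fields out of !analyze -v output."""
    result = {}
    m = re.search(r"^BugCheck ([0-9A-Fa-f]+), \{([^}]*)\}", text, re.M)
    if m:
        result["bugcheck"] = int(m.group(1), 16)
        result["args"] = [int(a.strip(), 16) for a in m.group(2).split(",")]
    for name in FIELDS:
        m = re.search(r"^%s:\s*(\S+)" % name, text, re.M)
        if m:
            result[name] = m.group(1)
    # Stack frames sit between STACK_TEXT: and STACK_COMMAND:; keep the
    # module!symbol+offset column so the calling modules can be listed.
    m = re.search(r"^STACK_TEXT:\s*\n(.*?)^STACK_COMMAND:", text, re.M | re.S)
    frames = []
    if m:
        for line in m.group(1).splitlines():
            parts = line.split()
            if len(parts) >= 6 and "!" in parts[-1]:
                frames.append(parts[-1])
    result["frames"] = frames
    result["modules"] = sorted({f.split("!")[0] for f in frames})
    return result

def describe_0xa(args):
    """Decode 0xA args: Arg3 bit 0 = write, bit 3 = execute, otherwise read."""
    addr, irql, bits, ip = args
    op = "execute" if bits & 0b1000 else ("write" if bits & 1 else "read")
    return "%s of %08x at IRQL %d from instruction %08x" % (op, addr, irql, ip)
```

On the crash above, describe_0xa reports a write to 8cb5bcc0 at IRQL 27, which matches the faulting instruction mov dword ptr [edx],ecx with edx=8cb5bcc0.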

OUTPUT KD COMMAND: LMVM TDX

The tdx was clickable for me, which executes the command:

kd> lmvm tdx

as a kd command. The 'lm' in "lmvm" is Loaded Module. The 'v' is Verbose. The 'm' is a pattern match. The debugger chm manual states it as:

m Pattern

Specifies a pattern that the module name must match. Pattern can contain a variety of wildcard characters and specifiers. For more information about the syntax of this information, see String Wildcard Syntax.

You can find lots of information in the chm manual that comes with the windbg download from Microsoft. It will be located here:

C:\Program Files\Debugging Tools for Windows (x86)\debugger.chm

The output from the above command is:

0: kd> lmvm tdx

start end module name

8f97f000 8f995000 tdx (pdb symbols) c:\Program Files\Debugging Tools for Windows (x86)\sym\tdx.pdb\CFB0726BF9864FDDA4B793D5E641E5531\tdx.pdb

Loaded symbol image file: tdx.sys

Mapped memory image file: c:\Program Files\Debugging Tools for Windows (x86)\sym\tdx.sys\479190EE16000\tdx.sys

Image path: \SystemRoot\system32\DRIVERS\tdx.sys

Image name: tdx.sys

Timestamp: Fri Jan 18 21:55:58 2008 (479190EE)

CheckSum: 0001391F

ImageSize: 00016000

File version: 6.0.6001.18000

Product version: 6.0.6001.18000

File flags: 0 (Mask 3F)

File OS: 40004 NT Win32

File type: 3.6 Driver

File date: 00000000.00000000

Translations: 0409.04b0

CompanyName: Microsoft Corporation

ProductName: Microsoft® Windows® Operating System

InternalName: tdx.sys

OriginalFilename: tdx.sys

ProductVersion: 6.0.6001.18000

FileVersion: 6.0.6001.18000 (longhorn_rtm.0801181840)

FileDescription: TDI Translation Driver

LegalCopyright: © Microsoft Corporation. All rights reserved.

So we glean some more insight: who makes the module, and the possible cause of the problem.

I look at the STACK_TEXT and there are references to tcpip and NETIO, which seems to allude to a network problem. So I googled others with a BSOD and tdx.sys problem, and there is a hotfix for this problem. However, a BIG word of caution: please don't download the hotfix if this particular problem does not apply to you. Microsoft suggests using the Microsoft Update procedures, which will include all hotfixes.

To get the link to the hotfix for the network problem, Google "Hotfix 934611 microsoft".

I didn't download this hotfix but rather opted to update my service pack. Currently, Vista is at Service Pack 2. I only had Service Pack 1. So I'll see if this fixes the problem.

To check what Service Pack you have installed and what bit version (32-bit or 64-bit) you have, go to:

"Start/Computer". Right-click "Computer" and then click "Properties". You'll see the Service Pack information under the heading "Windows Edition". Under the heading "System" (around halfway down the page) you will see "System type:", which shows whether you have the 32-bit or 64-bit version installed.

To download Service Pack 2 for Vista, Google "sp2 Vista Microsoft".