Step by step guide how to use Microsoft Windows Debugger (WinDbg) to
analyze Minidump a.k.a Crash Dump

1.Download and install Microsoft Windows Debugger (WinDbg) from
http://www.microsoft.com/whdc/devtools/deb...installx86.mspx

2.Run WinDbg.

3.Before analyze the minidump, you need to setup "Symbol File Path".
a.File -> Symbol File Path -> type

"SRV*c:\websymbols*http://msdl.microsoft.com/download/symbols"

(without quotes) to the text box.

b.Check the Reload check box and click OK.



4.Now you can open a crash dump for analysis.
a.File -> Open Crash Dump.
b.Open a minidump file that you would like to analyze.



c.After you have opened a minidump file,
system will ask you to save "Base Workspace Information" and just click YES.

5.Now the debugger is analyzing your dump file and please waits...

6.If you see this screen, you can type "!analyze -v" in the kd> text box
and press ENTER.



7.After analyze -v operation is completed, the process of dump analysis is DONE
and you can find the crash information here.

8.This is the result:

Microsoft ® Windows Debugger Version 6.3.0017.0
Copyright © Microsoft Corporation. All rights reserved.


Loading Dump File [C:\WINDOWS\Minidump\Mini091904-04.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: SRV*c:\websymbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows XP Kernel Version 2600 (Service Pack 2) UP Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 2600.xpsp_sp2_rtm.040803-2158
Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055ab20
Debug session time: Sun Sep 19 23:34:08 2004
System Uptime: 0 days 0:15:39.343
Loading Kernel Symbols
..........................................
Loading unloaded module list
....................
Loading User Symbols
****************************************************************
* *
* Bugcheck Analysis *
* *
****************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 10000050, {ac191633, 0, ac191633, 0}


Could not read faulting driver name
Probably caused by : win32k.sys ( win32k!IsRestricted+5 )

Followup: MachineOwner
---------

kd> .reload
Loading Kernel Symbols
..........................................
Loading unloaded module list
....................
Loading User Symbols
kd> !analyze -v
****************************************************************
* *
* Bugcheck Analysis *
* *
****************************************************************

PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except,
it must be protected by a Probe. Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: ac191633, memory referenced.
Arg2: 00000000, value 0 = read operation, 1 = write operation.
Arg3: ac191633, If non-zero, the instruction address which referenced the bad memory
address.
Arg4: 00000000, (reserved)

Debugging Details:
------------------


Could not read faulting driver name

READ_ADDRESS: ac191633

FAULTING_IP:
+ffffffffac191633
ac191633 ?? ???

MM_INTERNAL_CODE: 0

CUSTOMER_CRASH_COUNT: 4

DEFAULT_BUCKET_ID: COMMON_SYSTEM_FAULT

BUGCHECK_STR: 0x50

LAST_CONTROL_TRANSFER: from bf8dc034 to ac191633

STACK_TEXT:
WARNING: Frame IP not in any known module. Following frames may be wrong.
ed332c14 bf8dc034 bf83ad9d 824ae420 e478aab8 0xac191633
ed332c84 bf83b0b7 0364a780 00000000 00000001 win32k!IsRestricted+0x5
ed332ca0 bf801a55 00000000 00000001 00000000 win32k!xxxCallHook+0x26
ed332ce8 bf80365e ed332d14 000025ff 00000000 win32k!xxxRealInternalGetMessage+0x264
ed332d48 804df06b 052fec5c 00000000 00000000 win32k!NtUserPeekMessage+0x40
ed332d48 7c90eb94 052fec5c 00000000 00000000 nt!KiFastCallEntry+0xf8
052febdc 00000000 00000000 00000000 00000000 0x7c90eb94


FAILED_INSTRUCTION_ADDRESS:
+ffffffffac191633
ac191633 ?? ???

FOLLOWUP_IP:
win32k!IsRestricted+5
bf8dc034 51 push ecx

SYMBOL_STACK_INDEX: 1

FOLLOWUP_NAME: MachineOwner

SYMBOL_NAME: win32k!IsRestricted+5

MODULE_NAME: win32k

IMAGE_NAME: win32k.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 41107f7a

STACK_COMMAND: kb

BUCKET_ID: 0x50_CODE_AV_BAD_IP_win32k!IsRestricted+5

Followup: MachineOwner
---------

9.In this example, the error is PAGE_FAULT_IN_NONPAGED_AREA (50).
You can copy the exact error and search the related info from www.google.com.
This is the website that I found to tell you what this error is about.
http://www.dslreports.com/forum/remark,109...e=flat~start=20

10.The error that I got is related to MEMORY_CORRUPTION.

11.I have downloaded a memory test tool called MEMTEST86 from http://www.memtest86.com/memt31a.zip.
Please follow the guideline for how to create bootable CD and use the tool.

12.I have ran the test for my memory and found a lot of error in my 2nd slot Kingston KVR333X64C25/256.
Now I will bring my faulty memory and the test result for my memory warranty.



~ Good Luck & Happy Analyzing ~

This post has been edited by samurai1337: Nov 30 2006, 07:23 AM

I saw some post regarding someone asking should we send the error to Microsoft. my advise is DO NOT send the error to MS because you dont know what MS have coded with this feature. your info might leak to MS as well.

Disable the error reporting feature:
right click my computer -> properties -> click advanced tab -> click Error Reporting -> select Disable error reporting but do check "but notify me when critical errors occur".

at least we know some critical error happended.

this article might be useful to some of u, How to Use Dumpchk.exe to Check a Memory Dump File

its for memory dump file though. nonetheless its closely related to the topic

This post has been edited by disket: Sep 22 2004, 02:37 AM

Yepp, i'm connected to a LAN network which is connected to the internet via a proxy 24/7. Ermm, must be sumthin wrong wif attachments. Here it is again:

the websymbols folder created under c: drive?
try to close it and run again

Nope, there's no websymbols folder created. Ran it again a few times and still the same error pops out.

Edit: Got a new screenshot wif different error msg.

This post has been edited by leadaxer: Oct 3 2004, 04:28 PM


Attached thumbnail(s)

Your debugger is not using the correct symbols

In order for this command to work properly, your symbol path must point to .pdb files that have full type information.

Certain .pdb files (such as the public OS symbols) do not contain the required information. Contact the group that provided you with these symbols if you need this command to work.
------------------------------------------------------------------------------------------
hm.. how to deal with this?

***** Kernel symbols are WRONG. Please fix symbols to do analysis.

Unable to load image emDevice.sys, Win32 error 2
*** WARNING: Unable to verify timestamp for emDevice.sys
*** ERROR: Module load completed but symbols could not be loaded for emDevice.sys
Unable to load image emStream.sys, Win32 error 2
*** WARNING: Unable to verify timestamp for emStream.sys
*** ERROR: Module load completed but symbols could not be loaded for emStream.sys
Probably caused by : emDevice.sys ( emDevice+a0d4 )

Followup: MachineOwner
---------

kd> .reload
Unable to load image ntoskrnl.exe, Win32 error 2
*** WARNING: Unable to verify timestamp for ntoskrnl.exe
*** ERROR: Module load completed but symbols could not be loaded for ntoskrnl.exe
-------------------------------------------------------------------------------------
wow..lots of problem. dunno how to fix it.. now, this is how we tell the amateur , intermediate and pro. haha

post ur crash dump file here and let us help u

are you using Leadtek WinFast TV USB II?
should be video Driver corrupted.

post ur crash dump file here and let us help u since ur analysis is not complete

make sure websymbols folder is created under c:

How do i make certain of that? I've followed ur steps one-by-one. Btw, i'm using XP SP2.

Depending from case to case. if yours error is generated from hardware, driver or os, then 90% of the accuracy.

dont know how to make new folder in C:

go to C Drive, right click and select NEW and select FOLDER.
after that, rename the new folder to websymbols.

Yes. because need to download the symbols from microsoft website to analyse your dump file

http://www.microsoft.com/whdc/devtools/deb...ng/symbols.mspx

Thanx for the help but it's ok. I was just testing out some old dump files which reported some memory errors. I've found the problem out already. But i'll share it here if i do face any in the future.

Bluescreen or BSOD, blue screen of death occurs when u have a very serious problem mostly due to the hardware. The dump file is a file constructed which stores info on the BSOD error. This debugger functions to analyze the dump files to find out in detail what is the probable cause of the error.

hi there, i'm quite new to these debugger thingy. i got this message but i don't really understand what's the prob actually.

Microsoft ® Windows Debugger Version 6.3.0017.0
Copyright © Microsoft Corporation. All rights reserved.


Loading Dump File [C:\Documents and Settings\LEE\Local Settings\Temp\WER788a.dir00\Mini102104-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: SRV*c:\websymbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Unable to load image ntoskrnl.exe, Win32 error 2
*** WARNING: Unable to verify timestamp for ntoskrnl.exe
*** ERROR: Module load completed but symbols could not be loaded for ntoskrnl.exe
Windows XP Kernel Version 2600 (Service Pack 2) UP Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055ab20
Debug session time: Thu Oct 21 03:18:01 2004
System Uptime: 0 days 11:50:48.346
Unable to load image ntoskrnl.exe, Win32 error 2
*** WARNING: Unable to verify timestamp for ntoskrnl.exe
*** ERROR: Module load completed but symbols could not be loaded for ntoskrnl.exe
Loading Kernel Symbols
....................................................................................................................................
Loading unloaded module list
.................
Loading User Symbols
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 100000D1, {0, 2, 0, b2d40937}

***** Kernel symbols are WRONG. Please fix symbols to do analysis.

Unable to load image Klpf.sys, Win32 error 2
*** WARNING: Unable to verify timestamp for Klpf.sys
*** ERROR: Module load completed but symbols could not be loaded for Klpf.sys
Probably caused by : Klpf.sys ( Klpf+3bc1 )

Followup: MachineOwner
---------

kd> .reload
Unable to load image ntoskrnl.exe, Win32 error 2
*** WARNING: Unable to verify timestamp for ntoskrnl.exe
*** ERROR: Module load completed but symbols could not be loaded for ntoskrnl.exe
Loading Kernel Symbols
....................................................................................................................................
Loading unloaded module list
.................
Loading User Symbols
kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: 00000000, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000000, value 0 = read operation, 1 = write operation
Arg4: b2d40937, address which referenced memory

Debugging Details:
------------------

***** Kernel symbols are WRONG. Please fix symbols to do analysis.

Unable to load image Klpf.sys, Win32 error 2
*** WARNING: Unable to verify timestamp for Klpf.sys
*** ERROR: Module load completed but symbols could not be loaded for Klpf.sys

READ_ADDRESS: unable to get nt!MmPoolCodeEnd
unable to get nt!MmSpecialPoolEnd
unable to get nt!MmPagedPoolEnd
unable to get nt!MmNonPagedPoolEnd
unable to get nt!MmNonPagedPoolStart
unable to get nt!MmSpecialPoolStart
unable to get nt!MmPagedPoolStart
unable to get nt!MiSessionPoolStart
unable to get nt!MiSessionPoolEnd
unable to get nt!MmNonPagedPoolExpansionStart
unable to get nt!MmPoolCodeStart
00000000

CURRENT_IRQL: 2

FAULTING_IP:
afd!AfdDisconnectEventHandler+2d
b2d40937 668b07 mov ax,[edi]

CUSTOMER_CRASH_COUNT: 1

DEFAULT_BUCKET_ID: DRIVER_FAULT

BUGCHECK_STR: 0xD1

LAST_CONTROL_TRANSFER: from f87d9bc1 to b2d40937

STACK_TEXT:
b2349c34 f87d9bc1 ff2788a8 ff297920 00000000 afd!AfdDisconnectEventHandler+0x2d
WARNING: Stack unwind information not available. Following frames may be wrong.
b2349c6c f87dabda fedac5b0 c0000001 00000000 Klpf+0x3bc1
fee5af68 00000000 00000000 00000000 00000000 Klpf+0x4bda


FOLLOWUP_IP:
Klpf+3bc1
f87d9bc1 ?? ???

SYMBOL_STACK_INDEX: 1

FOLLOWUP_NAME: MachineOwner

SYMBOL_NAME: Klpf+3bc1

MODULE_NAME: Klpf

IMAGE_NAME: Klpf.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 3fc740f1

STACK_COMMAND: kb

BUCKET_ID: WRONG_SYMBOLS

Followup: MachineOwner
---------

anyone care to enlighthen me, plz?

Hmm, i'm still new at it too but could it be a driver error?