You can also analyze memory dump files by using a kernel debugger. Kernel debuggers are primarily intended to be used by developers for in-depth analysis of application behavior. However, kernel debuggers are also useful tools for administrators troubleshooting Stop errors. In particular, kernel debuggers can be used to analyze memory dump files after a Stop error has occurred.
A debugger is a program that users with the Debug Programs user right (by default, only the Administrators group) can use to step through software instructions, examine data, and check for certain conditions. The following two examples of kernel debuggers are installed by installing Debugging Tools For Windows:
• Kernel Debugger. Kernel Debugger (Kd.exe) is a command-line debugging tool that you can use to analyze a memory dump file written to disk when a Stop message occurs. Kernel Debugger requires that you install symbol files on your system.
• WinDbg Debugger. WinDbg Debugger (WinDbg.exe) provides functionality similar to Kernel Debugger, but it uses a graphical user interface (GUI).
Both tools allow users with the Debug Programs user right to analyze the contents of a memory dump file and debug kernel-mode and user-mode programs and drivers. Kernel Debugger and WinDbg Debugger are just a few of the many tools included in the Debugging Tools For Windows installation. For more information about these and other debugging tools included with Debugging Tools For Windows, see Help in Debugging Tools For Windows.
To use WinDbg to analyze a crash dump, first install the debugging tools available at http://www.microsoft.com/whdc/devtools/debugging/.
To gather the most information from a memory dump file, provide the debugger access to symbol files. The debugger uses symbol files to match memory addresses to human friendly module and function names. The simplest way to provide the debugger access to symbol files is to configure the debugger to access the Microsoft Internet-connected symbol server.
To configure the debugger to use the Microsoft symbol server, follow these steps:
1. Click Start, point to All Programs, point to Debugging Tools For Windows, right-click WinDbg, and then click Run As Administrator.
2. Select Symbol File Path from the File menu.
3. In the Symbol Path box, type
SRV*localpath*http://msdl.microsoft.com/download/symbols
where localpath is a path on the hard disk that the debugger will use to store the downloaded symbol files. The debugger will automatically create localpath when you analyze a dump file.
For example, to store the symbol files in C:\Websymbols, set the symbol file path to
“SRV*c:\websymbols*http://msdl.microsoft.com/download/symbols”.
4. Click OK.
Debuggers do not require access to symbol files to extract the Stop error number and parameters from a memory dump file. Often, the debugger can also identify the source of the Stop error without access to symbols.
To analyze a memory dump file, follow these steps:
1. Click Start, point to All Programs, point to Debugging Tools For Windows, right-click WinDbg, and then click Run As Administrator.
2. Select Open Crash Dump from the File menu.
3. Type the location of the memory dump file and then click Open. By default, this location is %SystemRoot%\Memory.dmp.
4. In the Save Workspace Information dialog box, click No.
5. Select the Command window.
Source of Information : Windows 7 Resource Kit 2009 Microsoft Press
Using Windows 7 Error Reporting
When enabled, the WER service monitors your operating system for faults related to operating system features and applications. By using the WER service, you can obtain more information about the problem or condition that caused the Stop error.
When a Stop error occurs, Windows displays a Stop message and writes diagnostic information to the memory dump file. For reporting purposes, the operating system also saves a small memory dump file. The next time you start your system and log on to Windows as Administrator, WER gathers information about the problem and performs the following actions:
1. Windows displays the Windows Has Recovered From An Unexpected Shutdown dialog box. To view the Stop error code, operating system information, and dump file locations, click View Problem Details. Click Check For Solution to submit the minidump file information and possibly several other temporary files to Microsoft.
2. You might be prompted to collect additional information for future errors. If prompted, click Enable Collection.
3. You might also be prompted to enable diagnostics. If prompted, click Turn On Diagnostics.
4. If prompted to send additional details, click View Details to review the additional information being sent. Then, click Send Information.
5. If prompted to automatically send more information about future problems, choose Yes or No.
6. When a possible solution is available, Action Center displays an icon in the system tray with a notification message.
7. Open Action Center to view the solution. Alternatively, you can search for View All Problem Reports in Control Panel.
If WER does not identify the source of an error, you might be able to determine that a specific driver caused the error by using a debugger.
Source of Information : Windows 7 Resource Kit 2009 Microsoft Press
When a Stop error occurs, Windows displays a Stop message and writes diagnostic information to the memory dump file. For reporting purposes, the operating system also saves a small memory dump file. The next time you start your system and log on to Windows as Administrator, WER gathers information about the problem and performs the following actions:
1. Windows displays the Windows Has Recovered From An Unexpected Shutdown dialog box. To view the Stop error code, operating system information, and dump file locations, click View Problem Details. Click Check For Solution to submit the minidump file information and possibly several other temporary files to Microsoft.
2. You might be prompted to collect additional information for future errors. If prompted, click Enable Collection.
3. You might also be prompted to enable diagnostics. If prompted, click Turn On Diagnostics.
4. If prompted to send additional details, click View Details to review the additional information being sent. Then, click Send Information.
5. If prompted to automatically send more information about future problems, choose Yes or No.
6. When a possible solution is available, Action Center displays an icon in the system tray with a notification message.
7. Open Action Center to view the solution. Alternatively, you can search for View All Problem Reports in Control Panel.
If WER does not identify the source of an error, you might be able to determine that a specific driver caused the error by using a debugger.
Source of Information : Windows 7 Resource Kit 2009 Microsoft Press
Subscribe to:
Posts (Atom)
Cloud storage is for blocks too, not just files
One of the misconceptions about cloud storage is that it is only useful for storing files. This assumption comes from the popularity of file...
-
Many of the virus, adware, security, and crash problems with Windows occu when someone installs a driver of dubious origin. The driver suppo...
-
The Berkeley motes are a family of embedded sensor nodes sharing roughly the same architecture. Let us take the MICA mote as an example. T...
-
To facilitate the development of network traffic filtering products, Microsoft created the Windows Filtering Platform (WFP). It is available...