Wednesday, 28 March 2012

How to analyze a memory dump after a Windows crash (Blue Screen of Death)

1) Download and install the Microsoft Debugging Tools: http://www.microsoft.com/whdc/devtools/debugging/installx86.mspx

2) Start > All Programs > Debugging Tools for Windows (x86) > WinDbg > File > Symbol File Path
Then paste this line into the symbol path (it fetches symbols from Microsoft's public symbol server and caches them in c:\symbols): SRV*c:\symbols*http://msdl.microsoft.com/download/symbols

3) File > Open Crash Dump > select your crash dump (usually under %systemroot%\minidump). WinDbg then prints its summary:
Microsoft (R) Windows Debugger Version 6.12.0002.633 X86
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [G:\tmp\Mini032911-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: SRV*c:\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows XP Kernel Version 2600 (Service Pack 3) UP Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 2600.xpsp_sp3_gdr.100216-1514
Machine Name:
Kernel base = 0x804d7000 PsLoadedModuleList = 0x80554040
Debug session time: Tue Mar 29 11:42:28.210 2011 (UTC + 2:00)
System Uptime: 4 days 2:09:35.447
Loading Kernel Symbols
...............................................................
..............................................................
Loading User Symbols
Loading unloaded module list
.........................................
Unable to load image ATMFD.DLL, Win32 error 0n2
*** WARNING: Unable to verify timestamp for ATMFD.DLL
*** ERROR: Module load completed but symbols could not be loaded for ATMFD.DLL
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 10000050, {e20937b4, 0, bf83cc83, 1}


Could not read faulting driver name
Probably caused by : ATMFD.DLL ( ATMFD+125e9 )

Followup: MachineOwner
---------

You can obtain the detailed debugging information by entering the command !analyze -v at the kd> prompt:

kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except,
it must be protected by a Probe. Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: e20937b4, memory referenced.
Arg2: 00000000, value 0 = read operation, 1 = write operation.
Arg3: bf83cc83, If non-zero, the instruction address which referenced the bad memory
address.
Arg4: 00000001, (reserved)

Debugging Details:
------------------


Could not read faulting driver name

READ_ADDRESS: e20937b4

FAULTING_IP:
win32k!EngUnmapFontFileFD+1c
bf83cc83 8b482c mov ecx,dword ptr [eax+2Ch]

MM_INTERNAL_CODE: 1

CUSTOMER_CRASH_COUNT: 1

DEFAULT_BUCKET_ID: DRIVER_FAULT

BUGCHECK_STR: 0x50

PROCESS_NAME: csrss.exe

LAST_CONTROL_TRANSFER: from bffb25e9 to bf83cc83

STACK_TEXT:
b9144b6c bffb25e9 e2093788 e2093788 00006eb0 win32k!EngUnmapFontFileFD+0x1c
WARNING: Stack unwind information not available. Following frames may be wrong.
b9144ba0 bffafaba 00000000 000004a8 00000001 ATMFD+0x125e9
b9144c00 bffa5ab1 00000001 bf977f53 00000000 ATMFD+0xfaba
b9144c34 bffa2fab 00000001 bf977f53 b9144cf4 ATMFD+0x5ab1
b9144c64 bf8d1267 e3f33968 00000002 00000000 ATMFD+0x2fab
b9144c7c bf8e0428 e3f33968 b9144ca8 bf8e0491 win32k!PDEVOBJ::UnloadFontFile+0x2a
b9144c88 bf8e0491 e26d5008 e103f550 e26d5008 win32k!vCleanupFontFile+0x23
b9144ca8 bf9657f8 b9144cec 00000001 00000000 win32k!PUBLIC_PFTOBJ::bLoadAFont+0x24c
b9144ce4 bf9420a4 00000000 89ec8990 e26d6e58 win32k!PFTOBJ::bUnloadAllButPermanentFonts+0x1c8
b9144cf8 bf93261f 805b0b36 80527852 023b1f48 win32k!GreRemoveAllButPermanentFonts+0x29
b9144d10 bf861ff8 89d31558 00000000 bf861fa2 win32k!EndShutdown+0xe4
b9144d30 bf861fcc 89d31558 00000006 006afeb4 win32k!xxxSetInformationThread+0x17f
b9144d4c 8053d658 0000008c 00000006 006afeb4 win32k!NtUserSetInformationThread+0x31
b9144d4c 7c90e514 0000008c 00000006 006afeb4 nt!KiFastCallEntry+0xf8
006afeb8 00000000 00000000 00000000 00000000 0x7c90e514


STACK_COMMAND: kb

FOLLOWUP_IP:
ATMFD+125e9
bffb25e9 ?? ???

SYMBOL_STACK_INDEX: 1

SYMBOL_NAME: ATMFD+125e9

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: ATMFD

IMAGE_NAME: ATMFD.DLL

DEBUG_FLR_IMAGE_TIMESTAMP: 4802a0d3

FAILURE_BUCKET_ID: 0x50_ATMFD+125e9

BUCKET_ID: 0x50_ATMFD+125e9

Followup: MachineOwner
---------

The problem was a font problem: the faulting frame is in ATMFD.DLL (the Adobe Type Manager font driver), reached from win32k's font-unloading path while csrss.exe was shutting down.
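To turn the !analyze -v text above into a triage record, here is a small parser (an added example, not part of the original post); the sample input is constructed from the post's own output, and the returned dictionary's field names are my own choice.

```python
import re
# Constructed sample: the relevant lines of the post's own !analyze -v output.
SAMPLE = """\
BugCheck 10000050, {e20937b4, 0, bf83cc83, 1}
PAGE_FAULT_IN_NONPAGED_AREA (50)
FAULTING_IP:
win32k!EngUnmapFontFileFD+1c
PROCESS_NAME: csrss.exe
STACK_TEXT:
b9144b6c bffb25e9 e2093788 e2093788 00006eb0 win32k!EngUnmapFontFileFD+0x1c
WARNING: Stack unwind information not available. Following frames may be wrong.
b9144ba0 bffafaba 00000000 000004a8 00000001 ATMFD+0x125e9
b9144c7c bf8e0428 e3f33968 b9144ca8 bf8e0491 win32k!PDEVOBJ::UnloadFontFile+0x2a
MODULE_NAME: ATMFD
IMAGE_NAME: ATMFD.DLL
FAILURE_BUCKET_ID: 0x50_ATMFD+125e9
"""

def parse_analyze(text):
    """Extract the fields a crash triage note needs from !analyze -v output."""
    out = {}
    m = re.search(r"^BugCheck ([0-9A-Fa-f]+), \{([^}]*)\}", text, re.M)
    if m:  # 0x10000050 is stop code 0x50 with a flag bit; !analyze prints BUGCHECK_STR: 0x50
        out["bugcheck"] = int(m.group(1), 16) & 0xFFFF
        out["args"] = [int(a, 16) for a in m.group(2).split(",")]
    m = re.search(r"^([A-Z_]+) \(([0-9A-Fa-f]+)\)\s*$", text, re.M)
    out["bugcheck_name"] = m.group(1) if m else None
    for key in ("PROCESS_NAME", "MODULE_NAME", "IMAGE_NAME", "FAILURE_BUCKET_ID"):
        m = re.search(r"^%s:\s*(\S+)" % key, text, re.M)
        out[key.lower()] = m.group(1) if m else None
    m = re.search(r"^FAULTING_IP:\s+(\S+)", text, re.M)
    out["faulting_symbol"] = m.group(1) if m else None
    # Stack frames: five 8-digit hex columns then the symbol; frames after the unwind WARNING are untrusted.
    frames, trusted, in_stack = [], True, False
    for line in text.splitlines():
        if line.startswith("STACK_TEXT:"):
            in_stack = True
        elif in_stack and line.startswith("WARNING: Stack unwind"):
            trusted = False
        elif in_stack:
            fm = re.match(r"^(?:[0-9a-f]{8} ){5}(\S+)", line)
            if fm:
                frames.append((fm.group(1), trusted))
            elif frames:
                break
    out["frames"] = frames
    if out.get("bugcheck") == 0x50 and len(out.get("args", [])) > 1:
        out["access"] = "write" if out["args"][1] else "read"  # stop 0x50: Arg2 is 0 read / 1 write
    return out
```

For unattended use, the same text can be captured with the command-line kd from the same Debugging Tools package: kd -z <dump file> -y "<symbol path>" -c "!analyze -v; q".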

1 comment:

  1. Hey Pierre-Alexandre.
    I had an issue while installing WinDbg. It seems it can't be installed if a newer version of the "Microsoft Visual C++ 2010 Redistributable" is installed. I uninstalled it as mentioned by Peter here:

    https://social.msdn.microsoft.com/Forums/windowsdesktop/en-US/8f3350f9-0b47-40ae-b070-f2ccbf041875/windows-7-sdk-installation-failure?forum=windowssdk
