BSOD Kernel Dump Analysis - Discussion
21 - 40 of 291 Posts
Joined
·
34,634 Posts
Beware of FAKE BSODs -
http://windows7forums.com/windows-7...p-files-dmp-saved-after-crash.html#post143462
EDIT: New URL - Where are dump files (.dmp) saved after crash ? - Windows Forums
They could be someone playing a joke on us, or being played themselves by another.
jcgriff2
.
http://windows7forums.com/windows-7...p-files-dmp-saved-after-crash.html#post143462
EDIT: New URL - Where are dump files (.dmp) saved after crash ? - Windows Forums
They could be someone playing a joke on us, or being played themselves by another.
jcgriff2
.
Joined
·
34,634 Posts
More interesting reading from the great H2SO4 of SevenForums -
More Debugger Trickery For The Interested
Enjoy !
jcgriff2
.
More Debugger Trickery For The Interested
Enjoy !
jcgriff2
.
Joined
·
39 Posts
Yup H2SO4's debugging trick are always really helpful and most of us follow them !! Thanks for reminding it again John !!
- Captain
- Captain
Joined
·
34,634 Posts
`
Some analysis on the SYM errors re: NT - ntoskrnl.exe/ ntkrpamp.exe --> http://www.techsupportforum.com/2667350-post15.html
Note the timestamp for NT - ntoskrnl - 8 December 2009
I'll have to check, but I believe it to be the same date that shows in Windows 7 systems w/ NT Kernel SYM errors
Note "tcpip.sys - note AVG..? in one of the code boxes at end of post
From the kd> command line in Windbg -
Q. . . why does AVG show up under tcpip symbol file?
The OS = Windows XP Kernel Version 2600 SP3 - Bugcheck = 0xf4 (0x3,,,)
Comments appreciated.
John
.
NT Kernel Symbol Errors
Some analysis on the SYM errors re: NT - ntoskrnl.exe/ ntkrpamp.exe --> http://www.techsupportforum.com/2667350-post15.html
Note the timestamp for NT - ntoskrnl - 8 December 2009
I'll have to check, but I believe it to be the same date that shows in Windows 7 systems w/ NT Kernel SYM errors
Note "tcpip.sys - note AVG..? in one of the code boxes at end of post
From the kd> command line in Windbg -
Code:
[font=lucida console]
[B]!sym noisy[/B] (shows which symbol files dbghelp is loading)
[B].reload[/B]
[B]lmvm tcpip[/B]
[/font]The OS = Windows XP Kernel Version 2600 SP3 - Bugcheck = 0xf4 (0x3,,,)
Comments appreciated.
John
.
Joined
·
553 Posts
Joined
·
3,285 Posts
Thanks John. I'm in the process of learning myself (as you know).
Joined
·
553 Posts
Joined
·
34,634 Posts
`
Windows Service Branch info - RTM, LDR, GDR + the infamous 8 December 2009 timestamp for ntoskrnl, ntkrnlmp, etc. . . causing all of the recent SYM errors (not found on MSDL SYM site) + tcpip, tcpipreg and others -
File info w/ timestamps & version numbers -
http://support.microsoft.com/default.aspx/kb/974145?p=1
http://support.microsoft.com/kb/977165
jcgriff2
.
Windows Service Branch info - RTM, LDR, GDR + the infamous 8 December 2009 timestamp for ntoskrnl, ntkrnlmp, etc. . . causing all of the recent SYM errors (not found on MSDL SYM site) + tcpip, tcpipreg and others -
File info w/ timestamps & version numbers -
http://support.microsoft.com/default.aspx/kb/974145?p=1
http://support.microsoft.com/kb/977165
jcgriff2
.
Joined
·
4,053 Posts
Good to know, thanks for posting.
I just wish my symbols worked more than half the time :sigh:
I just wish my symbols worked more than half the time :sigh:
Joined
·
34,634 Posts
Thanks, John.
It appears that the SYM error issues are over as the most recently processed Windows 7 x86 dumps in particular show no symbol errors. They have apparently been added to the MSDL site. I have not yet gone back to re-run prior dumps, though.
__________________________
A 0xd1 bugcheck mini kernel dump analysis in depth (actually 34 of them!) showing how the 4th parm (object referencing the memory address in parm #1) can be tied to a loaded driver. The 1st parm was not as easily ID'd to what I believe is the Realtek driver as it may be a physical memory address (v. virtual, or vice-versa) and a full kernel dump (w/ page file info) would be needed to do so. The page file contains the table for physical and virtual memory address conversions.
http://www.techsupportforum.com/f217/bsod-in-win7-and-realtek-ndis-474928.html#post2677840
jcgriff2
.
It appears that the SYM error issues are over as the most recently processed Windows 7 x86 dumps in particular show no symbol errors. They have apparently been added to the MSDL site. I have not yet gone back to re-run prior dumps, though.
__________________________
A 0xd1 bugcheck mini kernel dump analysis in depth (actually 34 of them!) showing how the 4th parm (object referencing the memory address in parm #1) can be tied to a loaded driver. The 1st parm was not as easily ID'd to what I believe is the Realtek driver as it may be a physical memory address (v. virtual, or vice-versa) and a full kernel dump (w/ page file info) would be needed to do so. The page file contains the table for physical and virtual memory address conversions.
http://www.techsupportforum.com/f217/bsod-in-win7-and-realtek-ndis-474928.html#post2677840
jcgriff2
.
Joined
·
34,634 Posts
Thanks to Done_Fishin -
Acer FTP Driver Support site - Notebooks --> ftp://ftp.work.acer-euro.com/notebook/
Acer FTP main site, UK --> ftp://ftp.work.acer-euro.com
jcgriff2
.
Acer FTP Driver Support site - Notebooks --> ftp://ftp.work.acer-euro.com/notebook/
Acer FTP main site, UK --> ftp://ftp.work.acer-euro.com
jcgriff2
.
Hi!
Not sure if you patrol the Server board, I need some help debugging a memorydump there, would really appreciate it if you could take a look.
http://www.techsupportforum.com/f103/bsod-errors-occasionally-475493.html
Thanks!
Not sure if you patrol the Server board, I need some help debugging a memorydump there, would really appreciate it if you could take a look.
http://www.techsupportforum.com/f103/bsod-errors-occasionally-475493.html
Thanks!
Joined
·
34,634 Posts
Information on commands and additional interesting and informative BSOD threads -
Windbg commands that I find most useful - http://www.sevenforums.com/671427-post3.html
The first is the "usual" set of stringed commands that I use, including -
k = stack text of given thread
kv = " " + frame pointer omission (FPO) information
r = registers (I don't usually use much, if any info from this command
lmnt -
-- lm = loaded driver listing
-- n = displays image name
-- t = displays timestamp info
-- lmnt displays the loaded driver list in order of memory addresses
lmntsm -
- lmnt - see above
-- sm = Sorts the display by module name instead of by the start addresSorts the display by module name instead of by the start address
!for each module - displays various info for each module, including current and previous version numbers
Informative threads --> http://www.techsupportforum.com/f217/solved-symantec-endpoint-11-0x7e-vista-x64-bsod-370804.html
John
`
Windbg commands that I find most useful - http://www.sevenforums.com/671427-post3.html
Code:
[FONT=Lucida Console] !analyze -v; kv; k; r; lmnt; lmntsm
!for_each_module .echo @#ModuleIndex : @#Base @#End @#ModuleName @#ImageName @#LoadedImageName
!for_each_module .echo @#ModuleName fver = @#FileVersion pver = @#ProductVersion[/FONT]The first is the "usual" set of stringed commands that I use, including -
k = stack text of given thread
kv = " " + frame pointer omission (FPO) information
r = registers (I don't usually use much, if any info from this command
lmnt -
-- lm = loaded driver listing
-- n = displays image name
-- t = displays timestamp info
-- lmnt displays the loaded driver list in order of memory addresses
lmntsm -
- lmnt - see above
-- sm = Sorts the display by module name instead of by the start addresSorts the display by module name instead of by the start address
!for each module - displays various info for each module, including current and previous version numbers
Informative threads --> http://www.techsupportforum.com/f217/solved-symantec-endpoint-11-0x7e-vista-x64-bsod-370804.html
John
`
Joined
·
4,053 Posts
I've never played with !for_each_module before. I'll have to try it out. Thanks for sharing.
Joined
·
34,634 Posts
It is now official... I went back and re-ran many old dumps that showed SYM errors - and they do not have symbol errors now.
Case in point - a post showing "before" (w/ SYM errors) and "after" - same dumps, but now no symbol errors.
http://www.techsupportforum.com/2680515-post8.html
jcgriff2
.
Joined
·
34,634 Posts
`
jcgriff2
.
NO MEMORY DUMP FILES BEING PRODUCED UPON BSOD?
Please see --> http://www.techsupportforum.com/2687596-post2.htmljcgriff2
.
21 - 40 of 291 Posts
