Part 3: Configuration
WinDBG is setup and ready, now we need memory
dump file to analyze. When I started writing this demo, I didn’t have any real
world dump file, but in the end I found one and you can see demo in the last. for
Here there is a trick, you can have dump file, by crashing system manually. Source http://support.microsoft.com/kb/969028.
I
tried to download Notmyfault utility from
http://download.sysinternals.com/Files/Notmyfault.zip, but it is not available
there I found the software on http://www.afterdawn.com/software/system_tools/misc_system_tools/notmyfault.cfm download
and unzip it under c:\notmyfault folder (create notmyfault folder under c
drive).
Run NotMyfault.exe from c:\Notmyfault\x64.
Congrats you have just crashed your system and
created memory dump file.
Note: Do not try this on your pc or production
systems I am here crashing it in virtual machine Lab.
Once it will done writing to dump file, system
will restart automatically.
Currently my dump setting is set to minidump
file, and I crashed my computer twice, it has created 2 files. You can set dump
file settings to full memory dump or kernel memory dump and see the results.
After installation, you will find new programs
installed under Start>All
Programs>Windows Kits>Debugging tools for windows
Click WinDBG (X64). WinDBG is a pure debugger
tool, specially designed for Microsoft application developers.
What are symbol files?
In next stage you need symbols in order to be able to do effective
debugging. I will call it as WinDBG dictionary from where WinDBG decode dump
files.
Next you need to configure Symbol files location
and server path
You can alter the symbols store location, you
can set it to another drive. Here I am using srv*c:\symbols*http://msdl.microsoft.com/download/symbols
which will save symbols files to c:\symbols and download from http://msdl.microsoft.com/download/symbols,
There are also symbols available from citrix
if you want check bug files generated on citrix server. Below is the list.
- Value for non-Microsoft employees:
srv*c:\symbols*http://msdl.microsoft.com/download/symbols
For Microsoft employees:
For Microsoft employees:
srv*c:\symbols*http://symweb
- 2. Symbol Server (Citrix):
srv*c:\css*http://ctxsym.citrix.com/symbols
Click file>Open Crash Dump or press Ctrl+D.
Navigate to c:\dump\minidump and select latest
memory dump file. Press open.
It will download partial necessary symbol files to decode dump file. It will take time depending on your internet speed. you can check the c:\symbols folder size later as it is growing slowly.
As from above screenshot Windbg detected myfault.sys file is the culprit. Now you can google or search files and folders for the filename on your computer and determine what driver or software is associated to myfault.sys. when we run notmyfault.exe check the other file name located in the same folder. Once you get what application or driver is causing error upgrade it to stable version or also check Hardware relying on drivers or software.
Here we have successfully postmortem'ed minidump
file. Now we are going to capture Kernel memory dump file. For this change
write debugging information and dump file location.
This time I will show you another method of
crashing system, and don’t need any utility, simply go to Task manager and end
process tree of csrss.
This will generate BSOD and create Memory.dump
file under c:\dump. After restart open WinDGB>file> open crash dump>
Navigate to c:\dump and open Memory.dump file.
As you can see csrss.exe caused BSOD.
Download full PDF of this article from http://kunaludapi.weebly.com.
Download full PDF of this article from http://kunaludapi.weebly.com.
1 comment:
Thanks for shaaring this
Post a Comment