Memory Dump Prepared by Nitesh bhat Trainee at Itimpulse
Memory Dump
It is very hard to analyze a memory dump. The memory dump is located on the C: drive in the Windows folder. If we know how to analyze the memory dump, we can easily find out why Windows crashed.
Why does Windows crash?
Something is wrong in kernel mode. Examples:
- Unhandled exception
- OS or driver detects a severe inconsistency
- Invalid memory references
- Hardware error
Memory dump analysis
- 70% of Windows crashes come from third-party bugs
- 15% of Windows crashes cannot be explained
- 10% of Windows crashes come from hardware
- 5% of Windows crashes come from Windows code itself
Crash dump types
- Complete (full) (64 KB for a 32-bit operating system, 128 KB for a 64-bit operating system)
- Kernel: OS/driver memory; default for servers
- Small (minidump): default for XP; minimal crash information
Minidump contents
- Bug check code and parameters
- List of drivers
- Minimal information on the current process
- A unique file per crash in Windows\Minidump
- Can be extracted from a kernel or full dump
The best memory dump for analysis is the kernel dump. If the checksum does not match, the dump is not written.
When is no dump written?
- Crash occurred before the paging file was open
- Spontaneous reboot
- Hung system
- Paging file is too small
- Not enough free space to extract the dump
Analysis basics
Analysis tools are part of Debugging Tools for Windows (free). Two tools can open kernel crash dumps:
- WinDbg - GUI
- kd - command line
Symbols
When applications are linked, the linker that creates the .exe and .dll files also creates a number of additional files known as symbol files. Symbol files hold a variety of data which are not actually needed when running the binaries, but which can be very useful in the debugging process. Typically, symbol files might contain:
- Global variables
- Local variables
Symbols
Symbol files contain the names and locations of internal data. Debugging needs the kernel symbol file to analyze dumps: the kernel image is ntoskrnl.exe, and ntoskrnl.pdb is its symbol file.
How do we manually generate a dump?
Copy and paste the following into Notepad:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\i8042prt\Parameters]
"CrashOnCtrlScroll"=dword:00000001

Save it as CrashOnCtrlScroll.reg with "Save as type" set to All Files. Double-click the file to merge it with the Registry. Restart your computer and you will be able to use it. To generate the minidump file, press and hold the Right Ctrl key and tap the Scroll Lock key twice. You will be presented with the Blue Screen and your computer will restart.
Now: demo with notmyfault, analysis of a memory dump
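As an added example (not from the original slides), a small Python reader for the DUMP_HEADER that starts every Windows kernel crash dump, minidump included: it checks the PAGE/DUMP (32-bit) or PAGE/DU64 (64-bit) signature and pulls out the bug check code and parameters that the slides list as minidump contents. The sample header is constructed inside the script, the field offsets follow the 32-bit DUMP_HEADER and 64-bit DUMP_HEADER64 layouts, and the short code-name table is an assumption covering a few common codes, including 0xE2 MANUALLY_INITIATED_CRASH, which the CrashOnCtrlScroll procedure above raises.

```python
import struct

# Names for a few common bug check codes (assumed subset for this example)
BUGCHECK_NAMES = {
    0x0000000A: "IRQL_NOT_LESS_OR_EQUAL",
    0x00000050: "PAGE_FAULT_IN_NONPAGED_AREA",
    0x0000007E: "SYSTEM_THREAD_EXCEPTION_NOT_HANDLED",
    0x000000D1: "DRIVER_IRQL_NOT_LESS_OR_EQUAL",
    0x000000E2: "MANUALLY_INITIATED_CRASH",  # produced by CrashOnCtrlScroll
}

def parse_dump_header(data: bytes) -> dict:
    """Read the header fields of a kernel crash dump (minidump, kernel or full)."""
    if len(data) < 0x60 or data[0:4] != b"PAGE":
        raise ValueError("not a Windows kernel crash dump (missing PAGE signature)")
    valid = data[4:8]
    major, minor = struct.unpack_from("<II", data, 0x08)  # same offset in both layouts
    if valid == b"DUMP":    # 32-bit DUMP_HEADER: 4-byte pointers
        machine, ncpu, code = struct.unpack_from("<III", data, 0x20)
        params = struct.unpack_from("<4I", data, 0x2C)
        bits = 32
    elif valid == b"DU64":  # 64-bit DUMP_HEADER64: 8-byte pointers shift later fields
        machine, ncpu, code = struct.unpack_from("<III", data, 0x30)
        params = struct.unpack_from("<4Q", data, 0x40)
        bits = 64
    else:
        raise ValueError(f"unknown ValidDump tag {valid!r}")
    return {
        "bits": bits,
        "version": f"{major}.{minor}",
        "machine_type": machine,
        "processors": ncpu,
        "bugcheck_code": code,
        "bugcheck_name": BUGCHECK_NAMES.get(code, "UNKNOWN"),
        "parameters": list(params),
    }

def make_sample_header64(code: int, params: tuple) -> bytes:
    """Construct a minimal 64-bit header (sample data, not a real dump) for testing."""
    hdr = bytearray(b"PAGE" * 0x800)  # 8 KiB of 'PAGE' fill, as in a real header
    hdr[4:8] = b"DU64"
    struct.pack_into("<II", hdr, 0x08, 15, 9600)          # MajorVersion, MinorVersion
    struct.pack_into("<III", hdr, 0x30, 0x8664, 4, code)  # AMD64 machine type, 4 CPUs, code
    struct.pack_into("<4Q", hdr, 0x40, *params)           # BugCheckParameter1..4
    return bytes(hdr)

if __name__ == "__main__":
    info = parse_dump_header(make_sample_header64(0xE2, (0, 0, 0, 0)))
    print(f"Bug check 0x{info['bugcheck_code']:08X} {info['bugcheck_name']} ({info['bits']}-bit)")
```

To run it against a real file, read the first 8 KiB of a .dmp from Windows\Minidump and pass those bytes to parse_dump_header.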