In Part 1, I showed how to install and configure the Debugging Tools for Windows and how to set up symbol files so they download from Microsoft.
In this part, I’ll show how to use those tools to analyze the crash dump Windows writes when it crashes with the ‘blue screen of death’.
Prerequisite: set up Windows to generate a crash dump file
Windows doesn’t have to write a crash dump when it crashes, but you want it to: the dump file is what everything below is analyzing.
In the System Properties control panel, on the Advanced tab, click Startup and Recovery -> Settings (this is just above the Environment Variables button you used in Part 1).
Be sure a memory dump type is selected. Note that “Kernel memory dump” is not the same as “Complete memory dump”: a kernel dump contains only kernel-mode memory, while a complete dump contains all of physical RAM. Either way the dump is staged through the page file on the system drive, so a complete dump needs a page file on your C: drive at least as big as your RAM plus 1 MB; a kernel dump gets by with a smaller one, but a page file on C: is still required.
Memory dump locations:
- Kernel/Complete: C:\Windows\MEMORY.DMP (only one copy is kept, and the next crash overwrites it unless you move or rename it)
- Small/Minidump: C:\Windows\Minidump (one file per crash)
One more interesting tidbit: you can set Windows up so that you can crash it at will, which is handy for checking that dumps actually get written. That’s a topic for another article.
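The same settings the Startup and Recovery dialog writes can be checked from PowerShell. The script below is an added example, not part of the original article: it reads the CrashControl registry key, prints the selected dump type and paths, and compares the page file on the system drive with installed RAM, since a Complete memory dump silently fails if that page file is smaller than RAM plus 1 MB. It assumes an elevated PowerShell on the machine being configured and the documented value names under CrashControl (CrashDumpEnabled, DumpFile, MinidumpDir, Overwrite).

```powershell
# Added example (not from the original article): read the crash-dump settings the
# Startup and Recovery dialog writes, and check the page file against installed RAM.
# Assumptions: run in an elevated PowerShell on the machine being configured; value
# names under the CrashControl key are the documented ones (CrashDumpEnabled,
# DumpFile, MinidumpDir, Overwrite).

$crashControl = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'
$cc = Get-ItemProperty -Path $crashControl

# Documented meanings of the CrashDumpEnabled DWORD.
$dumpTypes = @{
    0 = 'None'
    1 = 'Complete memory dump'
    2 = 'Kernel memory dump'
    3 = 'Small memory dump (minidump)'
    7 = 'Automatic memory dump'
}
$typeCode = [int]$cc.CrashDumpEnabled
$type = if ($dumpTypes.ContainsKey($typeCode)) { $dumpTypes[$typeCode] } else { "Unknown ($typeCode)" }

$dumpFile    = [Environment]::ExpandEnvironmentVariables([string]$cc.DumpFile)
$minidumpDir = [Environment]::ExpandEnvironmentVariables([string]$cc.MinidumpDir)

Write-Host "Dump type    : $type"
Write-Host "Dump file    : $dumpFile"
Write-Host "Minidump dir : $minidumpDir"
Write-Host "Overwrite    : $($cc.Overwrite)   (1 = MEMORY.DMP is replaced on the next crash)"

if ($typeCode -eq 0) {
    Write-Warning 'No crash dump will be written; pick a dump type before the next blue screen.'
    return
}

# Kernel and complete dumps are staged through the page file on the system drive.
# A complete dump needs that page file to be at least RAM + 1 MB.
$ramMB    = [math]::Ceiling((Get-CimInstance Win32_ComputerSystem).TotalPhysicalMemory / 1MB)
$sysDrive = $env:SystemDrive
$pf = Get-CimInstance Win32_PageFileUsage | Where-Object { $_.Name -like "$sysDrive\*" }

if (-not $pf) {
    Write-Warning "No page file on $sysDrive; kernel and complete dumps cannot be written."
} else {
    Write-Host "Page file    : $($pf.Name) ($($pf.AllocatedBaseSize) MB allocated, RAM is $ramMB MB)"
    if ($typeCode -eq 1 -and $pf.AllocatedBaseSize -lt ($ramMB + 1)) {
        Write-Warning "Complete memory dump selected but the page file is smaller than RAM + 1 MB; the dump will fail."
    }
}

# To pick a Kernel memory dump without the GUI (takes effect after a reboot):
# Set-ItemProperty -Path $crashControl -Name CrashDumpEnabled -Value 2 -Type DWord
```

Run it once before you need it: a warning here is much cheaper than discovering after a crash that MEMORY.DMP was never written.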
Checking out your first crash dump file:
(The first time you do this it takes a while, because the debugger downloads symbols from Microsoft; later opens reuse the local symbol cache.)
File->Open Crash Dump…
Find your crash dump file.
Watch the output in the Command window.
If you’re lucky, you’ll see a line such as:
Probably caused by : filename.ext
For a kernel crash that is usually a driver (a .sys file), followed in parentheses by the module and offset the fault was attributed to.
Many times, this first step of opening the crash dump tells you what you need to know.
Sometimes it doesn’t, and you want to look a little deeper.
The next thing to try is usually !analyze -v.
Think of the debugger as a CMD window: you won’t find !analyze -v in the menus, but you can type it at the kd> prompt at the bottom of the Command window.
(You can also click it where it appears as a link in the output; the debugger suggests it by name when it opens the dump.)
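When a machine has been bluescreening for a while there is more than one dump to look at, and clicking through File->Open Crash Dump for each gets old. The script below is an added example, not from the original article: it uses kd.exe, the console kernel debugger that ships alongside WinDbg in the Debugging Tools for Windows, to run !analyze -v over MEMORY.DMP and every minidump, save the full output per dump, and pull out the one-line verdicts (BUGCHECK_STR, PROCESS_NAME and the “Probably caused by” line). The kd.exe path is an assumption, so point it at your install from Part 1, and it relies on _NT_SYMBOL_PATH being set as in Part 1 so symbols download on their own.

```powershell
# Added example, not from the original article: run "!analyze -v" over every dump
# in the default locations from the command line and collect the verdicts.
#
# Assumptions (adjust to your install from Part 1):
#   - kd.exe (the console kernel debugger from the Debugging Tools for Windows)
#     lives at $kd below.
#   - _NT_SYMBOL_PATH is set as described in Part 1, so symbols download automatically.

$kd     = 'C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\kd.exe'
$outDir = Join-Path $env:TEMP 'dump-triage'
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

if (-not (Test-Path $kd)) { throw "kd.exe not found at $kd; fix the path." }

# Default dump locations: one MEMORY.DMP (kernel/complete) plus the Minidump folder.
$dumps = @()
$full = Join-Path $env:SystemRoot 'MEMORY.DMP'
if (Test-Path $full) { $dumps += Get-Item $full }
$dumps += Get-ChildItem (Join-Path $env:SystemRoot 'Minidump\*.dmp') -ErrorAction SilentlyContinue

$results = foreach ($dump in ($dumps | Sort-Object LastWriteTime -Descending)) {
    $log = Join-Path $outDir ($dump.BaseName + '.txt')

    # -z opens a crash dump, -c runs debugger commands at the first prompt;
    # the trailing q quits kd once !analyze -v has finished.
    & $kd -z $dump.FullName -c '!analyze -v; q' 2>&1 |
        Out-File -FilePath $log -Encoding utf8

    # Pull the one-line verdicts out of the verbose output. A pattern that does not
    # appear for a given dump simply comes back empty.
    $grab = {
        param($pattern)
        $m = Select-String -Path $log -Pattern $pattern | Select-Object -First 1
        if ($m) { $m.Line.Trim() } else { '' }
    }

    [pscustomobject]@{
        Dump     = $dump.Name
        Written  = $dump.LastWriteTime
        BugCheck = & $grab '^BUGCHECK_STR:'
        Process  = & $grab '^PROCESS_NAME:'
        Cause    = & $grab 'Probably caused by'
        Log      = $log
    }
}

$results | Format-Table -AutoSize -Wrap
```

The first run is slow for the same reason the GUI is: each new module needs its symbols fetched. The per-dump log files in the output directory are the full !analyze -v text, so when the summary table is not enough you open the log rather than re-running the debugger.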
If that doesn’t point at the culprit, the options get a little trickier…
In my next post, I’ll show a few hand-picked commands that let you see what was running when the crash happened.