
How to Analyze Windows Memory Dump

How to Analyze the Memory Dump

Welcome back guys :) Today I am going to explain how to analyze a memory dump. In my previous post I described how to create a memory dump and where you can find the dump file. Let's say you have configured a memory dump on a server and the server went down unexpectedly with a BSOD. Now you need to go to the default location, i.e. %SystemRoot%\Memory.dmp, for the memory dump file. You can find the Memory.dmp as below.

This Memory.dmp file is the dump file for a complete dump. Now you need to analyze it ;) There are a bundle of tools in the market for this, some free of cost and some licensed. Microsoft has a tool that we can use to analyze memory dumps on Microsoft platforms, called the Windows Debugger (dbg_x86_6.11.1.404). You can download it from here. After downloading the debugger you need to do a little bit of configuration before analyzing the dump.

Now you need to configure the symbol path for it. Before doing that, just do the following:

1. Create a folder named symbols (without quotes) in the root drive.
2. Open WinDbg and then go to File-->Symbol File Path.
3. Set the path to SRV*c:\symbols*http://msdl.microsoft.com/download/symbols (without quotes).

Symbol Path:- Symbol files provide a footprint of the functions that are contained in executable files and dynamic-link libraries (DLLs). Additionally, symbol files can present a roadmap of the function calls that lead to the point of failure. Now the configuration is done and you need to open the dump file in the debugger. To do this go to File-->Open Crash Dump.

After you open the Memory.dmp, it will do some calculations and load the symbols as below.

Now you need to run the command "!analyze -v" to get the details. After this command you will get the details about the reason behind the crash :) In this case the reason for the crash was the fltmgr.sys file. As you all are System Admins you must have good Google search skills, so just google it and get the reason for the same. I found the reason, and there is a Hotfix from Microsoft for this error: http://support.microsoft.com/kb/955087
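The same analysis can be scripted so the result is captured in a log file instead of being read off the WinDbg window, which is handy when you have several servers' dumps to go through. This is an added example, not code from the original post: it assumes kd.exe from the same Debugging Tools package is installed at the path in $KdPath (adjust it for your install) and uses the symbol path configured above.

```powershell
# Added example (not from the original post): run the command-line kernel debugger
# against Memory.dmp non-interactively with the post's symbol path, then pull the
# crash summary out of the log it writes.
# Assumption: kd.exe lives at $KdPath (default install path of the x86 Debugging
# Tools for Windows package); change it to match your installation.
param(
    [string]$DumpFile   = "$env:SystemRoot\Memory.dmp",
    [string]$KdPath     = 'C:\Program Files\Debugging Tools for Windows (x86)\kd.exe',
    [string]$SymbolPath = 'SRV*c:\symbols*http://msdl.microsoft.com/download/symbols',
    [string]$LogFile    = "$env:TEMP\analyze.log"
)

if (-not (Test-Path $DumpFile)) { throw "Dump file not found: $DumpFile" }
if (-not (Test-Path $KdPath))   { throw "kd.exe not found: $KdPath" }

# Step 1 of the post: make sure the local symbol cache folder exists.
New-Item -ItemType Directory -Path 'C:\symbols' -Force | Out-Null

# -y sets the symbol path, -z opens a crash dump, -logo starts a fresh log file,
# -c runs commands on startup: "!analyze -v" and then "q" to quit.
& $KdPath -y $SymbolPath -z $DumpFile -logo $LogFile -c '!analyze -v; q' | Out-Null

# Keep only the lines an admin actually googles: bugcheck string, blamed module/image
# and the "Probably caused by" verdict (fltmgr.sys in the post's case).
$summary = Select-String -Path $LogFile `
    -Pattern '^(BUGCHECK_STR|MODULE_NAME|IMAGE_NAME|FAILURE_BUCKET_ID)\s*:|^Probably caused by' |
    ForEach-Object { $_.Line.Trim() }

$summary
```

Run it from an elevated prompt so kd.exe can read Memory.dmp (the file is normally only readable by administrators). The full log in $LogFile still contains the complete "!analyze -v" output, including the stack, for when the one-line verdict is not enough.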

This is how we can analyze the dump. Please comment if you need any other help from my side.
Posted by Vijay at 23:54 Labels: How to Analyze Windows Memory Dump

Saturday, 10 December 2011

Windows Memory Dump


Hello Techies, very often we see the blue screen on Microsoft-based OSes. Basically we call this blue screen the Blue Screen Of Death (BSOD).

I have asked the question "what is BSOD?" to many guys during interviews, but usually they reply that it happens due to RAM or HDD failure, and that in this case they will simply replace either the RAM or the HDD to fix the issue on the server. So today I will give an idea about this BSOD and how to analyze this issue on the Windows platform.

-> What is BSOD?
-> The Blue Screen of Death is displayed by the Microsoft Windows family of operating systems upon encountering a critical error of a non-recoverable nature that causes the system to crash. Stop errors are hardware or driver related, causing the computer to stop responding in order to prevent damage to the hardware or data.

-> Types of memory dump?
-> There are three types of dumps created:

1. Complete Memory Dump
2. Kernel Memory Dump
3. Small Memory Dump

1. Complete Memory Dump:- A Complete Memory Dump is the largest kernel-mode dump file. This file contains all the physical and virtual memory for the machine at the time of the fault. If you select the complete memory dump option, you must have a paging file on the boot volume. The Complete Memory Dump file is written to %SystemRoot%\Memory.dmp by default. The Complete Memory Dump option is not available (by default) on computers that are running a 32-bit operating system and that have 2 gigabytes (GB) or more of RAM.

2. Kernel Memory Dump:- A Kernel Memory Dump contains all the memory in use by the kernel at the time of the crash. The dump file will be around one-third the size of the physical memory on the system. This dump will not include unallocated memory or any memory allocated to applications; it only includes memory allocated to the Windows kernel. The Kernel Memory Dump file is written to %SystemRoot%\Memory.dmp by default.

3. Small Memory Dump:- A Small Memory Dump is much smaller than the other two crash dump files. It is exactly 64 KB in size (128 KB on 64-bit systems). This kind of dump file can be useful when space is greatly limited. However, it contains very little information about the reason for the crash.

How to enable memory dump on a windows server


Here I am going to configure the memory dump on Win-7/Server 2008:

1. Right click on My Computer and click on Properties.
2. Click on the Advanced system settings option on the left side.
3. Click on the Advanced tab.
4. Click on Settings under Startup and Recovery.

Below are the screenshots.

You can configure the same from the registry as well, from the location mentioned below:

HKLM\System\CurrentControlSet\Control\CrashControl

All the things that you can configure via the GUI can be configured via the registry as well:

1. Write an event to the System Log checkbox = LogEvent
2. Automatically Restart checkbox = AutoReboot
3. Write Debugging Information drop-down = CrashDumpEnabled
4. Dump File text box = DumpFile
5. Overwrite any existing file checkbox = Overwrite

How to Crash the server manually using the keyboard


Now you have configured the memory dump on the server, and you can check as well whether it is creating the memory dump file on the server or not. Also, when you need to create a memory dump file manually after a crash, do the following to configure the same.

Using a PS/2 keyboard:

1. Start Registry Editor.
2. Locate the following registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\i8042prt\Parameters
3. On the Edit menu, click Add Value, and then add the following registry entry:
   Name: CrashOnCtrlScroll
   Data Type: REG_DWORD
   Value: 1
4. Exit Registry Editor, and then restart the computer.

Using a USB keyboard:


1. Start Registry Editor.
2. Locate the following registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kbdhid\Parameters
3. Make sure that the following registry entry is enabled:
   Name: CrashOnCtrlScroll
   Data Type: REG_DWORD
   Value: 1
4. Exit Registry Editor.

You can now generate a system memory dump by holding down the right CTRL key and pressing the SCROLL LOCK key twice (Ctrl+Scroll Lock twice).

Note: Pressing the left CTRL key does not generate the system memory dump.
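Both registry procedures above (the CrashControl values behind the Startup and Recovery dialog, and the CrashOnCtrlScroll entry for the PS/2 and USB keyboard drivers) can be audited and applied from one script, which is easier to repeat across many servers than clicking through regedit. This is an added example, not code from the original post. It assumes the CrashDumpEnabled numbers are the Windows 7 / Server 2008 ones (0 = none, 1 = complete, 2 = kernel, 3 = small), that it is run from an elevated prompt, and that a restart follows before the drivers pick up the change.

```powershell
# Added example (not from the original post): audit and set the crash-dump settings
# the post configures by hand. Assumptions: CrashDumpEnabled meanings are the
# Windows 7 / Server 2008 ones (0 = none, 1 = complete, 2 = kernel, 3 = small);
# writes need an elevated prompt and a restart before they take effect.
$CrashControl    = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'
$KeyboardDrivers = @{
    'i8042prt' = 'HKLM:\SYSTEM\CurrentControlSet\Services\i8042prt\Parameters'   # PS/2 keyboards
    'kbdhid'   = 'HKLM:\SYSTEM\CurrentControlSet\Services\kbdhid\Parameters'     # USB keyboards
}
$DumpTypes = @{ 0 = 'None'; 1 = 'Complete Memory Dump'; 2 = 'Kernel Memory Dump'; 3 = 'Small Memory Dump' }

function Get-CrashDumpConfig {
    # Map each CrashControl value back to the GUI control it corresponds to.
    $p = Get-ItemProperty -Path $CrashControl
    $type = $DumpTypes[[int]$p.CrashDumpEnabled]
    if (-not $type) { $type = "Unknown ($($p.CrashDumpEnabled))" }
    [pscustomobject]@{
        'Write an event to the System Log' = [bool]$p.LogEvent
        'Automatically restart'            = [bool]$p.AutoReboot
        'Write debugging information'      = $type
        'Dump file'                        = [Environment]::ExpandEnvironmentVariables($p.DumpFile)
        'Overwrite any existing file'      = [bool]$p.Overwrite
    }
}

function Set-CrashDumpConfig {
    # DumpType 1 = the complete dump the post analyses; 2 = kernel dump (one-third of RAM).
    param([int]$DumpType = 2, [string]$DumpFile = '%SystemRoot%\MEMORY.DMP')
    Set-ItemProperty -Path $CrashControl -Name CrashDumpEnabled -Value $DumpType -Type DWord
    Set-ItemProperty -Path $CrashControl -Name DumpFile -Value $DumpFile -Type ExpandString
    foreach ($name in 'LogEvent', 'Overwrite', 'AutoReboot') {
        Set-ItemProperty -Path $CrashControl -Name $name -Value 1 -Type DWord
    }
}

function Get-CrashOnCtrlScroll {
    # Report, per keyboard driver, whether the manual-crash hotkey is enabled.
    foreach ($driver in $KeyboardDrivers.Keys) {
        $path = $KeyboardDrivers[$driver]
        $v = (Get-ItemProperty -Path $path -Name CrashOnCtrlScroll -ErrorAction SilentlyContinue).CrashOnCtrlScroll
        [pscustomobject]@{ Driver = $driver; CrashOnCtrlScroll = ($v -eq 1) }
    }
}

function Enable-CrashOnCtrlScroll {
    foreach ($path in $KeyboardDrivers.Values) {
        # The Parameters subkey may not exist yet, so create it before writing the value.
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        Set-ItemProperty -Path $path -Name CrashOnCtrlScroll -Value 1 -Type DWord
    }
}

# Audit only by default; uncomment the last two lines to apply the post's configuration.
Get-CrashDumpConfig   | Format-List
Get-CrashOnCtrlScroll | Format-Table -AutoSize
# Set-CrashDumpConfig -DumpType 1
# Enable-CrashOnCtrlScroll
```

A dump produced with the keyboard hotkey is easy to tell apart from a real failure: "!analyze -v" reports bug check 0xE2 (MANUALLY_INITIATED_CRASH) for it, so a test dump will never be mistaken for a driver fault like the fltmgr.sys case above. Because the hotkey halts the server on purpose, keep CrashOnCtrlScroll enabled only while you are verifying the dump configuration and audit the two driver keys afterwards with Get-CrashOnCtrlScroll.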
