Using Dump Files to Analyze the Cause of a System Blue Screen (Repost)
Contents
3 Using Debugging Tools for Windows (WinDbg) to analyze dump files
3.2 Installing the latest version of WinDbg (online installation)
3.3 Configuring the symbol file path for WinDbg
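When the system crashes, at the moment of the blue screen it writes a memory dump file with the .dmp extension. The default storage location is C:\WINDOWS\Minidmp.
A. Right-click "My Computer" and choose "Properties"; in the "System Properties" dialog, select "Advanced".
B. Under "Startup and Recovery", click "Settings"; the specific settings are shown in the figure below.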
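3 Using Debugging Tools for Windows (WinDbg) to analyze dump files
WinDbg is an excellent source-level debugging tool published by Microsoft. It can be used for kernel-mode and user-mode debugging, and it can also debug dump files.
A. Download from http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=8279
B. Install .NET Framework 2.0
C. Run the winsdk_web.exe downloaded in step A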
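Setting a symbol path for WinDbg improves the accuracy of dump file analysis and gives us more useful error information.
A. Download the version you need from http://msdn.microsoft.com/en-us/windows/hardware/gg463028.aspx
B. Install the downloaded symbol files
The detailed output is as follows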
Loading Dump File [C:\Documents and Settings\test-pc\桌面\dump文件\Mini102011-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available
Symbol search path is: C:\WINDOWS\Symbols;SRV*C:\Windows\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows XP Kernel Version 2600 (Service Pack 3) MP (4 procs) Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 2600.xpsp_sp3_gdr.101209-1647
Machine Name:
Kernel base = 0x804d8000 PsLoadedModuleList = 0x8055e720
Debug session time: Thu Oct 20 14:37:16.343 2011 (UTC + 8:00)
System Uptime: 0 days 0:00:43.312
Loading Kernel Symbols
...............................................................
..........................................
Loading User Symbols
Loading unloaded module list
....
*** WARNING: Unable to verify timestamp for nv4_disp.dll
*** ERROR: Module load completed but symbols could not be loaded for nv4_disp.dll
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck 100000EA, {88a18908, 88ced810, b84fbcbc, 1}
ERROR - could not read driver name for bugcheck parameter 3
Probably caused by : nv4_disp.dll ( nv4_disp+28526 )
Followup: MachineOwner
---------
3: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
THREAD_STUCK_IN_DEVICE_DRIVER_M (100000ea)
The device driver is spinning in an infinite loop, most likely waiting for
hardware to become idle. This usually indicates problem with the hardware
itself or with the device driver programming the hardware incorrectly.
If the kernel debugger is connected and running when watchdog detects a
timeout condition then DbgBreakPoint() will be called instead of KeBugCheckEx()
and detailed message including bugcheck arguments will be printed to the
debugger. This way we can identify an offending thread, set breakpoints in it,
and hit go to return to the spinning code to debug it further. Because
KeBugCheckEx() is not called the .bugcheck directive will not return bugcheck
information in this case. The arguments are already printed out to the kernel
debugger. You can also retrieve them from a global variable via
"dd watchdog!g_WdBugCheckData l5" (use dq on NT64).
On MP machines it is possible to hit a timeout when the spinning thread is
interrupted by hardware interrupt and ISR or DPC routine is running at the time
of the bugcheck (this is because the timeout's work item can be delivered and
handled on the second CPU and the same time). If this is the case you will have
to look deeper at the offending thread's stack (e.g. using dds) to determine
spinning code which caused the timeout to occur.
Arguments:
Arg1: 88a18908, Pointer to a stuck thread object. Do .thread then kb on it to find
the hung location.
Arg2: 88ced810, Pointer to a DEFERRED_WATCHDOG object.
Arg3: b84fbcbc, Pointer to offending driver name.
Arg4: 00000001, Number of times "intercepted" bugcheck 0xEA was hit (see notes).
Debugging Details:
------------------
ERROR - could not read driver name for bugcheck parameter 3
FAULTING_THREAD: 88a18908
FAULTING_IP:
nv4_disp+28526
bd03a526 ?? ???
IMAGE_NAME: nv4_disp.dll
DEBUG_FLR_IMAGE_TIMESTAMP: 4bb7e5d1
MODULE_NAME: nv4_disp
FAULTING_MODULE: bd012000 nv4_disp
DEFAULT_BUCKET_ID: GRAPHICS_DRIVER_FAULT
CUSTOMER_CRASH_COUNT: 1
BUGCHECK_STR: 0xEA
PROCESS_NAME: csrss.exe
LAST_CONTROL_TRANSFER: from e3a33010 to bd03a526
STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
b816758c e3a33010 e3a33010 e3a33010 00000080 nv4_disp+0x28526
b8167590 e3a33010 e3a33010 00000080 bd04e0b0 0xe3a33010
b8167594 e3a33010 00000080 bd04e0b0 00000000 0xe3a33010
b8167598 00000000 bd04e0b0 00000000 00000000 0xe3a33010
STACK_COMMAND: .thread 0xffffffff88a18908 ; kb
FOLLOWUP_IP:
nv4_disp+28526
bd03a526 ?? ???
SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: nv4_disp+28526
FOLLOWUP_NAME: MachineOwner
FAILURE_BUCKET_ID: 0xEA_IMAGE_nv4_disp.dll_DATE_2010_04_04
BUCKET_ID: 0xEA_IMAGE_nv4_disp.dll_DATE_2010_04_04
Followup: MachineOwner
From the output highlighted in red, we can conclude that this blue screen was caused by the graphics card driver.
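The following Python helper is an added example, not part of the original post. It parses the !analyze -v text shown above, decodes the driver's image timestamp into a build date, and checks that the faulting address equals the module base plus the reported offset. The function name triage and the embedded sample (a subset of the output above) are assumptions of this example.

```python
import re
from datetime import datetime, timezone

# Subset of the !analyze -v output shown above, embedded so the example runs offline.
SAMPLE = """\
BugCheck 100000EA, {88a18908, 88ced810, b84fbcbc, 1}
FAULTING_IP:
nv4_disp+28526
bd03a526 ?? ???
IMAGE_NAME: nv4_disp.dll
DEBUG_FLR_IMAGE_TIMESTAMP: 4bb7e5d1
MODULE_NAME: nv4_disp
FAULTING_MODULE: bd012000 nv4_disp
DEFAULT_BUCKET_ID: GRAPHICS_DRIVER_FAULT
PROCESS_NAME: csrss.exe
FAILURE_BUCKET_ID: 0xEA_IMAGE_nv4_disp.dll_DATE_2010_04_04
"""

def triage(text):
    """Summarise one !analyze -v report and cross-check its driver attribution."""
    # Single-line "KEY: value" fields (FAULTING_IP spans lines, handled below).
    f = dict(re.findall(r"^([A-Z_]+):[ \t]+(\S.*?)[ \t]*$", text, re.M))
    bc = re.search(r"^BugCheck ([0-9A-Fa-f]+), \{([^}]*)\}", text, re.M)
    ip = re.search(
        r"^FAULTING_IP:[ \t]*\n(\w+)\+([0-9a-fA-F]+)[ \t]*\n([0-9a-fA-F]+)",
        text, re.M)
    if not (bc and ip and "FAULTING_MODULE" in f):
        raise ValueError("not a complete !analyze -v report")
    base_hex, base_mod = f["FAULTING_MODULE"].split()[:2]
    module, offset, addr = ip.group(1), int(ip.group(2), 16), int(ip.group(3), 16)
    # Image (PE header) timestamp: seconds since 1970-01-01 UTC, printed in hex.
    built = None
    if "DEBUG_FLR_IMAGE_TIMESTAMP" in f:
        ts = int(f["DEBUG_FLR_IMAGE_TIMESTAMP"], 16)
        built = datetime.fromtimestamp(ts, tz=timezone.utc).date().isoformat()
    return {
        "bugcheck": int(bc.group(1), 16),
        "args": [int(a, 16) for a in bc.group(2).split(",")],
        "image": f.get("IMAGE_NAME"),
        "process": f.get("PROCESS_NAME"),
        "bucket": f.get("DEFAULT_BUCKET_ID"),
        "driver_built": built,
        # The faulting address must equal module base + offset, in the same module.
        "ip_consistent": module == base_mod and int(base_hex, 16) + offset == addr,
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

The decoded build date matches the DATE_2010_04_04 suffix in FAILURE_BUCKET_ID, which identifies the exact driver build to compare against the vendor's release when deciding whether to update or roll back.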
--------
Reposted from: https://blog.51cto.com/lovefairy/709702