Daily Archives: November 15, 2010

Read memory dump file after a BSOD event

I decided to post about this problem since I saw many questions about this issue. There are several tools that can be used to read a memory dump like Windbg.exe or Dumpchk.exe. In this article I will explain the usage of the Windbg debugger.

First of all, what is a memory dump, and in what circumstances do we have to deal with it?

The BSOD, or “blue screen of death”, is the stop error screen of the Windows operating system. It is displayed after a fatal, non-recoverable system error that causes the system to “crash.” When the recovery option is set to write debugging information, a program called SAVEDUMP.EXE is invoked during the fatal system error and writes the entire contents of memory to the system paging file. When the system is rebooted, Windows copies the paging file to a file called MEMORY.DMP. This file can be found at this location: C:\Windows

I will use a memory minidump file for the analysis because it is smaller and easier to read: C:\Windows\Minidump

Step-by-step guide:

1.   Set Windows to create mini dump files: Control Panel -> System -> Advanced -> Startup and Recovery -> Settings -> Write debugging information -> Small memory dump.

(Screenshot: Windows Memory Dump setting)

2.   Download and install the Debugging Tools for Windows for 64-bit or 32-bit systems. Windbg is contained in this package.

3.   If you don’t have any dump files, you can use a Windows feature to create one in order to test how this all works. Open Task Manager -> select a process -> right click and press Create Dump File. It will be located in C:\Users\<your user>\AppData\Local\Temp\***.DMP

4.   Open Start -> Programs -> Debugging Tools for Windows -> Windbg. Select File -> Open Crash Dump and specify the location of your dump.

You will receive an error that no symbols have been loaded. Symbols are needed to effectively debug.

*** ERROR: Symbol file could not be found.  Defaulted to export symbols for ntdll.dll –
*** WARNING: symbols timestamp is wrong 0x4a5bdf57 0x4a5be125 for wow64cpu.dll
*** WARNING: symbols timestamp is wrong 0x4a5bdf57 0x4a5bda1b for IPHLPAPI.DLL
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for IPHLPAPI.DLL –

5.    Open File -> Symbol File Path and insert this path:

SRV*c:\symbols*http://msdl.microsoft.com/download/symbols

6.    Press Reload and restart the analysis (CTRL + SHIFT + F5).

7.    You will receive a summary of the Bugcheck Analysis; to view the details, press the !analyze -v link in the message below:

Use !analyze -v to get detailed debugging information.
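The seven steps above can be scripted so that a dump is analysed the same way every time, which is useful when you are triaging many machines. The following PowerShell is an added example written for this post, not code from the original article. It assumes an elevated PowerShell session (the registry write needs it), that the Debugging Tools for Windows are installed in the default 64-bit location of the Windows 10 SDK (`$DebuggerDir` below is that assumption), and that `C:\symbols` is the local symbol cache you want; both paths are placeholders you may need to change. It uses `cdb.exe`, the console version of the same debugger, so that `!analyze -v` can run unattended and its output lands in a log file; `windbg.exe` accepts the same `-z`, `-y` and `-c` switches if you prefer the GUI.

```powershell
# Added example, not part of the original post.
# Assumptions: elevated session; default Windows 10 SDK debugger path; C:\symbols as cache.

$CrashControl = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'
$SymbolCache  = 'C:\symbols'                                          # placeholder
$DebuggerDir  = 'C:\Program Files (x86)\Windows Kits\10\Debuggers\x64' # placeholder
$SymbolPath   = "SRV*$SymbolCache*https://msdl.microsoft.com/download/symbols"

# Step 1: "Write debugging information -> Small memory dump" is CrashDumpEnabled = 3
# (0 = none, 1 = complete, 2 = kernel, 3 = small, 7 = automatic).
function Set-SmallMemoryDump {
    Set-ItemProperty -Path $CrashControl -Name CrashDumpEnabled -Value 3 -Type DWord
    $current = (Get-ItemProperty -Path $CrashControl).CrashDumpEnabled
    Write-Host "CrashDumpEnabled is now $current (3 = small memory dump)"
}

# Steps 3 and 4: locate candidate dumps in the places the post mentions.
function Get-DumpFiles {
    $places = @(
        "$env:SystemRoot\Minidump",        # BSOD minidumps
        "$env:SystemRoot\MEMORY.DMP",      # full/kernel dump
        "$env:LOCALAPPDATA\Temp"           # Task Manager "Create Dump File" output
    )
    Get-ChildItem -Path $places -Filter *.dmp -File -ErrorAction SilentlyContinue |
        Sort-Object LastWriteTime -Descending
}

# Steps 4 to 7: open the dump, set the symbol path, reload symbols and run !analyze -v.
# -z  dump file to open          -y  symbol path (step 5)
# -c  commands run at startup    -logo  write the whole session to a log file
function Invoke-DumpAnalysis {
    param(
        [Parameter(Mandatory)][string]$DumpFile,
        [string]$LogFile = "$DumpFile.analysis.txt"
    )
    $cdb = Join-Path $DebuggerDir 'cdb.exe'
    if (-not (Test-Path $cdb)) { throw "cdb.exe not found at $cdb; adjust `$DebuggerDir" }

    & $cdb -z $DumpFile -y $SymbolPath -logo $LogFile -c '.reload; !analyze -v; q' | Out-Null

    # Pull out the lines a responder looks at first: bugcheck code, faulting module and bucket.
    Select-String -Path $LogFile -Pattern '^(BUGCHECK_CODE|BUGCHECK_STR|PROCESS_NAME|MODULE_NAME|IMAGE_NAME|SYMBOL_NAME|FAILURE_BUCKET_ID):' |
        ForEach-Object { $_.Line }
    Write-Host "Full !analyze -v output saved to $LogFile"
}

# Usage: configure once, then analyse the newest dump on the machine.
Set-SmallMemoryDump
$latest = Get-DumpFiles | Select-Object -First 1
if ($latest) { Invoke-DumpAnalysis -DumpFile $latest.FullName } else { Write-Host 'No dump files found' }
```

The `.reload` in the `-c` string is the command-line equivalent of pressing Reload in step 6, and `q` closes the debugger once `!analyze -v` has finished so the script does not hang waiting for input. The first run against a new dump is slow because every module's symbols are fetched from the Microsoft symbol server into `$SymbolCache`; later runs reuse the cache. A Task Manager dump of a healthy process has no crash to analyse, so for such a file expect `!analyze -v` to report a benign break rather than a bugcheck; the BSOD minidumps under `C:\Windows\Minidump` are the ones that produce a `BUGCHECK` line and a `FAILURE_BUCKET_ID`.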