I decided to write about this topic since I have seen many questions about it. Several tools can read a memory dump, such as Windbg.exe or Dumpchk.exe. In this article I will explain how to use the Windbg debugger.
First of all, what is a memory dump, and in what circumstances do we have to deal with one?
The BSOD, or "blue screen of death", is the stop error screen of the Windows operating system. It appears when the kernel hits a fatal, non-recoverable error (a bug check) and the system "crashes". When the recovery option is set to write debugging information, the kernel writes the contents of memory (how much depends on the dump type selected) to the system paging file at the moment of the crash. On the next reboot Windows copies that data out of the paging file into a file called MEMORY.DMP; on older versions of Windows this copy is done by a program called SAVEDUMP.EXE. The file can be found under C:\Windows.
I will use a minidump file for the analysis because it is smaller and easier to read. Minidumps are written to C:\Windows\Minidump.
- Set Windows to create minidump files: Control Panel -> System -> Advanced -> Startup and Recovery -> Settings -> Write debugging information -> Small memory dump.
3. If you don't have any dump files, you can use a Windows feature to create one in order to test how this all works. Open Task Manager -> select a process -> right-click and choose Create Dump File. The file (named after the process) will be located in C:\Users\<your user>\AppData\Local\Temp\*.DMP. Note that this is a user-mode dump of a single process, not a kernel crash dump: Windbg opens it the same way, but the analysis will describe the state of that process rather than a bugcheck.
4. Open Start -> Programs -> Debugging Tools for Windows -> Windbg. Select File -> Open Crash Dump and specify the location of your dump.
You will receive an error that no symbols have been loaded. Symbols map the addresses in the dump back to function and variable names, so they are needed to debug effectively:
*** ERROR: Symbol file could not be found. Defaulted to export symbols for ntdll.dll -
*** WARNING: symbols timestamp is wrong 0x4a5bdf57 0x4a5be125 for wow64cpu.dll
*** WARNING: symbols timestamp is wrong 0x4a5bdf57 0x4a5bda1b for IPHLPAPI.DLL
*** ERROR: Symbol file could not be found. Defaulted to export symbols for IPHLPAPI.DLL -
5. Open File -> Symbol File Path and insert this path:
6. Press Reload and restart the analysis (CTRL + SHIFT + F5).
7. You will receive a summary of the Bugcheck Analysis; to view the details, click the !analyze -v link in the message below:
Use !analyze -v to get detailed debugging information.
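The same procedure can be run from the command line, which is useful when you have a folder of minidumps to triage rather than one. The following PowerShell script is an added example, not code from the original article: it enables the "Small memory dump" setting through the CrashControl registry key (the same setting the Startup and Recovery dialog writes), sets the symbol path using the Microsoft public symbol server syntax that Windbg accepts in File -> Symbol File Path, and then runs .reload and !analyze -v against every minidump with cdb.exe, the console front end for the same debugger engine as Windbg. The cdb.exe install path and the C:\symbols cache directory are assumptions; adjust them for your machine.

```powershell
# Added example (not part of the original article). Assumptions: Debugging Tools
# for Windows are installed under the Windows 10 SDK default path below, and
# C:\symbols is writable as a local symbol cache. Run from an elevated prompt.

# 1. Configure "Small memory dump". CrashDumpEnabled: 1 = complete, 2 = kernel,
#    3 = small memory dump (minidump), 7 = automatic. Windows reads this at boot,
#    and minidumps are written to %SystemRoot%\Minidump.
$crashCtl = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'
Set-ItemProperty -Path $crashCtl -Name CrashDumpEnabled -Value 3 -Type DWord

# 2. Symbol path, same syntax as typed into File -> Symbol File Path in Windbg:
#    srv*<local cache>*<symbol server>. The debugger reads it from this variable.
$env:_NT_SYMBOL_PATH = 'srv*C:\symbols*https://msdl.microsoft.com/download/symbols'

# 3. Triage every minidump with cdb.exe: -z opens a crash dump, -logo writes the
#    session log to a file, -c runs the given debugger commands on startup.
$cdb   = 'C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\cdb.exe'   # assumed path
$dumps = Get-ChildItem -Path "$env:SystemRoot\Minidump" -Filter *.dmp -ErrorAction SilentlyContinue

foreach ($dump in $dumps) {
    $log = Join-Path $env:TEMP ($dump.BaseName + '.analyze.txt')

    # .reload fetches symbols for every loaded module (what the Reload button does),
    # !analyze -v prints the Bugcheck Analysis, q quits so the loop can continue.
    & $cdb -z $dump.FullName -logo $log -c '.reload; !analyze -v; q' | Out-Null

    # Pull out the lines a responder looks at first. BUGCHECK_* and PROCESS_NAME
    # appear for kernel dumps; EXCEPTION_CODE appears for user-mode dumps such as
    # the ones Task Manager creates.
    $fields = Select-String -Path $log -Pattern '^(BUGCHECK_CODE|BUGCHECK_STR|EXCEPTION_CODE|PROCESS_NAME|MODULE_NAME|IMAGE_NAME|FAILURE_BUCKET_ID):'

    [PSCustomObject]@{
        Dump    = $dump.Name
        Written = $dump.LastWriteTime
        Log     = $log
        Summary = ($fields.Line -join '; ')
    }
}
```

FAILURE_BUCKET_ID is the field worth grouping on when many dumps come from one fleet: dumps with the same bucket are almost always the same bug, so one full !analyze -v reading per bucket is enough, and the full output for each dump is kept in the log file for when it is needed.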