Minidump Analysis
Turn On Minidumps
If you haven't already turned on minidumps, go to the Control Panel and follow these steps:
- System Icon
- Advanced Tab
- Startup and Recovery -> Settings
- Enable Write an Event to the system log
- Disable Automatically Restart
- Select the following debugging information:
  * Small memory dump (64 Kb)
  * Small Dump Directory : %SystemRoot%\Minidump
- Confirm all and restart the computer.
Crash It
Do whatever to make it crash.
Install Tools
If you haven't got the Windows debugging tools installed, then install the Microsoft Debugging Tools.
Analyse The MiniDump
To extract useful information out of the minidump file created:
- Open a command prompt (Start -> Run -> "cmd")
- cd \program files\debugging tools (Or wherever they are installed to)
- kd -z C:\WINDOWS\Minidump\Mini???????-??.dmp
    .logopen debuglog.txt
    .sympath srv*c:\symbols*http://msdl.microsoft.com/download/symbols
    .reload;!analyze -v;r;kv;lmnt;.logclose;q
- You now have a debuglog.txt in c:\, open it in a text editor (Notepad?).
Post Mortem
Look for the MODULE_NAME and IMAGE_NAME headings. This is the program that caused the error. Sometimes, when it's a device driver, it means that the device is causing the BSOD, and disabling the device or updating its driver will make your system run stable. If you don't know what device that name relates to, then Google it.
Example
This is an actual debuglog.txt. The line PROCESS_NAME: java.exe is what clued me in to where the problem was on this particular problem. Using the program procexp, I was able to find what directory the only running java.exe process was in, kill it and delete the program file. This particular problem was related to a product called Cyclone Activator.
Opened log file 'c:\debuglog.txt'
kd> .reload;!analyze -v;r;kv;lmnt;.logclose;q
Loading Kernel Symbols
....................................................................................................
Loading User Symbols
Loading unloaded module list
..................
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
KERNEL_MODE_EXCEPTION_NOT_HANDLED_M (1000008e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Some common problems are exception code 0x80000003. This means a hard
coded breakpoint or assertion was hit, but this system was booted
/NODEBUG. This is not supposed to happen as developers should never have
hardcoded breakpoints in retail code, but ...
If this happens, make sure a debugger gets connected, and the
system is booted /DEBUG. This will let us see why this breakpoint is
happening.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: 81e76731, The address that the exception occurred at
Arg3: f3a57c3c, Trap Frame
Arg4: 00000000
Debugging Details:
------------------
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".
FAULTING_IP:
+ffffffff81e76731
81e76731 f3a7 repe cmps dword ptr [esi],dword ptr es:[edi]
TRAP_FRAME: f3a57c3c -- (.trap 0xfffffffff3a57c3c)
.trap 0xfffffffff3a57c3c
ErrCode = 00000000
eax=00000000 ebx=5edad000 ecx=00000002 edx=00000004 esi=5edad000 edi=81e766fc
eip=81e76731 esp=f3a57cb0 ebp=f3a57cd8 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010246
81e76731 f3a7 repe cmps dword ptr [esi],dword ptr es:[edi]
.trap
Resetting default scope
CUSTOMER_CRASH_COUNT: 3
DEFAULT_BUCKET_ID: DRIVER_FAULT
BUGCHECK_STR: 0x8E
PROCESS_NAME: java.exe
LAST_CONTROL_TRANSFER: from 81e7689c to 81e76731
STACK_TEXT:
WARNING: Frame IP not in any known module. Following frames may be wrong.
f3a57cd8 81e7689c 81e76add 821bb620 81ccb1b8 0x81e76731
f3a57dac 8057dfed 00000000 00000000 00000000 0x81e7689c
f3a57ddc 804fa477 81e76b42 00000000 00000000 nt!PspSystemThreadStartup+0x34
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16
STACK_COMMAND: .trap 0xfffffffff3a57c3c ; kb
SYMBOL_NAME: ANALYSIS_INCONCLUSIVE
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: Unknown_Module
IMAGE_NAME: Unknown_Image
DEBUG_FLR_IMAGE_TIMESTAMP: 0
FAILURE_BUCKET_ID: 0x8E_ANALYSIS_INCONCLUSIVE
BUCKET_ID: 0x8E_ANALYSIS_INCONCLUSIVE
Followup: MachineOwner
---------
eax=00000000 ebx=5edad000 ecx=00000002 edx=00000004 esi=5edad000 edi=81e766fc
eip=81e76731 esp=f3a57cb0 ebp=f3a57cd8 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010246
81e76731 f3a7 repe cmps dword ptr [esi],dword ptr es:[edi]
ChildEBP RetAddr Args to Child
WARNING: Frame IP not in any known module. Following frames may be wrong.
f3a57cd8 81e7689c 81e76add 821bb620 81ccb1b8 0x81e76731
f3a57dac 8057dfed 00000000 00000000 00000000 0x81e7689c
f3a57ddc 804fa477 81e76b42 00000000 00000000 nt!PspSystemThreadStartup+0x34 (FPO: [Non-Fpo])
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16
start end module name
804d7000 806eb780 nt ntoskrnl.exe Wed Aug 04 01:19:48 2004 (41108004)
806ec000 806ffd80 hal halacpi.dll Wed Aug 04 00:59:04 2004 (41107B28)
bf800000 bf9c0380 win32k win32k.sys Wed Aug 04 01:17:30 2004 (41107F7A)
bf9c1000 bf9d2580 dxg dxg.sys Wed Aug 04 01:00:51 2004 (41107B93)
bf9d3000 bfa7e940 i81xdnt5 i81xdnt5.dll Wed Aug 04 02:56:07 2004 (41109697)
f3478000 f34ca180 srv srv.sys Wed Aug 04 01:14:44 2004 (41107ED4)
f374b000 f3777400 mrxdav mrxdav.sys Wed Aug 04 01:00:49 2004 (41107B91)
f3b80000 f3b97480 dump_atapi dump_atapi.sys Wed Aug 04 00:59:41 2004 (41107B4D)
f3b98000 f3bbb000 Fastfat Fastfat.SYS Wed Aug 04 01:14:15 2004 (41107EB7)
f3bbb000 f3c83a60 avg7core avg7core.sys Wed Oct 10 11:23:39 2007 (470CFC8B)
f3cac000 f3cccf00 ipnat ipnat.sys Wed Aug 04 01:04:48 2004 (41107C80)
f3ccd000 f3d3b380 mrxsmb mrxsmb.sys Wed Aug 04 01:15:14 2004 (41107EF2)
f3d3c000 f3d67180 rdbss rdbss.sys Wed Aug 04 01:20:05 2004 (41108015)
f3d68000 f3d89d00 afd afd.sys Wed Aug 04 01:14:13 2004 (41107EB5)
f3d8a000 f3db1c00 netbt netbt.sys Wed Aug 04 01:14:36 2004 (41107ECC)
f3db2000 f3e09a80 tcpip tcpip.sys Wed Aug 04 01:14:39 2004 (41107ECF)
f3e0a000 f3e1c400 ipsec ipsec.sys Wed Aug 04 01:14:27 2004 (41107EC3)
f7f91000 f7f93900 Dxapi Dxapi.sys Fri Aug 17 15:53:19 2001 (3B7D843F)
f7fad000 f7fe0200 update update.sys Wed Aug 04 00:58:32 2004 (41107B08)
f7fe1000 f8011100 rdpdr rdpdr.sys Wed Aug 04 01:01:10 2004 (41107BA6)
f8012000 f8022e00 psched psched.sys Wed Aug 04 01:04:16 2004 (41107C60)
f8023000 f8039680 ndiswan ndiswan.sys Wed Aug 04 01:14:30 2004 (41107EC6)
f803a000 f805ce80 USBPORT USBPORT.SYS Wed Aug 04 01:08:34 2004 (41107D62)
f805d000 f807f680 ks ks.sys Wed Aug 04 01:15:20 2004 (41107EF8)
f8080000 f8093900 parport parport.sys Wed Aug 04 00:59:04 2004 (41107B28)
f8094000 f80a4400 el90xbc5 el90xbc5.sys Mon Jul 16 18:40:19 2001 (3B537B63)
f80a5000 f80b8780 VIDEOPRT VIDEOPRT.SYS Wed Aug 04 01:07:04 2004 (41107D08)
f80b9000 f80e04c0 i81xnt5 i81xnt5.sys Mon Mar 29 17:27:48 2004 (4068A2E4)
f80e5000 f80e7280 rasacd rasacd.sys Fri Aug 17 15:55:39 2001 (3B7D84CB)
f835d000 f8377580 Mup Mup.sys Wed Aug 04 01:15:20 2004 (41107EF8)
f8378000 f83a4a80 NDIS NDIS.sys Wed Aug 04 01:14:27 2004 (41107EC3)
f83a5000 f8431480 Ntfs Ntfs.sys Wed Aug 04 01:15:06 2004 (41107EEA)
f8432000 f8448780 KSecDD KSecDD.sys Wed Aug 04 00:59:45 2004 (41107B51)
f8449000 f845af00 sr sr.sys Wed Aug 04 01:06:22 2004 (41107CDE)
f845b000 f8479780 fltmgr fltmgr.sys Wed Aug 04 01:01:17 2004 (41107BAD)
f847a000 f8491480 atapi atapi.sys Wed Aug 04 00:59:41 2004 (41107B4D)
f8492000 f84b7700 dmio dmio.sys Wed Aug 04 01:07:13 2004 (41107D11)
f84b8000 f84d6880 ftdisk ftdisk.sys Fri Aug 17 15:52:41 2001 (3B7D8419)
f84d7000 f84e7a80 pci pci.sys Wed Aug 04 01:07:45 2004 (41107D31)
f84e8000 f8515d80 ACPI ACPI.sys Wed Aug 04 01:07:35 2004 (41107D27)
f8537000 f853fc00 isapnp isapnp.sys Fri Aug 17 15:58:01 2001 (3B7D8559)
f8547000 f8551500 MountMgr MountMgr.sys Wed Aug 04 00:58:29 2004 (41107B05)
f8557000 f8563c80 VolSnap VolSnap.sys Wed Aug 04 01:00:14 2004 (41107B6E)
f8567000 f856fe00 disk disk.sys Wed Aug 04 00:59:53 2004 (41107B59)
f8577000 f8583200 CLASSPNP CLASSPNP.SYS Wed Aug 04 01:14:26 2004 (41107EC2)
f8657000 f8661600 p3 p3.sys Wed Aug 04 00:59:18 2004 (41107B36)
f8667000 f8673e00 i8042prt i8042prt.sys Wed Aug 04 01:14:36 2004 (41107ECC)
f8677000 f8686d80 serial serial.sys Wed Aug 04 01:15:51 2004 (41107F17)
f8687000 f8693180 cdrom cdrom.sys Wed Aug 04 00:59:52 2004 (41107B58)
f8697000 f86a5080 redbook redbook.sys Wed Aug 04 00:59:34 2004 (41107B46)
f86a7000 f86b3880 rasl2tp rasl2tp.sys Wed Aug 04 01:14:21 2004 (41107EBD)
f86b7000 f86c1200 raspppoe raspppoe.sys Wed Aug 04 01:05:06 2004 (41107C92)
f86c7000 f86d2d00 raspptp raspptp.sys Wed Aug 04 01:14:26 2004 (41107EC2)
f86d7000 f86df900 msgpc msgpc.sys Wed Aug 04 01:04:11 2004 (41107C5B)
f86e7000 f86f0f00 termdd termdd.sys Wed Aug 04 00:58:52 2004 (41107B1C)
f86f7000 f8705100 usbhub usbhub.sys Wed Aug 04 01:08:40 2004 (41107D68)
f8707000 f8710480 NDProxy NDProxy.SYS Fri Aug 17 15:55:30 2001 (3B7D84C2)
f8747000 f874f700 netbios netbios.sys Wed Aug 04 01:03:19 2004 (41107C27)
f8767000 f876f880 Fips Fips.SYS Fri Aug 17 20:31:49 2001 (3B7DC585)
f8777000 f877f700 wanarp wanarp.sys Wed Aug 04 01:04:57 2004 (41107C89)
f87b7000 f87bd200 PCIIDEX PCIIDEX.SYS Wed Aug 04 00:59:40 2004 (41107B4C)
f87bf000 f87c3900 PartMgr PartMgr.sys Fri Aug 17 20:32:23 2001 (3B7DC5A7)
f8847000 f8848000 fdc fdc.sys unavailable (00000000)
f884f000 f8855000 kbdclass kbdclass.sys Wed Aug 04 00:58:32 2004 (41107B08)
f8857000 f885ca00 mouclass mouclass.sys Wed Aug 04 00:58:32 2004 (41107B08)
f885f000 f8864000 usbuhci usbuhci.sys Wed Aug 04 01:08:34 2004 (41107D62)
f8867000 f886b880 TDI TDI.SYS Wed Aug 04 01:07:47 2004 (41107D33)
f886f000 f8873580 ptilink ptilink.sys Fri Aug 17 15:49:53 2001 (3B7D8371)
f8877000 f887b080 raspti raspti.sys Fri Aug 17 15:55:32 2001 (3B7D84C4)
f88b7000 f88bc000 flpydisk flpydisk.sys Wed Aug 04 00:59:24 2004 (41107B3C)
f88c7000 f88cd180 HIDPARSE HIDPARSE.SYS Wed Aug 04 01:08:15 2004 (41107D4F)
f88cf000 f88d4200 vga vga.sys Wed Aug 04 01:07:06 2004 (41107D0A)
f88d7000 f88dba80 Msfs Msfs.SYS Wed Aug 04 01:00:37 2004 (41107B85)
f88df000 f88e6880 Npfs Npfs.SYS Wed Aug 04 01:00:38 2004 (41107B86)
f88f7000 f88fdc80 avg7rsxp avg7rsxp.sys Tue Jan 30 09:08:42 2007 (45BF5F7A)
f88ff000 f8905500 usbprint usbprint.sys Wed Aug 04 01:01:23 2004 (41107BB3)
f890f000 f8913500 watchdog watchdog.sys Wed Aug 04 01:07:32 2004 (41107D24)
f8947000 f894a000 BOOTVID BOOTVID.dll Fri Aug 17 15:49:09 2001 (3B7D8345)
f89e3000 f89e6c80 serenum serenum.sys Wed Aug 04 00:59:06 2004 (41107B2A)
f89eb000 f89ed580 ndistapi ndistapi.sys Fri Aug 17 15:55:29 2001 (3B7D84C1)
f8a0b000 f8a0ec80 mssmbios mssmbios.sys Wed Aug 04 01:07:47 2004 (41107D33)
f8a37000 f8a38b80 kdcom kdcom.dll Fri Aug 17 15:49:10 2001 (3B7D8346)
f8a39000 f8a3a100 WMILIB WMILIB.SYS Fri Aug 17 16:07:23 2001 (3B7D878B)
f8a3b000 f8a3c580 intelide intelide.sys Wed Aug 04 00:59:40 2004 (41107B4C)
f8a3d000 f8a3e700 dmload dmload.sys Fri Aug 17 15:58:15 2001 (3B7D8567)
f8a55000 f8a56280 vncdrv vncdrv.sys Sat Jun 26 06:22:17 2004 (40DD5C69)
f8a5d000 f8a5e100 swenum swenum.sys Wed Aug 04 00:58:41 2004 (41107B11)
f8a5f000 f8a60280 USBD USBD.SYS Fri Aug 17 16:02:58 2001 (3B7D8682)
f8a61000 f8a62f00 Fs_Rec Fs_Rec.SYS Fri Aug 17 15:49:37 2001 (3B7D8361)
f8a63000 f8a64080 Beep Beep.SYS Fri Aug 17 15:47:33 2001 (3B7D82E5)
f8a65000 f8a66080 mnmdd mnmdd.SYS Fri Aug 17 15:57:28 2001 (3B7D8538)
f8a67000 f8a68080 RDPCDD RDPCDD.sys Fri Aug 17 15:46:56 2001 (3B7D82C0)
f8a69000 f8a6a080 avg7rsw avg7rsw.sys Tue Jul 26 07:10:51 2005 (42E6284B)
f8a6b000 f8a6c100 dump_WMILIB dump_WMILIB.SYS Fri Aug 17 16:07:23 2001 (3B7D878B)
f8a75000 f8a76360 avgtdi avgtdi.sys Thu Aug 25 04:59:58 2005 (430D969E)
f8a8f000 f8a90780 vnccom vnccom.SYS Sat Jun 26 06:22:24 2004 (40DD5C70)
f8add000 f8adea80 ParVdm ParVdm.SYS Fri Aug 17 15:49:49 2001 (3B7D836D)
f8b63000 f8b63c00 audstub audstub.sys Fri Aug 17 15:59:40 2001 (3B7D85BC)
f8bba000 f8bbab80 Null Null.SYS Fri Aug 17 15:47:39 2001 (3B7D82EB)
f8bbb000 f8bbc000 avgclean avgclean.sys Mon Dec 03 06:09:01 2007 (4753F1DD)
f8bf9000 f8bf9d00 dxgthk dxgthk.sys Fri Aug 17 15:53:12 2001 (3B7D8438)
Unloaded modules:
f80f1000 f80f5000 wADV01nt.sys
Timestamp: unavailable (00000000)
Checksum: 00000000
f80f5000 f80f8000 wADV02NT.sys
Timestamp: unavailable (00000000)
Checksum: 00000000
f80f9000 f80fc000 wADV05NT.sys
Timestamp: unavailable (00000000)
Checksum: 00000000
f80fd000 f8100000 wSiINTxx.sys
Timestamp: unavailable (00000000)
Checksum: 00000000
f88af000 f88b4000 wVchNTxx.sys
Timestamp: unavailable (00000000)
Checksum: 00000000
f88a7000 f88af000 wATV01nt.sys
Timestamp: unavailable (00000000)
Checksum: 00000000
f889f000 f88a4000 wATV02NT.sys
Timestamp: unavailable (00000000)
Checksum: 00000000
f8727000 f8730000 wATV04nt.sys
Timestamp: unavailable (00000000)
Checksum: 00000000
f8897000 f889d000 wCh7xxNT.sys
Timestamp: unavailable (00000000)
Checksum: 00000000
f888f000 f8895000 wATV06nt.sys
Timestamp: unavailable (00000000)
Checksum: 00000000
f8101000 f8104000 wADV07nt.sys
Timestamp: unavailable (00000000)
Checksum: 00000000
f8105000 f8108000 wADV08nt.sys
Timestamp: unavailable (00000000)
Checksum: 00000000
f8a33000 f8a36000 wADV09nt.sys
Timestamp: unavailable (00000000)
Checksum: 00000000
f8887000 f888e000 wATV10nt.sys
Timestamp: unavailable (00000000)
Checksum: 00000000
f8757000 f8762000 Imapi.SYS
Timestamp: unavailable (00000000)
Checksum: 00000000
f80e9000 f80ed000 kbdhid.sys
Timestamp: unavailable (00000000)
Checksum: 00000000
f88bf000 f88c4000 Cdaudio.SYS
Timestamp: unavailable (00000000)
Checksum: 00000000
f80ed000 f80f0000 Sfloppy.SYS
Timestamp: unavailable (00000000)
Checksum: 00000000
Closing open log file c:\debuglog.txt
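The Post Mortem step can be scripted. The Python below is an added example, not part of the original page: it pulls the headline fields out of a debuglog.txt and checks whether the faulting address falls inside any image listed by lmnt. The sample text is an abbreviated excerpt of the log above, and the regular expressions assume the 32-bit, space-separated layout shown on this page.

```python
import re

# Abbreviated excerpt of the debuglog.txt shown above (module list cut to three rows).
SAMPLE_LOG = """\
FAULTING_IP:
+ffffffff81e76731
81e76731 f3a7 repe cmps dword ptr [esi],dword ptr es:[edi]
BUGCHECK_STR: 0x8E
PROCESS_NAME: java.exe
MODULE_NAME: Unknown_Module
IMAGE_NAME: Unknown_Image
start end module name
804d7000 806eb780 nt ntoskrnl.exe Wed Aug 04 01:19:48 2004 (41108004)
f3bbb000 f3c83a60 avg7core avg7core.sys Wed Oct 10 11:23:39 2007 (470CFC8B)
f8847000 f8848000 fdc fdc.sys unavailable (00000000)
Unloaded modules:
f80f1000 f80f5000 wADV01nt.sys
"""

FIELDS = ("BUGCHECK_STR", "PROCESS_NAME", "MODULE_NAME", "IMAGE_NAME")
FIELD_RE = re.compile(r"^(%s):[ \t]*(\S.*?)[ \t]*$" % "|".join(FIELDS), re.M)
# The disassembly line two lines below FAULTING_IP starts with the address.
FAULT_RE = re.compile(r"^FAULTING_IP:[ \t]*\n.*\n([0-9a-f]{8})[ \t]", re.M)
# lmnt row: start, end, module, image, then a timestamp ending in "(hex)".
MODULE_RE = re.compile(
    r"^([0-9a-f]{8})[ \t]+([0-9a-f]{8})[ \t]+(\S+)[ \t]+(\S+)[ \t].*\([0-9A-Fa-f]{8}\)[ \t]*$",
    re.M,
)


def triage(log_text):
    """Return the headline fields, the faulting IP and the image that contains it."""
    report = dict.fromkeys(FIELDS)
    report.update(FIELD_RE.findall(log_text))
    match = FAULT_RE.search(log_text)
    ip = int(match.group(1), 16) if match else None
    owner = None
    if ip is not None:
        for start, end, _module, image in MODULE_RE.findall(log_text):
            if int(start, 16) <= ip < int(end, 16):
                owner = image  # loaded image whose range covers the address
                break
    report["faulting_ip"] = ip
    report["owner"] = owner
    return report


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        shown = hex(value) if isinstance(value, int) else value
        print(f"{key}: {shown}")
```

For the log above, owner comes back as None: the faulting address is not inside any loaded image, which matches the "Frame IP not in any known module" warning and explains why MODULE_NAME reads Unknown_Module and PROCESS_NAME was the usable lead.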