Minidump Analysis

From My Notepad

Source article

Turn On Minidumps

If you haven't already turned on minidumps, go to the Control Panel and follow these steps:

  1. System Icon
  2. Advanced Tab
  3. Startup and Recovery -> Settings
  4. Enable Write an Event to the system log
  5. Disable Automatically Restart
  6. Select the following debugging information:
    * Small memory dump (64 Kb)
    * Small Dump Directory : %SystemRoot%\Minidump
  7. Confirm all and restart the computer.

Crash It

Do whatever to make it crash.

Install Tools

If you haven't got the Windows debugging tools installed, then install the Microsoft Debugging Tools.

Analyse The MiniDump

To extract useful information out of the minidump file created:

  1. Open a command prompt (Start -> Run -> "cmd")
  2. cd \program files\debugging tools (Or wherever they are installed to)
  3. kd -z C:\WINDOWS\Minidump\Mini???????-??.dmp
    .logopen debuglog.txt
    .sympath srv*c:\symbols*http://msdl.microsoft.com/download/symbols
    .reload;!analyze -v;r;kv;lmnt;.logclose;q
  4. You now have a debuglog.txt in c:\; open it in a text editor (Notepad?).

Post Mortem

Look for the MODULE_NAME and IMAGE_NAME headings. These name the program that caused the error. Sometimes, when it's a device driver, it means that device is causing the BSOD, and by disabling it or updating the driver your system will run stable. If you don't know what device the name relates to, Google it.

Example

This is an actual debuglog.txt. The line PROCESS_NAME: java.exe is what clued me in to where the problem was in this particular case. Using the program procexp, I was able to find what directory the only running java.exe process was in, kill it and delete the program file. This particular problem was related to a product called Cyclone Activator.

Opened log file 'c:\debuglog.txt'
kd> .reload;!analyze -v;r;kv;lmnt;.logclose;q 
Loading Kernel Symbols
....................................................................................................
Loading User Symbols
Loading unloaded module list
..................
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************
KERNEL_MODE_EXCEPTION_NOT_HANDLED_M (1000008e)
This is a very common bugcheck.  Usually the exception address pinpoints
the driver/function that caused the problem.  Always note this address
as well as the link date of the driver/image that contains this address.
Some common problems are exception code 0x80000003.  This means a hard
coded breakpoint or assertion was hit, but this system was booted
/NODEBUG.  This is not supposed to happen as developers should never have
hardcoded breakpoints in retail code, but ...
If this happens, make sure a debugger gets connected, and the
system is booted /DEBUG.  This will let us see why this breakpoint is
happening.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: 81e76731, The address that the exception occurred at
Arg3: f3a57c3c, Trap Frame
Arg4: 00000000

Debugging Details:
------------------


EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".

FAULTING_IP: 
+ffffffff81e76731
81e76731 f3a7            repe cmps dword ptr [esi],dword ptr es:[edi]

TRAP_FRAME:  f3a57c3c -- (.trap 0xfffffffff3a57c3c)
.trap 0xfffffffff3a57c3c
ErrCode = 00000000
eax=00000000 ebx=5edad000 ecx=00000002 edx=00000004 esi=5edad000 edi=81e766fc
eip=81e76731 esp=f3a57cb0 ebp=f3a57cd8 iopl=0         nv up ei pl zr na pe nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010246
81e76731 f3a7            repe cmps dword ptr [esi],dword ptr es:[edi]
.trap
Resetting default scope

CUSTOMER_CRASH_COUNT:  3

DEFAULT_BUCKET_ID:  DRIVER_FAULT

BUGCHECK_STR:  0x8E

PROCESS_NAME:  java.exe

LAST_CONTROL_TRANSFER:  from 81e7689c to 81e76731

STACK_TEXT:  
WARNING: Frame IP not in any known module. Following frames may be wrong.
f3a57cd8 81e7689c 81e76add 821bb620 81ccb1b8 0x81e76731
f3a57dac 8057dfed 00000000 00000000 00000000 0x81e7689c
f3a57ddc 804fa477 81e76b42 00000000 00000000 nt!PspSystemThreadStartup+0x34
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16


STACK_COMMAND:  .trap 0xfffffffff3a57c3c ; kb

SYMBOL_NAME:  ANALYSIS_INCONCLUSIVE

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: Unknown_Module

IMAGE_NAME:  Unknown_Image

DEBUG_FLR_IMAGE_TIMESTAMP:  0

FAILURE_BUCKET_ID:  0x8E_ANALYSIS_INCONCLUSIVE

BUCKET_ID:  0x8E_ANALYSIS_INCONCLUSIVE

Followup: MachineOwner
---------

eax=00000000 ebx=5edad000 ecx=00000002 edx=00000004 esi=5edad000 edi=81e766fc
eip=81e76731 esp=f3a57cb0 ebp=f3a57cd8 iopl=0         nv up ei pl zr na pe nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010246
81e76731 f3a7            repe cmps dword ptr [esi],dword ptr es:[edi]
ChildEBP RetAddr  Args to Child              
WARNING: Frame IP not in any known module. Following frames may be wrong.
f3a57cd8 81e7689c 81e76add 821bb620 81ccb1b8 0x81e76731
f3a57dac 8057dfed 00000000 00000000 00000000 0x81e7689c
f3a57ddc 804fa477 81e76b42 00000000 00000000 nt!PspSystemThreadStartup+0x34 (FPO: [Non-Fpo])
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16
start    end        module name
804d7000 806eb780   nt       ntoskrnl.exe Wed Aug 04 01:19:48 2004 (41108004)
806ec000 806ffd80   hal      halacpi.dll  Wed Aug 04 00:59:04 2004 (41107B28)
bf800000 bf9c0380   win32k   win32k.sys   Wed Aug 04 01:17:30 2004 (41107F7A)
bf9c1000 bf9d2580   dxg      dxg.sys      Wed Aug 04 01:00:51 2004 (41107B93)
bf9d3000 bfa7e940   i81xdnt5 i81xdnt5.dll Wed Aug 04 02:56:07 2004 (41109697)
f3478000 f34ca180   srv      srv.sys      Wed Aug 04 01:14:44 2004 (41107ED4)
f374b000 f3777400   mrxdav   mrxdav.sys   Wed Aug 04 01:00:49 2004 (41107B91)
f3b80000 f3b97480   dump_atapi dump_atapi.sys Wed Aug 04 00:59:41 2004 (41107B4D)
f3b98000 f3bbb000   Fastfat  Fastfat.SYS  Wed Aug 04 01:14:15 2004 (41107EB7)
f3bbb000 f3c83a60   avg7core avg7core.sys Wed Oct 10 11:23:39 2007 (470CFC8B)
f3cac000 f3cccf00   ipnat    ipnat.sys    Wed Aug 04 01:04:48 2004 (41107C80)
f3ccd000 f3d3b380   mrxsmb   mrxsmb.sys   Wed Aug 04 01:15:14 2004 (41107EF2)
f3d3c000 f3d67180   rdbss    rdbss.sys    Wed Aug 04 01:20:05 2004 (41108015)
f3d68000 f3d89d00   afd      afd.sys      Wed Aug 04 01:14:13 2004 (41107EB5)
f3d8a000 f3db1c00   netbt    netbt.sys    Wed Aug 04 01:14:36 2004 (41107ECC)
f3db2000 f3e09a80   tcpip    tcpip.sys    Wed Aug 04 01:14:39 2004 (41107ECF)
f3e0a000 f3e1c400   ipsec    ipsec.sys    Wed Aug 04 01:14:27 2004 (41107EC3)
f7f91000 f7f93900   Dxapi    Dxapi.sys    Fri Aug 17 15:53:19 2001 (3B7D843F)
f7fad000 f7fe0200   update   update.sys   Wed Aug 04 00:58:32 2004 (41107B08)
f7fe1000 f8011100   rdpdr    rdpdr.sys    Wed Aug 04 01:01:10 2004 (41107BA6)
f8012000 f8022e00   psched   psched.sys   Wed Aug 04 01:04:16 2004 (41107C60)
f8023000 f8039680   ndiswan  ndiswan.sys  Wed Aug 04 01:14:30 2004 (41107EC6)
f803a000 f805ce80   USBPORT  USBPORT.SYS  Wed Aug 04 01:08:34 2004 (41107D62)
f805d000 f807f680   ks       ks.sys       Wed Aug 04 01:15:20 2004 (41107EF8)
f8080000 f8093900   parport  parport.sys  Wed Aug 04 00:59:04 2004 (41107B28)
f8094000 f80a4400   el90xbc5 el90xbc5.sys Mon Jul 16 18:40:19 2001 (3B537B63)
f80a5000 f80b8780   VIDEOPRT VIDEOPRT.SYS Wed Aug 04 01:07:04 2004 (41107D08)
f80b9000 f80e04c0   i81xnt5  i81xnt5.sys  Mon Mar 29 17:27:48 2004 (4068A2E4)
f80e5000 f80e7280   rasacd   rasacd.sys   Fri Aug 17 15:55:39 2001 (3B7D84CB)
f835d000 f8377580   Mup      Mup.sys      Wed Aug 04 01:15:20 2004 (41107EF8)
f8378000 f83a4a80   NDIS     NDIS.sys     Wed Aug 04 01:14:27 2004 (41107EC3)
f83a5000 f8431480   Ntfs     Ntfs.sys     Wed Aug 04 01:15:06 2004 (41107EEA)
f8432000 f8448780   KSecDD   KSecDD.sys   Wed Aug 04 00:59:45 2004 (41107B51)
f8449000 f845af00   sr       sr.sys       Wed Aug 04 01:06:22 2004 (41107CDE)
f845b000 f8479780   fltmgr   fltmgr.sys   Wed Aug 04 01:01:17 2004 (41107BAD)
f847a000 f8491480   atapi    atapi.sys    Wed Aug 04 00:59:41 2004 (41107B4D)
f8492000 f84b7700   dmio     dmio.sys     Wed Aug 04 01:07:13 2004 (41107D11)
f84b8000 f84d6880   ftdisk   ftdisk.sys   Fri Aug 17 15:52:41 2001 (3B7D8419)
f84d7000 f84e7a80   pci      pci.sys      Wed Aug 04 01:07:45 2004 (41107D31)
f84e8000 f8515d80   ACPI     ACPI.sys     Wed Aug 04 01:07:35 2004 (41107D27)
f8537000 f853fc00   isapnp   isapnp.sys   Fri Aug 17 15:58:01 2001 (3B7D8559)
f8547000 f8551500   MountMgr MountMgr.sys Wed Aug 04 00:58:29 2004 (41107B05)
f8557000 f8563c80   VolSnap  VolSnap.sys  Wed Aug 04 01:00:14 2004 (41107B6E)
f8567000 f856fe00   disk     disk.sys     Wed Aug 04 00:59:53 2004 (41107B59)
f8577000 f8583200   CLASSPNP CLASSPNP.SYS Wed Aug 04 01:14:26 2004 (41107EC2)
f8657000 f8661600   p3       p3.sys       Wed Aug 04 00:59:18 2004 (41107B36)
f8667000 f8673e00   i8042prt i8042prt.sys Wed Aug 04 01:14:36 2004 (41107ECC)
f8677000 f8686d80   serial   serial.sys   Wed Aug 04 01:15:51 2004 (41107F17)
f8687000 f8693180   cdrom    cdrom.sys    Wed Aug 04 00:59:52 2004 (41107B58)
f8697000 f86a5080   redbook  redbook.sys  Wed Aug 04 00:59:34 2004 (41107B46)
f86a7000 f86b3880   rasl2tp  rasl2tp.sys  Wed Aug 04 01:14:21 2004 (41107EBD)
f86b7000 f86c1200   raspppoe raspppoe.sys Wed Aug 04 01:05:06 2004 (41107C92)
f86c7000 f86d2d00   raspptp  raspptp.sys  Wed Aug 04 01:14:26 2004 (41107EC2)
f86d7000 f86df900   msgpc    msgpc.sys    Wed Aug 04 01:04:11 2004 (41107C5B)
f86e7000 f86f0f00   termdd   termdd.sys   Wed Aug 04 00:58:52 2004 (41107B1C)
f86f7000 f8705100   usbhub   usbhub.sys   Wed Aug 04 01:08:40 2004 (41107D68)
f8707000 f8710480   NDProxy  NDProxy.SYS  Fri Aug 17 15:55:30 2001 (3B7D84C2)
f8747000 f874f700   netbios  netbios.sys  Wed Aug 04 01:03:19 2004 (41107C27)
f8767000 f876f880   Fips     Fips.SYS     Fri Aug 17 20:31:49 2001 (3B7DC585)
f8777000 f877f700   wanarp   wanarp.sys   Wed Aug 04 01:04:57 2004 (41107C89)
f87b7000 f87bd200   PCIIDEX  PCIIDEX.SYS  Wed Aug 04 00:59:40 2004 (41107B4C)
f87bf000 f87c3900   PartMgr  PartMgr.sys  Fri Aug 17 20:32:23 2001 (3B7DC5A7)
f8847000 f8848000   fdc      fdc.sys      unavailable (00000000)
f884f000 f8855000   kbdclass kbdclass.sys Wed Aug 04 00:58:32 2004 (41107B08)
f8857000 f885ca00   mouclass mouclass.sys Wed Aug 04 00:58:32 2004 (41107B08)
f885f000 f8864000   usbuhci  usbuhci.sys  Wed Aug 04 01:08:34 2004 (41107D62)
f8867000 f886b880   TDI      TDI.SYS      Wed Aug 04 01:07:47 2004 (41107D33)
f886f000 f8873580   ptilink  ptilink.sys  Fri Aug 17 15:49:53 2001 (3B7D8371)
f8877000 f887b080   raspti   raspti.sys   Fri Aug 17 15:55:32 2001 (3B7D84C4)
f88b7000 f88bc000   flpydisk flpydisk.sys Wed Aug 04 00:59:24 2004 (41107B3C)
f88c7000 f88cd180   HIDPARSE HIDPARSE.SYS Wed Aug 04 01:08:15 2004 (41107D4F)
f88cf000 f88d4200   vga      vga.sys      Wed Aug 04 01:07:06 2004 (41107D0A)
f88d7000 f88dba80   Msfs     Msfs.SYS     Wed Aug 04 01:00:37 2004 (41107B85)
f88df000 f88e6880   Npfs     Npfs.SYS     Wed Aug 04 01:00:38 2004 (41107B86)
f88f7000 f88fdc80   avg7rsxp avg7rsxp.sys Tue Jan 30 09:08:42 2007 (45BF5F7A)
f88ff000 f8905500   usbprint usbprint.sys Wed Aug 04 01:01:23 2004 (41107BB3)
f890f000 f8913500   watchdog watchdog.sys Wed Aug 04 01:07:32 2004 (41107D24)
f8947000 f894a000   BOOTVID  BOOTVID.dll  Fri Aug 17 15:49:09 2001 (3B7D8345)
f89e3000 f89e6c80   serenum  serenum.sys  Wed Aug 04 00:59:06 2004 (41107B2A)
f89eb000 f89ed580   ndistapi ndistapi.sys Fri Aug 17 15:55:29 2001 (3B7D84C1)
f8a0b000 f8a0ec80   mssmbios mssmbios.sys Wed Aug 04 01:07:47 2004 (41107D33)
f8a37000 f8a38b80   kdcom    kdcom.dll    Fri Aug 17 15:49:10 2001 (3B7D8346)
f8a39000 f8a3a100   WMILIB   WMILIB.SYS   Fri Aug 17 16:07:23 2001 (3B7D878B)
f8a3b000 f8a3c580   intelide intelide.sys Wed Aug 04 00:59:40 2004 (41107B4C)
f8a3d000 f8a3e700   dmload   dmload.sys   Fri Aug 17 15:58:15 2001 (3B7D8567)
f8a55000 f8a56280   vncdrv   vncdrv.sys   Sat Jun 26 06:22:17 2004 (40DD5C69)
f8a5d000 f8a5e100   swenum   swenum.sys   Wed Aug 04 00:58:41 2004 (41107B11)
f8a5f000 f8a60280   USBD     USBD.SYS     Fri Aug 17 16:02:58 2001 (3B7D8682)
f8a61000 f8a62f00   Fs_Rec   Fs_Rec.SYS   Fri Aug 17 15:49:37 2001 (3B7D8361)
f8a63000 f8a64080   Beep     Beep.SYS     Fri Aug 17 15:47:33 2001 (3B7D82E5)
f8a65000 f8a66080   mnmdd    mnmdd.SYS    Fri Aug 17 15:57:28 2001 (3B7D8538)
f8a67000 f8a68080   RDPCDD   RDPCDD.sys   Fri Aug 17 15:46:56 2001 (3B7D82C0)
f8a69000 f8a6a080   avg7rsw  avg7rsw.sys  Tue Jul 26 07:10:51 2005 (42E6284B)
f8a6b000 f8a6c100   dump_WMILIB dump_WMILIB.SYS Fri Aug 17 16:07:23 2001 (3B7D878B)
f8a75000 f8a76360   avgtdi   avgtdi.sys   Thu Aug 25 04:59:58 2005 (430D969E)
f8a8f000 f8a90780   vnccom   vnccom.SYS   Sat Jun 26 06:22:24 2004 (40DD5C70)
f8add000 f8adea80   ParVdm   ParVdm.SYS   Fri Aug 17 15:49:49 2001 (3B7D836D)
f8b63000 f8b63c00   audstub  audstub.sys  Fri Aug 17 15:59:40 2001 (3B7D85BC)
f8bba000 f8bbab80   Null     Null.SYS     Fri Aug 17 15:47:39 2001 (3B7D82EB)
f8bbb000 f8bbc000   avgclean avgclean.sys Mon Dec 03 06:09:01 2007 (4753F1DD)
f8bf9000 f8bf9d00   dxgthk   dxgthk.sys   Fri Aug 17 15:53:12 2001 (3B7D8438)

Unloaded modules:
f80f1000 f80f5000   wADV01nt.sys
    Timestamp: unavailable (00000000)
    Checksum:  00000000
f80f5000 f80f8000   wADV02NT.sys
    Timestamp: unavailable (00000000)
    Checksum:  00000000
f80f9000 f80fc000   wADV05NT.sys
    Timestamp: unavailable (00000000)
    Checksum:  00000000
f80fd000 f8100000   wSiINTxx.sys
    Timestamp: unavailable (00000000)
    Checksum:  00000000
f88af000 f88b4000   wVchNTxx.sys
    Timestamp: unavailable (00000000)
    Checksum:  00000000
f88a7000 f88af000   wATV01nt.sys
    Timestamp: unavailable (00000000)
    Checksum:  00000000
f889f000 f88a4000   wATV02NT.sys
    Timestamp: unavailable (00000000)
    Checksum:  00000000
f8727000 f8730000   wATV04nt.sys
    Timestamp: unavailable (00000000)
    Checksum:  00000000
f8897000 f889d000   wCh7xxNT.sys
    Timestamp: unavailable (00000000)
    Checksum:  00000000
f888f000 f8895000   wATV06nt.sys
    Timestamp: unavailable (00000000)
    Checksum:  00000000
f8101000 f8104000   wADV07nt.sys
    Timestamp: unavailable (00000000)
    Checksum:  00000000
f8105000 f8108000   wADV08nt.sys
    Timestamp: unavailable (00000000)
    Checksum:  00000000
f8a33000 f8a36000   wADV09nt.sys
    Timestamp: unavailable (00000000)
    Checksum:  00000000
f8887000 f888e000   wATV10nt.sys
    Timestamp: unavailable (00000000)
    Checksum:  00000000
f8757000 f8762000   Imapi.SYS
    Timestamp: unavailable (00000000)
    Checksum:  00000000
f80e9000 f80ed000   kbdhid.sys
    Timestamp: unavailable (00000000)
    Checksum:  00000000
f88bf000 f88c4000   Cdaudio.SYS
    Timestamp: unavailable (00000000)
    Checksum:  00000000
f80ed000 f80f0000   Sfloppy.SYS
    Timestamp: unavailable (00000000)
    Checksum:  00000000
Closing open log file c:\debuglog.txt
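
The Post Mortem steps and the log above, as an added example (not part of the original page or of the Microsoft tools): a small Python triage script that reads the !analyze and lmnt output, checks whether the faulting address lies inside any loaded or unloaded module range, and falls back to PROCESS_NAME when no driver image backs it, which is the Unknown_Module case shown here. The names triage and find_owner are hypothetical, and the sample lines are copied from the log above and trimmed.

```python
import re

# Lines copied from the example debuglog.txt above, trimmed to what the parser reads.
SAMPLE_LOG = """\
Arg2: 81e76731, The address that the exception occurred at
BUGCHECK_STR:  0x8E
PROCESS_NAME:  java.exe
MODULE_NAME: Unknown_Module
IMAGE_NAME:  Unknown_Image
start    end        module name
804d7000 806eb780   nt       ntoskrnl.exe Wed Aug 04 01:19:48 2004 (41108004)
f3bbb000 f3c83a60   avg7core avg7core.sys Wed Oct 10 11:23:39 2007 (470CFC8B)
Unloaded modules:
f80f1000 f80f5000   wADV01nt.sys
    Timestamp: unavailable (00000000)
"""

FIELD = re.compile(r"^(BUGCHECK_STR|PROCESS_NAME|MODULE_NAME|IMAGE_NAME):[ \t]*(\S+)", re.M)
FAULT = re.compile(r"^Arg2: ([0-9a-f]{8}), The address that the exception occurred at", re.M)
RANGE = re.compile(r"^([0-9a-f]{8}) ([0-9a-f]{8})[ \t]+(?:\S+[ \t]+)?(\S+\.\w+)", re.M)

def find_owner(addr, text):
    """Return the image whose [start, end) range contains addr, else None."""
    for start, end, image in RANGE.findall(text):
        if int(start, 16) <= addr < int(end, 16):
            return image
    return None

def triage(log):
    fields = dict(FIELD.findall(log))
    hit = FAULT.search(log)
    fault = int(hit.group(1), 16) if hit else None
    loaded_txt, _, unloaded_txt = log.partition("Unloaded modules:")
    owner = find_owner(fault, loaded_txt) if fault is not None else None
    stale = find_owner(fault, unloaded_txt) if fault is not None else None
    if fields.get("IMAGE_NAME", "Unknown_Image") != "Unknown_Image":
        lead = ("image", fields["IMAGE_NAME"])
    elif owner:
        lead = ("loaded module", owner)
    elif stale:
        lead = ("unloaded module", stale)
    else:
        # No driver backs the faulting address: fall back to the process context.
        lead = ("process", fields.get("PROCESS_NAME"))
    return {"bugcheck": fields.get("BUGCHECK_STR"), "fault_ip": fault,
            "owner": owner, "unloaded_owner": stale, "lead": lead}

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

Run against a full debuglog.txt, a "process" lead means the crash came from kernel code that no listed driver image accounts for, so the next step is inspecting that process, as was done with procexp above.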