Viewing a memory.dmp file after a bugcheck

I have been having a problem with a Windows 2000 server consistently rebooting itself from a bugcheck. It is pretty annoying, since it always seems to happen between 12am and 2am, so my monitoring software wakes me up with a phone call. After the bugcheck Windows dumps all the memory into a 1 GB file in the c:\windows directory. I usually just delete the file and restart the applications. But today, after a 12:30am wakeup, I decided to find out what that memory.dmp file is about.

There is a command called dumpchk that verifies the dump and displays information about it. It is part of the Windows XP Support Tools. The easiest way to run it is to copy dumpchk.exe into the same folder as the memory.dmp file, open a command prompt in that folder, and run “dumpchk memory.dmp”. The header at the beginning of the output will look like this:

DUMP_HEADER32:
MajorVersion 0000000f
MinorVersion 00000893
DirectoryTableBase 3f9a6000
PfnDataBase 85e3e000
PsLoadedModuleList 80485b80
PsActiveProcessHead 80487608
MachineImageType 0000014c
NumberProcessors 00000002
BugCheckCode 0000001e
BugCheckParameter1 c0000005
BugCheckParameter2 8046e05c
BugCheckParameter3 00000000
BugCheckParameter4 2988bd8c
PaeEnabled 00000000
KdDebuggerDataBlock 80471a70

This says that error c0000005 happened at memory location 8046e05c. I am not a developer, so this means very little to me.
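Added example (not part of the original post): a Python sketch that decodes the header fields shown above. It assumes the documented parameter layout of bug check 0x1E (exception code, faulting instruction address, then the two exception-record parameters); the lookup tables and function names are this example's own.

```python
import re

# Header fields copied from the dumpchk output above.
SAMPLE = """DUMP_HEADER32:
MajorVersion 0000000f
MinorVersion 00000893
BugCheckCode 0000001e
BugCheckParameter1 c0000005
BugCheckParameter2 8046e05c
BugCheckParameter3 00000000
BugCheckParameter4 2988bd8c
"""
# Module range copied from the "start end module name" listing in the same output.
MODULES = [("nt", 0x80400000, 0x805A29C0)]

BUGCHECKS = {0x0A: "IRQL_NOT_LESS_OR_EQUAL", 0x1E: "KMODE_EXCEPTION_NOT_HANDLED"}
NTSTATUS = {0xC0000005: "STATUS_ACCESS_VIOLATION"}
ACCESS = {0: "read", 1: "write", 8: "execute"}

def parse_header(text):
    """Return {field: int} for each 'Name hexvalue' line of the header."""
    pairs = re.findall(r"^[ \t]*(\w+)[ \t]+([0-9a-fA-F]{8})[ \t]*$", text, re.M)
    return {name: int(value, 16) for name, value in pairs}

def module_for(address, modules=MODULES):
    """Name of the loaded module whose [start, end) range holds address."""
    return next((n for n, lo, hi in modules if lo <= address < hi), None)

def summarize(text):
    h = parse_header(text)
    if "BugCheckCode" not in h:
        raise ValueError("no BugCheckCode field: not a dumpchk header")
    code = h["BugCheckCode"]
    p = [h.get(f"BugCheckParameter{i}", 0) for i in range(1, 5)]
    out = {"bugcheck": BUGCHECKS.get(code, f"unknown (0x{code:X})"),
           "build": h.get("MinorVersion"),                  # OS build number
           "checked_build": h.get("MajorVersion") == 0xC}   # 0xF = free build
    if code == 0x1E:  # exception code, faulting address, info[0], info[1]
        out["exception"] = NTSTATUS.get(p[0], f"0x{p[0]:08X}")
        out["fault_at"] = f"0x{p[1]:08x}"
        out["module"] = module_for(p[1])
        if p[0] == 0xC0000005:  # info[0] = access type, info[1] = address touched
            out["access"] = ACCESS.get(p[2], "unknown")
            out["bad_address"] = f"0x{p[3]:08x}"
    return out

if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(f"{key:14} {value}")
```

On this header it reports an unhandled access violation: a read of 0x2988bd8c by the instruction at 0x8046e05c, which lies inside the nt module on build 2195.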

Further down in the output I found:
Windows 2000 Kernel Version 2195 (Service Pack 4) MP (2 procs) Free x86 compatible
Kernel base = 0x80400000 PsLoadedModuleList = 0x80485b80
Debug session time: Sun Mar 12 23:57:08 2006
System Uptime: 4 days 5:36:24
start end module name
80400000 805a29c0 nt Checksum: 001A71A1 Timestamp: Thu Oct 06 05:20:25 2005 (4344EC59)

This shows the Windows kernel version, the time of the crash, the system uptime, and the address range where the kernel (nt) was loaded.

To really dig into the memory.dmp file you will need the Microsoft Debug Tools. You also need the correct symbols for the OS that the memory dump came from. These can be downloaded here. After all that is installed, open the debugger, windbg, from the Start menu. First set the symbol path: click File, Symbol Path and add the path that you installed the symbols to. The default is c:\windows\symbols.

To open the memory.dmp file, select File, Open Crash Dump. It will first show the same info that dumpchk displayed. To get more detail, enter this command: !analyze -v. This displays a much more detailed analysis of the problem. Some other useful things you can look at are the call stack (View, Call Stack) to see what system calls were being run when the crash occurred, the registers (View, Registers) to see what registers were being used, and the actual memory (View, Memory) to view the contents of memory when the crash occurred. You can also view the disassembly to see what code was running.
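Added example (not part of the original post): a Python check for the symbol path set in the step above, covering plain directories and the `srv*cache*server` and `cache*dir` element forms. The function name and warning texts are this example's own, and the sample paths in the usage lines are constructed.

```python
def check_symbol_path(path):
    """Parse a ';'-separated debugger symbol path; return (elements, warnings)."""
    elements, warnings = [], []
    for raw in path.split(";"):
        item = raw.strip()
        if not item:
            continue
        if "*" not in item:                      # plain local or UNC directory
            elements.append({"type": "dir", "path": item})
            continue
        keyword, *stores = item.split("*")
        keyword = keyword.lower()
        stores = [s for s in stores if s]        # drop empty (default) slots
        if keyword == "cache":
            elements.append({"type": "cache",
                             "path": stores[0] if stores else None})
        elif keyword == "srv":
            if not stores:
                warnings.append(f"'{item}': srv element names no store")
                continue
            # The last store is the upstream server; earlier ones are local caches.
            server, caches = stores[-1], stores[:-1]
            elements.append({"type": "srv", "caches": caches, "server": server})
            if server.lower().startswith("http://"):
                warnings.append(f"'{server}': symbols fetched over plain HTTP; "
                                "prefer an https:// symbol server")
        else:
            warnings.append(f"'{item}': unrecognised keyword '{keyword}'")
    if not elements:
        warnings.append("no usable element; the debugger will fall back "
                        "to export symbols")
    return elements, warnings

if __name__ == "__main__":
    # Constructed sample paths.
    for sample in (r"c:\windows\symbols",
                   r"srv*c:\symcache*https://msdl.microsoft.com/download/symbols",
                   "srv*"):
        print(sample, "->", check_symbol_path(sample))
```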

I’m not very knowledgeable in these memory matters, so most of the output didn’t mean much to me. I never really figured out what my problem is, but I still have some digging to do. If you are interested in seeing what was going on when your system blue screened, this is the way to do that. There are also ways to dump the memory on your system, and this is a good way to do debugging on your system.

7 Responses to “Viewing a memory.dmp file after a bugcheck”


  1. Joe

    Thanks, this info really helped. I wasn’t sure what tools to use to debug a problem.

  2. venkat

    Thanks a lot, this message helped me a lot, thank you

  3. Gra

    Cheers this was very useful info.

  4. Mohamed

    thanks

  5. Mauricio

    Thanks a lot for your contribution, I found my server’s problem following your advice.

  6. Carlos

    I followed all the procedures, but every time I try to run “Open Crash Dump” what I get is symbol path invalid.

    I downloaded the Symbols for Win2K3 Sp1 and it contains 19 subfolders. I tried each one of the paths, but still got the same error.

    Microsoft (R) Windows Debugger Version 6.6.0007.5
    Copyright (c) Microsoft Corporation. All rights reserved.

    Loading Dump File [M:\WINDOWS\MEMORY.DMP]
    Kernel Summary Dump File: Only kernel address space is available

    Symbol search path is: *** Invalid ***
    ****************************************************************************
    * Symbol loading may be unreliable without a symbol search path. *
    * Use .symfix to have the debugger choose a symbol path. *
    * After setting your symbol path, use .reload to refresh symbol locations. *
    ****************************************************************************
    Executable search path is:
    *********************************************************************
    * Symbols can not be loaded because symbol path is not initialized. *
    * *
    * The Symbol Path can be set by: *
    * using the _NT_SYMBOL_PATH environment variable. *
    * using the -y argument when starting the debugger. *
    * using .sympath and .sympath *
    *********************************************************************
    *** ERROR: Symbol file could not be found. Defaulted to export symbols for ntkrnlmp.exe -
    Windows Server 2003 Kernel Version 3790 (Service Pack 1) MP (4 procs) Free x86 compatible
    Product: Server, suite: Enterprise TerminalServer
    Built by: 3790.srv03_sp1_gdr.070304-2232
    Kernel base = 0x80800000 PsLoadedModuleList = 0x808af988
    Debug session time: Thu Oct 4 17:00:21.523 2007 (GMT-5)
    System Uptime: 8 days 1:12:24.765
    *********************************************************************
    * Symbols can not be loaded because symbol path is not initialized. *
    * *
    * The Symbol Path can be set by: *
    * using the _NT_SYMBOL_PATH environment variable. *
    * using the -y argument when starting the debugger. *
    * using .sympath and .sympath *
    *********************************************************************
    *** ERROR: Symbol file could not be found. Defaulted to export symbols for ntkrnlmp.exe -
    Loading Kernel Symbols
    ……………………………………………………………………………………………………………….
    Loading User Symbols
    PEB is paged out (Peb.Ldr = 7ffd800c). Type ".hh dbgerr001" for details
    Loading unloaded module list
    ……………………………..
    *******************************************************************************
    * *
    * Bugcheck Analysis *
    * *
    *******************************************************************************

    Use !analyze -v to get detailed debugging information.

    BugCheck AB, {10, 7000, 0, 1}

    ***** Kernel symbols are WRONG. Please fix symbols to do analysis.

    ***** Kernel symbols are WRONG. Please fix symbols to do analysis.

    *************************************************************************
    *** ***
    *** ***
    *** Your debugger is not using the correct symbols ***
    *** ***
    *** In order for this command to work properly, your symbol path ***
    *** must point to .pdb files that have full type information. ***
    *** ***
    *** Certain .pdb files (such as the public OS symbols) do not ***
    *** contain the required information. Contact the group that ***
    *** provided you with these symbols if you need this command to ***
    *** work. ***
    *** ***
    *** Type referenced: nt!_KPRCB ***
    *** ***
    *************************************************************************
    *************************************************************************
    *** ***
    *** ***
    *** Your debugger is not using the correct symbols ***
    *** ***
    *** In order for this command to work properly, your symbol path ***
    *** must point to .pdb files that have full type information. ***
    *** ***
    *** Certain .pdb files (such as the public OS symbols) do not ***
    *** contain the required information. Contact the group that ***
    *** provided you with these symbols if you need this command to ***
    *** work. ***
    *** ***
    *** Type referenced: nt!KPRCB ***
    *** ***
    *************************************************************************
    *************************************************************************
    *** ***
    *** ***
    *** Your debugger is not using the correct symbols ***
    *** ***
    *** In order for this command to work properly, your symbol path ***
    *** must point to .pdb files that have full type information. ***
    *** ***
    *** Certain .pdb files (such as the public OS symbols) do not ***
    *** contain the required information. Contact the group that ***
    *** provided you with these symbols if you need this command to ***
    *** work. ***
    *** ***
    *** Type referenced: nt!_KPRCB ***
    *** ***
    *************************************************************************
    *************************************************************************
    *** ***
    *** ***
    *** Your debugger is not using the correct symbols ***
    *** ***
    *** In order for this command to work properly, your symbol path ***
    *** must point to .pdb files that have full type information. ***
    *** ***
    *** Certain .pdb files (such as the public OS symbols) do not ***
    *** contain the required information. Contact the group that ***
    *** provided you with these symbols if you need this command to ***
    *** work. ***
    *** ***
    *** Type referenced: nt!KPRCB ***
    *** ***
    *************************************************************************
    *************************************************************************
    *** ***
    *** ***
    *** Your debugger is not using the correct symbols ***
    *** ***
    *** In order for this command to work properly, your symbol path ***
    *** must point to .pdb files that have full type information. ***
    *** ***
    *** Certain .pdb files (such as the public OS symbols) do not ***
    *** contain the required information. Contact the group that ***
    *** provided you with these symbols if you need this command to ***
    *** work. ***
    *** ***
    *** Type referenced: nt!_KPRCB ***
    *** ***
    *************************************************************************
    *************************************************************************
    *** ***
    *** ***
    *** Your debugger is not using the correct symbols ***
    *** ***
    *** In order for this command to work properly, your symbol path ***
    *** must point to .pdb files that have full type information. ***
    *** ***
    *** Certain .pdb files (such as the public OS symbols) do not ***
    *** contain the required information. Contact the group that ***
    *** provided you with these symbols if you need this command to ***
    *** work. ***
    *** ***
    *** Type referenced: nt!_KPRCB ***
    *** ***
    *************************************************************************
    Probably caused by : ntkrnlmp.exe ( nt!RtlAreAllAccessesGranted 1c585 )

    Followup: MachineOwner
    ———

  7. andrew

    Someone showed me that for the symbol path you can just put the following so you don’t have to actually download them:

    SRV*c:\symcache*http://msdl.microsoft.com/download/symbols
