<

How to take a DMP file--and understand a blue screen

Published on
8,273 Points
2,973 Views
8 Endorsements
Last Modified:
Rob Hutchinson
Current strengths are Lotus Notes, and Dell laptops: 7450, 7470, 7490
https://www.linkedin.com/in/getlinkedwithrobhutchinson/

This guide is for techies, and others who want to demystify what happens when a computer blue-screens…the dreaded BSOD! (Blue Screen Of Death!)


We will not be covering all the different types of BSOD’s, but we will be talking about how to analyze the BSOD computer’s .DMP file which is left on the hard drive after the BSOD occurs.


BSOD’s are normally varied in their difficulty to resolve although this is not always true though when working with a large group of computers that all blue screen for the same reason.


To begin, we need a DMP file usually called MEMORY.DMP. The DMP file is usually found in the C:\Windows folder. If you have trouble finding the DMP file, just search the hard drive for it using *.DMP  The DMP file may be really large, or may be a smaller DMP file( or files) called mini DMP files. If the hard drive is not bootable, use a USB drive adapter to view the contents of the hard drive to find the .DMP file using another computer.


Now we need a program to analyze this DMP file!

We’ll just focus on the free Microsoft debugging tool WinDBG although there are many commercial/free programs to perform .DMP file analysis.


Title: WDK and WinDBG downloads

https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/debugger-download-tools

The above web page has several links to download WinDBG, but the one you will want, depends on your version of Windows:
In the section titled: "Debugging Tools for Windows 10 (WinDbg)" click the link that says:

"Get Debugging Tools for Windows (WinDbg) from the SDK: Windows 10 SDK."
https://developer.microsoft.com/en-us/windows/downloads/windows-10-sdk

For earlier versions of Windows, look for "Additional SDK requirements"

"Installation on Windows 8.1 and earlier operating systems requires KB2999226. To install through Windows Update, make sure you install the latest recommended updates and patches from Microsoft Update before you install the Windows SDK."
That KB2999226 takes you here:
https://support.microsoft.com/en-us/help/2999226/update-for-universal-c-runtime-in-windows

At the beginning of the installation, just choose the default installation path if desired.
When you come to the "Select the features you want to install", there are several installation check boxes.
For just WinDBG debugger installation, deselect everything except for “Debugging Tools for Windows” and click Install.


After the installation has completed, go into the program icon groups, and find the group titled Windows Kits > Debugging Tools for Windows (X64) or Debugging Tools for Windows (X86) then find the icon labeled WinDbg (X64) or WinDbg (X86)


Using WinDBG!

Using WinDBG the first time is not very intuitive. Opening it up, and staring at a blank grey background of nothiness wondering what to do next…first, before attempting to analyze the DMP file, we need the symbol download path…this text looks like gibberish, but we need it nonetheless.


From that same link page given at the beginning of the web page, we’ll also see this paragraph:


Windows symbols
Symbol files make it easier to debug your code. The easiest way to get Windows symbols is to use the Microsoft Symbol Server.If you prefer to download the entire set of symbols for a particular version of Windows, download a symbol package. Get Windows symbol packages

What we’re looking for is something that looks like this:


.sympath SRV*c:\localsymbols*http://msdl.microsoft.com/download/symbols;
SRV*c:\localsymbols*http://msdl.microsoft.com/download/symbols



In the above example, this will tell WinDBG to download and store the symbols in a local folder. I use C:\localsymbols (this folder needs to be created manually before adding the path).


The location to type (or paste) this info is found from the WinDBG menu options “File > Symbol File Path…” The place where you type/paste in this info is just a blank box. Make sure that there are no trailing spaces at the end of your text, and make sure you have the correct info typed in. Then make sure that you choose, “File > Save Workspace” after typing/pasting this info in.


Now opening the DMP file is easy: take your DMP file, and just drag it into the grey area (workspace) of  WinDBG.

As an example, I took a .DMP file off of a computer here that blue screened recently. The file size is 600MB’s. I drug the file into the grey area of the workspace and bunch of text showed on the workspace.

Microsoft (R) Windows Debugger Version 6.3.9600.17237 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [C:\Users\JoeUser\Desktop\MEMORY.DMP]
Kernel Summary Dump File: Only kernel address space is available
WARNING: Whitespace at start of path element
************* Symbol Path validation summary **************
Response                         Time (ms)     Location
Deferred .sympath SRV*c:\localsymbols*http://msdl.microsoft.com/download/symbols
Symbol search path is: .sympath SRV*c:\localsymbols*http://msdl.microsoft.com/download/symbols;
SRV*c:\localsymbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows 7 Kernel Version 7601 (Service Pack 1) MP (4 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 7601.18247.amd64fre.win7sp1_gdr.130828-1532
Machine Name:
Kernel base = 0xfffff800`0305b000 PsLoadedModuleList = 0xfffff800`0329e6d0
Debug session time: Fri Jul 11 10:45:54.730 2014 (UTC - 7:00)
System Uptime: 0 days 0:12:30.131
Loading Kernel Symbols
...............................................................
................................................................
.............................................................
Loading User Symbols

Loading unloaded module list
.......................
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                     *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.
BugCheck 9F, {4, 258, fffffa80069d1b50, fffff80000b9c3d0}
Implicit thread is now fffffa80`069d1b50
*** ERROR: Module load completed but symbols could not be loaded for iusb3hub.sys
Probably caused by : iusb3hub.sys
Followup: MachineOwner
---------


The two things to notice in all that text, are the line:

Use !analyze -v to get detailed debugging information.

And this line:

Probably caused by : iusb3hub.sys


Typing in !analyze –v will give more info, and this info may confirm what the first test found, or give additional info about the bluescreen.


In the above example, we can suspect that the blue screen was caused by the file iusb3hub.sys so you can Google this file to see where the file comes from, or what hardware is supported by this file.


When I Googled this file, I found a useful link on the manufacturer’s website for the computer model  that blue-screened. This link actually referenced a blue screen topic too so it was a direct reference to the problem.


Even though the info in these Google links may, or may not, not have helpful info; at least you know more about what hardware is causing the bluescreen failure and also which driver is likely responsible for the bluescreen.


Hope this info helps!

8
Ask questions about what you read
If you have a question about something within an article, you can receive help directly from the article author. Experts Exchange article authors are available to answer questions and further the discussion.
Get 7 days free