<

How to take a DMP file--and understand a blue screen

Published on
7,667 Points
2,367 Views
8 Endorsements
Last Modified:

This guide is for techies, and others who want to demystify what happens when a computer blue-screens…the dreaded BSOD! (Blue Screen Of Death!)


We will not be covering all the different types of BSOD’s, but we will be talking about how to analyze the BSOD computer’s .DMP file which is left on the hard drive after the BSOD occurs.


BSOD’s are normally varied in their difficulty to resolve although this is not always true though when working with a large group of computers that all blue screen for the same reason.


To begin, we need a DMP file usually called MEMORY.DMP. The DMP file is usually found in the C:\Windows folder. If you have trouble finding the DMP file, just search the hard drive for it using *.DMP  The DMP file may be really large, or may be a smaller DMP file( or files) called mini DMP files. If the hard drive is not bootable, use a USB drive adapter to view the contents of the hard drive to find the .DMP file using another computer.


Now we need a program to analyze this DMP file!

We’ll just focus on the free Microsoft debugging tool WinDBG although there are many commercial/free programs to perform .DMP file analysis.


Title: WDK and WinDBG downloads

http://msdn.microsoft.com/en-us/windows/hardware/hh852365.aspx

The above web page has a lot of links for related Microsoft downloads, but the link we want is half way down the page called, Standalone Debugging Tools for Windows (WinDbg)”.


Now, download the WinDBG program for your computer’s OS (in this example, we’ll install WinSDK for Windows 8.1 that works for Windows 8.1, 8, and 7)


For Windows XP, install SDK for Windows 7

( quote from the above link)


If you’re debugging Windows XP, Windows Server 2003, Windows Vista, or Windows Server 2008 (or using one of these operating systems to run the Debugging Tools for Windows), you need to use the Windows 7 release of the debugging tools. It’s included in the SDK for Windows 7 and .NET Framework 4.0. To install the Debugging Tools for Windows as a standalone component, in the SDK installation wizard, select Debugging Tools for Windows, and clear all other components.

Installation note: 

An annoying glitch run into during an install has always been fixed by making sure that the correct version of the Visual C++ runtime libraries were installed. So make sure to install the correct version Visual C++ runtime. This is the reason Microsoft has a small paragraph on this download page titled:


Important:  Newer versions of the Visual C++ 2010 Redistributable can cause issues when you install the SDK for Windows 7. For more information, see support for the Windows SDK.” 

There are several installation choices at the beginning of the installation. For just WinDBG debugger installation, deselect everything except for “Debugging Tools for Windows”.


After the installation has completed, go into the program icon groups, and find the group titled Windows Kits > Debugging Tools for Windows (X64) or Debugging Tools for Windows (X86) then find the icon labeled WinDbg (X64) or WinDbg (X86)


Using WinDBG!

Using WinDBG the first time is not very intuitive. Opening it up, and staring at a blank grey background of nothiness wondering what to do next…first, before attempting to analyze the DMP file, we need the symbol download path…this text looks like gibberish, but we need it nonetheless.


From that same link page given at the beginning of the web page, we’ll also see this paragraph:


Windows symbols
Symbol files make it easier to debug your code. The easiest way to get Windows symbols is to use the Microsoft Symbol Server.If you prefer to download the entire set of symbols for a particular version of Windows, download a symbol package. Get Windows symbol packages

What we’re looking for is something that looks like this:


.sympath SRV*c:\localsymbols*http://msdl.microsoft.com/download/symbols;
SRV*c:\localsymbols*http://msdl.microsoft.com/download/symbols



In the above example, this will tell WinDBG to download and store the symbols in a local folder. I use C:\localsymbols (this folder needs to be created manually before adding the path).


The location to type (or paste) this info is found from the WinDBG menu options “File > Symbol File Path…” The place where you type/paste in this info is just a blank box. Make sure that there are no trailing spaces at the end of your text, and make sure you have the correct info typed in. Then make sure that you choose, “File > Save Workspace” after typing/pasting this info in.


Now opening the DMP file is easy: take your DMP file, and just drag it into the grey area (workspace) of  WinDBG.

As an example, I took a .DMP file off of a computer here that blue screened recently. The file size is 600MB’s. I drug the file into the grey area of the workspace and bunch of text showed on the workspace.

Microsoft (R) Windows Debugger Version 6.3.9600.17237 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [C:\Users\JoeUser\Desktop\MEMORY.DMP]
Kernel Summary Dump File: Only kernel address space is available
WARNING: Whitespace at start of path element
************* Symbol Path validation summary **************
Response                         Time (ms)     Location
Deferred .sympath SRV*c:\localsymbols*http://msdl.microsoft.com/download/symbols
Symbol search path is: .sympath SRV*c:\localsymbols*http://msdl.microsoft.com/download/symbols;
SRV*c:\localsymbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows 7 Kernel Version 7601 (Service Pack 1) MP (4 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 7601.18247.amd64fre.win7sp1_gdr.130828-1532
Machine Name:
Kernel base = 0xfffff800`0305b000 PsLoadedModuleList = 0xfffff800`0329e6d0
Debug session time: Fri Jul 11 10:45:54.730 2014 (UTC - 7:00)
System Uptime: 0 days 0:12:30.131
Loading Kernel Symbols
...............................................................
................................................................
.............................................................
Loading User Symbols

Loading unloaded module list
.......................
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                     *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.
BugCheck 9F, {4, 258, fffffa80069d1b50, fffff80000b9c3d0}
Implicit thread is now fffffa80`069d1b50
*** ERROR: Module load completed but symbols could not be loaded for iusb3hub.sys
Probably caused by : iusb3hub.sys
Followup: MachineOwner
---------


The two things to notice in all that text, are the line:

Use !analyze -v to get detailed debugging information.

And this line:

Probably caused by : iusb3hub.sys


Typing in !analyze –v will give more info, and this info may confirm what the first test found, or give additional info about the bluescreen.


In the above example, we can suspect that the blue screen was caused by the file iusb3hub.sys so you can Google this file to see where the file comes from, or what hardware is supported by this file.


When I Googled this file, I found a useful link on the manufacturer’s website for the computer model  that blue-screened. This link actually referenced a blue screen topic too so it was a direct reference to the problem.


Even though the info in these Google links may, or may not, not have helpful info; at least you know more about what hardware is causing the bluescreen failure and also which driver is likely responsible for the bluescreen.


Hope this info helps!

8
Comment
2 Comments
 
LVL 75

Expert Comment

by:käµfm³d 👽
+1 for the coy title, which I'm sure was purely coincidental.
0
 

Expert Comment

by:David Reed
Shouldn't it be How to Analyze a DMP?
Anyway, ditto on the +1 for the title
0

Featured Post

Free Tool: SSL Checker

Scans your site and returns information about your SSL implementation and certificate. Helpful for debugging and validating your SSL configuration.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Join & Write a Comment

This video Micro Tutorial explains how to clone a hard drive using a commercial software product for Windows systems called Casper from Future Systems Solutions (FSS). Cloning makes an exact, complete copy of one hard disk drive (HDD) onto another d…
Finding and deleting duplicate (picture) files can be a time consuming task. My wife and I, our three kids and their families all share one dilemma: Managing our pictures. Between desktops, laptops, phones, tablets, and cameras; over the last decade…

Keep in touch with Experts Exchange

Tech news and trends delivered to your inbox every month