Solved

Debugging Minidump files

Posted on 2011-03-09
Last Modified: 2012-05-11
I have a laptop that blue screens randomly.  I came across the following information:
Don't install dumpchk. windbg is the official tool to format the minidumps.

http://msdn.microsoft.com/msdnmag/issues/05/07/Debugging/

Debugging Tools from Microsoft
1) Create folder c:\symbols
2) Download and install the http://www.microsoft.com/whdc/devtools/debugging/installx86.mspx
3) Locate your latest memory.dmp file- C:\WINDOWS\Minidump\Mini011005-01.dmp or whatever
4) open a CMD prompt and cd\program files\debugging tools for windows\
5) type the following stuff:

Code:
c:\program files\debugging tools>kd -z C:\WINDOWS\Minidump\Mini011005-01.dmp
kd> .logopen c:\debuglog.txt
kd> .sympath srv*c:\symbols*http://msdl.microsoft.com/download/symbols
kd> .reload;!analyze -v;r;!thread;lmnt;.logclose;q

You now have a debuglog.txt in c:\, open it in notepad and post to this thread.

My problem is that there is no c:\program files\debugging tools directory on this PC.  What am I missing?

Thanks
Question by:CPUAffinity
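The recipe in the question has to be typed once per dump and breaks when the tools are not in the hard-coded folder. Here is an added Python example (not from the thread) that looks for kd.exe in several candidate install folders, then runs the same command chain over every Mini*.dmp with kd's -z, -y, -logo and -c switches instead of the interactive .logopen/.sympath; the candidate folders and the output folder are assumptions.

```python
"""Run the thread's kd recipe over every minidump in a folder.

Added example, not from the original post. Assumes kd.exe from the
Debugging Tools for Windows is installed in one of CANDIDATE_DIRS
(assumed paths; adjust to your install).
"""
import subprocess
from pathlib import Path

# Typical install locations (assumed); the thread's recipe only knows the first.
CANDIDATE_DIRS = [
    r"C:\Program Files\Debugging Tools for Windows",
    r"C:\Program Files\Debugging Tools for Windows (x86)",
    r"C:\Program Files (x86)\Debugging Tools for Windows (x86)",
    r"C:\Program Files (x86)\Windows Kits\10\Debuggers\x86",
    r"C:\Program Files (x86)\Windows Kits\10\Debuggers\x64",
]

SYMPATH = r"srv*c:\symbols*http://msdl.microsoft.com/download/symbols"
# Same commands the thread uses, chained with ';' so kd runs them
# non-interactively via -c and quits; -logo replaces .logopen.
ANALYZE_CMDS = ".reload;!analyze -v;r;!thread;lmnt;q"


def find_kd(candidates=CANDIDATE_DIRS):
    """Return the first existing kd.exe, or None if the tools are not installed."""
    for d in candidates:
        exe = Path(d) / "kd.exe"
        if exe.is_file():
            return exe
    return None


def kd_command(kd_exe, dump, log, sympath=SYMPATH):
    """Build the kd argument list: -z dump, -y symbol path, -logo log, -c commands."""
    return [str(kd_exe), "-z", str(dump), "-y", sympath,
            "-logo", str(log), "-c", ANALYZE_CMDS]


def analyze_all(minidump_dir=r"C:\WINDOWS\Minidump", out_dir=r"C:\debuglogs"):
    """Analyze every Mini*.dmp, one log file per dump; returns the logs written."""
    kd_exe = find_kd()
    if kd_exe is None:
        raise FileNotFoundError("kd.exe not found; install the Debugging Tools "
                                "or add their folder to CANDIDATE_DIRS")
    Path(out_dir).mkdir(parents=True, exist_ok=True)
    logs = []
    for dump in sorted(Path(minidump_dir).glob("Mini*.dmp")):
        log = Path(out_dir) / (dump.stem + ".txt")
        subprocess.run(kd_command(kd_exe, dump, log), check=False, timeout=600)
        logs.append(log)
    return logs
```

Each resulting log is the same debuglog.txt the thread asks for, one per dump, so you can post or compare them.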
 
LVL 16

Assisted Solution

by:speshalyst
speshalyst earned 250 total points
ID: 35083827
 
LVL 16

Expert Comment

by:speshalyst
ID: 35083850
you can download the tool from the link above.. and read this link for details on usage
http://support.microsoft.com/kb/315263
 
LVL 22

Expert Comment

by:optoma
ID: 35084192
Do you want to upload some of those minidump (.dmp) files here?
 
LVL 35

Expert Comment

by:torimar
ID: 35084228
Did you follow step #2 in your post and install the debugging tools?

Then you may have changed the installation directory.
The easiest way to find the correct folder is by checking your Start menu > Programs folder for "Debugging Tools for Windows", right-click on any of the entries inside and select 'Properties': it will show you where the tools are installed.

Then replace the "c:\program files\debugging tools" in your "Code" above by the actual installation directory.


On a side note:
If you are not experienced in analyzing minidumps, this may not help you at all. It is a far better option to create a thread describing your problem here on E-E and attach your minidump files; this way, experts will analyze them.
 
LVL 35

Expert Comment

by:torimar
ID: 35084251
Alternatively, you could use the 'Blue Screen Viewer': http://www.nirsoft.net/utils/blue_screen_view.html

It is a breeze to set up. But still, you may not know what to do with the information.
 

Author Comment

by:CPUAffinity
ID: 35084313
 
LVL 35

Expert Comment

by:torimar
ID: 35084582
A first glance at the files indicates that the problems are related to Hewlett Packard programs, like the Power Assistant or the Wireless Assistant.

If this is a HP computer, check out the HP support site for updated versions of the HP assistants, utilities and drivers.
 
LVL 35

Expert Comment

by:torimar
ID: 35084638
Alternatively, you may consider disabling the HP assistants.
Windows itself has inbuilt features that take care of power options and wireless connectivity; normally, additional vendor tools are not required, although - sometimes - they may offer more options or comfort. But sometimes they also create unstable systems.
 

Author Comment

by:CPUAffinity
ID: 35084738
I will try removing those.  We don't need the power assistant, but we've had problems with the wireless adapter becoming disabled out of nowhere - but is not shown as disabled in devmgmt.  The only way to turn it back on is with Wireless Assistant.  I'll give this a shot though.
 
LVL 95

Expert Comment

by:Lee W, MVP
ID: 35085326
As has been suggested, there are many programs out there that will provide analysis of your dumps - I wrote a web page you can use as well - http://www.lwcomputing.com/minidumps/minidumpup.asp
 

Author Comment

by:CPUAffinity
ID: 35085394
Leew:
      Sweet site!  That will be very useful looking forward.
 
LVL 35

Expert Comment

by:torimar
ID: 35085548
That is why I suggested posting the minidump files in another thread: Now we have a mix in here of people still replying to the original question ("Debugging Minidump files") and those commenting on your actual BSOD problem.

You cannot fairly finalize a question that is dealing with two separate issues, which is why there is a rule on E-E to try and avoid such a situation.
 

Author Comment

by:CPUAffinity
ID: 35085598
No more blue screens yet.  
Leew, your site says a file belonging to Altiris Recovery Solution is the culprit.  

Torimar, how did you come to the conclusion it was the agents?
 

Author Comment

by:CPUAffinity
ID: 35085786
Torimar, The Power Manager & Connection Manager I mean, sorry.
 
LVL 95

Expert Comment

by:Lee W, MVP
ID: 35085826
To be fair, it should be the LIKELY culprit.

It does appear that RSAFAL.sys has caused at least 3 of your crashes.  I would (as should have been suggested after the analysis) look at getting an upgrade or even downgrade for that file/the program that uses that file.  Temporarily, you could RENAME the file (RSAFAL.sys.bad) and see what breaks and if the crashing stops.
 

Author Comment

by:CPUAffinity
ID: 35085879
I'll give that a shot if it blue screens again.  That's a great idea.  I know that file belongs to our Altiris Recovery Solution.  I can always reinstall the client software on this laptop.  Unfortunately, this laptop belongs to a member of the outside sales force, so my time with it is limited.
 
LVL 95

Expert Comment

by:Lee W, MVP
ID: 35085952
LogMeIn, GoToAssist, and other options exist for remote management.
 
LVL 35

Accepted Solution

by:torimar
torimar earned 250 total points
ID: 35086363
>>  "Torimar, how did you come to the conclusion it was the agents?"

It wasn't a conclusion, it was a likely conjecture.

In practically all of the dumps the faulting module is either unknown or a system file - which means the faulty module cannot directly be determined. But the process in the context of which the crashes happen is always an HP assistant.
Here's a sample analysis:

Loading User Symbols
Loading unloaded module list
................
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 1000007F, {8, ba350d70, 0, 0}

Probably caused by : ntkrpamp.exe ( nt!KiTrap0E+1c )

Followup: MachineOwner
---------

3: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

UNEXPECTED_KERNEL_MODE_TRAP_M (1000007f)
This means a trap occurred in kernel mode, and it's a trap of a kind
that the kernel isn't allowed to have/catch (bound trap) or that
is always instant death (double fault).  The first number in the
bugcheck params is the number of the trap (8 = double fault, etc)
Consult an Intel x86 family manual to learn more about what these
traps are. Here is a *portion* of those codes:
If kv shows a taskGate
        use .tss on the part before the colon, then kv.
Else if kv shows a trapframe
        use .trap on that value
Else
        .trap on the appropriate frame will show where the trap was taken
        (on x86, this will be the ebp that goes with the procedure KiTrap)
Endif
kb will then show the corrected stack.
Arguments:
Arg1: 00000008, EXCEPTION_DOUBLE_FAULT
Arg2: ba350d70
Arg3: 00000000
Arg4: 00000000

Debugging Details:
------------------


BUGCHECK_STR:  0x7f_8

CUSTOMER_CRASH_COUNT:  2

DEFAULT_BUCKET_ID:  DRIVER_FAULT

PROCESS_NAME:  HPWA_Main.exe

LAST_CONTROL_TRANSFER:  from 9a8d60a8 to 8054453c

STACK_TEXT:  
9a8d6028 9a8d60a8 e4fa4000 00000001 9a8d6160 nt!KiTrap0E+0x1c
WARNING: Frame IP not in any known module. Following frames may be wrong.
804dc640 00000000 805f8a81 00000000 ffffffff 0x9a8d60a8


STACK_COMMAND:  kb

FOLLOWUP_IP: 
nt!KiTrap0E+1c
8054453c 53              push    ebx

SYMBOL_STACK_INDEX:  0

SYMBOL_NAME:  nt!KiTrap0E+1c

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: nt

IMAGE_NAME:  ntkrpamp.exe

DEBUG_FLR_IMAGE_TIMESTAMP:  4d00d46f

FAILURE_BUCKET_ID:  0x7f_8_nt!KiTrap0E+1c

BUCKET_ID:  0x7f_8_nt!KiTrap0E+1c

Followup: MachineOwner
---------

3: kd> r
eax=00000000 ebx=9a8d6080 ecx=e4fa4000 edx=0000000f esi=e4fa4000 edi=e4fa4000
eip=8054453c esp=9a8d6000 ebp=9a8d6028 iopl=0         nv up di pl zr na pe nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010046
nt!KiTrap0E+0x1c:
8054453c 53              push    ebx
3: kd> !thread
GetPointerFromAddress: unable to read from 80562134
THREAD 86566b00  Cid 048c.182c  Teb: 7ff4c000 Win32Thread: e5d469a0 RUNNING on processor 3
IRP List:
    Unable to read nt!_IRP @ 8599a4a8
Not impersonating
GetUlongFromAddress: unable to read from 805621cc
Owning Process            87438020       Image:         HPWA_Main.exe
Attached Process          N/A            Image:         N/A
ffdf0000: Unable to get shared data
Wait Start TickCount      476078       
Context Switch Count      1481                 LargeStack
ReadMemory error: Cannot get nt!KeMaximumIncrement value.
UserTime                  00:00:00.000
KernelTime                00:00:00.000
Win32 Start Address 0x5400b670
Start Address 0x7c8106f9
Stack Init 9a8d9000 Current 9a8d8c20 Base 9a8d9000 Limit 9a8d6000 Call 0
Priority 8 BasePriority 8 PriorityDecrement 0 DecrementCount 16
ChildEBP RetAddr  Args to Child              
9a8d6028 9a8d60a8 e4fa4000 00000001 9a8d6160 nt!KiTrap0E+0x1c (FPO: [0,0] TrapFrame @ 9a8d6028)
WARNING: Frame IP not in any known module. Following frames may be wrong.
804dc640 00000000 805f8a81 00000000 ffffffff 0x9a8d60a8

I cannot confirm the RSAFIL.sys hypothesis at all. That name never occurred in an analysis (once there was a igxpmp32.sys, but never a rsafil.sys). Even an extended analysis with setting a trap on the trapframe revealed no known module:

3: kd> kv
ChildEBP RetAddr  Args to Child              
9a8d6028 9a8d60a8 e4fa4000 00000001 9a8d6160 nt!KiTrap0E+0x1c (FPO: [0,0] TrapFrame @ 9a8d6028)
WARNING: Frame IP not in any known module. Following frames may be wrong.
804dc640 00000000 805f8a81 00000000 ffffffff 0x9a8d60a8
3: kd> .trap 9a8d6028
ErrCode = 00000000
eax=0000001c ebx=80539b10 ecx=80564d20 edx=000000d0 esi=9a8d60e4 edi=8055a1e0
eip=9a8d60a8 esp=e4fa4000 ebp=804dc640 iopl=2     vif nv up di pl nz na pe nc
cs=6ac7  ss=6133  ds=104c  es=8b74  fs=6038  gs=60a8             efl=9a8d612c
6ac7:9a8d60a8 f4              hlt
3: kd> kb
  *** Stack trace for last set context - .thread/.cxr resets it
ChildEBP RetAddr  Args to Child              
WARNING: Frame IP not in any known module. Following frames may be wrong.
804dc640 00000000 805f8a81 00000000 ffffffff 0x9a8d60a8

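To check the reasoning in the accepted solution over a whole set of dumps rather than one, here is an added Python example (not from the thread) that pulls the same !analyze -v fields (PROCESS_NAME, IMAGE_NAME, FAILURE_BUCKET_ID, ...) out of kd logs and tallies them, flagging crashes whose image is a kernel image or unknown and therefore cannot be pinned on a driver. The sample logs are constructed; the first mirrors the analysis above, and example_drv.sys in the second is an invented name.

```python
"""Tally !analyze -v fields across several kd logs.

Added example, not from the thread. Parses the 'FIELD:  value' lines that
!analyze -v prints and reports, per crash, the owning process and whether
the faulting image is one a driver can actually be blamed for.
"""
import re
from collections import Counter
from pathlib import Path

FIELD_RE = re.compile(r"^([A-Z_]+):[ \t]+(.+?)[ \t]*$", re.MULTILINE)
WANTED = ("BUGCHECK_STR", "PROCESS_NAME", "MODULE_NAME", "IMAGE_NAME",
          "FAILURE_BUCKET_ID")
# A crash attributed to one of the kernel images says where the trap was
# caught, not which driver caused it; same for Unknown_Image.
KERNEL_IMAGES = {"ntkrpamp.exe", "ntkrnlpa.exe", "ntkrnlmp.exe", "ntoskrnl.exe"}


def parse_analysis(text):
    """Return the wanted fields from one log plus an 'attributable' flag."""
    fields = {k: v for k, v in FIELD_RE.findall(text) if k in WANTED}
    img = fields.get("IMAGE_NAME", "").lower()
    fields["attributable"] = bool(img) and img not in KERNEL_IMAGES \
        and img != "unknown_image"
    return fields


def summarize(logs):
    """Aggregate parsed logs: crash count, per-process and per-image counts."""
    parsed = [parse_analysis(t) for t in logs]
    return {
        "crashes": len(parsed),
        "processes": Counter(p.get("PROCESS_NAME", "?") for p in parsed),
        "images": Counter(p.get("IMAGE_NAME", "?") for p in parsed),
        "unattributable": sum(not p["attributable"] for p in parsed),
    }


def summarize_dir(log_dir):
    """Summarize every *.txt kd log in a folder (e.g. the per-dump logs)."""
    return summarize(p.read_text(errors="replace")
                     for p in Path(log_dir).glob("*.txt"))


# Constructed sample logs: the first mirrors the thread's analysis, the
# second is invented to show a crash that does name a driver.
SAMPLE_LOGS = [
    "BUGCHECK_STR:  0x7f_8\nPROCESS_NAME:  HPWA_Main.exe\nMODULE_NAME: nt\n"
    "IMAGE_NAME:  ntkrpamp.exe\nFAILURE_BUCKET_ID:  0x7f_8_nt!KiTrap0E+1c\n",
    "BUGCHECK_STR:  0xD1\nPROCESS_NAME:  HPWA_Main.exe\nMODULE_NAME: example_drv\n"
    "IMAGE_NAME:  example_drv.sys\nFAILURE_BUCKET_ID:  0xD1_example_drv+1234\n",
]
```

A run where most crashes are unattributable but share one PROCESS_NAME supports exactly the kind of conjecture made above, while a recurring IMAGE_NAME that is a driver points at that driver instead.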
 
LVL 10

Expert Comment

by:pjasnos
ID: 35089749
Have you run memtest on it?
 http://www.memtest.org/#downiso
(needs to be run for a few hours).
 

Author Comment

by:CPUAffinity
ID: 35094523
The blue screens have stopped with the removal of the HP agents.

Torimar - Did not see your post about using a separate thread, but now see why it was suggested.  My apologies for that.
