How to read Memory Dump file

The debugging information can be written to different file formats (also known as memory dump files) when your computer stops unexpectedly because of a Stop error (also known as a "blue screen," system crash, or bug check). We can also configure Windows not to write debugging information to a memory dump file.

Windows can generate any one of the following memory dump file types:
•Complete memory dump
•Kernel memory dump
•Small memory dump (64 KB)

Configure the dump type

To configure startup and recovery options (including the dump type), follow these steps.

Click Start, and then click Control Panel.

  1. Click Performance and Maintenance, and then click System.
  2. On the Advanced tab, click Settings under Startup and Recovery.
Tool Required to read memory dump file.
1. Install the debugging tools(Windbg)

Select the Typical installation. By default, the installer installs the debugging tools in the following folder:
C:\Program Files\Debugging Tools for Windows

Note: You must have symbol information when you debug applications with various Microsoft tools. Symbol files provide a footprint of the functions that are contained in executable files and dynamic-link libraries (DLLs). Additionally, symbol files can present a roadmap of the function calls that lead to the point of failure. For example, you must have the symbols when you dump call stacks inside a debugger.

You can use the following symbol path:


you can download symbols locally to your system and set path in Windbg.
To know more about symbols :
Steps to read dump file.
1. Open Windbg.exe from Start -> All Programs -> Debugging Tools for Windows -> windbg.exe

2. Set symbols path to Windbg.exe
    Press Ctrl+S then set SRV*c:\symbols*

3. Open memory dump file by pressing Ctrl+D then select the dump file where you have saved.

Now dump has been open its time to diagnose the root cause of the blue screen dump.

type  !analyze -v or click on !analyze -v as shown in given below screen shot

After putting command we will get sample output (given output as per my dump file).

1: kd> !analyze -v
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *

An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high.  This is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arg1: 00000004, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000000, value 0 = read operation, 1 = write operation
Arg4: 888c3b02, address which referenced memory

Debugging Details:

READ_ADDRESS:  00000004
888c3b02 8b4b04          mov     ecx,dword ptr [ebx+4]

TRAP_FRAME:  8a77fbac -- (.trap 0xffffffff8a77fbac)
ErrCode = 00000000
eax=00000000 ebx=00000000 ecx=888cf970 edx=878ecd60 esi=85fc1028 edi=888cf970
eip=888c3b02 esp=8a77fc20 ebp=8a77fc2c iopl=0         nv up ei ng nz na pe nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010286
888c3b02 8b4b04          mov     ecx,dword ptr [ebx+4] ds:0023:00000004=????????
Resetting default scope

LAST_CONTROL_TRANSFER:  from 888c3b02 to 82c5e7eb
8a77fbac 888c3b02 badb0d00 878ecd60 8a77fbc8 nt!KiTrap0E+0x2cf
8a77fc2c 8ec535c1 00000000 8a77fc44 8ec3863f ndis!NdisFreeTimerObject+0x18
8a77fc38 8ec3863f 878ecf30 8a77fc50 8ec3dcac athr!ieee80211_scan_detach+0xa1
8a77fc44 8ec3dcac 878ecd60 8a77fc68 8ec3dc5f athr!StaFreeScanContext+0x5f
8a77fc50 8ec3dc5f 878ecd60 c000009a 878ecd60 athr!Sta11FreeStation+0x2c
8a77fc68 8ec3013e 85bd2778 8a77fc7c 00000001 athr!Sta11AllocateStation+0xef
8a77fc88 8ec2969c 85bd2778 00000001 8a77fca0 athr!Port11AllocatePort+0x4e
8a77fcc4 8ec29598 85bd2778 8a78738c 85bd2778 athr!MpCreateMacHandler+0x9c
8a77fcdc 8888e30a 85bd2778 85dcf0b0 8a77fd00 athr!MpOidRequestWorkItem+0x38
8a77fcec 82e387b5 85fc1028 85dcf0b0 84bd76d0 ndis!ndisDispatchIoWorkItem+0xf
8a77fd00 82c85f2b 860c9a88 00000000 84bd76d0 nt!IopProcessWorkItem+0x23
8a77fd50 82e2666d 00000000 abfd662f 00000000 nt!ExpWorkerThread+0x10d
8a77fd90 82cd80d9 82c85e1e 00000000 00000000 nt!PspSystemThreadStartup+0x9e
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x19

8ec535c1 5d              pop     ebp

SYMBOL_NAME:  athr!ieee80211_scan_detach+a1
FOLLOWUP_NAME:  MachineOwner
IMAGE_NAME:  athr.sys
FAILURE_BUCKET_ID:  0xD1_athr!ieee80211_scan_detach+a1
BUCKET_ID:  0xD1_athr!ieee80211_scan_detach+a1
Followup: MachineOwner

athr is a culprit file market in blue color. It depends on your how to resolve the problem. I have checked athr is related with wireless network card drive so I uninstalled the driver, now problem has been resolved.

No comments:

Post a Comment