How do I read minidumps?

By Vigilante
Aug 17, 2005
Topic Status:
Not open for further replies.
  1. Hey I want to pick some brains. It's more about a BSOD, but here goes.

    I get a LOT of PCs that end up with a BSOD of 0X0000008E
    Sometimes they have a message, sometimes they don't. Usualy like "IRQ_NOT_LESS_OR_EQUAL" or maybe "IRQL_...". Something like that.

    I just happened to get this BSOD, with no message, while editing in Photoshop CS. Just up and crashes for no apparent reason. Here is the details:

    0X0000008E ( 0XC0000005, 0XBF90752C,0XB9B774D0, 0X0 )
    win32k.sys ... address BF90752C ... base BF800000

    So then, upon a restart, I get the "recovered from serious error" message like XP does (XP Pro btw). So I send an error report and it comes back blaming a device driver. But gives no clues.

    This is the first BSOD I've had in a LONG time, so it's not like it happens regularly. Probably just a freak thing. But you never know.

    It gave me the locations of the files that it was going to send in the error report, those files were:

    C:\DOCUME~1\user\LOCALS~1\Temp\WERab95.dir00\Mini081605-01.dmp
    C:\DOCUME~1\user\LOCALS~1\Temp\WERab95.dir00\sysdata.xml

    Neither of those files/folders existed when I looked. sysdata.xml did not exist anywhere. And I found the minidump in the Windows directory.
    ---------------------------------------------

    Now that being said, because I deal with a lot of BSODs in my work, I'd like to get started being able to analyze a minidump file. Sure it may have been a device driver that caused it and it might not have been. Maybe XP is guessing. But it did blame the win32k.sys file.
    I open the minidump in Notepad or Wordpad and it is just all code for the most part.

    So my question is, do any of you have a system, or a method, by which to troubleshoot BSODs and read minidump files? I know that those address in the BSOD say things like what is the calling address? Was it a read or write operation? And the like. Is that information even important? I mean, once I restart, what different does it make what part of memory made the call?

    So then oh wise ones, how do I take the info in a BSOD, and read a minidump, and get any kind of usefull information? How could I really track down what driver is the culprit, if any?

    thanks
  2. zephead

    zephead TechSpot Paladin Posts: 2,483

  3. RealBlackStuff

    RealBlackStuff Newcomer, in training Posts: 8,165

    Send a PM to cpc2004, he is the furum 'guru' as far as dumps are concerned.
    He'd be able to put you on the right track.

    I've had only 1 BSOD ever (8E, same as you) since I installed XP-Pro/SP2 (7 May, 2005).
    I rebooted and ignored it. Been fine since.

    In my W2K/SP4 from October 2002 (!), which is still running, I've had maybe 3-4 BSODs over all those years. I think W2K is a lot more stable than XP.
  4. cpc2004

    cpc2004 Newcomer, in training Posts: 2,044

    1) Download and install the http://www.microsoft.com/whdc/devtools/debugging/installx86.mspx
    Debugging Tools from Microsoft[/url]
    2) Locate your latest memory.dmp file- C:\WINDOWS\ Minidump\Mini081505-01.dmp or whatever
    3) open a CMD prompt and cd\program files\debugging tools for windows\
    4) type the following stuff:
    Code:

    c:\program files\debugging tools>kd -z C:\WINDOWS\ Minidump\Mini081505-01.dmp
    (it will spew a bunch)
    kd> .logopen c:\debuglog.txt
    kd> .sympath srv*c:\symbols*http://msdl.microsoft.com/download/symbols
    kd> .reload;!analyze -v;r;kv;lmnt;.logclose;q

    5) You now have a debuglog.txt in c:\, open it in notepad and post the content here
  5. Vigilante

    Vigilante TechSpot Paladin Topic Starter Posts: 2,120

    Thanks Zephead, I've come across that site before, guess I'll have to do some reading.

    Thanks RBS, this dumb 0x8E I get so often. And what is microsoft's wise advice? Well basically swap ALL your hardware and reload. Well thanks!

    And cpc2004, I hope you don't like memorize this stuff. lol. Thanks for getting started, I downloaded and installed the tools, pretty handy. I don't think the symbols path was right cause it gave an error in the log. But here is the log anyway as an attachment.

    I'm learning, keep them suggestions rolling! CPC, if you could be verbose in your explaining my log file, it will help me understand.

    Thanks guys.

    Attached Files:

  6. cpc2004

    cpc2004 Newcomer, in training Posts: 2,044

    Create the folder c:\symbols

    use the following command within windbg and it will fix the symbol problem.
    .sympath srv*c:\symbols*http://msdl.microsoft.com/download/symbols
    .reload
    !analyze -v

    Attach the output here
  7. Vigilante

    Vigilante TechSpot Paladin Topic Starter Posts: 2,120

    OK, I created the folder and retyped the original commands.

    How come you said type the commands within "windbg"? When we used a command called "kd" originally. Whats the diff between windbg and kd?

    Here is the new log file, no symbol error.

    Attached Files:

  8. Liquidlen

    Liquidlen TechSpot Paladin Posts: 1,646

  9. Vigilante

    Vigilante TechSpot Paladin Topic Starter Posts: 2,120

    Thanks for the link. I'll be reading it!

    Well I guess the only diff betwix "windbg" and "kd" is that one is graphical. Hey I learned something already!
  10. Vigilante

    Vigilante TechSpot Paladin Topic Starter Posts: 2,120

    Hey CPC, need lesson 4 bro....
  11. cpc2004

    cpc2004 Newcomer, in training Posts: 2,044

    I believe that it is faulty RAM.
  12. Vigilante

    Vigilante TechSpot Paladin Topic Starter Posts: 2,120

    Sorry to take so long. But anyhoo, why do you say that? I've never had the error before or after this one time. So how could it be faulty RAM? I'd like to think I've got pretty high quality parts in here. Could something else have happened and made it look like bad RAM? Like swap file corruption or overheat issues?

    If you could take the time to pull out the few lines of the log you are reading and tell me what about them makes you think RAM.
    Thanks.
  13. cpc2004

    cpc2004 Newcomer, in training Posts: 2,044

    From the stack trace, windows crashes at xxxUpdateThreadsWindows which is task manager. I don't have source code of this module. Unless it is stack overlaid by faulty device driver. The task manager does not fail unless hardware error such as ram, CPU or motherboard. Windows debugging is not as easy as what you think.

    STACK_TEXT:
    b9b77554 bf9077e8 e2ee32b0 bbefd2d0 c9040961 win32k!xxxUpdateThreadsWindows+0x46
    b9b775a4 bf9082a0 e2ee32b0 b9b775c4 00000001 win32k!xxxDrawDragRect+0x258
    b9b775d4 bf90823b e27c10a8 027b01ac e2ee32b0 win32k!xxxTM_MoveDragRect+0x65
    b9b77610 bf907d62 bbf1c420 00000200 00000001 win32k!xxxMS_TrackMove+0x4a6
    b9b776ac bf868420 bbf1c420 00000009 02760367 win32k!xxxMoveSize+0x483
    b9b776e4 bf80a3eb bbf1c420 0000f012 02760367 win32k!xxxSysCommand+0x18c
    b9b77744 bf80f504 bbf1c420 00000112 0000f012 win32k!xxxRealDefWindowProc+0xc97
    b9b7775c bf823b33 bbf1c420 00000112 0000f012 win32k!xxxWrapRealDefWindowProc+0x16
    b9b77778 bf80f74b bbf1c420 00000112 0000f012 win32k!NtUserfnNCDESTROY+0x27
    b9b777b0 804de7ec 000f072a 00000112 0000f012 win32k!NtUserMessageCall+0xae
    b9b777b0 7c90eb94 000f072a 00000112 0000f012 nt!KiFastCallEntry+0xf8
     
  14. Vigilante

    Vigilante TechSpot Paladin Topic Starter Posts: 2,120

    I don't want to learn how to debug applications. But I'd at least try to find out what module crashes. In other words, if I can trace it to a driver file, DLL or other file that actually gives me any clue. That would be good.

    I realise you're really smart about debugging Windows, I guess mabye you were a programmer once, or are? Or where did you learn what means what? And no offense, but it seems like almost every time you debug a minidump, you almost always say it's RAM. And often turns out not to be. So I guess minidumps can be really confusing too. Which is fine.

    One last question though, cause I want to know: In that STACK_TEXT of mine, how do you know it was the updatethreadswindows that crashed? I don't see any special characters to mark it. I cause cause the memory address?

    Thanks for your help though.
  15. cpc2004

    cpc2004 Newcomer, in training Posts: 2,044

    Hi,

    Even microsoft cannot provide the answer 100% correct. Most of system crashes reported at this forum are actually faulty ram and most of my answers are correct. I also resolve problem at another forum which are not free. Most of the their system crashes are related to software. It is remarkable result, if you can resolve half of the BSOD problem.

    Refer to the following case, they are related to device driver.
    http://www.techspot.com/vb/showthread.php?p=193142#post193142
    http://www.techspot.com/vb/topic33343.html
    http://www.techspot.com/vb/topic16994-pg12.html&pp=20
    http://www.techspot.com/vb/topic16994-pg9.html&pp=20
    http://www.techspot.com/vb/showthread.php?p=164285#post164285
    http://www.techspot.com/vb/topic17691-pg14.html&pp=20
    http://www.techspot.com/vb/topic16994-pg7.html&pp=20

    Faulty hardware not relate to ram
    http://www.techspot.com/vb/topic32555.html
    http://www.techspot.com/vb/showthread.php?p=187505#post187505
    http://www.techspot.com/vb/topic16994-pg9.html&pp=20
    http://www.techspot.com/vb/showthread.php?p=163666#post163666
  16. 42ongo

    42ongo Newcomer, in training

    Hi Folks I m really new to this and a bit of a dinosaur
    sorry if I m not in the right area
    can some kind person look at my dump files and let me know if the easiest thing would be just throw out the equipment due many BSOD
    which is IBM thinkpad T20
    XP Pro SP2
    Intel Pentium iii
    696 Mhz
    512 MB Ram
    tks brgds

    Attached Files:

  17. cpc2004

    cpc2004 Newcomer, in training Posts: 2,044

    TRAP_FRAME: b9b774d0 -- (.trap ffffffffb9b774d0)
    .trap ffffffffb9b774d0
    ErrCode = 00000000
    eax=e341f6a8 ebx=e27c10a8 ecx=bbe47220 edx=b9b77548 esi=0000029e edi=b4040d3b
    eip=bf90752c esp=b9b77544 ebp=b9b77554 iopl=0 nv up ei pl zr na po nc
    cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00050246
    win32k!xxxUpdateThreadsWindows+0x46:
    bf90752c 8b762c mov esi,[esi+0x2c] ds:0023:000002ca=????????
  18. Ernest Shackelt

    Ernest Shackelt Newcomer, in training

    hi guys, hey 'cpc2004'!
    i have problems with my machine for some time now.

    MSI 845PEMax2
    P4, 2.8 GHz, FSB 533Mhz (Northwood)
    2x Kingston KVR333X64C25/512
    MSI 6600GT-VTD128 (AGP)
    Maxtor 6L040J2 (2 partitions, System & Games) and 6Y080L0 (Storage) HDDs
    M-Audio Delta 2496

    from hanging up when playing games, to restarts within a frame to blue screens during boot up and even blue screens when installing WinXPProSP2 after formatting HDD, all 'randomly'.
    it's getting me puke: by now !
    i thought it must have something to do with my RAM, or so.
    i tested around, switching RAM slots, put one out etc... it seemed like the 1st and 2nd RAM-slots on the MoBo were broken, cause both modules worked fine on the 3rd one.
    i just bought the latest MSI 478 board (875P Neo FISR) but the problems continue as above.

    i have 3 minidumps from the last few days, written into debuglogs.
    it may discover my black sheeps, hopefully.
    thx in advance,
    ernesto

    Attached Files:

  19. cpc2004

    cpc2004 Newcomer, in training Posts: 2,044

    Hi,

    Open a new thread if you want me to help you.
  20. Ernest Shackelt

    Ernest Shackelt Newcomer, in training

    :eek:
    well, if you say so...
    i'm on it
  21. DfraGG3r

    DfraGG3r Newcomer, in training

    Hi there

    I just formatted my pc and added some new parts. I was playing oblivion and went in the menu to exit the game. It like jammed and few sec after a bsod popped up. Bad Pool Header with 0x00000019. Attached is the dump file with your steps. jope you can help me cpc or someone else :'(

    Cheers

    Attached Files:

  22. gila

    gila Newcomer, in training


    Thanks. Willstart learning to read minidumps....
  23. gila

    gila Newcomer, in training

    Thanks. Am going to try it!
  24. sanrick

    sanrick Newcomer, in training

    I have been having the same issue too. I will go ahead and try using the debugging tools again. I basically changed HD, PSU, RAM, FAN and Video Card, still I'm getting a lot of BSODs.
  25. Tedster

    Tedster Techspot old timer..... Posts: 10,067   +13

    This thread needs to be a sticky!
Topic Status:
Not open for further replies.


Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...


Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.