How do I read minidumps?

Status
Not open for further replies.

Vigilante

Hey I want to pick some brains. It's more about a BSOD, but here goes.

I get a LOT of PCs that end up with a BSOD of 0X0000008E
Sometimes they have a message, sometimes they don't. Usually like "IRQ_NOT_LESS_OR_EQUAL" or maybe "IRQL_...". Something like that.

I just happened to get this BSOD, with no message, while editing in Photoshop CS. Just up and crashes for no apparent reason. Here are the details:

0X0000008E ( 0XC0000005, 0XBF90752C,0XB9B774D0, 0X0 )
win32k.sys ... address BF90752C ... base BF800000

So then, upon a restart, I get the "recovered from serious error" message like XP does (XP Pro btw). So I send an error report and it comes back blaming a device driver. But gives no clues.

This is the first BSOD I've had in a LONG time, so it's not like it happens regularly. Probably just a freak thing. But you never know.

It gave me the locations of the files that it was going to send in the error report, those files were:

C:\DOCUME~1\user\LOCALS~1\Temp\WERab95.dir00\Mini081605-01.dmp
C:\DOCUME~1\user\LOCALS~1\Temp\WERab95.dir00\sysdata.xml

Neither of those files/folders existed when I looked. sysdata.xml did not exist anywhere. And I found the minidump in the Windows directory.
---------------------------------------------

Now that being said, because I deal with a lot of BSODs in my work, I'd like to get started being able to analyze a minidump file. Sure it may have been a device driver that caused it and it might not have been. Maybe XP is guessing. But it did blame the win32k.sys file.
I open the minidump in Notepad or Wordpad and it is just all code for the most part.

So my question is, do any of you have a system, or a method, by which to troubleshoot BSODs and read minidump files? I know that those addresses in the BSOD say things like what is the calling address? Was it a read or write operation? And the like. Is that information even important? I mean, once I restart, what difference does it make what part of memory made the call?

So then oh wise ones, how do I take the info in a BSOD, and read a minidump, and get any kind of useful information? How could I really track down what driver is the culprit, if any?

thanks
 
Send a PM to cpc2004, he is the forum 'guru' as far as dumps are concerned.
He'd be able to put you on the right track.

I've had only 1 BSOD ever (8E, same as you) since I installed XP-Pro/SP2 (7 May, 2005).
I rebooted and ignored it. Been fine since.

In my W2K/SP4 from October 2002 (!), which is still running, I've had maybe 3-4 BSODs over all those years. I think W2K is a lot more stable than XP.
 
1) Download and install the Debugging Tools from Microsoft: http://www.microsoft.com/whdc/devtools/debugging/installx86.mspx
2) Locate your latest memory.dmp file - C:\WINDOWS\Minidump\Mini081505-01.dmp or whatever
3) open a CMD prompt and cd\program files\debugging tools for windows\
4) type the following stuff:
Code:

c:\program files\debugging tools>kd -z C:\WINDOWS\Minidump\Mini081505-01.dmp
(it will spew a bunch)
kd> .logopen c:\debuglog.txt
kd> .sympath srv*c:\symbols*http://msdl.microsoft.com/download/symbols
kd> .reload;!analyze -v;r;kv;lmnt;.logclose;q

5) You now have a debuglog.txt in c:\, open it in notepad and post the content here
 
Thanks Zephead, I've come across that site before, guess I'll have to do some reading.

Thanks RBS, this dumb 0x8E I get so often. And what is microsoft's wise advice? Well basically swap ALL your hardware and reload. Well thanks!

And cpc2004, I hope you don't like memorize this stuff. lol. Thanks for getting started, I downloaded and installed the tools, pretty handy. I don't think the symbols path was right cause it gave an error in the log. But here is the log anyway as an attachment.

I'm learning, keep them suggestions rolling! CPC, if you could be verbose in your explaining my log file, it will help me understand.

Thanks guys.
 

Attachments

  • debuglog.txt
    20.2 KB · Views: 239
OK, I created the folder and retyped the original commands.

How come you said type the commands within "windbg"? When we used a command called "kd" originally. What's the diff between windbg and kd?

Here is the new log file, no symbol error.
 

Attachments

  • debuglog.txt
    20.2 KB · Views: 155
Thanks for the link. I'll be reading it!

Well I guess the only diff betwix "windbg" and "kd" is that one is graphical. Hey I learned something already!
 
Vigilante said:
OK, I created the folder and retyped the original commands.

How come you said type the commands within "windbg"? When we used a command called "kd" originally. What's the diff between windbg and kd?

Here is the new log file, no symbol error.

I believe that it is faulty RAM.
 
Sorry to take so long. But anyhoo, why do you say that? I've never had the error before or after this one time. So how could it be faulty RAM? I'd like to think I've got pretty high quality parts in here. Could something else have happened and made it look like bad RAM? Like swap file corruption or overheat issues?

If you could take the time to pull out the few lines of the log you are reading and tell me what about them makes you think RAM.
Thanks.
 
From the stack trace, Windows crashes at xxxUpdateThreadsWindows, which is Task Manager. I don't have the source code of this module. Unless it is a stack overlaid by a faulty device driver. Task Manager does not fail unless there is a hardware error such as RAM, CPU or motherboard. Windows debugging is not as easy as you think.

STACK_TEXT:
b9b77554 bf9077e8 e2ee32b0 bbefd2d0 c9040961 win32k!xxxUpdateThreadsWindows+0x46
b9b775a4 bf9082a0 e2ee32b0 b9b775c4 00000001 win32k!xxxDrawDragRect+0x258
b9b775d4 bf90823b e27c10a8 027b01ac e2ee32b0 win32k!xxxTM_MoveDragRect+0x65
b9b77610 bf907d62 bbf1c420 00000200 00000001 win32k!xxxMS_TrackMove+0x4a6
b9b776ac bf868420 bbf1c420 00000009 02760367 win32k!xxxMoveSize+0x483
b9b776e4 bf80a3eb bbf1c420 0000f012 02760367 win32k!xxxSysCommand+0x18c
b9b77744 bf80f504 bbf1c420 00000112 0000f012 win32k!xxxRealDefWindowProc+0xc97
b9b7775c bf823b33 bbf1c420 00000112 0000f012 win32k!xxxWrapRealDefWindowProc+0x16
b9b77778 bf80f74b bbf1c420 00000112 0000f012 win32k!NtUserfnNCDESTROY+0x27
b9b777b0 804de7ec 000f072a 00000112 0000f012 win32k!NtUserMessageCall+0xae
b9b777b0 7c90eb94 000f072a 00000112 0000f012 nt!KiFastCallEntry+0xf8
 
I don't want to learn how to debug applications. But I'd at least try to find out what module crashes. In other words, if I can trace it to a driver file, DLL or other file that actually gives me any clue. That would be good.

I realise you're really smart about debugging Windows, I guess maybe you were a programmer once, or are? Or where did you learn what means what? And no offense, but it seems like almost every time you debug a minidump, you almost always say it's RAM. And often turns out not to be. So I guess minidumps can be really confusing too. Which is fine.

One last question though, cause I want to know: In that STACK_TEXT of mine, how do you know it was the updatethreadswindows that crashed? I don't see any special characters to mark it. I cause cause the memory address?

Thanks for your help though.
 
Hi,

Even Microsoft cannot provide an answer that is 100% correct. Most of the system crashes reported at this forum are actually faulty RAM and most of my answers are correct. I also resolve problems at another forum which is not free. Most of their system crashes are related to software. It is a remarkable result if you can resolve half of the BSOD problems.

Refer to the following cases; they are related to device drivers.
https://www.techspot.com/vb/showthread.php?p=193142#post193142
https://www.techspot.com/vb/topic33343.html
https://www.techspot.com/vb/topic16994-pg12.html&pp=20
https://www.techspot.com/vb/topic16994-pg9.html&pp=20
https://www.techspot.com/vb/showthread.php?p=164285#post164285
https://www.techspot.com/vb/topic17691-pg14.html&pp=20
https://www.techspot.com/vb/topic16994-pg7.html&pp=20

Faulty hardware not related to RAM:
https://www.techspot.com/vb/topic32555.html
https://www.techspot.com/vb/showthread.php?p=187505#post187505
https://www.techspot.com/vb/topic16994-pg9.html&pp=20
https://www.techspot.com/vb/showthread.php?p=163666#post163666
 
Hi folks, I'm really new to this and a bit of a dinosaur.
Sorry if I'm not in the right area.
Can some kind person look at my dump files and let me know if the easiest thing would be to just throw out the equipment due to many BSODs,
which is IBM thinkpad T20
XP Pro SP2
Intel Pentium iii
696 Mhz
512 MB Ram
tks brgds
 

Attachments

  • Mini092405-02.txt
    88 KB · Views: 36
  • Mini092405-01.txt
    88 KB · Views: 10
  • Mini092405-03.txt
    88 KB · Views: 6
Vigilante said:
I don't want to learn how to debug applications. But I'd at least try to find out what module crashes. In other words, if I can trace it to a driver file, DLL or other file that actually gives me any clue. That would be good.

I realise you're really smart about debugging Windows, I guess maybe you were a programmer once, or are? Or where did you learn what means what? And no offense, but it seems like almost every time you debug a minidump, you almost always say it's RAM. And often turns out not to be. So I guess minidumps can be really confusing too. Which is fine.

One last question though, cause I want to know: In that STACK_TEXT of mine, how do you know it was the updatethreadswindows that crashed? I don't see any special characters to mark it. I cause cause the memory address?

Thanks for your help though.
TRAP_FRAME: b9b774d0 -- (.trap ffffffffb9b774d0)
.trap ffffffffb9b774d0
ErrCode = 00000000
eax=e341f6a8 ebx=e27c10a8 ecx=bbe47220 edx=b9b77548 esi=0000029e edi=b4040d3b
eip=bf90752c esp=b9b77544 ebp=b9b77554 iopl=0 nv up ei pl zr na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00050246
win32k!xxxUpdateThreadsWindows+0x46:
bf90752c 8b762c mov esi,[esi+0x2c] ds:0023:000002ca=????????
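
How the numbers on the blue screen tie to the trap frame and to the first line of the stack listing, as an added example that is not code from any poster in this thread. The sample text is copied from the posts above; the function name `triage` and the 64 KB "low address" threshold are assumptions of this sketch, and the parameter order is the documented one for bug check 0x8E (exception code, faulting address, trap frame, reserved).

```python
import re

# Text copied from this thread: the blue-screen lines from the first post and
# the trap frame posted later. Nothing here is newly captured data.
SAMPLE = """\
0X0000008E ( 0XC0000005, 0XBF90752C,0XB9B774D0, 0X0 )
win32k.sys ... address BF90752C ... base BF800000
TRAP_FRAME: b9b774d0 -- (.trap ffffffffb9b774d0)
eax=e341f6a8 ebx=e27c10a8 ecx=bbe47220 edx=b9b77548 esi=0000029e edi=b4040d3b
eip=bf90752c esp=b9b77544 ebp=b9b77554 iopl=0 nv up ei pl zr na po nc
win32k!xxxUpdateThreadsWindows+0x46:
bf90752c 8b762c mov esi,[esi+0x2c] ds:0023:000002ca=????????
"""

STATUS_ACCESS_VIOLATION = 0xC0000005
LOW_ADDRESS_LIMIT = 0x10000  # assumption: treat the first 64 KB as "near NULL"


def triage(text):
    """Cross-check the 0x8E bug check parameters against the trap frame."""
    args = re.search(r"0X0*8E\s*\(([^)]*)\)", text, re.I)
    if not args:
        raise ValueError("no 0x8E bug check line found")
    # 0x8E parameters: exception code, faulting address, trap frame, reserved
    code, fault, trap, _ = (int(p, 16) for p in args.group(1).split(","))
    base = int(re.search(r"base\s+([0-9a-f]{8})", text, re.I).group(1), 16)
    frame = int(re.search(r"TRAP_FRAME:\s+([0-9a-f]{8})", text).group(1), 16)
    regs = {r: int(v, 16) for r, v in re.findall(r"\b(e[a-z]{2})=([0-9a-f]{8})", text)}
    symbol = re.search(r"^(\w+!\w+\+0x[0-9a-f]+):$", text, re.M).group(1)
    # Memory operand of the faulting instruction, e.g. [esi+0x2c]
    reg, disp = re.search(r"\[(e[a-z]{2})\+0x([0-9a-f]+)\]", text).groups()
    target = regs[reg] + int(disp, 16)
    return {
        "access_violation": code == STATUS_ACCESS_VIOLATION,
        "fault_is_trap_eip": fault == regs["eip"],
        "trap_frame_matches": trap == frame,
        "module_offset": fault - base,       # offset inside win32k.sys
        "faulting_symbol": symbol,
        "read_target": target,               # address the instruction read from
        "low_address": target < LOW_ADDRESS_LIMIT,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(key, hex(value) if type(value) is int else value)
```

The second bug check parameter equals `eip` in the trap frame, and the symbol the debugger prints for that address is the same one on the first line of the STACK_TEXT listing; no special marker is needed to identify the faulting frame.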
 
Hi guys, hey 'cpc2004'!
I have problems with my machine for some time now.

MSI 845PEMax2
P4, 2.8 GHz, FSB 533Mhz (Northwood)
2x Kingston KVR333X64C25/512
MSI 6600GT-VTD128 (AGP)
Maxtor 6L040J2 (2 partitions, System & Games) and 6Y080L0 (Storage) HDDs
M-Audio Delta 2496

from hanging up when playing games, to restarts within a frame to blue screens during boot up and even blue screens when installing WinXPProSP2 after formatting HDD, all 'randomly'.
it's getting me puke: by now !
I thought it must have something to do with my RAM, or so.
I tested around, switching RAM slots, put one out etc... it seemed like the 1st and 2nd RAM-slots on the MoBo were broken, cause both modules worked fine on the 3rd one.
I just bought the latest MSI 478 board (875P Neo FISR) but the problems continue as above.

I have 3 minidumps from the last few days, written into debuglogs.
it may discover my black sheeps, hopefully.
thx in advance,
ernesto
 

Attachments

  • debuglog_Mini100205-01.txt
    14.7 KB · Views: 26
Hi there

I just formatted my PC and added some new parts. I was playing Oblivion and went in the menu to exit the game. It like jammed and a few sec after a BSOD popped up. Bad Pool Header with 0x00000019. Attached is the dump file with your steps. Hope you can help me cpc or someone else :'(

Cheers
 

Attachments

  • BSOD.txt
    4.9 KB · Views: 12
RealBlackStuff said:
Send a PM to cpc2004, he is the forum 'guru' as far as dumps are concerned.
He'd be able to put you on the right track.

I've had only 1 BSOD ever (8E, same as you) since I installed XP-Pro/SP2 (7 May, 2005).
I rebooted and ignored it. Been fine since.

In my W2K/SP4 from October 2002 (!), which is still running, I've had maybe 3-4 BSODs over all those years. I think W2K is a lot more stable than XP.


Thanks. Will start learning to read minidumps....
 
cpc2004 said:
1) Download and install the Debugging Tools from Microsoft: http://www.microsoft.com/whdc/devtools/debugging/installx86.mspx
2) Locate your latest memory.dmp file - C:\WINDOWS\Minidump\Mini081505-01.dmp or whatever
3) open a CMD prompt and cd\program files\debugging tools for windows\
4) type the following stuff:
Code:

c:\program files\debugging tools>kd -z C:\WINDOWS\Minidump\Mini081505-01.dmp
(it will spew a bunch)
kd> .logopen c:\debuglog.txt
kd> .sympath srv*c:\symbols*http://msdl.microsoft.com/download/symbols
kd> .reload;!analyze -v;r;kv;lmnt;.logclose;q

5) You now have a debuglog.txt in c:\, open it in notepad and post the content here

Thanks. Am going to try it!
 
I have been having the same issue too. I will go ahead and try using the debugging tools again. I basically changed HD, PSU, RAM, FAN and Video Card, still I'm getting a lot of BSODs.
 