Windows : Dump Analysis using WinDbg Tool
Dump Analysis in Windows:
First of all, there are three types of dump that can be configured in Windows:
Complete memory dump - A complete memory dump records all the contents of system memory when your computer stops unexpectedly.
Kernel memory dump - A kernel memory dump records only the kernel memory. This speeds up the process of recording information in a log when your computer stops unexpectedly.
Small memory dump - A small memory dump records the smallest set of useful information that may help identify why your computer stopped unexpectedly.
Secondly, Windows can be configured to generate only one kind of dump file when an unexpected shutdown occurs. To configure it, open Advanced System Settings in Computer Properties and select the appropriate option in the Startup and Recovery settings section, as shown in the image on the left.
Finally, in this scenario the system is configured to write an event to the system log and to generate a kernel memory dump in the C:\Windows location.
WinDbg Tool for Dump Analysis:
Now our system has generated a dump during its unexpected shutdown. Let's see how to analyze it. There is a tool called WinDbg, which is available as a free download from Microsoft.com. The tool has operating-system-specific versions: if you are analyzing a Windows 7 dump, you have to download the Windows 7 version of WinDbg, and likewise for other versions.
The installation is pretty straightforward; you only need to select Debugging Tools when the options page comes up. I will upload a video on this so that it will be easier to understand.
Once the tool is installed, launch it from the Start menu.
Actual Dump Analysis using WinDbg Tool:
Now we have the tool installed and a MEMORY.DMP file generated on the affected system. To analyze the dump we need to launch WinDbg and load the symbols first. Symbols are a mandatory requirement for analysis; Microsoft provides a link to download them directly into the debugging tool. Without symbols the debugger may not be able to understand what is in the dump file.
To configure symbols, open the File menu, click Symbol File Path and enter the online location of the symbols: srv*https://msdl.microsoft.com/download/symbols
Lastly, open the memory dump file using the Open Crash Dump option from the File menu; the output is as follows. Remember that without symbols the output will be different.
Send the !analyze -v command to the debugger for detailed analysis.
In this case the unexpected reboot was caused by a Windows driver; notice the DEFAULT_BUCKET_ID. Let's see which driver it is.
The driver is related to Symantec AutoProtect, and it caused this unexpected shutdown/reboot.
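As an added example (not from the original post), the PowerShell script below does the same checks in one go: it reads the Startup and Recovery settings from the CrashControl registry key to confirm which dump type is configured and where it will be written, then runs !analyze -v non-interactively through cdb (the console counterpart of WinDbg) and picks out DEFAULT_BUCKET_ID and the faulting module name. The cdb install path and the local symbol cache folder in the symbol path are assumptions.

```powershell
# Added example, not code from the original post.
# Assumes the Debugging Tools install path below and a dump at C:\Windows\MEMORY.DMP as in the article.
$CrashControl = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'
$DumpTypes = @{ 0 = 'None'; 1 = 'Complete memory dump'; 2 = 'Kernel memory dump';
                3 = 'Small memory dump'; 7 = 'Automatic memory dump' }

function Get-CrashDumpConfig {
    # Step 1: confirm what Startup and Recovery is set to, straight from the registry.
    $cc = Get-ItemProperty -Path $CrashControl
    [pscustomobject]@{
        DumpType   = $DumpTypes[[int]$cc.CrashDumpEnabled]
        DumpFile   = if ($cc.DumpFile) { $cc.DumpFile } else { '%SystemRoot%\MEMORY.DMP (default)' }
        LogEvent   = [bool]$cc.LogEvent      # "Write an event to the system log"
        AutoReboot = [bool]$cc.AutoReboot    # "Automatically restart"
    }
}

function Invoke-DumpTriage {
    param(
        [string]$DumpPath   = 'C:\Windows\MEMORY.DMP',
        # Local cache folder C:\Symbols is an assumption; the public symbol server is the one from the article.
        [string]$SymbolPath = 'srv*C:\Symbols*https://msdl.microsoft.com/download/symbols',
        # Assumed install path of the Debugging Tools for Windows.
        [string]$Cdb        = 'C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\cdb.exe'
    )
    # Step 2: open the crash dump with the symbol path set, run !analyze -v, then quit.
    $output = & $Cdb -z $DumpPath -y $SymbolPath -c '!analyze -v; q' 2>&1

    # Step 3: pull out the fields the article reads by eye (bucket id, faulting module, process).
    $result = [ordered]@{ Dump = $DumpPath }
    foreach ($line in $output) {
        if ("$line" -match '^\s*(DEFAULT_BUCKET_ID|BUGCHECK_STR|MODULE_NAME|IMAGE_NAME|PROCESS_NAME):\s*(.+?)\s*$') {
            $result[$Matches[1]] = $Matches[2]
        }
    }
    [pscustomobject]$result
}

Get-CrashDumpConfig
Invoke-DumpTriage
```

Run it in an elevated PowerShell on the affected system (or point -DumpPath at a copied MEMORY.DMP on an analysis box); the IMAGE_NAME field is the driver file you would then look up, as the article does for the Symantec AutoProtect driver.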
This is how we do dump analysis / root cause analysis in Windows using the WinDbg tool.
To do dump analysis, a system must be configured with Startup and Recovery options.
The dump will be generated according to the settings configured on the system.
A tool called WinDbg is used for dump analysis.
Symbols are a must for dump analysis.
Load the MEMORY.DMP file into the debugger and find the root cause very easily.