Windows : Dump Analysis using WinDbg Tool

Hey folks, I'm back with another interesting topic from the regular work life of a Windows administrator: dump analysis using the WinDbg tool. I found it very difficult when I was first assigned this task, but by now I do dump analysis very comfortably. Experience really matters, guys!!!

Dump Analysis in Windows:


First of all, there are three classic types of dump that can be configured in Windows (newer releases add two more: Windows 8 / Server 2012 introduced the Automatic memory dump, and Windows 10 / Server 2016 the Active memory dump, but the three below are the ones you will meet on most servers):

Complete memory dump - A complete memory dump records all the contents of physical memory when your computer stops unexpectedly. It is the largest file and needs a page file (or dedicated dump file) on the system drive roughly as big as the installed RAM.

Kernel memory dump - A kernel memory dump records only kernel-mode memory (the kernel, HAL, drivers and kernel pools), not user-mode process memory. This makes the file smaller and speeds up writing it when your computer stops unexpectedly, and it is normally enough to identify a faulting driver.

Small memory dump - A small memory dump (minidump, a few hundred kilobytes) records the smallest set of useful information that may help identify why your computer stopped unexpectedly: the bug check code and parameters, the list of loaded drivers and the stack of the crashing thread. Minidumps are written to %SystemRoot%\Minidump, one file per crash.

Secondly, you can only configure Windows to generate one kind of dump file when an unexpected shutdown occurs. To configure it, open Advanced System Settings in Computer Properties and select the appropriate option in the Startup and Recovery settings section, as shown in the screenshot. The same settings live in the registry under HKLM\SYSTEM\CurrentControlSet\Control\CrashControl, which is handy when you want to check or set them on many servers at once.

Keep in mind that a kernel or complete dump is a copy of memory: it can contain credentials, keys and other secrets that were in RAM at the time of the crash. Protect MEMORY.DMP with restrictive NTFS permissions, keep it off shares everybody can read, and do not send it to a vendor over an untrusted channel.

Finally, in this scenario the system is configured to write an event to the System log and to generate a kernel memory dump in C:\Windows (the default file name is %SystemRoot%\MEMORY.DMP).
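As an added example (not part of the original post), here is a PowerShell script that reads and sets the same Startup and Recovery settings through the CrashControl registry key, so the configuration can be audited or rolled out with a script instead of clicking through the dialog on every server. The value names and the meaning of CrashDumpEnabled are the documented ones; the dump file path and log location are assumptions you can change.

```powershell
# Added example, not from the original post: inspect and set the crash-dump
# configuration that the Startup and Recovery dialog stores in the registry.
# CrashDumpEnabled: 0 = none, 1 = complete, 2 = kernel, 3 = small (minidump),
# 7 = automatic (Windows 8 / Server 2012 and later). Run from an elevated shell;
# some changes only take effect after a restart.

$crashControl = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'

function Get-CrashDumpConfig {
    $p = Get-ItemProperty -Path $crashControl
    $names = @{ 0 = 'None'; 1 = 'Complete memory dump'; 2 = 'Kernel memory dump'
                3 = 'Small memory dump'; 7 = 'Automatic memory dump' }
    [pscustomobject]@{
        DumpType    = $names[[int]$p.CrashDumpEnabled]
        DumpFile    = $p.DumpFile        # REG_EXPAND_SZ, e.g. %SystemRoot%\MEMORY.DMP
        MinidumpDir = $p.MinidumpDir
        LogEvent    = [bool]$p.LogEvent  # "Write an event to the system log"
        AutoReboot  = [bool]$p.AutoReboot
        Overwrite   = [bool]$p.Overwrite # keep only the latest MEMORY.DMP
    }
}

function Set-KernelDumpConfig {
    param(
        [string]$DumpFile = '%SystemRoot%\MEMORY.DMP',   # assumed default path
        [switch]$NoAutoReboot
    )
    # 2 = kernel memory dump, matching the scenario in the post
    Set-ItemProperty -Path $crashControl -Name CrashDumpEnabled -Value 2 -Type DWord
    Set-ItemProperty -Path $crashControl -Name DumpFile -Value $DumpFile -Type ExpandString
    Set-ItemProperty -Path $crashControl -Name LogEvent -Value 1 -Type DWord
    Set-ItemProperty -Path $crashControl -Name Overwrite -Value 1 -Type DWord
    Set-ItemProperty -Path $crashControl -Name AutoReboot -Value ([int](-not $NoAutoReboot)) -Type DWord
}

# Show what the box is configured for right now
Get-CrashDumpConfig

# Uncomment to switch the machine to a kernel dump written to C:\Windows\MEMORY.DMP
# Set-KernelDumpConfig
```

Remember that a kernel dump still needs a page file on the system drive large enough to hold kernel memory; if the page file is disabled or moved to another volume, the settings above will not produce a dump.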

WinDbg Tool for Dump Analysis:


Now our system has generated a dump during its unexpected shutdown. Let's see how to analyze it. The tool is WinDbg, which Microsoft provides free of charge as part of Debugging Tools for Windows (a component of the Windows SDK; the newer WinDbg is also available from the Microsoft Store). A current release of the debugger can open dumps from earlier Windows versions, so it is normally best to install the latest one rather than hunting for a version that matches the crashed system; what has to match is the symbols, which the debugger fetches for the exact build found in the dump.


The installation is pretty straightforward; you only need to select Debugging Tools for Windows when the feature selection page comes up. I will upload a video on this so that it will be easier to understand.



Once the tool is installed, launch it from the Start menu.

Actual Dump Analysis using WinDbg Tool:


Now we have our tool installed and a MEMORY.DMP file generated on the affected system. In order to analyze the dump we need to launch WinDbg and configure the symbol path first. Symbols are mandatory for a meaningful analysis: Microsoft runs a public symbol server from which the debugger downloads them on demand. Without symbols the debugger cannot map addresses in the dump to module and function names, so the stack and the !analyze output are mostly unresolved addresses.

To configure symbols, open the File menu, click Symbol File Path (Ctrl+S) and enter the online symbol server location "srv*https://msdl.microsoft.com/download/symbols". Adding a local cache directory, for example "srv*C:\Symbols*https://msdl.microsoft.com/download/symbols", keeps a copy of every downloaded symbol file so later analyses are faster and work offline. The same setting can be made from the command window with .sympath followed by .reload. Expect warnings about missing symbols for third-party drivers; those are not on Microsoft's server, and the Microsoft modules around them still resolve.


Lastly, open the memory dump with Open Crash Dump (Ctrl+D) from the File menu. The debugger loads the dump, downloads the symbols it needs and prints a summary that ends with the bug check code and the hint "Use !analyze -v to get detailed debugging information". Remember that without symbols the output will look different and much of it will be unresolved addresses.


Send the !analyze -v command to the debugger for a detailed analysis.


In this case the unexpected reboot was caused by a Windows driver. Notice the DEFAULT_BUCKET_ID field and, further down, MODULE_NAME and IMAGE_NAME, which name the module !analyze holds responsible; let's see which driver it is.


The driver belongs to Symantec AutoProtect, and it caused this unexpected shutdown/reboot. To confirm the vendor and version of the blamed module, run lmvm followed by the module name; the debugger prints the image path, the link timestamp and, when the image's version resources are available, the company and product name. Keep in mind that !analyze names the module that was executing, or whose memory was touched, when the bug check happened. With pool corruption or a bad filter chain the named driver can be a victim rather than the culprit, so treat the bucket as a strong lead, check whether the driver is current, and turn to Driver Verifier if the crash repeats with different modules in the bucket.
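As an added example (not from the original post), the same steps can be scripted: kd.exe from Debugging Tools for Windows opens the kernel dump, runs !analyze -v, writes a log and quits, and a little PowerShell pulls the bucket, module and image fields out of the log and then asks the debugger for lmvm details on the blamed module. The debugger switches used (-z, -y, -c, -logo) and the field names are the real ones; the install path, dump path, cache directory and log location are assumptions. Use cdb.exe in place of kd.exe for user-mode (process) dumps.

```powershell
# Added example, not from the original post: headless dump analysis with kd.exe
# followed by extraction of the !analyze -v fields. Paths are assumptions.

$kd      = 'C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\kd.exe'   # assumed install path
$dump    = 'C:\Windows\MEMORY.DMP'                                          # kernel dump from the crash
$symPath = 'srv*C:\Symbols*https://msdl.microsoft.com/download/symbols'     # local cache + Microsoft symbol server
$log     = 'C:\Temp\analyze.log'                                            # assumed log location

function Invoke-DumpCommand {
    param([string]$DumpFile, [string]$LogFile, [string]$Commands)
    # -z: open a crash dump, -y: symbol path, -logo: start a fresh log file,
    # -c: commands to run once the dump is loaded (end with q so kd exits)
    & $kd -z $DumpFile -y $symPath -logo $LogFile -c "$Commands; q" | Out-Null
    Get-Content -Path $LogFile -Raw
}

function Get-AnalyzeFields {
    param([string]$Text)
    # Single-line fields that !analyze -v prints as NAME:  value
    $wanted = 'BUGCHECK_CODE', 'BUGCHECK_STR', 'DEFAULT_BUCKET_ID', 'FAILURE_BUCKET_ID',
              'MODULE_NAME', 'IMAGE_NAME', 'PROCESS_NAME'
    $fields = [ordered]@{}
    foreach ($line in $Text -split "`r?`n") {
        if ($line -match '^\s*(?<key>[A-Z0-9_]+):\s+(?<val>\S.*)$' -and $wanted -contains $Matches.key) {
            $fields[$Matches.key] = $Matches.val.Trim()
        }
    }
    [pscustomobject]$fields
}

# Step 1: the same thing as File > Open Crash Dump followed by !analyze -v
$report = Get-AnalyzeFields -Text (Invoke-DumpCommand -DumpFile $dump -LogFile $log -Commands '!analyze -v')
$report | Format-List

# Step 2: who ships the blamed module? lmvm prints image path, timestamp and,
# when the image's version resources are in the dump, CompanyName/ProductName.
if ($report.MODULE_NAME) {
    $lmvm = Invoke-DumpCommand -DumpFile $dump -LogFile "$log.lmvm" -Commands "lmvm $($report.MODULE_NAME)"
    $lmvm -split "`r?`n" | Select-String -Pattern 'Image path|Image name|Timestamp|CompanyName|ProductName|FileVersion'
}
```

Running the analysis this way makes it easy to process a batch of minidumps or to keep the log next to the ticket, and the extracted FAILURE_BUCKET_ID is a good key for grouping crashes across many servers: the same bucket on several machines usually means the same driver build.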

This is how we do Dump Analysis / Root Cause Analysis in Windows using Windbg tool.

Conclusion:


To do dump analysis, a system must be configured with the startup and recovery options before the crash happens.

The dump is generated according to the settings configured on the system.

A tool called WinDbg is used for dump analysis.

Symbols are a must for dump analysis.

Load the MEMORY.DMP file into the debugger, run !analyze -v and find the root cause.
