Note that Chapter 14 (Part Two of the book) thoroughly covers the use of NotMyFault and, more importantly, crash dump analysis.
WARNING: Using NotMyFault will create a system crash and while I’ve never seen a problem using the tool, there are no guarantees in life, especially in computers. So, prepare your system and have anyone who needs access to it log off for a few minutes. Save any files that contain information that you might otherwise lose and close all applications. Properly prepared, the machine should go down and reboot, and both a minidump and a kernel (or whatever size you select) dump should be created.
Opening a dump file
Locating a dump file
Dump files in Windows systems are located in two places, depending upon which type you open:
- All dump files except minidumps: c:\Windows\MEMORY.DMP
- Minidumps: c:\Windows\Minidump\[Minidump names vary]
Note that, unlike the other dump files that are named MEMORY.DMP, minidumps are automatically individually named so that previous files are not overwritten, which is fine since they are so small.
Open a dump file
To open the file you’ve selected, go to File | Open Crash Dump.
If you see the following, STOP:
*** WARNING: Unable to verify timestamp for ntoskrnl.exe
*** ERROR: Module load completed but symbols could not be loaded for ntoskrnl.exe
This is important. When you see these two messages near the beginning of the output from WinDbg, it means that you will not get the analysis that you need. This is confirmed after the “Bugcheck Analysis” is automatically run, and the message below is displayed.
***** Kernel symbols are WRONG. Please fix symbols to do analysis
Likely causes follow:
- No path/wrong path; a path to the symbol files has not been set or the path is incorrect (look for typos such as a blank white space). Check the Symbol Path (see Setting symbol file path above.)
- Failed connection; check your internet connection to make sure it is working properly.
- Access blocked; a firewall blocked access to the symbol files or the files were damaged during retrieval. Make sure that no firewall is blocking access to msdl.microsoft.com (it may only be allowing access to www.microsoft.com).
Note that if a firewall initially blocks WinDbg from downloading a symbol table, it can result in a corrupted file. If unblocking the firewall and attempting to download the symbol file again does not work, the file remains damaged. The quickest fix is to close WinDbg, delete the symbols folder (which you most likely set at c:\symbols), and unblock the firewall. Next, reopen WinDbg and open a dump file. The debugger will recreate the folder and re-download the symbols. Do not go further with your analysis until this is corrected.
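The checks above (dump file locations, a mistyped symbol path, a blocked or failed connection to msdl.microsoft.com, and a damaged symbol cache) can be run before opening WinDbg. The following PowerShell script is an added example and is not part of the original article or of WinDbg; it assumes the default dump locations given above, a symbol cache at C:\symbols (change $SymbolCache if you chose another folder), that the symbol path is held in the _NT_SYMBOL_PATH environment variable rather than only in the WinDbg UI, and that Test-NetConnection is available (Windows 8 / Server 2012 or later). Treating zero-length files in the cache as the damaged ones is a heuristic of mine, not something the article states.

```powershell
# Added pre-flight checks before opening a crash dump in WinDbg.
# Assumptions: default dump paths from the article, cache at C:\symbols,
# symbol path in _NT_SYMBOL_PATH, Test-NetConnection available.
param(
    [string]$SymbolCache = 'C:\symbols'
)

# 1. Locate dump files. Everything except a minidump goes to MEMORY.DMP (one
#    file, overwritten on the next crash); minidumps get unique names.
$kernelDump = Join-Path $env:SystemRoot 'MEMORY.DMP'
$miniDir    = Join-Path $env:SystemRoot 'Minidump'

if (Test-Path $kernelDump) {
    $f = Get-Item $kernelDump
    Write-Host ("Kernel/complete dump: {0} ({1:N0} MB, written {2})" -f $f.FullName, ($f.Length / 1MB), $f.LastWriteTime)
} else {
    Write-Host "No MEMORY.DMP found in $env:SystemRoot"
}

if (Test-Path $miniDir) {
    Get-ChildItem -Path $miniDir -Filter '*.dmp' |
        Sort-Object LastWriteTime -Descending |
        ForEach-Object { Write-Host ("Minidump: {0} ({1:N0} KB, written {2})" -f $_.Name, ($_.Length / 1KB), $_.LastWriteTime) }
} else {
    Write-Host "No Minidump folder found in $env:SystemRoot"
}

# 2. Symbol path. The article's first suspect is a missing path or a typo
#    such as a stray blank, so check for both.
$symPath = $env:_NT_SYMBOL_PATH
if ([string]::IsNullOrEmpty($symPath)) {
    Write-Warning "_NT_SYMBOL_PATH is not set; set it (or File | Symbol File Path in WinDbg), e.g. srv*$SymbolCache*https://msdl.microsoft.com/download/symbols"
} else {
    Write-Host "_NT_SYMBOL_PATH = '$symPath'"
    if ($symPath -match '\s') {
        Write-Warning "Symbol path contains whitespace; WinDbg will not resolve it."
    }
    if ($symPath -notmatch 'msdl\.microsoft\.com') {
        Write-Warning "Symbol path does not reference msdl.microsoft.com; public Microsoft symbols will not download."
    }
}

# 3. Reachability of the Microsoft symbol server over HTTPS. A failure here
#    points at the article's second and third suspects (connection, firewall).
$net = Test-NetConnection -ComputerName 'msdl.microsoft.com' -Port 443 -WarningAction SilentlyContinue
if ($net.TcpTestSucceeded) {
    Write-Host "msdl.microsoft.com:443 reachable"
} else {
    Write-Warning "msdl.microsoft.com:443 NOT reachable; check the connection and any firewall rule that only allows www.microsoft.com"
}

# 4. Symbol cache. A download cut off by a firewall can leave a damaged file;
#    zero-length files are the easy case to spot (heuristic, my assumption).
if (Test-Path $SymbolCache) {
    $empty = Get-ChildItem -Path $SymbolCache -Recurse -File | Where-Object { $_.Length -eq 0 }
    if ($empty) {
        Write-Warning ("{0} zero-length file(s) in {1}; close WinDbg, delete the cache folder, unblock the firewall and let WinDbg re-download." -f @($empty).Count, $SymbolCache)
        $empty | ForEach-Object { Write-Host "  $($_.FullName)" }
    } else {
        Write-Host "No zero-length files in $SymbolCache"
    }
} else {
    Write-Host "Symbol cache $SymbolCache does not exist yet (WinDbg creates it on first download)"
}
```

Run it from an elevated PowerShell prompt (reading MEMORY.DMP's attributes normally needs administrator rights). Any warning it prints corresponds to one of the three likely causes listed above; fix that cause before opening the dump, since the "Kernel symbols are WRONG" analysis is useless until symbols load.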