Sunday, 18 December 2011

How to Analyze Windows Memory Dump


How to Analyze the Memory Dump



Welcome back guys :)

Today here I am going to explain about how to analyze the memory dump.
As in my previous post I have describe to you: How to create memory dump and where you can find that dump file.
Let’s say you have configured a memory dump on a server and server got unexpected down with BSOD.

Now you need to go to the default location i.e. %SystemRoot%\Memory.dmp for the memory dump file.
You can find the memory.dmp as below.











This memory.dmp file is the dump file for complete dump. Now you need to analyze it ;)
There are bundle of software in the market for the same, some are free of cost and some are licensed.
Microsoft has tool that we can use to analyze the memory dump on Microsoft platforms called as windows debugger (dbg_x86_6.11.1.404). You can download it from here.

After downloading the debugger you need to do little bit configuration before analyzing the dump.










Now you need to configure the symbol path for it. Before doing it just do the following
  1.      Create a folder named “symbols” without quotes in the root drive.
  2.      Open the Windbg and then go to FileàSymbol file path.
  3.     Set the path to “SRV*c:\symbols*http://msdl.microsoft.com/download/symbols “without quotes.
Symbol Path:- Symbol files provide a footprint of the functions that are contained in executable files and dynamic-link libraries (DLLs).Additionally, symbol files can present a roadmap of the function calls that lead to the point of failure.
Now the configuration is done, now you need to open the dump file in the debugger.

Now you need to open dump file , To do this goto File-->Open Crash Dump


















After you open the Memory.dmp, it will make some calculation and load the symbols as below.




























Now you need to write the command "!analyze -v " to get the details

After this command you will get the details about the reason behind the Crash :)

The reason for the crash was fltmgr.sys file.

As you all are System Admins so you must have good google search skills,Now just google it and get the reason for the same.
I have found the reason and the there is some Hotfix from Microsoft for this error.

http://support.microsoft.com/kb/955087

This is How we can Analyze the dump.Please comment if you need any other help from my side.

No comments:

Post a Comment

Note: only a member of this blog may post a comment.