Using dump files to analyze the cause of a system blue screen


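1 What is a dump file

When the system crashes, at the moment of the blue screen it generates a memory dump file with the .dmp extension. The default storage location is C:\WINDOWS\Minidump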

 

 

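2 How to make the system record a dump file when it crashes

A. Right-click "My Computer" and choose "Properties", then select "Advanced" in the "System Properties" dialog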


B. Under "Startup and Recovery" choose "Settings"; the specific settings are shown in the screenshot below

[Screenshot: Startup and Recovery settings]

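3 Using Debugging Tools for Windows (WinDbg) to analyze dump files

3.1 What is WinDbg

WinDbg is an excellent source-level debugging tool released by Microsoft. It can be used for kernel-mode debugging and user-mode debugging, and it can also debug dump files.

3.2 Installing the latest version of WinDbg (this method is an online installation)

A. Download from http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=8279

B. Install .NET Framework 2.0

C. Run the winsdk_web.exe downloaded in step A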


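3.3 Configuring the WinDbg symbol file path

Setting the symbol path in WinDbg improves the accuracy of dump file analysis and gives us more valuable error information.

A. Download the version you need from http://msdn.microsoft.com/en-us/windows/hardware/gg463028.aspx

B. Install the downloaded symbol files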


3.4 Analyzing the dump file


The full output is as follows:

Loading Dump File [C:\Documents and Settings\test-pc\桌面\dump文件\Mini102011-01.dmp]

Mini Kernel Dump File: Only registers and stack trace are available

 

Symbol search path is: C:\WINDOWS\Symbols;SRV*C:\Windows\symbols*http://msdl.microsoft.com/download/symbols

Executable search path is:

Windows XP Kernel Version 2600 (Service Pack 3) MP (4 procs) Free x86 compatible

Product: WinNt, suite: TerminalServer SingleUserTS

Built by: 2600.xpsp_sp3_gdr.101209-1647

Machine Name:

Kernel base = 0x804d8000 PsLoadedModuleList = 0x8055e720

Debug session time: Thu Oct 20 14:37:16.343 2011 (UTC + 8:00)

System Uptime: 0 days 0:00:43.312

Loading Kernel Symbols

...............................................................

..........................................

Loading User Symbols

Loading unloaded module list

....

*** WARNING: Unable to verify timestamp for nv4_disp.dll

*** ERROR: Module load completed but symbols could not be loaded for nv4_disp.dll

*******************************************************************************

*                                                                             *

*                        Bugcheck Analysis                                    *

*                                                                             *

*******************************************************************************

 

Use !analyze -v to get detailed debugging information.

 

BugCheck 100000EA, {88a18908, 88ced810, b84fbcbc, 1}

 

ERROR - could not read driver name for bugcheck parameter 3

 

Probably caused by : nv4_disp.dll ( nv4_disp+28526 )

 

Followup: MachineOwner

---------

 

3: kd> !analyze -v

*******************************************************************************

*                                                                             *

*                        Bugcheck Analysis                                    *

*                                                                             *

*******************************************************************************

 

THREAD_STUCK_IN_DEVICE_DRIVER_M (100000ea)

The device driver is spinning in an infinite loop, most likely waiting for

hardware to become idle. This usually indicates problem with the hardware

itself or with the device driver programming the hardware incorrectly.

If the kernel debugger is connected and running when watchdog detects a

timeout condition then DbgBreakPoint() will be called instead of KeBugCheckEx()

and detailed message including bugcheck arguments will be printed to the

debugger. This way we can identify an offending thread, set breakpoints in it,

and hit go to return to the spinning code to debug it further. Because

KeBugCheckEx() is not called the .bugcheck directive will not return bugcheck

information in this case. The arguments are already printed out to the kernel

debugger. You can also retrieve them from a global variable via

"dd watchdog!g_WdBugCheckData l5" (use dq on NT64).

On MP machines it is possible to hit a timeout when the spinning thread is

interrupted by hardware interrupt and ISR or DPC routine is running at the time

of the bugcheck (this is because the timeout's work item can be delivered and

handled on the second CPU and the same time). If this is the case you will have

to look deeper at the offending thread's stack (e.g. using dds) to determine

spinning code which caused the timeout to occur.

Arguments:

Arg1: 88a18908, Pointer to a stuck thread object.  Do .thread then kb on it to find

the hung location.

Arg2: 88ced810, Pointer to a DEFERRED_WATCHDOG object.

Arg3: b84fbcbc, Pointer to offending driver name.

Arg4: 00000001, Number of times "intercepted" bugcheck 0xEA was hit (see notes).

 

Debugging Details:

------------------

 

ERROR - could not read driver name for bugcheck parameter 3

 

 

FAULTING_THREAD:  88a18908

 

FAULTING_IP:

nv4_disp+28526

bd03a526 ??              ???

 

IMAGE_NAME:  nv4_disp.dll

 

DEBUG_FLR_IMAGE_TIMESTAMP:  4bb7e5d1

 

MODULE_NAME: nv4_disp

 

FAULTING_MODULE: bd012000 nv4_disp

 

DEFAULT_BUCKET_ID:  GRAPHICS_DRIVER_FAULT

 

CUSTOMER_CRASH_COUNT:  1

 

BUGCHECK_STR:  0xEA

 

PROCESS_NAME:  csrss.exe

 

LAST_CONTROL_TRANSFER:  from e3a33010 to bd03a526

 

STACK_TEXT: 

WARNING: Stack unwind information not available. Following frames may be wrong.

b816758c e3a33010 e3a33010 e3a33010 00000080 nv4_disp+0x28526

b8167590 e3a33010 e3a33010 00000080 bd04e0b0 0xe3a33010

b8167594 e3a33010 00000080 bd04e0b0 00000000 0xe3a33010

b8167598 00000000 bd04e0b0 00000000 00000000 0xe3a33010

 

 

STACK_COMMAND:  .thread 0xffffffff88a18908 ; kb

 

FOLLOWUP_IP:

nv4_disp+28526

bd03a526 ??              ???

 

SYMBOL_STACK_INDEX:  0

 

SYMBOL_NAME:  nv4_disp+28526

 

FOLLOWUP_NAME:  MachineOwner

 

FAILURE_BUCKET_ID:  0xEA_IMAGE_nv4_disp.dll_DATE_2010_04_04

 

BUCKET_ID:  0xEA_IMAGE_nv4_disp.dll_DATE_2010_04_04

 

Followup: MachineOwner

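From the parts of the output marked in red, we can determine that this blue screen was caused by the graphics card driver (nv4_disp.dll, the module named in the "Probably caused by" line).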
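When many minidumps have to be triaged, the saved WinDbg text can be summarized by script instead of read by eye. The Python below is an added example, not part of the original article: the `summarize` helper is hypothetical, and the embedded sample is constructed from lines of the output above. It extracts the bugcheck code and arguments, the blamed module and the driver build date, and flags results that WinDbg itself marked as unreliable.

```python
import re
from datetime import datetime, timezone

# Constructed sample: key lines copied from the WinDbg output shown above.
SAMPLE = r"""
*** ERROR: Module load completed but symbols could not be loaded for nv4_disp.dll
BugCheck 100000EA, {88a18908, 88ced810, b84fbcbc, 1}
Probably caused by : nv4_disp.dll ( nv4_disp+28526 )
IMAGE_NAME:  nv4_disp.dll
DEBUG_FLR_IMAGE_TIMESTAMP:  4bb7e5d1
DEFAULT_BUCKET_ID:  GRAPHICS_DRIVER_FAULT
PROCESS_NAME:  csrss.exe
STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
FAILURE_BUCKET_ID:  0xEA_IMAGE_nv4_disp.dll_DATE_2010_04_04
"""

BUGCHECK = re.compile(r"^BugCheck\s+([0-9A-Fa-f]+),\s*\{([^}]*)\}", re.M)
CULPRIT = re.compile(r"^Probably caused by\s*:\s*(\S+)", re.M)
FIELD = re.compile(r"^([A-Z_]+):[ \t]+(\S.*)$", re.M)
WANTED = {"IMAGE_NAME", "DEFAULT_BUCKET_ID", "PROCESS_NAME",
          "FAILURE_BUCKET_ID", "DEBUG_FLR_IMAGE_TIMESTAMP"}

def summarize(text):
    """Return a triage summary (hypothetical helper) for one analysis transcript."""
    out = {"low_confidence": False}
    m = BUGCHECK.search(text)
    if m:
        out["code"] = int(m.group(1), 16)
        out["args"] = [int(a, 16) for a in m.group(2).split(",")]
    m = CULPRIT.search(text)
    if m:
        out["probably_caused_by"] = m.group(1)
    for key, value in FIELD.findall(text):
        if key in WANTED:
            out.setdefault(key, value.strip())
    # The image timestamp is seconds since the Unix epoch: the driver's build date.
    if "DEBUG_FLR_IMAGE_TIMESTAMP" in out:
        ts = int(out["DEBUG_FLR_IMAGE_TIMESTAMP"], 16)
        out["driver_build_utc"] = datetime.fromtimestamp(ts, timezone.utc).date().isoformat()
    # WinDbg prints these when it is guessing: no symbols, or no unwind data.
    if ("symbols could not be loaded" in text
            or "Stack unwind information not available" in text):
        out["low_confidence"] = True
    return out

if __name__ == "__main__":
    for k, v in summarize(SAMPLE).items():
        print(f"{k}: {v}")
```

The `low_confidence` flag matters here: the transcript above has no symbols for nv4_disp.dll and no unwind data, so the stack frames after the first one may be wrong, as WinDbg's own warning says.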
