Using dump files to analyze the cause of a system blue screen


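Source: /746253/709702

Contents

1 What is a dump file

2 How to make the system record a dump file when it crashes

3 Using Debugging Tools for Windows (WinDbg) to analyze dump files

3.1 What is WinDbg

3.2 Installing the latest version of WinDbg (online installation)

3.3 Configuring the symbol file path for WinDbg

3.4 Analyzing the dump file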

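1 What is a dump file

At the moment the system crashes with a blue screen, it writes a memory dump file with the extension .dmp. The default location is C:\WINDOWS\Minidump.

2 How to make the system record a dump file when it crashes

A. Right-click "My Computer" and choose "Properties", then select "Advanced" in the "System Properties" dialog.

B. Under "Startup and Recovery", click "Settings". The specific settings are shown in the figure below.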

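3 Using Debugging Tools for Windows (WinDbg) to analyze dump files

3.1 What is WinDbg

WinDbg is a very capable source-level debugger released by Microsoft. It supports kernel-mode and user-mode debugging, and it can also debug dump files.

3.2 Installing the latest version of WinDbg (online installation)

A. Download it from /download/en/details.aspx?displaylang=en&id=8279

B. Install .NET Framework 2.0

C. Run the winsdk_web.exe downloaded in step A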

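3.3 Configuring the symbol file path for WinDbg

Setting a symbol path for WinDbg improves the accuracy of dump file analysis and yields more useful error information.

A. Download the version you need from /en-us/windows/hardware/gg463028.aspx

B. Install the downloaded symbol files

3.4 Analyzing the dump file

The detailed output is as follows: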

Loading Dump File [C:\Documents and Settings\test-pc\桌面\dump文件\Mini102011-01.dmp]

Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is:

C:\WINDOWS\Symbols;SRV*C:\Windows\symbols*/download/symbols

Executable search path is:

Windows XP Kernel Version 2600 (Service Pack 3) MP (4 procs) Free x86 compatible

Product: WinNt, suite: TerminalServer SingleUserTS

Built by: 2600.xpsp_sp3_gdr.101209-1647

Machine Name:

Kernel base = 0x804d8000 PsLoadedModuleList = 0x8055e720

Debug session time: Thu Oct 20 14:37:16.343 2011 (UTC + 8:00)

System Uptime: 0 days 0:00:43.312

Loading Kernel Symbols

...............................................................

..........................................

Loading User Symbols

Loading unloaded module list

....

*** WARNING: Unable to verify timestamp for nv4_disp.dll

*** ERROR: Module load completed but symbols could not be loaded for nv4_disp.dll

*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 100000EA, {88a18908, 88ced810, b84fbcbc, 1}

ERROR - could not read driver name for bugcheck parameter 3

Probably caused by : nv4_disp.dll ( nv4_disp+28526 )

Followup: MachineOwner

---------

3: kd> !analyze -v

*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

THREAD_STUCK_IN_DEVICE_DRIVER_M (100000ea)

The device driver is spinning in an infinite loop, most likely waiting for

hardware to become idle. This usually indicates problem with the hardware

itself or with the device driver programming the hardware incorrectly.

If the kernel debugger is connected and running when watchdog detects a

timeout condition then DbgBreakPoint() will be called instead of KeBugCheckEx()

and detailed message including bugcheck arguments will be printed to the

debugger. This way we can identify an offending thread, set breakpoints in it,

and hit go to return to the spinning code to debug it further. Because

KeBugCheckEx() is not called the .bugcheck directive will not return bugcheck

information in this case. The arguments are already printed out to the kernel

debugger. You can also retrieve them from a global variable via

"dd watchdog!g_WdBugCheckData l5" (use dq on NT64).

On MP machines it is possible to hit a timeout when the spinning thread is

interrupted by hardware interrupt and ISR or DPC routine is running at the time

of the bugcheck (this is because the timeout's work item can be delivered and

handled on the second CPU and the same time). If this is the case you will have

to look deeper at the offending thread's stack (e.g. using dds) to determine

spinning code which caused the timeout to occur.

Arguments:
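
When many minidumps have to be triaged, the summary lines of the output above (the BugCheck code with its four parameters, and the "Probably caused by" line) can be extracted with a short script. The following Python code is an added example, not part of the original article; the function name triage, the result keys and the "unsymbolized" heuristic are assumptions of this example, and the sample text is constructed from the output shown above.

```python
import re

# Constructed sample: summary lines copied from the WinDbg output above.
SAMPLE = """\
*** WARNING: Unable to verify timestamp for nv4_disp.dll
*** ERROR: Module load completed but symbols could not be loaded for nv4_disp.dll
Use !analyze -v to get detailed debugging information.
BugCheck 100000EA, {88a18908, 88ced810, b84fbcbc, 1}
ERROR - could not read driver name for bugcheck parameter 3
Probably caused by : nv4_disp.dll ( nv4_disp+28526 )
Followup: MachineOwner
"""

BUGCHECK = re.compile(r"^BugCheck\s+([0-9A-Fa-f]+),\s*\{([^}]*)\}", re.M)
CAUSE = re.compile(r"^Probably caused by\s*:\s*(\S+)\s*\(\s*([^)]*?)\s*\)", re.M)
NO_SYMBOLS = re.compile(
    r"^\*\*\* ERROR: Module load completed but symbols could not be loaded for (\S+)",
    re.M)


def triage(text):
    """Return the bugcheck summary found in WinDbg output, or None if absent."""
    bc = BUGCHECK.search(text)
    if bc is None:
        return None
    summary = {
        "code": int(bc.group(1), 16),
        # Bugcheck parameters are printed as bare hex, without a 0x prefix.
        "params": [int(p, 16) for p in bc.group(2).split(",") if p.strip()],
        "module": None,
        "location": None,
        "unsymbolized": False,
    }
    cause = CAUSE.search(text)
    if cause:
        summary["module"], summary["location"] = cause.group(1), cause.group(2)
        # Heuristic of this example: if the blamed module had no symbols,
        # the location is a raw module+offset and deserves a second look.
        missing = {m.lower() for m in NO_SYMBOLS.findall(text)}
        summary["unsymbolized"] = cause.group(1).lower() in missing
    return summary


if __name__ == "__main__":
    s = triage(SAMPLE)
    print(f"0x{s['code']:08X} {s['module']} at {s['location']} "
          f"(symbols missing: {s['unsymbolized']})")
```

For this dump the blamed module is also the one WinDbg could not load symbols for, so the location stays a raw module+offset rather than a function name.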
