Of what use are WinXP/Win2k memory dumps?

[Antoneo]

Now, when windows suffers a blue screen of death soft error (or could that be due to a hard one as well?), it says it is dumping the memory. Just what exactly is Windows doing? Is the information inside of the memory dump useful; can someone tell me what they are able to do with that? I imagine developers/programmers can figure out what is wrong with their programs with it but is the dump of any worth of the average user who has a little background of C++?

I'm sorry if this is one of those "duh!!" questions but for those of you who have the key let me in on the secret.

 

[TJ69]

I used the dumps once to isolate some bad hardware or software on my system. There is a dumpchk utility which helps you decode the information.

You can read more here:
http://support.microsoft.com/default.aspx?kbid=315263

 

[TGHI]

I can't remember the URL, but it was in the MSDN that I saw all of the codes for blue screen errors in Win2k...though I am not sure how you get Win2k to crash. The only time I can get it to crash is when overclocking gets to far (usually too hard on the RAM) and Read/Write access fails, in which case memory addresses are unable to be accessed propely and the log is filled with such errors (eg, 0x9900FF write failure).

PS: Windows is written in C++, but compiled in Assembly. It's quite painful.

 

[imported_Phil]

Originally posted by: TGHI

PS: Windows is written in C++, but compiled in Assembly. It's quite painful.

So are a large proportion of the programs on the market. If it was written in C++ and compiled in C++ then it would just be C++. Not a program.

Antoneo: you want to speak to dclive, he debugs minidumps a lot and should be able to tell you what's wrong.

 

[Nothinman]

PS: Windows is written in C++, but compiled in Assembly. It's quite painful.

Technically everything is compiled to assembly before it's assembled into a binary and linked, what's your point?

 

[Arcanedeath]

The Memory dumps or the Blue screens tell you what caused the problem if you can interpret them correctly.

 

[kaziasif78]

Blue screen error has error codes say 0x0000007f etc this error codes have different meanings,Let me know whether u removed running hard disk from any of the system and placed in another system.

 

[Smilin]

No, a memory dump isn't much use to an average users. Even someone with quite a bit of C++ knowledge won't find it very helpful. The dump isn't typically viewed in assembler either although you can unassemble code from within the debugger. Debugging crash dumps is very much a "black art" and very few people can do more than just the basics. Microsoft has a special team called CPR that these dumps are often escalated to. Those guys are frickin scary-smart. Scary.

If you wan't to take a look at one, download the debugging tools from Microsoft. It's the same tools they use internally, although you only have access to the public symbols rather than the internal symbols and source code.

Download windbg here:
http://www.microsoft.com/whdc/...ugging/installx86.mspx

The very first thing you'll want to do is configure your symbols path. Choose File | Symbol File Path..
Set the path like so: SRV*<Local symbol cache location>*<Symbol server path>
For example, mine is set to: SRV*C:\debugger\symbols*http://msdl.microsoft.com/download/symbols

Then, just drag and drop the memory.dmp into the debugger. You'll find the helpfiles to be pretty strong. I also think the debugger helpfiles are probably THE best reference for STOP codes.

More information:
http://www.microsoft.com/whdc/...ugging/debugstart.mspx

 

[dclive]

Originally posted by: Antoneo
Now, when windows suffers a blue screen of death soft error (or could that be due to a hard one as well?), it says it is dumping the memory. Just what exactly is Windows doing? Is the information inside of the memory dump useful; can someone tell me what they are able to do with that? I imagine developers/programmers can figure out what is wrong with their programs with it but is the dump of any worth of the average user who has a little background of C++?

I'm sorry if this is one of those "duh!!" questions but for those of you who have the key let me in on the secret.

The information is tremendously useful - it will tell you why your computer crashed. As Smilin wrote, you'd get the Windows debugger (there are several, and windbg is a commonly used one), set it up, set up a symbols path, and open up the memory.dmp file, and you can then do all kinds of things.

The helpfiles are actually pretty good if you're patient and willing to wade thru them.

BSODs can be either HW or SW - it just means the machine crashed for some reason.

 

[kylef]

Just some clarification that I didn't see anyone mention yet.

[*]The information contained in the memory dump (and therefore its size) is configured in ControlPanel->System->Advanced->Startup and Recovery
[*]Small memory dumps ("minidumps") are what are sent via Error Reporting to MS for Online Crash Analysis in XP, are 64 kB in size, and contain relevant kernel-mode information like open handles, loaded device drivers, the stacks of all kernel threads, etc
[*]Kernel memory dumps provide all kernel memory at the time of the crash, including device driver data and state
[*]Full memory dumps will dump your entire commit charge (probably more than you want)
[*]The dumps are stored in the pagefile until you reboot, whereupon the "savedump" process furiously extracts this information from the page file so that your pagefile can return to normal use (which is why there is abnormally high disk activity after rebooting from a crash)
[*]Using Windbg/kd to analyze such dumps is probably only for advanced tinkerers, but if you want the lowdown, try loading a crash dump in Windbg and then typing "!analyze -v" at the debugger prompt. This runs an analysis similar to what OCA runs automagically when your system reports the crash to Microsoft

Edit: clarified minidump