EDN Admin
In this episode of Defrag Tools, Chad Beeder and Larry Larsen discuss analyzing kernel mode bugchecks (colloquially known as Blue Screens of Death) using WinDbg from the Debugging Tools for Windows.

We use these commands:
!analyze -v
.hh
.trap
!pte
!process
!thread
.formats
.process
.thread
k
~
.reload

Make sure you watch Defrag Tools Episode #1 (http://channel9.msdn.com/Shows/Defrag-Tools/Defrag-Tools-Building-your-USB-thumbdrive) for instructions on how to get the Debugging Tools for Windows and how to set the required environment variables for symbol and source code resolution.

Resources:
Debugging Tools for Windows: http://msdn.microsoft.com/en-us/windows/hardware/gg463009.aspx
How to generate a kernel or a complete memory dump file in Windows Server 2008 and Windows Server 2008 R2: http://support.microsoft.com/kb/969028
Windows Internals book tools (including NotMyFault): http://technet.microsoft.com/en-us/sysinternals/bb963901.aspx

Timeline:
http://channel9.msdn.com/Shows/Defrag-Tools/Defrag-Tools-15-WinDbg-Bugchecks#time=00m50s [00:50] - What is a bugcheck (blue screen)?
http://channel9.msdn.com/Shows/Defrag-Tools/Defrag-Tools-15-WinDbg-Bugchecks#time=03m23s [03:23] - Different types of memory dump files (complete, kernel-only, mini)
http://channel9.msdn.com/Shows/Defrag-Tools/Defrag-Tools-15-WinDbg-Bugchecks#time=05m16s [05:16] - Windows Error Reporting
http://channel9.msdn.com/Shows/Defrag-Tools/Defrag-Tools-15-WinDbg-Bugchecks#time=07m17s [07:17] - Configuring your system for a memory dump
http://channel9.msdn.com/Shows/Defrag-Tools/Defrag-Tools-15-WinDbg-Bugchecks#time=07m54s [07:54] - Enabling the "Complete memory dump" option on Windows 7 and Server 2008 R2; see KB 969028, "How to generate a kernel or a complete memory dump file in Windows Server 2008 and Windows Server 2008 R2" (http://support.microsoft.com/kb/969028)
http://channel9.msdn.com/Shows/Defrag-Tools/Defrag-Tools-15-WinDbg-Bugchecks#time=10m45s [10:45] - Looking at a 32-bit memory dump created by NotMyFault, from the Windows Internals book tools (http://technet.microsoft.com/en-us/sysinternals/bb963901.aspx)
http://channel9.msdn.com/Shows/Defrag-Tools/Defrag-Tools-15-WinDbg-Bugchecks#time=12m04s [12:04] - Symbol path
http://channel9.msdn.com/Shows/Defrag-Tools/Defrag-Tools-15-WinDbg-Bugchecks#time=13m21s [13:21] - Step 1 is always: !analyze -v
http://channel9.msdn.com/Shows/Defrag-Tools/Defrag-Tools-15-WinDbg-Bugchecks#time=15m40s [15:40] - Looking up bug check descriptions - Windows Debugger Help ( .hh )
http://channel9.msdn.com/Shows/Defrag-Tools/Defrag-Tools-15-WinDbg-Bugchecks#time=19m45s [19:45] - Looking at the trap frame ( .trap )
http://channel9.msdn.com/Shows/Defrag-Tools/Defrag-Tools-15-WinDbg-Bugchecks#time=20m18s [20:18] - Why did a memory access fail? (Using !pte command to look at virtual memory mappings)
http://channel9.msdn.com/Shows/Defrag-Tools/Defrag-Tools-15-WinDbg-Bugchecks#time=22m15s [22:15] - What is a trap frame? (64-bit systems do not store all registers in trap frames; see the X64 Deep Dive blog post: http://www.codemachine.com/article_x64deepdive.html)
http://channel9.msdn.com/Shows/Defrag-Tools/Defrag-Tools-15-WinDbg-Bugchecks#time=26m50s [26:50] - Showing all running processes with !process 0 0
http://channel9.msdn.com/Shows/Defrag-Tools/Defrag-Tools-15-WinDbg-Bugchecks#time=28m48s [28:48] - View more details on a specific process with !process
http://channel9.msdn.com/Shows/Defrag-Tools/Defrag-Tools-15-WinDbg-Bugchecks#time=31m43s [31:43] - Converting between numerical formats with .formats
http://channel9.msdn.com/Shows/Defrag-Tools/Defrag-Tools-15-WinDbg-Bugchecks#time=32m55s [32:55] - Switching the debugger into a process or thread context: use .process or .thread
http://channel9.msdn.com/Shows/Defrag-Tools/Defrag-Tools-15-WinDbg-Bugchecks#time=35m10s [35:10] - Switching between CPUs ( ~ command)
http://channel9.msdn.com/Shows/Defrag-Tools/Defrag-Tools-15-WinDbg-Bugchecks#time=38m13s [38:13] - Next week: Driver Verifier