Windows 7 Forums



Windows 7: How do I use WinDBG to properly analyze a kernel memory dump?

20 Jun 2014   #1
ThatBenderGuy

Windows 7 Professional 64-bit
 
 

I've started getting into analyzing my own memory dumps with WinDBG, but the problem is I don't know which commands to use to properly utilize its features. For instance (forgive me if I sound noobish about this, I'm new to analyzing them), how do I view the call stacks to see if the probable cause lies in there?

For instance, just opening the kernel dump in WinDbg tells me the probable cause is "ntkrnlmp.exe", but I doubt that it's the real cause of the BSOD.

Any tips would be appreciated and I apologize if this is in the wrong topic.

EDIT:
Also, could anyone tell me if this driver seems to be the cause of this particular blue screen? This is the call stack:

Quote:
fffff880`04306790 fffff880`04e1e9d3 dxgmms1!VIDMM_GLOBAL::ReferenceAllocationForSubmission+0xa3
fffff880`043067d0 fffff880`04e387d9 dxgmms1!VIDMM_GLOBAL::PrepareDmaBuffer+0xe1b
fffff880`043069a0 fffff880`04e38514 dxgmms1!VidSchiSubmitRenderCommand+0x241
fffff880`04306b90 fffff880`04e38012 dxgmms1!VidSchiSubmitQueueCommand+0x50
fffff880`04306bc0 fffff800`0332d73a dxgmms1!VidSchiWorkerThread+0xd6
fffff880`04306c00 fffff800`030828e6 nt!PspSystemThreadStartup+0x5a
fffff880`04306c40 00000000`00000000 nt!KxStartSystemThread+0x16

Thanks again for any information


20 Jun 2014   #2
derekimo

Microsoft Community Contributor Award Recipient

 
 

I'm not a pro either, but looking at that dxgmms1, it is a Microsoft driver and unlikely to be the actual cause.

Driver Reference Table - dxgmms1.sys

My suspicion would be graphics drivers or the card depending on the BugCheck Code.

Here's an excellent driver reference, Driver Reference Table (DRT)

And BSOD index for BugChecks, BSOD Index

Also here's some good info for finding offending drivers,

Debugging A BSOD - My way
20 Jun 2014   #3
ThatBenderGuy

Windows 7 Professional 64-bit
 
 

Thanks for the links, WinDbg actually told me that the probable cause for my latest one wasn't a driver but it said the probable cause was "Probably caused by : Pool_Corruption ( nt!ExDeferredFreePool+1df )"

That's the first time I've ever seen that type of possible cause, it's usually a .sys file. What on earth does "Pool_Corruption" mean?

20 Jun 2014   #4
derekimo

Microsoft Community Contributor Award Recipient

 
 

The "Probably caused by" can be misleading, especially when it points out a Microsoft driver. Pool Corruption is a reference to memory.

The bugcheck is also important to look at, the link I gave you for that will show you usual causes for that bugcheck.

The other link with the !thread command is useful for digging deeper than the "Probably caused by" output.

Looking at the Kernel dump in your other thread here, Frequent BSOD while playing League of Legends [ntoskrnl.exe]

It has a bugcheck of 3b,

Code:
BugCheck 3B, {c0000005, fffff8000309a97c, fffff8800ab88ff0, 0}

Probably caused by : ntkrnlmp.exe ( nt!KeWaitForSingleObject+17c )

Followup: MachineOwner
---------

And the "Probably caused by" is a Microsoft file; you can be 99% sure that is not the actual cause.

Looking at the bugcheck 3b usual causes here, BSOD Index

Quote:
Usual causes: System service, Device driver, graphics driver, ?memory

The next step is to look for an offending driver; testing your RAM with Memtest86+ would be good too, to rule that out.

Try the instructions for the !thread command I pointed you to here,

Debugging A BSOD - My way

You will see a few drivers, let me know what you find.
20 Jun 2014   #5
carwiz

Windows 7 Pro-x64
 
 

ntkrnlmp.exe is the kernel memory handler for 64-bit address (Non-PAE). As already mentioned by Derek, this is rarely the "cause" of the error. More often than not, it's the "result" of bad data passed to it. As in the example above, it accepted a string object or pool address. The rest is a domino effect but more often than not, it's caused by an errant driver. Not always the video driver, but usually is when the DX driver is involved. Can also be malware, an AV scanner or temperature related (physical memory starts breaking down).

The suggestions given by Derek are right on track and I can't add any more.
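
Added example (not part of any post in this thread): a small Python helper that applies the approach from the replies above, reading the bug check line and the stack frames rather than the "Probably caused by" line, and listing the WinDbg commands to run next. The `OS_MODULES` set and the `examplegpu` driver name are assumptions for illustration; the bug check line and frames are copied from posts #4 and #1 and may come from different dumps.

```python
import re

# Modules treated as Microsoft-supplied. "nt" and "dxgmms1" come from this
# thread; "hal" and "dxgkrnl" are added assumptions. Not a complete list.
OS_MODULES = {"nt", "hal", "dxgkrnl", "dxgmms1"}

BUGCHECK_RE = re.compile(r"BugCheck\s+([0-9A-Fa-f]+),\s*\{([^}]*)\}")
ADDR = r"[0-9a-f]{8}`[0-9a-f]{8}"
# Child-SP, return address, then module!symbol+0xoff or module+0xoff.
FRAME_RE = re.compile(rf"^\s*{ADDR}\s+{ADDR}\s+([^!+\s]+)[!+]\S+\s*$", re.I | re.M)

# Quoted from the thread (post #4 summary line, three frames from post #1).
BUGCHECK = "BugCheck 3B, {c0000005, fffff8000309a97c, fffff8800ab88ff0, 0}"
THREAD_STACK = """\
fffff880`043069a0 fffff880`04e38514 dxgmms1!VidSchiSubmitRenderCommand+0x241
fffff880`04306bc0 fffff800`0332d73a dxgmms1!VidSchiWorkerThread+0xd6
fffff880`04306c00 fffff800`030828e6 nt!PspSystemThreadStartup+0x5a
"""
# Constructed frame: "examplegpu" is a hypothetical third-party driver.
CONSTRUCTED_STACK = "fffff880`04306700 fffff880`04e1e9d3 examplegpu+0x1a2b3\n" + THREAD_STACK

def parse_bugcheck(text):
    """Return (code, [p1..p4]) from a 'BugCheck 3B, {...}' line, or None."""
    m = BUGCHECK_RE.search(text)
    if not m:
        return None
    params = [int(p.strip(), 16) for p in m.group(2).split(",")]
    return int(m.group(1), 16), params

def stack_modules(text):
    """Modules on the stack, innermost frame first, duplicates removed."""
    seen = []
    for module in FRAME_RE.findall(text):
        if module not in seen:
            seen.append(module)
    return seen

def next_steps(bugcheck_text, stack_text):
    """Suggest follow-up commands instead of trusting 'Probably caused by'."""
    cmds = ["!analyze -v"]
    parsed = parse_bugcheck(bugcheck_text)
    if parsed and parsed[0] == 0x3B:
        # For 0x3B, parameter 3 is the context record of the faulting code.
        cmds += [f".cxr 0x{parsed[1][2]:x}", "kv"]
    suspects = [m for m in stack_modules(stack_text) if m.lower() not in OS_MODULES]
    cmds += [f"lmvm {m}" for m in suspects]
    return suspects, cmds
```

An empty suspect list, as with the frames quoted in post #1, means the stack alone does not name a third-party driver, so the bug check's usual causes and a memory test remain the next things to check.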
21 Jun 2014   #6
ThatBenderGuy

Windows 7 Professional 64-bit
 
 

Alright guys thanks for all your help!