How do I use WinDBG to properly analyze a kernal memory dump?

ThatBenderGuy · 20 Jun 2014

I've started getting in to analyzing my own memory dumps with WinDBG but the problem is I don't know which commands to use to properly utilize its features. For instance, (forgive me if I sound noobish about this I'm new to analyzing them) how do I view the call stacks for seeing if the probable cause lies in there?

For instance just opening the Kernel Dump in WinDbg tells me the probable cause is "ntkrnlmp.exe" But I doubt that it's the real cause of the BSOD.

Any tips would be appreciated and I apologize if this is in the wrong topic.

EDIT:
Also could anyone tell me if this driver seems to be the cause of this particular blue screen? This is the call stacks

fffff880`04306790 fffff880`04e1e9d3 dxgmms1!VIDMM_GLOBAL::ReferenceAllocationForSubmission+0xa3
fffff880`043067d0 fffff880`04e387d9 dxgmms1!VIDMM_GLOBAL::PrepareDmaBuffer+0xe1b
fffff880`043069a0 fffff880`04e38514 dxgmms1!VidSchiSubmitRenderCommand+0x241
fffff880`04306b90 fffff880`04e38012 dxgmms1!VidSchiSubmitQueueCommand+0x50
fffff880`04306bc0 fffff800`0332d73a dxgmms1!VidSchiWorkerThread+0xd6
fffff880`04306c00 fffff800`030828e6 nt!PspSystemThreadStartup+0x5a
fffff880`04306c40 00000000`00000000 nt!KxStartSystemThread+0x16

Thanks again for any information

derekimo · 20 Jun 2014

I'm not a pro either but looking at that dxgmms1, it is a microsoft driver and unlikely to be the actual cause.

Driver Reference Table - dxgmms1.sys

My suspicion would be graphics drivers or the card depending on the BugCheck Code.

Here's an excellent driver reference, Driver Reference Table (DRT)

And BSOD index for BugChecks, BSOD Index

Also here's some good info for finding offending drivers,

Debugging A BSOD - My way

ThatBenderGuy · 20 Jun 2014

Thanks for the links, WinDbg actually told me that the probable cause for my latest one wasn't a driver but it said the probable cause was "Probably caused by : Pool_Corruption ( nt!ExDeferredFreePool+1df )"

That's the first time I've ever seen that type of possible cause, it's usually a .sys file. What on earth does "Pool_Corruption" mean?

derekimo · 20 Jun 2014

The probably caused by can be misleading, specially when it points out a microsoft driver. Pool Corruption is a reference to memory,

The bugcheck is also important to look at, the link I gave you for that will show you usual causes for that bugcheck.

The other link with the !thread command is useful for digging deeper than the "Probably caused by" output.

Looking at the Kernel dump in your other thread here, Frequent BSOD while playing League of Legends [ntoskrnl.exe]

It has a bugcheck of 3b,

Code:

BugCheck 3B, {c0000005, fffff8000309a97c, fffff8800ab88ff0, 0}

Probably caused by : ntkrnlmp.exe ( nt!KeWaitForSingleObject+17c )

Followup: MachineOwner
---------

And the probably caused by is a microsoft file, you can be 99% sure that is not the actual cause.

Looking at the bugcheck 3b usual causes here, BSOD Index

Usual causes: System service, Device driver, graphics driver, ?memory

The next step is look for an offending driver, testing your RAM with Memtest86+ would be good too to rule that out.

Try the instructions for the !thread command I pointed you to here,

Debugging A BSOD - My way

You will see a few drivers, let me know what you find.

carwiz · 20 Jun 2014

ntkrnlmp.exe is the kernel memory handler for 64-bit address (Non-PAE). As already mentioned by Derek, this is rarely the "cause" of the error. More often than not, it's the "result" of bad data passed to it. As in the example above, it accepted a string object or pool address. The rest is a domino effect but more often than not, it's caused by an errant driver. Not always the video driver, but usually is when the DX driver is involved. Can also be malware, an AV scanner or temperature related (physical memory starts breaking down).

The suggestions given by Derek are right on track and I can't add any more.

ThatBenderGuy · 21 Jun 2014

Alright guys thanks for all your help!