How to Install and Configure WinDBG for BSOD Analysis
Information
WinDBG (Windows DeBuGger) is a Microsoft software tool that is needed to load and analyse the .dmp files that are created when a system BSOD's. The latest version of WinDBG allows debugging of Windows 10.x, Windows 8.x, Windows 7 and Windows Vista.
This tutorial will show you how to download, install, configure and test WinDBG in preparation for analysing BSOD's.
Note
WinDBG requires .NET Framework 4.5.2 in order to run. If it's not installed, download it from this location, and install it before downloading and installing WinDBG.
Step 1
Downloading and Installing WinDBG
1. Download the WinDBG sdksetup.exe setup file.
2. Run sdksetup.exe, and specify the installation location (this example uses the default location):
3. Once you have accepted the licence agreement, you will be prompted to select the features to install. Select only the Debugging Tools for Windows option, as shown. Proceed with installation.
4. The debugging tools will be downloaded and installed.
Step 2
Associate .dmp files with WinDBG
If configured correctly, Windows will write information to a .dmp file when the host system BSOD's. In order to read the information within the .dmp file, it needs to be associated with WinDBG.
Open an elevated cmd window. Copy the highlighted text below, and paste it into the cmd window and hit enter to change directory to the installation location path.
cd\Program Files (x86)\Windows Kits\8.1\Debuggers\x64\
Now copy this highlighted text, paste it into the cmd window, and hit enter to make the association.
windbg.exe -IA
This is how it looks when executed in the cmd window.
If done correctly, a new blank instance of WinDBG will open with a confirmation box. WinDBG can now be closed.
Step 3
Configuring the WinDBG Symbol Path
The symbol path is the location in which WinDBG searches for symbols each time it reads a binary in the BSOD .dmp file. It is critical to get this step correct.
You can specify any location to create a cache/store of downloaded symbols, but I recommend using the default location (as used in this tutorial).
To create and set a symbol path, do the following.
1. Start a blank instance of WinDBG by going to:Start > All Programs > Windows Kits > Debugging Tools for x64 > WinDBG (x64)
2. In the WinDBG panel, go to:File > Symbol File Path
3. Copy the highlighted text below and paste it into the Symbol Search Path box, and click OK - there is no confirmation.
SRV*C:\SymCache*Symbol information
What that line means is :
- Create a folder called C:\SymCache
- Download new symbols from the msdl site and save them to C:\SymCache
5. Close WinDBG.
Step 4
Testing the WinDBG Installation
1. Download this small zip file.View attachment test.zip 2. Open it, and double click the .dmp file.
3 WinDBG should open automatically and you should see some text appearing in the workspace. Since this is the first .dmp file being read on your system, WinDBG appears to be - slow do not interrupt it. What is happening is:
- A folder called Symcache is being created on C:
- Symbols are being downloaded and saved to C:\Symcache
Tip
If you think your \Symbols folder is starting to take up too much disk space, simply delete the contents of the folder in Windows Explorer - WinDBG will automatically download the required symbols when you open a .dmp again.
You will know the reading of the .dmp file is complete when our output looks like this. Note the breakpoint that I have highlighted in bold text red - that means the .dmp file has been completely read.
Code:
Microsoft (R) Windows Debugger Version 6.3.9600.17029 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [F:\TEMP\7zO89606264\050114-17253-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available
************* Symbol Path validation summary **************
Response Time (ms) Location
Deferred SRV*C:\SymCache*http://msdl.microsoft.com/download/symbols
Symbol search path is: SRV*C:\SymCache*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows 7 Kernel Version 7601 (Service Pack 1) MP (4 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS Personal
Built by: 7601.18247.amd64fre.win7sp1_gdr.130828-1532
Machine Name:
Kernel base = 0xfffff800`02a53000 PsLoadedModuleList = 0xfffff800`02c966d0
Debug session time: Fri May 2 11:37:27.580 2014 (UTC + 9:30)
System Uptime: 0 days 0:04:04.718
Loading Kernel Symbols
.
Press ctrl-c (cdb, kd, ntsd) or ctrl-break (windbg) to abort symbol loads that take too long.
Run !sym noisy before .reload to track down problems loading symbols.
..............................................................
................................................................
................................
Loading User Symbols
Loading unloaded module list
.....
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck 24, {1904fb, fffff88008f94c48, fffff88008f944a0, fffff80002ddde2e}
Probably caused by : ntkrnlmp.exe ( nt!FsRtlNotifyFilterReportChange+122 )
[B][COLOR=red]Followup: MachineOwner[/COLOR][/B]
---------You are done. WinDBG has been installed, .dmp file associations created, and symbol path correctly setup.
Tip
If you open the .dmp files from within the .zip file, you never need to save individually .dmp files to your HDD/SSD - all you need to do is delete the original .zip file once you are finished with that BSOD. This will save you a lot of space in the long run.
Last edited:
