Blue screen dump analysis tutorial using the WinDbg analysis tool

Source: Internet
Author: User

First, what is WinDbg and what can it do?

WinDbg is a powerful user-mode and kernel-mode debugging tool for the Windows platform. Given a DMP (memory dump) file, it can quickly lead you to the root of a problem, and it can be used to analyze the causes of blue screens and program crashes. It is an essential tool in day-to-day support work; learning to use it will noticeably improve both the speed and the accuracy of your troubleshooting.

Third, set up the symbol table:

The symbol table is WinDbg's key "database". Without it, WinDbg is nearly useless and cannot analyze the cause of most problems, so configuring a symbol path is a step you must take before using WinDbg.

1. Run WinDbg, then press "Ctrl+S" to open the symbol path setup window.

2. Paste the symbol path srv*c:\symbols*http://msdl.microsoft.com/download/symbols into the input box and click OK.

Note: the c:\symbols part is the local storage path for downloaded symbols. It is recommended to keep this path fixed so that the same symbols are not downloaded repeatedly.

Fourth, learn to open your first DMP file!

Once you have a DMP file, open it with the "Ctrl+D" shortcut, or click "File => Open Crash Dump ..." in the WinDbg interface. The first time you open a DMP file you may see a prompt; when it appears, check "Don't ask again in this WinDbg session" and then click No.

When you want to open a second DMP file, you may find that it cannot be parsed directly because the previous analysis session has not been closed. Use the "Shift+F5" shortcut to close the previous DMP analysis session first.

At this point you have learned the basics of using WinDbg!

Learn to analyze DMP files in a few simple steps.

A shared analysis walkthrough of a 0x8E blue screen DMP:

When you open a DMP file you may be overwhelmed by the amount of information, but that does not matter; we only need to focus on a few key pieces of information.

First key piece of information: System Uptime (time since boot):

This value tells you when the problem appeared. If the uptime is under one minute, the crash can basically be classified as a boot-time blue screen; if it is over one minute, the problem occurred after the user logged onto the machine or while they were using it.

Let us use a simple example to learn basic DMP analysis. In the figure below, System Uptime reads 0 days 0:14:23.581, meaning the blue screen happened 0 days, 0 hours, 14 minutes, 23 seconds and 581 milliseconds after boot. It crashed not long after the user got onto the machine, so the customer would be quite unhappy.

So what caused the blue screen? Next we need to look at the second key piece of information!

Second key piece of information: Probably caused by (the likely cause of the blue screen)

This line is relatively important. If you are lucky, you can read the name of the driver or program that led to the blue screen straight from it. In the figure below the preliminary analysis already gives a result: "Probably caused by" is followed by a driver file named kimsgprotect.sys, which is a key driver of the Hengxin billing card software. So the blue screen is most likely related to that card software.

The value after the "+" sign following the driver file name in parentheses is the offset address. If several DMP files show the same driver file name and the same offset address, the problem is most likely the same one. The offset address relates to the assembly code, which is not covered further here.

In practice, not every blue screen DMP analysis is this lucky. If simply opening the DMP file does not show a clear cause, we need a command to analyze the DMP further: !analyze -v. This command automatically analyzes the cause of most blue screens. When the initial look yields no result, run it to dig further into the cause of the failure; you can also just click the link-style text !analyze -v in the output to run the command. To make the resulting information easier to understand, look directly at the annotations in the picture.

After reading all this information, what actually happened in this blue screen DMP? According to the information the DMP gives, it should be: 0 days, 0 hours, 14 minutes, 23 seconds and 581 milliseconds after the customer got onto the machine, a program named PinyinUp.exe triggered the driver Kimsgprotect.sys, resulting in a blue screen.

So which manufacturers do PinyinUp.exe and Kimsgprotect.sys belong to? Generally the only way to find out is to go to the user's machine and look. After doing so, I found that PinyinUp.exe is the automatic upgrade program of the Sogou input method, and Kimsgprotect.sys is the driver of the Hengxin card billing software. So this DMP tells us that Sogou Pinyin and the Hengxin card software, used together, caused the problem! The remedy is simple: remove the Sogou automatic upgrade program from the input method, then check whether the blue screen still occurs.

Having learned this much, you can basically analyze most DMP files. Blue screen DMP analysis should still be done carefully, though, and the information should be verified once more to be safe. Verification is simple: enter the !process command in the WinDbg command input box, and you can confirm that the program identified as triggering the blue screen is correct.

Information obtained after running the !process command:

With the simple analysis methods above, most people can analyze most DMPs independently. Of course, WinDbg is a powerful tool and there are many possible causes of blue screens, so if you want your analysis to be accurate enough, the only way is to practice more and analyze more, because WinDbg analysis is more about experience than about knowing a few commands!

Some reasonable analysis suggestions:

Not every DMP file yields a useful conclusion, so when analyzing DMPs there is no need to get entangled in the result of every single file. In fact, blue screen DMP analysis is also a method of observing patterns and locating the largest problems. For example, if you analyze 10 DMPs and 5 of them point to the same blue screen cause while the other 5 each say something different, you can deal with the cause shared by those 5 blue screens first, because after that problem is solved, the remaining ones may be solved along with it!

VDISKBUS+DA6C: this blue screen information refers to the blue screen DMP capture mechanism of the Wangwei Dashi (Network Maintenance Master) diskless system; it is not a blue screen cause. Many friends have only read half of the article, gone off and experimented, and come up with wrong conclusions, so this is a deliberate reminder: when you see vdiskbus+da6c, do not judge it to be the fault. The only thing this information confirms is that the DMP file was captured by the Wangwei Dashi Blue Screen Eagle on a Wangwei diskless client; it does not indicate anything else.
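The rules above (uptime under a minute means a boot-time crash, the same driver plus offset means the same bug, vdiskbus+da6c is the capture mechanism and never the cause, and grouping many DMPs by shared cause) are easy to apply across a folder of dumps with a small script. The following is an added Python example, not part of the original tutorial, that parses constructed, abbreviated "!analyze -v" output; the offsets, file names and the second and third dumps are made-up illustrations.

```python
import re
from collections import Counter

# Constructed, abbreviated "!analyze -v" output for three dumps. The first
# follows the tutorial's case; the offsets and the other two dumps are made
# up for illustration and are not real WinDbg output.
DUMPS = {
    "case1.dmp": "System Uptime: 0 days 0:14:23.581\nPROCESS_NAME:  PinyinUp.exe\n"
                 "Probably caused by : kimsgprotect.sys ( kimsgprotect+1a2c )\n",
    "case2.dmp": "System Uptime: 2 days 3:05:10.007\nPROCESS_NAME:  PinyinUp.exe\n"
                 "Probably caused by : kimsgprotect.sys ( kimsgprotect+1a2c )\n",
    "case3.dmp": "System Uptime: 0 days 0:00:41.300\nPROCESS_NAME:  System\n"
                 "Probably caused by : vdiskbus.sys ( vdiskbus+da6c )\n",
}
# vdiskbus+da6c is the diskless-client capture mechanism, never a cause.
CAPTURE_MODULES = {"vdiskbus"}

UPTIME_RE = re.compile(r"System Uptime:\s*(\d+) days (\d+):(\d+):(\d+)\.(\d+)")
PROCESS_RE = re.compile(r"PROCESS_NAME:\s+(\S+)")
CAUSE_RE = re.compile(r"Probably caused by\s*:\s*\S+\s*\(\s*(\w+)\+([0-9a-fA-F]+)\s*\)")

def parse_analysis(text):
    """Extract the tutorial's key fields from one !analyze -v output."""
    d, h, m, s, ms = (int(x) for x in UPTIME_RE.search(text).groups())
    proc, cause = PROCESS_RE.search(text), CAUSE_RE.search(text)
    return {
        "uptime_s": d * 86400 + h * 3600 + m * 60 + s + ms / 1000,
        "process": proc.group(1) if proc else None,
        "module": cause.group(1).lower() if cause else None,
        "offset": cause.group(2).lower() if cause else None,
    }

def boot_time_crash(info, threshold_s=60):
    """Uptime under a minute suggests the crash happened during boot."""
    return info["uptime_s"] < threshold_s

def group_by_cause(dumps):
    """Count dumps per module+offset (same pair, same bug); dumps whose only
    lead is a capture driver are listed separately, not counted as causes."""
    causes, capture_only = Counter(), []
    for name, text in dumps.items():
        info = parse_analysis(text)
        if info["module"] in CAPTURE_MODULES:
            capture_only.append(name)
        else:
            causes[f"{info['module']}+{info['offset']}"] += 1
    return causes, capture_only

if __name__ == "__main__":
    print(group_by_cause(DUMPS))  # (Counter({'kimsgprotect+1a2c': 2}), ['case3.dmp'])
```

On real dumps, feed each file's saved `!analyze -v` text into `parse_analysis`; the two cases sharing kimsgprotect+1a2c are counted as one problem, and the vdiskbus-only dump is set aside rather than treated as a cause.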
