WinDbg: how to capture dump files

Source: Internet
Author: User
Tags: knowledge base

There are two situations:

Case one: on Vista or Windows Server 2008 this is easy. In Task Manager, switch to the Processes tab, right-click the process you want to dump and choose "Create Dump File"; Task Manager writes a full memory dump into the user's temp directory and shows you the path. If the process you want is w3wp.exe you may see many w3wp.exe instances without knowing which one hosts your site. List them with the command below: on Vista or Windows Server 2008 use `%windir%\system32\inetsrv\appcmd list wp`, and on Windows Server 2003 use `iisapp`. One caveat: on 64-bit Windows, dumping a 32-bit process from the 64-bit Task Manager produces a WOW64 dump that managed-code extensions such as SOS cannot use; for 32-bit processes run the 32-bit Task Manager (%windir%\SysWOW64\taskmgr.exe, where present) instead.

Case two: Windows Server 2003 does not have that feature, and the Task Manager method is imperfect in any case, because it cannot capture the dump at the moment the program crashes. Use the ADPlus command instead. For example:

adplus -hang -pn w3wp.exe -o C:\dumps
This command immediately writes a full dump of every running w3wp.exe process into the C:\dumps folder.

adplus -hang -p 81388 -o C:\dumps
This command immediately writes a full dump of process 81388 into the C:\dumps folder.

adplus -crash -pn w3wp.exe -FullOnFirst -o C:\dumps
adplus -crash -p 81388 -FullOnFirst -o C:\dumps
These commands monitor the running w3wp.exe (or process 81388) and write a full dump as soon as the first-chance exception occurs.

adplus -crash -pn w3wp.exe -o C:\dumps
This command also records dumps while w3wp.exe runs, but without -FullOnFirst the dump taken on a first-chance exception is only a mini dump; a full dump is still written on the second-chance (unhandled) exception that actually crashes the process.

# Some common parameters:
-crash: capture a crash dump (monitor the process and write dumps when exceptions occur).
-hang: capture a hang dump (dump the process immediately, then detach).
-p: the process ID to capture. -pn: the process name (every process with that name is attached). -iis: capture all IIS processes.
-quiet: do not pop up the confirmation dialogs.
-FullOnFirst: write a full dump on the first-chance exception, i.e. the complete information about the process, instead of a mini dump.
-o: the folder in which the dump files are stored.
-c: specify a configuration file.
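The commands above leave one practical question open: which w3wp.exe to hand to ADPlus when several are running. The following Python script is added here as an example; it is not from the original article. It parses the output of `appcmd list wp` to find the worker-process PIDs serving a named application pool and builds the matching `adplus -p` command line for hang or crash mode, dumping every process of a web garden. The sample appcmd output embedded in it is constructed, and the appcmd path and the `adplus` name on PATH are assumed to be the defaults the article describes.

```python
"""Pick the right w3wp.exe among many and build the matching ADPlus command line.

Added example, not from the original article. It assumes `appcmd list wp`
(in %windir%/system32/inetsrv) and `adplus` from Debugging Tools for Windows
on the PATH. SAMPLE_APPCMD_OUTPUT is constructed for the example.
"""
import os
import re
import subprocess
import sys

# appcmd prints one line per worker process:  WP "<pid>" (applicationPool:<pool name>)
WP_LINE = re.compile(r'^WP\s+"(?P<pid>\d+)"\s+\(applicationPool:(?P<pool>.*)\)\s*$')

# Constructed sample of `appcmd list wp`: three pools, one of them a web garden
# running two worker processes.
SAMPLE_APPCMD_OUTPUT = """\
WP "1376" (applicationPool:DefaultAppPool)
WP "81388" (applicationPool:Shop)
WP "2212" (applicationPool:Shop)
WP "4400" (applicationPool:Intranet)
"""


def parse_worker_processes(appcmd_output):
    """Return a list of (pid, pool) tuples from `appcmd list wp` output; unknown lines are skipped."""
    result = []
    for line in appcmd_output.splitlines():
        m = WP_LINE.match(line.strip())
        if m:
            result.append((int(m.group("pid")), m.group("pool")))
    return result


def pids_for_pool(appcmd_output, pool_name):
    """All w3wp.exe PIDs serving the named application pool (several for a web garden, none if idle)."""
    return [pid for pid, pool in parse_worker_processes(appcmd_output) if pool == pool_name]


def build_adplus_command(mode, pid, out_dir, full_on_first=False, quiet=True):
    """argv for `adplus -hang -p <pid> -o <dir>` or `adplus -crash ...` with the options the article lists.

    -p takes a PID; `-pn w3wp.exe` would attach to every w3wp, which is why the PID is resolved first.
    """
    if mode not in ("hang", "crash"):
        raise ValueError("mode must be 'hang' or 'crash'")
    argv = ["adplus", "-" + mode, "-p", str(pid), "-o", out_dir]
    if mode == "crash" and full_on_first:
        argv.append("-FullOnFirst")   # full dump on first-chance exceptions, not only on the second chance
    if quiet:
        argv.append("-quiet")         # suppress the confirmation dialogs so the script does not block on them
    return argv


def main(argv):
    if len(argv) != 4:
        print("usage: capture_w3wp.py <hang|crash> <application pool name> <dump dir>")
        return 2
    mode, pool, out_dir = argv[1:]
    appcmd = os.path.expandvars(r"%windir%\system32\inetsrv\appcmd.exe")   # default location on Vista/2008
    output = subprocess.run([appcmd, "list", "wp"], capture_output=True, text=True, check=True).stdout
    pids = pids_for_pool(output, pool)
    if not pids:
        print("no worker process found for pool %r; is the site idle?" % pool)
        return 1
    for pid in pids:   # a web garden has more than one worker; dump them all
        cmd = build_adplus_command(mode, pid, out_dir, full_on_first=(mode == "crash"))
        print("running:", " ".join(cmd))
        # -hang returns once the dump is written; -crash keeps running until the process exits or crashes
        subprocess.run(cmd, check=True)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python capture_w3wp.py hang Shop C:\dumps` from an elevated prompt; in crash mode the script blocks for as long as ADPlus monitors the process, which is the same console window you must not close in the manual procedure.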

# Configuring the environment variables:
Computer > Properties > Advanced > Environment Variables > System variables:
_NT_SYMBOL_PATH = C:\Windows\symbols (a symbol-server path such as srv*C:\symbols*https://msdl.microsoft.com/download/symbols makes the debugger download the Microsoft symbols it needs into C:\symbols automatically)
Add C:\Program Files\Debugging Tools for Windows (x86) to the PATH system variable so that adplus and windbg can be run from any directory.

# ADPlus can also be driven by a configuration file (the -c parameter) for more flexible use, for example to record a dump when a specific CLR exception is thrown.

# Fixing the error "ActiveX component can't create object: 'WScript.Shell'" during dump capture: run the following command to re-register the Windows Script Host object model that adplus.vbs depends on:
regsvr32 %windir%\System32\wshom.ocx

# Note: while ADPlus holds w3wp.exe to write the dump the worker process is frozen, so IIS may recycle it; the corresponding w3wp.exe process is often recycled and restarted automatically after the capture.

2. Analyzing the dump file.

0:000> .load C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\SOS.dll    // load the SOS debugging extension; it must match the CLR version in the dump (.loadby sos mscorwks picks the matching one once mscorwks is loaded)
0:000> !eeheap -gc                      // show the managed (GC) heap, including the size of each generation and the large object heap
0:000> !dumpheap -min 85000 -stat       // statistics for objects of 85000 bytes or more, i.e. objects on the large object heap
0:000> !dumpheap -min 85000             // list each object of 85000 bytes or more
0:000> !dumpheap -stat                  // statistics for every object in the program; the size counted is the object itself, not the objects it references
0:000> !gcroot 0x34e9bee0               // show the roots that keep this instance alive (who holds a reference to it)
0:000> !dumpheap -mt 790fcb30           // list every object whose MethodTable is 790fcb30
0:000> !dumparray <address>             // view the contents of an array
0:000> !objsize 012a1ba4                // total size of the object in memory including everything it references
0:000> lm                               // list the loaded modules
0:000> !dumpmt -md 00976d48             // list the method descriptors (member functions) of the class with this MethodTable

-----------------------------------------------------------------------------------

First, the two main ways a program crashes. Understanding them matters because it lets you capture the right dump faster and more accurately.

The first kind of crash: while the program is running an error window suddenly pops up, and once you click OK in it the program closes.
Examples are "Application Error", the C++ runtime error dialog, "program not responding" and the program appearing frozen. (The original shows a screenshot of an IE application error here.)

The characteristics of this kind of crash:
The program has already faulted, but as long as you do not click OK or any other button in the error window, all of the error state is still in memory and you can capture the dump directly. If you know which action triggers the crash, you can also set the capture up in advance and wait for it.
Capture method three is recommended, because it captures the dump the first time you see the error: as soon as a problem occurs, have the user leave the error window open, then go and take the dump. If you fail to capture the dump in time, the other methods can be used as well.

The second kind of crash: while the program is running, the window or process suddenly disappears without any error dialog.
The typical case is IE closing by itself: you open several IE windows in a row, close one of them, and all the IE windows disappear. Or in a game, the game interface vanishes on its own.
The characteristics of this kind of crash:
The program crashes on its own, and at that moment all of the error state is gone. To capture a dump of this kind of crash you must set up the capture environment first; otherwise no dump can be captured. Methods one, two and four work for this case; method three needs an error window to still be on screen, so it does not apply.

These are the two most common kinds of program crash. Now the methods for capturing a dump.

Capture method one:
Characteristics of the method:
1. You must specify the process name or PID to capture, and the program must already be running, otherwise no dump can be taken.
2. The capture environment must be set up before the problem occurs.
3. A normal shutdown of the process also produces a dump file, so you need to confirm that the dump you collect was generated when the program crashed.
Step one: download the tools you need.
WinDbg: this tool is the protagonist of the dump capture.
Tool download 1: HTTP://115.COM/FILE/AN94SP48
Tool download 2: http://msdl.microsoft.com/download/symbols/debuggers/dbg_x86_6.11.1.404.msi

Step two: set up the WinDbg capture environment.
Start the program that may have the problem, for example IE; without the program running the dump cannot be captured.
Then extract the WinDbg package from the site to any drive, for example C:, and run ADPlus with the following parameters to capture the dump.

C:\WinDbg\adplus.vbs -crash -pn iexplore.exe -o D:\

After you run the command, WinDbg pops up a black console window that monitors the state of the process. Do not close that window, or the dump will not be captured.
WinDbg parameter description:
-crash: capture the dump when the program crashes. This mode only records exceptions, so if the program does not raise one, no dump is produced.
-hang: take the dump as soon as ADPlus starts. It is meant for the case where the process has stopped responding but has not crashed, for example a process stuck at 100% CPU.
See the Microsoft Knowledge Base article: HTTP://SUPPORT.MICROSOFT.COM/KB/286350/ZH-CN
(If you are not sure of the difference between -crash and -hang, use -crash.)
-pn: the name of the process to attach to (use -p for a PID); the name is case sensitive.
-o: the dump output path.

Step three: collect the dump file.
When the program crashes the dump file is saved in the specified output path, the D: drive in this example. Package the dump file and submit it to the software vendor for analysis.

Capture method two:
Characteristics of the method:
1. No need to specify a process or PID, and the process does not have to exist when the environment is set up: any program that crashes afterwards produces a dump.
2. The capture environment must be set up before the problem occurs.
3. A normal shutdown, such as clicking the X, does not produce a dump; only a crash does.
Step one: download the tools you need.
WinDbg: this tool is the protagonist of the dump capture.
Tool download 1: HTTP://115.COM/FILE/AN94SP48
Tool download 2: http://msdl.microsoft.com/download/symbols/debuggers/dbg_x86_6.11.1.404.msi

Step two: set up the WinDbg capture environment.
Extract the WinDbg package from the site to any drive, for example C:, and run WinDbg with the following parameter.

C:\WinDbg\windbg.exe -I

When run with this parameter WinDbg shows a confirmation prompt; click OK and the WinDbg window disappears.

The environment is now set up; next you need to make the program crash, for example make IE crash.

WinDbg parameter description:
-I: register WinDbg as the default postmortem (just-in-time) debugger. The I must be uppercase; lowercase -i is a different option (it sets the image path). Registration writes the debugger command into the AeDebug registry key under HKLM, so it needs administrator rights.

Step three: collect the dump file.
When the program crashes, the WinDbg window pops up again, attached to the crashed process. Use the following command to save the dump file:

.dump /ma D:\test.dmp

While the dump is being written the status in the lower-left corner changes to *BUSY*, which means WinDbg is working; "Dump successfully written" appears when it is complete.

Wait for the dump to be saved, then package the dump file for the software vendor.

Capture method three:
Characteristics of the method:
1. The dump can be captured directly while the program is showing its error, with no prior setup. It suits the case where an error appears unexpectedly and you are not sure the problem can be reproduced, so it is a very important capture method and strongly recommended to remember.
Step one: download the tools you need.
Process Explorer: used to find the PID of the process that owns the error window.
Tool download: http://www.clxp.net.cn/mytool/index/System_analysis_Tools/ (find Process Explorer in the tool collection).
WinDbg: this tool is the protagonist of the dump capture.
Tool download 1: HTTP://115.COM/FILE/AN94SP48
Tool download 2: http://msdl.microsoft.com/download/symbols/debuggers/dbg_x86_6.11.1.404.msi

Step two: use Process Explorer to find the PID of the process the error window belongs to (see the end of the article for what a PID is).
Run Process Explorer, hold the left mouse button down on the crosshair (target) icon in its toolbar, drag it onto the error window and release the mouse.

Process Explorer then highlights the process that owns the window; note its PID, for example the PID of QQ.exe is 2960.

Step three: run WinDbg and capture the dump file.
After starting WinDbg, click File > Attach to a Process.

In the dialog that opens, locate the PID you just found and click OK.

After you click OK you are in the debugger, attached to the process; save the dump with the dump command and one of the options below:

.dump /ma D:\test.dmp

WinDbg parameter description:
/m: the default option, which produces a standard minidump. The file is usually small and easy to send by e-mail or other means, but it contains little information: only system information, loaded module (DLL) information, process information and thread information.
/ma: a minidump with as many options as possible (full memory contents, handles, unloaded modules and so on). The file is large, but if conditions allow (local debugging or a LAN) this dump is recommended.
/mFhutwd: a minidump with data segments, non-shared (private) read/write memory pages and other useful information. It contains the most that can be obtained through a minidump short of full memory, and is a compromise between the two.
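Whether a file is a plain `/m` minidump, a `/ma` full-memory dump, or an ADPlus first-chance mini dump is recorded in the dump's own header, so you can check what you were handed before analysing or forwarding it. The Python script below is added here as an example and is not from the article. It reads the MINIDUMP_HEADER and stream directory of a .dmp file and reports the MINIDUMP_TYPE flags, the streams present, and whether an exception record is included (a crash dump) or absent (a hang dump). The option-letter column in its flag table is my own summary of the `.dump /m` documentation, not something the article states; the two sample dumps are constructed inside the script, so it runs without a real dump.

```python
"""Triage a .dmp file: mini dump or full-memory dump, and does it carry an
exception record (a crash) or not (a hang)?

Added example, not from the original article. It reads only the fixed
MINIDUMP_HEADER and MINIDUMP_DIRECTORY structures from minidumpapiset.h, so it
works on dumps from ADPlus, `.dump`, Task Manager or Dr. Watson alike.
The sample dumps at the bottom are constructed for the example.
"""
import mmap
import struct
import sys

MDMP_SIGNATURE = 0x504D444D                 # 'MDMP'
HEADER_FMT = "<IIIIIIQ"                     # Signature, Version, NumberOfStreams, StreamDirectoryRva,
HEADER_SIZE = struct.calcsize(HEADER_FMT)   # CheckSum, TimeDateStamp, Flags (32 bytes)
DIRECTORY_FMT = "<III"                      # StreamType, Location.DataSize, Location.Rva (12 bytes)
DIRECTORY_SIZE = struct.calcsize(DIRECTORY_FMT)

STREAM_NAMES = {
    3: "ThreadListStream", 4: "ModuleListStream", 5: "MemoryListStream",
    6: "ExceptionStream", 7: "SystemInfoStream", 9: "Memory64ListStream",
    12: "HandleDataStream", 14: "UnloadedModuleListStream", 15: "MiscInfoStream",
    16: "MemoryInfoListStream", 17: "ThreadInfoListStream",
}

# MINIDUMP_TYPE bits and (my summary, not from the article) the .dump /m<letter> that sets each one.
DUMP_FLAGS = [
    (0x00001, "MiniDumpWithDataSegs", "d"),
    (0x00002, "MiniDumpWithFullMemory", "f"),
    (0x00004, "MiniDumpWithHandleData", "h"),
    (0x00020, "MiniDumpWithUnloadedModules", "u"),
    (0x00040, "MiniDumpWithIndirectlyReferencedMemory", "i"),
    (0x00100, "MiniDumpWithProcessThreadData", "p"),
    (0x00200, "MiniDumpWithPrivateReadWriteMemory", "w"),
    (0x00800, "MiniDumpWithFullMemoryInfo", "F"),
    (0x01000, "MiniDumpWithThreadInfo", "t"),
    (0x02000, "MiniDumpWithCodeSegs", "c"),
]


def parse_header(data):
    """Unpack MINIDUMP_HEADER; rejects anything that is not a user-mode dump."""
    if len(data) < HEADER_SIZE:
        raise ValueError("file too short to be a minidump")
    sig, version, nstreams, dir_rva, _checksum, timestamp, flags = struct.unpack_from(HEADER_FMT, data, 0)
    if sig != MDMP_SIGNATURE:
        raise ValueError("bad signature 0x%08x (expected 'MDMP'); not a user-mode dump" % sig)
    return {"version": version & 0xFFFF, "streams": nstreams, "dir_rva": dir_rva,
            "timestamp": timestamp, "flags": flags}


def parse_directory(data, header):
    """Return (stream_type, data_size, rva) per directory entry, checking every entry lies inside the file."""
    entries = []
    for i in range(header["streams"]):
        off = header["dir_rva"] + i * DIRECTORY_SIZE
        if off + DIRECTORY_SIZE > len(data):
            raise ValueError("stream directory runs past end of file (truncated dump?)")
        stype, size, rva = struct.unpack_from(DIRECTORY_FMT, data, off)
        if rva + size > len(data):
            raise ValueError("stream %d points past end of file (truncated dump?)" % stype)
        entries.append((stype, size, rva))
    return entries


def triage(data):
    header = parse_header(data)
    streams = parse_directory(data, header)
    types = {s for s, _, _ in streams}
    flags = header["flags"]
    return {
        "full_memory": bool(flags & 0x2) or 9 in types,   # /ma and ADPlus full dumps carry Memory64ListStream
        "has_exception": 6 in types,                       # present for crash dumps, absent for -hang dumps
        "options": "".join(letter for bit, _, letter in DUMP_FLAGS if flags & bit),
        "stream_names": [STREAM_NAMES.get(s, "Stream%d" % s) for s, _, _ in streams],
    }


def build_sample_dump(flags, stream_types):
    """Construct a minimal, structurally valid dump: header, directory, and 4 zero bytes per stream."""
    dir_rva = HEADER_SIZE
    body_rva = dir_rva + DIRECTORY_SIZE * len(stream_types)
    header = struct.pack(HEADER_FMT, MDMP_SIGNATURE, 0xA793, len(stream_types), dir_rva, 0, 0x4F37A2B0, flags)
    directory = b"".join(struct.pack(DIRECTORY_FMT, t, 4, body_rva + 4 * i) for i, t in enumerate(stream_types))
    return header + directory + b"\0" * (4 * len(stream_types))


# Constructed: what a `.dump /ma` of a crashed process looks like at the header level.
SAMPLE_FULL_CRASH = build_sample_dump(0x2 | 0x4 | 0x20 | 0x1000, [7, 3, 4, 6, 9])
# Constructed: a plain `.dump /m` taken from a hung process.
SAMPLE_MINI_HANG = build_sample_dump(0x0, [7, 3, 4, 5])

if __name__ == "__main__":
    for path in sys.argv[1:]:
        # memory-map so a multi-gigabyte full dump only touches its header and directory pages
        with open(path, "rb") as f, mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ) as m:
            print(path, triage(m))
```

Run it as `python dumpcheck.py C:\dumps\w3wp.dmp`; a dump that reports `full_memory: False` was taken with the default `/m` (or an ADPlus first-chance mini dump) and will not let SOS inspect the managed heap, and a `ValueError` about a truncated file usually means the capture was interrupted before the dump was fully written.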

Capture method four:
Characteristics of the method:
1. Uses the Dr. Watson tool that ships with the system to capture the dump. It is simple, but sometimes it does not trigger; the way it is deployed is similar to method two.
Step one: download the tools you need.
Although Dr. Watson ships with Windows, most newer systems no longer include it (Vista and later replaced it with Windows Error Reporting). You can download the portable ("green") version attached here, extract it and run it directly; after it runs everything is set up.
Download the portable edition of Dr. Watson (484.87 KB; attachment dated 2012-02-12).

Step two: take the dump file.
Once you have run DrWtsn32 (Watson Debugger).exe from this site, a dump is generated automatically in the root of C: whenever a program crashes; the files are named drwtsn32.log and user.dmp. Package these two files and submit them for analysis.

That covers the commonly used WinDbg methods for capturing crash dumps. I hope that when you next hit a program crash you will no longer only report the error message, but can also provide a dump for analysis!
In addition, if users of the site's network-management product run into IE crashes, they can use the capture methods above and send the dump file directly to online customer service; this improves the efficiency of troubleshooting and helps get the problem solved quickly!
