Keywords: system exception, memory dump (information dump), windbg tool.
1. Why dump memory?
Systems often run into problems, whether from exceptions introduced in a program's design or from faults in the system itself. So when the system crashes or an exception occurs, how can we obtain the system's context at that moment, give an accurate diagnosis, and then propose a resolution?
What we call a crash or exception covers many situations, such as a system process occupying a large amount of resources, a process performing poorly, or a program crashing. To diagnose it, we must obtain the context of the affected process at the moment the exception occurs. This is done by capturing a snapshot of the process, and the way to capture that snapshot is to dump the process's memory at that time.
2. Dump memory method
Here we introduce one method of dumping memory: the .dump command in windbg. When an exception occurs in the program, we can use this method to snapshot the context of the process at that moment.
The specific method is:
When an exception occurs in the program, or before it occurs, attach windbg to the specific process in which the exception is expected. In the windbg command window, type g or press F5 to let the program execute. If all goes as expected, the exception will occur and windbg will break in, and we can then use the .dump command to capture the snapshot. The following section describes the usage of the .dump command.
.dump (Create Dump File)
The .dump command creates a user-mode or kernel-mode crash dump file.
Syntax
.dump Options FileName
.dump /?
Parameters
Options
Represents one or more of the following options.

/o
Overwrites an existing dump file with the same name. If this option is not used and there is a file with the same name, the dump file is not written.

/f
(Kernel mode) Creates a complete memory dump.
(User mode) Creates a full user-mode dump. Despite the names, the largest minidump file actually contains more information than a full user-mode dump. For example, .dump /mf or .dump /ma creates a larger and more complete file than .dump /f. In user mode, .dump /m[MiniOptions] is always preferable to .dump /f.

/m[MiniOptions]
Creates a small memory dump (in kernel mode) or a minidump (in user mode). If neither /f nor /m is specified, /m is the default.
In user mode, /m can be followed by additional MiniOptions specifying extra data to be included in the dump. If no MiniOptions are included, the dump will include module, thread, and stack information, but no additional data. You can add any of the following MiniOptions to change the contents of the dump file; they are case-sensitive.

MiniOption | Effect
--- | ---
a | Creates a minidump with all optional additions. The /ma option is equivalent to /mfFhut: it adds full memory data, handle data, unloaded module information, basic memory information, and thread time information to the minidump.
f | Adds full memory data to the minidump. All accessible committed pages owned by the target application will be included.
F | Adds all basic memory information to the minidump. This adds a stream to the minidump that contains all basic memory information, not just information about valid memory. This allows the debugger to reconstruct the complete virtual memory layout of the process when the minidump is being debugged.
h | Adds data about the handles associated with the target application to the minidump.
u | Adds unloaded module information to the minidump. This is available only in Windows Server 2003 and later versions of Windows.
t | Adds additional thread information to the minidump. This includes thread times, which can be displayed by using the !runaway extension or the .ttime (Display Thread Times) command when debugging the minidump.
i | Adds secondary memory to the minidump. Secondary memory is any memory referenced by a pointer on the stack or backing store, plus a small region surrounding this address.
p | Adds process environment block (PEB) and thread environment block (TEB) data to the minidump. This can be useful if you need access to Windows system information regarding the application's processes and threads.
w | Adds all committed read-write private pages to the minidump.
d | Adds all read-write data segments within the executable image to the minidump.
c | Adds code sections within images.
r | Deletes from the minidump those portions of the stack and store memory that are not useful for recreating the stack trace. Local variables and other data type values are deleted as well. This option does not make the minidump smaller (because these memory sections are simply zeroed), but it is useful if you want to protect the privacy of other applications.
R | Deletes the full module paths from the minidump. Only the module names will be included. This is a useful option if you want to protect the privacy of the user's directory structure.

These MiniOptions can only be used when creating a user-mode minidump. They should follow the /m specifier.

/u
Appends the date, time, and PID to the dump file name. This ensures that dump file names are unique.

/a
Generates dumps for all currently debugged processes. If /a is used, the /u option should also be used to ensure that each file has a unique name.

/b[a]
Creates a .cab file. If this option is included, FileName is interpreted as the CAB file name, not the dump file name. A temporary dump file will be created, this file will be packaged into a CAB, and then the dump file will be deleted. If the b option is followed by a, all symbol and image files will also be packaged into the CAB.

/c "Comment"
Specifies a comment string that will be written to the dump file. If Comment contains spaces, it must be enclosed in double quotes. When the dump file is loaded, the Comment string will be displayed.

/xc Address
(User-mode minidumps only) Adds a context record to the dump file. Address must specify the address of the context record.

/xr Address
(User-mode minidumps only) Adds an exception record to the dump file. Address must specify the address of the exception record.

/xp Address
(User-mode minidumps only) Adds a context record and an exception record to the dump file. Address must specify the address of an EXCEPTION_POINTERS structure, which contains pointers to the context record and the exception record.

/xt ThreadID
(User-mode minidumps only) Specifies the thread ID of a system thread that will be used as the exception thread for this dump file.

/kpmf File
(Only when creating a kernel-mode complete memory dump) Specifies a file that contains physical memory page data.

FileName
Specifies the name of the dump file. You can specify a full path and file name or just the file name. If the file name contains spaces, FileName should be enclosed in quotation marks. If no path is specified, the current directory is used.

/?
Displays help for this command. This text is different in kernel mode and in user mode.
Environment
Modes: User mode, kernel mode
Targets: Live, crash dump
Platforms: All
Comments
This command can be used in a variety of situations:
- During live user-mode debugging, this command directs the target application to generate a dump file, but the target application does not terminate.
- During live kernel-mode debugging, this command directs the target computer to generate a dump file, but the target computer does not crash.
- During crash dump debugging, this command creates a new crash dump file from the old one. This is useful if you have a large crash dump file and want to create a smaller one.
You can control what type of dump file will be produced:
- In kernel mode, to produce a complete memory dump, use the /f option. To produce a small memory dump, use the /m option (or no options). The .dump command cannot produce a kernel memory dump.
- In user mode, .dump /m[MiniOptions] is the best choice. Although "m" stands for "minidump", the dump files created by using this option can vary in size from very small to very large. By specifying the proper MiniOptions, you can control exactly what information is included. For example, .dump /ma produces a dump with a great deal of information. The older command, .dump /f, produces a moderately large "standard dump" file and cannot be customized.
You cannot specify which process is dumped. All running processes will be dumped.
The /xc, /xr, /xp, and /xt options are used to store exception and context information in the dump file. This allows .ecxr (Display Exception Context Record) to be run on this dump file.
The following example creates a user-mode minidump containing full memory and handle information:
0:000> .dump /mfh myfile.dmp
Handle information can then be read by using the !handle extension command.
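As an added example (not from the original page), the following Python script parses the MINIDUMP_HEADER and stream directory of a dump file, so that someone receiving a file produced by .dump /m... can check which streams it carries and which MINIDUMP_TYPE flag bits are set, for instance to confirm whether full memory or handle data was captured before the file is shared. The sample bytes are constructed inline; the MiniOption noted beside each flag is assumed to be the option that sets that bit when windbg calls MiniDumpWriteDump, a correspondence not stated on the page.

```python
import struct

# MINIDUMP_TYPE bits from minidumpapiset.h. The MiniOption in each comment is
# assumed (not stated on the page) to be the .dump /m option that sets the bit.
MINIDUMP_TYPE = {
    0x0001: "WithDataSegs",                   # /md
    0x0002: "WithFullMemory",                 # /mf
    0x0004: "WithHandleData",                 # /mh
    0x0008: "FilterMemory",                   # /mr
    0x0020: "WithUnloadedModules",            # /mu
    0x0040: "WithIndirectlyReferencedMemory", # /mi
    0x0080: "FilterModulePaths",              # /mR
    0x0100: "WithProcessThreadData",          # /mp
    0x0200: "WithPrivateReadWriteMemory",     # /mw
    0x0800: "WithFullMemoryInfo",             # /mF
    0x1000: "WithThreadInfo",                 # /mt
    0x2000: "WithCodeSegs",                   # /mc
}
# MINIDUMP_STREAM_TYPE values for streams a .dump minidump commonly carries.
STREAM_TYPES = {3: "ThreadList", 4: "ModuleList", 5: "MemoryList", 6: "Exception",
                7: "SystemInfo", 9: "Memory64List", 12: "HandleData",
                14: "UnloadedModuleList", 16: "MemoryInfoList", 17: "ThreadInfoList"}

def parse_minidump(data: bytes) -> dict:
    """Validate the 32-byte MINIDUMP_HEADER and walk the stream directory."""
    if len(data) < 32:
        raise ValueError("too short for a minidump header")
    sig, ver, nstreams, dir_rva, _csum, _ts, flags = struct.unpack_from("<IIIIIIQ", data, 0)
    if sig != 0x504D444D:            # 'MDMP' read as a little-endian uint32
        raise ValueError("bad minidump signature")
    if (ver & 0xFFFF) != 0xA793:     # low word of Version is MINIDUMP_VERSION
        raise ValueError("unexpected minidump version")
    streams = []
    for i in range(nstreams):        # each MINIDUMP_DIRECTORY entry is 12 bytes
        off = dir_rva + 12 * i
        if off + 12 > len(data):
            raise ValueError("stream directory runs past end of file")
        stype, size, rva = struct.unpack_from("<III", data, off)
        if rva + size > len(data):   # untrusted file: never index past the buffer
            raise ValueError(f"stream {stype} data runs past end of file")
        streams.append(STREAM_TYPES.get(stype, f"Unknown({stype})"))
    return {"flags": [n for b, n in MINIDUMP_TYPE.items() if flags & b],
            "streams": streams}

def build_sample() -> bytes:
    """Constructed sample: header plus three empty streams, flags as /mfh would set."""
    hdr = struct.pack("<IIIIIIQ", 0x504D444D, 0x0001A793, 3, 32, 0, 0, 0x0002 | 0x0004)
    entries = [(7, 0, 68), (9, 0, 68), (12, 0, 68)]  # SystemInfo, Memory64List, HandleData
    return hdr + b"".join(struct.pack("<III", *e) for e in entries)
```

Run parse_minidump on the bytes of a real .dmp file to list its streams and flags; a truncated or tampered file raises ValueError instead of being read past its end.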