WinDbg Core Diagnostic Method-Reproduced

Source: Internet
Author: User

1. What is WinDbg, and what can it do?

WinDbg is a powerful user-mode and kernel-mode debugger for the Windows platform. From a DMP (memory dump) file it can quickly locate the source of a problem, so it is used to analyze the cause of blue screens and program crashes. It is an essential tool in daily support work, and learning to use it noticeably improves both the speed and the accuracy of troubleshooting.

2. WinDbg 6.12.0002.633 download

x86 version: "Microsoft Official installation Version"

Blue screen Dump analysis tool WinDbg (x86).rar (13.2 MB, downloaded 11,228 times)

x64 version: "Microsoft Official installation Version"

Blue screen Dump analysis tool WinDbg (x64).rar (12.4 MB, downloaded 9,251 times)

3. Set the symbol path

The symbol table is the key "database" WinDbg works from. Without it WinDbg is close to useless and cannot resolve the cause of most problems, so setting the symbol path is a mandatory first step.
1. Run WinDbg and press Ctrl+S to open the symbol path dialog.
2. Paste the symbol path srv*c:\symbols*http://msdl.microsoft.com/download/symbols into the input box and click OK.
Note: c:\symbols in that path is the local cache directory for downloaded symbols. Keep this path fixed so the same symbols are not downloaded again and again.

4. Open your first DMP file

Once you have a DMP file, open it with the Ctrl+D shortcut or via "File => Open Crash Dump ..." in the WinDbg interface. The first time you open a DMP file you may see a prompt asking whether to save workspace information; tick "Don't ask again in this WINDBG session" and click No.


When you open a second DMP file, WinDbg may refuse to parse it because the previous analysis session has not been closed. Press Shift+F5 to close the previous dump session before opening the next one.

With that, you have learned the basic use of WinDbg.

5. Analyze DMP files in a few simple steps

A worked example: analyzing a bugcheck 0x8E blue screen DMP.
When you first open a DMP file the volume of output can be overwhelming, but it does not matter: only a few key pieces of information need attention.

First key item: System Uptime

This tells you when the problem occurred. If the uptime is under one minute, the failure can basically be classified as a blue screen at boot; if it is more than a minute, the machine had booted successfully and the problem occurred during use (for example while playing a game).

In this example the output shows System Uptime: 0 days 0:14:23.581, meaning the blue screen appeared 0 days, 0 hours, 14 minutes, 23 seconds and 581 milliseconds after boot. The machine had not been up for long before it blue-screened, and the customer is understandably unhappy.

So what led to the blue screen? Next we need to pay attention to the second key message!

Second key item: Probably caused by (the likely cause of the blue screen)

This is the most important line. If you are lucky, it directly names the driver or program that led to the blue screen. In this example the preliminary analysis already gives a result: "Probably caused by" is followed by a driver file named Kimsgprotect.sys, which is a core driver of the Heng Xin one-card billing software. The blue screen is therefore very likely related to that software.

The value after the + sign in parentheses following the driver name is the offset address. If several DMP files name the same driver with the same offset, they almost certainly share the same root cause. The offset refers to a location in the driver's code (assembly level) and is not discussed further here.

Blue screen DMP analysis is not always this lucky. If the dump as first opened does not show a clear cause, use a command to analyze it further: !analyze -v. This command automatically works out the cause of most blue screens, so run it whenever the preliminary output is inconclusive. You can also simply click the !analyze -v link in the output to execute it. The annotated screenshot walks through the fields in its output.

So what does this DMP tell us? Based on its information: 0 days, 0 hours, 14 minutes, 23 seconds and 581 milliseconds after the customer booted the machine, a process named PinyinUp.exe triggered a fault in the Kimsgprotect.sys driver, resulting in a blue screen.

Which vendors do PinyinUp.exe and Kimsgprotect.sys belong to? Usually this can only be established on the user's machine. On this one, PinyinUp.exe turned out to be the automatic update program of the Sogou input method, and Kimsgprotect.sys the driver of the Heng Xin one-card billing software. So the DMP is saying that Sogou Pinyin and the Heng Xin one-card software conflicted. The fix is simple: remove the Sogou input method's automatic update program and check whether the blue screen recurs.

With this much, you can already analyze most DMP files. Blue screen analysis still calls for caution, and the conclusion should be double-checked. The check is simple: enter the !process command in the WinDbg command box to verify that the process identified as triggering the blue screen is correct.

Information obtained after running the !process command:

Having mastered these simple analysis steps, you can independently analyze the majority of DMP files. WinDbg is a powerful tool and blue screens have many possible causes, so accurate analysis comes only from more study, more practice and more dumps analyzed: the analytic approach matters more than memorizing a few commands.

Some practical suggestions:

Not every DMP file yields a useful conclusion, so do not get hung up on the result of each individual dump. Blue screen DMP analysis is also a matter of observing patterns and proportions. For example, if you analyze 10 dumps and 5 of them point to the same cause while the other 5 differ widely, deal with the shared cause of those 5 blue screens first; once that is fixed, the problem may well be solved.

VDISKBUS+DA6C: this entry refers to the dump-capture mechanism of the network Master Blue Screen Eagle Eye and is not the cause of the blue screen. Many readers stop halfway through an article, go off to work on it and reach a wrong conclusion, so a specific reminder: when you see vdiskbus+da6c, do not misjudge it. The only thing it confirms is that the DMP was captured by the network Master Blue Screen Eagle Eye on a network-dimensional diskless client; it indicates nothing else.
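The three rules above (the one-minute uptime heuristic, the module+offset in "Probably caused by", and skipping vdiskbus+da6c while looking for a cause shared across several dumps) can be applied mechanically across a batch of dumps. The following Python script is an added example, not part of the original article; the dump names, the exampledrv driver and all offsets are constructed, and the two regular expressions are modelled on the summary lines WinDbg prints.

```python
import re
from collections import Counter

# Constructed sample: per dump, the two summary lines the article says to read
# first, laid out the way WinDbg prints them (exampledrv and offsets are made up).
SAMPLE_DUMPS = {
    "dump01.dmp": "System Uptime: 0 days 0:14:23.581\nProbably caused by : Kimsgprotect.sys ( Kimsgprotect+3f1c )",
    "dump02.dmp": "System Uptime: 0 days 0:00:41.020\nProbably caused by : Kimsgprotect.sys ( Kimsgprotect+3f1c )",
    "dump03.dmp": "System Uptime: 2 days 3:05:10.000\nProbably caused by : exampledrv.sys ( exampledrv+1200 )",
    "dump04.dmp": "System Uptime: 0 days 1:02:00.500\nProbably caused by : vdiskbus.sys ( vdiskbus+da6c )",
    "dump05.dmp": "System Uptime: 0 days 0:14:23.581\nProbably caused by : Kimsgprotect.sys ( Kimsgprotect+3f1c )",
}
UPTIME_RE = re.compile(r"System Uptime:\s*(\d+) days (\d+):(\d+):(\d+)\.(\d+)")
CAUSE_RE = re.compile(r"Probably caused by\s*:\s*(\S+)\s*\(\s*([^\s)]+)\s*\)")
# The article warns that vdiskbus+da6c only marks the dump-capture hook of a
# diskless client, so it is never counted as a cause.
CAPTURE_ARTIFACTS = {"vdiskbus+da6c"}

def parse_uptime_ms(text):
    """Total uptime in milliseconds, or None if the line is absent."""
    m = UPTIME_RE.search(text)
    if not m:
        return None
    d, h, mi, s, ms = (int(x) for x in m.groups())
    return ((d * 24 + h) * 3600 + mi * 60 + s) * 1000 + ms

def classify_uptime(ms):
    """Article heuristic: under one minute means the machine crashed at boot."""
    if ms is None:
        return "unknown"
    return "boot" if ms < 60_000 else "in-use"

def parse_cause(text):
    """(module, module+offset) from 'Probably caused by', minus known artifacts."""
    m = CAUSE_RE.search(text)
    if not m or m.group(2).lower() in CAPTURE_ARTIFACTS:
        return None
    return m.group(1), m.group(2).lower()

def triage(dumps):
    """Per-dump rows plus a tally; a repeated module+offset is the cluster to fix first."""
    rows, tally = [], Counter()
    for name, text in sorted(dumps.items()):
        cause = parse_cause(text)
        rows.append((name, classify_uptime(parse_uptime_ms(text)), cause))
        if cause:
            tally[cause] += 1
    return rows, tally
```

On the sample set, triage() reports three dumps sharing Kimsgprotect+3f1c (the cluster to fix first), one of them at boot, and drops the vdiskbus capture entry rather than counting it as a cause.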
