Windows Process crash Problem location method

Introduction: Memory and stack dumps using the NSTD tool for process crashes.

1. Open the Debug option when compiling the release version and publish the EXE and PDB files together.

2. Use the batch command to set the debugger that the Windows system calls when the process crashes NTSD

@reg Add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug"/V "Auto"/t reg_sz/d "1"/F

This batch instruction, set AeDebug call before the need to bounce message box confirmation? The default is 0, and setting 1 means the auto process does not bounce confirmation box. If you have installed visual Studio, you may have encountered the following bullet boxes:

This is the process by which vs sets the AeDebug debugger, encounters a process crash, and then the box confirms whether to attach to the process for debugging.

Then set the debug dump directive for NTSD:

@reg Add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug"/V "Debugger"/t reg_sz/d "D:\Dump\ Ntsd.exe-p%%ld-e%%ld-g-C \ ". dump/ma/u D:\Dump\dump.dmp;. logopen/t D:\Dump\dump.txt;. time;. Echo Process Status: ; ^|; . Echo Thread Status:; ^~;. Echo Stack Status:; KPN; logclose; Q\ ""/F

I copied the NTSD program to the D:\dump directory.

-P%%ld Incoming process id,-c executes the dump command: Echo prints thread information, thread stack, and finally exits.

Batch installation script and NTSD program I have already made the package, can download here.

3. Here's an example to illustrate the effect:

#include <stdio.h>void test2 () {int a = 1; int b = 0; int c = A/b;} void Test1 () {test2 ();} int main (int argc, char** argv) {test1 (); return 0;}

By constructing a crash with the exception of 0 errors, Test1 and test2 are intended to demonstrate the call stack.

The stack text crawled by this method is as follows:

opened log file  ' D:\Dump\dump_22d4_2014-09-30_15-15-33-062.txt ' debug session time:  Tue Sep 30 15:15:33.063 2014  (gmt+8) system uptime: 2 days  3:35:54.545process uptime: 0 days 0:00:00.923  kernel time: 0  days 0:00:00.015  user time: 0 days 0:00:00.000process status:.   0id: 3854attachname: D:\xcb\20140808\test\CoreDump\DumpExampleNormalStack.exeThread  status:.  0  id: 3854.3138 suspend: 1 teb: 7ffdf000  unfrozenstack status:*** error: symbol file could not be found.   Defaulted to export symbols for C:\Windows\SYSTEM32\ntdll.dll -   # childebp retaddr  00 002dfb2c 01321038 dumpexamplenormalstack!test2 (void) +0x1801 002dfb34 01321048 dumpexamplenormalstack!test1 (void) +0x802 002dfb3c 01321159 dumpexamplenormalstack! Main (int argc = 1, char ** argv = 0x003ea488) +0x8*** ERROR:  Symbol file could not be found.  defaulted to export symbols  for C:\Windows\system32\kernel32.dll - 03 002dfb84 76e2ee1c  Dumpexamplenormalstack!__tmaincrtstartup (void) +0xfewarning: stack unwind information not  available. Following frames may be wrong.04 002dfb90 77ba37eb  kernel32! basethreadinitthunk+0x1205 002dfbd0 77ba37be ntdll! rtlinitializeexceptionchain+0xef06 002dfbe8 00000000 ntdll! rtlinitializeexceptionchain+0xc2closing open log file d:\dump\dump_22d4_2014-09-30_ 15-15-33-062.txt

Remember: The debug option needs to be opened in release version, and the resulting PDB file and EXE will be placed in the same directory.

If you are looking for a memory leak, refer to my other blog post. If you need to use Google to query technical questions, you can use here.

Windows Process crash Problem location method