Exploring multiple Windows .dmp files

Deskjocky Member Posts: 2

Hi Folks,

Long time lurker, first time poster.

Can anyone suggest any tools/windbg commands that I could use to open and compare multiple dump files? Say, open 5-10 files to be easily able to compare each content to look for patterns with driver crashes? I'm currently opening lots of Windbg windows and flicking between them, so hoping for an alternative.

I am guessing not, but thought I'd ask just in case.

Cheers.

Comments

  • Scott_Noone_(OSR) Administrator Posts: 3,556

    BlueScreenView is handy if you just want to see the bugcheck code/arguments:

    http://www.nirsoft.net/utils/blue_screen_view.html

    I don't know of any utilities. If you go to the \sdk\samples\dumpstk folder in the WinDbg installation there is a sample command line utility to open a dump and print the call stack. It's pretty easy to hack something into this utility to get more information from the dump and spit it out in whatever format you'd like.

    -scott
    OSR

  • Mark_Roddy Member - All Emails Posts: 4,605
    via Email
    You could look at the work that Dmitry Vostokov has been doing on crash dump analysis patterns.
    https://www.oreilly.com/library/view/memory-dump-analysis/9781908043511/
    I personally have never been able to make heads or tails of that stuff, but I'm probably just being dim. What I do in practice is to auto-generate analysis.txt files plus other assorted logs I can automatically fetch using scripted windbg invocations and then quickly triage-sort dumps using that data.

    Mark Roddy
  • raj_r Member - All Emails Posts: 987

    You can open multiple dumps in a single instance of windbg using multiple -z switches

    a small demo

    let's run a tight loop and dump the process several times to notice the user time increase

    :\>cat tloop.cpp
    int main (void) {
        int a=0,b=0;
        while ( a !=2 ){
            b = a+1;
        }
    }
    

    :>cat complink.bat
    cl /Zi /W4 /Od /analyze /EHsc -Gs /nologo tloop.cpp /link /release /entry:main /subsystem:windows /merge:.rdata=.text /fixed /nologo

    compile and execute under debugger

    use **.dump /ma /mt {filename}** to dump the process

    issue a g to run the binary so it consumes some user time
    repeat five times to get five dumps

    and open all the dumps in one go using

    cdb -z one.dmp -z two.dmp -z tre.dmp -z for.dmp -z fiv.dmp

    you have to issue **g (go or f5)** as many times as the dumps
    to initialize each of them

    once all of them are initialised you can use

    || (process syntax ) and ~ (thread syntax ) to switch between them

    listing all processes

    ||4:4:009> ||*
       0 Full memory user mini dump: one.dmp
       1 Full memory user mini dump: two.dmp
       2 Full memory user mini dump: tre.dmp
       3 Full memory user mini dump: for.dmp
    .  4 Full memory user mini dump: fiv.dmp
    

    selecting a process and checking all its threads

    ||4:4:009> ||0s;~*e .ttime

    Created: Sun Feb 3 10:23:57.848 2019
    Kernel: 0 days 0:00:00.015
    User: 0 days 0:00:07.534 <<<<<<<<<<<<<<<<<<<<
    Created: Sun Feb 3 10:24:05.790 2019
    Kernel: 0 days 0:00:00.000
    User: 0 days 0:00:00.000

    switching to next

    ||0:0:001> ||1s;~*e .ttime

    Created: Sun Feb 3 10:23:57.848 2019
    Kernel: 0 days 0:00:00.015
    User: 0 days 0:00:13.416 <<<<<<<<<<<<<<<<<<<<
    Created: Sun Feb 3 10:24:32.117 2019
    Kernel: 0 days 0:00:00.000
    User: 0 days 0:00:00.000

    rinse and repeat

    ||1:1:003> ||2s;~*e .ttime

    Created: Sun Feb 3 10:23:57.848 2019
    Kernel: 0 days 0:00:00.015
    User: 0 days 0:00:22.401 <<<<<<<<<<<<<<<<<<<<
    Created: Sun Feb 3 10:24:48.845 2019
    Kernel: 0 days 0:00:00.000
    User: 0 days 0:00:00.000

    ||2:2:005> ||3s;~*e .ttime

    Created: Sun Feb 3 10:23:57.848 2019
    Kernel: 0 days 0:00:00.015
    User: ** 0 days 0:00:29.125 <<<<<<<<<<<<<<<<<<<<**
    Created: Sun Feb 3 10:25:01.300 2019
    Kernel: 0 days 0:00:00.000
    User: 0 days 0:00:00.000

    ||3:3:007> ||4s;~*e .ttime

    Created: Sun Feb 3 10:23:57.848 2019
    Kernel: 0 days 0:00:00.031
    User: ** 0 days 0:00:49.327 <<<<<<<<<<<<<<<<<<<<**
    Created: Sun Feb 3 10:25:26.995 2019
    Kernel: 0 days 0:00:00.000
    User: 0 days 0:00:00.000

    ||4:4:009> ||5s;~*e .ttime
    ^ Illegal debuggee error in '||5s;~*e .ttime'
    ||4:4:009> q
    quit:
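
Added example, not part of any post in this thread: a Python script for the scripted approach mentioned in the replies, running cdb once per dump with a command file and collating the `.ttime` user times into one sorted table instead of switching between debugger sessions. It assumes `cdb.exe` is on PATH; the function names, the `ttime.txt` script file name and the sample text (constructed from the `.ttime` lines shown above) are illustrative.

```python
import re
import subprocess
import sys
from pathlib import Path

# One debugger command per line. "~*e" takes the rest of its line as the
# per-thread command, so "q" must sit on its own line, not after a ";".
SCRIPT_LINES = ["~*e .ttime", "q"]

# Matches lines such as "User: 0 days 0:00:07.534" printed by .ttime.
USER_TIME = re.compile(r"User:\s+(\d+) days (\d+):(\d\d):(\d\d)\.(\d{3})")

def cdb_argv(dump, script, cdb="cdb.exe"):
    """Command line that opens one dump, runs the script file and exits."""
    return [cdb, "-z", str(dump), "-cf", str(script)]

def busiest_thread_ms(debugger_text):
    """Largest per-thread user time, in milliseconds, found in .ttime output."""
    times = [
        ((int(d) * 24 + int(h)) * 60 + int(m)) * 60_000 + int(s) * 1000 + int(ms)
        for d, h, m, s, ms in USER_TIME.findall(debugger_text)
    ]
    return max(times, default=0)

def compare(outputs):
    """Takes {dump name: debugger text}; returns rows sorted by user time."""
    return sorted(((name, busiest_thread_ms(text)) for name, text in outputs.items()),
                  key=lambda row: row[1])

def run_all(dumps, script="ttime.txt"):
    """Run cdb once per dump (assumes cdb.exe is on PATH) and keep its output."""
    Path(script).write_text("\n".join(SCRIPT_LINES) + "\n")
    return {Path(d).name: subprocess.run(cdb_argv(d, script), capture_output=True,
                                         text=True).stdout for d in dumps}

# Constructed sample: .ttime lines as shown for one.dmp and two.dmp in the thread.
SAMPLE = {
    "two.dmp": "Kernel: 0 days 0:00:00.015\nUser: 0 days 0:00:13.416\n"
               "Kernel: 0 days 0:00:00.000\nUser: 0 days 0:00:00.000\n",
    "one.dmp": "Kernel: 0 days 0:00:00.015\nUser: 0 days 0:00:07.534\n"
               "Kernel: 0 days 0:00:00.000\nUser: 0 days 0:00:00.000\n",
}

if __name__ == "__main__":
    # With dump paths as arguments, run cdb; without, use the embedded sample.
    outputs = run_all(sys.argv[1:]) if sys.argv[1:] else SAMPLE
    for name, ms in compare(outputs):
        print(f"{name:<12} {ms / 1000:9.3f} s user")
```

For crash dumps, the same loop works with other debugger commands in `SCRIPT_LINES` and a matching regular expression for the lines of interest.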

  • Deskjocky Member Posts: 2

    Thanks all for your help, I have managed to cobble something together using the above, it is not pretty but it does the job.

    Thanks again!

  • AndreyBazhan Member Posts: 5

    The easiest way to do this is to use http://www.andreybazhan.com/onedbg.html
