Exploring multiple Windows .dmp files

Hi Folks,

Long time lurker, first time poster.

Can anyone suggest any tools/WinDbg commands that I could use to open and compare multiple dump files? Say, open 5-10 files and easily compare their contents to look for patterns in driver crashes? I'm currently opening lots of WinDbg windows and flicking between them, so I'm hoping for an alternative.

I am guessing not, but thought I’d ask just in case.

Cheers.

BlueScreenView is handy if you just want to see the bugcheck code/arguments:

http://www.nirsoft.net/utils/blue_screen_view.html

I don’t know of any utilities. If you go to the \sdk\samples\dumpstk folder in the WinDbg installation there is a sample command line utility to open a dump and print the call stack. It’s pretty easy to hack something into this utility to get more information from the dump and spit it out in whatever format you’d like.

You could look at the work that Dmitry Vostokov has been doing on crash dump analysis patterns: https://www.oreilly.com/library/view/memory-dump-analysis/9781908043511/ I personally have never been able to make heads or tails of that stuff, but I'm probably just being dim. What I do in practice is to auto-generate analysis.txt files plus other assorted logs I can automatically fetch using scripted windbg invocations, and then quickly triage-sort dumps using that data.

Mark Roddy

You can open multiple dumps in a single instance of WinDbg using multiple -z switches.

A small demo:

Let's run a tight loop and dump the process several times to see the user time increase.

:\>cat tloop.cpp
// Deliberate infinite loop: a is never changed, so a != 2 always holds and
// the process burns user-mode CPU time until we break in and dump it.
int main (void) {
    int a=0,b=0;
    while ( a !=2 ){
        b = a+1;    // b is written but never read; the busy loop is the point
    }
}

:\>cat complink.bat
cl /Zi /W4 /Od /analyze /EHsc -Gs /nologo tloop.cpp /link /release /entry:main
/subsystem:windows /merge:.rdata=.text /fixed /nologo

Compile and execute under the debugger.

Use .dump /ma /mt (unknown) to dump the process.

Issue a g to run the binary so it consumes some user time. Repeat five times to get five dumps.

Then open all the dumps in one go using:

cdb -z one.dmp -z two.dmp -z tre.dmp -z for.dmp -z fiv.dmp

You have to issue g (go, or F5) as many times as there are dumps to initialise each of them.

Once all of them are initialised you can use || (process syntax) and ~ (thread syntax) to switch between them.

Listing all processes:

||4:4:009> ||*
   0 Full memory user mini dump: one.dmp
   1 Full memory user mini dump: two.dmp
   2 Full memory user mini dump: tre.dmp
   3 Full memory user mini dump: for.dmp
.  4 Full memory user mini dump: fiv.dmp

Selecting a process and checking all its threads:

||4:4:009> ||0s;~*e .ttime

Created: Sun Feb 3 10:23:57.848 2019
Kernel: 0 days 0:00:00.015
User: 0 days 0:00:07.534 <<<<<<<<<<<<<<<<<<<<
Created: Sun Feb 3 10:24:05.790 2019
Kernel: 0 days 0:00:00.000
User: 0 days 0:00:00.000

Switching to the next one:

||0:0:001> ||1s;~*e .ttime

Created: Sun Feb 3 10:23:57.848 2019
Kernel: 0 days 0:00:00.015
User: 0 days 0:00:13.416 <<<<<<<<<<<<<<<<<<<<
Created: Sun Feb 3 10:24:32.117 2019
Kernel: 0 days 0:00:00.000
User: 0 days 0:00:00.000

Rinse and repeat:

||1:1:003> ||2s;~*e .ttime

Created: Sun Feb 3 10:23:57.848 2019
Kernel: 0 days 0:00:00.015
User: 0 days 0:00:22.401 <<<<<<<<<<<<<<<<<<<<
Created: Sun Feb 3 10:24:48.845 2019
Kernel: 0 days 0:00:00.000
User: 0 days 0:00:00.000

||2:2:005> ||3s;~*e .ttime

Created: Sun Feb 3 10:23:57.848 2019
Kernel: 0 days 0:00:00.015
User: 0 days 0:00:29.125 <<<<<<<<<<<<<<<<<<<<
Created: Sun Feb 3 10:25:01.300 2019
Kernel: 0 days 0:00:00.000
User: 0 days 0:00:00.000

||3:3:007> ||4s;~*e .ttime

Created: Sun Feb 3 10:23:57.848 2019
Kernel: 0 days 0:00:00.031
User: 0 days 0:00:49.327 <<<<<<<<<<<<<<<<<<<<
Created: Sun Feb 3 10:25:26.995 2019
Kernel: 0 days 0:00:00.000
User: 0 days 0:00:00.000

||4:4:009> ||5s;~*e .ttime
^ Illegal debuggee error in '||5s;~*e .ttime'
||4:4:009> q
quit:
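The two workable approaches in this thread are Mark's (script one debugger run per dump, keep the analysis text, then sort dumps by what it says) and the multi -z trick above. The following Python driver is an added example written for this thread, not code posted by anyone here: it builds the cdb command lines for both approaches, runs !analyze -v on each dump non-interactively, parses the fields that matter for spotting a recurring driver crash (bugcheck code and parameters, module, FAILURE_BUCKET_ID), and groups the dumps by signature. The CDB path is a placeholder, the driver names exampledrv/otherdrv are hypothetical, and the !analyze -v fragments used for the offline demo are constructed, not captured output.

```python
"""Batch-triage Windows crash dumps by scripting cdb and sorting the results.

Added example for this thread; assumes the Debugging Tools for Windows are
installed and CDB points at cdb.exe (placeholder).  The sample analysis text
below is constructed for the offline demo and is not real debugger output."""
import re
import subprocess
import sys
from collections import defaultdict
from pathlib import Path

CDB = "cdb.exe"   # placeholder: full path to cdb.exe from the Debugging Tools

# Lines !analyze -v prints that are worth comparing across dumps.
FIELDS = ("BUGCHECK_CODE", "BUGCHECK_P1", "BUGCHECK_P2", "BUGCHECK_P3",
          "BUGCHECK_P4", "PROCESS_NAME", "MODULE_NAME", "IMAGE_NAME",
          "FAILURE_BUCKET_ID")
FIELD_RE = re.compile(r"^\s*(" + "|".join(FIELDS) + r"):\s*(\S.*?)\s*$",
                      re.MULTILINE)


def cdb_command(dump, symbol_path=None, cdb=CDB):
    """argv for one non-interactive run: -y sets the symbol path, -z opens
    the dump, -c runs the command string, and the trailing q quits."""
    cmd = [cdb]
    if symbol_path:
        cmd += ["-y", symbol_path]
    cmd += ["-z", str(dump), "-c", "!analyze -v; q"]
    return cmd


def multi_dump_command(dumps, cdb=CDB):
    """argv that opens several dumps in one cdb instance by repeating -z, as in
    the demo above; each dump still needs a g once the debugger is up, and
    ||<n>s switches between them."""
    cmd = [cdb]
    for d in dumps:
        cmd += ["-z", str(d)]
    return cmd


def parse_analysis(text):
    """Pull the comparable fields out of !analyze -v output (last value wins)."""
    return dict(FIELD_RE.findall(text))


def analyse_dump(dump, out_dir, symbol_path=None):
    """Run cdb on one dump, keep the full text as <dump>.analysis.txt for later
    reading, and return the parsed fields."""
    proc = subprocess.run(cdb_command(dump, symbol_path), capture_output=True,
                          text=True, timeout=900)
    Path(out_dir, Path(dump).name + ".analysis.txt").write_text(proc.stdout)
    return parse_analysis(proc.stdout)


def signature(fields):
    """FAILURE_BUCKET_ID when the analyzer produced one; otherwise a coarser
    bugcheck+module key so the dump still lands in some group."""
    return fields.get("FAILURE_BUCKET_ID") or "{}_{}".format(
        fields.get("BUGCHECK_CODE", "?"), fields.get("MODULE_NAME", "?"))


def group_by_signature(results):
    """results: {dump name: parsed fields} -> {signature: [dump names]},
    largest group first so the most frequent crash is at the top."""
    groups = defaultdict(list)
    for dump, fields in sorted(results.items()):
        groups[signature(fields)].append(dump)
    return dict(sorted(groups.items(), key=lambda kv: (-len(kv[1]), kv[0])))


def triage(dumps, out_dir, symbol_path=None):
    """End to end: analyse every dump, then group by crash signature."""
    Path(out_dir).mkdir(parents=True, exist_ok=True)
    return group_by_signature(
        {Path(d).name: analyse_dump(d, out_dir, symbol_path) for d in dumps})


# Constructed !analyze -v fragments standing in for five dumps (hypothetical
# drivers exampledrv.sys and otherdrv.sys).  fiv.dmp has no bucket line, which
# happens when symbols are missing, so it falls back to the coarse key.
SAMPLE_ANALYSIS = {
    "one.dmp": ("BUGCHECK_CODE:  d1\nBUGCHECK_P1: 8\nBUGCHECK_P2: 2\n"
                "BUGCHECK_P3: 0\nBUGCHECK_P4: 8\nPROCESS_NAME:  System\n"
                "MODULE_NAME: exampledrv\nIMAGE_NAME:  exampledrv.sys\n"
                "FAILURE_BUCKET_ID:  AV_exampledrv!unknown_function\n"),
    "two.dmp": ("BUGCHECK_CODE:  d1\nMODULE_NAME: exampledrv\n"
                "FAILURE_BUCKET_ID:  AV_exampledrv!unknown_function\n"),
    "tre.dmp": ("BUGCHECK_CODE:  7e\nMODULE_NAME: otherdrv\n"
                "FAILURE_BUCKET_ID:  0x7E_otherdrv!Foo\n"),
    "for.dmp": ("BUGCHECK_CODE:  d1\nMODULE_NAME: exampledrv\n"
                "FAILURE_BUCKET_ID:  AV_exampledrv!unknown_function\n"),
    "fiv.dmp": "BUGCHECK_CODE:  a\nMODULE_NAME: exampledrv\n",
}


def report(groups):
    for sig, names in groups.items():
        print("%3d  %s\n     %s" % (len(names), sig, ", ".join(names)))


if __name__ == "__main__":
    if len(sys.argv) > 1:   # real use: python triage.py C:\dumps\*.dmp
        report(triage(sys.argv[1:], "analysis"))
    else:                   # offline demo on the constructed samples
        report(group_by_signature(
            {n: parse_analysis(t) for n, t in SAMPLE_ANALYSIS.items()}))
```

Pass a symbol path (for example the srv* syntax pointing at the Microsoft symbol server) via symbol_path, or !analyze will bucket most dumps as "unknown" and the grouping collapses to bugcheck code plus module, which is still enough to see that the same driver keeps faulting. The per-dump .analysis.txt files are kept deliberately: once the table says which three dumps share a bucket, those are the ones worth opening together with the repeated -z form.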

Thanks all for your help. I have managed to cobble something together using the above; it is not pretty, but it does the job.

Thanks again!

The easiest way to do this is to use http://www.andreybazhan.com/onedbg.html