crash dump analysis

Hi all,

Can anyone out there help me figure out how to do crash dump analysis of
minidump.dmp and memory.dmp?

I have tried both driverworkbench from Compuware and WinDbg, but neither of
them shows anything other than the bug check status code and the address
which caused the problem.
I even loaded the symbols for the OS as well as my private driver, but the
call stack does not show any source file which caused the exception,
KeBugCheck etc.

Can anybody help?
Thanks in advance,
Mayank

Mayank,

You should be able to do
!analyze -v
in WinDBG and get some sensible information.

From that, you should also be able to dump memory in various places,
assuming memory was valid when the system crashed (in full dump, minidump
only saves certain sections).

The reason you don’t get any of your source to view could be that you didn’t
crash in your code… If the crash is in the OS, or in some other module in
the system that you don’t have source code for (for instance due to
corruption of memory owned by the other module), you may not be able to see
your code.

There are various commands like !thread and !process that can help with
switching the context of the system to the correct process, but if the
system didn’t crash in your module, then it may not be available in the
crash dump.

I hope this is of some help.


Mats

-----Original Message-----
From: Mayank Kumar [mailto:xxxxx@intersolutions.stpn.soft.net]
Sent: Friday, January 09, 2004 1:24 PM
To: Windows System Software Devs Interest List
Subject: [ntdev] crash dump analysis

Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as: xxxxx@3dlabs.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

Mayank:

Windbg is your choice here.

First make sure your pagefile size is twice as much as your RAM
size. At the least, the page file size should be a bit more than the RAM size.

If it is reproducible, then configure to get a full dump; then it would be
a bit easier.

When you get the dump loaded you get a handful of text; copy it and post.
Sometimes it might be the case that you cannot even use !analyze -v (whatever
it says in the msg body).

Also make sure you have the OS symbols downloaded from the MS symbol server;
then you hardly need to worry about OS version(s) etc. In that
case you should see the stacks with symbolic names such as nt!KeBugCheck,
Urdriver!IOctlDispatch etc., and then you are fine; otherwise make sure your
symbol path is correct for your driver.

If all else fails, and you only get stacks with constant addresses on the
stack, the job is harder: you will have to look at the assembly level to find
where your driver is loaded, and then by looking at the assembly you can
find where the routine is.

To verify that the symbolic representation is there, try from the cmd line:

x nt!* to see if ntoskrnl symbols are there or not

x Urdriver!* ; where Urdriver is the name of the driver file w/o the .sys
part

-prokash
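
The symbol check described in the message above, applied to a saved debugger log, as an added example that is not part of the original thread: a Python script that classifies each stack frame as symbolized, module-plus-offset, or a bare address, and names the modules whose symbol path still needs fixing. The log text, addresses and offsets are constructed; the kb-style column layout and the choice of `nt` and `hal` as the only OS modules are assumptions.

```python
import re
from collections import Counter

# Constructed sample of a saved WinDbg log: one loader warning plus a
# kb-style stack. Addresses, offsets and frames are made up for illustration;
# "Urdriver" is the placeholder driver name used in the thread.
SAMPLE_LOG = """\
*** ERROR: Module load completed but symbols could not be loaded for Urdriver.sys
ChildEBP RetAddr  Args to Child
f7a1bc04 804f8b9d 0000000a 00000010 00000002 nt!KeBugCheckEx+0x1b
f7a1bc20 f8c51234 00000010 00000002 00000000 nt!KiTrap0E+0x233
f7a1bc9c f8c50a10 81f3c020 81e5d008 00000000 Urdriver+0x1234
f7a1bcc0 804ef119 81f3c020 81e5d008 806e6410 Urdriver+0xa10
f7a1bcd0 80575d5e 81e5d078 81d1f1b0 81e5d008 nt!IopfCallDriver+0x31
f7a1bce4 00000000 81f3c020 81e5d008 81d1f1b0 0xf8d00456
"""

OS_MODULES = {"nt", "hal"}  # assumption: every other module is third party

# ChildEBP, RetAddr, up to three argument words, the call site, and an
# optional trailing annotation in parentheses.
FRAME_RE = re.compile(
    r"^[0-9a-f]{8}\s+[0-9a-f]{8}\s+(?:[0-9a-f]{8}\s+){0,3}"
    r"(?P<site>\S+)(?:\s+\(.*\))?\s*$",
    re.IGNORECASE,
)
SYMBOL_RE = re.compile(r"^(?P<mod>[\w.]+)!(?P<sym>[^+]+)(?:\+0x[0-9a-f]+)?$", re.I)
MODULE_RE = re.compile(r"^(?P<mod>[\w.]+)\+0x[0-9a-f]+$", re.I)
RAW_RE = re.compile(r"^0x[0-9a-f]+$", re.I)
NOSYM_RE = re.compile(r"symbols could not be loaded for (?P<file>\S+)", re.I)


def classify(site):
    """Return (kind, module) for one call-site column of a stack line."""
    m = SYMBOL_RE.match(site)
    if m:
        return "symbolized", m.group("mod")    # e.g. nt!KeBugCheckEx+0x1b
    m = MODULE_RE.match(site)
    if m:
        return "module_only", m.group("mod")   # module known, no symbols
    if RAW_RE.match(site):
        return "raw", None                     # address in no known module
    return "unknown", None


def parse_frames(log):
    """Extract (kind, module, site) for every stack line in the log."""
    frames = []
    for line in log.splitlines():
        m = FRAME_RE.match(line.strip())
        if m:
            kind, module = classify(m.group("site"))
            frames.append((kind, module, m.group("site")))
    return frames


def triage(log):
    """Summarize how far symbol resolution got and which driver to look at."""
    frames = parse_frames(log)
    kinds = Counter(kind for kind, _, _ in frames)
    # Modules the debugger itself reported as having no symbols (drop ".sys").
    unresolved = {m.group("file").rsplit(".", 1)[0] for m in NOSYM_RE.finditer(log)}
    # module+offset frames are unsymbolized even when no warning was logged.
    unresolved |= {mod for kind, mod, _ in frames if kind == "module_only"}
    # First frame, from the top of the stack, that is not the kernel or HAL.
    third_party = next(
        (mod for _, mod, _ in frames if mod and mod not in OS_MODULES), None
    )
    return {
        "kinds": dict(kinds),
        "unresolved_modules": sorted(unresolved),
        "first_third_party": third_party,
        "fully_symbolized": bool(frames) and kinds["symbolized"] == len(frames),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for key, value in report.items():
        print(f"{key}: {value}")
```

A frame of the form `Urdriver+0x1234` means the module was found but its symbols were not, which points at the symbol path; a bare address means the debugger could not place it in any loaded module.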

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com]On Behalf Of Mayank Kumar
Sent: Friday, January 09, 2004 5:24 AM
To: Windows System Software Devs Interest List
Subject: [ntdev] crash dump analysis

If Mayank has DriverStudio 3.1, both BoundsChecker and Visual SoftICE have
pretty decent crash dump analyzers, with integrated symbols and source code,
stack traversal, and more. However, some problems can leave you with quite a
shallow stack anyway.

Alberto.

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com]On Behalf Of Prokash Sinha
Sent: Friday, January 09, 2004 10:57 AM
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] crash dump analysis

The contents of this e-mail are intended for the named addressee only. It
contains information that may be confidential. Unless you are the named
addressee or an authorized designee, you may not copy or use it, or disclose
it to anyone else. If you received it in error please notify us immediately
and then destroy it.

I suppose this is not ignorance of law -:), just ignorance of info. on my
side.

I’ve installed 3.1 in my office did yet get the chance to crank it, so hope
things would not be like 2.7 where crash dump analyzer was feeding me with
too many stacks. All the stacks in the systems, even I asked to the
customer’s support, a while back, and the response was I will have to hunt
to get to the stacks I am interested. Well, the intention is not to put it
up here, since I know it has many many more merits than its weaknesses in
the past, so don’t take it otherwise. And also I remember during 1996 time
frame windbg has its own mind, if she liked you, you would be able to have a
null-modem connection, otherwise days just go by, and finally I might have put
more bugs than fixed myself, so you know …

-prokash

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com]On Behalf Of Moreira, Alberto
Sent: Friday, January 09, 2004 8:15 AM
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] crash dump analysis

Oh! I forgot, I once approached sysinternals to get their source code
license for their single machine windbg, the problem was to shoot too many
customers’ problem, crashes now how do i debug remotely, would they allow the
systems to be down for my debug, blah, blah …

I might be weird, but my test is to have an automatic kernel crash analysis
to the defaulting party, sort of along the line of MS’s new feature, but bit
more nail pointing in a nice way, so that separation of concerns occurs. When
you see more than 10 crashes a day, and your client thinks it is right to
dump down towards you, since you are a new vendor trying to get the deal
thru ( talking about 1000 of seats(licenses) ), you know life is bit worse
than shit :).

So anyone knows the whereabouts of David Hilbert, let me know, dead or alive

–prokash

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com]On Behalf Of Prokash Sinha
Sent: Friday, January 09, 2004 6:39 PM
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] crash dump analysis

Hi Mayank,

Look at the WinDbg help; it tells you in detail how to analyze the crash dump. And it would be great if, before asking all this, you looked at the various resources provided by MS. Sorry for being harsh here.

Good Luck,

From: “Mayank Kumar”

>Reply-To: “Windows System Software Devs Interest List”
>To: “Windows System Software Devs Interest List”
>Subject: [ntdev] crash dump analysis
>Date: Fri, 9 Jan 2004 18:53:42 +0530

> the past, so dont take it otherwise. And also I remember during 1996 time
> frame windbg has its own mind, if she liked you, you would be able to have a

WinDbg sustained a complete rewrite in 2000, and since 2000, is not this
terrifying thing.

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

Yes, you are right. And I’ve seen some other problems even after 2000
release. It might not be problem(s), but having a supported debugger is much
better. Not to mention that the customer’s support or those fielding the
Windbg problems are some of the nicest people, and they extend their hands
to couple thousand miles :). And yes there are constant improvements, and
those of us went thru the trail feel very much relieved. But those are not
that familiar usually get a slap on their face. They should be the one try
these debugger hard, judge by themselves, but unfortunately lot of guys don’t
get interested in it. We are so used to it, we would almost always find a
way to dig out crash problems, and eventual patch, either with windbg or
softice or IDA or bus analyzer or scope … But there are lots of rooms for
improvement(s).

In my other note, as I mentioned, one step would be to have some
instrumentation at customers site, user can turn it on, as and when crash
happens, it would be funneled back to faulting parties(s). Should be fairly
automatic. Enterprise systems should be 24 by 7 LUNAR TIME, not otherwise.
And yes, this is wishful thinking, may be.

–prokash

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com]On Behalf Of Maxim S. Shatskih
Sent: Saturday, January 10, 2004 5:41 AM
To: Windows System Software Devs Interest List
Subject: Re: [ntdev] crash dump analysis

> In my other note, as I mentioned, one step would be to have some
> instrumentation at customers site, user can turn it on, as and when crash
> happens, it would be funneled back to
> faulting parties(s).

Called - “the crash dump”.

Test installations for product alpha sites can always run with WinDbg attached
(no problems attaching WinDbg to a nearly production PC or server, you must not
install anything, just add a line to BOOT.INI, you will remove it later), the
binary in question is checked and makes debug prints, and, in case of crash or
hang, the WinDbg command output log is sent to the development.

In case of crash, !analyze -v output is sent too.
In case of hang, !process 0 7 output is sent too. Very convenient.

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

That is excellent. I did not know this. But an enhancement to tackle the
general case, meaning vendors are added might not be that difficult. And
transparent (almost) recovery would be another on the list. I’m sure MS would
and could do it, when the time is right. Seems like loosely coupled systems
might be the future for Enterprises and built in redundancy with transparent
recovery, and fault reporting would be great to have… Lot of time, I just
put myself into the position of a doctor, and try to think that in certain
cases I would have only a very limited finite time to shoot the problem out,
and get the patient back in time and life. Lucky I am that I don’t need to
deal with it, but in the future may be the systems we play with would have
something like that.

Back in IBM I used to hear that most main frames run for at least a year
w/o crash, and they are usually brought down for sys maintenance yearly,
while the other machines are fielding the responsibility. Now I hear that the
official record is 20 yrs non-stop production machine. And lot of the above
ideas are pretty old for that matter. Well, that is also in a somewhat
controlled environment, not too many funky h/w or funky s/w …

–prokash

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com]On Behalf Of Maxim S. Shatskih
Sent: Saturday, January 10, 2004 4:20 PM
To: Windows System Software Devs Interest List
Subject: Re: [ntdev] crash dump analysis

Comments in line:
----- Original Message -----
From: “Prokash Sinha”
To: “Windows System Software Devs Interest List”
Sent: Saturday, January 10, 2004 8:03 PM
Subject: RE: [ntdev] crash dump analysis

> That is excellent. I did not know this. But an enhancement to tackle the
> general case, meaning vendors are added might not be that difficult.

If you mean that any vendor can get their crash data, Microsoft has such a
program. You can get online crash analysis data for any driver that you
develop, it just requires a verisign ID for your company.

> And
> transperant(almost) recovery would be another on the list. I’m sure MS would
> and could do it, when the time is right. Seems like loosly coupled systems
> might be the future for Enterprises and built in redundancy with trasperant
> recovery, and fault reporting would be great to have…

Uh this ain’t easy, I architected and helped build a fault tolerant effort for
NT 4.0; this is not a small task. Also, depending how transparent you mean,
loosely coupled is not the way to go, a loosely coupled system has recovery
times typically in minutes to hours (for example an Oracle fail over cluster
under a heavy load, can take hours to rebuild the database after a
failover). So if by transparent you mean everything is back within a day,
go loosely coupled, otherwise you have to have a tighter integration.
>
> Back in IBM I used to hear that most main frames runs for at least a year
> w/o crash, and they are usually brought down for sys maintenance yearly,
> while the other machines are fielding the responsiblity. Now I hear that the
> official record is 20 yrs non-stop production machine. And lot of the above
> ideas are pretty old for that matter.

This is one of those lovely what does “mean time between outages” actually
represent?
By 20 years non-stop, does that include taking things down for periodic
maintenance? A lot of the pseudo fault tolerant claims are “we stay up for
years, as long as you shut things down once a month.”, while the real fault
tolerant companies were up for years without loss of operation for periodic
maintenance. One of the funniest things that happened a couple of years ago
was I got a call asking me if I remembered how to administer a version of
the Sequoia Topix operating system. It seems the customer installed the
machine in 1990, and it was now 2001 and they wanted to move; the problem
was nobody remembered how to shut it down or restart it, since that had not
happened in 10 years.

> Well, that is also in a somewhat
> controlled environment, not too many funky h/w or funky s/w …
>

Yep, in controlled environments you get stable systems, I don’t know if it
is still there, but last year I heard of an NT 3.5.1 system that had been up
without an outage since 1996. Of course it was lightly loaded and only was
doing simple file and print.

Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting

Embedded cmts:
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com]On Behalf Of Don Burn
Sent: Saturday, January 10, 2004 5:25 PM
To: Windows System Software Devs Interest List
Subject: Re: [ntdev] crash dump analysis

Comments in line:
----- Original Message -----
From: “Prokash Sinha”
To: “Windows System Software Devs Interest List”
Sent: Saturday, January 10, 2004 8:03 PM
Subject: RE: [ntdev] crash dump analysis

> That is excellent. I did not know this. But an enhancement to tackle the
> general case, meaning vendors are added might not be that difficult.

If you mean that any vendor can get their crash data, Microsoft has such a
program. You can get online crash analysis data for any driver that you
develop, it just requires a verisign ID for your company.

Thanx for the info.

> And
> transperant(almost) recovery would be another on the list. I’m sure MS would
> and could do it, when the time is right. Seems like loosly coupled systems
> might be the future for Enterprises and built in redundancy with trasperant
> recovery, and fault reporting would be great to have…

Uh this ain’t easy, I architected and help build a fault tolerant effort for
NT 4.0 this is not a small task. Also, depending how transparent you mean,
loosely coupled is not the way to go, a loosely coupled system has recovery
times typically in minutes to hours (for example an Oracle fail over cluster
under a heavy load, can take hours to rebuild the database after a
failover). So if by transparent you mean everything is back within a day,
go loosely coupled, otherwise you have to have a tighter integration.

Well, I might be wrong, but it seems like from the (H/W) point of view, it would be
a bit easier to come up with this kind of parallel machine, than having even 64
processor(s) hooked in a backplane bus. And in that case Oracle or anyone
else might have to accommodate the h/w design in the future, I suppose.
>
> Back in IBM I used to hear that most main frames runs for at least a year
> w/o crash, and they are usually brought down for sys maintenance yearly,
> while the other machines are fielding the responsiblity. Now I hear that the
> official record is 20 yrs non-stop production machine. And lot of the above
> ideas are pretty old for that matter.

This is one of those lovely what does “mean time between outages” actually
represent?
By 20 years non-stop, does that include taking things down for periodic
maintenance? A lot of the pseudo fault tolerant claims are “we stay up for
years, as long as you shut things down once a month.”, while the real fault
tolerant companies were up for years without loss of operation for periodic
maintenance. One of funniest things that happened a couple of years ago,
was I got a call asking me if I remembered how to administer a version of
the Sequoia Topix operating system. It seems the customer installed the
machine in 1990, and if was not 2001 and they wanted to move, the problem
was nobody remembered how to shut it down or restart it, since that had not
happened in 10 years.

For sure, I know those one year continuous running was w/o any maintenance or
outage. And I’m not talking about sysPlexes, plain vanilla 3090 ( or
whatever around mid 80s). The service contract and agreement was to have an
annual or later enhancement to h/w and s/w. For the 20 year, I really don’t
know, but the origin of this info is very serious about it, and I think it
might very well be that w/o any interruption of service whatsoever. Then
again, I kind of see your logic, if a system runs over a year, it might
have a good chance to survive 10 or 20 yrs, and in that case numbers do
not mean much either.

> Well, that is also in a somewhat
> controlled environment, not too many funky h/w or funky s/w …
>

Yep, in controlled environments you get stable systems, I don’t know if it
is still there, but last year I heard of an NT 3.5.1 system that had been up
without an outage since 1996. Of course it was lightly loaded and only was
doing simple file and print.

The example I mentioned was not lightly loaded or just totally controlled in
the programming labs, it was out on the production, and the companies were
stock exchange, Amex, Sears, etc.
What I meant by controlled is that the whole set of h/w was IBM provided, it
is another thing that some of the ICs or components were built by 3rd party,
but the final systems went out of one of the door of IBM, so there were
massive test and QAs. And s/w were provided only by IBM.

Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting


Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as: xxxxx@garlic.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

> In my other note, as I mentioned, one step would be to have some
> instrumentation at customers site, user can turn it on, as and when crash
> happens, it would be funneled back to faulting parties(s). Should be fairly
> automatic. Enterprise systems should be 24 by 7 LUNAR TIME, not otherwise.
> And yes, this is wishful thinking, may be.

Not wishful thinking. This exists for the Enterprise class machines, but it
is provided by the hardware vendor, not by MS. Wouldn’t be surprised if it
is also available on some smaller systems. I seem to recall the Dell dual I
have at work kept wanting to call mommy all the time before I finally
convinced it otherwise.

Loren

hi prokash
some doubts here:-
first: where do i get the OS symbols downloaded from ??
second: do i need to download os symbols for a specific Service pack for eg
i am using windows 2000 sp4??
third: can u specify as to where these OS symbols as well as the drivers
symbols should be kept??
fourth: also when we are talking about the drivers symbols, then i hope u
are referring to .pdb file
fifth: where should the drivers source code be kept??

i know these questions are asking too much but i have tried my hand on
windbg with all settings but with NO considerable success. i also specified
the symbols path in the windbg settings as well as the source path there.

Also if u have had some success with debugging a crash dump using
driverstudio then u can tell me that too.

thanks in advance
Mayank

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com]On Behalf Of Prokash Sinha
Sent: Friday, January 09, 2004 9:27 PM
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] crash dump analysis

Mayank:

Windbg is your choice here.

First make sure you have the pagefile size is twice as much as your RAM
size. At least the page file size should be bit more than RAM size.

If it is reproducible, then configure to get a full dump then it would be
bit easier.

When you get the dump loaded you get a handful of text, copy them and post.
Sometime it might be the case that you cannot even use !analyze -v (whatever
says in the msg body ).

Also make sure you have the OS symbols downloaded from MS symbol server,
then you hardly need to worry about OS version(s) etc., etc. And in that
case you should see the stacks with symbolic name such as nt!KebugCheck,
Urdriver!IOctlDispatch etc. then you are fine, otherwise make sure your
symbol path is correct for your driver.

If all else fails, and you only get stacks with constant addresses on the
stack, job is harder, you will have to look at the assembly level to find
where is your driver loaded, and then by looking at the assembly you can
find where is the routine.

To verify that symbolic representation is there - Try from cmd line:

x nt!* to see if ntoskrnl symbols are there or not

x Urdriver!* ; where Urdriver is the name of the driver file w/o the .sys
part

-prokash


HI Alberto
Is there some problem with the DriverStudio 3.0 version ??
I have that installed. Does the 3.1 version not require
the path to the OS symbols. I have tried it with DriverStudio 3.0
but without success. Most of the times the stack only shows a list of drivers
but no source.
If DriverStudio 3.1 has integrated symbols for the OS and only needs the
drivers symbol and source code for debugging then it's a great thing and i can
have that purchased by our company.

I tried loading the crash dump using the driver work bench , it only shows
the bugcheck code and nothing more helpful.
Any books on the same which u know of will also be helpful to me.
thanks
regds
Mayank

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com]On Behalf Of Moreira, Alberto
Sent: Friday, January 09, 2004 9:45 PM
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] crash dump analysis

If Mayank has DriverStudio 3.1, both BoundsChecker and Visual SoftICE have
pretty decent crash dump analyzers, with integrated symbols and source code,
stack traversal, and more. However, some problems can leave you with quite a
shallow stack anyway.

Alberto.


The contents of this e-mail are intended for the named addressee only. It
contains information that may be confidential. Unless you are the named
addressee or an authorized designee, you may not copy or use it, or disclose
it to anyone else. If you received it in error please notify us immediately
and then destroy it.



First you search with google or any search engine to find the website for
windows debugger… This is for your reference !!!

http://www.microsoft.com/whdc/ddk/debugging/

Look at How to get symbols link. And the following is the string you put in
your symbol
path

SRV*c:\websymbols*http://msdl.microsoft.com/download/symbols;<your driver src>

You can type it up <anypath …> or use the browsing button to the folder of
your src, and click a src file, that will get the folder or whatever.

2nd:: You don't need to specify any thing, when you try to reload ( look at
the help menu, I think .reload), it would go out and reach someone to
download the symbols :-). BTW, there is another menu-button, from where you
can look at what symbols are resolved or not, I think it is from option
button !!.

3rd:: Syms would be downloaded to c:\websymbols, so don't worry about the
dirs or whatever, but you can look at it if the folder is created and
populated …

4th: Yes .pdb files from your driver, if you are using windbg. For driver
studio, it is .nms.

5th: Any folder on your debugger machine, not the debuggee (the unfortunate
one :-) you are debugging for).

I’ve not had a chance to use the Driver studio 3.1 yet, so someone else
might give you hints on this…

–prokash
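
The symbol setup and checks from the replies above, collected as WinDbg commands typed at the `kd>` prompt after the crash dump is opened; this is an added example, not part of any poster's message. `C:\drv\sym` and `C:\drv\src` are hypothetical folders on the debugger machine for the driver's .pdb and source, and `Urdriver` is the placeholder driver name used in the thread.

```windbg
$$ Added example. Assumed (hypothetical) folders on the debugger machine:
$$   C:\drv\sym  holds Urdriver.pdb from the same build as the crashed Urdriver.sys
$$   C:\drv\src  holds the matching driver source tree
$$
$$ 1. Symbol path: OS symbols come from the Microsoft symbol server and are
$$    cached in c:\websymbols; the driver's own .pdb is found in C:\drv\sym.
.sympath SRV*c:\websymbols*http://msdl.microsoft.com/download/symbols;C:\drv\sym
$$
$$ 2. Source path, so frames inside the driver can open the source file.
.srcpath C:\drv\src
$$
$$ 3. Print every symbol lookup, then force a reload. The noisy output names
$$    each path that was searched and why a .pdb was rejected (for example a
$$    mismatch between the .pdb and the .sys that was running at crash time).
!sym noisy
.reload /f
$$
$$ 4. Check what was actually loaded. In the lm output, "pdb symbols" or
$$    "private pdb symbols" next to a module is good; "export symbols" or
$$    "no symbols" means the .pdb was not found or did not match.
lm
lmvm nt
lmvm Urdriver
$$
$$ 5. The checks suggested in the thread: list symbols from the kernel and
$$    from the driver. An empty listing means symbols did not resolve.
x nt!KeBugCheck*
x Urdriver!*
$$
$$ 6. Only now run the analysis and look at the stack. Frames should read as
$$    module!function+offset instead of bare addresses.
!analyze -v
kv
$$
$$ 7. Turn the verbose symbol output back off.
!sym quiet
```

If step 4 shows the driver with export symbols only, source lines cannot appear in the stack no matter what `.srcpath` says; fix the .pdb match first.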


Hi, Mayank,

The path to the symbols is one of the settings, for example, if you click on
“Select Functions” there’s an entry in there for the symbols path. You can
also use the Symbol Retriever utility, which will go out to the required
Microsoft Web Site and download the symbols for you. Actually, that utility
can automatically load them into SoftICE too. And it should mostly work with
DS 3.0, if not, you can send an email to xxxxx@compuware.com and
they’ll help you sort it out.

Alberto.


Have you reported the issue ? Do you have a number I can go look up ?

Alberto.

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com]On Behalf Of Prokash Sinha
Sent: Friday, January 09, 2004 9:39 PM
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] crash dump analysis

I suppose this is not ignorance of law -:), just ignorance of info. on my
side.

I’ve installed 3.1 in my office did yet get the chance to crank it, so hope
things would not be like 2.7 where crash dump analyzer was feeding me with
too many stacks. All the stacks in the systems, even I asked to the
customer’s support, a while back, and the response was I will have to hunt
to get to the stacks I am interested. Well, the intention is not to put it
up here, since I know it has many many more merits than its weaknesses in
the past, so don't take it otherwise. And also I remember during 1996 time
frame windbg has its own mind, if she liked you, you would be able to have a
null-modem connection, otherwise days just go by, and finally I might have put
more bugs than fixed myself, so you know …

-prokash


This is almost a year ago, if not more. Yes I reported at that time, so
if you have some kind of archiving you will sure find it. It was reported
when I was working for Zone Labs, just to give you another keyword to search
for. And I think, Prokash Sinha seems to be fairly unique name around the
circles, due to its spelling oddity :-). Also, I’m not sure if I talked to a
person over the phone or not, but my recollection is that “I have to hunt for
the stack(s) out of all the stack(s) being spitted out”.
Right there I went back to windbg using two machines.

If you happen to have any KB for shooting crash dumps around 2.7 or little
earlier version(s) I would be happy if I get to look at.

If you have anything to say on it, I will definitely return your email
tonight.

-prokash
