Find usermode stack from full kernel dump

hi guys,

I have a full kernel dump, where I want to find out the user mode stack of a specific process.
What I see is:

4: kd> .process fffffa804e0c2920
Process fffffa804e0c2920 has invalid page directories
4: kd> .process /r /p fffffa804e0c2920
Process fffffa804e0c2920 has invalid page directories

and .reload /f /user does not load user mode symbols at all.

Is there any way to dig out the user mode stack there, or does the dump just not contain user mode info?

Regards
Haibo

xxxxx@hotmail.com wrote:

> hi guys,
>
> I have a full kernel dump, where I want to find out the user mode stack of a specific process.
> What I see is:
>
> 4: kd> .process fffffa804e0c2920
> Process fffffa804e0c2920 has invalid page directories
> 4: kd> .process /r /p fffffa804e0c2920
> Process fffffa804e0c2920 has invalid page directories
>
> and .reload /f /user does not load user mode symbols at all.
>
> Is there any way to dig out the user mode stack there, or does the dump just not contain user mode info?

A full kernel dump does not contain user mode memory at all.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

Thanks Tim, is there any way to make Windows include user mode mem in the dump?

You should set Windows up to create a full memory dump via the Startup and
Recovery settings.

Thanks,
Elad
On Oct 22, 2014 6:54 AM, wrote:

> thanks Tim, is there any way to make Windows include user mode mem in dump?

Hello

In my WinDbg, after loading a crash dump, the command prompt in the command window is displayed as shown below.

Please help me identify what 16 and 0 are here:

16.0: kd:x86 >

Hi Elad,

I see “small memory dump” and “kernel memory dump (my current setting)”, no full dump there.

Regards
Haibo

From my experience it happens because your page file is too small or
located on a different volume other than your boot volume? How much RAM
do you have on your system?

If none of the above is correct, try setting the registry:
HKLM\System\CurrentControlSet\Control\CrashControl\CrashDumpEnabled value
to 1 (DWORD)

This will bypass the Startup and Recovery choice and choose complete
memory dump manually.

On Wed, Oct 22, 2014 at 12:10 PM, wrote:

> Hi Elad,
>
> I see “small memory dump” and “kernel memory dump (my current setting)”, no
> full dump there.
>
> Regards
> Haibo
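Added example (not part of the thread, not code from any poster): a read-only PowerShell check of the CrashDumpEnabled value and the boot-volume page file conditions mentioned in the reply above. The function name Get-CrashDumpReadiness is hypothetical, and the "RAM + 1 MB" page file threshold is an assumption used for illustration.

```powershell
# Added example: read-only audit, changes nothing on the system.
$ccKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'

# CrashDumpEnabled values; 1 is the "complete memory dump" setting from the thread.
$dumpTypes = @{
    0 = 'None'
    1 = 'Complete memory dump'
    2 = 'Kernel memory dump'
    3 = 'Small memory dump'
    7 = 'Automatic memory dump'
}

function Get-CrashDumpReadiness {   # hypothetical helper name
    $cc    = Get-ItemProperty -Path $ccKey
    $mode  = [int]$cc.CrashDumpEnabled
    $os    = Get-CimInstance -ClassName Win32_OperatingSystem
    $cs    = Get-CimInstance -ClassName Win32_ComputerSystem
    $ramMB = [math]::Ceiling($cs.TotalPhysicalMemory / 1MB)

    # Page files that live on the boot volume (the volume holding Windows).
    $bootPf = Get-CimInstance -ClassName Win32_PageFileUsage |
        Where-Object { $_.Name -like "$($os.SystemDrive)\*" }
    $pfMB = ($bootPf | Measure-Object -Property AllocatedBaseSize -Sum).Sum
    if ($null -eq $pfMB) { $pfMB = 0 }   # no page file on the boot volume

    # Assumption: the page file must hold all of RAM plus 1 MB.
    $pfOk = $pfMB -ge ($ramMB + 1)

    [pscustomobject]@{
        CrashDumpEnabled     = $mode
        DumpType             = $dumpTypes[$mode]
        DumpFile             = $cc.DumpFile
        PhysicalRamMB        = $ramMB
        BootVolumePageFileMB = $pfMB
        PageFileLargeEnough  = $pfOk
        # User mode memory is only captured when the complete dump is
        # selected and the page file can actually hold it.
        UserModeInNextDump   = ($mode -eq 1) -and $pfOk
    }
}

Get-CrashDumpReadiness | Format-List
```

A dump already written with CrashDumpEnabled = 2 (kernel memory dump) cannot be upgraded after the fact; the setting only affects the next crash, and a registry change takes effect after a reboot.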