Programmatically get minidump from Kernel

Hi, buddies, I have a question about manually getting a minidump:

As far as I know, one can get a minidump in user mode through MiniDumpWriteDump; can one find an equivalent in kernel mode? If there is no such one, I have to follow the minidump file structure to get one piece of header information after another, which is rather time consuming.

I know there are two other ways to get a kernel minidump: through the OS's system utility, and in windbg using the .minidump command. But I want to do that in my sample driver.

Can anybody give me some tips to continue with it? Thanks!

If you mean creating a user mode minidump, no there’s no supported way to do
that. Not really sure why you would want to.

If you mean a kernel mode dump in response to a BSOD, then you could look
into registering a KeBugCheckCallbackReason.

mm

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@gmail.com
Sent: Wednesday, July 11, 2012 9:58 PM
To: Windows System Software Devs Interest List
Subject: [ntdev] Programally get minidump from Kernel



NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

There is no documented way to do this from km. What problem are you trying to solve?

d

debt from my phone


From: xxxxx@gmail.com
Sent: 7/11/2012 6:57 PM
To: Windows System Software Devs Interest List
Subject: [ntdev] Programally get minidump from Kernel


I want to generate it and save it to a removable disk, or send it out through the network; currently it can only be saved on the hard disk.

I have also tried KeBugCheckCallbackReason several days ago, but when this function is called, it cannot allocate memory or synchronize with resources, so I cannot use ZwCreateFile/ZwWriteFile to put it on a removable disk or call TDI functions to save it to the network.

Impossible.

When the dump occurs, most of your kernel is considered to be broken and thus cannot be used anymore.
Only the very special disk dump path can be used, which really does not allocate any memory during dump writing (everything is preallocated).


Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com

wrote in message news:xxxxx@ntdev…

Hi Maxim, thanks. It can; the experiment is going on on my side, and you can do that a little bit earlier.

This address gives the structure of the minidump file format:
http://infopurge.tumblr.com/post/10445418822/the-format-of-a-minidump-mdmp-file

I would get all of this information one by one and save it to my own prepared file; although it would take quite a long time, it seems there is currently no other way.
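The linked page describes the MDMP layout. As an added example (not code from the thread or from any project mentioned in it), here is a small Python parser for exactly the parts the poster would otherwise have to produce by hand, the MINIDUMP_HEADER and the stream directory, together with a builder that constructs a minimal MDMP blob in memory so the parser can be run offline. The field layout is the one from dbghelp.h; the sample stream contents, the timestamp value and the helper names are assumptions made for this example. One caveat: this is the user-mode minidump format written by MiniDumpWriteDump; the kernel minidumps Windows leaves in %SystemRoot%\Minidump carry a different header (PAGEDUMP/PAGEDU64), so a parser for one does not read the other.

```python
"""Parse the MINIDUMP_HEADER and stream directory of an MDMP-format file."""
import struct

# Field layout from dbghelp.h. Every offset and size below is read from the
# file and checked against its length before use: a dump produced on a
# crashed (or hostile) host may be truncated or corrupt.
MDMP_SIGNATURE = 0x504D444D      # the bytes 'MDMP' read as a little-endian ULONG32
MINIDUMP_VERSION = 0xA793        # low 16 bits of Version; high 16 bits are implementation-specific
HEADER_FMT = "<IIIIIIQ"          # Signature, Version, NumberOfStreams, StreamDirectoryRva,
                                 # CheckSum, TimeDateStamp, Flags           (32 bytes)
DIRECTORY_FMT = "<III"           # StreamType, Location.DataSize, Location.Rva (12 bytes)
HEADER_SIZE = struct.calcsize(HEADER_FMT)
DIRECTORY_SIZE = struct.calcsize(DIRECTORY_FMT)

STREAM_NAMES = {
    0: "UnusedStream", 3: "ThreadListStream", 4: "ModuleListStream",
    5: "MemoryListStream", 6: "ExceptionStream", 7: "SystemInfoStream",
    8: "ThreadExListStream", 9: "Memory64ListStream", 10: "CommentStreamA",
    11: "CommentStreamW", 12: "HandleDataStream", 13: "FunctionTableStream",
    14: "UnloadedModuleListStream", 15: "MiscInfoStream",
    16: "MemoryInfoListStream", 17: "ThreadInfoListStream",
    18: "HandleOperationListStream", 19: "TokenStream",
}


class MinidumpError(ValueError):
    """Raised when the header or stream directory is malformed."""


def parse_minidump(data):
    """Return the header fields and the list of streams described by `data`."""
    if len(data) < HEADER_SIZE:
        raise MinidumpError("shorter than MINIDUMP_HEADER")
    (sig, version, nstreams, dir_rva,
     checksum, timestamp, flags) = struct.unpack_from(HEADER_FMT, data, 0)
    if sig != MDMP_SIGNATURE:
        raise MinidumpError("signature 0x%08X is not 'MDMP'" % sig)
    if (version & 0xFFFF) != MINIDUMP_VERSION:
        raise MinidumpError("unexpected MINIDUMP_VERSION 0x%04X" % (version & 0xFFFF))
    if dir_rva + nstreams * DIRECTORY_SIZE > len(data):
        raise MinidumpError("stream directory runs past the end of the data")
    streams = []
    for i in range(nstreams):
        stype, size, rva = struct.unpack_from(
            DIRECTORY_FMT, data, dir_rva + i * DIRECTORY_SIZE)
        if rva + size > len(data):          # untrusted length: check before slicing
            raise MinidumpError("stream %d runs past the end of the data" % i)
        streams.append({"type": stype,
                        "name": STREAM_NAMES.get(stype, "Unknown(%d)" % stype),
                        "rva": rva, "size": size, "data": data[rva:rva + size]})
    return {"version": version, "checksum": checksum, "timestamp": timestamp,
            "flags": flags, "streams": streams}


def find_stream(parsed, name):
    """Bytes of the first stream called `name`, or None if absent."""
    for stream in parsed["streams"]:
        if stream["name"] == name:
            return stream["data"]
    return None


def build_sample_minidump(comment=b"constructed sample dump\0"):
    """Constructed test input, not a real dump: header, a two-entry directory,
    then the payload of a SystemInfoStream and a CommentStreamA."""
    sysinfo = bytes(56)                       # zeroed placeholder for MINIDUMP_SYSTEM_INFO
    dir_rva = HEADER_SIZE
    data_rva = dir_rva + 2 * DIRECTORY_SIZE
    directory = struct.pack(DIRECTORY_FMT, 7, len(sysinfo), data_rva)
    directory += struct.pack(DIRECTORY_FMT, 10, len(comment), data_rva + len(sysinfo))
    header = struct.pack(HEADER_FMT, MDMP_SIGNATURE, MINIDUMP_VERSION, 2, dir_rva,
                         0, 0x4FFF3A1B, 0)   # CheckSum 0, made-up TimeDateStamp, Flags 0
    return header + directory + sysinfo + comment


if __name__ == "__main__":
    parsed = parse_minidump(build_sample_minidump())
    for stream in parsed["streams"]:
        print("%-26s rva=%-5d size=%d" % (stream["name"], stream["rva"], stream["size"]))
    print("comment:", find_stream(parsed, "CommentStreamA"))
```

Every RVA and DataSize is bounds-checked before it is used to slice the buffer; this matters because the file is produced on a machine that has just crashed and is later opened on the analysis server, where a corrupt length should yield a clean error rather than an exception deep inside the tooling.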

It’s better to check new minidumps during next reboot and then you can
upload them somewhere.
As for your link, minidump structure is changed in Win8 (it means old windbg
tools won’t open win8 dumps).

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@gmail.com
Sent: Thursday, July 12, 2012 10:50 AM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] Programally get minidump from Kernel


Hi Petr Kurtin, thanks. It can also be got from the pagefile, but for me, I need to get the minidump file immediately; currently it's only for Windows XP, and we do not have the willingness to migrate to Windows 8 within three years.

I would really appreciate it if somebody has this kind of experience. And can we hook the method Windbg uses? Like, what would happen if I input the command “.dump”?

Best regards,

That is not going to do what you want.

  • S (Msft)

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@gmail.com
Sent: Thursday, July 12, 2012 9:05 AM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] Programally get minidump from Kernel


Then you are going to need to use the bug check reason callbacks, and do a lot of work yourself. Bottom line: once the dump starts, until the time the OS has started again after the reboot you are extremely limited in what you can do. You can access device registers, and you can access memory, but there is little else. So this is either a roll-your-own driver that will work in the dump environment and do the right thing, such as raw writing to a removable drive, or else you have to wait till the reboot.

Don Burn
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr

"xxxxx@gmail.com" wrote in message news:xxxxx@ntdev:


xxxxx@gmail.com wrote:

Hi Petr Kurtin, Thanks, can also get from pagefile, but for me, I need get immediately the minidump file, currently it’s only for windows XP, we do not have the willingness to migrate to windows 8 within three years.

What are you trying to do? What is the overall plan here? Are you
trying to capture the system state at a point where you think things are
not healthy? If so, then the right answer is to call KeBugCheckEx to
force a blue screen. That will capture everything.

Are you trying to do some kind of progressive checkpoint? If so, then
system dumps are not the right way to do that. You need to have a
custom mechanism.

Are you trying to do tracing of a live driver? If so, then a live
windbg session is way more productive than a bunch of mini dumps.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

Hi Don Burn, thanks, I already knew that; only a limited set of kernel APIs can be used in the “bug check reason callbacks”.

And Tim, thanks. What I want to do is, before the BSOD, get the minidump and send it to our server (I hook KeBugCheckEx). Currently everything is OK: I can send the bug check code and bug check parameters through NDIS TDI, but for the minidump (that's about 64KB), I need to find a way to get it, either through an API or by preparing the raw file myself.

And have you heard of winaoe? It's a kind of httpdisk or ramdisk; it treats an image on a server as a local disk. If you put the OS into that image, the local computer does not need a hard disk; it can boot from that network disk.

But when the system crashes, since it's a virtual disk, files are not saved, so I need to capture the minidump myself and send it to our server for analysis. So after considering lots of reasons, the most efficient way is to get the minidump ourselves. I have been making this product for around ten years and need ways to track the problems and make it more robust.

Thanks,

“make it more robust” and hooking APIs are polar opposites.

d

debt from my phone


From: xxxxx@gmail.com
Sent: 7/12/2012 6:29 PM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] Programally get minidump from Kernel


Hi Doron, thanks. After finding the reason, I can remove the hook, but under the current conditions it's a good way to track the problem.

Guys from Microsoft should have wide knowledge; can you give some suggestions if I want to know what happens when I input the “.dump” command in windbg? Should I debug windbg? Or perhaps I can find the extension DLL where “.dump” is included and reverse engineer it. I'm just curious about the technical details behind it.


If your winaoe is ATA-over-Ethernet then you may want to investigate how some of the iSCSI drivers approach the problem. You mention ramdisk though so maybe your winaoe is something else? Assuming it is an AoE driver, does your AoE driver run over NDIS or do you poke at the network adapter directly (e.g. custom network adapter PCI ID that loads your driver and exposes a storport miniport to Windows instead of an NDIS miniport)?

I think that current versions of Windows with iSCSI running on top of NDIS can do crash dump, so maybe there is a way to run NDIS in ‘crashdump’ mode… I find that unlikely though as I have seen no mention of NDIS drivers being written with the expectation that they might be called within the limitations of the dump environment.

James

You can easily attach windbg to the instance of windbg running .dump and step through it.

d

debt from my phone


From: xxxxx@gmail.com
Sent: 7/12/2012 7:23 PM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] Programally get minidump from Kernel


What I now hear is “I need to send the minidump to a server”. This is a
far cry from “I need to invoke a minidump programmatically”.

Also, since the goal is to get the minidump to the server, why is it that
you have fastened onto the idea that to get the minidump to the server you
have to cause it to be written to the server disk by the kernel minidump
logic?

I would have approached it by writing a system service that, when it
started up, enumerated all the files in the minidump directory. Then, when
it finds one that is newer than its last run, it copies it over to the
server, probably in a directory of the form computername\minidumpfile.

After doing this, the service can shut down.

This can be coded as a system service in fewer hours than this discussion
of how to do it at kernel level has consumed.
joe
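As an added example (not joe's code, and not from any project in this thread), here is the user-mode collector he describes, written in Python so that it runs anywhere: it scans the dump directory for *.dmp files newer than the previous run, checks the file header before shipping anything, copies the survivors under a computername folder below the server root, and only then advances the last-run marker. The directory names, the JSON state file and the sample dump contents are assumptions constructed for the demo; on a real client the dump directory is %SystemRoot%\Minidump and the state file lives wherever the service keeps its data. The header check relies on the signatures Windows uses at offset 0: PAGEDUMP or PAGEDU64 for kernel dumps and MDMP for user-mode minidumps.

```python
"""Ship crash dumps that appeared since the last run to a per-computer
folder on a server share: the user-mode service approach, not a kernel one."""
import json
import os
import shutil
import socket
import tempfile
import time

# Magic at offset 0 of Windows dump files: kernel dumps written by the crash
# dump path start with PAGEDUMP (32-bit) or PAGEDU64 (64-bit); user-mode
# minidumps from MiniDumpWriteDump start with MDMP. Anything else is not a
# dump and is not worth uploading.
DUMP_SIGNATURES = (b"PAGEDUMP", b"PAGEDU64", b"MDMP")


def looks_like_dump(path):
    """Cheap sanity check on the file header before copying it anywhere."""
    with open(path, "rb") as f:
        head = f.read(8)
    return any(head.startswith(sig) for sig in DUMP_SIGNATURES)


def load_last_run(state_file):
    """Timestamp of the previous successful run, or 0.0 on the first run."""
    try:
        with open(state_file) as f:
            return float(json.load(f)["last_run"])
    except (OSError, ValueError, KeyError, TypeError):
        return 0.0


def collect_new_dumps(dump_dir, server_root, state_file, computer=None):
    """Copy every *.dmp in dump_dir newer than the last run into
    server_root/<computer>/ and record this run's start time.
    Returns the names of the files copied."""
    computer = computer or socket.gethostname()
    last_run = load_last_run(state_file)
    started = time.time()          # recorded at the start so nothing written during the run is lost
    dest_dir = os.path.join(server_root, computer)
    os.makedirs(dest_dir, exist_ok=True)
    copied = []
    for name in sorted(os.listdir(dump_dir)):
        src = os.path.join(dump_dir, name)
        if not (name.lower().endswith(".dmp") and os.path.isfile(src)):
            continue
        if os.path.getmtime(src) <= last_run:
            continue               # already handled by an earlier run
        if not looks_like_dump(src):
            continue               # a .dmp by name only; do not ship it
        shutil.copy2(src, os.path.join(dest_dir, name))   # copy2 keeps the mtime
        copied.append(name)
    with open(state_file, "w") as f:   # advance the marker only after the copies succeeded
        json.dump({"last_run": started}, f)
    return copied


def demo():
    """Run the collector against a constructed dump directory and return
    (copied on first run, copied on second run, files now on the 'server')."""
    now = time.time()
    with tempfile.TemporaryDirectory() as tmp:
        dump_dir = os.path.join(tmp, "Minidump")   # stands in for %SystemRoot%\Minidump
        server = os.path.join(tmp, "server")       # stands in for the share
        state = os.path.join(tmp, "collector.json")
        os.makedirs(dump_dir)
        # constructed sample files: a dump an earlier run already uploaded, a fresh
        # dump, a fresh file with a .dmp name but no dump header, and a non-dump file
        samples = {
            "Mini070112-01.dmp": (b"PAGEDUMP" + bytes(120), now - 3600),
            "Mini071312-02.dmp": (b"PAGEDUMP" + bytes(120), now - 10),
            "garbage.dmp":       (b"hello world", now - 10),
            "notes.txt":         (b"PAGEDUMP", now - 10),
        }
        for name, (content, mtime) in samples.items():
            path = os.path.join(dump_dir, name)
            with open(path, "wb") as f:
                f.write(content)
            os.utime(path, (mtime, mtime))
        with open(state, "w") as f:
            json.dump({"last_run": now - 1800}, f)   # pretend a run happened 30 minutes ago
        first = collect_new_dumps(dump_dir, server, state, computer="CLIENT01")
        second = collect_new_dumps(dump_dir, server, state, computer="CLIENT01")
        uploaded = sorted(os.listdir(os.path.join(server, "CLIENT01")))
    return first, second, uploaded


if __name__ == "__main__":
    print(demo())
```

The marker is written only after the copies have succeeded, so a run that dies halfway (share unreachable, disk full) repeats the same files next time instead of silently losing them, and the header check keeps a stray file with a .dmp name from being treated as a crash dump on the server.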


Hi James, thanks, you're correct: it's ATA-over-Ethernet and it runs on NDIS; our client OS is Windows XP. Are you sure it can save the minidump to the server image (.iso) automatically? The architecture is complicated; I have asked the person who designed that part, and he said it cannot.

Doron, thanks, so I would try to debug windbg (which is debugging an OS under a virtual machine) and see if I can get some useful information.

Best regards,
Zhen Hua

I am not sure about your requirements for sending whatever to wherever,

but if you are going to take the route of writing a minidump from
user mode, the windbg SDK offers a good API to do that and you possibly don't
have to muck with the raw dump file format. Take a look below.


DEBUG MODE HACKERY CODE JUST GLANCE AND ADAPT NO ERROR CHECKING NO
WARRANTIES ? GUARANTIES ? WHATSOEVER OFFERED USES SHITTY PROGRAMMING
STYLE / SPITS OUT HEX FOR ERRORS IF ANY and can CRASH YOUR PC IN
UNDEFINABLE WAYS READER BEWARE FIX IT YOURSELF CRAP FOLLOWS

kohlwritedump:\>wmic process get Commandline /format:list | grep -i cmd
CommandLine="C:\WINDOWS\system32\cmd.exe" /k C:\WinDDK\7600.16385.1\bin\setenv.bat C:\WinDDK\7600.16385.1\ fre x86 WXP
CommandLine=grep -i cmd

kohlwritedump:\>dir /b
makefile
prebuild.bat
sources
WriteDump.cpp

kohlwritedump:\>type WriteDump.cpp
// Write a small kernel dump of the running system from a plain user-mode exe
// through DbgEng's IDebugClient::WriteDumpFile, the same engine windbg uses.
// Local kernel attach only works when the machine was booted with kernel
// debugging enabled (/debug in boot.ini on XP); link against dbgeng.lib.
#include <stdio.h>
#include <engextcpp.hpp>   // pulls in windows.h and dbgeng.h

int __cdecl main(void)
{
    IDebugClient*  g_Client  = NULL;
    IDebugControl* g_Control = NULL;
    HRESULT        status;

    printf("Trying to Call DbgEng Functions\n"
           "IDebugClient::WriteDumpFile Method\n"
           "From An Exe Not From Windbg\n"
           "Attaching To Kernel to Dump a Dump\n");

    // Create the debugger client object.
    status = DebugCreate(__uuidof(IDebugClient), (void**)&g_Client);
    if (FAILED(status)) {
        printf("DebugCreate Returned %x\n", status);
        return 1;
    }

    // The control interface is needed to wait for the attach to complete.
    status = g_Client->QueryInterface(__uuidof(IDebugControl), (void**)&g_Control);
    if (FAILED(status)) {
        printf("QueryInterface Returned %x\n", status);
        g_Client->Release();
        return 1;
    }

    // Attach to the local kernel (what "windbg -kl" does).
    status = g_Client->AttachKernel(DEBUG_ATTACH_LOCAL_KERNEL, NULL);
    if (SUCCEEDED(status)) {
        // Block until the session is established before asking for a dump.
        status = g_Control->WaitForEvent(0, INFINITE);
    }
    if (SUCCEEDED(status)) {
        // DEBUG_DUMP_SMALL = minidump; the backslash must be escaped in C.
        status = g_Client->WriteDumpFile("c:\\kohlyang_test.dmp", DEBUG_DUMP_SMALL);
    }

    printf("WriteDumpFile Method Returned %x\n", status);

    g_Control->Release();
    g_Client->Release();
    return 0;
}
kohlwritedump:\>prebuild.bat
BUILD: Compile and Link for x86
BUILD: Start time: Fri Jul 13 11:25:21 2012

Linking Executable - objfre_wxp_x86\i386\writedump.exe
BUILD: Finish time: Fri Jul 13 11:25:22 2012
BUILD: Done

3 files compiled
1 executable built

kohlwritedump:\>objfre_wxp_x86\i386\WriteDump.exe
Trying to Call DbgEng Functions
IDebugClient::WriteDumpFile Method
From An Exe Not From Windbg
Attaching To Kernel to Dump a Dump
WriteDumpFile Method Returned 0

kohlwritedump:\>dumpchk c:\kohlyang_test.dmp
Loading dump file c:\kohlyang_test.dmp

Microsoft (R) Windows Debugger Version 6.12.0002.633 X86
Copyright (c) Microsoft Corporation. All rights reserved.

Loading Dump File [c:\kohlyang_test.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: SRV*F:\symbols*http://msdl.microsoft.com/download/symbols

Executable search path is:
Windows XP Kernel Version 2600 (Service Pack 3) UP Free x86 compatible
Product: WinNt
Built by: 2600.xpsp_sp3_gdr.100216-1514
Machine Name:
Kernel base = 0x804d7000 PsLoadedModuleList = 0x80554040
Debug session time: Fri Jul 13 11:25:43.453 2012 (UTC + 5:30)
System Uptime: 0 days 3:45:12.019
Loading Kernel Symbols
Loading User Symbols
Loading unloaded module list

Exception Analysis

Use !analyze -v to get detailed debugging information.

kohlwritedump:\>

On 7/13/12, xxxxx@gmail.com wrote:

Have you heard of Boot From SAN? It's a requirement to support crashdump
and hibernation (note that as an exception, msiscsi can't do
hibernation) for a BFS driver. It can be done by
a) implementing the SAN miniport driver as a standard hardware storport
miniport driver
b) or if a) is not possible (i.e. the virtual miniport sits on a home-brew bus
driver), providing your own crashdump driver that writes crash dumps and
hibernation files.

None of your proposed ways will work at production level. It may be fun to
play with, though.

Calvin