When did the crash occur?

I’m looking at a WinDbg crash dump and it occurred to me that a very basic
piece of information is missing: When did the crash occur?

The information that WinDbg gives tells me:

(1) How long the system was running; but not when the system started.

(2) When the debugging session started.

I also know from the time stamp on the memory.dmp file when the memory.dmp
file was created.

Last night I had a crash. I was asleep. The memory.dmp file was created
several hours later.

All of the above information is insufficient to tell me when the crash
actually occurred.

There’s gotta be a way.

Ralph Shnelvar

How does the time of day give you any valuable information (other than
perhaps how long it took before the system crashed)? I’m sorry, but I don’t
see why someone at microsoft should spend time adding this to the
dump-file. If you know that your system time is correct, then you can
calculate when it happened from the “how long the system was up” anyways,
assuming you’re aware of when the system started (and you can get that from
the event log of the machine if nothing else).


Mats

xxxxx@lists.osr.com wrote on 02/09/2005 04:08:44 PM:

> I’m looking at a WinDbg crash dump and it occurred to me that a very basic
> piece of information is missing: When did the crash occur?
>
> The information that WinDbg gives tells me:
>
> (1) How long the system was running; but not when the system started.
>
> (2) When the debugging session started.
>
> I also know from the time stamp on the memory.dmp file when the memory.dmp
> file was created.
>
> Last night I had a crash. I was asleep. The memory.dmp file was created
> several hours later.
>
> All of the above information is insufficient to tell me when the crash
> actually occurred.
>
> There’s gotta be a way.
>
> Ralph Shnelvar

Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as: xxxxx@3dlabs.com
To unsubscribe send a blank email to xxxxx@lists.osr.com


I always use !lastlivetime but there are no doubt other ways to achieve
the same thing.

Regards,

Tony

Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc.
http://www.osr.com

Looking forward to seeing you at the Next OSR File Systems Class April
4, 2005 in Boston!

Mats PETERSSON wrote:

> How does the time of day give you any valuable information (other than
> perhaps how long it took before the system crashed)? I’m sorry, but I don’t
> see why someone at microsoft should spend time adding this to the
> dump-file.

I disagree. When you’re chasing one of those crashes that only happens
in an overnight run, it would often be quite handy to know the wall
clock time of the crash. Theoretically, you are correct that I could
compute the time from the system up time and the last reboot time, but
that assumes the operating system is operational at the time of the
analysis. If I’m live in the kernel debugger the next morning, it isn’t
as easy.

The system already knows this information. We’re talking about one
extra dword to hold the wall clock time. A trivial effort on their part
could eliminate a somewhat difficult manual operation.

Dear Tony:

On Wed, 9 Feb 2005 11:32:21 -0500, you wrote:

>I always use !lastlivetime but there are no doubt other ways to achieve
>the same thing.

Is that some sort of custom extension? It doesn’t seem to exist on my
version of WinDbg.

Regards,

Ralph Shnelvar

.time works for me…

1: kd> .time
Debug session time: Tue Feb 8 14:57:21.987 2005 (GMT-5)
System Uptime: 0 days 19:13:53.078

/simgr

>How does the time of day give you any valuable information (other than
>perhaps how long it took before the system crashed)? I’m sorry, but I don’t
>see why someone at microsoft should spend time adding this to the
>dump-file.

Having spent more of my life than I should have in an OS development group analyzing mainframe OS dumps, I can tell you that having the time of the crash was a GREAT help. Sometimes we’d get 3-4 dumps in a row from a user, and 3 of the 4 would either be trash because they had done something really stupid (like clearing memory before taking the memory dump), and the 4th one would show some problem, but not at all what the bug with the dump described. Often we would discover that the dump submitted with the console output or system log info (or even their statement of when the crash occurred) didn’t match at all. Like off by days, or sometimes even months.

Users can manage some really stupid things when it comes to collecting bug documentation. The more ways you can cross-check the info, the better chance you have of not wasting three days trying to develop a believable scenario for how the information in the dump can possibly match the other submitted documentation, so that you can figure out what is going wrong. That answer to how the dump info can match the other stuff? It can’t, they had an old program dump lying around the mail room from two months before, and the operator figured it would be easier to attach that one to the package than print off the new dump info. (I kid you not.)

Loren

I know that it is at least included in kdex2x86.dll (distributed with
Windbg). Of course, it only works on NT systems, I haven’t found the XP
equivalent to this dll yet. !kdex2x86.lastlivetime will work or you can
just load the dll first.

Pat

I normally just copy the DLL from the w2kfre to winxp directories; there
are several commands (relating to the thread and process structures,
which changed sizes between W2K and WXP) that are not reliable, but most
commands still are. I’ve always preferred the !list implementation in
kdex2x86, and the !stack command simplifies the stack walking process
considerably.

Regards,

Tony

Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc.
http://www.osr.com

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Pat Bell
Sent: Saturday, February 12, 2005 9:28 PM
To: ntdev redirect
Subject: Re:[ntdev] When did the crash occur?

I know that it is at least included in kdex2x86.dll (distributed with
Windbg). Of course, it only works on NT systems, I haven’t found the XP
equivalent to this dll yet. !kdex2x86.lastlivetime will work or you can
just load the dll first.

Pat

The debug session time reported by .time is the time stored in the dump that
indicates when the dump was created. There shouldn’t be much of a delay
between that time and the time the crash occurred.

W2KSP3 example:
0: kd> .time
Debug session time: Tue Jul 09 03:24:46 2002
System Uptime: 0 days 0:01:02.312
0: kd> !w2kfre\kdex2x86.lastlivetime
Tuesday, July 09 2002, 10:24:46 AM (GMT)
Tuesday, July 09 2002, 03:24:46 AM (Local Time)

----- Original Message -----
From: “Tony Mason”
To: “Windows System Software Devs Interest List”
Sent: Sunday, February 13, 2005 6:22 AM
Subject: RE: [ntdev] When did the crash occur?

I normally just copy the DLL from the w2kfre to winxp directories; there
are several commands (relating to the thread and process structures,
which changed sizes between W2K and WXP) that are not reliable, but most
commands still are. I’ve always preferred the !list implementation in
kdex2x86, and the !stack command simplifies the stack walking process
considerably.

Regards,

Tony

Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc.
http://www.osr.com

On Sun, 13 Feb 2005 09:02:05 -0800, you wrote:

>The debug session time reported by .time is the time stored in the dump that
>indicates when the dump was created. There shouldn’t be much of a delay
>between that time and the time the crash occurred.

The time the dump is created may be several hours or days after the crash
occurred. Just think of a crash that happens when you are asleep and the
system does not automatically reboot.

Ralph Shnelvar
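
Added example, not written by anyone in this thread: it parses the two `.time` outputs quoted in the thread, derives the boot time as debug session time minus system uptime, and looks for that boot time among boot times taken from the machine's event log, which is the cross-check the replies argue over. The event-log values, the five-minute tolerance and all function names are constructed for illustration, and every time is treated as the dump's local time.

```python
import re
from datetime import datetime, timedelta

# Month names are mapped by hand so parsing does not depend on the locale.
MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}

SESSION_RE = re.compile(
    r"Debug session time:\s+\w{3}\s+(?P<mon>\w{3})\s+(?P<day>\d{1,2})\s+"
    r"(?P<h>\d{1,2}):(?P<m>\d{2}):(?P<s>\d{2})(?:\.(?P<frac>\d{1,3}))?\s+"
    r"(?P<year>\d{4})")
UPTIME_RE = re.compile(
    r"System Uptime:\s+(?P<d>\d+) days\s+"
    r"(?P<h>\d{1,2}):(?P<m>\d{2}):(?P<s>\d{2})(?:\.(?P<frac>\d{1,3}))?")

# The two outputs as they appear in the thread (with and without milliseconds
# and GMT offset on the session line).
SAMPLE_XP = """1: kd> .time
Debug session time: Tue Feb 8 14:57:21.987 2005 (GMT-5)
System Uptime: 0 days 19:13:53.078"""
SAMPLE_W2K = """0: kd> .time
Debug session time: Tue Jul 09 03:24:46 2002
System Uptime: 0 days 0:01:02.312"""

# Constructed boot times, standing in for what the event log would show.
EVENT_LOG_BOOTS = [datetime(2004, 12, 7, 8, 0, 0),
                   datetime(2005, 2, 7, 19, 43, 40)]


def _micros(frac):
    """Turn an optional fractional-seconds field ('987', '9') into microseconds."""
    return int(frac.ljust(3, "0")) * 1000 if frac else 0


def parse_time_output(text):
    """Return (session_time, uptime) parsed from pasted `.time` output."""
    s, u = SESSION_RE.search(text), UPTIME_RE.search(text)
    if not s or not u or s["mon"] not in MONTHS:
        raise ValueError("no usable 'Debug session time' / 'System Uptime' pair")
    session = datetime(int(s["year"]), MONTHS[s["mon"]], int(s["day"]),
                       int(s["h"]), int(s["m"]), int(s["s"]), _micros(s["frac"]))
    uptime = timedelta(days=int(u["d"]), hours=int(u["h"]), minutes=int(u["m"]),
                       seconds=int(u["s"]), microseconds=_micros(u["frac"]))
    return session, uptime


def boot_time(text):
    """Boot time implied by the dump: session time minus uptime."""
    session, uptime = parse_time_output(text)
    return session - uptime


def match_boot(text, recorded_boots, tolerance=timedelta(minutes=5)):
    """Return the recorded boot this dump belongs to, or None if none matches.

    None means the dump and the other evidence describe different boot
    sessions, so the dump should not be trusted as documentation of them.
    """
    derived = boot_time(text)
    for recorded in recorded_boots:
        if abs(recorded - derived) <= tolerance:
            return recorded
    return None


if __name__ == "__main__":
    for name, sample in (("XP", SAMPLE_XP), ("W2K", SAMPLE_W2K)):
        print(name, "boot:", boot_time(sample),
              "matched:", match_boot(sample, EVENT_LOG_BOOTS))
```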
