I have a kernel memory crash dump file that I want to analyze.
I have all of the proper symbol files and the latest version
of WinDbg. Unfortunately, when I open the dump file in WinDbg
it fails, outputting the text below. Any idea why WinDbg would
fail?
============================
Loading Dump File [D:\dumps\craig1\MEMORY.DMP]
Kernel Summary Dump File: Only kernel address space is available
Microsoft (R) Windows 2000 Kernel Debugger
Version 3.0.0007.0
Copyright (c) Microsoft Corporation. All rights reserved.
Loaded dbghelp extension DLL
Loaded ext extension DLL
Loaded kext extension DLL
Loaded kdextx86 extension DLL
Symbol search path is: d:\dumps\craig1
Executable search path is: d:\dumps\craig1
PsLoadedModuleList not initialized yet. Delay kernel load.
KdDebuggerDataBlock not available !
KdDebuggerData.KernBase < g_SystemRangeStart
Windows 2000 Kernel Version 2195 MP (2 procs) Free x86 compatible
Kernel base = 0x00000000 PsLoadedModuleList = 0x80480320
Debug session time: Tue May 08 22:20:03 2001
System Uptime: 0 days 3:53:48
PsLoadedModuleList not initialized yet. Delay kernel load.
KdDebuggerDataBlock not available !
KdDebuggerData.KernBase < g_SystemRangeStart
Loading Kernel Symbols
PsLoadedModuleList not initialized yet. Delay kernel load.
StackTrace failed
You are currently subscribed to ntdev as: $subst(‘Recip.EmailAddr’)
To unsubscribe send a blank email to leave-ntdev-$subst(‘Recip.MemberIDChar’)@lists.osr.com
Same here, I am unable to analyze memory dump files using the latest
debuggers. The dump files that I am trying are NT4 dump files. W2K dump
files may work I don’t know.
----- Original Message -----
From: “Nate Bushman”
To: “NT Developers Interest List”
Sent: Wednesday, May 09, 2001 8:54 AM
Subject: [ntdev] WinDbg fails to analyze crash dump file…
> I have a kernel memory crash dump file that I want to analyze.
> I have all of the proper symbol files and the latest version
> of WinDbg. Unfortunately, when I open the dump file in WinDbg
> it fails, outputting the text below. Any idea why WinDbg would
> fail?
>
> ============================
>
> Loading Dump File [D:\dumps\craig1\MEMORY.DMP]
> Kernel Summary Dump File: Only kernel address space is available
>
>
> Microsoft (R) Windows 2000 Kernel Debugger
> Version 3.0.0007.0
> Copyright (c) Microsoft Corporation. All rights reserved.
>
> Loaded dbghelp extension DLL
> Loaded ext extension DLL
> Loaded kext extension DLL
> Loaded kdextx86 extension DLL
> Symbol search path is: d:\dumps\craig1
> Executable search path is: d:\dumps\craig1
> PsLoadedModuleList not initialized yet. Delay kernel load.
> KdDebuggerDataBlock not available !
> KdDebuggerData.KernBase < g_SystemRangeStart
> Windows 2000 Kernel Version 2195 MP (2 procs) Free x86 compatible
> Kernel base = 0x00000000 PsLoadedModuleList = 0x80480320
> Debug session time: Tue May 08 22:20:03 2001
> System Uptime: 0 days 3:53:48
> PsLoadedModuleList not initialized yet. Delay kernel load.
> KdDebuggerDataBlock not available !
> KdDebuggerData.KernBase < g_SystemRangeStart
> Loading Kernel Symbols
> PsLoadedModuleList not initialized yet. Delay kernel load.
> StackTrace failed
>
> —
> You are currently subscribed to ntdev as: xxxxx@hotmail.com
> To unsubscribe send a blank email to leave-ntdev-$subst(‘Recip.MemberIDChar’)@lists.osr.com
>
—
You are currently subscribed to ntdev as: $subst(‘Recip.EmailAddr’)
To unsubscribe send a blank email to leave-ntdev-$subst(‘Recip.MemberIDChar’)@lists.osr.com
Andre Vachon responded to this question on
nntp://microsoft.public.ddk.win2000.debugging
Here’s what he had to say:
It’s because the dump file is corrupt.
dump files are not 100% guaranteed to be valid as
they are generated while a system is crashing.
It’s possible for things to get cloberred in the OS
in such a way that the resulting dump file can not be
analyzed. For example, if PsLoadedModuleList, or other
key data structures get corrupted (they are in pool
afterall) then we won’t be able to look at those data
structures in the dump.
-Andre
-----Original Message-----
From: Noman Smith [mailto:xxxxx@hotmail.com]
Sent: Thursday, May 10, 2001 11:32 AM
To: NT Developers Interest List
Subject: [ntdev] Re: WinDbg fails to analyze crash dump file…
Same here, I am unable to analyze memory dump files using the latest
debuggers. The dump files that I am trying are NT4 dump files. W2K dump
files may work I don’t know.
----- Original Message -----
From: “Nate Bushman”
To: “NT Developers Interest List”
Sent: Wednesday, May 09, 2001 8:54 AM
Subject: [ntdev] WinDbg fails to analyze crash dump file…
> I have a kernel memory crash dump file that I want to analyze.
> I have all of the proper symbol files and the latest version
> of WinDbg. Unfortunately, when I open the dump file in WinDbg
> it fails, outputting the text below. Any idea why WinDbg would
> fail?
>
> ============================
>
> Loading Dump File [D:\dumps\craig1\MEMORY.DMP]
> Kernel Summary Dump File: Only kernel address space is available
>
>
> Microsoft (R) Windows 2000 Kernel Debugger
> Version 3.0.0007.0
> Copyright (c) Microsoft Corporation. All rights reserved.
>
> Loaded dbghelp extension DLL
> Loaded ext extension DLL
> Loaded kext extension DLL
> Loaded kdextx86 extension DLL
> Symbol search path is: d:\dumps\craig1
> Executable search path is: d:\dumps\craig1
> PsLoadedModuleList not initialized yet. Delay kernel load.
> KdDebuggerDataBlock not available !
> KdDebuggerData.KernBase < g_SystemRangeStart
> Windows 2000 Kernel Version 2195 MP (2 procs) Free x86 compatible
> Kernel base = 0x00000000 PsLoadedModuleList = 0x80480320
> Debug session time: Tue May 08 22:20:03 2001
> System Uptime: 0 days 3:53:48
> PsLoadedModuleList not initialized yet. Delay kernel load.
> KdDebuggerDataBlock not available !
> KdDebuggerData.KernBase < g_SystemRangeStart
> Loading Kernel Symbols
> PsLoadedModuleList not initialized yet. Delay kernel load.
> StackTrace failed
>
> —
> You are currently subscribed to ntdev as: xxxxx@hotmail.com
> To unsubscribe send a blank email to leave-ntdev-$subst(‘Recip.MemberIDChar’)@lists.osr.com
>
—
You are currently subscribed to ntdev as: xxxxx@legato.com
To unsubscribe send a blank email to leave-ntdev-$subst(‘Recip.MemberIDChar’)@lists.osr.com
—
You are currently subscribed to ntdev as: $subst(‘Recip.EmailAddr’)
To unsubscribe send a blank email to leave-ntdev-$subst(‘Recip.MemberIDChar’)@lists.osr.com
Use Dumpchk to check the dump file if you have not done so already.
From the DDK docs:
–> Validating a Crash Dump with DumpChk
Run the DumpChk tool to check the validity of the dump file. If the file
passes the test, you can use one of the debuggers to analyze it for the
source of the error. If the dump file fails the DumpChk validity test,
any results derived from debugger analysis are unreliable.
-----Original Message-----
From: Nate Bushman [mailto:xxxxx@Legato.com]
Sent: Wednesday, May 09, 2001 8:54 AM
To: NT Developers Interest List
Subject: [ntdev] WinDbg fails to analyze crash dump file…
I have a kernel memory crash dump file that I want to
analyze. I have all of the proper symbol files and the latest
version of WinDbg. Unfortunately, when I open the dump file
in WinDbg it fails, outputting the text below. Any idea why
WinDbg would fail?
============================
Loading Dump File [D:\dumps\craig1\MEMORY.DMP]
Kernel Summary Dump File: Only kernel address space is available
Microsoft (R) Windows 2000 Kernel Debugger
Version 3.0.0007.0
Copyright (c) Microsoft Corporation. All rights reserved.
Loaded dbghelp extension DLL
Loaded ext extension DLL
Loaded kext extension DLL
Loaded kdextx86 extension DLL
Symbol search path is: d:\dumps\craig1
Executable search path is: d:\dumps\craig1
PsLoadedModuleList not initialized yet. Delay kernel load.
KdDebuggerDataBlock not available ! KdDebuggerData.KernBase <
g_SystemRangeStart Windows 2000 Kernel Version 2195 MP (2
procs) Free x86 compatible Kernel base = 0x00000000
PsLoadedModuleList = 0x80480320 Debug session time: Tue May
08 22:20:03 2001 System Uptime: 0 days 3:53:48
PsLoadedModuleList not initialized yet. Delay kernel load.
KdDebuggerDataBlock not available ! KdDebuggerData.KernBase <
g_SystemRangeStart Loading Kernel Symbols PsLoadedModuleList
not initialized yet. Delay kernel load. StackTrace failed
You are currently subscribed to ntdev as: xxxxx@microsoft.com
To unsubscribe send a blank email to leave-ntdev-$subst(‘Recip.MemberIDChar’)@lists.osr.com
You are currently subscribed to ntdev as: $subst(‘Recip.EmailAddr’)
To unsubscribe send a blank email to leave-ntdev-$subst(‘Recip.MemberIDChar’)@lists.osr.com