.dmp analysis

  • .dmp analysis

    To all,

    I am trying to interpret this .dmp file that was created when I received the BSOD, but the analysis is inconclusive. I am using Windows Debugger with the latest symbol files. The debugger points to Ntoskrnl.exe and svchost.exe (one of them, I guess), so the crash happened during kernel mode. If someone could help me extrapolate useful info from the debugger to determine exactly why it occurred, I would appreciate it.

    EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".

    FAULTING_IP:
    nt!ExpAllocateHandleTableEntry+1be
    80566d34 8b4904 mov ecx,dword ptr [ecx+4]

    TRAP_FRAME: b8b37964 -- (.trap 0xffffffffb8b37964)
    ErrCode = 00000000
    eax=e135e6f0 ebx=e135e6d4 ecx=00000000 edx=00000004 esi=81f3eb80 edi=00000000
    eip=80566d34 esp=b8b379d8 ebp=b8b379fc iopl=0 nv up ei pl zr na pe nc
    cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010246
    nt!ExpAllocateHandleTableEntry+0x1be:
    80566d34 8b4904 mov ecx,dword ptr [ecx+4] ds:0023:00000004=????????
    Resetting default scope

    DEFAULT_BUCKET_ID: DRIVER_FAULT

    BUGCHECK_STR: 0x8E

    PROCESS_NAME: svchost.exe

    LAST_CONTROL_TRANSFER: from 8051d6a7 to 8053331e

    STACK_TEXT:
    b8b3752c 8051d6a7 0000008e c0000005 80566d34 nt!KeBugCheckEx+0x1b
    b8b378f4 804df235 b8b37910 00000000 b8b37964 nt!KiDispatchException+0x3b1
    b8b3795c 804df1e6 b8b379fc 80566d34 badb0d00 nt!CommonDispatchException+0x4d
    b8b37988 80576125 00000312 00000000 00000023 nt!KiExceptionExit+0x18a
    b8b379fc 80566dd1 e135e6c0 b8b37a14 00000000 nt!RtlpNewSecurityObject+0x821
    b8b37a18 80564138 e135e6c0 b8b37a4c 8219f318 nt!ExCreateHandle+0x19
    b8b37a6c 80564383 00000000 f8ce6020 00000000 nt!ObpCreateHandle+0x3f7
    b8b37b6c 8057af5c f8ce6020 b8b37b98 00000000 nt!ObInsertObject+0x346
    b8b37cc4 8057b2a3 009aec18 001f03ff 00000000 nt!PspCreateThread+0x618
    b8b37d3c 804de7ec 009aec18 001f03ff 00000000 nt!NtCreateThread+0x118
    b8b37d3c 7c90eb94 009aec18 001f03ff 00000000 nt!KiFastCallEntry+0xf8
    WARNING: Frame IP not in any known module. Following frames may be wrong.
    009aefc8 00000000 00000000 00000000 00000000 0x7c90eb94


    STACK_COMMAND: kb

    FOLLOWUP_IP:
    nt!ExpAllocateHandleTableEntry+1be
    80566d34 8b4904 mov ecx,dword ptr [ecx+4]

    SYMBOL_STACK_INDEX: 0

    FOLLOWUP_NAME: MachineOwner

    MODULE_NAME: nt

    IMAGE_NAME: ntoskrnl.exe

    DEBUG_FLR_IMAGE_TIMESTAMP: 42250ff9

    SYMBOL_NAME: nt!ExpAllocateHandleTableEntry+1be

    FAILURE_BUCKET_ID: 0x8E_nt!ExpAllocateHandleTableEntry+1be

    BUCKET_ID: 0x8E_nt!ExpAllocateHandleTableEntry+1be
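
Added example, not part of the original post or of WinDbg: a small Python triage helper that reads the TRAP_FRAME lines pasted above, recomputes the address the faulting `mov` touched from the saved registers, and decodes `ErrCode` as an x86 page-fault error code. The function name `triage`, the 64 KB NULL-region threshold and the page-fault interpretation of `ErrCode` are assumptions of this example.

```python
import re

# Constructed input: trap-frame lines copied from the !analyze output in the post.
SAMPLE = """\
ErrCode = 00000000
eax=e135e6f0 ebx=e135e6d4 ecx=00000000 edx=00000004 esi=81f3eb80 edi=00000000
eip=80566d34 esp=b8b379d8 ebp=b8b379fc iopl=0 nv up ei pl zr na pe nc
80566d34 8b4904 mov ecx,dword ptr [ecx+4] ds:0023:00000004=????????
"""

REG = re.compile(r"\b(eax|ebx|ecx|edx|esi|edi|eip|esp|ebp)=([0-9a-f]{8})\b")
ERR = re.compile(r"ErrCode\s*=\s*([0-9a-f]+)", re.I)
# Only the simple [base] / [base+disp] / [base-disp] form is handled here.
MEM = re.compile(r"\[(e[a-z]{2})(?:([+-])([0-9a-f]+)h?)?\]", re.I)
# Address WinDbg prints after the operand, e.g. ds:0023:00000004=????????
SHOWN = re.compile(r"\b[c-gs]s:[0-9a-f]{4}:([0-9a-f]{8})=")
NULL_REGION = 0x10000  # assumption: treat the lowest 64 KB as the NULL-pointer region


def triage(text):
    """Return facts about the faulting memory access in a 32-bit trap frame."""
    regs = {name: int(val, 16) for name, val in REG.findall(text)}
    err, mem = ERR.search(text), MEM.search(text)
    if not (err and mem) or mem.group(1).lower() not in regs:
        raise ValueError("trap frame is missing ErrCode, registers or a memory operand")
    base, sign, disp = mem.group(1).lower(), mem.group(2), mem.group(3)
    offset = int(disp, 16) if disp else 0
    ea = (regs[base] + (-offset if sign == "-" else offset)) & 0xFFFFFFFF
    shown = SHOWN.search(text)
    code = int(err.group(1), 16)  # x86 page-fault error code, assuming a page-fault trap
    return {
        "base": base,
        "ea": ea,
        "matches_debugger": int(shown.group(1), 16) == ea if shown else None,
        "page_present": bool(code & 1),                 # bit 0: 0 = page not present
        "access": "write" if code & 2 else "read",     # bit 1: 1 = write
        "mode": "user" if code & 4 else "kernel",      # bit 2: 1 = user mode
        "null_deref": ea < NULL_REGION,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

For the frame in the post this reports a kernel-mode read of a not-present page at address 4, reached through `ecx`, which held zero when the instruction ran.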

  • #2
    Re: .dmp analysis

    Here's a pretty good discussion on analyzing DMP files:

    http://forums.petri.com/showthread.p...ghlight=windbg

    WinDbg is about the easiest tool I know to make sense of the DMP file.
    Cheers,

    Rick

    ** Remember to give credit where credit is due and leave reputation points where appropriate **

    2006-2099 R Valstar. This post is offered "as is" for discussion purposes only with no express or implied warranty of any kind including, but not limited to, correctness or fitness for use. Nothing herein shall be construed as advice. Attempting any activity based on information in this post is done at your own risk.
