Ru-Board.club

» Analyzing a dmp file in Windows

Author: s800
Posted: 21.12.2007 03:10
Good afternoon. Today the system threw a BSOD. I made a full memory dump and decided to analyze the error with the DUMPEXAM utility:
C:\dumpexam -y с:\winnt\symbols с:\winnt\memory.dmp
The file memory.txt was created, but it is empty (size 0 bytes).
I downloaded the symbols library from here.
Please advise.

P.S. I ran an integrity check on the file; dumpchk showed that the file is not corrupted.


[more] D:\>damp\dumpchk

Filename . . . . . . .C:\WINNT\MEMORY.DMP
Signature. . . . . . .PAGE
ValidDump. . . . . . .DUMP
MajorVersion . . . . .free system
MinorVersion . . . . .2195
DirectoryTableBase . .0x00030000
PfnDataBase. . . . . .0x818d7000
PsLoadedModuleList . .0x804814c0
PsActiveProcessHead. .0x80482f48
MachineImageType . . .i386
NumberProcessors . . .1
BugCheckCode . . . . .0x0000007f
BugCheckParameter1 . .0x00000008
BugCheckParameter2 . .0x00000000
BugCheckParameter3 . .0x00000000
BugCheckParameter4 . .0x00000000

ExceptionCode. . . . .0x80000003
ExceptionFlags . . . .0x00000001
ExceptionAddress . . .0x80466d69

NumberOfRuns . . . . .0x5
NumberOfPages. . . . .0xff7c
Run #1
BasePage . . . . . .0x1
PageCount. . . . . .0x1f
Run #2
BasePage . . . . . .0x21
PageCount. . . . . .0x1f
Run #3
BasePage . . . . . .0x50
PageCount. . . . . .0x4f
Run #4
BasePage . . . . . .0x100
PageCount. . . . . .0xeff
Run #5
BasePage . . . . . .0x1000
PageCount. . . . . .0xeff0


**************
**************--> Validating the integrity of the PsLoadedMo
**************
validating ntoskrnl.exe 0x80400000 0x0019cb40
validating hal.dll 0x80062000 0x00014100
validating BOOTVID.dll 0xed410000 0x00003000
validating ACPI.sys 0xbffd8000 0x00028000
validating WMILIB.SYS 0xed5c8000 0x00001000
validating pci.sys 0xed000000 0x0000f000
validating isapnp.sys 0xed010000 0x0000c000
validating pciide.sys 0xed5c9000 0x00001000
validating PCIIDEX.SYS 0xed280000 0x00006000
validating MountMgr.sys 0xed288000 0x00008000
validating ftdisk.sys 0xbffbb000 0x0001d000
validating Diskperf.sys 0xed500000 0x00002000
validating dmload.sys 0xed502000 0x00002000
validating dmio.sys 0xbff99000 0x00022000
validating PartMgr.sys 0xed414000 0x00003000
validating IdeBusDr.sys 0xed418000 0x00004000
validating atapi.sys 0xbff83000 0x00016000
validating IdeChnDr.sys 0xbff6b000 0x00018000
validating disk.sys 0xed290000 0x00008000
validating CLASSPNP.SYS 0xed020000 0x00009000
validating fltmgr.sys 0xbff49000 0x00022000
validating KSecDD.sys 0xbff37000 0x00012000
validating Ntfs.sys 0xbfeb9000 0x0007e000
validating NDIS.sys 0xbfe8f000 0x0002a000
validating Mup.sys 0xbfe79000 0x00016000
validating kl1.sys 0xbfe5d000 0x0001c000
validating TDI.SYS 0xed41c000 0x00004000
validating agp440.sys 0xed298000 0x00006000
validating VIDEOPRT.SYS 0xed050000 0x0000d000
validating nv4_mini.sys 0xbfd60000 0x000dd000
validating USBD.SYS 0xed398000 0x00005000
validating uhcd.sys 0xed380000 0x00008000
validating USBPORT.SYS 0xbfd3e000 0x00022000
validating usbehci.sys 0xed3a8000 0x00005000
validating DLKRTS.SYS 0xed3d8000 0x00006000
validating i8042prt.sys 0xed060000 0x0000c000
validating mouclass.sys 0xed3f8000 0x00006000
validating anvosdnt.sys 0xbfcef000 0x0004f000
validating kbdclass.sys 0xed2e8000 0x00006000
validating fdc.sys 0xed300000 0x00007000
validating serial.sys 0xed070000 0x00010000
validating serenum.sys 0xed48c000 0x00004000
validating parport.sys 0xed320000 0x00007000
validating gameenum.sys 0xed494000 0x00003000
validating cdrom.sys 0xed330000 0x00007000
validating KS.SYS 0xbfc07000 0x0001e000
validating portcls.sys 0xbfc25000 0x00025000
validating ALCXWDM.SYS 0xbfc4a000 0x000a5000
validating klim5.sys 0xed3c0000 0x00008000
validating audstub.sys 0xed5ed000 0x00001000
validating RootMdm.sys 0xed50e000 0x00002000
validating Modem.SYS 0xed3d0000 0x00008000
validating rasl2tp.sys 0xed080000 0x0000d000
validating ndistapi.sys 0xed4a8000 0x00003000
validating ndiswan.sys 0xbfbc8000 0x00017000
validating raspptp.sys 0xed090000 0x0000c000
validating ptilink.sys 0xed2b0000 0x00005000
validating raspti.sys 0xed2c0000 0x00005000
validating parallel.sys 0xed0a0000 0x0000f000
validating swenum.sys 0xed5f8000 0x00001000
validating update.sys 0xbfb9d000 0x0002b000
validating usbhub.sys 0xed0c0000 0x0000a000
validating usbhub20.sys 0xed0d0000 0x0000d000
validating flpydisk.sys 0xed340000 0x00005000
validating NDProxy.SYS 0xed0f0000 0x0000a000
validating EFS.SYS 0xed358000 0x00007000
validating Fs_Rec.SYS 0xed51c000 0x00002000
validating Null.SYS 0xed607000 0x00001000
validating Beep.SYS 0xed609000 0x00001000
validating vga.sys 0xed4d4000 0x00004000
validating mnmdd.SYS 0xed60c000 0x00001000
validating Msfs.SYS 0xed378000 0x00006000
validating Npfs.SYS 0xed100000 0x00009000
validating rasacd.sys 0xed524000 0x00002000
validating tcpip.sys 0xbeb06000 0x0004f000
validating msgpc.sys 0xed130000 0x00009000
validating wanarp.sys 0xed2d8000 0x00008000
validating netbt.sys 0xbeadb000 0x0002b000
validating netbios.sys 0xed140000 0x00009000
validating anvioctl.sys 0xbeaaf000 0x0002c000
validating rdbss.sys 0xbda82000 0x0002d000
validating mrxsmb.sys 0xbda06000 0x0006a000
validating klif.sys 0xbd9c7000 0x0003f000
validating Fastfat.SYS 0xbd97c000 0x00023000
validating dump_IdeChnDr.sys 0xbd964000 0x00018000
validating win32k.sys 0xa0000000 0x0018f000
validating nv4_disp.dll 0xb939d000 0x000c1000
validating ANV4DISP.DLL 0xb9048000 0x00355000
validating ANVMINI.DLL 0xbfbdf000 0x00003000

**************
**************--> Performing a complete check (^C to end)
**************
**************
**************--> Validating all physical addresses
**************
**************
**************--> Validating all virtual addresses
**************
**************
**************--> This dump file is good!
[/more]
Author: Cheery
Posted: 21.12.2007 03:32
s800
What can be used to "read" a minidump?
What can be used to read a W2K dump???
and so on and so forth... but clearly not in this section
Author: Asmodeus74
Posted: 02.11.2008 10:31
Good day.
I ran into a blue screen in Vista.
I read the dump with Debugging Tools for Windows from Microsoft.

Can you help me understand what my problem is?



Microsoft (R) Windows Debugger Version 6.9.0003.113 X86
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [C:\MEMORY.DMP]
Kernel Summary Dump File: Only kernel address space is available

Symbol search path is: *** Invalid ***
****************************************************************************
* Symbol loading may be unreliable without a symbol search path. *
* Use .symfix to have the debugger choose a symbol path. *
* After setting your symbol path, use .reload to refresh symbol locations. *
****************************************************************************
Executable search path is:
*********************************************************************
* Symbols can not be loaded because symbol path is not initialized. *
* *
* The Symbol Path can be set by: *
* using the _NT_SYMBOL_PATH environment variable. *
* using the -y <symbol_path> argument when starting the debugger. *
* using .sympath and .sympath+ *
*********************************************************************
*** ERROR: Symbol file could not be found. Defaulted to export symbols for ntkrpamp.exe -
Windows Server 2008 Kernel Version 6001 (Service Pack 1) MP (2 procs) Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 6001.18000.x86fre.longhorn_rtm.080118-1840
Kernel base = 0x81c17000 PsLoadedModuleList = 0x81d2ec70
Debug session time: Sat Nov 1 22:37:03.643 2008 (GMT+3)
System Uptime: 0 days 0:07:54.346
*********************************************************************
* Symbols can not be loaded because symbol path is not initialized. *
* *
* The Symbol Path can be set by: *
* using the _NT_SYMBOL_PATH environment variable. *
* using the -y <symbol_path> argument when starting the debugger. *
* using .sympath and .sympath+ *
*********************************************************************
*** ERROR: Symbol file could not be found. Defaulted to export symbols for ntkrpamp.exe -
Loading Kernel Symbols
..............................................................................................................................................................
Loading User Symbols
PEB is paged out (Peb.Ldr = 7ffdc00c). Type ".hh dbgerr001" for details
Loading unloaded module list
.......
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 8E, {c0000005, 81e3615e, 83b1892c, 0}

*** ERROR: Module load completed but symbols could not be loaded for hdbca.sys
***** Kernel symbols are WRONG. Please fix symbols to do analysis.

Page 5c7ff not present in the dump file. Type ".hh dbgerr004" for details
*************************************************************************
*** ***
*** ***
*** Your debugger is not using the correct symbols ***
*** ***
*** In order for this command to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: nt!_KPRCB ***
*** ***
*************************************************************************
*************************************************************************
*** ***
*** ***
*** Your debugger is not using the correct symbols ***
*** ***
*** In order for this command to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: nt!_KPRCB ***
*** ***
*************************************************************************
*************************************************************************
*** ***
*** ***
*** Your debugger is not using the correct symbols ***
*** ***
*** In order for this command to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: nt!_KPRCB ***
*** ***
*************************************************************************
*********************************************************************
* Symbols can not be loaded because symbol path is not initialized. *
* *
* The Symbol Path can be set by: *
* using the _NT_SYMBOL_PATH environment variable. *
* using the -y <symbol_path> argument when starting the debugger. *
* using .sympath and .sympath+ *
*********************************************************************
*********************************************************************
* Symbols can not be loaded because symbol path is not initialized. *
* *
* The Symbol Path can be set by: *
* using the _NT_SYMBOL_PATH environment variable. *
* using the -y <symbol_path> argument when starting the debugger. *
* using .sympath and .sympath+ *
*********************************************************************
Probably caused by : hdbca.sys ( hdbca+129b3 )

Followup: MachineOwner
---------

0: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

KERNEL_MODE_EXCEPTION_NOT_HANDLED (8e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Some common problems are exception code 0x80000003. This means a hard
coded breakpoint or assertion was hit, but this system was booted
/NODEBUG. This is not supposed to happen as developers should never have
hardcoded breakpoints in retail code, but ...
If this happens, make sure a debugger gets connected, and the
system is booted /DEBUG. This will let us see why this breakpoint is
happening.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: 81e3615e, The address that the exception occurred at
Arg3: 83b1892c, Trap Frame
Arg4: 00000000

Debugging Details:
------------------

***** Kernel symbols are WRONG. Please fix symbols to do analysis.

Page 5c7ff not present in the dump file. Type ".hh dbgerr004" for details
*************************************************************************
*** ***
*** ***
*** Your debugger is not using the correct symbols ***
*** ***
*** In order for this command to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: nt!_KPRCB ***
*** ***
*************************************************************************
*************************************************************************
*** ***
*** ***
*** Your debugger is not using the correct symbols ***
*** ***
*** In order for this command to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: nt!_KPRCB ***
*** ***
*************************************************************************
*************************************************************************
*** ***
*** ***
*** Your debugger is not using the correct symbols ***
*** ***
*** In order for this command to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: nt!_KPRCB ***
*** ***
*************************************************************************
*********************************************************************
* Symbols can not be loaded because symbol path is not initialized. *
* *
* The Symbol Path can be set by: *
* using the _NT_SYMBOL_PATH environment variable. *
* using the -y <symbol_path> argument when starting the debugger. *
* using .sympath and .sympath+ *
*********************************************************************
*********************************************************************
* Symbols can not be loaded because symbol path is not initialized. *
* *
* The Symbol Path can be set by: *
* using the _NT_SYMBOL_PATH environment variable. *
* using the -y <symbol_path> argument when starting the debugger. *
* using .sympath and .sympath+ *
*********************************************************************

MODULE_NAME: hdbca

FAULTING_MODULE: 81c17000 nt

DEBUG_FLR_IMAGE_TIMESTAMP: 46e7b03c

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - <Unable to get error code text>

FAULTING_IP:
nt!RtlMapGenericMask+2ed
81e3615e f00fba2800 lock bts dword ptr [eax],0

TRAP_FRAME: 83b1892c -- (.trap 0xffffffff83b1892c)
ErrCode = 00000002
eax=0000000c ebx=00000000 ecx=0000000c edx=8583e950 esi=89251848 edi=00000000
eip=81e3615e esp=83b189a0 ebp=83b189b4 iopl=0 nv up ei ng nz ac pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010296
nt!RtlMapGenericMask+0x2ed:
81e3615e f00fba2800 lock bts dword ptr [eax],0 ds:0023:0000000c=????????
Resetting default scope

DEFAULT_BUCKET_ID: WRONG_SYMBOLS

BUGCHECK_STR: 0x8E

LAST_CONTROL_TRANSFER: from 81c4d5a0 to 81ce4163

STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
83b184ec 81c4d5a0 0000008e c0000005 81e3615e nt!KeBugCheckEx+0x1e
83b188bc 81c6f63a 83b188d8 00000000 83b1892c nt!ExfReleasePushLockShared+0xaa4
83b18944 81e5eaa2 99097ca0 83b18a01 00000001 nt!Kei386EoiHelper+0x1d2
83b189b4 81e36252 83b189d8 00020008 83b18a70 nt!SeUnlockSubjectContext+0x1105
83b189d0 81e5e666 00000000 83b189fc 83b18a70 nt!RtlMapGenericMask+0x3e1
83b18a30 81e27602 00000001 99097ca0 00000000 nt!SeUnlockSubjectContext+0xcc9
83b18b20 81e1f9eb 99097ca0 00000000 00000000 nt!ObOpenObjectByPointer+0xbc
83b18b8c 81e241bb 80004a34 00020008 00000000 nt!NtOpenProcessTokenEx+0xb4
83b18ba8 81c6ea7a 80004a34 00020008 83b18c48 nt!NtOpenProcessToken+0x16
83b18bbc 81c6cfc5 badb0d00 83b18c34 81008a61 nt!ZwQueryLicenseValue+0xc02
83b18c50 82bc79b3 83b18c78 80004a34 81d1913c nt!ZwOpenProcessToken+0x11
83b18d18 82bc74cd 81d1913c 866b9f08 86344480 hdbca+0x129b3
83b18d30 81e3323b 92c3a8d8 86344480 89251848 hdbca+0x124cd
83b18d44 81c4f41d 86344480 00000000 89251848 nt!LpcRequestPort+0x525
83b18d7c 81deca1c 86344480 9702fe4f 00000000 nt!KeQuerySystemTime+0x14d
83b18dc0 81c45a3e 81c4f320 80000001 00000000 nt!RtlDestroyAtomTable+0x4fe
00000000 00000000 00000000 00000000 00000000 nt!RtlSubAuthorityCountSid+0x3c4


STACK_COMMAND: kb

FOLLOWUP_IP:
hdbca+129b3
82bc79b3 8b9560ffffff mov edx,dword ptr [ebp-0A0h]

SYMBOL_STACK_INDEX: b

SYMBOL_NAME: hdbca+129b3

FOLLOWUP_NAME: MachineOwner

IMAGE_NAME: hdbca.sys

BUCKET_ID: WRONG_SYMBOLS

Followup: MachineOwner
---------
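
For triage of output like the log above, the following added example (not code from the thread or from Microsoft's tools) parses the `BugCheck` line and the `STACK_TEXT` section and reports the first stack frame outside the kernel image. The function names, the `kernel_modules` default and the trimmed sample are assumptions of this example; the heuristic is a simplification, not the debugger's own analysis logic.

```python
import re

# Lines copied from the kd output in the post above, trimmed to what the parser reads.
SAMPLE = """\
BugCheck 8E, {c0000005, 81e3615e, 83b1892c, 0}
***** Kernel symbols are WRONG. Please fix symbols to do analysis.
STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
83b184ec 81c4d5a0 0000008e c0000005 81e3615e nt!KeBugCheckEx+0x1e
83b18bbc 81c6cfc5 badb0d00 83b18c34 81008a61 nt!ZwQueryLicenseValue+0xc02
83b18c50 82bc79b3 83b18c78 80004a34 81d1913c nt!ZwOpenProcessToken+0x11
83b18d18 82bc74cd 81d1913c 866b9f08 86344480 hdbca+0x129b3
83b18d30 81e3323b 92c3a8d8 86344480 89251848 hdbca+0x124cd
83b18d44 81c4f41d 86344480 00000000 89251848 nt!LpcRequestPort+0x525

STACK_COMMAND: kb
"""

BUGCHECK_RE = re.compile(r"^BugCheck ([0-9A-Fa-f]+), \{([^}]*)\}", re.M)
# Five 32-bit hex words (ChildEBP, RetAddr, three args), then module[!symbol][+0xoffset].
FRAME_RE = re.compile(r"^(?:[0-9a-f]{8} ){5}([\w.]+)(?:!([^+\s]+))?(?:\+0x([0-9a-f]+))?$")

def parse_bugcheck(text):
    """Return (code, [args]) from the 'BugCheck XX, {...}' line."""
    m = BUGCHECK_RE.search(text)
    if not m:
        raise ValueError("no BugCheck line found")
    return int(m.group(1), 16), [int(a, 16) for a in m.group(2).split(",")]

def parse_stack(text):
    """Return [(module, symbol_or_None, offset)] from STACK_TEXT, innermost frame first."""
    frames, in_stack = [], False
    for line in text.splitlines():
        if line.startswith("STACK_TEXT:"):
            in_stack = True
        elif in_stack:
            m = FRAME_RE.match(line.strip())
            if m:
                frames.append((m.group(1), m.group(2), int(m.group(3) or "0", 16)))
            elif frames:  # first non-frame line after the frames ends the section
                break
    return frames

def triage(text, kernel_modules=("nt", "hal")):
    code, args = parse_bugcheck(text)
    frames = parse_stack(text)
    # First frame outside the kernel image; for this log it matches "Probably caused by".
    suspect = next(((m, off) for m, _, off in frames if m not in kernel_modules), None)
    # With export-only symbols the names after 'nt!' are nearest exports, not real functions.
    trusted = "symbols are WRONG" not in text and "WRONG_SYMBOLS" not in text
    return {"bugcheck": code, "args": args, "suspect": suspect, "symbols_trusted": trusted}

if __name__ == "__main__":
    print(triage(SAMPLE))
```

When `symbols_trusted` is false, treat only the module name and offset as usable and re-run the analysis after setting a symbol path, as the debugger banner itself instructs.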



Forum Ru-Board.club: brought online on 15-09-2016. The goal is to preserve the legacy of the old Ru-Board and the history of how the Russian internet took shape. Made for people.