How to analyze memory dumps on Windows 8


How to prepare the computer for dump analysis.

1 – Download the Windows 8 SDK package. The "Debugging Tools for Windows" are part of the SDK. Download link: http://msdn.microsoft.com/en-US/windows/hardware/hh852363

2 – Do a custom installation of the SDK. In the "Select the features you want to install" window, keep only the "Debugging Tools for Windows" option selected. That package is 73.9 MB.

3 – Open WinDbg (x64) or WinDbg (x86), matching the bitness of the Windows you are running the debugger on. Microsoft's guidance on choosing the version: http://msdn.microsoft.com/en-us/library/windows/hardware/ff539099(v=VS.85).aspx

4 – In the "File" menu, click "Symbol File Path…" and enter "SRV*c:\Dados\Symbols*http://msdl.microsoft.com/download/symbols". C:\Dados\Symbols is the local folder the symbols are downloaded to (the cache), and http://msdl.microsoft.com/download/symbols is Microsoft's public symbol server. Without a symbol path the debugger cannot resolve addresses in the stack to module and function names, and the analysis below would be much less useful.


How to do a first-pass analysis:

1 – In WinDbg, click "File" and choose "Open Crash Dump…"

The following output appears in the WinDbg window. This step can take a while, because the symbols have to be downloaded first. For this dump, 23 MB of symbols were needed.

Microsoft (R) Windows Debugger Version 6.2.9200.16384 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.

Loading Dump File [C:82712-25038-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: SRV*c:\Dados\Symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows 7 Kernel Version 7600 MP (4 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 7600.17017.amd64fre.win7_gdr.120503-2030
Machine Name:
Kernel base = 0xfffff800`03652000 PsLoadedModuleList = 0xfffff800`0388ee70
Debug session time: Mon Aug 27 16:06:30.467 2012 (UTC - 3:00)
System Uptime: 0 days 0:00:31.496
Loading Kernel Symbols
………………………………………………………
……………………………………………………….
…………
Loading User Symbols
Loading unloaded module list
….
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 116, {fffffa8005198420, fffff8800ffb74d4, 0, 2}

Unable to load image \SystemRoot\system32\DRIVERS\nvlddmkm.sys, Win32 error 0n2
*** WARNING: Unable to verify timestamp for nvlddmkm.sys
*** ERROR: Module load completed but symbols could not be loaded for nvlddmkm.sys
*** WARNING: Unable to verify timestamp for win32k.sys
*** ERROR: Module load completed but symbols could not be loaded for win32k.sys
Probably caused by : nvlddmkm.sys ( nvlddmkm+19e4d4 )

Followup: MachineOwner
---------

From the information above we can already tell that the crash is being attributed to the "nvlddmkm.sys" driver. Note that "Probably caused by" is the analyzer's best guess, not proof: it blames the module that owns the faulting address. The WARNING/ERROR lines just before it mean the debugger could not download symbols for those modules, which is normal for a third-party driver; the module is still identified from its load address.

For a more detailed analysis, click the "!analyze -v" link (or type it at the kd> prompt); the output below appears.


2: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

VIDEO_TDR_FAILURE (116)
Attempt to reset the display driver and recover from timeout failed.
Arguments:
Arg1: fffffa8005198420, Optional pointer to internal TDR recovery context (TDR_RECOVERY_CONTEXT).
Arg2: fffff8800ffb74d4, The pointer into responsible device driver module (e.g. owner tag).
Arg3: 0000000000000000, Optional error code (NTSTATUS) of the last failed operation.
Arg4: 0000000000000002, Optional internal context dependent data.

Debugging Details:
------------------

FAULTING_IP:
nvlddmkm+19e4d4
fffff880`0ffb74d4 4883ec28        sub     rsp,28h

DEFAULT_BUCKET_ID:  GRAPHICS_DRIVER_TDR_FAULT

CUSTOMER_CRASH_COUNT:  1

BUGCHECK_STR:  0x116

PROCESS_NAME:  System

CURRENT_IRQL:  0

STACK_TEXT: 
fffff880`04dbe988 fffff880`040e5000 : 00000000`00000116 fffffa80`05198420 fffff880`0ffb74d4 00000000`00000000 : nt!KeBugCheckEx
fffff880`04dbe990 fffff880`040e4d0a : fffff880`0ffb74d4 fffffa80`05198420 fffffa80`06383d50 fffffa80`06381010 : dxgkrnl!TdrBugcheckOnTimeout+0xec
fffff880`04dbe9d0 fffff880`0418bf07 : fffffa80`05198420 00000000`00000000 fffffa80`06383d50 fffffa80`06381010 : dxgkrnl!TdrIsRecoveryRequired+0x1a2
fffff880`04dbea00 fffff880`041b5b75 : 00000000`ffffffff 00000000`0000064d 00000000`00000000 00000000`00000002 : dxgmms1!VidSchiReportHwHang+0x40b
fffff880`04dbeae0 fffff880`041b42bb : 00000000`00000102 00000000`00000006 00000000`0000064d 00000000`00000000 : dxgmms1!VidSchiCheckHwProgress+0x71
fffff880`04dbeb10 fffff880`041872c6 : ffffffff`ff676980 fffffa80`06381010 00000000`00000000 00000000`00000000 : dxgmms1!VidSchiWaitForSchedulerEvents+0x1fb
fffff880`04dbebb0 fffff880`041b3e7a : 00000000`00000000 00000000`0000000f 00000000`00000080 fffffa80`04c66c68 : dxgmms1!VidSchiScheduleCommandToRun+0x1da
fffff880`04dbecc0 fffff800`039616e6 : 00000000`03e7b656 fffffa80`063e7060 fffffa80`03cce040 fffffa80`063e7060 : dxgmms1!VidSchiWorkerThread+0xba
fffff880`04dbed00 fffff800`036a0566 : fffff800`0383be80 fffffa80`063e7060 fffff800`03849c40 fffff880`0142e2b4 : nt!PspSystemThreadStartup+0x5a
fffff880`04dbed40 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KxStartSystemThread+0x16

STACK_COMMAND:  .bugcheck ; kb

FOLLOWUP_IP:
nvlddmkm+19e4d4
fffff880`0ffb74d4 4883ec28        sub     rsp,28h

SYMBOL_NAME:  nvlddmkm+19e4d4

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: nvlddmkm

IMAGE_NAME:  nvlddmkm.sys

DEBUG_FLR_IMAGE_TIMESTAMP:  4fb20748

FAILURE_BUCKET_ID:  X64_0x116_IMAGE_nvlddmkm.sys

BUCKET_ID:  X64_0x116_IMAGE_nvlddmkm.sys

Followup: MachineOwner
---------

Searching bing.com for the file "nvlddmkm.sys" shows that it is the NVIDIA display driver, which has many blue-screen reports. That fits the bugcheck: 0x116 (VIDEO_TDR_FAILURE) means the GPU stopped responding and Windows' Timeout Detection and Recovery could not reset the display driver within the allowed time.

Suggestion: update the driver!
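The four preparation steps and the `!analyze -v` pass above can be scripted, so that a folder of minidumps is triaged without clicking through the GUI. The following is an added example written for this page, not code from the post: it drives cdb.exe (the command-line debugger installed by the same "Debugging Tools for Windows" feature) with the post's symbol path, then parses the report into the handful of fields a triage list needs (bugcheck code and name, arguments, blamed module, call stack, and modules whose timestamp could not be verified). The cdb install path is an assumption, and the embedded sample report is a trimmed copy of the output shown above, so the parser can be tried without a dump file or a debugger installed.

```python
"""Headless triage of Windows kernel dumps: run cdb.exe on a dump and parse
its '!analyze -v' report into a dictionary.  Added example; not from the post."""
import re
import subprocess
from typing import Dict, List

# The symbol server string the post enters under File > Symbol File Path.
# The local cache folder C:\Dados\Symbols is the post's own choice.
SYMBOL_PATH = r"SRV*c:\Dados\Symbols*http://msdl.microsoft.com/download/symbols"

# Assumed install location of the Windows 8 SDK debuggers (x64 host).
CDB_EXE = r"C:\Program Files (x86)\Windows Kits\8.0\Debuggers\x64\cdb.exe"

# 'NAME:  value' report lines worth keeping; MODULE_NAME/IMAGE_NAME is the verdict.
FIELDS = ("BUGCHECK_STR", "PROCESS_NAME", "MODULE_NAME", "IMAGE_NAME",
          "FAILURE_BUCKET_ID")

_BUGCHECK_RE = re.compile(r"^BugCheck ([0-9A-Fa-f]+), \{([^}]*)\}", re.M)
_STOP_NAME_RE = re.compile(r"^([A-Z][A-Z0-9_]+) \([0-9A-Fa-f]+\)$", re.M)
_CAUSE_RE = re.compile(r"^Probably caused by : (\S+)", re.M)
_UNVERIFIED_RE = re.compile(r"Unable to verify timestamp for (\S+)")
_FIELD_RE = re.compile(r"^([A-Z_]+):[ \t]+(.+?)[ \t]*$", re.M)

# Trimmed copy of the report shown in the post, so the parser can be tried
# without a dump file or a debugger installed.
SAMPLE_REPORT = """\
BugCheck 116, {fffffa8005198420, fffff8800ffb74d4, 0, 2}
*** WARNING: Unable to verify timestamp for nvlddmkm.sys
*** ERROR: Module load completed but symbols could not be loaded for nvlddmkm.sys
*** WARNING: Unable to verify timestamp for win32k.sys
Probably caused by : nvlddmkm.sys ( nvlddmkm+19e4d4 )

VIDEO_TDR_FAILURE (116)
BUGCHECK_STR:  0x116
PROCESS_NAME:  System
STACK_TEXT:
fffff880`04dbe988 fffff880`040e5000 : 00000000`00000116 fffffa80`05198420 : nt!KeBugCheckEx
fffff880`04dbe990 fffff880`040e4d0a : fffff880`0ffb74d4 fffffa80`05198420 : dxgkrnl!TdrBugcheckOnTimeout+0xec
fffff880`04dbed40 00000000`00000000 : 00000000`00000000 00000000`00000000 : nt!KxStartSystemThread+0x16

MODULE_NAME: nvlddmkm
IMAGE_NAME:  nvlddmkm.sys
FAILURE_BUCKET_ID:  X64_0x116_IMAGE_nvlddmkm.sys
"""


def analyze_dump(dump_path: str, cdb_exe: str = CDB_EXE,
                 symbol_path: str = SYMBOL_PATH) -> str:
    """Run cdb non-interactively on one dump and return its text output.
    -z opens a crash dump, -y is the command-line form of the Symbol File Path
    dialog, -c runs the commands; the trailing 'q' quits instead of waiting at kd>."""
    cmd = [cdb_exe, "-z", dump_path, "-y", symbol_path, "-c", "!analyze -v; q"]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


def _stack_symbols(report: str) -> List[str]:
    """Return the module!symbol column of STACK_TEXT, innermost frame first."""
    frames: List[str] = []
    in_stack = False
    for line in report.splitlines():
        if line.startswith("STACK_TEXT:"):
            in_stack = True
            continue
        if in_stack:
            if not line.strip():
                break
            # frame layout: child-sp ret-addr : args ... : module!symbol+offset
            frames.append(line.rsplit(" : ", 1)[-1].strip())
    return frames


def parse_analyze(report: str) -> Dict[str, object]:
    """Extract what a triage list needs from '!analyze -v' output."""
    out: Dict[str, object] = {}
    m = _BUGCHECK_RE.search(report)
    if m:
        out["bugcheck_code"] = m.group(1)
        out["args"] = [a.strip() for a in m.group(2).split(",")]
    m = _STOP_NAME_RE.search(report)
    out["bugcheck_name"] = m.group(1) if m else None
    m = _CAUSE_RE.search(report)
    out["probably_caused_by"] = m.group(1) if m else None
    for name, value in _FIELD_RE.findall(report):
        if name in FIELDS:
            out[name] = value
    # Modules whose timestamp could not be checked against the symbol server.
    # Normal for a third-party driver with no public symbols; for a Microsoft
    # image it deserves a second look (private hotfix or modified binary). Heuristic only.
    seen: List[str] = []
    for mod in _UNVERIFIED_RE.findall(report):
        if mod not in seen:
            seen.append(mod)
    out["unverified_modules"] = seen
    out["stack"] = _stack_symbols(report)
    return out


if __name__ == "__main__":
    print(parse_analyze(SAMPLE_REPORT))
```

On a machine with the debuggers installed, `parse_analyze(analyze_dump(r"C:\Windows\Minidump\example.dmp"))` gives the same dictionary for a real dump; looping it over every `.dmp` in that folder and grouping on `FAILURE_BUCKET_ID` quickly shows whether a fleet is hitting one driver or several. The `unverified_modules` list is only a prompt for a closer look, not evidence of tampering by itself.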
