Sample Minidumps (Memory Dumps)

Discussion in 'Software' started by Adrynalyne, Jun 23, 2004.

  1. Adrynalyne

    Adrynalyne Guest

    I had a PM requesting to post some sample minidumps.

    The zip file contains two:

    Mini030404-01.dmp is a dump created from a crash I had on shutdown back a few months ago.

    The stop code was 0x86427532, no filenames were mentioned.

    http://www.majorgeeks.com/vb/showthread.php?t=26803&goto=nextnewest

    --This was the thread that started it all.

    Check online, you will find that there are no real documented solutions for what causes the error, except here :D

    Even the internal MS KB says nothing of it.

    Goldfish and I (He had the same error) had our suspicions, but the debug provided the proof:

    http://majorgeeks.com/vb/showthread.php?t=32284


    Your debug output should look like below. If you get errors, or it looks different, check your symbols path.



    Microsoft (R) Windows Debugger Version 6.3.0017.0
    Copyright (c) Microsoft Corporation. All rights reserved.


    Loading Dump File [C:\Documents and Settings\Jeremy\Desktop\Mini030404-01.dmp]
    Mini Kernel Dump File: Only registers and stack trace are available

    Symbol search path is: srv*c:\symbols*http://msdl.microsoft.com/download/symbols
    Executable search path is:
    Windows XP Kernel Version 2600 (Service Pack 1) UP Free x86 compatible
    Product: WinNt, suite: TerminalServer SingleUserTS
    Built by: 2600.xpsp2.030422-1633
    Kernel base = 0x804d4000 PsLoadedModuleList = 0x80543530
    Debug session time: Thu Mar 04 10:20:12 2004
    System Uptime: 0 days 0:09:10.390
    Loading Kernel Symbols
    ..........................................................................................................................
    Loading unloaded module list
    ........
    Loading User Symbols
    *******************************************************************************
    * *
    * Bugcheck Analysis *
    * *
    *******************************************************************************

    Use !analyze -v to get detailed debugging information.

    BugCheck 86427532, {1db, 2, 3, b}

    Unable to load image pavdrv51.sys, Win32 error 2
    *** WARNING: Unable to verify timestamp for pavdrv51.sys
    *** ERROR: Module load completed but symbols could not be loaded for pavdrv51.sys
    Probably caused by : pavdrv51.sys ( pavdrv51+7fc0 )

    Followup: MachineOwner
    ---------

    kd> !analyze -v
    *******************************************************************************
    * *
    * Bugcheck Analysis *
    * *
    *******************************************************************************

    Unknown bugcheck code (86427532)
    Unknown bugcheck description
    Arguments:
    Arg1: 000001db
    Arg2: 00000002
    Arg3: 00000003
    Arg4: 0000000b

    Debugging Details:
    ------------------


    CUSTOMER_CRASH_COUNT: 1

    DEFAULT_BUCKET_ID: DRIVER_FAULT

    BUGCHECK_STR: 0x86427532

    LAST_CONTROL_TRANSFER: from f3e41fc0 to 804f4103

    STACK_TEXT:
    afaab964 f3e41fc0 86427532 000001db 00000002 nt!KeBugCheckEx+0x19
    WARNING: Stack unwind information not available. Following frames may be wrong.
    afaabba0 f3e4220b 860eb8b0 f3e45cf0 00000000 pavdrv51+0x7fc0
    afaabc34 804ea221 86338030 861bf890 806ad190 pavdrv51+0x820b
    afaabc44 8055d0fe 861bf900 861322f0 861bf890 nt!IopfCallDriver+0x31
    afaabc58 8055de46 86338030 861bf890 861322f0 nt!IopSynchronousServiceTail+0x5e
    afaabd00 80556cea 000000a0 00000000 00000000 nt!IopXxxControlFile+0x5c2
    afaabd34 8052d571 000000a0 00000000 00000000 nt!NtDeviceIoControlFile+0x28
    afaabd34 7ffe0304 000000a0 00000000 00000000 nt!KiSystemService+0xc4
    00cdff70 00000000 00000000 00000000 00000000 SharedUserData!SystemCallStub+0x4


    FOLLOWUP_IP:
    pavdrv51+7fc0
    f3e41fc0 ?? ???

    SYMBOL_STACK_INDEX: 1

    FOLLOWUP_NAME: MachineOwner

    SYMBOL_NAME: pavdrv51+7fc0

    MODULE_NAME: pavdrv51

    IMAGE_NAME: pavdrv51.sys

    DEBUG_FLR_IMAGE_TIMESTAMP: 3e8c072b

    STACK_COMMAND: kb

    BUCKET_ID: 0x86427532_pavdrv51+7fc0

    Followup: MachineOwner
    ---------


    The second memory dump (nick.dmp) is my aunt's computer, that my cousin keeps crashing ;)

    The stop error was 0XC0000218 Registry_File_Failure

    The debug looks like this:


    Microsoft (R) Windows Debugger Version 6.3.0017.0
    Copyright (c) Microsoft Corporation. All rights reserved.


    Loading Dump File [C:\Documents and Settings\Jeremy\Desktop\nick.dmp]
    Mini Kernel Dump File: Only registers and stack trace are available

    Symbol search path is: srv*c:\symbols*http://msdl.microsoft.com/download/symbols
    Executable search path is:
    Windows XP Kernel Version 2600 (Service Pack 1) UP Free x86 compatible
    Product: WinNt, suite: TerminalServer SingleUserTS
    Built by: 2600.xpsp2.030422-1633
    Kernel base = 0x804d4000 PsLoadedModuleList = 0x80543530
    Debug session time: Fri Jun 11 10:22:46 2004
    System Uptime: 0 days 0:00:24.187
    Loading Kernel Symbols
    .................................................
    Loading unloaded module list

    Loading User Symbols
    *******************************************************************************
    * *
    * Bugcheck Analysis *
    * *
    *******************************************************************************

    Use !analyze -v to get detailed debugging information.

    BugCheck C0000218, {e144c418, 0, 0, 0}

    Probably caused by : ntoskrnl.exe ( nt!ExRaiseHardError+13c )

    Followup: MachineOwner
    ---------

    kd> !analyze -v
    *******************************************************************************
    * *
    * Bugcheck Analysis *
    * *
    *******************************************************************************

    Unknown bugcheck code (c0000218)
    Unknown bugcheck description
    Arguments:
    Arg1: e144c418
    Arg2: 00000000
    Arg3: 00000000
    Arg4: 00000000

    Debugging Details:
    ------------------


    BUGCHECK_STR: 0xc0000218

    ERROR_CODE: (NTSTATUS) 0xc0000218 - {Registry File Failure} The registry cannot load the hive (file): %hs or its log or alternate. It is corrupt, absent, or not writable.

    DEFAULT_BUCKET_ID: DRIVER_FAULT

    LAST_CONTROL_TRANSFER: from 8062be87 to 804f4103

    STACK_TEXT:
    f96f0870 8062be87 0000004c c0000218 f96f09d4 nt!KeBugCheckEx+0x19
    f96f0a20 805e9f96 c0000218 00000001 00000001 nt!ExpSystemErrorHandler+0x44c
    f96f0bcc 805ea21c c0000218 00000001 00000001 nt!ExpRaiseHardError+0x9a
    f96f0c3c 805fb94c c0000218 00000001 00000001 nt!ExRaiseHardError+0x13c
    f96f0dac 805aa2b6 00000000 00000000 00000000 nt!CmpLoadHiveThread+0x16a
    f96f0ddc 805319c6 805fb7e2 00000001 00000000 nt!PspSystemThreadStartup+0x34
    00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16


    FOLLOWUP_IP:
    nt!ExRaiseHardError+13c
    805ea21c 837dfc00 cmp dword ptr [ebp-0x4],0x0

    SYMBOL_STACK_INDEX: 3

    FOLLOWUP_NAME: MachineOwner

    SYMBOL_NAME: nt!ExRaiseHardError+13c

    MODULE_NAME: nt

    IMAGE_NAME: ntoskrnl.exe

    DEBUG_FLR_IMAGE_TIMESTAMP: 3ea80977

    STACK_COMMAND: kb

    BUCKET_ID: 0xc0000218_nt!ExRaiseHardError+13c

    Followup: MachineOwner
    ---------


    This one unfortunately is not as obvious. This is a machine I am still working on.


    There are some minidumps here as well:

    http://majorgeeks.com/vb/showthread.php?t=33794

    This is still an active thread, so if you have suggestions for pegg, by all means, post em ;)

    Memory dump debugging doesn't always give us an exact answer (well sometimes it does), but it gives a starting point on where the problem may lie.
     
  2. Adrynalyne

    Adrynalyne Guest

    For the really ambitious, you can make your computer dump the memory at will:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\i8042prt\Parameters

    Add a DWORD value called CrashOnCtrlScroll and set it to a value of 1 (hex).

    Reboot.

    Then you hold ctrl (I think it's the right ctrl key) and tap ScrollLock twice.

    Your machine will give a stop error (self inflicted, not really an error) and dump the contents of RAM.

    This is only for testing, of course.
     
  3. Adrynalyne

    Adrynalyne Guest

    Take note on the above. This DOES crash your computer, and any unsaved work WILL be lost :)

    Ok, that's my disclaimer.
     
  4. alanc

    alanc MajorGeek

    Cool. Crash-on-demand :p


    An idea for a prank comes to mind...:D
     
  5. alanc

    alanc MajorGeek

    The crash-on-demand reg tweak works like a charm, although in going thru it I learned something I hadn't known before. Windows (2k at least) has a problem creating a crash dump if your pagefile is not on the %systemroot% drive (mine is on D:, Windows on C: ). So I had to create an additional small pagefile on C: to get it to work. Once I got a dump to debug I got symbol and timestamp errors (see output below, is this normal?), but even with the errors the
    "Probably caused by : i8042prt.sys"
    line tells the story. I recognize that from the reg tweak. ;)

    I didn't get any errors running the two dumps you posted.

    All in all I think this is a very cool tool :)


    Microsoft (R) Windows Debugger Version 6.3.0017.0
    Copyright (c) Microsoft Corporation. All rights reserved.

    Loading Dump File [C:\WINNT\Minidump\Mini062304-01.dmp]
    Mini Kernel Dump File: Only registers and stack trace are available

    Symbol search path is: SRV*c:\symbols*http://msdl.microsoft.com/download/symbols
    Executable search path is:
    Unable to load image ntoskrnl.exe, Win32 error 2
    *** WARNING: Unable to verify timestamp for ntoskrnl.exe
    *** ERROR: Module load completed but symbols could not be loaded for ntoskrnl.exe
    Windows 2000 Kernel Version 2195 (Service Pack 4) UP Free x86 compatible
    Kernel base = 0x80400000 PsLoadedModuleList = 0x8046e8f0
    Debug session time: Wed Jun 23 17:32:32 2004
    System Uptime: not available
    Unable to load image ntoskrnl.exe, Win32 error 2
    *** WARNING: Unable to verify timestamp for ntoskrnl.exe
    *** ERROR: Module load completed but symbols could not be loaded for ntoskrnl.exe
    Loading Kernel Symbols
    ..................................................................................................
    Loading unloaded module list
    ..............
    Loading User Symbols
    *******************************************************************************
    * *
    * Bugcheck Analysis *
    * *
    *******************************************************************************

    Use !analyze -v to get detailed debugging information.

    BugCheck E2, {0, 0, 0, 0}

    ***** Kernel symbols are WRONG. Please fix symbols to do analysis.

    *** WARNING: Unable to verify timestamp for i8042prt.sys
    *** ERROR: Module load completed but symbols could not be loaded for i8042prt.sys
    Probably caused by : i8042prt.sys ( i8042prt+207e )

    Followup: MachineOwner
    ---------
     
  6. da chicken

    da chicken MajorGeek

    Nice work Ad. Wanted to know how to do this stuff for a long time. :)
     
  7. alanc

    alanc MajorGeek

    I got symbol and timestamp errors running pegg's minidump too, but the memory corruption cause was still listed.
     
  8. DanTekGeek

    DanTekGeek Master Sergeant

    just a quick question. what is the purpose of all this?
     
  9. alanc

    alanc MajorGeek

  10. Adrynalyne

    Adrynalyne Guest

    alanc, at first I was gonna say you had the wrong symbols path, however a dump from my 2K machine gave the same error.

    ***** Kernel symbols are WRONG. Please fix symbols to do analysis.

    However, as you can see, even with an incorrect symbols path, you were able to delve useful information. :)

    Look at the difference in my output with an XP minidmp:



    Microsoft (R) Windows Debugger Version 6.3.0017.0
    Copyright (c) Microsoft Corporation. All rights reserved.


    Loading Dump File [C:\Documents and Settings\Jeremy\Desktop\Mini062204-01.dmp]
    Mini Kernel Dump File: Only registers and stack trace are available

    Symbol search path is: srv*c:\symbols*http://msdl.microsoft.com/download/symbols
    Executable search path is:
    Windows XP Kernel Version 2600 (Service Pack 1) MP (2 procs) Free x86 compatible
    Product: WinNt, suite: TerminalServer SingleUserTS
    Built by: 2600.xpsp2.030422-1633
    Kernel base = 0x804d4000 PsLoadedModuleList = 0x8054a230
    Debug session time: Tue Jun 22 22:23:15 2004
    System Uptime: 0 days 0:01:00.718
    Loading Kernel Symbols
    ...............................................................................................................................
    Loading unloaded module list
    ..
    Loading User Symbols
    *******************************************************************************
    * *
    * Bugcheck Analysis *
    * *
    *******************************************************************************

    Use !analyze -v to get detailed debugging information.

    BugCheck E2, {0, 0, 0, 0}

    Probably caused by : i8042prt.sys ( i8042prt!I8xProcessCrashDump+235 )

    Followup: MachineOwner
    ---------

    0: kd> !analyze -v
    *******************************************************************************
    * *
    * Bugcheck Analysis *
    * *
    *******************************************************************************

    MANUALLY_INITIATED_CRASH (e2)
    The user manually initiated this crash dump.
    Arguments:
    Arg1: 00000000
    Arg2: 00000000
    Arg3: 00000000
    Arg4: 00000000

    Debugging Details:
    ------------------


    BUGCHECK_STR: MANUALLY_INITIATED_CRASH

    CUSTOMER_CRASH_COUNT: 1

    DEFAULT_BUCKET_ID: DRIVER_FAULT

    LAST_CONTROL_TRANSFER: from f8738681 to 804f5471

    STACK_TEXT:
    8053e33c f8738681 000000e2 00000000 00000000 nt!KeBugCheckEx+0x19
    8053e358 f8737efb 0025fcc0 01a337c6 00000000 i8042prt!I8xProcessCrashDump+0x235
    8053e3a0 805343e5 ff71d428 8225fc08 00010009 i8042prt!I8042KeyboardInterruptService+0x21c
    8053e3a0 f882fc7e ff71d428 8225fc08 00010009 nt!KiInterruptDispatch+0x45
    8053e450 80534a6c 00000000 0000000e 00000000 processr!AcpiC1Idle+0x12


    FOLLOWUP_IP:
    i8042prt!I8xProcessCrashDump+235
    f8738681 5d pop ebp

    SYMBOL_STACK_INDEX: 1

    FOLLOWUP_NAME: MachineOwner

    SYMBOL_NAME: i8042prt!I8xProcessCrashDump+235

    MODULE_NAME: i8042prt

    IMAGE_NAME: i8042prt.sys

    DEBUG_FLR_IMAGE_TIMESTAMP: 3d6de41d

    STACK_COMMAND: kb

    BUCKET_ID: MANUALLY_INITIATED_CRASH_i8042prt!I8xProcessCrashDump+235

    Followup: MachineOwner
    ---------
     
  11. Adrynalyne

    Adrynalyne Guest

    On pegg's first memory dump, this is the only error I received:

    *** WARNING: Unable to verify timestamp for aswMon2.SYS
    *** ERROR: Module load completed but symbols could not be loaded for aswMon2.SYS


    Microsoft only provides symbols for their files. This one is not MS.

    However, if you still got the error:

    ***** Kernel symbols are WRONG. Please fix symbols to do analysis.

    Then your symbols path needs to be re-entered.

    These tools are incredibly stupid, er sensitive when it comes to symbols path, even if it looks correct, it needs to be re-entered.
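
Added example, not part of any post in the thread: a small Python triage helper for the kind of WinDbg output quoted above. It pulls out the stop code, arguments and blamed module, and separates the "Kernel symbols are WRONG" case (symbol path problem) from a missing-symbols warning on another module such as pavdrv51.sys. The sample logs are constructed from lines quoted in the thread; the function name `triage` and the list of kernel image names are assumptions of this example.

```python
import re

# Constructed samples, assembled from WinDbg lines quoted in the thread above.
SAMPLE_W2K = """\
Unable to load image ntoskrnl.exe, Win32 error 2
*** WARNING: Unable to verify timestamp for ntoskrnl.exe
*** ERROR: Module load completed but symbols could not be loaded for ntoskrnl.exe
BugCheck E2, {0, 0, 0, 0}
***** Kernel symbols are WRONG. Please fix symbols to do analysis.
*** ERROR: Module load completed but symbols could not be loaded for i8042prt.sys
Probably caused by : i8042prt.sys ( i8042prt+207e )
"""
SAMPLE_XP = """\
BugCheck 86427532, {1db, 2, 3, b}
Unable to load image pavdrv51.sys, Win32 error 2
*** ERROR: Module load completed but symbols could not be loaded for pavdrv51.sys
Probably caused by : pavdrv51.sys ( pavdrv51+7fc0 )
"""

BUGCHECK = re.compile(r"^\s*BugCheck ([0-9A-Fa-f]+), \{([^}]*)\}", re.M)
CAUSE = re.compile(r"^\s*Probably caused by : (\S+) \( (\S+) \)", re.M)
NO_SYMS = re.compile(r"symbols could not be loaded for (\S+)")
# Assumption: common NT kernel image names; extend for other kernel flavours.
KERNEL_IMAGES = {"ntoskrnl.exe", "ntkrnlmp.exe", "ntkrnlpa.exe", "ntkrpamp.exe"}

def triage(text):
    """Summarise one WinDbg minidump log: stop code, args, blamed module, symbol health."""
    bc = BUGCHECK.search(text)
    if not bc:
        raise ValueError("no 'BugCheck' line found")
    cause = CAUSE.search(text)
    missing = sorted({m.lower() for m in NO_SYMS.findall(text)})
    kernel_bad = ("Kernel symbols are WRONG" in text
                  or any(m in KERNEL_IMAGES for m in missing))
    image, symbol = cause.groups() if cause else (None, None)
    return {
        "stop_code": int(bc.group(1), 16),
        "args": [int(a, 16) for a in bc.group(2).split(",")],
        "image": image,
        "symbol": symbol,
        # 'pavdrv51+7fc0' (no '!') means only a module offset was resolved.
        "resolved": bool(symbol and "!" in symbol),
        "kernel_symbols_bad": kernel_bad,
        "modules_without_symbols": [m for m in missing if m not in KERNEL_IMAGES],
    }

if __name__ == "__main__":
    for name, log in (("W2K", SAMPLE_W2K), ("XP", SAMPLE_XP)):
        print(name, triage(log))
```
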
     
