Wednesday, June 6, 2012

Part 3: Setup WinDBG as a server to solve BSOD


Part 3: Configuration

WinDBG is set up and ready; now we need a memory dump file to analyze. When I started writing this demo, I didn’t have any real-world dump file, but in the end I found one and you can see that demo at the end. There is a trick here: you can get a dump file by crashing the system manually. Source: http://support.microsoft.com/kb/969028.
 
I tried to download the NotMyFault utility from http://download.sysinternals.com/Files/Notmyfault.zip, but it is not available there. I found the software on http://www.afterdawn.com/software/system_tools/misc_system_tools/notmyfault.cfm; download and unzip it under the c:\notmyfault folder (create the notmyfault folder on the C drive).
 
Run NotMyfault.exe from c:\Notmyfault\x64.

Congrats, you have just crashed your system and created a memory dump file.
Note: Do not try this on your PC or production systems; I am crashing it in a virtual machine lab.
Once it is done writing the dump file, the system will restart automatically.
Currently my dump setting is set to minidump, and I crashed my computer twice, so it has created 2 files. You can set the dump file setting to full memory dump or kernel memory dump and see the results.
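The dump type is what the "Write debugging information" dialog changes. As an added example (not part of the original post), the PowerShell below reads and sets the same setting through the documented CrashControl registry values, so the minidump/kernel/complete choice can be scripted on a lab machine before crashing it. It assumes an elevated prompt; the C:\dump paths are assumptions matching the post's folder layout, and the new value only takes effect after a reboot.

```powershell
# Added example, not code from the original post.
# The values under CrashControl are the documented ones the System Properties
# "Startup and Recovery" dialog writes. Run from an elevated PowerShell.
$crashControl = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'

# Documented CrashDumpEnabled codes (7 = automatic exists only on Windows 8 and later).
$dumpTypes = @{
    0 = 'None'
    1 = 'Complete memory dump'
    2 = 'Kernel memory dump'
    3 = 'Small memory dump (minidump)'
    7 = 'Automatic memory dump'
}

function Get-CrashDumpConfig {
    # Show the current configuration in readable form.
    $p = Get-ItemProperty -Path $crashControl
    [pscustomobject]@{
        DumpType    = $dumpTypes[[int]$p.CrashDumpEnabled]
        DumpFile    = $p.DumpFile       # used for kernel and complete dumps
        MinidumpDir = $p.MinidumpDir    # used for minidumps
        AutoReboot  = [bool]$p.AutoReboot
        Overwrite   = [bool]$p.Overwrite
    }
}

function Set-CrashDumpConfig {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Minidump', 'Kernel', 'Complete', 'Automatic')]
        [string]$Type,
        # Assumed paths: the post keeps its dumps under c:\dump.
        [string]$DumpFile    = 'C:\dump\MEMORY.DMP',
        [string]$MinidumpDir = 'C:\dump\Minidump'
    )
    $code = switch ($Type) {
        'Minidump'  { 3 }
        'Kernel'    { 2 }
        'Complete'  { 1 }
        'Automatic' { 7 }
    }
    # Make sure the target folders exist; the kernel will not create them.
    New-Item -ItemType Directory -Path $MinidumpDir -Force | Out-Null
    New-Item -ItemType Directory -Path (Split-Path $DumpFile -Parent) -Force | Out-Null

    Set-ItemProperty -Path $crashControl -Name CrashDumpEnabled -Value $code -Type DWord
    Set-ItemProperty -Path $crashControl -Name DumpFile    -Value $DumpFile    -Type ExpandString
    Set-ItemProperty -Path $crashControl -Name MinidumpDir -Value $MinidumpDir -Type ExpandString
    # Keep the lab box coming back on its own after the crash, as the post describes.
    Set-ItemProperty -Path $crashControl -Name AutoReboot -Value 1 -Type DWord

    Write-Warning 'CrashControl changed; the new dump type applies after the next reboot.'
    Get-CrashDumpConfig
}

# Usage: inspect, then switch to a kernel memory dump before the next crash test.
Get-CrashDumpConfig
Set-CrashDumpConfig -Type Kernel
```

A kernel or complete dump is written through the page file on the boot volume, so if the file never appears after the BSOD, check that the page file is large enough before suspecting the debugger setup.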


After installation, you will find the new programs under Start > All Programs > Windows Kits > Debugging Tools for Windows.
Click WinDBG (X64). WinDBG is a pure debugger tool, specially designed for Microsoft application developers.

What are symbol files?
In the next stage you need symbols in order to do effective debugging. I will call them the WinDBG dictionary, from which WinDBG decodes dump files.

Next you need to configure the symbol file location and server path.
You can alter the symbol store location; you can set it to another drive. Here I am using srv*c:\symbols*http://msdl.microsoft.com/download/symbols, which will save symbol files to c:\symbols and download them from http://msdl.microsoft.com/download/symbols.

There are also symbols available from Citrix if you want to check dump files generated on a Citrix server. Below is the list.

  1. Symbol server (Microsoft):
     Value for non-Microsoft employees:
     srv*c:\symbols*http://msdl.microsoft.com/download/symbols
     For Microsoft employees:
     srv*c:\symbols*http://symweb
  2. Symbol server (Citrix):
     srv*c:\css*http://ctxsym.citrix.com/symbols
Click File > Open Crash Dump or press Ctrl+D.
Navigate to c:\dump\minidump, select the latest memory dump file, and press Open.

It will download the symbol files needed to decode the dump file. This will take time depending on your internet speed; you can check the c:\symbols folder size later as it slowly grows.


As the screenshot above shows, WinDBG detected the myfault.sys file as the culprit. Now you can google the file name, or search the files and folders on your computer, to determine what driver or software is associated with myfault.sys. Since we ran notmyfault.exe, check the other file names located in the same folder. Once you know what application or driver is causing the error, upgrade it to a stable version, and also check the hardware that relies on those drivers or software.

Here we have successfully post-mortemed the minidump file. Now we are going to capture a kernel memory dump file. For this, change the "Write debugging information" setting and the dump file location.
 
This time I will show you another method of crashing the system, which doesn’t need any utility: simply go to Task Manager and end the process tree of csrss.

 
This will generate a BSOD and create a Memory.dump file under c:\dump. After the restart, open WinDBG > File > Open Crash Dump, navigate to c:\dump and open the Memory.dump file.

Once the WinDBG command prompt opens, type the !analyze -v command for detailed debug output.
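The symbol path set up above and the !analyze -v step can be combined into an unattended run, which is what you want when several dumps pile up in c:\dump. The following PowerShell is an added example, not code from the original post: it points kd.exe (the command-line sibling of WinDBG from the same Debugging Tools install) at each dump with the post's symbol path, runs !analyze -v, and pulls the bug check string and the module that WinDBG blames (myfault.sys and csrss.exe in the post's two runs) out of the output. The kd.exe search location, the C:\dump folder and the .dump/.dmp file extensions are assumptions.

```powershell
# Added example, not code from the original post.
# Assumes Debugging Tools for Windows is installed under Windows Kits (searched below)
# and that dumps live in C:\dump, as in the post.
$symbolPath = 'srv*c:\symbols*http://msdl.microsoft.com/download/symbols'   # the post's value
$dumpRoot   = 'C:\dump'                                                      # assumed folder

# Locate the x64 kd.exe shipped with the Debugging Tools (install path is an assumption).
$kd = Get-ChildItem -Path "${env:ProgramFiles(x86)}\Windows Kits" -Recurse -Filter kd.exe -ErrorAction SilentlyContinue |
      Where-Object { $_.DirectoryName -like '*\x64' } |
      Select-Object -First 1 -ExpandProperty FullName
if (-not $kd) { throw 'kd.exe not found under Windows Kits; adjust the assumed install path.' }

function Get-AnalyzeField {
    # Pull one "NAME: value" field out of !analyze -v output; $null if absent.
    param([string]$Text, [string]$Name)
    if ($Text -match "(?m)^$Name\s*:\s*(.+?)\s*$") { $Matches[1] } else { $null }
}

function Invoke-DumpAnalysis {
    param([Parameter(Mandatory)] [string]$DumpFile)
    # -z opens the dump, -y sets the symbol path, -c runs the command; "q" quits kd afterwards.
    $output = & $kd -z $DumpFile -y $symbolPath -c '!analyze -v; q' 2>&1
    $text   = ($output | Out-String)

    # The same fields the post reads off the WinDBG window after !analyze -v.
    [pscustomobject]@{
        Dump        = Split-Path $DumpFile -Leaf
        BugCheck    = Get-AnalyzeField $text 'BUGCHECK_STR'
        Module      = Get-AnalyzeField $text 'MODULE_NAME'     # e.g. myfault
        Image       = Get-AnalyzeField $text 'IMAGE_NAME'      # e.g. myfault.sys
        Process     = Get-AnalyzeField $text 'PROCESS_NAME'    # e.g. csrss.exe
        Bucket      = Get-AnalyzeField $text 'FAILURE_BUCKET_ID'
        SymbolsMissing = ($text -match '\*\*\* ERROR: Module load completed but symbols could not be loaded')
    }
}

# Usage: triage every dump under C:\dump (the post's minidumps and the kernel dump).
Get-ChildItem -Path $dumpRoot -Recurse -Include *.dmp, *.dump |
    ForEach-Object { Invoke-DumpAnalysis -DumpFile $_.FullName } |
    Format-Table -AutoSize
```

The SymbolsMissing column is the check worth keeping: if it is true, the IMAGE_NAME is unreliable and the first thing to fix is the symbol path or connectivity to the symbol server, not the driver it names.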
 
As you can see, csrss.exe caused the BSOD.

Download the full PDF of this article from http://kunaludapi.weebly.com.
