Install and Configure WinDBG for BSOD Analysis

Ztruker · 23 Jun 2016

The images still refer to Windows 8.1, not Windows 10.

Brink · 23 Jun 2016

All updated now. :)

Ztruker · 27 Jun 2016

Great job Shawn, Looks great now.

ICIT2LOL · 06 Jul 2016

Ok Colin mate I have just installed this 10 and got to the test file but it cannot open because of some error.

axe0 · 06 Jul 2016

John, could you try to open a dump from the BSOD forum, please let it load and use the !analyze -v command, close it and open it again. Do this a few times please so all symbols required are downloaded.
Please let us know what you get (copy/paste the output in code tags) so we can get your symbol problems gone :)

derekimo · 06 Jul 2016

ICIT2LOL said:

Ok Colin mate I have just installed this 10 and got to the test file but it cannot open because of some error.

Sounds like the same thing that happened a month ago John,

ICIT2LOL said:

Ok just installed the kit onto my 10 machine but it will not open that test BSOD file. What now??

derekimo said:

That was zipped with 7-zip, you should be able to open this one,

Attachment 82489

ICIT2LOL said:

Thanks Derek it worked fine even though I did have 7-zip installed for the other try anyway at least it is working.:)

derekimo said:

You're welcome John, you would have needed to right click on it and use the 7zip context menu options instead of just clicking on it.

As you say, at least it's working. :)

I changed the file in the tutorial to a regular zip to avoid this in the future.

ICIT2LOL · 06 Jul 2016

Yes Derek it was exactly the same thing. I shall try the new link.

ICIT2LOL · 06 Jul 2016

axe0 said:

John, could you try to open a dump from the BSOD forum, please let it load and use the !analyze -v command, close it and open it again. Do this a few times please so all symbols required are downloaded.
Please let us know what you get (copy/paste the output in code tags) so we can get your symbol problems gone :)

Ok it is working with the test link and I shall see what I get for a posted BSOD dump.

Now my problem with reading these dumps is that I seem to see things that are blatantly obvious like graphics drivers but more often than not get pulled up for some other feature that I do see but cannot attach any relevance to it.

derekimo · 06 Jul 2016

ICIT2LOL said:

Yes Derek it was exactly the same thing. I shall try the new link.

ICIT2LOL said:

Ok it is working with the test link.

The rest of what you said can be learned if you focus on this here John,

WinDBG - The Basics for Debugging Crash Dumps in Windows 10 - Windows 10 Forums

That is part 3 I linked directly, it has 3 steps, focus on the first two for now.

ICIT2LOL · 06 Jul 2016

Thanks Derek I shall have to get into that and what Martijn wanted I opened this dump three times and each time it got quicker because the initial opening of a dump takes ages - I hope this is what is needed.

Code:

Microsoft (R) Windows Debugger Version 10.0.10586.567 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.




Loading Dump File [C:\Users\John\AppData\Local\Temp\Temp1_DESKTOP-REO3G45-2016_06_30_152907_92.zip\062816-13671-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available


Symbol search path is: srv*
Executable search path is: 
Windows 10 Kernel Version 10586 MP (4 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 10586.420.amd64fre.th2_release_sec.160527-1834
Machine Name:
Kernel base = 0xfffff801`8ee07000 PsLoadedModuleList = 0xfffff801`8f0e5cf0
Debug session time: Wed Jun 29 07:25:01.179 2016 (UTC + 10:00)
System Uptime: 0 days 0:00:49.988
Loading Kernel Symbols
.


Press ctrl-c (cdb, kd, ntsd) or ctrl-break (windbg) to abort symbol loads that take too long.
Run !sym noisy before .reload to track down problems loading symbols.


..............................................................
................................................................
............................................
Loading User Symbols
Loading unloaded module list
..........
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************


Use !analyze -v to get detailed debugging information.


BugCheck 50, {ffffcfffd8a8e950, 2, fffff80019aa31de, 2}




Could not read faulting driver name
Probably caused by : memory_corruption


Followup:     memory_corruption
---------


3: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************


PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced.  This cannot be protected by try-except.
Typically the address is just plain bad or it is pointing at freed memory.
Arguments:
Arg1: ffffcfffd8a8e950, memory referenced.
Arg2: 0000000000000002, value 0 = read operation, 1 = write operation.
Arg3: fffff80019aa31de, If non-zero, the instruction address which referenced the bad memory
	address.
Arg4: 0000000000000002, (reserved)


Debugging Details:
------------------




Could not read faulting driver name


DUMP_CLASS: 1


DUMP_QUALIFIER: 400


BUILD_VERSION_STRING:  10586.420.amd64fre.th2_release_sec.160527-1834


SYSTEM_MANUFACTURER:  System manufacturer


SYSTEM_PRODUCT_NAME:  P5K3 Deluxe


SYSTEM_SKU:  To Be Filled By O.E.M.


SYSTEM_VERSION:  System Version


BIOS_VENDOR:  American Megatrends Inc.


BIOS_VERSION:  1206   


BIOS_DATE:  04/16/2009


BASEBOARD_MANUFACTURER:  ASUSTeK Computer INC.


BASEBOARD_PRODUCT:  P5K3 Deluxe


BASEBOARD_VERSION:  Rev 1.xx


DUMP_TYPE:  2


BUGCHECK_P1: ffffcfffd8a8e950


BUGCHECK_P2: 2


BUGCHECK_P3: fffff80019aa31de


BUGCHECK_P4: 2


READ_ADDRESS: fffff8018f185520: Unable to get MiVisibleState
 ffffcfffd8a8e950 


FAULTING_IP: 
dxgkrnl!DxgkDestroyAllocationHelper+ce
fffff800`19aa31de 0f9280000000b8  setb    byte ptr [rax-48000000h]


MM_INTERNAL_CODE:  2


CPU_COUNT: 4


CPU_MHZ: 965


CPU_VENDOR:  GenuineIntel


CPU_FAMILY: 6


CPU_MODEL: f


CPU_STEPPING: 7


CPU_MICROCODE: 6,f,7,0 (F,M,S,R)  SIG: 6A'00000000 (cache) 6A'00000000 (init)


CUSTOMER_CRASH_COUNT:  1


DEFAULT_BUCKET_ID:  CODE_CORRUPTION


BUGCHECK_STR:  AV


PROCESS_NAME:  LogonUI.exe


CURRENT_IRQL:  0


ANALYSIS_SESSION_HOST:  DESKTOP-9I73FSG


ANALYSIS_SESSION_TIME:  07-07-2016 12:58:26.0804


ANALYSIS_VERSION: 10.0.10586.567 amd64fre


TRAP_FRAME:  ffffd00020a8e5b0 -- (.trap 0xffffd00020a8e5b0)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=ffffd00020a8e950 rbx=0000000000000000 rcx=ffffd00020a8e950
rdx=0000000000000000 rsi=0000000000000000 rdi=0000000000000000
rip=fffff80019aa31de rsp=ffffd00020a8e740 rbp=ffffd00020a8e840
 r8=0000000000000000  r9=0000000000000001 r10=0000000000000000
r11=fffff80019a323c3 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei ng nz na po cy
dxgkrnl!DxgkDestroyAllocationHelper+0xce:
fffff800`19aa31de 0f9280000000b8  setb    byte ptr [rax-48000000h] ds:ffffcfff`d8a8e950=??
Resetting default scope


LAST_CONTROL_TRANSFER:  from fffff8018ef765c1 to fffff8018ef497a0


STACK_TEXT:  
ffffd000`20a8e358 fffff801`8ef765c1 : 00000000`00000050 ffffcfff`d8a8e950 00000000`00000002 ffffd000`20a8e5b0 : nt!KeBugCheckEx
ffffd000`20a8e360 fffff801`8ee72621 : 00000000`00000002 00000000`00000000 ffffd000`20a8e5b0 ffffe000`4e1e6700 : nt! ?? ::FNODOBFM::`string'+0x1e3c1
ffffd000`20a8e450 fffff801`8ef52abc : ffffd000`50488180 00000000`00000001 ffffd000`5048eb40 ffffe000`4e1e6700 : nt!MmAccessFault+0x5f1
ffffd000`20a8e5b0 fffff800`19aa31de : ffffe000`4e523840 ffffd000`50488180 ffffd000`50494bc0 00000000`00000000 : nt!KiPageFault+0x13c
ffffd000`20a8e740 fffff800`19b574b9 : 00000000`00000020 00000265`203ccf08 00000094`e937eb70 ffffc001`2f496d70 : dxgkrnl!DxgkDestroyAllocationHelper+0xce
ffffd000`20a8eba0 fffff801`8ef540a3 : 00000000`00000020 00000000`00000020 00000000`00000000 00000265`203ccf08 : dxgkrnl!DxgkDestroyAllocation+0xd9
ffffd000`20a8ec40 00007ffd`9fcb4424 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13
00000094`e937e8b8 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x00007ffd`9fcb4424




STACK_COMMAND:  kb


CHKIMG_EXTENSION: !chkimg -lo 50 -db !dxgkrnl
2 errors : !dxgkrnl (fffff80019aa31df-fffff80019aa33df)
fffff80019aa31d0  04  00  00  45  8b  fc  45  8d  75  02  41  83  fc  41  0f *92 ...E..E.u.A..A..
...
fffff80019aa33d0  38  ff  15  29  3d  fd  ff  85  c0  75  1b  48  8d  4e  38 *55 8..)=....u.H.N8U


MODULE_NAME: memory_corruption


IMAGE_NAME:  memory_corruption


FOLLOWUP_NAME:  memory_corruption


DEBUG_FLR_IMAGE_TIMESTAMP:  0


MEMORY_CORRUPTOR:  STRIDE


FAILURE_BUCKET_ID:  MEMORY_CORRUPTION_STRIDE


BUCKET_ID:  MEMORY_CORRUPTION_STRIDE


PRIMARY_PROBLEM_CLASS:  MEMORY_CORRUPTION_STRIDE


TARGET_TIME:  2016-06-28T21:25:01.000Z


OSBUILD:  10586


OSSERVICEPACK:  0


SERVICEPACK_NUMBER: 0


OS_REVISION: 0


SUITE_MASK:  272


PRODUCT_TYPE:  1


OSPLATFORM_TYPE:  x64


OSNAME:  Windows 10


OSEDITION:  Windows 10 WinNt TerminalServer SingleUserTS


OS_LOCALE:  


USER_LCID:  0


OSBUILD_TIMESTAMP:  2016-05-28 13:59:07


BUILDDATESTAMP_STR:  160527-1834


BUILDLAB_STR:  th2_release_sec


BUILDOSVER_STR:  10.0.10586.420.amd64fre.th2_release_sec.160527-1834


ANALYSIS_SESSION_ELAPSED_TIME: 1e5b


ANALYSIS_SOURCE:  KM


FAILURE_ID_HASH_STRING:  km:memory_corruption_stride


FAILURE_ID_HASH:  {574dbc1b-92cb-fb09-cb7a-cacc1bb2c511}


Followup:     memory_corruption