Appendix B. 

Crash Dump Analysis Checklist

General:

  • Symbol servers (.symfix)

  • Internal database(s) search

  • Google or Microsoft search for suspected components, as this could be a known issue. Sometimes a simple search immediately points to the fix on a vendor's site

  • The tool used to save a dump (to flag false positive, incomplete or inconsistent dumps)

  • OS/SP version (version)

  • Language

  • Debug time

  • System uptime

  • Computer name (dS srv!srvcomputername or !envvar COMPUTERNAME)

  • Hardware configuration (!sysinfo)

  • .kframes 100

Application crash or hang:

  • Default analysis (!analyze -v or !analyze -v -hang for hangs)

  • Critical sections (!locks and !locks -v, !cs -l -o -s) for both crashes and hangs

  • Component timestamps, duplication and paths. DLL Hell?

  • Do any newer components exist?

  • Process threads (~*kv or !uniqstack)

  • Process uptime

  • Your components on the full raw stack of the problem thread

  • Your components on the full raw stack of the main application thread

  • Process size

  • Number of threads

  • Gflags value (!gflag)

  • Time consumed by thread (!runaway)

  • Environment (!peb)

  • Import table (!dh)

  • Hooked functions (!chkimg)

  • Exception handlers (!exchain)

  • Computer name (!envvar COMPUTERNAME)

System hang:

  • Default analysis (!analyze -v -hang)

  • ERESOURCE contention (!locks)

  • Processes and virtual memory including session space (!vm 4)

  • Important services are present and not hanging (for example, terminal or IMA services for Citrix environments)

  • Pools (!poolused)

  • Waiting threads (!stacks)

  • Critical system queues (!exqueue f)

  • I/O (!irpfind)

  • The list of all thread stack traces (!process 0 ff for W2K3/XP/Vista, ListProcessStacks script for W2K, Volume 1, page 222)

  • LPC/ALPC chain for suspected threads (!lpc message or !alpc /m after search for "Waiting for reply to LPC" or "Waiting for reply to ALPC" in !process 0 ff output)

  • Mutants (search for "Mutants - owning thread" in !process 0 ff output)

  • Critical sections for suspected processes (!ntsdexts.locks, !cs -l -o -s)

  • Sessions, session processes (!session, !sprocess)

  • Processes (size, handle table size) (!process 0 0)

  • Running threads (!running)

  • Ready threads (!ready)

  • DPC queues (!dpcs)

  • The list of APCs (!apc)

  • Internal queued spinlocks (!qlocks)

  • Computer name (dS srv!srvcomputername)

BSOD:

  • Default analysis (!analyze -v)

  • Pool address (!pool)

  • Component timestamps

  • Processes and virtual memory (!vm 4)

  • Current threads on other processors

  • Raw stack

  • Bugcheck description (including ln exception address for corrupt or truncated dumps)

  • Bugcheck callback data (!bugdump for systems prior to Windows XP SP1)

  • Bugcheck secondary callback data (.enumtag)

  • Computer name (dS srv!srvcomputername)

  • Hardware configuration (!sysinfo)
