Using Symbol Files and Debuggers

You can also analyze memory dump files by using a kernel debugger. Kernel debuggers are primarily intended to be used by developers for in-depth analysis of application behavior. However, kernel debuggers are also useful tools for administrators troubleshooting Stop errors. In particular, kernel debuggers can be used to analyze memory dump files after a Stop error has occurred.

A debugger is a program that users with the Debug Programs user right (by default, only the Administrators group) can use to step through software instructions, examine data, and check for certain conditions. The following two kernel debuggers are installed with Debugging Tools For Windows:

  • Kernel Debugger: Kernel Debugger (Kd.exe) is a command-line debugging tool that you can use to analyze a memory dump file written to disk when a Stop message occurs. Kernel Debugger requires that you install symbol files on your system.
  • WinDbg Debugger: WinDbg Debugger (WinDbg.exe) provides functionality similar to Kernel Debugger, but it uses a graphical user interface (GUI).

Both tools allow users with the Debug Programs user right to analyze the contents of a memory dump file and debug kernel-mode and user-mode programs and drivers. Kernel Debugger and WinDbg Debugger are just two of the many tools included in the Debugging Tools For Windows installation. For more information about these and other debugging tools included with Debugging Tools For Windows, see Help in Debugging Tools For Windows.

To use WinDbg to analyze a crash dump, first install the debugging tools available at http://www.microsoft.com/whdc/devtools/debugging/.

To gather the most information from a memory dump file, provide the debugger access to symbol files. The debugger uses symbol files to match memory addresses to human-friendly module and function names. The simplest way to provide the debugger access to symbol files is to configure the debugger to access the Microsoft Internet-connected symbol server.

To configure the debugger to use the Microsoft symbol server, follow these steps:

  1. Click Start, point to All Programs, point to Debugging Tools For Windows, right-click WinDbg, and then click Run As Administrator.
  2. Select Symbol File Path from the File menu.
  3. In the Symbol Path box, type
    SRV*localpath*http://msdl.microsoft.com/download/symbols
    where localpath is a path on the hard disk that the debugger will use to store the downloaded symbol files. The debugger will automatically create localpath when you analyze a dump file.
    For example, to store the symbol files in C:\Websymbols, set the symbol file path to "SRV*c:\websymbols*http://msdl.microsoft.com/download/symbols".
  4. Click OK.

Debuggers do not require access to symbol files to extract the Stop error number and parameters from a memory dump file. Often, the debugger can also identify the source of the Stop error without access to symbols.

Note: You can also download symbol files for offline use from http://www.microsoft.com/whdc/devtools/debugging/.

To analyze a memory dump file, follow these steps:

  1. Click Start, point to All Programs, point to Debugging Tools For Windows, right-click WinDbg, and then click Run As Administrator.
  2. Select Open Crash Dump from the File menu.
  3. Type the location of the memory dump file and then click Open. By default, this location is %SystemRoot%\Memory.dmp.
  4. In the Save Workspace Information dialog box, click No.
  5. Select the Command window.

The Bugcheck line tells you the Stop error number. The Probably Caused By line indicates the file that was being processed at the time of the Stop error.

The Command window displays feedback from the debugger and allows you to issue additional commands. When a crash dump is opened, the Command window automatically displays the output of the !analyze command. In many cases, this default information is sufficient to isolate the cause of the Stop error.

If the default analysis does not provide all the information you need for troubleshooting, run the following command in the Command window.

!analyze -v

This command displays the stack, which lists the function calls that preceded the Stop error. This might give clues to the source of a Stop error. For example, the following stack trace output, created by calling !analyze -v, correctly indicates that the Stop error was related to the removal of a universal serial bus (USB) device, as the RemoveDevice frames in the usbhub and USBSTOR modules show.

STACK_TEXT:
WARNING: Frame IP not in any known module. Following frames may be wrong.
ba4ffb2c ba26c6ff 89467df0 68627375 70646f52 0x8924ed33
ba4ffb5c ba273661 88ffade8 8924eae0 89394e48 usbhub!USBH_PdoRemoveDevice+0x41
ba4ffb7c ba26c952 88ffaea0 89394e48 00000002 usbhub!USBH_PdoPnP+0x5b
ba4ffba0 ba26a1d8 01ffaea0 89394e48 ba4ffbd4 usbhub!USBH_PdoDispatch+0x5a
ba4ffbb0 804eef95 88ffade8 89394e48 88eac2e0 usbhub!USBH_HubDispatch+0x48
ba4ffbc0 ba3f2db4 88eac228 88eac2e0 00000000 nt!IopfCallDriver+0x31
ba4ffbd4 ba3f4980 88eac228 89394e48 89394e48 USBSTOR!USBSTOR_FdoRemoveDevice+0xac
ba4ffbec b9eed58c 88eac228 89394e48 89394f48 USBSTOR!USBSTOR_Pnp+0x4e
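
As an added example (not part of the original page or of Debugging Tools For Windows), the following Python script parses a 32-bit STACK_TEXT block like the one above and reports the modules on the stack, the frames the debugger could not resolve to a module, and argument values that decode to printable ASCII. The names parse_frames and triage and the ASCII heuristic are assumptions of this example.

```python
import re

# Sample input: the STACK_TEXT excerpt from this page, embedded so the block runs offline.
STACK_TEXT = """\
STACK_TEXT:
WARNING: Frame IP not in any known module. Following frames may be wrong.
ba4ffb2c ba26c6ff 89467df0 68627375 70646f52 0x8924ed33
ba4ffb5c ba273661 88ffade8 8924eae0 89394e48 usbhub!USBH_PdoRemoveDevice+0x41
ba4ffb7c ba26c952 88ffaea0 89394e48 00000002 usbhub!USBH_PdoPnP+0x5b
ba4ffba0 ba26a1d8 01ffaea0 89394e48 ba4ffbd4 usbhub!USBH_PdoDispatch+0x5a
ba4ffbb0 804eef95 88ffade8 89394e48 88eac2e0 usbhub!USBH_HubDispatch+0x48
ba4ffbc0 ba3f2db4 88eac228 88eac2e0 00000000 nt!IopfCallDriver+0x31
ba4ffbd4 ba3f4980 88eac228 89394e48 89394e48 USBSTOR!USBSTOR_FdoRemoveDevice+0xac
ba4ffbec b9eed58c 88eac228 89394e48 89394f48 USBSTOR!USBSTOR_Pnp+0x4e
"""

# 32-bit frame layout: ChildEBP RetAddr Arg1 Arg2 Arg3 call-site
FRAME = re.compile(r"^((?:[0-9a-f]{8}[ \t]+){5})(\S+)[ \t]*$", re.I | re.M)
SYMBOL = re.compile(r"^([^!]+)!([^+]+)(?:\+0x[0-9a-f]+)?$", re.I)

def parse_frames(text):
    """Return one dict per frame; module/function are None when unresolved."""
    frames = []
    for m in FRAME.finditer(text):  # header and WARNING lines do not match
        sym = SYMBOL.match(m.group(2))
        module, function = sym.groups() if sym else (None, None)
        frames.append({"args": m.group(1).split()[2:], "site": m.group(2),
                       "module": module, "function": function})
    return frames

def triage(text):
    """Summarise modules on the stack, unresolved frames and ASCII-looking args."""
    frames = parse_frames(text)
    modules, ascii_args = [], []
    for f in frames:
        if f["module"] and f["module"] not in modules:
            modules.append(f["module"])
        for arg in f["args"]:
            # Heuristic (assumption): decode a dword whose four bytes are all printable ASCII.
            raw = bytes.fromhex(arg)[::-1]  # little-endian, as stored in memory
            if all(0x20 <= b <= 0x7E for b in raw):
                ascii_args.append(raw.decode("ascii"))
    return {"unresolved": [f["site"] for f in frames if not f["module"]],
            "modules": modules, "ascii_args": ascii_args}

if __name__ == "__main__":
    print(triage(STACK_TEXT))
```

On the sample, the single unresolved frame is the one the WARNING line refers to, and two of its arguments decode to the strings "usbh" and "Rodp".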