Analyzing a Kernel-Mode Dump File with KD

Kernel-mode memory dump files can be analyzed by KD. The processor or Windows version that the dump file was created on does not need to match the platform on which KD is being run.

Starting KD

To analyze a dump file, start KD with the -z command-line option:

kd -y SymbolPath -i ImagePath -z DumpFileName

The -v option (verbose mode) is also useful. For a full list of options, see KD Command-Line Options.

You can also open a dump file after the debugger is running by using the .opendump (Open Dump File) command, followed with g (Go).

It is possible to debug multiple dump files at the same time. This can be done by including multiple -z switches on the command line (each followed by a different file name), or by using .opendump to add additional dump files as debugger targets. For information about how to control a multiple-target session, see Debugging Multiple Targets.

Dump files generally end with the extension .dmp or .mdmp. You can use network shares or Universal Naming Convention (UNC) file names for the memory dump file.

It is also common for dump files to be packed into a CAB file. If you specify the file name (including the .cab extension) after the -z option or as the argument to an .opendump command, the debugger can read the dump files directly out of the CAB. However, if there are multiple dump files stored in a single CAB, the debugger will only be able to read one of them. The debugger will not read any additional files from the CAB, even if they were symbol files or other files associated with the dump file.

Analyzing the Dump File

If you are analyzing a Kernel Memory Dump or a Small Memory Dump, you may need to set the executable image path to point to any executable files which may have been loaded in memory at the time of the crash.

Analysis of a dump file is similar to analysis of a live debugging session. See the Debugger Commands reference section for details on which commands are available for debugging dump files in kernel mode.

In most cases, you should begin by using !analyze. This extension command performs automatic analysis of the dump file and can often result in a lot of useful information.

The .bugcheck (Display Bug Check Data) shows the bug check code and its parameters. Look up this bug check in the Bug Check Code Reference for information about the specific error.

The following debugger extensions are especially useful for analyzing a kernel-mode crash dump:

!drivers

!kdext*.locks

!memusage

!vm

!errlog

!process 0 0

!process 0 7

For techniques that can be used to read specific kinds of information from a dump file, see Extracting Information from a Dump File.

 

 

Send comments about this topic to Microsoft

Show:
© 2014 Microsoft. All rights reserved.