how to get memory dump after blue screen

Asked 3/12, 2010 at 19:23 Answered 26/12, 2010 at 4:56

I'm getting a lovely BSOD on bootup (STOP: 0x0000007E) from a driver I'm writing, and would like to load up the memory dump for analysis. However, it's not getting dumped anywhere. Everything is setup correctly in the Startup and Recovery settings, but I get no dump file, and nothing in the event log stating a dump has taken place. It looks like a dump is not even occurring...

I know the exact line of code causing it (a call to IoAttachDevice()), but am not sure why, and would like to view the DbgPrint output to see where exactly it's failing. Could Windows possibly be crashing before the dumping functionality is set up? If so, how do I get access to the state of the machine when the failure occurs?

UPDATE: Other possibly useful information: I'm running Windows XP through VirtualBox on a Linux host.

Censor answered 3/12, 2010 at 19:23 Comment(7)

If you're doing Windows kernel programming, you want a Windows VM on a Windows host. – Depreciable 26/12, 2010 at 4:58

@BenVoigt Why not Windows VM on a linux Host? – Diarchy 10/2, 2014 at 14:35

Configure Boot Debugging? – Diarchy 10/2, 2014 at 14:36

@MilindR: How do you run WinDbg on your linux host? kernel debugging requires use of the Microsoft tools both inside and outside the VM. So no, Windows VM on Linux host is not good enough. – Depreciable 10/2, 2014 at 15:39

@BenVoigt another windows VM. Connect the serial ports. From what I've read about it, it's nothing exotic. – Diarchy 10/2, 2014 at 16:12

@MilindR: So you agree two Windows installs are needed. You can probably make two VMs work, but you will not be happy with performance. VM-aware debugging in the host is a thousand times faster than a serial port between VMs. Even with real hardware, there's a huge benefit to using IEEE1394 Firewire for the debug connection and not serial. – Depreciable 10/2, 2014 at 16:17

@BenVoigt yeah because the windows debugging symbols are also proprietary. Performance, yes you have a point. – Diarchy 10/2, 2014 at 16:20

I don't know why you're not getting a dump file, but if you have ready access to the machine, attach a kernel debugger to it an repro the error - you'll be left with the machine sitting in the debugger, ready to go (you can have the debugger produce the dumpfile for you if you want to debug offline as well).

Shed answered 3/12, 2010 at 19:30 Comment(6)

See my update. I'm running through VirtualBox from a Linux host, so can't setup a remote debugger (yet, at least...). – Censor 3/12, 2010 at 19:55

@user464164: You can start up a second Windows guest and connect the virtual COM ports. It's been a while since I've played with VBox but I think you can tell it to use UNIX domain sockets and then use an external tool like socat to pipe data between them. – Haemolysis 4/12, 2010 at 1:20

To add to this... I think the sysinternals guys wrote an extension or addon for windbag that lets you kernel debug on a single machine. Look on the sysinternals.com site and see what you find. (Note that sysinternals now redirects to microsofts site.) – Shockley 26/12, 2010 at 4:59

@JimR: If the machine isn't fully booting, there's no way you could load the kernel debugger... is there? WinDbg allows limited local kernel debugging, but not during boot. – Depreciable 26/12, 2010 at 5:5

@Ben Voigt: I remember it being useful for some boot time problems, but, that was ages ago. It's entirely possible it is useless now. It's also possible MS killed the addon/extension when they acquired sysinternals. I still think it's worth a shot as it does make some things less annoying. – Shockley 26/12, 2010 at 17:58

@JimR: LiveKd is still available (technet.microsoft.com/en-us/sysinternals/bb897415), but KD now has most of its capabilities built-in. Like Ben says, I don't think this would be any help on a non-booting system. – Shed 26/12, 2010 at 18:41

Right-click on "my computer" select "Advanced", under "startup and recovery" click "settings". select "kernel memory dump" or "complete memory dump".

Lanate answered 26/12, 2010 at 4:51 Comment(0)

What's the start setting of your driver? If it starts too early in the boot order, the filesystem might not be remounted read-write yet, and therefore there's no place for a dump to go.

Drivers under development shouldn't generally be set to auto-start until you've gotten the driver stable when loaded later. Of course you eventually need to set it to auto-start so you can verify it works correctly, but that comes later.

Depreciable answered 26/12, 2010 at 4:56 Comment(0)

Recommended topics

Hot tags