Read Dump Files
When a Windows application crashes or unexpectedly stops, a "crash dump file" is generated to save information present just before the malfunction. Reading small memory dump files can help you troubleshoot the cause of the error. You can use the freeware utility "BlueScreenView" to quickly learn what went wrong, or you can use the Windows Debugger tools to get more advanced information.
Contents
Steps
Using BlueScreenView
- Use BlueScreenView if you just need to see what caused your crash. Most users will only need dump files to determine what caused a system crash or Blue Screen of Death. BlueScreenView is a freeware utility from NirSoft that can analyze dump files and tell you which driver or other factor caused your crash.
- The dumps created during a system crash are referred to as "minidumps."
- Download BlueScreenView. You can download BlueScreenView directly from NirSoft at nirsoft.net/utils/blue_screen_view.html.
- You can download the program as a standalone, which comes in ZIP format. This will allow you to run it without installing it. Once you finish downloading the ZIP file, right-click it and select "Extract" to create a new folder with the BlueScreenView program.
- Launch BlueScreenView. After extracting BlueScreenView from the ZIP file, launch the program inside. You'll be prompted to continue by Windows.
- Find the dump file that you want to analyze. When your computer crashes, a file called a "minidump" is created in the Windows directory. These files have a .dmp extension, and BlueScreenView can read them and tell you what happened. Minidump files can be found at C:\Windows\Minidump. If you don't see the files, you may need to enable hidden files:
- In Windows 10 and 8, click the "View" tab in Windows Explorer and check the "Hidden items" box.
- In Windows 7 and earlier, open Folder Options from the Control Panel, click the "View" tab, and then select "Show hidden files, folders, and drives."
- Drag the .dmp file into the BlueScreenView window. The quickest way to open .dmp files is to simply drag them into the window. The file will not be moved from its original location. You'll the the lower half of the BlueScreenView window fill with data after dragging the file into the window.
- Find the "Caused By Driver" column in the top section. You may have to scroll to the right a bit to see it. This column will display the driver that caused the system crash.
- You can also find the problematic driver highlighted in red in the lower section of the window. Double-click this highlighted entry to see more details, such as the product name, description, and path.
- Use this information to troubleshoot. Now that you know what driver caused the crash, you can begin troubleshooting it. Start with a web search for "driver name crash" to see if others have experienced your problem.
Using WinDBG
- Use this method for more advanced analysis. Most users won't need to use the Windows Debugger program to open MEMORY.DMP files and examine the code dumped from memory when the system crashed. If you want to learn more about how Windows uses drivers and memory, or if you need to analyze dump files for development, Windows Debugger can give you a lot of information.
- Download the Windows Software Development Kit (WDK). This program contains the WinDBG program that you'll be using to open the dump files. You can download the WDK installer here.
- Run the sdksetup.exe file. This will start the installer. Proceed through the first few screens leaving them at their defaults.
- Deselect everything except "Debugging Tools for Windows." You can deselect all of the other features as they won't be used to open dump files. Deselecting them will save you installation time and hard disk space.
- Wait while the files are downloaded and installed. This may take a few minutes to complete.
- Open the Command Prompt as an administrator. You'll need to open an elevated Command Prompt in order to associate .dmp files with WinDBG so that it can analyze them. You'll start Command Prompt in the "system32" folder.
- Windows 10 and 8 - Right-click the Windows button and select "Command Prompt (Admin)."
- Windows 7 - Open the Start menu and type cmd. Press Ctrl+⇧ Shift+↵ Enter.
- Navigate to the debugger's directory. Enter the following command to move to the correct directory. If you're using Windows 10, you can copy and paste it. Earlier versions will require you to type it out:
- cd\Program Files (x86)\Windows Kits\8.1\Debuggers\x64\
- Enter the command to associate the dump files. Enter the following command to associate WinDBG with .dmp files. Windows 10 users can copy and paste this command:
- windbg.exe -IA
- If you entered the command correctly, an empty WinDBG window will appear, which you can close.
- Launch WinDBG. You'll need to configure WinDBG to load the proper files from Microsoft to open .dmp files. You'll do this from within WinDBG.
- The quickest way to launch the program is to press ⊞ Win and type "windbg."
- Click "File" and select "Symbol File Path." This will open a new window.
- Copy and paste the following address. This path will tell WinDBG to download the necessary symbols directly from Microsoft, and to store them at C:\SymCache:
- SRV*C:\SymCache*http://msdl.microsoft.com/download/symbols
- Your C:\SymCache folder will grow over time as you open more debug files and additional symbols are downloaded from Microsoft.
- Find the dump file that you want to analyze. Dump (.dmp) files are generated when your system crashes. By default, you should be able to find the dump file in the C:\Windows\Minidump directory after recovering from a crash. The file may also be C:\Windows\MEMORY.DMP. If you can't find the files, you may have to enable hidden files:
- In Windows 10 and 8, click the "View" tab in Windows Explorer and check the "Hidden items" box.
- In Windows 7 and earlier, open Folder Options from the Control Panel, click the "View" tab, and then select "Show hidden files, folders, and drives."
- Double-click the dump file. As long as you configured WinDBG properly following the steps above, WinDBG should launch and begin processing the file.
- Wait while the dump file loads. The first time you open a dump file, you'll need to wait while the symbols are downloaded from Microsoft. Do not interrupt the WinDBG program as it loads the file.
- The dump file will load much quicker on subsequent openings since you'll already have the symbols in your C:\SymCache folder.
- You'll know the dump file has finished loading when you see Followup: MachineOwner at the bottom of the file.
- Find the "Probably caused by" line. This is the quickest way to get an idea of what caused the crash. WinDBG will analyze the dump file and report what dirver or process likely caused the problem. You can use this information to do deeper troubleshooting and research.
- Lookup BugCheck codes. The dump file will return codes for specific bugs encountered during the crash. Look for these directly above the "Probably caused by" line. You'll typically see a two-character code, such as "9F."
- Visit the Microsoft Bug Check Code Reference. Find the code that matches you BugCode by looking at the last two characters in each entry.
Related Articles
- Fix the Blue Screen of Death on Windows
- Force a Blue Screen in Windows
- Troubleshoot a Computer
- Develop Software
Sources and Citations
- http://www.howtogeek.com/196672/windows-memory-dumps-what-exactly-are-they-for/
- https://www.raymond.cc/blog/how-to-analyze-memory-dump-dmp-file/
- http://www.tenforums.com/tutorials/2082-windbg-install-configure.html
- http://www.tenforums.com/tutorials/5558-windbg-basics-debugging-crash-dumps-windows-10-a.html