Saturday 2 October 2010

Application crash dump in Windows 7

I am so familiar with Dr Watson in XP that I thought I could also use it in Windows 7 as a postmortem debugger to get an application crash dump. However, I got the following when I tried to run its setup by typing "drwatson.exe":



According to Google search results, Dr Watson is no longer used since Windows Vista; it has been replaced by "Windows Error Reporting" (WER), whose reports are located at C:\Users\USERNAME\AppData\Local\Microsoft\Windows\WER\ReportArchive\AppCrash_crashtest.exe_UUID. For me, the content of a WER report is useless though.
If you check this sample, you may agree with me.



Fortunately, you can still get the crash dump file if you follow the instructions in KB931673.



This feature is not enabled by default. Enabling the feature requires administrator privileges. To save these user-mode memory dumps locally using Windows Error Reporting, create the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps
Value name: DumpType
Data type: REG_DWORD
Value data: 1

Data value descriptions:
0 = Create a custom dump
1 = Mini dump
2 = Full dump

The crash dump file is generally stored in the folder "%LOCALAPPDATA%\CrashDumps".



If the crashing process is a service, the location may be at

C:\Windows\System32\config\systemprofile\AppData\Local\CrashDumps
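To make the registry change above repeatable, here is an added PowerShell example (not part of the original post) that creates the LocalDumps key, sets DumpType as described, reads the settings back, and then lists whatever dumps have landed in the dump folder. It also uses a per-application subkey named after crashtest.exe and the DumpCount and DumpFolder values documented in KB931673, none of which the post itself mentions; treat those as assumptions.

```powershell
# Added example (not from the original post): enable WER LocalDumps for
# crashtest.exe and verify the result. Run from an elevated PowerShell
# session; writing under HKLM requires administrator privileges.
# DumpFolder / DumpCount are LocalDumps values documented in KB931673
# and are assumptions beyond what the post itself lists.

$localDumps = 'HKLM:\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps'

# Optional per-application subkey: settings here override the global ones.
# 'crashtest.exe' is the sample program from the post; substitute your own.
$appKey = Join-Path $localDumps 'crashtest.exe'

foreach ($key in @($localDumps, $appKey)) {
    if (-not (Test-Path $key)) {
        New-Item -Path $key -Force | Out-Null
    }
}

# DumpType: 0 = custom dump, 1 = mini dump, 2 = full dump (as in the post).
Set-ItemProperty -Path $appKey -Name 'DumpType'   -Value 1 -Type DWord
# Keep at most 5 dumps for this application (the documented default is 10).
Set-ItemProperty -Path $appKey -Name 'DumpCount'  -Value 5 -Type DWord
# Write dumps to a dedicated folder instead of the default %LOCALAPPDATA%\CrashDumps.
Set-ItemProperty -Path $appKey -Name 'DumpFolder' -Value '%LOCALAPPDATA%\CrashDumps\crashtest' -Type ExpandString

# Read the settings back so a typo in a value name is caught immediately.
Get-ItemProperty -Path $appKey | Select-Object DumpType, DumpCount, DumpFolder

# After the next crash, list what WER wrote for this user-mode process.
# (For a service, look under
#  C:\Windows\System32\config\systemprofile\AppData\Local\CrashDumps instead.)
$dumpDir = [Environment]::ExpandEnvironmentVariables('%LOCALAPPDATA%\CrashDumps\crashtest')
if (Test-Path $dumpDir) {
    Get-ChildItem -Path $dumpDir -Filter '*.dmp' |
        Sort-Object LastWriteTime -Descending |
        Select-Object Name, Length, LastWriteTime
}
```

A mini dump (DumpType 1) is usually enough for "!analyze -v" to name the faulting line, as the output below shows. A full dump (DumpType 2) captures the entire process memory, including any passwords or tokens the process held at the time, so if you enable it, restrict who can read the dump folder and delete the dumps once they have been analysed.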



Open the crash dump file with WinDbg and enter the command "!analyze -v"; it will tell you where the problem is. In my example, it happened at




> 154: *pEmpty = 'x';




0:000> !analyze -v
*******************************************************************************
* *
* Exception Analysis *
* *
*******************************************************************************


FAULTING_IP:
crashtest!WndProc+94 [c:\projects\crashtest\crashtest.cpp @ 154]
01331224 c60078 mov byte ptr [eax],78h

EXCEPTION_RECORD: ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 01331224 (crashtest!WndProc+0x00000094)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000001
Parameter[1]: 00000000
Attempt to write to address 00000000

DEFAULT_BUCKET_ID: WRONG_SYMBOLS

PROCESS_NAME: crashtest.exe

FAULTING_MODULE: 76ee0000 ntdll

DEBUG_FLR_IMAGE_TIMESTAMP: 4ca4a81d

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

EXCEPTION_PARAMETER1: 00000001

EXCEPTION_PARAMETER2: 00000000

WRITE_ADDRESS: 00000000

FOLLOWUP_IP:
crashtest!WndProc+94 [c:\projects\crashtest\crashtest.cpp @ 154]
01331224 c60078 mov byte ptr [eax],78h

FAULTING_THREAD: 000009ec

PRIMARY_PROBLEM_CLASS: WRONG_SYMBOLS

BUGCHECK_STR: APPLICATION_FAULT_WRONG_SYMBOLS

LAST_CONTROL_TRANSFER: from 76c786ef to 01331224

STACK_TEXT:
0031f6e0 76c786ef 001d0222 00000111 00008003 crashtest!WndProc+0x94 [c:\projects\crashtest\crashtest.cpp @ 154]
WARNING: Stack unwind information not available. Following frames may be wrong.
0031f70c 76c78876 01331190 001d0222 00000111 user32+0x186ef
0031f784 76c789b5 00000000 01331190 001d0222 user32+0x18876
0031f7e4 76c78e9c 01331190 00000000 76c7910f user32+0x189b5
0031f7f4 013310d3 0031f810 0031f8b8 00000001 user32+0x18e9c
0031f81c 005e8dcf 000000f3 00000119 01331456 crashtest!wWinMain+0xd3 [c:\projects\crashtest\crashtest.cpp @ 51]
0031f830 00000000 004b1654 00000001 b6d37f1e 0x5e8dcf


STACK_COMMAND: ~0s; .ecxr ; kb

FAULTING_SOURCE_CODE:
150: break;
151: case ID_FILE_CRASH:
152: {
153: char* pEmpty = NULL;
> 154: *pEmpty = 'x';
155: }
156: break;
157: case IDM_EXIT:
158: DestroyWindow(hWnd);
159: break;


SYMBOL_STACK_INDEX: 0

SYMBOL_NAME: crashtest!WndProc+94

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: crashtest

IMAGE_NAME: crashtest.exe

BUCKET_ID: WRONG_SYMBOLS

FAILURE_BUCKET_ID: WRONG_SYMBOLS_c0000005_crashtest.exe!base_address

Followup: MachineOwner
---------




If you just want to know the fault address (offset), you can check it from Control Panel -> Action Center.





A little bit bizarre though: I couldn't reach the problem reports in a few clicks, as there seems to be no link in Action Center to get there, so I had to search for it.




Double-click one entry in the problem history and you can see the Exception Code, Offset and other information.







Reference

KB931673: How to create a user-mode process dump file in Windows Vista and in Windows 7
