######## Steps to make the system produce a dump file ########################
System Properties -> Advanced -> Startup and Recovery "Settings" ->
System startup - default OS "Windows Server 2003, Standard" /noexecute=optout /fastdetect (checked)
(/noexecute=optout turns DEP on for every process except those explicitly opted out; it is part of this server's boot entry, not a dump setting.)
Time to display list of operating systems -> 30 seconds
Edit -> boot.ini
===========================================================================================================
[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows Server 2003, Standard" /noexecute=optout /fastdetect
=============================================================================================================
Check "Send an administrative alert"
Check "Automatically restart"
Write debugging information -> select "Kernel memory dump"
Dump file -> %SystemRoot%\MEMORY.DMP
Check "Overwrite any existing file"
(A changed dump type takes effect only after a reboot. The crash dump is written through the paging file on the boot volume, so that paging file must exist and be large enough to hold kernel memory.)
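The GUI steps above write values under HKLM\SYSTEM\CurrentControlSet\Control\CrashControl. The following PowerShell script is an added example, not part of the original post: it sets the same values, reads them back, and checks that a paging file exists on the boot volume. The CrashControl value names and the CrashDumpEnabled encoding (0 none, 1 complete, 2 kernel, 3 small/minidump) are documented; the paging-file check at the end is this example's own addition. Run it elevated and reboot afterwards.

```powershell
# Added example (not from the original post): the CrashControl settings the
# GUI writes, set and verified from PowerShell. Requires an elevated shell.
$cc = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'

# CrashDumpEnabled: 0 = none, 1 = complete memory dump, 2 = kernel memory dump,
# 3 = small memory dump (written to MinidumpDir, not DumpFile).
$desired = @{
    CrashDumpEnabled = 2      # kernel memory dump, as chosen on the page
    AutoReboot       = 1      # "Automatically restart"
    SendAlert        = 1      # "Send an administrative alert"
    LogEvent         = 1      # write the bugcheck to the System event log
    Overwrite        = 1      # "Overwrite any existing file"
}

foreach ($name in $desired.Keys) {
    Set-ItemProperty -Path $cc -Name $name -Value $desired[$name] -Type DWord
}
# DumpFile is REG_EXPAND_SZ so %SystemRoot% is expanded when the dump is saved.
Set-ItemProperty -Path $cc -Name DumpFile -Value '%SystemRoot%\MEMORY.DMP' -Type ExpandString

# Read everything back and report any value that did not stick.
$actual = Get-ItemProperty -Path $cc
$bad = @()
foreach ($name in $desired.Keys) {
    if ($actual.$name -ne $desired[$name]) { $bad += "$name=$($actual.$name)" }
}
if ($bad.Count -gt 0) {
    Write-Warning "CrashControl mismatch: $($bad -join ', ')"
} else {
    "CrashControl OK: dump type $($actual.CrashDumpEnabled) -> $($actual.DumpFile) (reboot to apply)"
}

# The kernel writes the dump through the paging file on the boot volume; warn
# if no paging file is configured there (assumption: PagingFiles lists a path
# starting with the system drive, e.g. C:\pagefile.sys 2048 4096).
$mm = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
$onBoot = @($mm.PagingFiles | Where-Object { $_ -like "$env:SystemDrive\*" })
if ($onBoot.Count -eq 0) {
    Write-Warning "No paging file on $env:SystemDrive; a crash cannot be written to $($actual.DumpFile)"
}
```

To reproduce the minidump case analysed later on this page, set CrashDumpEnabled to 3; those files land in %SystemRoot%\Minidump regardless of DumpFile.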
######### Opening the dump file ##################################
1. Note where the relevant files are:
C:\Program Files\Debugging Tools for Windows
C:\WINDOWS\Minidump\Mini080207.dmp
C:\WINDOWS\ServicePackFiles\i386
C:\WINDOWS\Symbols
2. Reading the dump file
1) Install the Windows symbol package
http://www.microsoft.com/whdc/devtools/debugging/default.mspx
-> WindowsServer2003-KB933548-v1-x86-symbols-NRL-ENU.exe
2) Install Debugging Tools for Windows
http://www.microsoft.com/whdc/devtools/debugging/installx86.mspx#E3
-> dbg_x86_6.7.05.1.exe
3) Run WinDbg against the minidump
C:\Program Files\Debugging Tools for Windows>windbg -y C:\WINDOWS\Symbols -z C:\WINDOWS\Minidump\Mini080107-03.dmp
------------------------------------------------------------------------------------------------------------------
Microsoft (R) Windows Debugger Version 6.7.0005.1
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [C:\WINDOWS\Minidump\Mini080207-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available
Symbol search path is: srv*C:\WINDOWS\Symbols
Executable search path is: C:\WINDOWS\ServicePackFiles\i386
Unable to load image \WINDOWS\system32\ntoskrnl.exe, Win32 error 0n2
*** WARNING: Unable to verify timestamp for ntoskrnl.exe
*** ERROR: Module load completed but symbols could not be loaded for ntoskrnl.exe
Windows Server 2003 Kernel Version 3790 (Service Pack 2) UP Free x86 compatible
Product: Server, suite: TerminalServer SingleUserTS
Kernel base = 0x80800000 PsLoadedModuleList = 0x808a8e48
Debug session time: Thu Aug 2 14:00:18.031 2007 (GMT+9)
System Uptime: 0 days 18:18:20.705
Unable to load image \WINDOWS\system32\ntoskrnl.exe, Win32 error 0n2
*** WARNING: Unable to verify timestamp for ntoskrnl.exe
*** ERROR: Module load completed but symbols could not be loaded for ntoskrnl.exe
Loading Kernel Symbols
..........................................................................................................
Loading User Symbols
Loading unloaded module list
.........
Unable to load image \SystemRoot\system32\DRIVERS\e1000325.sys, Win32 error 0n2
*** WARNING: Unable to verify timestamp for e1000325.sys
*** ERROR: Module load completed but symbols could not be loaded for e1000325.sys
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck 1000008E, {80000003, f70caf12, 8089d208, 0}
***** Kernel symbols are WRONG. Please fix symbols to do analysis.
*** ERROR: Symbol file could not be found. Defaulted to export symbols for NDIS.sys -
*************************************************************************
*** ***
*** ***
*** Your debugger is not using the correct symbols ***
*** ***
*** In order for this command to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: nt!_KPRCB ***
*** ***
*************************************************************************
(the same "Your debugger is not using the correct symbols" banner is printed five more times here, alternating the types nt!KPRCB and nt!_KPRCB)
Probably caused by : e1000325.sys ( e1000325+5f12 )
Followup: MachineOwner
---------
kd> !analyze -show -> describes a Stop error code (also called a bugcheck code) and its parameters. It expects the code as an argument (!analyze -show BugCheckCode [parameters]); run without one, as here, it reports code 0 as unknown. For this crash the call would be !analyze -show 1000008E 80000003 f70caf12 8089d208 0.
Unknown bugcheck code (0)
Unknown bugcheck description
Arguments:
Arg1: 00000000
Arg2: 00000000
Arg3: 00000000
Arg4: 00000000
kd> !analyze -v -> verbose crash analysis: bugcheck description, arguments, trap frame, stack and the module the debugger blames
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
KERNEL_MODE_EXCEPTION_NOT_HANDLED_M (1000008e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Some common problems are exception code 0x80000003. This means a hard
coded breakpoint or assertion was hit, but this system was booted
/NODEBUG. This is not supposed to happen as developers should never have
hardcoded breakpoints in retail code, but ...
If this happens, make sure a debugger gets connected, and the
system is booted /DEBUG. This will let us see why this breakpoint is
happening.
Arguments:
Arg1: 80000003, The exception code that was not handled
Arg2: f70caf12, The address that the exception occurred at
Arg3: 8089d208, Trap Frame
Arg4: 00000000
Debugging Details:
------------------
***** Kernel symbols are WRONG. Please fix symbols to do analysis.
(the six "Your debugger is not using the correct symbols" banners for nt!_KPRCB / nt!KPRCB are repeated here exactly as above)
FAULTING_MODULE: 80800000 nt
DEBUG_FLR_IMAGE_TIMESTAMP: 40520568
EXCEPTION_CODE: (HRESULT) 0x80000003 (2147483651) - .
FAULTING_IP:
e1000325+5f12
f70caf12 cc int 3
TRAP_FRAME: 8089d208 -- (.trap 0xffffffff8089d208)
ErrCode = 00000000
eax=00000001 ebx=00000000 ecx=8082d9a9 edx=00000044 esi=f70ca436 edi=8089d2d6
eip=f70caf13 esp=8089d27c ebp=8089d2e4 iopl=0 nv up ei ng nz na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000282
e1000325+0x5f13:
f70caf13 eb36 jmp e1000325+0x5f4b (f70caf4b)
Resetting default scope
CUSTOMER_CRASH_COUNT: 1
DEFAULT_BUCKET_ID: WRONG_SYMBOLS
BUGCHECK_STR: 0x8E
LAST_CONTROL_TRANSFER: from f70c93c1 to f70caf13
STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
8089d2e4 f70c93c1 89667008 895c2c98 8089d3b2 e1000325+0x5f13
8089d3b4 f70c6e70 89667008 8089d3e4 8089d4fc e1000325+0x43c1
8089d504 f70c5e0b 89667008 8089d573 89737130 e1000325+0x1e70
8089d598 f7224466 89667008 ffdffa40 896674c0 e1000325+0xe0b
8089d5b0 80828aa8 896674c0 896674ac 00000000 NDIS!NdisCompletePnPEvent+0xee9
8089d600 80820bfa 00000000 0000000e 00000000 nt+0x28aa8
808a0000 00000000 808a0008 808a0008 808a0010 nt+0x20bfa
STACK_COMMAND: .bugcheck ; kb
FOLLOWUP_IP:
e1000325+5f12
f70caf12 cc int 3
SYMBOL_NAME: e1000325+5f12
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: e1000325
IMAGE_NAME: e1000325.sys
BUCKET_ID: WRONG_SYMBOLS
Followup: MachineOwner
---------
kd> lmvm nt -> lm (list modules) v (verbose) m (filter by name pattern): detailed information on the loaded module "nt", i.e. the kernel. "(no symbols)" confirms the kernel symbols never loaded.
start end module name
80800000 80a6f000 nt T (no symbols)
Loaded symbol image file: ntoskrnl.exe
Image path: \WINDOWS\system32\ntoskrnl.exe
Image name: ntoskrnl.exe
Timestamp: Mon Mar 05 22:00:26 2007 (45EC146A)
CheckSum: 0025A006
ImageSize: 0026F000
Translations: 0000.04b0 0000.04e0 0409.04b0 0409.04e0
kd> lmvm e1000325 -> the same for the suspected driver; note the 2004 timestamp and the image path
start end module name
f70c5000 f712a400 e1000325 T (no symbols)
Loaded symbol image file: e1000325.sys
Image path: \SystemRoot\system32\DRIVERS\e1000325.sys
Image name: e1000325.sys
Timestamp: Sat Mar 13 03:46:00 2004 (40520568)
CheckSum: 0006E91C
ImageSize: 00065400
Translations: 0000.04b0 0000.04e0 0409.04b0 0409.04e0
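Two things in the session above are worth fixing before trusting "Probably caused by". First, the loader says "Mini Kernel Dump File", so this is a small memory dump with registers, stack and module list only; the "Unable to load image ... Win32 error 0n2" lines mean the debugger could not find the original ntoskrnl.exe and e1000325.sys on disk to disassemble. Second, the symbol path printed is srv*C:\WINDOWS\Symbols, which the debugger treats as a symbol-store tree with no upstream server, while the symbol package installs flat exe\, dll\ and sys\ folders under C:\WINDOWS\Symbols; the result is "Kernel symbols are WRONG" and BUCKET_ID: WRONG_SYMBOLS. The script below is an added example, not code from the original post: it reruns the same analysis unattended with kd.exe, a symbol-server path and an image path, then pulls the triage fields out of the log. Assumptions: kd.exe is in the Debugging Tools folder named on the page, C:\Symbols and C:\Temp are free choices, and the machine can reach msdl.microsoft.com.

```powershell
# Added example (not from the original post): unattended kd.exe triage of the
# page's minidump with symbols fetched from the Microsoft symbol server.
$kd   = 'C:\Program Files\Debugging Tools for Windows\kd.exe'
$dump = 'C:\WINDOWS\Minidump\Mini080207-01.dmp'
$log  = 'C:\Temp\Mini080207-01.txt'          # assumed output location

# srv*<cache>*<server>: the pdb whose GUID/age matches the dump is downloaded
# once and cached under C:\Symbols in store layout. A bare srv*<dir> (what the
# original session used) is a store with no upstream, so nothing resolves.
$sympath = 'srv*C:\Symbols*https://msdl.microsoft.com/download/symbols'

# A minidump carries no code pages; give the debugger the images on disk so it
# can disassemble the faulting instruction and verify timestamps.
$exepath = 'C:\WINDOWS\ServicePackFiles\i386;C:\WINDOWS\system32;C:\WINDOWS\system32\drivers'

# !sym noisy logs every symbol lookup, so a remaining failure shows up as a
# SYMSRV/DBGHELP line in the log instead of a silent WRONG_SYMBOLS bucket.
$commands = '!sym noisy; .reload; !analyze -v; lmvm e1000325; .trap 8089d208; kb; q'

& $kd -z $dump -y $sympath -i $exepath -logo $log -c $commands | Out-Null

# Reduce the log to the fields a ticket needs.
$text   = (Get-Content $log) -join "`n"
$fields = @{}
foreach ($key in 'BUGCHECK_STR', 'EXCEPTION_CODE', 'MODULE_NAME', 'IMAGE_NAME', 'SYMBOL_NAME', 'BUCKET_ID') {
    $m = [regex]::Match($text, "(?m)^${key}:\s+(.+?)\s*$")
    if ($m.Success) { $fields[$key] = $m.Groups[1].Value }
}
$m = [regex]::Match($text, '(?m)^Probably caused by\s*:\s*(.+?)\s*$')
if ($m.Success) { $fields['PROBABLY_CAUSED_BY'] = $m.Groups[1].Value }

if ($fields['BUCKET_ID'] -eq 'WRONG_SYMBOLS') {
    Write-Warning "nt symbols still did not resolve; check the SYMSRV and DBGHELP lines in $log"
}
$fields
```

With matching kernel symbols the stack frames shown as nt+0x28aa8 / nt+0x20bfa resolve to named functions and the "Following frames may be wrong" warning disappears; the driver frames stay as e1000325+offset unless Intel's private symbols are available. The faulting instruction itself (int 3 at e1000325+5f12, exception code 0x80000003) is already unambiguous: a breakpoint or assertion compiled into a release driver, which is why the bugcheck text recommends booting /DEBUG with a debugger attached.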