Included on the Windows NT Server and Windows NT Workstation version 3.51 CDs are three utilities for processing memory dump files: dumpflop, dumpchk, and dumpexam. All three utilities are on the product CDs in the Support\Debug\platform directories, where platform is I386, Alpha, MIPS, or PowerPC.
The primary purpose of these utilities is to create files on floppy disks or a text file that you can send to technical support personnel for analysis.
Dumpflop is a command-line utility that you can use to write a memory dump file in segments to floppy disks, so it can be sent to a support engineer. This is rarely the most efficient way to send a memory dump file, but it is sometimes the only way. Dumpflop compresses the information it writes to the floppy disks, so a 32 MB memory dump file can fit onto 10 floppy disks, rather than 20 or more. Dumpflop does not require access to symbols.
To store the crash dump onto floppy disks, use dumpflop with the following command-line syntax:
dumpflop options CrashDumpFile Drive:
To assemble a crash dump from floppy disks, use dumpflop with the following command-line syntax:
dumpflop options Drive: CrashDumpFile
In either case, Options can include:
Option | Action
-? | Displays the command syntax.
-p | Only prints the crash dump header on an assemble operation.
-v | Shows compression statistics.
-q | Formats the floppy disk, when necessary, before writing the memory dump file to the floppy disk. When reading the floppy disks to assemble the file, overwrites an existing memory dump file.
If executed with no parameters, dumpflop attempts to find a memory dump file in the \systemroot directory (the default location for creating a memory dump file) and writes it to floppy disks on the A drive.
Dumpchk is a command-line utility that you can use to verify that a memory dump file has been created correctly. Dumpchk does not require access to symbols.
Dumpchk has the following command-line syntax:
dumpchk options CrashDumpFile
The Options can include:
Option | Action
-? | Displays the command syntax.
-p | Prints the header only (with no validation).
-v | Specifies verbose mode.
-q | Performs a quick test.
Dumpchk displays some basic information from the memory dump file and then verifies all the virtual and physical addresses in the file. If any errors are found in the memory dump file, it reports them. The following is an example of the output of a Dumpchk command:
Filename . . . . . . .memory.dmp
Signature. . . . . . .PAGE
ValidDump. . . . . . .DUMP
MajorVersion . . . . .free system
MinorVersion . . . . .807
DirectoryTableBase . .0x00030000
PfnDataBase. . . . . .0xffb7e000
PsLoadedModuleList . .0x80196d40
PsActiveProcessHead. .0x80196c38
MachineImageType . . .i386
NumberProcessors . . .1
BugCheckCode . . . . .0xc000021a
BugCheckParameter1 . .0xe17b7b68
BugCheckParameter2 . .0xc0000005
BugCheckParameter3 . .0x00000000
BugCheckParameter4 . .0x00000000
ExceptionCode. . . . .0x80000003
ExceptionFlags . . . .0x00000001
ExceptionAddress . . .0x8015f015
NumberOfRuns . . . . .0x3
NumberOfPages. . . . .0x3f9e
Run #1
BasePage . . . . . .0x1
PageCount. . . . . .0x9e
Run #2
BasePage . . . . . .0x100
PageCount. . . . . .0xec0
Run #3
BasePage . . . . . .0x1000
PageCount. . . . . .0x3040
**************
**************--> Validating the integrity of the PsLoadedModuleList
**************
**************
**************--> Performing a complete check (^C to end)
**************
**************
**************--> Validating all physical addresses
**************
**************
**************--> Validating all virtual addresses
**************
In this example, the most important information (from a debugging standpoint) is the following:
MajorVersion . . . . .free system
MinorVersion . . . . .807
MachineImageType . . .i386
NumberProcessors . . .1
BugCheckCode . . . . .0xc000021a
BugCheckParameter1 . .0xe17b7b68
BugCheckParameter2 . .0xc0000005
BugCheckParameter3 . .0x00000000
BugCheckParameter4 . .0x00000000
This information can be used to determine what kernel STOP error occurred and what version of Windows NT was in use.
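The following Python is an added example, not part of the original documentation or of dumpchk itself. It pulls the fields listed above out of saved dumpchk output and cross-checks the run table against the header (in the sample, the three PageCount values sum to NumberOfPages). The one-field-per-line layout of the sample is an assumption, and the names `SAMPLE`, `FIELD`, `TRIAGE` and `triage` are hypothetical.

```python
import re

# Constructed sample: header fields from the example above, one per line.
SAMPLE = """\
MajorVersion . . . . .free system
MinorVersion . . . . .807
MachineImageType . . .i386
NumberProcessors . . .1
BugCheckCode . . . . .0xc000021a
BugCheckParameter1 . .0xe17b7b68
BugCheckParameter2 . .0xc0000005
BugCheckParameter3 . .0x00000000
BugCheckParameter4 . .0x00000000
NumberOfRuns . . . . .0x3
NumberOfPages. . . . .0x3f9e
Run #1
BasePage . . . . . .0x1
PageCount. . . . . .0x9e
Run #2
BasePage . . . . . .0x100
PageCount. . . . . .0xec0
Run #3
BasePage . . . . . .0x1000
PageCount. . . . . .0x3040
**************--> Validating all physical addresses
"""

# A field line is a name, a dot leader of two or more dots, then the value.
FIELD = re.compile(r"^\s*(\w+)(?:\s*\.){2,}\s*(\S.*?)\s*$")
TRIAGE = ("MajorVersion", "MinorVersion", "MachineImageType", "NumberProcessors",
          "BugCheckCode") + tuple("BugCheckParameter%d" % i for i in (1, 2, 3, 4))

def triage(text):
    """Hypothetical helper: extract triage fields, cross-check runs against the header."""
    header, runs = {}, []
    for line in text.splitlines():
        if line.strip().startswith("Run #"):
            runs.append({})          # fields that follow belong to this run
            continue
        m = FIELD.match(line)
        if m:                        # banner and blank lines are skipped
            in_run = runs and m.group(1) in ("BasePage", "PageCount")
            (runs[-1] if in_run else header)[m.group(1)] = m.group(2)
    missing = [f for f in TRIAGE + ("NumberOfRuns", "NumberOfPages") if f not in header]
    if missing:                      # truncated or non-dumpchk input
        raise ValueError("missing fields: " + ", ".join(missing))
    pages = sum(int(r.get("PageCount", "0"), 16) for r in runs)
    ok = len(runs) == int(header["NumberOfRuns"], 16) and pages == int(header["NumberOfPages"], 16)
    return {f: header[f] for f in TRIAGE}, ok
```

`triage(SAMPLE)` returns the nine triage fields and `True`; a `False` flag means the run table and header disagree, which is a reason to re-run dumpchk on the original file before sending the dump on.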
Dumpexam is a command-line utility that examines a memory dump file, extracts information from it, and writes it to a text file. This text file can then be used by support personnel to determine the cause of the kernel STOP error. In many cases, the dumpexam analysis provides enough information for support personnel to determine the cause of the error without directly accessing the memory dump file.
Three files are required to run dumpexam, and they all must be in the same directory. You can find them on the Windows NT Server or Windows NT Workstation CD in the directory Support\Debug\platform, where platform is I386, Alpha, MIPS, or PowerPC. The first two files are:
The third file is one of the following, depending on the type of computer on which the memory dump file was generated:
You can run dumpexam directly from the product CD with no parameters, if
Dumpexam creates a text file called Memory.txt, located in the same directory as the Memory.dmp file, that contains information extracted from the memory dump file.
You can also use dumpexam to examine memory dump files created on computers running earlier versions of Windows NT. However, you can run it only with Windows NT version 3.51 or 4.0. Therefore, if your memory dump file was created in an earlier version of Windows NT, you must move the memory dump file or access it over the network. In addition, you must replace the Kdext*.dll files listed above with copies from the version of Windows NT that was running on the computer on which the dump occurred. These files contain debug information specific to that version of Windows NT. You must also specify the path to the symbols for the operating system version that was running on that computer.
The syntax for dumpexam is:
dumpexam options CrashDumpFile
where options can include:
Option | Action
-? | Displays the command syntax.
-p | Prints the header only.
-v | Specifies verbose mode.
-f filename | Specifies the output filename and path.
-y path | Sets the symbol search path.
You need to specify the memory dump file path only if you have moved the memory dump file.
You need to specify the symbol search path (using the -y option) only if you are using an alternative symbol path. The symbol path for dumpexam can contain several directories, separated by semicolons (;). Because these directories are searched in the order in which they are listed, list the directories with the most recently installed hot fixes or service packs first.
In the first example, the memory dump file was created on a computer running Windows NT Workstation version 3.51, and no service packs were installed. The symbols are all in the directory C:\Symbols. The memory dump file is in the directory C:\Dump and is called Machine1.dmp. The command line reads as follows:
dumpexam -y c:\symbols c:\dump\machine1.dmp
The results of the exam will be in \Systemroot\Memory.txt.
In the next example, the memory dump file was created on a DEC Alpha computer running Windows NT Server version 3.5, with Service Pack 2 installed. The Service Pack 2 symbols are in D:\Sp2\Symbols. The Windows NT Server 3.5 symbols are on the product CD, which is in the E drive. The memory dump file Memory.dmp is in D:\Temp. The output file is to be put in the same directory as the memory dump file. The command line reads as follows:
dumpexam -y d:\sp2\symbols;e:\support\debug\alpha -f d:\temp\memory.txt d:\temp\memory.dmp