Using Utilities to Process Memory Dump Files

Included on the Windows NT Server and Windows NT Workstation version 3.51 CDs are three utilities for processing memory dump files: dumpflop, dumpchk, and dumpexam. All three utilities are on the product CDs in the Support\Debug\platform directories, where platform is I386, Alpha, MIPS, or PowerPC.

The primary purpose of these utilities is to create files on floppy disks or a text file that you can send to technical support personnel for analysis.

Dumpflop

Dumpflop is a command-line utility that you can use to write a memory dump file in segments to floppy disks, so it can be sent to a support engineer. This is rarely the most efficient way to send a memory dump file, but it is sometimes the only way. Dumpflop compresses the information it writes to the floppy disks, so a 32 MB memory dump file can fit onto 10 floppy disks, rather than 20 or more. Dumpflop does not require access to symbols.

To store the crash dump onto floppy disks, use dumpflop with the following command-line syntax:

dumpflop options CrashDumpFile Drive:

To assemble a crash dump from floppy disks, use dumpflop with the following command-line syntax:

dumpflop options Drive: CrashDumpFile

In either case, Options can include:

Option    Action
-?        Displays the command syntax.
-p        Only prints the crash dump header on an assemble operation.
-v        Shows compression statistics.
-q        Formats the floppy disk, when necessary, before writing the memory
          dump file to it. When reading the floppy disks to assemble the file,
          overwrites an existing memory dump file.


If executed with no parameters, dumpflop attempts to find a memory dump file in the \systemroot directory (the default location for creating a memory dump file) and writes it to floppy disks on the A drive.
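The two operations described above (write a dump out in segments, then put the segments back together), as an added illustration of the job dumpflop does. This is example code written for this page, not dumpflop or any Microsoft tool, and the segment header, the DMPSEG01 tag and the CRC-32 trailer are invented for the illustration; dumpflop's own disk format is not documented here. The point it adds is the check a practitioner wants before a support engineer spends time on a dump that travelled through a floppy drive: reassembly refuses a set of segments that is incomplete, duplicated, mixed with another dump's disks, or corrupted, instead of silently producing a wrong file.

```python
"""Split a memory dump into compressed, checksummed floppy-sized segments and
put it back together, refusing incomplete or corrupted sets.

Added example illustrating what dumpflop does; the segment layout used here
is made up for the illustration and is not dumpflop's on-disk format.
"""
import random
import struct
import zlib

FLOPPY_CAPACITY = 1_440_000             # 1.44 MB 3.5" floppy, as formatted
MAGIC = b"DMPSEG01"                     # hypothetical tag for our segment header
HEADER = struct.Struct("<8sIIII")       # magic, index, count, payload length, payload CRC-32
TRAILER = struct.Struct("<I")           # CRC-32 of the whole uncompressed dump


class SegmentError(ValueError):
    """Raised when a set of segments cannot be trusted to rebuild the dump."""


def split_dump(dump, capacity=FLOPPY_CAPACITY):
    """Compress the dump and cut it into segments, each small enough for one disk."""
    room = capacity - HEADER.size - TRAILER.size
    blob = zlib.compress(dump, 9)
    chunks = [blob[i:i + room] for i in range(0, len(blob), room)] or [b""]
    trailer = TRAILER.pack(zlib.crc32(dump))
    return [
        HEADER.pack(MAGIC, i, len(chunks), len(c), zlib.crc32(c)) + c + trailer
        for i, c in enumerate(chunks)
    ]


def assemble_dump(segments):
    """Rebuild the dump from segments supplied in any order. Every check that
    fails raises SegmentError rather than producing a silently wrong file."""
    payloads, count, file_crc = {}, None, None
    for seg in segments:
        if len(seg) < HEADER.size + TRAILER.size:
            raise SegmentError("segment too short to carry a header")
        magic, idx, cnt, plen, pcrc = HEADER.unpack_from(seg)
        if magic != MAGIC:
            raise SegmentError("not a dump segment")
        payload = seg[HEADER.size:HEADER.size + plen]
        if len(payload) != plen or zlib.crc32(payload) != pcrc:
            raise SegmentError(f"segment {idx} is truncated or corrupt")
        (crc,) = TRAILER.unpack_from(seg, HEADER.size + plen)
        if count is None:
            count, file_crc = cnt, crc
        elif (cnt, crc) != (count, file_crc):
            raise SegmentError(f"segment {idx} belongs to a different dump")
        if idx in payloads:
            raise SegmentError(f"segment {idx} supplied twice")
        payloads[idx] = payload
    if count is None:
        raise SegmentError("no segments supplied")
    missing = sorted(set(range(count)) - set(payloads))
    if missing:
        raise SegmentError(f"missing segments: {missing}")
    dump = zlib.decompress(b"".join(payloads[i] for i in range(count)))
    if zlib.crc32(dump) != file_crc:
        raise SegmentError("reassembled dump fails the whole-file CRC")
    return dump


def make_sample_dump(size=64 * 1024):
    """Constructed stand-in for a memory dump: a PAGEDUMP header, 8 KB of
    pseudo-random 'code', and the rest zero-filled like untouched RAM."""
    rng = random.Random(1)
    noise = bytes(rng.getrandbits(8) for _ in range(8 * 1024))
    return (b"PAGEDUMP" + noise).ljust(size, b"\0")


if __name__ == "__main__":
    dump = make_sample_dump()
    segs = split_dump(dump, capacity=4096)     # tiny "disks" so the split is visible
    print(f"{len(dump)} bytes -> {len(segs)} segments, "
          f"{sum(len(s) for s in segs)} bytes after compression")
    print("round trip intact:", assemble_dump(segs[::-1]) == dump)
```

The sample uses 4 KB "disks" so that the split is visible; with the default FLOPPY_CAPACITY the same code writes one segment per 1.44 MB floppy. A whole-file CRC alone would only tell you that something went wrong, not which disk, which is why each segment also carries its own CRC and index.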

Dumpchk

Dumpchk is a command-line utility that you can use to verify that a memory dump file has been created correctly. Dumpchk does not require access to symbols.

Dumpchk has the following command-line syntax:

dumpchk options CrashDumpFile

The Options can include:

Option    Action
-?        Displays the command syntax.
-p        Prints the header only (with no validation).
-v        Specifies verbose mode.
-q        Performs a quick test.


Dumpchk displays some basic information from the memory dump file and then verifies all the virtual and physical addresses in the file. If any errors are found in the memory dump file, it reports them. The following is an example of the output of a Dumpchk command:


Filename . . . . . . .memory.dmp
Signature. . . . . . .PAGE
ValidDump. . . . . . .DUMP
MajorVersion . . . . .free system
MinorVersion . . . . .807
DirectoryTableBase . .0x00030000
PfnDataBase. . . . . .0xffb7e000
PsLoadedModuleList . .0x80196d40
PsActiveProcessHead. .0x80196c38
MachineImageType . . .i386
NumberProcessors . . .1
BugCheckCode . . . . .0xc000021a
BugCheckParameter1 . .0xe17b7b68
BugCheckParameter2 . .0xc0000005
BugCheckParameter3 . .0x00000000
BugCheckParameter4 . .0x00000000

ExceptionCode. . . . .0x80000003
ExceptionFlags . . . .0x00000001
ExceptionAddress . . .0x8015f015

NumberOfRuns . . . . .0x3
NumberOfPages. . . . .0x3f9e
Run #1

 BasePage . . . . . .0x1
 PageCount. . . . . .0x9e
Run #2

 BasePage . . . . . .0x100
 PageCount. . . . . .0xec0
Run #3

 BasePage . . . . . .0x1000
 PageCount. . . . . .0x3040

**************
**************--> Validating the integrity of the PsLoadedModuleList
**************

**************
**************--> Performing a complete check (^C to end)
**************
**************
**************--> Validating all physical addresses
**************
**************
**************--> Validating all virtual addresses
**************

In this example, the most important information (from a debugging standpoint) is the following:


MajorVersion . . . . .free system
MinorVersion . . . . .807
MachineImageType . . .i386
NumberProcessors . . .1
BugCheckCode . . . . .0xc000021a
BugCheckParameter1 . .0xe17b7b68
BugCheckParameter2 . .0xc0000005
BugCheckParameter3 . .0x00000000
BugCheckParameter4 . .0x00000000

This information identifies the kernel STOP error and the version of Windows NT that was running. In this example, BugCheckCode 0xC000021A is STATUS_SYSTEM_PROCESS_TERMINATED: a user-mode system process that the kernel cannot run without, such as Winlogon or Csrss, terminated unexpectedly. BugCheckParameter2, 0xC0000005, is the NTSTATUS value STATUS_ACCESS_VIOLATION, the status that process terminated with. MajorVersion "free system" shows the dump came from a free (retail) build rather than a checked (debug) build, and MinorVersion 807 is the build number (the Windows NT 3.5 release), so the symbols used to analyze this dump must come from that build, including the same service pack.
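The checks dumpchk reports on can be repeated on its text output, which is useful when a dump and its report arrive from another machine and you want to confirm that the header is self-consistent before sending anything on. The following is an added example written for this page, not code from dumpchk or the Windows NT Resource Kit. It parses the output shown above (embedded here as a constructed sample), confirms that the run table accounts for every page the header claims and that the runs do not overlap, and, given the file size, that the file is large enough to hold them. Two things are assumptions rather than documented facts: that a full dump is one header page followed by NumberOfPages pages, and the i386 page size of 4 KB.

```python
"""Parse dumpchk's text output and repeat its structural checks.

Added example for this section; it is not part of dumpchk or the Windows NT
Resource Kit. It reads the text dumpchk prints, not the binary dump.
"""
import re

# Constructed sample: the dumpchk output shown above, trimmed to the header
# and the run table.
SAMPLE_DUMPCHK_OUTPUT = """\
Filename . . . . . . .memory.dmp
Signature. . . . . . .PAGE
ValidDump. . . . . . .DUMP
MajorVersion . . . . .free system
MinorVersion . . . . .807
DirectoryTableBase . .0x00030000
PfnDataBase. . . . . .0xffb7e000
PsLoadedModuleList . .0x80196d40
PsActiveProcessHead. .0x80196c38
MachineImageType . . .i386
NumberProcessors . . .1
BugCheckCode . . . . .0xc000021a
BugCheckParameter1 . .0xe17b7b68
BugCheckParameter2 . .0xc0000005
BugCheckParameter3 . .0x00000000
BugCheckParameter4 . .0x00000000

ExceptionCode. . . . .0x80000003
ExceptionFlags . . . .0x00000001
ExceptionAddress . . .0x8015f015

NumberOfRuns . . . . .0x3
NumberOfPages. . . . .0x3f9e
Run #1

 BasePage . . . . . .0x1
 PageCount. . . . . .0x9e
Run #2

 BasePage . . . . . .0x100
 PageCount. . . . . .0xec0
Run #3

 BasePage . . . . . .0x1000
 PageCount. . . . . .0x3040
"""

PAGE_SIZE_I386 = 4096   # assumption: i386 dump; other NT platforms used other page sizes

# "Name . . . .value": a field name, dot-and-space padding, then the value.
_FIELD_RE = re.compile(r"^\s*(\w+)[ .]+(\S.*?)\s*$")


def _coerce(value):
    """dumpchk prints hex with a 0x prefix, decimals bare, everything else as text."""
    if value.lower().startswith("0x"):
        return int(value, 16)
    if value.isdigit():
        return int(value)
    return value


def parse_dumpchk(text):
    """Return (fields, runs): header fields by name, and one dict per physical memory run."""
    fields, runs, current = {}, [], None
    for line in text.splitlines():
        m = _FIELD_RE.match(line)
        if not m:
            continue                       # blank lines and banner lines
        name, value = m.groups()
        if name == "Run":                  # "Run #n" opens a new run block
            current = {}
            runs.append(current)
        elif current is not None and name in ("BasePage", "PageCount"):
            current[name] = _coerce(value)
        else:
            fields[name] = _coerce(value)
    return fields, runs


def check_dump(fields, runs, file_size=None):
    """Repeat the header-level checks; return a list of problems (empty means consistent)."""
    problems = []
    if (fields.get("Signature"), fields.get("ValidDump")) != ("PAGE", "DUMP"):
        problems.append("header signature is not PAGE/DUMP")
    if fields.get("NumberOfRuns") != len(runs):
        problems.append(f"NumberOfRuns={fields.get('NumberOfRuns')} but {len(runs)} runs listed")
    pages = fields.get("NumberOfPages", 0)
    total = sum(r.get("PageCount", 0) for r in runs)
    if total != pages:
        problems.append(f"run page counts sum to {total:#x}, header says {pages:#x}")
    prev_end = 0                           # runs must be ascending and non-overlapping
    for i, r in enumerate(runs, 1):
        base, count = r.get("BasePage", 0), r.get("PageCount", 0)
        if base < prev_end:
            problems.append(f"run #{i} starts at {base:#x}, inside the previous run")
        prev_end = base + count
    if file_size is not None:
        # Assumption: one header page followed by NumberOfPages pages of data.
        expected = PAGE_SIZE_I386 * (1 + pages)
        if file_size < expected:
            problems.append(f"file is {file_size} bytes, {expected} needed for {pages:#x} pages")
    return problems


def stop_summary(fields):
    """The fields support staff look at first: build, architecture, STOP code, parameters."""
    return {
        "build": f"{fields['MajorVersion']} {fields['MinorVersion']}",
        "arch": fields["MachineImageType"],
        "processors": fields["NumberProcessors"],
        "stop_code": fields["BugCheckCode"],
        "parameters": [fields[f"BugCheckParameter{i}"] for i in range(1, 5)],
    }


if __name__ == "__main__":
    f, r = parse_dumpchk(SAMPLE_DUMPCHK_OUTPUT)
    print(stop_summary(f))
    print("problems:", check_dump(f, r) or "none")
```

In the sample the three runs sum to 0x9e + 0xec0 + 0x3040 = 0x3f9e pages, matching NumberOfPages, so the header passes; a copy of the same dump truncated during a network transfer fails the file-size check before any address validation is attempted.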

Dumpexam

Dumpexam is a command-line utility that examines a memory dump file, extracts information from it, and writes it to a text file. This text file can then be used by support personnel to determine the cause of the kernel STOP error. In many cases, the dumpexam analysis provides enough information for support personnel to determine the cause of the error without directly accessing the memory dump file.

Three files are required to run dumpexam, and they all must be in the same directory. You can find them on the Windows NT Server or Windows NT Workstation CD in the directory Support\Debug\platform, where platform is I386, Alpha, MIPS, or PowerPC. The first two files are:

The third file is one of the following, depending on the type of computer on which the memory dump file was generated:

You can run dumpexam directly from the product CD with no parameters, if

Dumpexam creates a text file called Memory.txt, located in the same directory as the Memory.dmp file, that contains information extracted from the memory dump file.

You can also use dumpexam to examine memory dump files created on computers running earlier versions of Windows NT. However, you can run it only with Windows NT version 3.51 or 4.0. Therefore, if your memory dump file was created in an earlier version of Windows NT, you must move the memory dump file or access it over the network. In addition, you must replace the Kdext*.dll files listed above with copies from the version of Windows NT that was running on the computer on which the dump occurred. These files contain debug information specific to that version of Windows NT. You must also specify the path to the symbols for the operating system version that was running on that computer.

Syntax for Dumpexam

The syntax for dumpexam is:

dumpexam options CrashDumpFile

where options can include:

Option       Action
-?           Displays the command syntax.
-p           Prints the header only.
-v           Specifies verbose mode.
-f filename  Specifies the output filename and path.
-y path      Sets the symbol search path.


You need to specify the memory dump file path only if you have moved the memory dump file.

You need to specify the symbol search path (using the -y option) only if you are using an alternative symbol path. The symbol path for dumpexam can contain several directories, separated by semicolons (;). The directories are searched in the order in which they are listed and the first matching symbol file is used, so list the directories holding the most recently installed hot fixes or service packs first, ahead of the base operating system symbols; otherwise the older symbols are matched against the newer binaries that were actually running and the stack analysis will not correspond to them.

Examples

In the first example, the memory dump file was created on a computer running Windows NT Workstation version 3.51, and no service packs were installed. The symbols are all in the directory C:\Symbols. The memory dump file is in the directory C:\Dump and is called Machine1.dmp. The command line reads as follows:


dumpexam -y c:\symbols c:\dump\machine1.dmp

The results of the exam will be in \Systemroot\Memory.txt.

In the next example, the memory dump file was created on a DEC Alpha computer running Windows NT Server version 3.5, with Service Pack 2 installed. The Service Pack 2 symbols are in D:\Sp2\Symbols. The Windows NT Server 3.5 symbols are on the product CD, which is in the E drive. The memory dump file Memory.dmp is in D:\Temp. The output file is to be put in the same directory as the memory dump file. The command line reads as follows:


dumpexam -y d:\sp2\symbols;e:\support\debug\alpha -f d:\temp\memory.txt d:\temp\memory.dmp