Sometimes there is a need to fully understand the happening of a Blue Screen of Death (BSOD) - (is it a faulty hardware module on the system, a system driver etc.) on Windows systems. To do so first, make sure when your system crashes to have a full memory dump created when the BSOD is happening. The link below is a good article how to check this https://support.microsoft.com/en-us/kb/254649 -- Overview of memory dump file options for Windows you can find the different options to set this up under the required OS. In my experience, so far, I have seen in test and production environments server systems that are using the HP Proliant software and some other monitoring software. Especially such software if not configured properly might stop the creation of a memory dump file or corrupt it so please be warned to take caution.
In order to analyze memory dump you could use a 3rd party solution or using the Microsoft obe WinDBG. To speed up somethings here are some links about this.
Debugging Tools for Windows (WinDbg, KD, CDB, NTSD):
Download the WDK, WinDbg, and associated tools:
In case you got issues with “missing symbols” when trying to analyze a Memory dump from Win Svr 2016, just like this one:
“ERROR: Symbol file could not be found” and “Kernel Symbols are WRONG. Please fix symbols to do analysis”
Cause why this might happen:
It is most likely because your 2012 R2 Kernel doesn’t let you analyze a 2016 – dump. Simple said the Kernel of 2016 server along with the Windows 10 is different compared to the previous Operating Systems created by Microsoft.
There are the Kernel Symbols saved in order to do so you need a Win 10 or Win Svr 2016.
- Build a Virtual machine in your labs with Windows 10. Please note that the networking / switch is important here.
Best practice for the VM would be having an “Internal” virtual switch, so it has network connection with the host machine only. You could use any other network adapter as well such as “external” but if you have VMs with DHCP server role configured and no Network hardware switch that drops the DHCP packets and you are working in a company with other users/computers this might become a big problem as of the DHCP server from a VM giving addresses to the other machines… Please be aware of such testing.
- Download and install the WDK 10 on your Windows 10 – Guest:
- Provide it access to the symbols through these steps:
Find, select and download the symbols from this link (from the host machine)
What to do next:
- When download is completed, run the *.msi file(s). Please note that Admin / Elevated privileges might be needed based on the Restriction applied on the system where you do this.
- By default it will install symbols at the path C:\symbols
- Wait for the installation to complete. (repeat this for all items)
- Start the Win Debugger v.10, (windbg, from debugging tools v. 10, C:\ProgramFiles(x86)\WindowsKits\10)
Enter following commands:
- Then you have loaded the locally installed symbols from your selection (in our case – for Win 2016).
+ additional info – downloading symbols https://developer.microsoft.com/en-us/windows/hardware/download-symbols
+ additional info – installing Windows symbols https://msdn.microsoft.com/en-us/library/windows/hardware/ff551035(v=vs.85).aspx
+ additional info – setting symbol store path https://msdn.microsoft.com/en-us/library/windows/hardware/ff565400(v=vs.85).aspx
- Access the memory dump, saved on your host, through a SMB-connection, from your guest machine:
It will be successful:
Enjoy another great blog post provided by: Project Founder Visionary of IT-PlayGround.Net