windows_crash_dump_analysis

Uploader: luoxia****01805   Document ID: 63239729   Uploaded: 2018-12-24   Format: PPT   Pages: 63   Size: 2.36 MB

SVR422 Windows Hang and Crash Dump Analysis
Mark Russinovich, Chief Software Architect, Winternals Software
Copyright 2006 Mark Russinovich

About The Speaker
- Co-author of Windows Internals and Inside Windows 2000 (Microsoft Press)
- Senior Contributing Editor, Windows IT Pro Magazine
- Author of tools on
- Co-founder and chief software architect of Winternals Software ()
- Microsoft Most Valuable Professional (MVP) 2005, 2006
- Teach public and private live classes on Windows Internals and Advanced Troubleshooting with David Solomon ()

Outline
- Crash dumps and tools
- Analysis basics
- IRQLs
- Stacks
- Analyzing an “easy” crash
- Un-analyzable crashes
- Crash transformation
- Buffer overrun
- Code overwrite
- Microsoft Windows Memory Diagnostic
- Manual analysis
- Stack trashes
- Hung systems
- When there is no crash dump

Introduction
- Many systems administrators ignore Windows crash dump options
  - “I didn't know I could analyze crashes”
  - “Crash analysis too hard”
  - “A crash dump won't tell me anything anyway”
- Basic crash dump analysis is actually pretty straightforward
  - Even if only 1 out of 5 or 10 dumps tells you what's wrong, isn't it worth spending a few minutes?
- More advanced crash dump analysis is much harder
  - Not well documented
  - Requires advanced internals, compiler and CPU knowledge
  - Requires lots of experience
  - Often difficult to pinpoint the cause
  - More often than not, the victim is not the culprit
  - For example, a driver corrupts an operating system structure; Windows crashes later

Why Does Windows Crash?
- A crash is triggered when something is wrong in kernel mode:
  - Unhandled exception (for example, executing an invalid instruction)
  - OS or driver detects a severe inconsistency
  - Referencing paged-out memory at interrupt level (the famous “IRQL_NOT_LESS_OR_EQUAL” crash)
  - A reschedule is attempted at dispatch level IRQL or higher
  - Hardware error

Why Does Windows Crash? (continued)
- Microsoft's analysis of crash root causes indicates:
  - 70% caused by third-party driver code
  - 15% caused by unknown (memory is too corrupted to tell)
  - 10% caused by hardware issues
  - 5% caused by Microsoft code
- There are lots of third-party drivers! From the online crash analysis database:
  - 55,000 unique drivers; 24 new/day (28,000 in 2004)
  - 220,000 total drivers; 98 revised/day (130,000 in 2004)
- Many devices
  - Over 1,263,300 distinct Plug and Play (PnP) IDs (680,000 in 2004)
  - 1,600 PnP IDs added every day

What Happens at the Crash
- When a condition is detected that requires a crash, KeBugCheckEx is called
- Takes five arguments:
  - Stop code (also called bugcheck code)
  - Four stop-code-defined parameters
- KeBugCheckEx:
  - Turns off interrupts
  - Tells other CPUs to stop
  - Paints the blue screen
  - Notifies registered drivers of the crash
  - If a dump is configured (and it is safe to do so), writes the dump to disk

Bugcheck Codes
- Bugcheck codes are shared by many components and drivers
- There are about 150 defined stop codes
- Two common ones are:
  - (DRIVER_) IRQL_NOT_LESS_OR_EQUAL (0x0A): usually an invalid memory access
  - INVALID_KERNEL_MODE_TRAP (0x7F) and KMODE_EXCEPTION_NOT_HANDLED (0x1E): generated by executing garbage instructions; usually caused when a stack is trashed
- Most are documented in the Debugging Tools help file
- Also search the Microsoft Knowledge Base ()
- Often, the bugcheck code and parameters are not enough to solve the crash; you need to examine the crash dump

Crash Dump Options
- Small Memory Dump (aka minidump or triage dump)
  - Default for Microsoft Windows 2000 / Windows XP Professional/Home
  - Only 64 KB (128 KB on 64-bit systems, up to 512 KB on Vista)
  - Contains minimal crash information
  - Creates a unique file name in \Windows\Minidump after reboot
- Kernel
  - Writes OS memory and not processes
  - Most crash debugging doesn't involve looking at process memory anyway
  - Useful for large-memory systems
  - Overwrites every time
  - Default on Windows Vista
- Full
  - Writes all of RAM
  - Overwrites every time

Minidumps
- On Windows XP, Windows Server 2003, and Windows Vista, a minidump is always created, even if the system is set to a full or kernel dump
- Can extract a minidump from a kernel or full dump using the debugger “.dump /m” command
- To analyze, requires access to the images on the system that crashed
  - At least must have access to Ntoskrnl.exe
  - Microsoft Symbol Server now has images for Windows XP and later
  - Set the image path to the same as the symbol path (covered later)

Writing a Crash Dump
- Crash dumps are written to the paging file
  - Too risky to try and create a new file (no guarantee you will get a dump anyway)
- How is even this protected?
  - When the system boots it checks HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\CrashControl
  - The boot volume paging file's on-disk mapping is obtained
  - Relevant components are checksummed:
    - Boot disk miniport driver
    - Crash I/O functions
    - Page file map
  - On crash, if the checksum doesn't match, the dump is not written

Why Would You Not Get a Dump?
- Crash occurred before the paging file was open
  - For example, a crash during driver initialization
- The crash corrupted components involved in the dump proce
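As an added example (not part of the slides), a small Python parser for the header page of a kernel crash dump: it reads the stop code and the four KeBugCheckEx parameters discussed above, decodes them for the 0x0A/0xD1 IRQL crashes, and runs against a constructed header. The DUMP_HEADER/DUMP_HEADER64 layouts, the 0xD1 code and DISPATCH_LEVEL (2) are known values; the sample addresses and build number are made up.

```python
import struct

# Stop codes named on the slides, plus DRIVER_IRQL_NOT_LESS_OR_EQUAL (0xD1), a known code.
# (The slide calls 0x7F INVALID_KERNEL_MODE_TRAP; its documented name is UNEXPECTED_KERNEL_MODE_TRAP.)
STOP_CODES = {0x0A: "IRQL_NOT_LESS_OR_EQUAL", 0x1E: "KMODE_EXCEPTION_NOT_HANDLED",
              0x7F: "UNEXPECTED_KERNEL_MODE_TRAP", 0xD1: "DRIVER_IRQL_NOT_LESS_OR_EQUAL"}

def parse_dump_header(blob):
    """Read the first page of a kernel dump (DUMP_HEADER on x86, DUMP_HEADER64 on x64)."""
    if blob[:4] != b"PAGE":
        raise ValueError("missing PAGE signature: not a Windows kernel crash dump")
    valid = blob[4:8]
    if valid == b"DUMP":    # x86: every field after the two tags is a 4-byte ULONG
        (major, minor, _dtb, _pfn, _lml, _aph, machine, ncpu, code,
         *params) = struct.unpack_from("<13I", blob, 8)
    elif valid == b"DU64":  # x64: four 8-byte pointers at 16..47, code at 56, params at 64
        major, minor = struct.unpack_from("<2I", blob, 8)
        machine, ncpu, code = struct.unpack_from("<3I", blob, 48)
        params = struct.unpack_from("<4Q", blob, 64)
    else:
        raise ValueError("unknown ValidDump tag %r" % valid)
    return {"bits": 32 if valid == b"DUMP" else 64, "build": minor,
            "free_build": major == 0xF, "machine": machine, "cpus": ncpu, "code": code,
            "name": STOP_CODES.get(code, "UNKNOWN_%#x" % code), "params": tuple(params)}

def decode_irql_crash(hdr):
    """For 0x0A / 0xD1 the four KeBugCheckEx parameters have a fixed meaning; None otherwise."""
    if hdr["code"] not in (0x0A, 0xD1):
        return None
    addr, irql, op, pc = hdr["params"]
    return {"referenced": addr, "irql": irql, "faulting_pc": pc,
            "access": {0: "read", 1: "write"}.get(op, "other(%d)" % op)}

def build_sample_header64():
    """Constructed DUMP_HEADER64 page (not from a real crash): a 0xD1 at DISPATCH_LEVEL (IRQL 2)."""
    page = bytearray(b"PAGE" * 1024)  # the kernel fills unused header bytes with 'PAGE'
    page[4:8] = b"DU64"
    struct.pack_into("<2I", page, 8, 0xF, 6000)            # MajorVersion 0xF = free build, build 6000
    struct.pack_into("<4Q", page, 16, 0x187000, 0, 0, 0)   # DTB, PfnDataBase, PsLoadedModuleList, PsActiveProcessHead
    struct.pack_into("<3I", page, 48, 0x8664, 4, 0xD1)     # IMAGE_FILE_MACHINE_AMD64, 4 CPUs, stop code
    struct.pack_into("<4Q", page, 64, 0xFFFFF8A001230010, 2, 0, 0xFFFFF88001234567)  # P1..P4 (made up)
    return bytes(page)

if __name__ == "__main__":
    hdr = parse_dump_header(build_sample_header64())
    print("%s (%#x) on %d-bit, %d CPUs" % (hdr["name"], hdr["code"], hdr["bits"], hdr["cpus"]))
    print(decode_irql_crash(hdr))
```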
