Once you have a dump file, you need to set up your computer to read it before you can use it. This requires installing the debug symbol files onto your computer. These symbol files must exactly match the build of Windows NT that you are trying to debug, which means that if you installed a service pack on Windows NT, you need to install the debug symbols from the service pack as well. The basic process to perform this task is presented here.
This will copy the debug symbols from the CD-ROM to the SystemRoot\Symbols directory. Installing the debug symbols from a service pack follows a similar methodology. To make sure you install the symbols correctly, read the included readme file.
The debug symbols and executables we use in this section are included on your installation CD-ROM in the SUPPORT\DEBUG subdirectory.
Once the symbols have been installed, you need to copy the dump file to the computer with the symbol files. If the computer that crashed still operates, you can copy the file over the network. If the computer is not working but the dump file is on a FAT partition, you can use the DUMPFLOP.EXE command. The syntax for this command is shown in Listing 14.2.
Listing 14.2 Syntax for the DUMPFLOP.EXE command.
DUMPFLOP [opts] - Store default dump thru Drive A:
DUMPFLOP [opts] <CrashDumpFile> [<Drive>:] - Store crash dump onto floppies
DUMPFLOP [opts] <Drive>: [<CrashDumpFile>] - Assemble crash dump from floppies
  [-?] display this message
  [-p] only prints crash dump header on assemble operation
  [-v] show compression statistics
  [-q] formats floppy when necessary during store operation
       overwrites existing crash dump file during assemble operation
After you copy the dump file to your computer, you need to determine if the dump file is a good dump. This can be accomplished with the DUMPCHK.EXE utility. The syntax for this command is shown in Listing 14.3.
Listing 14.3 Syntax for the DUMPCHK.EXE command.
DUMPCHK [options] CrashDumpFile
  [-?] Display this message
  [-v] Verbose mode
  [-p] Print header only, NO validation
  [-q] Perform a quick test
When you run DUMPCHK.EXE against your dump file, any error will be reported. If your dump file is good, the output should look similar to the output shown in Listing 14.4.
Listing 14.4 DUMPCHK.EXE output.
Filename . . . . . . .memory.dmp
Signature. . . . . . .PAGE
ValidDump. . . . . . .DUMP
MajorVersion . . . . .free system
MinorVersion . . . . .1381
DirectoryTableBase . .0x00030000
PfnDataBase. . . . . .0xffbc7000
PsLoadedModuleList . .0x8014ce10
PsActiveProcessHead. .0x8014cd08
MachineImageType . . .i386
NumberProcessors . . .1
BugCheckCode . . . . .0x0000007a
BugCheckParameter1 . .0xc03fd318
BugCheckParameter2 . .0xc000016b
BugCheckParameter3 . .0xff4c646c
BugCheckParameter4 . .0x00772880
ExceptionCode. . . . .0x80000003
ExceptionFlags . . . .0x00000001
ExceptionAddress . . .0x80124967
NumberOfRuns . . . . .0x2
NumberOfPages. . . . .0xf5e
Run #1
  BasePage . . . . . .0x1
  PageCount. . . . . .0x9e
Run #2
  BasePage . . . . . .0x100
  PageCount. . . . . .0xec0
**************
**************--> Validating the integrity of the PsLoadedModuleList
**************
**************
**************--> Performing a complete check (^C to end)
**************
**************
**************--> Validating all physical addresses
**************
**************
**************--> Validating all virtual addresses
**************
**************
**************--> This dump file is good!
**************
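The following Python code is an added example, not part of the original text or of the Windows NT tools. It parses saved DUMPCHK.EXE output in the format of Listing 14.4 and flags a dump that should not be trusted with the installed symbols. The names parse_dumpchk and triage are hypothetical, MinorVersion (1381 in the listing) is taken as the build number, and the check that the per-run page counts add up to NumberOfPages is an extra consistency test added here.

```python
import re

# Constructed sample, abridged from the DUMPCHK.EXE output in Listing 14.4.
SAMPLE = """\
Signature. . . . . . .PAGE
ValidDump. . . . . . .DUMP
MajorVersion . . . . .free system
MinorVersion . . . . .1381
BugCheckCode . . . . .0x0000007a
NumberOfRuns . . . . .0x2
NumberOfPages. . . . .0xf5e
Run #1
  BasePage . . . . . .0x1
  PageCount. . . . . .0x9e
Run #2
  BasePage . . . . . .0x100
  PageCount. . . . . .0xec0
**************--> This dump file is good!
"""

FIELD = re.compile(r"^\s*(\w+)[ .]+([^ .].*)$")  # name, dot leaders, value

def parse_dumpchk(text):
    """Return (header fields, per-run fields, whether the 'good' verdict appeared)."""
    header, runs, good = {}, [], False
    for line in text.splitlines():
        if "This dump file is good!" in line:
            good = True
        elif re.match(r"\s*Run #\d+", line):
            runs.append({})  # the BasePage/PageCount lines that follow belong here
        elif m := FIELD.match(line):
            (runs[-1] if runs else header)[m.group(1)] = m.group(2).strip()
    return header, runs, good

def triage(text, symbol_build):
    """Return (bug check code, reasons not to trust the dump with these symbols)."""
    header, runs, good = parse_dumpchk(text)
    hx = lambda key: int(header.get(key, "0"), 16)
    problems = []
    if not good:
        problems.append("DUMPCHK did not report a good dump")
    if (header.get("Signature"), header.get("ValidDump")) != ("PAGE", "DUMP"):
        problems.append("unexpected Signature/ValidDump")
    if header.get("MinorVersion") != str(symbol_build):  # build number field
        problems.append("symbols are for a different build")
    pages = sum(int(r.get("PageCount", "0"), 16) for r in runs)
    if (len(runs), pages) != (hx("NumberOfRuns"), hx("NumberOfPages")):
        problems.append("run list does not match NumberOfRuns/NumberOfPages")
    return hx("BugCheckCode"), problems
```

The build number alone does not show the service pack level, so this check catches only a symbol set for the wrong build.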