Sponsored By

Sign in to follow this  
shanenin

Analyze A Memory Dump

Recommended Posts

I would like to be able to be able to google the stop code when a system blue screens. It may point me in the correct direction to diagnosing a computer problem. I have output from using the dumpchk command on a mini dump file. I am pretty lost. what part of this output conains the stop code that is displayed during a blue screen. Any help would be appreciated

C:\Program Files\Support Tools>dumpchk.exe "c:\Documents and Settings\shane\Desk
top\Mini082404-01.dmp"
Loading dump file c:\Documents and Settings\shane\Desktop\Mini082404-01.dmp
----- 32 bit Kernel Mini Dump Analysis

DUMP_HEADER32:
MajorVersion 0000000f
MinorVersion 00000a28
DirectoryTableBase 00039000
PfnDataBase 81051000
PsLoadedModuleList 80543530
PsActiveProcessHead 80545578
MachineImageType 0000014c
NumberProcessors 00000001
BugCheckCode 00000023
BugCheckParameter1 000e0100
BugCheckParameter2 f898395c
BugCheckParameter3 f898365c
BugCheckParameter4 eb8fb45d
PaeEnabled 00000000
KdDebuggerDataBlock 805353e0
MiniDumpFields 00000dff

TRIAGE_DUMP32:
ServicePackBuild 00000100
SizeOfDump 00010000
ValidOffset 0000fffc
ContextOffset 00000320
ExceptionOffset 000007d0
MmOffset 00001068
UnloadedDriversOffset 000010a0
PrcbOffset 00001878
ProcessOffset 000024c8
ThreadOffset 00002720
CallStackOffset 00002978
SizeOfCallStack 00000bb0
DriverListOffset 000037b8
DriverCount 0000007f
StringPoolOffset 00005d70
StringPoolSize 00001180
BrokenDriverOffset 00000000
TriageOptions 00000041
TopOfStack f8983450
DebuggerDataOffset 00003528
DebuggerDataSize 00000290
DataBlocksOffset 00006ef0
DataBlocksCount 00000007


Windows XP Kernel Version 2600 (Service Pack 1) UP Free x86 compatible
Kernel base = 0x804d4000 PsLoadedModuleList = 0x80543530
Debug session time: Tue Aug 24 19:00:27 2004
System Uptime: 0 days 0:02:41
start end module name
804d4000 806aa280 nt Checksum: 001E311B Timestamp: Thu Apr 24 10:
57:43 2003 (3EA80977)

Unloaded modules:
baaa2000 baac9000 kmixer.sys Timestamp: unavailable (00000000)
f8c16000 f8c17000 drmkaud.sys Timestamp: unavailable (00000000)
baf30000 baf3d000 DMusic.sys Timestamp: unavailable (00000000)
baf20000 baf2e000 swmidi.sys Timestamp: unavailable (00000000)
baadc000 baaff000 aec.sys Timestamp: unavailable (00000000)
f8ab8000 f8aba000 splitter.sys Timestamp: unavailable (00000000)
f888c000 f8894000 processr.sys Timestamp: unavailable (00000000)
f85e4000 f85ee000 p3.sys Timestamp: unavailable (00000000)
f886c000 f8871000 Cdaudio.SYS Timestamp: unavailable (00000000)
f8359000 f835c000 Sfloppy.SYS Timestamp: unavailable (00000000)

Finished dump check

Share this post


Link to post
Share on other sites

thanks for the link. I skimmed it the first time(earier today), but now I actually read it(skimmed it better). These seem to de the most significant areas

BugCheckCode 00000023

BugCheckParameter1 000e0100

BugCheckParameter2 f898395c

BugCheckParameter3 f898365c

BugCheckParameter4 eb8fb45d

by the way, this dump file is from a laptop that I worked on several months ago

edit added later//

when I google those codes above I am not getting any results.

Edited by shanenin

Share this post


Link to post
Share on other sites

This is the section I look at in those.

start end module name

804d4000 806aa280 nt Checksum: 001E311B

The entry under "Start" is the first call it found. The entry under "End" is the second call it found. The module Name "nt" tells me what section of the software the error occured. in This case the NT means it was not software related.

Share this post


Link to post
Share on other sites
BugCheckCode 00000023

FAT file system error. Trying googling "STOP 0x00000023".

Share this post


Link to post
Share on other sites

Does the stop code always equal (0x + BugCheckCode) <------concatenate ?

From what I remember about this laptop, it was running XP with an ntfs file system.

edit added later// --->or an ntfs problem

Edited by shanenin

Share this post


Link to post
Share on other sites
Does the stop code always equal (0x + BugCheckCode) <------concatenate ?

Yeah, I guess. It looks like dumpchk doesn't bother with the hex prefix.

From what I remember about this laptop, it was running XP with an ntfs file system.

Maybe a FAT recovery partition or something? Broken partition table with a ghost FAT partition? I suppose it's possible for the driver to spontaneously combust.

Unfortunately the parameters for 0x23 bugcheck are useless unless you're debugging.

Share this post


Link to post
Share on other sites

Thanks for your help :-)

This could come in very handy. So long as I am able to google the stop code, which is 0x+bugcheckcode, I can at least make some more accurate guesses when working on peoples computers. If nothing else it looks to my customers like I know something :-)

by the way, my laptop dumped once about 4 months ago. I now have an idea why

http://support.microsoft.com/kb/293078

Share this post


Link to post
Share on other sites

thanks steve

ive just book marked that fix

it would pay fubz to read that link

as he is haveing start stop problems

i tried to google that fix as i used it some time ago

and i save it but ive reinstalled since then

thanks agian

marty

Share this post


Link to post
Share on other sites
Does the stop code always equal (0x + BugCheckCode) <------concatenate ?

From what I remember about this laptop, it was running XP with an ntfs file system.

edit added later// --->or an ntfs problem

The 0x just means that the following code is in Hexadecimal ; so yes in general that is all the difference their is; the 0x to indicate that the stop code is hexadecimal.

Share this post


Link to post
Share on other sites

when it comes to searching it is significant

I got tons of non helpful hits when using this "00000023"

I got lots of meaningful hits when I searched for this "0x00000023"

Share this post


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
Sign in to follow this