If a Windows machine crashes or blue-screens, the Windows Debugging Tools can help work out the cause. The steps are:

1) Download the Debugging Tools: http://www.microsoft.com/whdc/devtools/debugging/install64bit.mspx

2) Install them, choosing a custom install into the c:\debuggers folder

3) Register windbg as the default program for opening dump files: c:\debuggers>windbg.exe -IA

4) Run windbg, click File, then Symbol File Path, and add the symbol path: SRV*C:\SymbolCache*http://msdl.microsoft.com/download/symbols

5) Close windbg, then double-click the dump file you want to examine in the c:\minidump folder

6) Run !analyze -v to see the detailed debugging information

 

Below is an example. From the analysis one can roughly infer that the problem was caused by a driver file named vfilter.sys using an invalid address during execution.

Microsoft (R) Windows Debugger Version 6.11.0001.404 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.

Loading Dump File [C:\Windows\Minidump\030610-24913-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: SRV*C:\SymbolCache*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows 7 Kernel Version 7600 MP (2 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 7600.16385.amd64fre.win7_rtm.090713-1255
Machine Name:
Kernel base = 0xfffff800`02a66000 PsLoadedModuleList = 0xfffff800`02ca3e50
Debug session time: Sat Mar  6 15:09:49.256 2010 (GMT+8)
System Uptime: 0 days 0:53:37.098
Loading Kernel Symbols
...............................................................
................................................................
.......................................
Loading User Symbols
Loading unloaded module list
.........
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck A, {0, 2, 0, fffff80002adc0b6}

Unable to load image \SystemRoot\system32\DRIVERS\vfilter.sys, Win32 error 0n2
*** WARNING: Unable to verify timestamp for vfilter.sys
*** ERROR: Module load completed but symbols could not be loaded for vfilter.sys
Probably caused by : vfilter.sys ( vfilter+29a6 )

Followup: MachineOwner
---------

1: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high.  This is usually
caused by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.
Arguments:
Arg1: 0000000000000000, memory referenced
Arg2: 0000000000000002, IRQL
Arg3: 0000000000000000, bitfield :
    bit 0 : value 0 = read operation, 1 = write operation
    bit 3 : value 0 = not an execute operation, 1 = execute operation (only on chips which support this level of status)
Arg4: fffff80002adc0b6, address which referenced memory

Debugging Details:
------------------

READ_ADDRESS: GetPointerFromAddress: unable to read from fffff80002d0e0e0
0000000000000000

CURRENT_IRQL:  2

FAULTING_IP:
nt!KeSetEvent+226
fffff800`02adc0b6 488b09          mov     rcx,qword ptr [rcx]

CUSTOMER_CRASH_COUNT:  1

DEFAULT_BUCKET_ID:  VISTA_DRIVER_FAULT

BUGCHECK_STR:  0xA

PROCESS_NAME:  svchost.exe

TRAP_FRAME:  fffff88003938f70 -- (.trap 0xfffff88003938f70)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=fffffa8006155198 rbx=0000000000000000 rcx=0000000000000000
rdx=0000000000000001 rsi=0000000000000000 rdi=0000000000000000
rip=fffff80002adc0b6 rsp=fffff88003939100 rbp=0000000000000002
r8=0000000000000000  r9=0000000000000000 r10=0000000000000000
r11=0000000000000002 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei pl nz ac pe cy
nt!KeSetEvent+0x226:
fffff800`02adc0b6 488b09          mov     rcx,qword ptr [rcx] ds:0002:00000000`00000000=????????????????
Resetting default scope

LAST_CONTROL_TRANSFER:  from fffff80002ad7469 to fffff80002ad7f00

STACK_TEXT: 
fffff880`03938e28 fffff800`02ad7469 : 00000000`0000000a 00000000`00000000 00000000`00000002 00000000`00000000 : nt!KeBugCheckEx
fffff880`03938e30 fffff800`02ad60e0 : 00000000`00000000 fffffa80`06155190 00000000`000007a9 00000000`00000000 : nt!KiBugCheckDispatch+0x69
fffff880`03938f70 fffff800`02adc0b6 : fffff880`03939170 fffff880`03beeb0e 00000000`0000004f fffff880`039391f0 : nt!KiPageFault+0x260
fffff880`03939100 fffff880`03bee9a6 : fffffa80`00000000 00000000`00000000 00000000`00000000 fffffa80`06155180 : nt!KeSetEvent+0x226
fffff880`03939170 fffffa80`00000000 : 00000000`00000000 00000000`00000000 fffffa80`06155180 00000000`00000000 : vfilter+0x29a6
fffff880`03939178 00000000`00000000 : 00000000`00000000 fffffa80`06155180 00000000`00000000 fffff880`03bee42b : 0xfffffa80`00000000

STACK_COMMAND:  kb

FOLLOWUP_IP:
vfilter+29a6
fffff880`03bee9a6 ??              ???

SYMBOL_STACK_INDEX:  4

SYMBOL_NAME:  vfilter+29a6

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: vfilter

IMAGE_NAME:  vfilter.sys

DEBUG_FLR_IMAGE_TIMESTAMP:  4b048bff

FAILURE_BUCKET_ID:  X64_0xA_vfilter+29a6

BUCKET_ID:  X64_0xA_vfilter+29a6

Followup: MachineOwner
---------
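The steps above are a manual, one-dump-at-a-time procedure, and the inference in the example (the fault is inside nt!KeSetEvent, but the blame lands on vfilter.sys) is something a practitioner ends up repeating for every dump collected from a fleet. The following Python script is an added example, not code from the original post: it builds the kd.exe command line that runs the same !analyze -v unattended (kd.exe is the console debugger installed alongside windbg.exe; its -z, -y, -logo and -c switches are standard Debugging Tools options), then parses the resulting transcript to pull out the bugcheck, the faulting process, the module the debugger blamed, and the first non-kernel frame on the stack, and checks that the two agree. The install directory c:\debuggers and the symbol path are taken from the steps above; SAMPLE_LOG is an excerpt of the transcript shown above, trimmed to the lines the parser uses, so the script runs offline.

```python
"""Unattended crash-dump triage with the Debugging Tools for Windows.
Added example (not from the original post): assumes the tools were installed
to c:\\debuggers as in step 2; kd.exe's -z/-y/-logo/-c switches are standard."""
import re
import subprocess
from dataclasses import dataclass, field
from typing import Dict, List, Optional

DEBUGGER_DIR = r"c:\debuggers"
SYMBOL_PATH = r"SRV*C:\SymbolCache*http://msdl.microsoft.com/download/symbols"


def build_kd_command(dump_path: str, log_path: str) -> List[str]:
    """kd.exe (console debugger next to windbg.exe) runs the same !analyze -v
    as step 6, writes the transcript to log_path and quits."""
    return [rf"{DEBUGGER_DIR}\kd.exe",
            "-z", dump_path,          # open a crash dump, not a live target
            "-y", SYMBOL_PATH,        # symbol path from step 4
            "-logo", log_path,        # (over)write the session log
            "-c", "!analyze -v; q"]   # startup command, then quit


def run_analysis(dump_path: str, log_path: str) -> str:
    subprocess.run(build_kd_command(dump_path, log_path), check=True)
    with open(log_path, encoding="utf-8", errors="replace") as fh:
        return fh.read()


BUGCHECK_RE = re.compile(r"^([A-Z][A-Z0-9_]+) \(([0-9a-fA-F]+)\)\s*$")
FIELD_RE = re.compile(r"^(PROCESS_NAME|MODULE_NAME|IMAGE_NAME|FAILURE_BUCKET_ID):\s*(\S+)")
# x64 STACK_TEXT row: child-SP return-addr : arg1 arg2 arg3 arg4 : symbol
FRAME_RE = re.compile(r"^[0-9a-f`]+ [0-9a-f`]+ : (?:[0-9a-f`]+ )+: (\S+)")


@dataclass
class CrashSummary:
    bugcheck_name: str = ""
    bugcheck_code: str = ""
    fields: Dict[str, str] = field(default_factory=dict)
    frames: List[str] = field(default_factory=list)   # innermost first

    def suspect_module(self) -> Optional[str]:
        """Fault is inside nt, but the bad pointer came from the caller:
        blame the first non-kernel, symbolised frame."""
        for sym in self.frames:
            if not (sym.startswith("nt!") or sym.startswith("0x")):
                return sym.split("+", 1)[0]
        return None


def parse_analysis(log_text: str) -> CrashSummary:
    s, in_stack = CrashSummary(), False
    for line in log_text.splitlines():
        if line.startswith("STACK_TEXT:"):
            in_stack = True
            continue
        if in_stack:
            m = FRAME_RE.match(line)
            if m:
                s.frames.append(m.group(1))
                continue
            in_stack = False              # blank line ends the frame list
        m = BUGCHECK_RE.match(line)
        if m and not s.bugcheck_name:
            s.bugcheck_name, s.bugcheck_code = m.groups()
            continue
        m = FIELD_RE.match(line)
        if m:
            s.fields[m.group(1)] = m.group(2)
    return s


def triage(log_text: str) -> Dict[str, object]:
    s = parse_analysis(log_text)
    blamed = s.fields.get("MODULE_NAME")
    return {"bugcheck": f"{s.bugcheck_name} (0x{s.bugcheck_code.upper()})",
            "process": s.fields.get("PROCESS_NAME"),
            "image": s.fields.get("IMAGE_NAME"),
            "blamed_module": blamed,
            "suspect_from_stack": s.suspect_module(),
            "consistent": blamed is not None and blamed == s.suspect_module()}


# Excerpt of the !analyze -v transcript shown above (trimmed to the lines used).
SAMPLE_LOG = """\
IRQL_NOT_LESS_OR_EQUAL (a)

PROCESS_NAME:  svchost.exe

STACK_TEXT:
fffff880`03938e28 fffff800`02ad7469 : 00000000`0000000a 00000000`00000000 00000000`00000002 00000000`00000000 : nt!KeBugCheckEx
fffff880`03938e30 fffff800`02ad60e0 : 00000000`00000000 fffffa80`06155190 00000000`000007a9 00000000`00000000 : nt!KiBugCheckDispatch+0x69
fffff880`03938f70 fffff800`02adc0b6 : fffff880`03939170 fffff880`03beeb0e 00000000`0000004f fffff880`039391f0 : nt!KiPageFault+0x260
fffff880`03939100 fffff880`03bee9a6 : fffffa80`00000000 00000000`00000000 00000000`00000000 fffffa80`06155180 : nt!KeSetEvent+0x226
fffff880`03939170 fffffa80`00000000 : 00000000`00000000 00000000`00000000 fffffa80`06155180 00000000`00000000 : vfilter+0x29a6
fffff880`03939178 00000000`00000000 : 00000000`00000000 fffffa80`06155180 00000000`00000000 fffff880`03bee42b : 0xfffffa80`00000000

MODULE_NAME: vfilter

IMAGE_NAME:  vfilter.sys

FAILURE_BUCKET_ID:  X64_0xA_vfilter+29a6
"""

if __name__ == "__main__":
    # Offline run on the excerpt; for a real dump use run_analysis(r"C:\minidump\x.dmp", "x.log")
    print(triage(SAMPLE_LOG))
```

On the excerpt, `suspect_module()` returns "vfilter" because the three frames above it are all nt! frames (KeBugCheckEx, KiBugCheckDispatch, KiPageFault, KeSetEvent) and the frame below it is an unsymbolised raw address; that matches the MODULE_NAME the debugger chose, so `consistent` is True. When the two disagree, or when the transcript also carries "Unable to verify timestamp" for the blamed module as it does here, that dump deserves a manual look rather than automatic bucketing.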