How to Read a Mini Dump File
- Download source - ii KB
Summary: If your application crashes at a customer site, you lot tin now debug it subsequently the fact using minidumps and the Microsoft® Visual Studio® NET debugger. This article describes how minidumps work, how to make your application create them when it crashes, and how to read them dorsum with Visual Studio .NET. Minidumps are key to the Microsoft fault reporting program to improve the reliability of the Windows operating arrangement and applications such as Visual Studio .NET. This commodity too describes how to employ the Microsoft symbol server to automatically find symbols for system components. This article assumes that you are familiar with Win32 and C++ programming.
Contents
- What Is a Minidump?
- Creating a Minidump
- Build Issues
- Writing a Minidump with MiniDumpWriteDump
- Reading a Minidump with Visual Studio .NET
- How Microsoft Uses Minidumps
- Further Improvements
- Conclusion
What Is a Minidump?
A minidump is a file containing the most important parts of a crashed application. It is written on the user'southward machine and so the customer can submit information technology to the programmer. The programmer tin can load the dump to help determine the cause of the crash and develop a prepare.
Since the early days of Windows NT, the Dr. Watson program has been able to generate crash dump files, denoted with the .dmp extension. However, they were non as useful equally they should take been considering of ii problems:
- They were huge. The dump of an application included every byte of the unabridged procedure infinite, and then a crash in something simple similar Notepad would be several megabytes in size, and a crash in something like Word can be many hundreds of megabytes. The files were only likewise large to send by east-postal service or FTP.
- Their content was not necessarily useful. Dr. Watson was, in fact, a merely-in-time (JIT) debugger, and information technology is difficult for a debugger to get the full path to a loaded module. Full debuggers such as the Visual Studio debugger complete a number of steps to get the paths, but Dr. Watson did not. This usually resulted in unhelpful module names such equally MOD0000 and so on.
Minidumps were designed to fix these issues in a number of ways:
- Instead of saving the entire procedure space, simply certain sections are saved. There is no point in saving copies of modules such as Kernel32.dll; if the version number is included, it is easy to get a copy from a Windows CD. The actual retentiveness heap of the awarding is by default not saved in a minidump; it is non required to debug a surprisingly high percentage of crashes. You lot can save the heap if you need to, however.
- The minidump save code works to get authentic and full data for modules, including their names, paths, version information, and internal timestamps.
- The minidump save code also gets the list of threads, their contexts (that is, register sets), and the memory behind their stacks.
- The whole file is compressed, further reducing its size. A minidump for Notepad is around 6K on Windows XP, near 300 times smaller than the previous crash dump of the same process.
Notation: Kernel-mode minidumps, which are generated by Windows XP afterward a computer stops responding, likewise exist, simply this article discusses more common user-mode minidumps.
Creating a Minidump
There are three ways to create a minidump:
- Add lawmaking to your ain application to write a minidump if the application has an unhandled exception.
- In the integrated development environment of Visual Studio .Internet, click Save Dump on the Debug bill of fare when debugging the awarding.
- Do nothing.
The first option is discussed in more item in the following sections.
The second option works merely on a workstation with the debugger already configured, which is likely useful only inside an organization (for example, with another developer or tester). If you debug a crash with Visual Studio .Cyberspace, you can then click Salvage Dump As on the Debug menu. You lot tin can save every bit a Minidump or Minidump With Heap. You do not need whatsoever symbols or PDBs configured to save a dump file; you volition need them later, still, to read it back.
The third choice works only in Windows XP, which automatically creates a minidump if an application has an unhandled exception and no JIT debugger has been fix. Also, the minidump is submitted direct to Microsoft, so you will not have the opportunity to determine why.
Build Issues
To configure your application to create dumps when it stops responding, you must configure your builds to generate total debugging information, especially for retail builds. After generating a PDB, you also must archive every binary that ships to customers and its matching PDB; y'all will need the PDB later to debug whatsoever minidumps that your customers submit.
Also, ensure that you lot set the version information correctly on your binaries. Every release of every component that yous ship should have a unlike version, so you tin can match them to the minidump. The version field assists yous in matching the bits. The debugger itself does not utilise the version information, however; it matches binaries based on the internal timestamp in the PE header.
In terms of output, generating debug data for release builds has a pocket-size result. A PDB, taking up some space on a build car, is generated, and the binary will be a few hundred bytes larger, to record the proper name of the PDB in the debug directory within the PE file. You lot should not provide customers with the PDB; this could allow customers to more easily reverse-engineer your application.
Writing a Minidump with MiniDumpWriteDump
The primal API to saving a minidump is MiniDumpWriteDump, which is exported from Dbghelp.dll, a redistributable DLL that comes with the Platform SDK. Make sure that you are using the Windows XP version 5.1.2600; earlier beta and release candidate versions had issues with the API, and versions 5.0.ten are from Windows 2000 and practise not consign the role. If you have a version before than five.0, so it comes from the Systems Debugger package (including WinDbg and then on) and is non redistributable.
To call the API, you need to take hold of the crash past setting an unhandled exception handler with the SetUnhandledExceptionFilter API. This allows the filter role to be called at almost any time an unhandled exception occurs in an awarding. In certain unhandled exceptions, such as a double stack fault, the operating organization will immediately stop the application without calling the filter or a JIT debugger.
In your filter function, yous must load Dbghelp.dll. This is not as simple as calling LoadLibrary; equally with Windows 2000, you will access the one from the System32 directory, which does not have the right export. The sample code in the attached file tries to load from the aforementioned location as the EXE. Install the correct version of Dbghelp.dll into the same directory as the EXE; if this does non work, so the lawmaking reverts to a plain LoadLibrary, which volition only work if the application is running on Windows XP.
Afterwards loading the DLL, information technology and so checks for the named export; if correct, it then creates a file with an appropriate name, such every bit saving to the Temp directory and using the application name with the .dmp extension. This handle is and then passed to the API itself, with some additional information such as the process ID and the type of dump file. The sample uses MiniDumpNormal. You may desire to or-in the flag value of MiniDumpWithDataSegs, which is the equivalent to the Minidump With Heap option in the Visual Studio debugger. This does outcome in substantially larger dump files.
In one case the .dmp file is created, the application informs the user where it is stored. The user tin can then e-mail it or use FTP to become you the file to investigate.
To apply the sample code provided, add together the mdump.h file and declare one MiniDumper object at global scope. Its constructor takes an statement, which should be the basename of the minidump file. Add together mdump.cpp to your project. Y'all need to take the correct Dbghelp.dll file in the same directory equally the EXE to run successfully.
Yous cannot debug the code that writes the minidump with a debugger (in the sample code, Minidumper::TopLevelFilter). If a debugger is attached to a procedure, then the unhandled exception filter volition never exist called. If you encounter issues, yous will need to use MessageBox debugging.
Reading a Minidump with Visual Studio .NET
This section uses an example of a manually created minidump from Notepad in Windows 2000 and debugging in Windows XP.
Start Visual Studio .NET and, on the File menu, click Open up Solution. Change the Files of type driblet-downwards menu to Dump Files (*.dmp; *.mdmp), navigate to the minidump, and create a default projection by clicking Open up.
To launch the dump with the debugger, press F5. This will provide yous with data to become started. The debugger creates a fake process; in the Output window, diverse module load messages are displayed. The debugger is recreated the crashed processes land just. After displaying a warning that the EXE contains no debug data, the debugger stops with the user's crash, such every bit an access violation. If you lot then examine the Call Stack window, yous will discover the lack of symbols and a lack of useful information.
Figure i. Initial Stack with No Symbols
To read a minidump, you typically need copies of the binaries involved. To detect the right binaries, open the Modules window.
Effigy two. Initial Modules with No Binaries
Effigy two shows the Notepad example and demonstrates two things. First, the paths to the binaries are marked with asterisks, which denotes the path on the user's workstation but the binary could not be found at that location on your auto. 2nd, the letters read "No matching binary plant" in the Information field. The central to finding matching binaries is to look at the Version field and the file name. In this example, the version of most system files is 2195, which indicates Windows 2000. It does not immediately point the exact service pack (SP) or quality fix engineering (QFE), however. For more information, see the DLL Aid database at this link.
At this point, you lot will demand to detect a Windows operating system CD or a user's workstation with the right versions and copy the correct versions into a directory. It is not normally necessary to find every binary that was in the process, but information technology is important to observe each binary that features on every relevant call stack. This will often involve both operating system binaries (such as Kernel32.dll) and your application binaries (in this case, Notepad.exe).
When you have institute the bits and copied them to a local directory, on the Debug bill of fare, click Stop Debugging. In Solution Explorer, right-click the project icon and click Backdrop on the shortcut bill of fare. This will accept you to the Debugging page. Fill in the Control Arguments to be MODPATH, followed by an equal sign, and followed past a semicolon-delimited list of places to look for binaries. In this case, it is:
MODPATH=yard:\sysbits
Afterwards setting the path, press F5 to reload the minidump. MODPATH reuses the command statement to get the value to the debugger; a future version of Visual Studio .NET may have a better way of setting this, possibly equally an selection in the Properties dialog box.
Although finding the binaries is unlikely to improve the call stack, it should resolve some issues in the Modules window, every bit shown in Figure 3.
Figure 3. Modules with Binaries
Instead of maxim "No matching binary found", it now says a combination of "Cannot find or open up a required DBG file" or "No symbols loaded". The get-go message occurs with system DLLs that employ DBGs for their debugging information. The 2d message occurs for DLLs that use PDBs. Getting matching binaries will not necessarily improve your call stack; y'all also demand debug information that matches them.
Method A: Symbols the Hard Way
To completely analyze a minidump, y'all should find debug data for everything, but to save time, you can find merely the information yous need. The case stack lists User32.dll and Kernel32.dll, and then they need matching debug information.
Matching Debug Data
| Operating system | Files required |
| Windows NT 4 | DBGs |
| Windows 2000 | DBGs, PDBs |
| Windows XP | PDBs |
The best place to locate arrangement symbols is here. Y'all can too locate organization symbols on the Support meaty disc that ships with Windows NT Server and Windows 2000 Server operating systems. In this example, they were copied to the location of the binaries. In real instances, y'all will have non-Microsoft binaries listed, so you will need to have PDBs for them. Also in this example, the DBG and PDB for Notepad were likewise copied, because it was the sample awarding used.
Later on yous click Finish Debugging on the Debug menu, pressing F5 will list a phone call stack, as shown in Figure 4. You may find that, as you add new binaries and debug data, your phone call stack will change. This is to be expected; a call stack can only be walked accurately with debug information, so as you add together more than data, your stack will become more accurate, which volition oftentimes betrayal additional frames that were not in the original.
In this example, there was no crash. In existent instances, you lot would accept sufficient information to decide the cause of around lxx percent of your user crashes. In add-on, this stack was created with the stripped symbols that Microsoft ships for system component, so there was no line number information. For your own binaries with full PDBs, you will get an even richer stack.
Figure 4. Phone call Stack with Symbols and Binaries
Symbol Servers
If y'all are dealing with many minidumps and performing general debugging, storing and accessing all the binary and PDB/DBG files tin exist hard. Windows NT adult a technology known as a symbol server, which was originally conceived as storage for symbols but was extended to support finding binary files. The Windows NT debugger was the first tool to support this, but Visual Studio .NET likewise does so as an undocumented feature. For more data on symbol server, see here.
You can also retrieve symbols from the Microsoft symbol server. These symbols volition be cached and indexed locally for yous.
Method B: Symbols The Easy Way: Using Symbol Server
Start, go to this link and download the debugging tools. You lot need Symsrv.dll, which needs to be on the path. You can either copy information technology next to devenv.exe or into your System32 directory, to allow Visual Studio .Net access to it. In one case you have copied Symsrv.dll, yous can safely uninstall the debugging tools. You will as well need to make a local directory. For this case, create a local directory as C:\localstore.
In the Projection Properties dialog box, set up the Symbol Path on the Debugging page to:
SRV*c:/localstore*http://msdl.microsoft.com/download/symbols
This string tells the debugger to use the symbol server to become symbols and create a local symbol server, where they will exist copied. Now, when yous press F5 on the minidump, the symbols are copied from the Microsoft Web site, copied to the local store, so used past the debugger. Afterwards the kickoff time yous practice this, your performance will be quicker, because they will be retrieved from the local store rather than from the Web.
When debugging a non-Microsoft application, you should use a combination of methods A and B. Use A to go the system components and add paths to your bits and symbols by separating them with semicolons, such every bit:
c:\drop\build\myapp;SRV*c:\localstore*http://msdl.microsoft.com/download/symbols
Because the symbol server is an undocumented characteristic of Visual Studio .NET, there is no fault reporting. If the syntax is incorrect or Symsrv.dll is not on the path, the symbols will neglect to load with the error "No symbols loaded". You can also use symbol servers to store and recall binaries, just the MODPATH syntax needs to use symsrv*symsrv.dll* instead of SRV*.
Note: The Microsoft symbol server does not incorporate binary files, only any symbol servers that you create tin can.
Symbol servers work for "alive" debugging, likewise, non only for minidumps. To do this, you volition need to ready the Symbol Path on the Debugging page properly.
How Microsoft Uses Minidumps
Microsoft has been using minidumps to better the quality of its applications for more than a yr. Microsoft Internet Explorer 5.v and Microsoft Office XP were the beginning products to ship with the new Dr. Watson, a utility that catches when an application stops responding, creates a minidump, and asks the user if he or she wants to submit the information to Microsoft.
If the user clicks Send Error Study, then Dr. Watson creates and submits the minidump to a server on the Microsoft Web site. The utility performs the user prompting and minidump saving in a dissimilar process, which is spawned from the crashing process. This places less need on the crashed application, increasing the chances of getting a valid minidump from the user.
Further Improvements
On the server side, the minidumps are analyzed into areas of like crashes, based on where the crash occurred and in what component. This gives production teams statistics of how oftentimes the awarding crashed and how often a given crash occurs. The teams likewise receive the actual minidumps of the crashes for farther investigation. In some cases where the crash is fully understood, users are automatically directed to a Web page that contains information near a known workaround or contains a set to correct the problem. Since the release of Internet Explorer 5.v and Office XP, many other product teams use similar technology to gather crash data. It is also a standard part of Windows XP.
The sample discussed in this article provides a ground for understanding minidumps. The sample does not discuss retrieving the dump file from the user. In the simplest case, the user can be prompted to send the minidump by eastward-post. As well, potential privacy issues can occur, because user information may exist present on the stack and is guaranteed to exist present in a minidump that includes the full heap. This should exist fabricated clear to users. The Microsoft data collection policy, which also contains additional information about the exact contents of minidumps, is at this link.
In addition, the creation of minidumps from a Windows service that has an unhandled exception poses additional challenges, to practice with desktop access (for example, if no one is using the panel, then you cannot prompt them) and security contexts.
Conclusion
Minidumps are a new engineering to port-mortem debug crashes on user workstations. It is piece of cake to add code to existing applications to automatically create them when an unhandled exception occurs. Visual Studio .NET tin can easily read them back to recreate the crash and allow the developer to debug the problem. Symbol server tin can be used to make it much easier to notice system symbols to aid in this analysis.
License
This article has no explicit license attached to it, just may incorporate usage terms in the article text or the download files themselves. If in uncertainty, delight contact the author via the word board below. A listing of licenses authors might use can exist found here.
Source: https://www.codeproject.com/Articles/1934/Post-Mortem-Debugging-Your-Application-with-Minidu
0 Response to "How to Read a Mini Dump File"
Post a Comment