Tools
Windbg Preview
Viewing the dump log
After Windows generates a dump, the system log usually contains a record like the following:
Where the record appears in the Windows OS log:
Error 07/11/2020 11:22:40 BugCheck none 0x0000001e (0xffffffffc0000094, 0xfffff801a7614256, 0xffffd00021fff7e0, 0x000000000000000c)C:\Windows\MEMORY.DMP071120-25390-01
Dump analysis procedure
Use the WinDbg Preview tool to analyze the dump file:
Analysis results
Microsoft (R) Windows Debugger Version 10.0.20153.1000 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [D:\MEMORY.DMP]
Kernel Bitmap Dump File: Kernel address space is available, User address space may not be available.
************* Path validation summary **************
Response Time (ms) Location
Deferred srv*
Symbol search path is: srv*
Executable search path is:
Windows 8.1 Kernel Version 9600 MP (32 procs) Free x64
Product: Server, suite: TerminalServer SingleUserTS
Edition build lab: 9600.18589.amd64fre.winblue_ltsb.170204-0600
Machine Name:
Kernel base = 0xfffff803`90207000 PsLoadedModuleList = 0xfffff803`904da670
Debug session time: Sat Jul 11 10:26:34.305 2020 (UTC + 8:00)
System Uptime: 539 days 19:57:39.511
Loading Kernel Symbols
...............................................................
................................................................
.......................
Loading User Symbols
Loading unloaded module list
...............................................
For analysis of this file, run !analyze -v
nt!KeBugCheckEx:
fffff803`903552a0 48894c2408 mov qword ptr [rsp+8],rcx ss:0018:ffffd000`21ffe5e0=000000000000001e
12: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
KMODE_EXCEPTION_NOT_HANDLED (1e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Arguments:
Arg1: ffffffffc0000094, The exception code that was not handled
Arg2: fffff801a7614256, The address that the exception occurred at
Arg3: ffffd00021fff7e0, Parameter 0 of the exception
Arg4: 000000000000000c, Parameter 1 of the exception
Debugging Details:
------------------
KEY_VALUES_STRING: 1
Key : Analysis.CPU.mSec
Value: 2108
Key : Analysis.DebugAnalysisProvider.CPP
Value: Create: 8007007e on DESKTOP-N75119D
Key : Analysis.DebugData
Value: CreateObject
Key : Analysis.DebugModel
Value: CreateObject
Key : Analysis.Elapsed.mSec
Value: 2844
Key : Analysis.Memory.CommitPeak.Mb
Value: 80
Key : Analysis.System
Value: CreateObject
Key : WER.OS.Branch
Value: winblue_ltsb
Key : WER.OS.Timestamp
Value: 2017-02-04T06:00:00Z
Key : WER.OS.Version
Value: 8.1.9600.18589
ADDITIONAL_XML: 1
OS_BUILD_LAYERS: 1
BUGCHECK_CODE: 1e
BUGCHECK_P1: ffffffffc0000094
BUGCHECK_P2: fffff801a7614256
BUGCHECK_P3: ffffd00021fff7e0
BUGCHECK_P4: c
EXCEPTION_PARAMETER1: ffffd00021fff7e0
EXCEPTION_PARAMETER2: 000000000000000c
PROCESS_NAME: System
STACK_TEXT:
ffffd000`21ffe5d8 fffff803`903e1b02 : 00000000`0000001e ffffffff`c0000094 fffff801`a7614256 ffffd000`21fff7e0 : nt!KeBugCheckEx
ffffd000`21ffe5e0 fffff803`9035c7ed : ffffd000`21ffed50 00000000`00000000 ffffd000`21fff548 ffffd000`21ffe750 : nt!KiFatalExceptionHandler+0x22
ffffd000`21ffe620 fffff803`9027f369 : 00000000`00000001 fffff803`90207000 ffffd000`21fff500 fffff801`00000000 : nt!RtlpExecuteHandlerForException+0xd
ffffd000`21ffe650 fffff803`9028372e : ffffd000`21fff548 ffffd000`21fff250 ffffd000`21fff548 ffffe000`24945000 : nt!RtlDispatchException+0x1a5
ffffd000`21ffed20 fffff803`90360ec2 : 00000000`00000701 ffffe000`21622248 00000000`00000001 ffffe000`251191b0 : nt!KiDispatchException+0x646
ffffd000`21fff410 fffff803`9035e2e8 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiExceptionDispatch+0xc2
ffffd000`21fff5f0 fffff801`a7614256 : ffffe000`220b0ac0 015b295a`79c6c6a3 00000000`00000001 ffffd000`21cc6400 : nt!KiDivideErrorFault+0xe8
ffffd000`21fff780 fffff801`a62c7e02 : ffffe000`220f41a0 ffffd000`21fff829 00000000`00000000 ffffe000`2541c000 : ocnd64!BeMessageInterruptDpc+0x146
ffffd000`21fff7b0 fffff803`902376f0 : 00000000`00000000 00000000`00000001 00000000`00000001 fffff803`9099958f : NDIS!ndisInterruptDpc+0x1a3
ffffd000`21fff890 fffff803`90236a37 : ffffe000`42861300 ffffe000`42861300 00000000`00000000 ffffd000`0000000e : nt!KiExecuteAllDpcs+0x1b0
ffffd000`21fff9e0 fffff803`90358dea : ffffd000`21fe9180 ffffd000`21fe9180 ffffd000`21ff59c0 ffffe000`3f439880 : nt!KiRetireDpcList+0xd7
ffffd000`21fffc60 00000000`00000000 : ffffd000`22000000 ffffd000`21ff9000 00000000`00000000 00000000`00000000 : nt!KiIdleLoop+0x5a
SYMBOL_NAME: ocnd64!BeMessageInterruptDpc+146
MODULE_NAME: ocnd64
IMAGE_NAME: ocnd64.sys
STACK_COMMAND: .thread ; .cxr ; kb
BUCKET_ID_FUNC_OFFSET: 146
FAILURE_BUCKET_ID: 0x1E_c0000094_ocnd64!BeMessageInterruptDpc
OS_VERSION: 8.1.9600.18589
BUILDLAB_STR: winblue_ltsb
OSPLATFORM_TYPE: x64
OSNAME: Windows 8.1
FAILURE_ID_HASH: {f4a2857c-b106-5a17-c81e-d5cedab523c6}
Followup: MachineOwner
---------
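As an added example (not from the original page), a small Python triage helper that pulls the key fields out of the `!analyze -v` output above and decodes Arg1 of bugcheck 0x1E as an NTSTATUS value, which for this dump is a divide-by-zero, matching the nt!KiDivideErrorFault frame. The embedded sample is constructed from this page's values; the NTSTATUS table and the `likely_culprit` heuristic are this example's own additions, not WinDbg's logic.

```python
import re

# Constructed excerpt of the `!analyze -v` output shown above (values copied from
# this page); in practice feed it the saved WinDbg log or `kd -c "!analyze -v"` output.
SAMPLE_ANALYZE_OUTPUT = """\
KMODE_EXCEPTION_NOT_HANDLED (1e)
Arg1: ffffffffc0000094, The exception code that was not handled
Arg2: fffff801a7614256, The address that the exception occurred at
Arg3: ffffd00021fff7e0, Parameter 0 of the exception
Arg4: 000000000000000c, Parameter 1 of the exception
BUGCHECK_CODE: 1e
STACK_TEXT:
ffffd000`21fff5f0 fffff801`a7614256 : 00000000`00000000 : nt!KiDivideErrorFault+0xe8
ffffd000`21fff780 fffff801`a62c7e02 : ffffe000`220f41a0 : ocnd64!BeMessageInterruptDpc+0x146
ffffd000`21fff7b0 fffff803`902376f0 : 00000000`00000000 : NDIS!ndisInterruptDpc+0x1a3
SYMBOL_NAME: ocnd64!BeMessageInterruptDpc+146
MODULE_NAME: ocnd64
IMAGE_NAME: ocnd64.sys
FAILURE_BUCKET_ID: 0x1E_c0000094_ocnd64!BeMessageInterruptDpc
"""

# NTSTATUS values that commonly show up as Arg1 of bugcheck 0x1E (well-known constants).
NTSTATUS_NAMES = {0xC0000005: "STATUS_ACCESS_VIOLATION", 0xC0000094: "STATUS_INTEGER_DIVIDE_BY_ZERO",
                  0xC0000096: "STATUS_PRIVILEGED_INSTRUCTION", 0xC000001D: "STATUS_ILLEGAL_INSTRUCTION"}

FIELD_RE = re.compile(r"^(BUGCHECK_CODE|SYMBOL_NAME|MODULE_NAME|IMAGE_NAME|FAILURE_BUCKET_ID):\s*(\S+)", re.M)
ARG_RE = re.compile(r"^Arg(\d): ([0-9a-fA-F]+),", re.M)
# Only genuine stack frames start with a 64-bit backtick-separated address.
FRAME_RE = re.compile(r"^[0-9a-f]{8}`[0-9a-f]{8} .* : (\S+)$", re.M)


def parse_analyze(text):
    """Extract the fields needed to triage one `!analyze -v` result."""
    fields = dict(FIELD_RE.findall(text))
    args = [int(v, 16) for _, v in sorted(ARG_RE.findall(text))]
    info = {"bugcheck": int(fields["BUGCHECK_CODE"], 16), "args": args,
            "module": fields.get("MODULE_NAME"), "image": fields.get("IMAGE_NAME"),
            "bucket": fields.get("FAILURE_BUCKET_ID"), "frames": FRAME_RE.findall(text)}
    # For 0x1E, Arg1 is the unhandled NTSTATUS, sign-extended to 64 bits in the dump.
    if info["bugcheck"] == 0x1E and args:
        info["exception"] = NTSTATUS_NAMES.get(args[0] & 0xFFFFFFFF, "UNKNOWN")
    return info


def likely_culprit(info, trusted=("nt", "NDIS", "hal")):
    """First frame (top of stack first) whose module is not a core Windows one."""
    for frame in info["frames"]:
        if frame.split("!", 1)[0] not in trusted:
            return frame
    return None
```

Running this over a folder of saved `!analyze -v` logs lets you group crashes by `bucket` and `module` instead of re-opening every dump in the debugger.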