Tuesday, April 21, 2015

Windows Memory Analysis Checklist - windbg


General:
  • Symbol servers (.symfix)
  • Internal database(s) search
  • Google or Microsoft search for suspected components as this could be a known issue. Sometimes a simple search immediately points to the fix on a vendor’s site
  • The tool used to save a dump (to flag false positive, incomplete or inconsistent dumps)
  • OS/SP version (version)
  • Language
  • Debug time
  • System uptime
  • Computer name (dS srv!srvcomputername or !envvar COMPUTERNAME)
  • List of loaded and unloaded modules (lmv or !dlls)
  • Hardware configuration (!sysinfo)
  • .kframes 1000
Application or service:
  • Default analysis (!analyze -v or !analyze -v -hang for hangs)
  • Critical sections (!cs -s -l -o, !locks) for both crashes and hangs
  • Component timestamps, duplication and paths. DLL Hell? (lmv and!dlls)
  • Do any newer components exist?
  • Process threads (~*kv or !uniqstack) for multiple exceptions and blocking functions
  • Process uptime
  • Your components on the full raw stack of the problem thread
  • Your components on the full raw stack of the main application thread
  • Process size
  • Number of threads
  • Gflags value (!gflag)
  • Time consumed by threads (!runaway)
  • Environment (!peb)
  • Import table (!dh)
  • Hooked functions (!chkimg)
  • Exception handlers (!exchain)
  • Computer name (!envvar COMPUTERNAME)
  • Process heap stats and validation (!heap -s, !heap -s -v)
  • CLR threads? (mscorwks or clr modules on stack traces) Yes: use .NET checklist below
  • Hidden (unhandled and handled) exceptions on thread raw stacks
System hang:
  • Default analysis (!analyze -v -hang)
  • ERESOURCE contention (!locks)
  • Processes and virtual memory including session space (!vm 4)
  • Important services are present and not hanging (for example, terminal or IMA services for Citrix environments)
  • Pools (!poolused)
  • Waiting threads (!stacks)
  • Critical system queues (!exqueue f)
  • I/O (!irpfind)
  • The list of all thread stack traces (!process 0 3f)
  • LPC/ALPC chain for suspected threads (!lpc message or !alpc /mafter search for "Waiting for reply to LPC" or "Waiting for reply to ALPC" in !process 0 3f output)
  • Mutants (search for "Mutants - owning thread" in !process 0 3foutput)
  • Critical sections for suspected processes (!cs -l -o -s)
  • Sessions, session processes (!session, !sprocess)
  • Processes (size, handle table size) (!process 0 0)
  • Running threads (!running)
  • Ready threads (!ready)
  • DPC queues (!dpcs)
  • The list of APCs (!apc)
  • Internal queued spinlocks (!qlocks)
  • Computer name (dS srv!srvcomputername)
  • File cache, VACB (!filecache)
  • File objects for blocked thread IRPs (!irp -> !fileobj)
  • Network (!ndiskd.miniports and !ndiskd.pktpools)
  • Disk (!scsikd.classext -> !scsikd.classext class_device 2)
  • Modules rdbss, mrxdav, mup, mrxsmb in stack traces
BSOD:
  • Default analysis (!analyze -v)
  • Pool address (!pool)
  • Component timestamps (lmv)
  • Processes and virtual memory (!vm 4)
  • Current threads on other processors
  • Raw stack
  • Bugcheck description (including ln exception address for corrupt or truncated dumps)
  • Bugcheck callback data (!bugdump for systems prior to Windows XP SP1)
  • Bugcheck secondary callback data (.enumtag)
  • Computer name (dS srv!srvcomputername)
  • Hardware configuration (!sysinfo)
.NET application or service:
  • CLR module and SOS extension versions (lmv and .chain)
  • Managed exceptions (~*e !pe)
  • Nested managed exceptions (!pe -nested)
  • Managed threads (!Threads -special)
  • Managed stack traces (~*e !CLRStack)
  • Managed execution residue (~*e !DumpStackObjects and!DumpRuntimeTypes)
  • Managed heap (!VerifyHeap!DumpHeap -stat and !eeheap -gc)
  • GC handles (!GCHandles!GCHandleLeaks)
  • Finalizer queue (!FinalizeQueue)
  • Sync blocks (!syncblk)


Symbol Server (Microsoft):
srv*c:\mss*http://msdl.microsoft.com/download/symbols


Symbol Server (Citrix):
srv*c:\css*http://ctxsym.citrix.com/symbols
.symfix c:\mss
.sympath+ srv*c:\css*http://ctxsym.citrix.com/symbols

Crash Dump Analysis Poster v3.0 (HTML version)

--- Common commands for all dumps ------ Common commands for all dumps ---
d{d|q|p}{s|p|a|u} [/c Width] [/p | /pc | /puc | /pwc] [Range].reload [ReloadOptions] [Module [= Address [, Size [, Timestamp]]]]
.effmach [. | # | x86 | amd64 | ia64 | ebc]ReloadOptions := [/d] [/f] [/i] [/l] [/n] [/o] [/s] [/u] [/unl] [/user] [/v] [/w]
u[b] [Range | Address].frame [/r] [FrameNumber]
uf [/m] [/o] Address.frame [/r] = BasePtr [FrameIncrement]
x [[/t] [/v] [/s Size] [/q] [/p] [/a | /A | /n | /N | /z | /Z]] Module!Symbol.frame [/r] = BasePtr StackPtr InstructionPtr
x [[/t] [/v] [/s Size] [/q] [/p] [/a | /A | /n | /N | /z | /Z]] *dv [[/i] [/t] [/v] [/V] [/a | /A | /n | /N | /z | /Z]] [Pattern]
!list -t [Module!]Type.Field -x "Commands" [-a "Arguments"] [Options] StartAddress!list " -t [Module!]Type.Field -x \"Commands\" [-a \"Arguments\"] [Options] StartAddress "
ln Address!list -h
!analyze -c [-load KnownIssuesFile | -unload | -help]!analyze [-v] [-f | -hang] [-D BucketID]
--- User dumps ------ Kernel/Complete memory dumps ---
d{a|b|c|d|D|f|p|q|u|w|W} [/c Width] [Range]!analyze -show BugCheckCode [BugParameters]
dy{b|d} [/c Width] [Range]!locks [-v] [-p] [-d]
d [/c Width] [Range]!cs [-l] [-o] [-s]
dt [DisplayOptions] [[-n] [-y]] [module!]NAME [[[-n] [-y]] Field] [Address] [-l List]!peb [Address]
dt [DisplayOptions] Address [-l List]!teb [Address]
dt -hlm [olvecifnpt] [1m] [u | k] [a Address] [m Pattern | M Pattern]
DisplayOptions := [-a[quantity]] [-b] [-c] [-e] [-i] [-o] [-p] [-r[depth]] [-s size] [-v]d{a|b|c|d|D|f|p|q|u|w|W} [/c Width] [/p | /pc | /puc | /pwc] [Range]
!cs [-l] [-o] [-s]dy{b|d} [/c Width] [/p | /pc | /puc | /pwc] [Range]
lm [olvecifnpt] [1m] [a Address] [m Pattern | M Pattern]d [/c Width] [/p | /pc | /puc | /pwc] [Range]
~*kv /  !uniqstack [ -b | -v | -p ] [ -n ][Processor] dt [DisplayOptions] [[-n] [-y]] [module!]NAME [[[-n] [-y]] Field] [Address] [-l List]
[~Thread] r[M Mask|F|X|?] [ Register[:[Num]Type] [= [Value]] ]dt [DisplayOptions] Address [-l List]
[~Thread] k[b|p|P|v] [n] [f] [L] [FrameCount]dt -h
[~Thread] k[b|p|P|v] [n] [f] [L] = BasePtr [FrameCount]DisplayOptions := [-a[quantity]] [-b] [-c] [-e] [-i] [-o] [-p] [-r[depth]] [-s size] [-v]
[~Thread] k[b|p|P|v] [n] [f] [L] = BasePtr StackPtr InstructionPtr!vm [0-0x3F]
[~Thread] kd [WordCount]!irpfind [-v] [0-4 [RestartAddress [arg|device|fileobject|mdlprocess|thread|userevent Data]]]
!peb [Address]!exqueue [0-0xF | 0x10 | 0x20 | 0x40]
!teb [Address]!poolused [0-1[0x2 | 0x4 | 0x8]] [TagString]]
!gflag -?!stacks [0-2 [FilterString]]
!gflag!lpc message MessageID
!heap [HeapOptions] [ValidationOptions] [Heap]!lpc port Port
HeapOptions := [-v] [-a] [-h] [-f] [-m] [-t] [-T] [-g] [-s] [-k] [-c]!lpc scan Port
ValidationOptions := -C | -D | -E | -d | -e!lpc thread Thread
!heap -b [{alloc|realloc|free} [Tag]] [Heap | BreakAddress]!lpc PoolSearch
!heap -B {alloc|realloc|free} [Heap | BreakAddress]!lpc
!heap -l~<p>s
!heap -s [SummaryOptions] [StatHeapAddress][Processor] r[M Mask|F|X|?] [ Register[:[Num]Type] [= [Value]]
SummaryOptions := [-v] [-b BucketSize] [-d DumpBlockSize] [-a] [-c][Processor] k[b|p|P|v] [n] [f] [L] [FrameCount]
!heap -i HeapAddress[Processor] k[b|p|P|v] [n] [f] [L] = BasePtr [FrameCount]
!heap -x [-v] Address[Processor] k[b|p|P|v] [n] [f] [L] = BasePtr StackPtr InstructionPtr
!heap -p [PageHeapOptions][Processor] kd [WordCount]
PageHeapOptions := -h Handle | -a Address | -t[c|s] [Traces] | -t[c|s] [Traces] | -all | -?.process [/p] [/r] [Process]
!heap -srch [-b | -w | -d | -q] Pattern!process [/s Session] [/m Module] [Process [0-0x3F]]
!heap -flt {s Size | r SizeMin SizeMax}!process [/s Session] [/m Module] 0 Flags ImageName
!heap -stat [-h Handle [-grp {A | B | S} [MaxDisplay]]]!thread [-p] [-t] [Address [0-0x3F]]
!heap [-p] -?.thread [Thread]

Designed by Dmitry Vostokov (http://www.dumpanalysis.org)

No comments:

Post a Comment