Dump file format
Dump files have a specific format that helps in debugging. The system information and, for a crash dump, the exception record are stored as separate streams that are reachable through a directory near the start of the file, so they can be located by offset arithmetic rather than by scanning the file. The exception record describes the exception that produced the dump. Its exception code gives the bucket under which the exception falls, such as access violation, array bounds exceeded, integer divide by zero, floating-point invalid operation, overflow or underflow, and so on. Exception records can be chained together through the nested exception record pointer to provide additional information on nested exceptions. The exception address gives the address at which the exception occurred and is the starting point for the stack trace.
Exceptions are not always on the first thread, so a stack trace of the first thread may not show the exception that triggered the dump. The debugger command .ecxr switches the current context to the exception context saved in the dump; the stack trace command (k) then gives the desired trace. The stack can also be walked by hand after .ecxr by dumping memory at the stack pointer (dd esp on x86, dq or dps rsp on x64) and resolving each word that lands in a loaded module against symbols to get a function name. Note that this only works when the dump actually contains an exception stream: the sample dump below appears to have been taken from a running calc.exe rather than a crash (process uptime 45 seconds, and no ExceptionStream among the ten directory entries), so .ecxr has no context to switch to there.
A reader does not have to scan the file for threads. The directory entries for the system information stream and the exception stream sit at the start of the file along with the rest of the directory, so looking up the exception address is a matter of following one RVA. The exception stream holds the ID of the faulting thread, the exception record, and a location descriptor pointing to the saved CONTEXT of that thread. The thread list stream is a count followed by an array of fixed-size thread entries, each with the thread ID, the TEB address, a descriptor for the saved stack memory and a descriptor for the thread's context; the 0x30-byte spacing of the thread RVAs in the sample (0x414, 0x444, 0x474) reflects that fixed entry size.
Dump files use relative virtual addresses (RVAs) to point to data within the file; an RVA is simply an offset from the start of the file. The format specifies a set of directory entries that point to the data. Each entry specifies the stream type, the data size and the RVA of the data in the dump file. The file layout consists of a header that gives the signature ('MDMP'), the version, the number of directory entries, the RVA of the directory and the flags describing what the dump contains. The directory follows the header, and the data for each stream follows the directory. In dumps written by the Windows dump writer the system information and miscellaneous information streams are usually laid down first, immediately after the directory: the 32-byte header followed by ten 12-byte directory entries ends at offset 0x98, exactly where the sample's SystemInfoStream begins. A reader should nevertheless always go through the directory rather than assume that position, and every RVA and size taken from the file is untrusted input that must be bounds-checked against the file length before use, since a malformed dump can otherwise drive a reader out of bounds.
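Here is how a reader follows that layout in practice. This is an added example, written for this page and not code from the original post or from any debugger or Microsoft tool; the structure layouts are the public MINIDUMP_* definitions from DbgHelp.h, and the dump it parses is a small synthetic one built in build_sample_dump() (the thread id, addresses, register-style values and the 16-byte stand-in for the CONTEXT record are made up) so that it runs offline:

```python
import struct

MDMP_SIGNATURE = 0x504D444D       # the bytes 'MDMP' read as a little-endian ULONG32
MINIDUMP_VERSION = 0xA793         # low 16 bits of Version; the sample shows "Version A793 (62F0)"

ThreadListStream, ExceptionStream, SystemInfoStream = 3, 6, 7

# MINIDUMP_TYPE bits that the sample header decodes from Flags 1105
MINIDUMP_FLAGS = {0x0001: "MiniDumpWithDataSegs", 0x0004: "MiniDumpWithHandleData",
                  0x0100: "MiniDumpWithProcessThreadData", 0x1000: "MiniDumpWithThreadInfo"}

# Fixed layouts from DbgHelp.h, little-endian with natural alignment
HEADER = struct.Struct("<IIIIIIQ")                   # MINIDUMP_HEADER (32 bytes)
DIRECTORY = struct.Struct("<III")                    # MINIDUMP_DIRECTORY: StreamType, DataSize, Rva
SYSTEM_INFO = struct.Struct("<HHHBBIIIIIHH24s")      # MINIDUMP_SYSTEM_INFO (56 bytes, as in the sample)
EXCEPTION_STREAM = struct.Struct("<IIIIQQII15QII")   # ThreadId, pad, MINIDUMP_EXCEPTION, context location
THREAD = struct.Struct("<IIIIQQIIII")                # MINIDUMP_THREAD (48 bytes): id, suspend, prio class,
                                                     # prio, Teb, stack start/size/rva, context size/rva
EXCEPTION_ACCESS_VIOLATION = 0xC0000005


def parse_minidump(data):
    """Read the header and directory; return ({stream type: (rva, size)}, flags).
    Every RVA/size comes from the file and is bounds-checked before it is trusted."""
    sig, ver, nstreams, dir_rva, _csum, _ts, flags = HEADER.unpack_from(data, 0)
    if sig != MDMP_SIGNATURE or (ver & 0xFFFF) != MINIDUMP_VERSION:
        raise ValueError("not a minidump")
    if dir_rva + nstreams * DIRECTORY.size > len(data):
        raise ValueError("directory runs past end of file")
    streams = {}
    for i in range(nstreams):
        stype, size, rva = DIRECTORY.unpack_from(data, dir_rva + DIRECTORY.size * i)
        if stype == 0:                       # UnusedStream, shown as "type UnusedStream (0)"
            continue
        if rva + size > len(data):
            raise ValueError("stream %d points outside the file" % stype)
        streams[stype] = (rva, size)
    return streams, flags


def flag_names(flags):
    return [name for bit, name in sorted(MINIDUMP_FLAGS.items()) if flags & bit]


def system_info(data, streams):
    rva, _ = streams[SystemInfoStream]
    f = SYSTEM_INFO.unpack_from(data, rva)
    return {"arch": f[0], "cpus": f[3], "major": f[5], "minor": f[6], "build": f[7]}


def exception_context(data, streams):
    """What .ecxr needs: faulting thread id, exception record, saved CONTEXT bytes and
    the faulting thread's stack snapshot (located through the thread list stream)."""
    if ExceptionStream not in streams:
        return None                          # dump of a live process, like the sample below
    rva, _ = streams[ExceptionStream]
    f = EXCEPTION_STREAM.unpack_from(data, rva)
    tid, code, nested, addr, nparams = f[0], f[2], f[4], f[5], f[6]
    params, ctx_size, ctx_rva = f[8:8 + min(nparams, 15)], f[23], f[24]
    trva, _ = streams[ThreadListStream]
    (nthreads,) = struct.unpack_from("<I", data, trva)
    stack = None
    for i in range(nthreads):
        t = THREAD.unpack_from(data, trva + 4 + THREAD.size * i)
        if t[0] == tid:
            stack = (t[5], data[t[7]:t[7] + t[6]])   # (StartOfMemoryRange, saved bytes)
    return {"thread": tid, "code": code, "address": addr, "nested": nested, "params": params,
            "context": data[ctx_rva:ctx_rva + ctx_size], "stack": stack}


def build_sample_dump():
    """Constructed input: one thread (id 0x38) that took an access violation. Addresses,
    the stack words and the 16-byte stand-in for the CONTEXT record are made up."""
    dir_rva = HEADER.size
    sysinfo_rva = dir_rva + 3 * DIRECTORY.size
    sysinfo = SYSTEM_INFO.pack(9, 6, 0x2A07, 8, 1, 6, 2, 9200, 2, 0, 0x100, 0, b"\0" * 24)
    thread_rva = sysinfo_rva + SYSTEM_INFO.size
    stack_rva = thread_rva + 4 + THREAD.size
    stack = struct.pack("<8Q", *range(0x7FF6A0001000, 0x7FF6A0001080, 0x10))
    ctx_rva, ctx = stack_rva + len(stack), b"\xAA" * 16
    threads = struct.pack("<I", 1) + THREAD.pack(0x38, 0, 0x20, 0, 0x7F7BC25E000, 0x43DA3F0860,
                                                  len(stack), stack_rva, len(ctx), ctx_rva)
    exc_rva = ctx_rva + len(ctx)
    exc = EXCEPTION_STREAM.pack(0x38, 0, EXCEPTION_ACCESS_VIOLATION, 0, 0, 0x7FF6A0001234,
                                2, 0, 1, 0x10, *([0] * 13), len(ctx), ctx_rva)   # params: write to 0x10
    header = HEADER.pack(MDMP_SIGNATURE, 0x62F0A793, 3, dir_rva, 0, 0, 0x1105)
    directory = (DIRECTORY.pack(SystemInfoStream, SYSTEM_INFO.size, sysinfo_rva) +
                 DIRECTORY.pack(ThreadListStream, len(threads), thread_rva) +
                 DIRECTORY.pack(ExceptionStream, EXCEPTION_STREAM.size, exc_rva))
    return header + directory + sysinfo + threads + stack + ctx + exc


if __name__ == "__main__":
    d = build_sample_dump()
    s, flags = parse_minidump(d)
    print(flag_names(flags), system_info(d, s))
    ex = exception_context(d, s)
    print("thread %x code %08x at %x" % (ex["thread"], ex["code"], ex["address"]))
```

The bounds checks in parse_minidump are the part worth keeping when adapting this: a dump that arrives from a crash-reporting pipeline or a customer is attacker-influenced input, and a directory entry whose RVA points past the end of the file is exactly the kind of value a fuzzer finds.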
Dump files can be of more than one type. They are categorized by size and are called context dumps, system dumps and complete dumps, in order of increasing size. Context dumps range from 4 KB to 64 KB, system dumps from 64 KB to several MB, and complete dumps store all of the process's memory. Context dumps carry the exception that initiated the crash, the context record of the faulting thread, module and thread lists restricted to the faulting ones, the call stack of the faulting thread, 64 bytes of memory above and below the instruction pointer, and as much of the faulting thread's stack memory as fits in the 64 KB limit. The other types include the same essential information but add the complete list of modules and threads and more memory around the instruction pointers and stacks. When the entire heap is included there is enough information to even discern the values of local variables and the objects they point to. That increases the size of the dump considerably, and it also means the dump carries whatever secrets happened to be in memory (tokens, credentials, keys), which matters when dumps are uploaded or shared.
Dump file bucketing refers to grouping dump files that arose from similar crashes, such as those from a common code defect. The bucket key can include variables like the application name, version and timestamp, the owner application name, version and timestamp, the module name, version and timestamp, the offset into the module at which the fault occurred, and the exception code. Bucketing helps determine the priority and severity of the associated code defect by showing how many crashes share one root cause.
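The manual stack walk described earlier (dump memory at the stack pointer after .ecxr and resolve each word against symbols) and the bucketing just described, as an added example that is not part of the original page. The module list, the stand-in symbol tables and the 48-byte stack snapshot are constructed here; only the stack's start address is borrowed from memory range 1 of the sample below, and the module bases, timestamps and symbol offsets are not the sample's real values:

```python
import struct

# Module list as the ModuleListStream would present it: (base, size, name, timestamp).
# Constructed for the example; bases and timestamps are not the sample's real values.
MODULES = [
    (0x7FF6A0000000, 0x10B000, "calc.exe", 0x8160),
    (0x7FF8C31D0000, 0x1BE000, "ntdll.dll", 0x140),
    (0x7FF8C29D0000, 0x136000, "kernel32.dll", 0x140),
]
# Stand-in symbol tables (module -> sorted (offset, name)); real ones come from PDBs.
SYMBOLS = {
    "calc.exe": [(0x1000, "main"), (0x2340, "ParseExpression"), (0x5100, "WinMainCRTStartup")],
    "ntdll.dll": [(0x1B000, "RtlUserThreadStart")],
    "kernel32.dll": [(0x16000, "BaseThreadInitThunk")],
}
# Constructed 48-byte stack snapshot for the faulting thread, starting at the address of
# memory range 1 in the sample's MemoryListStream. Two words are a local and a data pointer.
STACK_BASE = 0x43DA3F0860
SAMPLE_STACK = struct.pack("<6Q", 0x0, 0x7FF6A0002388, 0x43DA3F1234,
                           0x7FF6A0001085, 0x7FF8C29E6014, 0x7FF8C31EB021)


def module_for(addr):
    """(name, timestamp, offset) of the module containing addr, or None."""
    for base, size, name, ts in MODULES:
        if base <= addr < base + size:
            return name, ts, addr - base
    return None


def resolve(addr):
    """module!symbol+offset for an address inside a loaded module, else None."""
    hit = module_for(addr)
    if hit is None:
        return None
    name, _ts, off = hit
    best = None
    for soff, sname in SYMBOLS.get(name, []):   # nearest preceding symbol wins
        if soff <= off:
            best = (sname, off - soff)
    return "%s!%s+0x%x" % (name, best[0], best[1]) if best else "%s+0x%x" % (name, off)


def scan_stack(stack_base, stack_bytes, ptr_size=8):
    """Manual 'dd esp' / 'dps rsp': keep every stack word that lands in a module.
    Because this is a scan and not a frame walk, it can also report stale return
    addresses left by earlier calls; a real unwinder uses the CONTEXT and unwind info."""
    fmt = "<Q" if ptr_size == 8 else "<I"
    frames = []
    for off in range(0, len(stack_bytes) - ptr_size + 1, ptr_size):
        (word,) = struct.unpack_from(fmt, stack_bytes, off)
        sym = resolve(word)
        if sym:
            frames.append((stack_base + off, word, sym))
    return frames


def bucket(exception_code, frames, app_module="calc.exe"):
    """Bucket key = (exception code, module name, module timestamp, offset in module) of the
    first frame inside the application, so OS frames above it don't split one defect
    into many buckets. Falls back to the topmost frame when no app frame is present."""
    chosen = None
    for _sp, addr, _sym in frames:
        hit = module_for(addr)
        if hit and hit[0] == app_module:
            chosen = hit
            break
    if chosen is None and frames:
        chosen = module_for(frames[0][1])
    if chosen is None:
        return (exception_code, None, None, None)
    name, ts, off = chosen
    return (exception_code, name, ts, off)


if __name__ == "__main__":
    frames = scan_stack(STACK_BASE, SAMPLE_STACK)
    for sp, word, sym in frames:
        print("%016x  %016x  %s" % (sp, word, sym))
    print("bucket:", bucket(0xC0000005, frames))
```

Keying the bucket on module timestamp plus offset rather than on the resolved name is deliberate: the offset is stable for one build even when symbols are missing (as in the sample session, where the symbol path is invalid), while a name with a different offset inside the same function would otherwise merge unrelated faults.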
Dump file structures indicate how to navigate the file for specific information. They are well documented (the MINIDUMP_* structures in DbgHelp.h) and essentially come down to following RVAs. There are specific structures that represent threads, their saved contexts and the ranges of stack memory from which call stack frames are recovered; the frames themselves are not stored, they are reconstructed from that memory.
Note that, because every stream is reached through an RVA in the directory, reading a dump is a random-access operation rather than a forward-only one: a reader maps or fully buffers the file, reads the header and directory, and then seeks to the streams it needs (thread list, exception stream, the memory ranges holding the stack) to retrieve the stack trace. A forward-only stream can be used only if the whole file is buffered first.
User Mini Dump File: Only registers, stack and portions of memory are available
Symbol search path is: *** Invalid ***
****************************************************************************
* Symbol loading may be unreliable without a symbol search path. *
* Use .symfix to have the debugger choose a symbol path. *
* After setting your symbol path, use .reload to refresh symbol locations. *
****************************************************************************
Executable search path is:
Windows 8 Version 9200 MP (8 procs) Free x64
Product: WinNt, suite: SingleUserTS
Built by: 6.2.9200.16384 (win8_rtm.120725-1247)
Machine Name:
Debug session time: Tue Apr 30 18:37:57.000 2013 (UTC - 7:00)
System Uptime: not available
Process Uptime: 0 days 0:00:45.000
.............................
----- User Mini Dump Analysis
MINIDUMP_HEADER:
Version A793 (62F0)
NumberOfStreams 10
Flags 1105
0001 MiniDumpWithDataSegs
0004 MiniDumpWithHandleData
0100 MiniDumpWithProcessThreadData
1000 MiniDumpWithThreadInfo
Streams:
Stream 0: type ThreadListStream (3), size 00000094, RVA 00000410
3 threads
RVA 00000414, ID 38, Teb:000007F7BC25E000
RVA 00000444, ID 3FFC, Teb:000007F7BC25C000
RVA 00000474, ID 3828, Teb:000007F7BC25A000
Stream 1: type ThreadInfoListStream (17), size 000000CC, RVA 000004A4
RVA 000004B0, ID 38
RVA 000004F0, ID 3FFC
RVA 00000530, ID 3828
Stream 2: type ModuleListStream (4), size 00000C40, RVA 00000570
29 modules
RVA 00000574, 000007f7`bd1c0000 - 000007f7`bd2cb000: 'C:\Windows\System32\calc.exe', 8160
RVA 000005E0, 000007f8`c31d0000 - 000007f8`c338e000: 'C:\Windows\System32\ntdll.dll', 140
RVA 0000064C, 000007f8`c29d0000 - 000007f8`c2b06000: 'C:\Windows\System32\kernel32.dll', 140
RVA 000006B8, 000007f8`c0240000 - 000007f8`c0333000: 'C:\Windows\System32\KERNELBASE.dll', 140
RVA 00000724, 000007f8`c10c0000 - 000007f8`c23a4000: 'C:\Windows\System32\shell32.dll', 140
RVA 00000790, 000007f8`c2530000 - 000007f8`c2580000: 'C:\Windows\System32\shlwapi.dll', 140
RVA 000007FC, 000007f8`c2c50000 - 000007f8`c2df0000: 'C:\Windows\WinSxS\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.9200.16384_none_72771d4ecc1c3a4d\GdiPlus.dll', 140
RVA 00000868, 000007f8`c2580000 - 000007f8`c265e000: 'C:\Windows\System32\advapi32.dll', 140
RVA 000008D4, 000007f8`c2b80000 - 000007f8`c2c43000: 'C:\Windows\System32\oleaut32.dll', 140
RVA 00000940, 000007f8`be9e0000 - 000007f8`beac6000: 'C:\Windows\System32\uxtheme.dll', 140
RVA 000009AC, 000007f8`c2660000 - 000007f8`c27de000: 'C:\Windows\System32\ole32.dll', 140
RVA 00000A18, 000007f8`ba1b0000 - 000007f8`ba419000: 'C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9200.16384_none_418c2a697189c07f\comctl32.dll', 140
RVA 00000A84, 000007f8`c0e20000 - 000007f8`c0f6c000: 'C:\Windows\System32\user32.dll', 140
RVA 00000AF0, 000007f8`c0ce0000 - 000007f8`c0e20000: 'C:\Windows\System32\rpcrt4.dll', 140
RVA 00000B5C, 000007f8`ba5b0000 - 000007f8`ba5d0000: 'C:\Windows\System32\winmm.dll', 140
RVA 00000BC8, 000007f8`c2890000 - 000007f8`c29d0000: 'C:\Windows\System32\gdi32.dll', 140
RVA 00000C34, 000007f8`c1010000 - 000007f8`c10b5000: 'C:\Windows\System32\msvcrt.dll', 140
RVA 00000CA0, 000007f8`c0670000 - 000007f8`c0820000: 'C:\Windows\System32\combase.dll', 140
RVA 00000D0C, 000007f8`c0f70000 - 000007f8`c0fb8000: 'C:\Windows\System32\sechost.dll', 140
RVA 00000D78, 000007f8`ba040000 - 000007f8`ba072000: 'C:\Windows\System32\WINMMBASE.dll', 140
RVA 00000DE4, 000007f8`c0fd0000 - 000007f8`c1009000: 'C:\Windows\System32\imm32.dll', 140
RVA 00000E50, 000007f8`c30b0000 - 000007f8`c31c4000: 'C:\Windows\System32\msctf.dll', 140
RVA 00000EBC, 000007f8`ba420000 - 000007f8`ba5aa000: 'C:\Windows\System32\WindowsCodecs.dll', 140
RVA 00000F28, 000007f8`bb410000 - 000007f8`bb431000: 'C:\Windows\System32\dwmapi.dll', 140
RVA 00000F94, 000007f8`bffb0000 - 000007f8`bffba000: 'C:\Windows\System32\CRYPTBASE.dll', 140
RVA 00001000, 000007f8`bff50000 - 000007f8`bffac000: 'C:\Windows\System32\bcryptPrimitives.dll', 1c0
RVA 0000106C, 000007f8`c05d0000 - 000007f8`c0666000: 'C:\Windows\System32\clbcatq.dll', 140
RVA 000010D8, 000007f8`b9b30000 - 000007f8`b9b99000: 'C:\Windows\System32\oleacc.dll', 140
RVA 00001144, 000007f8`bf250000 - 000007f8`bf2e6000: 'C:\Windows\System32\SHCore.dll', 140
Stream 3: type MemoryListStream (5), size 00000354, RVA 00002D5D
53 memory ranges
range# RVA Address Size
0 000030B1 000007f8`bffb5000 00000000`00000730
1 000037E1 00000043`da3f0860 00000000`00002000
2 000057E1 00000043`da3f2bf0 00000000`00000028
3 00005809 00000043`da3f8c80 00000000`00000008
4 00005811 00000043`da3f94e0 00000000`00000010
5 00005821 000007f8`c2572000 00000000`000014a0
6 00006CC1 00000043`da3fc320 00000000`00000008
7 00006CC9 00000043`da3fc770 00000000`00000410
8 000070D9 000007f8`c0e21e3a 00000000`00000100
9 000071D9 00000043`da4005c0 00000000`00000010
10 000071E9 00000043`da400620 00000000`00000010
11 000071F9 000007f8`c2ae1000 00000000`00001920
12 00008B19 000007f8`c0ff9000 00000000`00001120
13 00009C39 00000043`da415310 00000000`00000410
14 0000A049 000007f8`b9b84000 00000000`00002eec
15 0000CF35 00000043`da446cb0 00000000`00000008
16 0000CF3D 00000043`da446d70 00000000`00000018
17 0000CF55 00000043`da446db0 00000000`00000008
18 0000CF5D 00000043`da44a760 00000000`00000410
19 0000D36D 000007f8`c1939000 00000000`00000009
20 0000D376 000007f8`c2975000 00000000`00003d28
21 0001109E 000007f8`c27aa000 00000000`0000234a
22 000133E8 000007f8`beaa7000 00000000`00003490
23 00016878 000007f8`c0ebd000 00000000`00001ac9
24 00018341 000007f8`c2617000 00000000`000048c6
25 0001CC07 000007f8`c109e000 00000000`00004bda
26 000217E1 00000043`da31d7d8 00000000`00002828
27 00024009 000007f8`c07e4000 00000000`00006e08
28 0002AE11 000007f8`c3308000 00000000`0000a1d0
29 00034FE1 000007f8`c2dc4000 00000000`00001c38
30 00036C19 000007f8`c0654000 00000000`00005790
31 0003C3A9 000007f8`c316c000 00000000`00001d10
32 0003E0B9 000007f8`c2dd8000 00000000`00003164
33 0004121D 000007f8`ba3a6000 00000000`000041c8
34 000453E5 000007f7`bd259000 00000000`0000517c
35 0004A561 000007f8`ba588000 00000000`000039d0
36 0004DF31 000007f8`c2c2c000 00000000`00002204
37 00050135 00000043`df44f8c8 00000000`00000738
38 0005086D 000007f8`ba3cc000 00000000`000055b8
39 00055E25 000007f7`bc254000 00000000`00000388
40 000561AD 000007f8`bf2d1000 00000000`00001080
41 0005722D 000007f7`bc25a000 00000000`00006000
42 0005D22D 000007f8`bf2e0000 00000000`00000009
43 0005D236 000007f8`c0313000 00000000`00003176
44 000603AC 000007f8`ba5c4000 00000000`00001694
45 00061A40 000007f8`c18a4000 00000000`0000e4ac
46 0006FEEC 000007f8`c0fac000 00000000`00002a08
47 000728F4 000007f8`bb423000 00000000`00003420
48 00075D14 000007f8`ba068000 00000000`00002050
49 00077D64 000007f8`c31d311b 00000000`00000100
50 00077E64 00000043`deb9f998 00000000`00000668
51 000784CC 000007f8`c0dfc000 00000000`00001adb
52 00079FA7 000007f8`bffa4000 00000000`00000ce8
Total memory: 77bde
Stream 4: type SystemInfoStream (7), size 00000038, RVA 00000098
ProcessorArchitecture 0009 (PROCESSOR_ARCHITECTURE_AMD64)
ProcessorLevel 0006
ProcessorRevision 2A07
NumberOfProcessors 08
MajorVersion 00000006
MinorVersion 00000002
BuildNumber 000023F0 (9200)
PlatformId 00000002 (VER_PLATFORM_WIN32_NT)
CSDVersionRva 000011B0
Length: 0
Product: WinNt, suite: SingleUserTS
Stream 5: type MiscInfoStream (15), size 00000340, RVA 000000D0
Stream 6: type HandleDataStream (12), size 00000EE8, RVA 0007BB39
95 descriptors, header size is 16, descriptor size is 40
Handle(0000000000000004,"Directory","\KnownDlls")
Handle(0000000000000008,"File","")
Handle(000000000000000C,"File","")
Handle(0000000000000010,"Key","\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SESSION MANAGER")
Handle(0000000000000014,"ALPC Port","")
Handle(0000000000000018,"File","")
Handle(000000000000001C,"Key","\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Sorting\Versions")
Handle(0000000000000020,"Key","\REGISTRY\MACHINE")
Handle(0000000000000000,"","")
Handle(0000000000000028,"Event","")
Handle(000000000000002C,"Event","")
Handle(0000000000000030,"Event","")
Handle(0000000000000034,"Event","")
Handle(0000000000000038,"Event","")
Handle(000000000000003C,"Event","")
Handle(0000000000000000,"","")
Handle(0000000000000044,"Directory","\Sessions\1\BaseNamedObjects")
Handle(0000000000000000,"","")
Handle(000000000000004C,"Event","")
Handle(0000000000000050,"WindowStation","\Sessions\1\Windows\WindowStations\WinSta0")
Handle(0000000000000054,"Desktop","\Default")
Handle(0000000000000058,"WindowStation","\Sessions\1\Windows\WindowStations\WinSta0")
Handle(000000000000005C,"File","")
Handle(0000000000000000,"","")
Handle(0000000000000000,"","")
Handle(0000000000000000,"","")
Handle(0000000000000000,"","")
Handle(0000000000000000,"","")
Handle(0000000000000000,"","")
Handle(0000000000000000,"","")
Handle(0000000000000000,"","")
Handle(0000000000000080,"Semaphore","")
Handle(0000000000000084,"Semaphore","")
Handle(0000000000000000,"","")
Handle(0000000000000000,"","")
Handle(0000000000000000,"","")
Handle(0000000000000000,"","")
Handle(0000000000000000,"","")
Handle(0000000000000000,"","")
Handle(0000000000000000,"","")
Handle(0000000000000000,"","")
Handle(0000000000000000,"","")
Handle(0000000000000000,"","")
Handle(0000000000000000,"","")
Handle(0000000000000000,"","")
Handle(0000000000000000,"","")
Handle(0000000000000000,"","")
Handle(0000000000000000,"","")
Handle(00000000000000C4,"Section","")
Handle(00000000000000C8,"Event","")
Handle(0000000000000000,"","")
Handle(0000000000000000,"","")
Handle(00000000000000D4,"Event","")
Handle(00000000000000D8,"Key","\REGISTRY\USER\S-1-5-21-2127521184-1604012920-1887927527-1877126_CLASSES")
Handle(0000000000000000,"","")
Handle(00000000000000E0,"ALPC Port","")
Handle(00000000000000E4,"Key","\REGISTRY\USER\S-1-5-21-2127521184-1604012920-1887927527-1877126")
Handle(00000000000000E8,"Section","\Windows\Theme3392824991")
Handle(00000000000000EC,"Section","\Sessions\1\Windows\Theme2414463033")
Handle(0000000000000000,"","")
Handle(0000000000000000,"","")
Handle(00000000000000F8,"Key","\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale")
Handle(00000000000000FC,"Key","\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\Alternate Sorts")
Handle(0000000000000100,"Key","\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups")
Handle(0000000000000104,"File","")
Handle(0000000000000108,"Section","")
Handle(000000000000010C,"Key","\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Sorting\Ids")
Handle(0000000000000110,"Event","")
Handle(0000000000000114,"Thread","")
Handle(0000000000000118,"Event","")
Handle(000000000000011C,"Mutant","")
Handle(0000000000000000,"","")
Handle(0000000000000124,"Event","")
Handle(0000000000000128,"Event","")
Handle(000000000000012C,"Event","")
Handle(0000000000000130,"Event","")
Handle(0000000000000134,"Event","")
Handle(0000000000000000,"","")
Handle(000000000000013C,"Section","\BaseNamedObjects\__ComCatalogCache__")
Handle(0000000000000140,"File","")
Handle(0000000000000144,"Key","\REGISTRY\USER\S-1-5-21-2127521184-1604012920-1887927527-1877126_CLASSES")
Handle(0000000000000000,"","")
Handle(000000000000014C,"Event","\KernelObjects\MaximumCommitCondition")
Handle(0000000000000150,"Key","\REGISTRY\MACHINE\SOFTWARE\Microsoft\WindowsRuntime\CLSID")
Handle(0000000000000154,"Key","\REGISTRY\MACHINE\SOFTWARE\Classes\ActivatableClasses\CLSID")
Handle(0000000000000158,"Section","\BaseNamedObjects\__ComCatalogCache__")
Handle(000000000000015C,"Mutant","\Sessions\1\BaseNamedObjects\MSCTF.Asm.MutexDefault1")
Handle(0000000000000160,"Key","\REGISTRY\USER\S-1-5-21-2127521184-1604012920-1887927527-1877126_CLASSES")
Handle(0000000000000164,"Event","")
Handle(0000000000000168,"Event","")
Handle(000000000000016C,"Thread","")
Handle(0000000000000170,"Timer","")
Handle(0000000000000174,"Event","")
Handle(0000000000000000,"","")
Handle(0000000000000184,"Section","\Sessions\1\BaseNamedObjects\windows_shell_global_counters")
Stream 7: type UnusedStream (0), size 00000000, RVA 00000000
Stream 8: type UnusedStream (0), size 00000000, RVA 00000000
Stream 9: type UnusedStream (0), size 00000000, RVA 00000000
Windows 8 Version 9200 MP (8 procs) Free x64
Product: WinNt, suite: SingleUserTS
Built by: 6.2.9200.16384 (win8_rtm.120725-1247)
Machine Name:
Debug session time: Tue Apr 30 18:37:57.000 2013 (UTC - 7:00)
System Uptime: not available
Process Uptime: 0 days 0:00:45.000
Kernel time: 0 days 0:00:00.000
User time: 0 days 0:00:00.000
*** WARNING: Unable to verify timestamp for user32.dll
*** ERROR: Module load completed but symbols could not be loaded for user32.dll
PEB at 000007f7bc254000
Unable to load image C:\Windows\System32\ntdll.dll, Win32 error 0n2
*** WARNING: Unable to verify timestamp for ntdll.dll
*** ERROR: Module load completed but symbols could not be loaded for ntdll.dll
*************************************************************************
*** ***
*** ***
*** Either you specified an unqualified symbol, or your debugger ***
*** doesn't have full symbol information. Unqualified symbol ***
*** resolution is turned off by default. Please either specify a ***
*** fully qualified symbol module!symbolname, or enable resolution ***
*** of unqualified symbols by typing ".symopt- 100". Note that ***
*** enabling unqualified symbol resolution with network symbol ***
*** server shares in the symbol path may cause the debugger to ***
*** appear to hang for long periods of time when an incorrect ***
*** symbol name is typed or the network symbol server is down. ***
*** ***
*** For some commands to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: ntdll!_PEB ***
*** ***
*************************************************************************
error 3 InitTypeRead( nt!_PEB at 000007f7bc254000)...
Finished dump check