Crash Dump Analysis AntiPatterns (Part 4)

A customer reports that application.exe crashes and you ask for a dump file. You get a dump, open it and see that it is not from application.exe at all. You ask for a print spooler crash dump and you get an mplayer.exe crash dump. I originally thought to call it the Wrong Dump pattern and place it into the patterns category, but after writing about Zippocricy I clearly see it as an anti-pattern. It is not rocket science to check the process name in a dump file before sending it for analysis:

  • Load the user process dump in WinDbg
  • Type the command .symfix; .reload; !analyze -v and wait until WinDbg is no longer busy analyzing
  • Find PROCESS_NAME: in the output. You get something like:

PROCESS_NAME: spoolsv.exe

You can also use dumpchk.exe from Debugging Tools for Windows.
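As an added illustration (not code from the original post or from Debugging Tools for Windows), the same process-name check can be scripted offline for a user-mode minidump by reading the first entry of its ModuleListStream. It assumes the first module is the main executable (the usual convention) and uses a constructed sample dump; it does not apply to kernel or complete memory dumps, which use a different format.

```python
import struct

MINIDUMP_SIGNATURE = 0x504D444D  # ASCII "MDMP", little-endian
MODULE_LIST_STREAM = 4           # MINIDUMP_STREAM_TYPE ModuleListStream
MODULE_SIZE = 108                # sizeof(MINIDUMP_MODULE)
NAME_RVA_OFFSET = 20             # offset of ModuleNameRva within MINIDUMP_MODULE
HEADER_SIZE, DIR_ENTRY_SIZE = 32, 12

def minidump_process_name(data: bytes) -> str:
    """Return the file name of the first module (assumed to be the crashing
    executable) in a minidump, or raise ValueError if it cannot be found."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != MINIDUMP_SIGNATURE:
        raise ValueError("not a minidump: MDMP signature missing")
    n_streams, dir_rva = struct.unpack_from("<II", data, 8)
    for i in range(n_streams):
        stype, _size, rva = struct.unpack_from("<III", data, dir_rva + DIR_ENTRY_SIZE * i)
        if stype == MODULE_LIST_STREAM:
            break
    else:
        raise ValueError("no ModuleListStream in dump")
    if struct.unpack_from("<I", data, rva)[0] == 0:
        raise ValueError("module list is empty")
    name_rva = struct.unpack_from("<I", data, rva + 4 + NAME_RVA_OFFSET)[0]
    length = struct.unpack_from("<I", data, name_rva)[0]       # MINIDUMP_STRING.Length (bytes)
    path = data[name_rva + 4 : name_rva + 4 + length].decode("utf-16-le")
    return path.replace("/", "\\").rsplit("\\", 1)[-1]

def dump_matches(data: bytes, expected_exe: str) -> bool:
    """The pre-submission check: does this dump belong to the process we asked for?"""
    return minidump_process_name(data).lower() == expected_exe.lower()

def build_sample_minidump(exe_path: str) -> bytes:
    """Constructed minimal minidump (header, one directory entry, one-module
    ModuleListStream, one MINIDUMP_STRING) used only to exercise the parser."""
    name = exe_path.encode("utf-16-le")
    modlist_rva = HEADER_SIZE + DIR_ENTRY_SIZE
    modlist = bytearray(struct.pack("<I", 1)) + bytearray(MODULE_SIZE)
    name_rva = modlist_rva + len(modlist)
    struct.pack_into("<I", modlist, 4 + NAME_RVA_OFFSET, name_rva)
    header = struct.pack("<IIIIIIQ", MINIDUMP_SIGNATURE, 0xA793, 1, HEADER_SIZE, 0, 0, 0)
    directory = struct.pack("<III", MODULE_LIST_STREAM, len(modlist), modlist_rva)
    mdstring = struct.pack("<I", len(name)) + name + b"\x00\x00"
    return header + directory + bytes(modlist) + mdstring

if __name__ == "__main__":
    sample = build_sample_minidump(r"C:\Windows\System32\spoolsv.exe")
    print("PROCESS_NAME:", minidump_process_name(sample))
```

On a real minidump, read the file bytes and call `dump_matches(data, "application.exe")` before forwarding it.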

I'm also writing a new version of the Citrix DumpCheck Explorer extension that will include the process name in its output.

Another example is when you ask for a complete memory dump but get a kernel dump, or various mini-dumps, instead. Fortunately the DumpCheck extension can warn users before they submit a dump.

- Dmitry Vostokov -

2 Responses to “Crash Dump Analysis AntiPatterns (Part 4)”

  1. Crash Dump Analysis » Blog Archive » Crash Dump Analysis AntiPatterns (Part 12) Says:

    […] forcing the dump of the system via standard keyboard method. Therefore this is also an instance of Wrong Dump […]

  2. Crash Dump Analysis » Blog Archive » Crash Dump Analysis Patterns (Part 104) Says:

    […] similar cases of abridged dumps are discussed in Wrong Dump and Missing […]
