Crash Dump Analysis Patterns (Part 124)

The Environment Hint pattern is useful when a dump is inconsistent or the supporting information is incomplete. It consists mostly of environment variable information that can suggest troubleshooting steps, such as eliminating a product for testing purposes and/or a necessary upgrade, for example:

0: kd> !peb
PEB at 7ffd7000
    InheritedAddressSpace:    No
    ReadImageFileExecOptions: Yes
    BeingDebugged:            No
    ImageBaseAddress:         01000000
    Ldr                       7c8897e0
    Ldr.Initialized:          Yes
    Ldr.InInitializationOrderModuleList: 00081f18 . 000f9e88
    Ldr.InLoadOrderModuleList:           00081eb0 . 000f9e78
    Ldr.InMemoryOrderModuleList:         00081eb8 . 000f9e80
            Base TimeStamp                     Module
         1000000 45d6a03c Feb 17 06:27:08 2007 C:\WINNT\system32\svchost.exe
        7c800000 49900d60 Feb 09 11:02:56 2009 C:\WINNT\system32\ntdll.dll
[...]
    SubSystemData:     00000000
    ProcessHeap:       00080000
    ProcessParameters: 00020000
    WindowTitle:  'C:\WINNT\system32\svchost.exe'
    ImageFile:    'C:\WINNT\system32\svchost.exe'
    CommandLine:  'C:\WINNT\system32\svchost.exe -k rpcss'
    DllPath:      [...]
    Environment:  00010000
        ALLUSERSPROFILE=C:\Documents and Settings\All Users
[...]
        PROTECTIONDIR=C:\Documents and Settings\All Users\Application Data\3rdPartyAntivirus\Protection
[...]
        Path= [...]

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

One Response to “Crash Dump Analysis Patterns (Part 124)”

  1. Dmitry Vostokov Says:

    We can get environment hints from all processes in a complete memory dump by using this command:

    !for_each_process ".process /r /p @#Process; !peb"
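
As an added example (not from the original post or its author), this Python script parses a saved WinDbg log of `!peb` output, for one process or for the whole `!for_each_process` run from the comment above, and lists the environment variables that fall outside a stock-Windows baseline. The baseline list, the function names and the second process in the sample log are assumptions made for illustration.

```python
import re

# Assumption: names stock Windows sets itself; anything else is a hint.
BASELINE = set("""ALLUSERSPROFILE APPDATA COMMONPROGRAMFILES COMPUTERNAME COMSPEC
    HOMEDRIVE HOMEPATH LOGONSERVER NUMBER_OF_PROCESSORS OS PATH PATHEXT TEMP TMP
    PROCESSOR_ARCHITECTURE PROCESSOR_IDENTIFIER PROCESSOR_LEVEL PROCESSOR_REVISION
    PROGRAMFILES SYSTEMDRIVE SYSTEMROOT USERDOMAIN USERNAME USERPROFILE WINDIR""".split())

PEB_RE = re.compile(r"^PEB at ([0-9a-fA-F`]+)")
IMAGE_RE = re.compile(r"^\s+ImageFile:\s+'(.*)'")
ENV_RE = re.compile(r"^\s+Environment:\s+[0-9a-fA-F`]+")
VAR_RE = re.compile(r"^\s+([^=\s][^=]*)=(.*)$")

def parse_pebs(log):
    """Split a WinDbg log into one record per '!peb' block."""
    pebs, cur, in_env = [], {"env": {}}, False
    for line in log.splitlines():
        if m := PEB_RE.match(line):
            cur, in_env = {"peb": m[1], "image": None, "env": {}}, False
            pebs.append(cur)
        elif m := IMAGE_RE.match(line):
            cur["image"] = m[1]
        elif ENV_RE.match(line):
            in_env = True
        elif in_env and (m := VAR_RE.match(line)):
            cur["env"][m[1]] = m[2].strip()
        elif line[:1].strip() and not line.startswith("["):
            in_env = False  # unindented, non-elision line: other output begins

    return pebs

def environment_hints(log):
    """Return (image, name, value) for variables outside the baseline."""
    return [(p["image"], k, v) for p in parse_pebs(log)
            for k, v in p["env"].items() if k.upper() not in BASELINE]

# Constructed sample: the page's svchost excerpt plus one made-up process.
SAMPLE_LOG = r"""PEB at 7ffd7000
    ImageFile:    'C:\WINNT\system32\svchost.exe'
    Environment:  00010000
        ALLUSERSPROFILE=C:\Documents and Settings\All Users
[...]
        PROTECTIONDIR=C:\Documents and Settings\All Users\Application Data\3rdPartyAntivirus\Protection
PEB at 7ffdf000
    ImageFile:    'C:\WINNT\system32\spoolsv.exe'
    Environment:  00010000
        windir=C:\WINNT
        EXAMPLE_AGENT_HOME=C:\Program Files\ExampleAgent
"""
print(*environment_hints(SAMPLE_LOG), sep="\n")
```

To feed it real data, open a log with `.logopen` before running the command and pass the file's contents to `environment_hints`.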
