Software Diagnostics Library

Crash Dump Analysis Patterns (Part 124)

The following pattern is useful for inconsistent dumps or incomplete supporting information: Environment Hint. It is mostly environment variable information for troubleshooting suggestions such as product elimination for testing purposes and / or necessary upgrade, for example:

0: kd> !peb PEB at 7ffd7000 InheritedAddressSpace: No ReadImageFileExecOptions: Yes BeingDebugged: No ImageBaseAddress: 01000000 Ldr 7c8897e0 Ldr.Initialized: Yes Ldr.InInitializationOrderModuleList: 00081f18 . 000f9e88 Ldr.InLoadOrderModuleList: 00081eb0 . 000f9e78 Ldr.InMemoryOrderModuleList: 00081eb8 . 000f9e80 Base TimeStamp Module 1000000 45d6a03c Feb 17 06:27:08 2007 C:\WINNT\system32\svchost.exe 7c800000 49900d60 Feb 09 11:02:56 2009 C:\WINNT\system32\ntdll.dll [...] SubSystemData: 00000000 ProcessHeap: 00080000 ProcessParameters: 00020000 WindowTitle: 'C:\WINNT\system32\svchost.exe' ImageFile: 'C:\WINNT\system32\svchost.exe' CommandLine: 'C:\WINNT\system32\svchost.exe -k rpcss' DllPath: [...] Environment: 00010000 ALLUSERSPROFILE=C:\Documents and Settings\All Users [...] PROTECTIONDIR=C:\Documents and Settings\All Users\Application Data\3rdPartyAntivirus\Protection […] Path= […]

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

This entry was posted on Friday, December 24th, 2010 at 2:08 am and is filed under Crash Dump Analysis, Crash Dump Patterns. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

One Response to “Crash Dump Analysis Patterns (Part 124)”

Dmitry Vostokov Says:
June 23rd, 2015 at 1:18 pm
We can get environment hints from all processes in a complete memory dump by using this command:

!for_each_process “.process /r /p @#Process; !peb”

You must be logged in to post a comment.

Crash Dump Analysis Patterns (Part 124)

One Response to “Crash Dump Analysis Patterns (Part 124)”

Leave a Reply