3 Ways to Analyze Memory Dump (.dmp) File

The dreaded blue screen of death (BSoD) has been around since Windows 95. It is scary because it can happen at any time without warning, and there is no way to recover from it other than restarting the computer. The biggest problem is when you are working on something important and haven’t had a chance to save it: an unexpected blue screen will cause you to lose all or part of your work, depending on how often it is being saved. The blue screen on older versions of Windows also looks a bit scary with all the text and technical information on screen. Fortunately, the blue screen on Windows 8.1 doesn’t look so frightening.
Anything can cause a blue screen in Windows. It can be an unstable driver for a hardware device, 3rd party software such as an antivirus/firewall, or even rootkit-based malware. It can also be caused by an attacker exploiting, or in other words “nuking”, an unpatched Windows. Failing hardware such as memory, CPU and motherboards can also randomly cause a blue screen.
If the blue screen is caused by software, an inexperienced computer technician will have to spend more time determining the culprit through a process of elimination: disabling all 3rd party programs that start up automatically, then enabling them one at a time and testing until the blue screen occurs again. However, the right tools can quickly reveal which software is possibly causing the blue screen so you can work towards fixing the problem. Here we have 3 free tools that can do that.
1. BlueScreenView
BlueScreenView is a small and portable tool developed by NirSoft that is capable of quickly showing you which file caused the blue screen. All you need to do is download the program, run it and it will automatically analyze the minidump files that are created during the blue screen. The top pane shows the dump files while the lower pane shows the offending files that caused the crash. If the blue screen is caused by a third party program, the driver file should be listed in the lower pane.
The drivers that are found in the crash stack will be highlighted, and those are the files that you should pay attention to. Double clicking on a driver file listed in the lower pane will show every detail about the file, such as the stack addresses, size, time stamp, etc. We can see that it was a system driver file belonging to “Resplendence WhoCrashed Crash Dump Test” that caused the blue screen.
It is also possible to generate an HTML report for sharing or logging purposes. Do take note that you’ll need to download a separate 64-bit version of BlueScreenView if you intend to run it on a 64-bit version of Windows.

2. WhoCrashed
WhoCrashed Home Edition also does pretty much the same thing as BlueScreenView except it tries to be more user friendly. You’ll need to click the Analyze button to start analyzing the minidump files and scroll down to see the crash dump analysis report. It shows you which file probably caused the blue screen and the bug check description helps the user to understand better. As you can see from the screenshot below, it says that the crash appears to be a typical software driver bug and is not likely to be caused by a hardware problem.
The Home Edition is free for home use only. You’ll need to purchase the Pro version if you need to run WhoCrashed in a commercial environment or want it to display dump details, kernel stacks and loaded modules. Although WhoCrashed comes as a setup installer, it can actually run as a portable program by simply copying the program’s folder to a USB flash drive and running the executable file.

3. Manually Analyzing Minidumps
Debugging a program to locate the bug so that the problem can be fixed is not an easy task and not something every IT person is capable of. The 2 tools mentioned above are made to be user friendly so that both beginners and experts can tell which offending driver might have caused the blue screen. Although there are quite a few good third party debuggers, WinDbg, a free debugging tool by Microsoft, is commonly used to analyze the minidump file, and it involves command line usage.
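As a first manual look that needs no debugger, the added example below (not from the original article) reads the stop code and its four parameters straight out of a kernel dump header, which lets you triage a dump locally. The signatures and field offsets are assumptions based on publicly documented dump layouts, and the sample header is constructed rather than taken from a real dump.

```python
import struct

# Bug check field offsets in the kernel crash dump header, keyed by the
# 8-byte signature (offsets are an assumption based on publicly documented
# forensic tooling, not on the article).
LAYOUTS = {
    b"PAGEDUMP": (32, 0x28, 0x2C, "<4I"),   # 32-bit kernel dump
    b"PAGEDU64": (64, 0x38, 0x40, "<4Q"),   # 64-bit kernel dump
}

# A few common stop codes; anything else is reported as UNKNOWN.
BUGCHECK_NAMES = {
    0x0A: "IRQL_NOT_LESS_OR_EQUAL",
    0x1A: "MEMORY_MANAGEMENT",
    0x50: "PAGE_FAULT_IN_NONPAGED_AREA",
    0xD1: "DRIVER_IRQL_NOT_LESS_OR_EQUAL",
    0x124: "WHEA_UNCORRECTABLE_ERROR",
}

def parse_dump_header(data: bytes) -> dict:
    """Return the stop code and its four parameters from a kernel dump."""
    sig = data[:8]
    if sig[:4] == b"MDMP":
        raise ValueError("user-mode minidump, not a kernel crash dump")
    if sig not in LAYOUTS:
        raise ValueError(f"unrecognized dump signature {sig!r}")
    bits, code_off, param_off, param_fmt = LAYOUTS[sig]
    if len(data) < param_off + struct.calcsize(param_fmt):
        raise ValueError("file truncated before the bug check fields")
    (code,) = struct.unpack_from("<I", data, code_off)
    params = list(struct.unpack_from(param_fmt, data, param_off))
    return {"bits": bits, "bugcheck": code,
            "name": BUGCHECK_NAMES.get(code, "UNKNOWN"), "params": params}

def make_sample_header() -> bytes:
    """Constructed 64-bit header (not a real dump) with stop code 0xD1."""
    buf = bytearray(0x100)
    buf[0:8] = b"PAGEDU64"
    struct.pack_into("<I", buf, 0x38, 0xD1)
    struct.pack_into("<4Q", buf, 0x40, 0x28, 2, 0, 0xFFFFF80012345678)
    return bytes(buf)

if __name__ == "__main__":
    info = parse_dump_header(make_sample_header())
    print(f"{info['bits']}-bit dump, stop 0x{info['bugcheck']:08X} "
          f"({info['name']})")
    for i, p in enumerate(info["params"], 1):
        print(f"  parameter {i}: 0x{p:016X}")
```

To try it on a real file, pass the first 256 bytes of the .dmp file to parse_dump_header.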
If you do not have WhoCrashed or BlueScreenView at hand, a simple solution is to analyze the memory dump file online. All you need is a web browser with an internet connection to visit the webpage, upload the .dmp file and wait a few seconds for a report to be automatically generated. Follow the simple steps below to analyze a minidump file online.
3b. Click the “Browse” button and select the .dmp file, which is normally located at C:\Windows\Minidump. If UAC is enabled, you need to copy the .dmp file from the Minidump folder to another location such as the Desktop, otherwise you’ll receive an error message saying that “You don’t have permission to open this file.”
3c. Once you’ve selected the .dmp file to analyze, click the “Upload Dump” button. The file size of a minidump .dmp file is normally quite small at around 150KB to 300KB so the upload won’t take very long.
3d. On the analysis report, take note of the MODULE_NAME and IMAGE_NAME, which show the file or program that caused the crash in Windows.
Additional Notes: If it is a file from a third party program or a driver for a hardware device, updating or disabling it can stop the blue screen from happening. If it is a file from Windows, there is a chance that one of the hardware components such as memory, CPU or mainboard is failing. You should run a memory test first, since it is easy to do: press the Start button and type mdsched, which will run the Windows Memory Diagnostic program.
Read More: https://www.raymond.cc/blog/how-to-analyze-memory-dump-dmp-file/
