
I would like help in how I can effectively create and then analyze a dump file for a C++ application that is experiencing random crashes. How can I create a dump file automatically at the time the application crashes? I tried to follow this tutorial that Windows provides: https://learn.microsoft.com/en-us/windows/win32/wer/collecting-user-mode-dumps

But I am not sure if this would apply to my case. Further, using windbg, I tried to open a dump file created simply by Task Manager when the application was using more memory than expected. Results:

For analysis of this file, run !analyze -v
wow64cpu!CpupSyscallStub+0xc:
00000000`77291cbc c3              ret
0:000> !analyze -v
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************

*** WARNING: Unable to verify checksum for RFPrj.exe

KEY_VALUES_STRING: 1

    Key  : Analysis.CPU.Sec
    Value: 1

    Key  : Analysis.DebugAnalysisProvider.CPP
    Value: Create: 8007007e on RTX2LBSAPW1V

    Key  : Analysis.DebugData
    Value: CreateObject

    Key  : Analysis.DebugModel
    Value: CreateObject

    Key  : Analysis.Elapsed.Sec
    Value: 105

    Key  : Analysis.Memory.CommitPeak.Mb
    Value: 72

    Key  : Analysis.System
    Value: CreateObject

    Key  : Timeline.OS.Boot.DeltaSec
    Value: 2236962

    Key  : Timeline.Process.Start.DeltaSec
    Value: 27699


NTGLOBALFLAG:  2000100

APPLICATION_VERIFIER_FLAGS:  80001005

APPLICATION_VERIFIER_LOADED: 1

EXCEPTION_RECORD:  (.exr -1)
ExceptionAddress: 0000000000000000
   ExceptionCode: 80000003 (Break instruction exception)
  ExceptionFlags: 00000000
NumberParameters: 0

FAULTING_THREAD:  00007ac8

PROCESS_NAME:  RFPrj.exe

ERROR_CODE: (NTSTATUS) 0x80000003 - {EXCEPTION}  Breakpoint  A breakpoint has been reached.

EXCEPTION_CODE_STR:  80000003

STACK_TEXT:  
00000000`00ffe848 00000000`77291b99 : 00000023`77311cec 00000000`012f0023 00000000`00000000 00000000`012f6e6c : wow64cpu!CpupSyscallStub+0xc
00000000`00ffe850 00000000`77291199 : 00000000`012ff688 00007ffc`7d00d0c4 00000000`00ffe920 00007ffc`7d00c5e7 : wow64cpu!Thunk2ArgNSpNSpReloadState+0xc
00000000`00ffe900 00007ffc`7d00cfda : 00000000`0106d000 00000000`00820110 00000000`00000000 00000000`00fff180 : wow64cpu!BTCpuSimulate+0x9
00000000`00ffe940 00007ffc`7d00cea0 : 00000000`00000000 00000000`02c2eed8 00000000`00000000 00000000`00000000 : wow64!RunCpuSimulation+0xa
00000000`00ffe970 00007ffc`7f48538d : 00000000`00000010 00000000`00000010 00007ffc`7f4dd120 00000000`0106c000 : wow64!Wow64LdrpInitialize+0x120
00000000`00ffec20 00007ffc`7f47383f : 00000000`00000001 00000000`00000000 00000000`00000000 00000000`00000001 : ntdll!LdrpInitializeProcess+0x1789
00000000`00fff060 00007ffc`7f427cb3 : 00000000`00000000 00007ffc`7f3b0000 00000000`00000000 00000000`0106e000 : ntdll!_LdrpInitialize+0x4bb73
00000000`00fff100 00007ffc`7f427c5e : 00000000`00fff180 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!LdrpInitialize+0x3b
00000000`00fff130 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!LdrInitializeThunk+0xe


SYMBOL_NAME:  wow64cpu!CpupSyscallStub+c

MODULE_NAME: wow64cpu

IMAGE_NAME:  wow64cpu.dll

STACK_COMMAND:  dt ntdll!LdrpLastDllInitializer BaseDllName ; dt ntdll!LdrpFailureData ; ~0s; .ecxr ; kb

FAILURE_BUCKET_ID:  BREAKPOINT_AVRF_80000003_wow64cpu.dll!CpupSyscallStub

OS_VERSION:  10.0.17763.1

BUILDLAB_STR:  rs5_release

OSPLATFORM_TYPE:  x64

OSNAME:  Windows 10

FAILURE_ID_HASH:  {19b8a07b-d2f7-3179-d96e-5eb594405f99}

Followup:     MachineOwner

I am not able to get any useful data from this. I am not sure if my problem is how I am creating the dump, i.e., whether this will only work once I get a dump at the time of the crash. Is there a good walkthrough or tutorial for this?

I have the following tools available: windbg, vs2019.

user010101
  • In most cases you should use `procdump` to capture full memory crash dumps, https://learn.microsoft.com/en-us/sysinternals/downloads/procdump, and for a 32-bit process like yours never capture a 64-bit dump, as it will just be messy to analyze. – Lex Li Jan 07 '22 at 02:18
  • Your 32-bit process is running under WOW, or Windows on Windows, virtual layer; capture the dump using x86 windbg `.dump /ma foo.dmp` and use x86 windbg to analyse (there is more than one flavor of windbg available in the installation path, like x86, x64, arm; go to the x86 folder and run x86 windbg). – blabb Jan 07 '22 at 03:25
  • I don't have procdump installed in the production system. Is there something else I can do to capture the dump? – user010101 Jan 07 '22 at 03:29
  • Use the 32-bit taskmgr.exe of the `syswow64` directory. – ssbssa Jan 07 '22 at 12:22
  • Although the duplicate was originally written with .NET in mind, I'm sure it'll answer your questions and point to the necessary tools. – Thomas Weller Jan 10 '22 at 08:29
  • ProcDump doesn't need an installation. You can just run it from a USB Stick. I would still recommend the WER LocalDumps Registry entry as proposed by blabb – Thomas Weller Jan 10 '22 at 08:55
  • For LocalDumps, see also https://stackoverflow.com/questions/9535676/localdumps-registry-key-stopped-working-windows-error-reporting – Thomas Weller Jan 10 '22 at 08:56


You can configure WER to create and store a dump file.
Below is a walkthrough (OS: Windows 10 64-bit).

The dump file is stored in its default path %LOCALAPPDATA%\CrashDumps.
I have cleared the folder for the demo.

:\>ls %localappdata%\CrashDumps

A simple piece of code for an app that crashes, compiled as a 32-bit binary:

:\>ls
complink.bat  except.cpp

:\>cat complink.bat
cl /Zi /W4 /Gs- /analyze:autolog- /Od except.cpp /link /release /subsystem:windows /entry:main
:\>cat except.cpp
int main (void)
{
        int a = 0;
        int b = 3;
        return b/a;    // deliberate integer divide by zero so the process crashes
}
:\>complink.bat

:\>cl /Zi /W4 /Gs- /analyze:autolog- /Od except.cpp /link /release /subsystem:windows /entry:main
Microsoft (R) C/C++ Optimizing Compiler Version 19.16.27045 for x86
Copyright (C) Microsoft Corporation.  All rights reserved.

except.cpp
Microsoft (R) Incremental Linker Version 14.16.27045.0
Copyright (C) Microsoft Corporation.  All rights reserved.

/out:except.exe
/debug
/release
/subsystem:windows
/entry:main
except.obj

On executing, this will crash but will not create a dump, as WER is not configured to create a dump file:

:\>except.exe

:\>ls %localappdata%\CrashDumps

Configure WER to create a dump file (the regular cautions apply when editing the registry):

:\>reg add "HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps"
The operation completed successfully.

Now executing the app will crash and also write a dump file, which can be loaded in windbg:

:\>ls %localappdata%\CrashDumps
except.exe.1600.dmp

:\>file %localappdata%\CrashDumps\except.exe.1600.dmp
C:\Users\xxxx\AppData\Local\CrashDumps\except.exe.1600.dmp: Mini DuMP crash report, 12 streams, Fri Jan  7 19:23:33 2022, 0x121 type
blabb
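The `file` output above reads only the minidump header ("12 streams", "0x121 type"), and the comments on the question turn on the same header facts: whether the dump is x86 or x64, whether it contains full memory, and whether it records an exception at all. The script below is an added example, not part of the answer or of any Microsoft tool: it parses the MINIDUMP_HEADER, stream directory, SystemInfo and Exception streams with their documented layouts, and reports those facts before you spend time in windbg. The sample dump it builds is constructed inline (the timestamp, thread id, address and the mix of values borrowed from this page are illustrative, not a real capture); point it at a real `.dmp` from %LOCALAPPDATA%\CrashDumps to check one of your own.

```python
import struct
import sys

# Layout of the minidump header and stream directory (MINIDUMP_HEADER, MINIDUMP_DIRECTORY
# in minidumpapiset.h). All fields are little-endian.
MDMP_SIGNATURE = 0x504D444D     # the ASCII bytes "MDMP"
MINIDUMP_VERSION = 0xA793       # low 16 bits of the Version field
HEADER_FMT = "<IIIIIIQ"         # Signature, Version, NumberOfStreams, StreamDirectoryRva, CheckSum, TimeDateStamp, Flags
DIR_FMT = "<III"                # StreamType, DataSize, Rva
SYSINFO_FMT = "<HHHBBIIIIIHH"   # MINIDUMP_SYSTEM_INFO up to the Cpu union (24 more bytes follow)
EXC_FMT = "<IIIIQQII"           # MINIDUMP_EXCEPTION_STREAM: ThreadId, pad, then MINIDUMP_EXCEPTION up to NumberParameters
EXC_STREAM_SIZE = struct.calcsize(EXC_FMT) + 15 * 8 + 8  # + ExceptionInformation[15] + ThreadContext descriptor

# MINIDUMP_TYPE flag bits; these decide how much process memory the dump carries.
MINIDUMP_TYPE_FLAGS = {
    0x001: "MiniDumpWithDataSegs",
    0x002: "MiniDumpWithFullMemory",
    0x004: "MiniDumpWithHandleData",
    0x008: "MiniDumpFilterMemory",
    0x010: "MiniDumpScanMemory",
    0x020: "MiniDumpWithUnloadedModules",
    0x040: "MiniDumpWithIndirectlyReferencedMemory",
    0x080: "MiniDumpFilterModulePaths",
    0x100: "MiniDumpWithProcessThreadData",
    0x200: "MiniDumpWithPrivateReadWriteMemory",
    0x400: "MiniDumpWithoutOptionalData",
    0x800: "MiniDumpWithFullMemoryInfo",
}
STREAM_TYPES = {3: "ThreadListStream", 4: "ModuleListStream", 5: "MemoryListStream",
                6: "ExceptionStream", 7: "SystemInfoStream", 9: "Memory64ListStream",
                14: "UnloadedModuleListStream", 15: "MiscInfoStream", 16: "MemoryInfoListStream"}
ARCH_NAMES = {0: "x86", 5: "ARM", 9: "AMD64", 12: "ARM64"}


def parse_minidump(data: bytes) -> dict:
    """Read the header, walk the stream directory and extract what decides whether a dump
    is worth loading: architecture, OS build, dump type flags and the recorded exception."""
    if len(data) < struct.calcsize(HEADER_FMT):
        raise ValueError("file too short to be a minidump")
    sig, version, nstreams, dir_rva, _csum, timestamp, flags = struct.unpack_from(HEADER_FMT, data, 0)
    if sig != MDMP_SIGNATURE or (version & 0xFFFF) != MINIDUMP_VERSION:
        raise ValueError("not a minidump (bad MDMP signature or version)")
    result = {"timestamp": timestamp, "flags": flags,
              "flag_names": [name for bit, name in MINIDUMP_TYPE_FLAGS.items() if flags & bit],
              "full_memory": bool(flags & 0x002), "streams": [], "system": None, "exception": None}
    entry_size = struct.calcsize(DIR_FMT)
    for i in range(nstreams):
        stype, size, rva = struct.unpack_from(DIR_FMT, data, dir_rva + i * entry_size)
        if rva + size > len(data):
            raise ValueError(f"stream {i} (type {stype}) points past end of file")
        result["streams"].append(STREAM_TYPES.get(stype, f"Stream{stype}"))
        if stype == 7:  # SystemInfoStream: tells you whether this is an x86 or an x64 dump
            arch, _lvl, _rev, _ncpu, _ptype, major, minor, build, *_ = struct.unpack_from(SYSINFO_FMT, data, rva)
            result["system"] = {"arch": ARCH_NAMES.get(arch, str(arch)), "os_version": f"{major}.{minor}.{build}"}
        elif stype == 6:  # ExceptionStream: present when the dump was written for a crash
            tid, _pad, code, _eflags, _rec, addr, nparams, _pad2 = struct.unpack_from(EXC_FMT, data, rva)
            result["exception"] = {"thread_id": tid, "code": code, "address": addr, "num_params": nparams}
    return result


def describe(result: dict) -> str:
    """One-line verdict to read before opening windbg."""
    system = result["system"] or {"arch": "?", "os_version": "?"}
    exc = result["exception"]
    crash = (f"exception 0x{exc['code']:08X} on thread 0x{exc['thread_id']:X}" if exc
             else "no exception stream (not written for a crash)")
    mem = "full memory" if result["full_memory"] else "without full memory"
    return f"{system['arch']} dump, Windows {system['os_version']}, {mem}, {crash}"


def build_sample_minidump() -> bytes:
    """Constructed sample (not a real dump): header, two directory entries, a SystemInfo stream
    and an exception stream, shaped like the answer's 32-bit except.exe crash on build 17763."""
    header_size, entry_size = struct.calcsize(HEADER_FMT), struct.calcsize(DIR_FMT)
    # arch x86, level 6, rev 0, 4 CPUs, workstation, 10.0.17763, Win32 NT platform, no CSD, suite 0x100
    sysinfo = struct.pack(SYSINFO_FMT, 0, 6, 0, 4, 1, 10, 0, 17763, 2, 0, 0x100, 0) + bytes(24)
    # 0xC0000094 is STATUS_INTEGER_DIVIDE_BY_ZERO, what "return b/a" with a == 0 raises.
    # Thread id 0x1234 and address 0x00401010 are placeholders.
    exc = struct.pack(EXC_FMT, 0x1234, 0, 0xC0000094, 0, 0, 0x00401010, 0, 0)
    exc += bytes(EXC_STREAM_SIZE - len(exc))   # ExceptionInformation[] and ThreadContext left zero
    sysinfo_rva = header_size + 2 * entry_size
    exc_rva = sysinfo_rva + len(sysinfo)
    flags = 0x121  # WithDataSegs | WithUnloadedModules | WithProcessThreadData: the "0x121 type" file(1) printed
    header = struct.pack(HEADER_FMT, MDMP_SIGNATURE, MINIDUMP_VERSION, 2, header_size, 0, 1641583413, flags)
    directory = struct.pack(DIR_FMT, 7, len(sysinfo), sysinfo_rva) + struct.pack(DIR_FMT, 6, len(exc), exc_rva)
    return header + directory + sysinfo + exc


if __name__ == "__main__":
    # Usage: python minidump_check.py %LOCALAPPDATA%\CrashDumps\except.exe.1600.dmp
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_minidump()
    print(describe(parse_minidump(data)))
```

A dump that reports AMD64 for a process you know is 32-bit, or that has no ExceptionStream, is the situation the comments describe: taken with the wrong-bitness tool, or taken of a running process rather than at the crash. A full-memory dump (flag 0x2, DumpType 2 in LocalDumps, or procdump's `-ma`) is what you want when the crash involves heap state.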