24 January 2001 - 13:58
There are 6 comments and 1 solution
Logging in NT 4.0
Hi there
I have a WIN NT 4.0 application server that has started core-dumping (crashing) 3-4 times a week.
If I look in the event log there is NO indication of why the server went down.
Does anyone on Eksperten know of a good program that can log in more detail than the normal event log in NT? (Offhand I cannot get NT to log more than it already does.)
PS: No - reinstalling NT is not an acceptable answer :-)
If you have all the symbol files for that server version + service pack, there is a command-line tool from MS that can be used on the core dump file itself.
Dumpexam is a command-line utility that examines a memory dump file, extracts information from it, and writes it to a text file. This text file can then be used by support personnel to determine the cause of the kernel STOP error. In many cases, the dumpexam analysis provides enough information for support personnel to determine the cause of the error without directly accessing the memory dump file.
Three files are required to run dumpexam, and they all must be in the same directory. You can find them on the Windows NT Server or Windows NT Workstation CD in the directory Support\Debug\platform, where platform is I386, Alpha, MIPS, or PowerPC. The first two files are:
· Dumpexam.exe
· Imagehlp.dll
The third file is one of the following, depending on the type of computer on which the memory dump file was generated:
· Kdextx86.dll
· Kdextalp.dll
· Kdextmip.dll
· Kdextppc.dll
You can run dumpexam directly from the product CD with no parameters, if
· The computer on which the dump occurred was running Windows NT version 4.0.
· You have not applied any hot fixes or service packs on that computer.
· The memory dump file you want to examine is in the location specified in the Recovery dialog box.
Dumpexam creates a text file called Memory.txt, located in the same directory as the Memory.dmp file, that contains information extracted from the memory dump file.
You can also use dumpexam to examine memory dump files created on computers running earlier versions of Windows NT. However, you can run it only with Windows NT version 3.51 or 4.0. Therefore, if your memory dump file was created in an earlier version of Windows NT, you must move the memory dump file or access it over the network. In addition, you must replace the Kdext*.dll files listed above with copies from the version of Windows NT that was running on the computer on which the dump occurred. These files contain debug information specific to that version of Windows NT. You must also specify the path to the symbols for the operating system version that was running on that computer.
Syntax for Dumpexam
The syntax for dumpexam is:
dumpexam options CrashDumpFile
where options can include:
Option        Action
-?            Displays the command syntax.
-p            Prints the header only.
-v            Specifies verbose mode.
-f filename   Specifies the output filename and path.
-y path       Sets the symbol search path.
You need to specify the memory dump file path only if you have moved the memory dump file. You need to specify the symbol search path (using the -y option) only if you are using an alternative symbol path. The symbol path for dumpexam can contain several directories, separated by semicolons (;). Because these directories are searched in the order in which they are listed, you list directories with the most recently installed hot fixes or service packs first.
Examples
In the first example, the memory dump file was created on a computer running Windows NT Workstation version 3.51, and no service packs were installed. The symbols are all in the directory C:\Symbols. The memory dump file is in the directory C:\Dump and is called Machine1.dmp. The command line reads as follows:
dumpexam -y c:\symbols c:\dump\machine1.dmp
The results of the exam will be in \Systemroot\Memory.txt.
In the next example, the memory dump file was created on a DEC Alpha computer running Windows NT Server version 3.5, with Service Pack 2 installed. The Service Pack 2 symbols are in D:\Sp2\Symbols. The Windows NT Server 3.5 symbols are on the product CD, which is in the E drive. The memory dump file Memory.dmp is in D:\Temp. The output file is to be put in the same directory as the memory dump file. The command line reads as follows:
dumpexam -y d:\sp2\symbols;e:\support\debug\alpha -f d:\temp\memory.txt d:\temp\memory.dmp
Using the Dumpexam Output File
Dumpexam reads a memory dump file, executes debugger commands on it, and writes the output in a text file, called Memory.txt, by default. The same debugger commands are executed on each memory dump file. A full interpretation of the output requires knowledge of Windows NT kernel processes and the ability to read assembly language; however, there are some guidelines you can follow to get an idea of what the output means.
This section first describes each part of the memory dump file output, giving sample output and a description. Then several common traps are discussed, along with guidelines on which sections of the Memory.txt file can help you determine what caused the kernel STOP error. Because the primary purpose of the dumpexam utility is to create a text file to send to support personnel, the descriptions in this section do not provide complete details of the contents of the Memory.txt file.
The following sections of the Memory.txt file each occur once, as they include information that applies to the whole system. These sections are listed in the order in which they appear in Memory.txt.
Windows NT Crash Dump Analysis
The first section of output is Windows NT Crash Dump Analysis, which looks like the following:
****************************************************************
**
** Windows NT Crash Dump Analysis
**
****************************************************************
*
Filename . . . . . . .c:\temp\dumps\mac.dmp
Signature. . . . . . .PAGE
ValidDump. . . . . . .DUMP
MajorVersion . . . . .free system
MinorVersion . . . . .1057
DirectoryTableBase . .0x0006f005
PfnDataBase. . . . . .0x83fce000
PsLoadedModuleList . .0x800ee5c0
PsActiveProcessHead. .0x800ee590
MachineImageType . . .alpha
NumberProcessors . . .2
BugCheckCode . . . . .0x0000002e
BugCheckParameter1 . .0x00000000
BugCheckParameter2 . .0x00000000
BugCheckParameter3 . .0x00000000
BugCheckParameter4 . .0x00000000
ExceptionCode. . . . .0x80000003
ExceptionFlags . . . .0x00000001
ExceptionAddress . . .0x800bc140
Most of the information here is useful only for determining whether the memory dump file is corrupted. The following items are most important, especially if you did not record any information from the blue screen generated when the computer trapped:
Parameter            Meaning
BugCheckCode         This code lists the number of the stop that occurred. The stop code can be used by support personnel to determine what trap occurred. For information on bug check codes, see Chapter 4, “Message Reference,” in Windows NT Messages. Descriptions of the STOP code message start on page 441 in chapter 4 and are in numerical order. In the preceding example, the code was 0x0000002e, which is a DATA_BUS_ERROR.
BugCheckParameters   These are the four parameters that are normally included with each STOP code. The description of the STOP code in Windows NT Messages includes the meaning of the parameters for some of the kernel STOP Errors.
It is a document I got from Microsoft Technet. And it is MUUUCH longer than what you see here!
/CoRex
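
Added example, not part of the post above or of the Microsoft document it quotes: a Python parser for the "Windows NT Crash Dump Analysis" header of Memory.txt that checks the header looks intact and tallies identical STOP codes across several crashes, which shows whether a server that goes down several times a week is hitting the same STOP each time. The function names, the OTHER and TRUNCATED inputs, and the assumption that every header line uses the dotted-leader layout of the sample are assumptions of this example.

```python
import re
from collections import Counter

# Header lines use dotted leaders: "BugCheckCode . . . . .0x0000002e"
FIELD = re.compile(r"^\s*([A-Za-z]\w*)\s*(?:\.\s*){2,}(\S.*?)\s*$")
# Only the STOP code named in the quoted document; extend from Windows NT Messages.
STOP_NAMES = {0x2E: "DATA_BUS_ERROR"}

def parse_header(text):
    """Return the dotted-leader fields of one Memory.txt as a dict (first hit wins)."""
    fields = {}
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:
            fields.setdefault(m.group(1), m.group(2))
    return fields

def triage(text):
    """Check the header looks intact, then pull out the STOP code and parameters."""
    f = parse_header(text)
    # Signature/ValidDump values are the ones shown in the sample header.
    if f.get("Signature") != "PAGE" or f.get("ValidDump") != "DUMP" or "BugCheckCode" not in f:
        return {"usable": False}
    code = int(f["BugCheckCode"], 16)
    params = tuple(int(f.get("BugCheckParameter%d" % i, "0"), 16) for i in range(1, 5))
    return {"usable": True, "code": code, "params": params,
            "name": STOP_NAMES.get(code, "look up in Windows NT Messages")}

def recurring_stops(reports):
    """Tally identical (STOP code, parameters) pairs, most frequent first."""
    tally = Counter()
    for text in reports:
        t = triage(text)
        tally[(t["code"], t["params"]) if t["usable"] else ("unusable", ())] += 1
    return tally.most_common()

# Header fields copied from the sample output in the quoted document.
SAMPLE = """\
Signature. . . . . . .PAGE
ValidDump. . . . . . .DUMP
BugCheckCode . . . . .0x0000002e
BugCheckParameter1 . .0x00000000
BugCheckParameter2 . .0x00000000
BugCheckParameter3 . .0x00000000
BugCheckParameter4 . .0x00000000
"""
# Constructed inputs: a different STOP code, and a report cut off before BugCheckCode.
OTHER = SAMPLE.replace("0x0000002e", "0x0000000a")
TRUNCATED = "Signature. . . . . . .PAGE\nValidDump. . . . . . .DUMP\n"

if __name__ == "__main__":
    for key, n in recurring_stops([SAMPLE, SAMPLE, OTHER, TRUNCATED]):
        print(n, key)
```

A STOP code that dominates the tally with the same parameters each time points at one recurring fault; reports counted as "unusable" mean the dump or the dumpexam run should be redone before drawing conclusions.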