Q. My machine is crashing and is showing a blue screen. How can I find out what’s causing the crash?

A. When your machine crashes, a memory dump file called memory.dmp is created in your Windows directory. You can use the dumpchk.exe utility to inspect what caused the dump. To use the utility, you must first download and install the symbol package for your OS from http://www.microsoft.com/whdc/devtools/debugging/symbolpkg.mspx. Once the symbols are installed, install the Debugging Tools for Windows from http://www.microsoft.com/whdc/DevTools/Debugging/default.mspx. Versions are available for both 32-bit and 64-bit OSs.

Once you’ve downloaded and installed the symbol package and debugging tool, you can run a check against the memory dump file by using the following command:

dumpchk -y %windir%\symbols %windir%\memory.dmp

Following is the command’s output. Note the “Probably caused by” line, which indicates why the system crashed.

C:\Program Files\Debugging Tools for Windows (x64)>dumpchk -y %windir%\symbols %windir%\memory.dmp
Loading dump file C:\Windows\memory.dmp

Microsoft (R) Windows Debugger Version 6.9.0003.113 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [C:\Windows\memory.dmp]
Kernel Summary Dump File: Only kernel address space is available

Symbol search path is: C:\Windows\symbols
Executable search path is:
Windows Server 2008 Kernel Version 6001 (Service Pack 1) MP (4 procs) Free x64
Product: Server, suite: Enterprise TerminalServer SingleUserTS
Built by: 6001.18000.amd64fre.longhorn_rtm.080118-1840
Kernel base = 0xfffff800`02a61000 PsLoadedModuleList = 0xfffff800`02c26db0
Debug session time: Sun Sep 21 12:30:02.588 2008 (GMT-5)
System Uptime: 2 days 22:08:26.619
Loading Kernel Symbols
................................................................................
....................................................................
Loading User Symbols
PEB is paged out (Peb.Ldr = 000007ff`fffd6018). Type ".hh dbgerr001" for details
Loading unloaded module list
......
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck A, {167, 2, 0, fffff80002a9e835}

Page c27fa not present in the dump file. Type ".hh dbgerr004" for details
PEB is paged out (Peb.Ldr = 000007ff`fffd6018). Type ".hh dbgerr001" for details
PEB is paged out (Peb.Ldr = 000007ff`fffd6018). Type ".hh dbgerr001" for details
Probably caused by : ntkrnlmp.exe ( nt!CcZeroEndOfLastPage+1b5 )

Followup: MachineOwner
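
When you collect crash reports from several machines, the BugCheck and "Probably caused by" lines can be pulled out of saved dumpchk output automatically. The following Python code is an added example, not part of the original answer: the function names are hypothetical, the sample text is constructed from the output above, and the parameter meanings for bug check 0xA are taken from Microsoft's bug check reference.

```python
import re

# Constructed sample: the three triage-relevant lines from the output above.
SAMPLE = """\
Kernel Summary Dump File: Only kernel address space is available
BugCheck A, {167, 2, 0, fffff80002a9e835}
Probably caused by : ntkrnlmp.exe ( nt!CcZeroEndOfLastPage+1b5 )
"""

BUGCHECK_RE = re.compile(r"^BugCheck\s+([0-9A-Fa-f]+),\s*\{([^}]*)\}", re.M)
CAUSE_RE = re.compile(
    r"^Probably caused by\s*:\s*(\S+)"
    r"(?:\s*\(\s*([^!\s]+)!([^+\s)]+)(?:\+([0-9A-Fa-f]+))?\s*\))?", re.M)

def parse_dumpchk(text):
    """Extract bug check code, arguments and probable cause from dumpchk text."""
    # The debugger separates the halves of 64-bit values with a backtick.
    text = text.replace("`", "")
    result = {"bugcheck": None, "args": [], "image": None, "module": None,
              "symbol": None, "offset": None,
              "kernel_only": "Only kernel address space is available" in text}
    m = BUGCHECK_RE.search(text)
    if m:
        result["bugcheck"] = int(m.group(1), 16)
        result["args"] = [int(a.strip(), 16)
                          for a in m.group(2).split(",") if a.strip()]
    c = CAUSE_RE.search(text)
    if c:
        # module/symbol stay None when the line has no module!symbol part.
        result["image"] = c.group(1)
        result["module"], result["symbol"] = c.group(2), c.group(3)
        result["offset"] = int(c.group(4), 16) if c.group(4) else None
    return result

def describe(result):
    """Summarise bug check 0xA (IRQL_NOT_LESS_OR_EQUAL); None for other codes."""
    if result["bugcheck"] != 0xA or len(result["args"]) != 4:
        return None
    addr, irql, access, ip = result["args"]
    op = "write" if access & 1 else "read"  # bit 0 of argument 3: 0=read, 1=write
    return (f"IRQL_NOT_LESS_OR_EQUAL: {op} of {addr:#x} "
            f"at IRQL {irql} from {ip:#x}")

if __name__ == "__main__":
    parsed = parse_dumpchk(SAMPLE)
    print(parsed)
    print(describe(parsed))
```

The fourth argument is the instruction address that made the reference, and the "Probably caused by" line resolves that address to a module, symbol and offset.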
