Crash Dumps for Dummies (Part 3)

Crash dump, repost special, 2007. 5. 13. 23:44, posted by CecilDeSK

This part follows Crash Dumps for Dummies (Part 2), and here I'll try to explain crashes, dumps and postmortem debuggers.

Sometimes a computer (CPU, Central Processing Unit) cannot perform its job because the instruction it is given, to do some calculation or to read or write data, is wrong. Imagine a situation where you are given an address to deliver a message to and you find that it doesn't exist. The following idealized picture shows this situation (if memory locations/addresses are indexed from 0, then -1 is obviously a wrong address):

[Figure: crashexplained2.JPG]

When a CPU references an invalid address it executes a special sequence of actions (called a trap) that ultimately leads to saving memory, so you can later examine its contents and find out which instruction was invalid. If the crash happens inside the Windows operating system, you see a blue screen and then either kernel memory or the whole of the computer's physical memory is saved to a file (called a kernel memory dump or a complete memory dump respectively). If a crash happens in a running application or service, its memory contents are saved to a file (called a user dump). The latter file is also called a postmortem dump, and we call the program that saves it a postmortem debugger. There can be several such programs, and the one specified in the registry to execute whenever a crash happens in a running application or service is called the default postmortem debugger. The following picture illustrates this (here the spooler service, spoolsv.exe, crashed because of a faulty printer driver):

[Figure: postmortemdumps2.JPG]

By default it is Dr. Watson (drwtsn32.exe), but sometimes it doesn't work in a terminal services environment and has limitations, so we always recommend setting NTSD (ntsd.exe) as the default postmortem debugger:

How to Set NTSD as a Default Windows Postmortem Debugger
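As an added example (not the author's or the page's code), here is a PowerShell check of which default postmortem debugger the registry currently points to. It assumes the AeDebug key, where Windows stores this setting (with a Wow6432Node copy for 32-bit processes on 64-bit Windows); the list of debugger executables it recognizes is our own.

```powershell
# Added example, not from the original post: audit the default postmortem
# debugger. The AeDebug key with its 'Debugger' and 'Auto' values, and the
# Wow6432Node path for 32-bit processes on 64-bit Windows, are the real
# registry locations; the classification of known executables is ours.
function Get-PostmortemDebugger {
    param(
        [string[]]$KeyPath = @(
            'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug',
            'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\AeDebug'
        )
    )
    foreach ($key in $KeyPath) {
        if (-not (Test-Path -Path $key)) { continue }   # absent on 32-bit Windows
        $props = Get-ItemProperty -Path $key
        $cmd   = [string]$props.Debugger                 # full command line
        $auto  = [string]$props.Auto                     # '1' = launch without asking

        # The executable is the first token of the command line, quoted when the
        # path contains spaces. Expand %SystemRoot%-style variables before checking.
        $exe = $null
        if     ($cmd -match '^\s*"([^"]+)"') { $exe = $Matches[1] }
        elseif ($cmd -match '^\s*(\S+)')     { $exe = $Matches[1] }
        if ($exe) { $exe = [Environment]::ExpandEnvironmentVariables($exe) }

        $kind = 'not configured'
        if ($exe) {
            $kind = switch -Regex ($exe) {
                'drwtsn32\.exe$' { 'Dr. Watson'; break }
                'ntsd\.exe$'     { 'NTSD'; break }
                'cdb\.exe$'      { 'CDB'; break }
                'windbg\.exe$'   { 'WinDbg'; break }
                default          { 'other' }
            }
        }
        [pscustomobject]@{
            Key       = $key
            Kind      = $kind
            Auto      = ($auto -eq '1')
            Exe       = $exe
            ExeExists = [bool]($exe -and (Test-Path -Path $exe -PathType Leaf))
            Command   = $cmd
        }
    }
}

# Usage: list every configured postmortem debugger; an executable that cannot be
# found means a crashing process would leave no user dump behind.
Get-PostmortemDebugger | Format-Table Key, Kind, Auto, ExeExists, Command -Wrap
```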

I prefer to call both user dumps and kernel/complete memory dumps postmortem (not only user dumps), because they are saved after the application, service or system is already dead (the crash or fatal error has already happened). This distinguishes them from live memory dumps, which are saved manually whenever we want them. This brings us to the dump classification that I will show you in forthcoming parts.

- Dmitry Vostokov -
