Analyzing Windows Process - NotMyFault


I was trying to generate a dump manually on my Dell D630 laptop, which is running on a 32-bit architecture with 2 GB of RAM and a page file set to 1.5 times that. I understand the different ways to generate complete / kernel / mini dumps, but I was interested in running Mark’s NotMyFault tool to generate a complete memory dump; you can find more information about the tool from the link.

One observation I made when trying to set a specific process as the implicit process is that WinDbg throws the following error: “Process <ID> has invalid page directories”. I observe this behavior for any process I try to make implicit.

Why does WinDbg think the page directories are invalid? The page directory is process specific and holds the virtual-to-physical memory mapping, so I would think some of the pages might be missing when capturing the dump? I might be wrong, but I was able to successfully see the thread stack.


Lab :

Step 1 : Download the NotMyFault tool and crash the system manually to generate a complete memory dump (the machine must be configured for a complete memory dump, with a page file at least as large as physical RAM, before the crash).

Step 2 : Launch WinDbg with the symbol path set appropriately and open the dump (File > Open Crash Dump).

Step 3 : Try running .process <EPROCESS address>, which results in the message above (“Process <ID> has invalid page directories”). Note that .process takes the hexadecimal address of the EPROCESS structure, not the PID.

Step 4 : Set the process context and reload the user-mode symbols for the application with .process /r /p <EPROCESS address> (/p forces page-table translation for that process, /r reloads user-mode symbols).

Step 5 : Run !process <EPROCESS address> 7 to list the process and its threads, or !process 0 0 <image name> (for example !process 0 0 notepad.exe) to find the EPROCESS address by image name.

Step 6 : Navigate to the thread you want to debug and run .thread <ETHREAD address>, which prints “Implicit thread is now <address>”.

Step 7 : Run kv to examine the thread stack with frame pointers and arguments.
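Before Step 1, the machine has to be set up so that the crash actually produces a complete memory dump; otherwise NotMyFault leaves you with a kernel or small dump and the process context tricks above have far less to work with. The following is an added example, not code from the original post or from Sysinternals, that checks the crash-dump type in the CrashControl registry key (assumed to hold the standard CrashDumpEnabled and DumpFile values), switches it to a complete dump if needed, and checks that the page file on the boot volume is at least physical RAM + 1 MB, which is the minimum a complete dump needs. It assumes an elevated Windows PowerShell prompt; the Get-WmiObject calls can be swapped for Get-CimInstance on newer PowerShell.

```powershell
# Added example (not from the original post): verify, and if needed set, the
# crash-dump configuration before triggering the crash with NotMyFault.
# Assumptions not stated on the page: the standard CrashControl registry values,
# a page file on the system drive, and an elevated Windows PowerShell prompt.

$crashControl = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'
$cc = Get-ItemProperty -Path $crashControl

# CrashDumpEnabled values: 0 = none, 1 = complete, 2 = kernel, 3 = small (mini)
$dumpTypes = @{ 0 = 'None'; 1 = 'Complete memory dump'; 2 = 'Kernel memory dump'; 3 = 'Small memory dump' }
$type = [int]$cc.CrashDumpEnabled
Write-Output ("CrashDumpEnabled = {0} ({1})" -f $type, $dumpTypes[$type])
Write-Output ("DumpFile         = {0}" -f $cc.DumpFile)

if ($type -ne 1) {
    # Switch to a complete memory dump; the change takes effect after a reboot
    Set-ItemProperty -Path $crashControl -Name CrashDumpEnabled -Value 1 -Type DWord
    Write-Output 'CrashDumpEnabled set to 1 (complete); reboot before crashing the machine.'
}

# A complete dump is first written into the page file on the boot volume, so that
# page file must be at least physical RAM + 1 MB. 1.5 x RAM, as on the page, is enough.
$ramMB = [math]::Ceiling((Get-WmiObject Win32_ComputerSystem).TotalPhysicalMemory / 1MB)
$pageFiles = @(Get-WmiObject Win32_PageFileUsage)
foreach ($pf in $pageFiles) {
    Write-Output ("{0}: {1} MB allocated" -f $pf.Name, $pf.AllocatedBaseSize)
}
$bootPf = $pageFiles | Where-Object { $_.Name -like "$env:SystemDrive*" }
if (-not $bootPf -or $bootPf.AllocatedBaseSize -lt ($ramMB + 1)) {
    Write-Warning ("Page file on {0} is smaller than RAM + 1 MB ({1} MB); a complete dump cannot be written." -f $env:SystemDrive, ($ramMB + 1))
} else {
    Write-Output 'Page file is large enough for a complete memory dump.'
}
```

Run it once, reboot if it changed CrashDumpEnabled, and only then run NotMyFault; the resulting MEMORY.DMP (the DumpFile path printed above) is the file to open in WinDbg at Step 2.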
