Reading a Memory .dmp File

Scenario: A server performed a hard shutdown and restarted. You want to figure out the faulting process that caused this crash.

Steps:

1.  Make sure you have downloaded and installed BlueScreenView and WDK 8 (Windows Driver Kit).

2.  Open BlueScreenView. If you have copied the .dmp files to your computer, make sure you put them in the C:\windows\minidump folder.

Click on the .dmp file and it will tell you which driver caused the blue screen. You can also change the lower pane mode in the Options menu to see the actual blue screen as it appeared on the server, or the drivers in the crash stack. This gives you a first idea of what caused the crash.

3.  To find more information in the crash dump file, use the kernel debugger (kd) that ships with the WDK. Open an elevated Command Prompt and navigate to the following directory: C:\Program Files (x86)\Windows Kits\8.0\Debuggers\x64\

4.  Copy the dump file (.dmp) locally. On Server 2012, minidumps are in the %SystemRoot%\MiniDump folder.

5. Type the following:
                a.  kd -z C:\Windows\memory.dmp (or the path to your .dmp file; -z opens a crash dump)
                b.  .logopen c:\debuglog.txt (everything that follows is written to this log file)
                c.  .sympath srv*c:\symbols*http://msdl.microsoft.com/download/symbols (download symbols from the Microsoft symbol server and cache them in c:\symbols)
                d.  .reload;!analyze -v;r;kv;lmnt;.logclose;q (reload symbols, run the automated crash analysis, dump registers, the stack with parameters and the loaded-module list, then close the log and quit)

6. Review the results by opening c:\debuglog.txt. Search for PROCESS_NAME and the other fields in the !analyze -v output; they identify the faulting process and the module involved in the crash.
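As an added example (not part of the original guide), a small Python script that pulls the PROCESS_NAME, bugcheck and module fields out of the c:\debuglog.txt written in step 5 and walks the STACK_TEXT frames down to the first module outside the kernel itself, which is usually the driver to investigate first. The log excerpt and the "exdrv" driver name are constructed for illustration.

```python
import re

# Constructed excerpt of c:\debuglog.txt from "!analyze -v; kv" (not a real crash; "exdrv" is a made-up driver).
SAMPLE_LOG = """\
IRQL_NOT_LESS_OR_EQUAL (a)
BUGCHECK_STR:  0xA
PROCESS_NAME:  System
STACK_TEXT:
fffff880`0331b3a8 fffff800`0168c1e9 : 00000000`0000000a 00000000`00000010 : nt!KeBugCheckEx
fffff880`0331b3b0 fffff800`0168ae60 : 00000000`00000000 00000000`00000000 : nt!KiBugCheckDispatch+0x69
fffff880`0331b4f0 fffff880`01e2a34c : 00000000`00000000 00000000`00000000 : nt!KiPageFault+0x260
fffff880`0331b680 fffff880`01e29b12 : fffffa80`06b2e010 00000000`00000000 : exdrv!ExdrvReadPort+0x1c
fffff880`0331b6b0 fffff800`0168f8f3 : fffffa80`06b2e010 00000000`00000000 : exdrv!ExdrvDpcRoutine+0x62
MODULE_NAME: exdrv
IMAGE_NAME:  exdrv.sys
FAILURE_BUCKET_ID:  X64_0xA_exdrv+1c
"""

FIELDS = ("BUGCHECK_STR", "PROCESS_NAME", "MODULE_NAME", "IMAGE_NAME", "FAILURE_BUCKET_ID")
FIELD_RE = re.compile(r"^(%s):\s+(.+?)\s*$" % "|".join(FIELDS), re.M)
# STACK_TEXT / kv frame: "<child-sp> <ret-addr> : <args> : module!symbol+off"; unresolved frames do not match.
FRAME_RE = re.compile(r"^[0-9a-f`]+ [0-9a-f`]+ : .*? : ([^!\s]+)!(\S+)\s*$", re.M)
KERNEL_MODULES = {"nt", "hal"}  # frames in these are the bugcheck plumbing, not the cause


def parse_analyze_log(text):
    """Return the !analyze -v summary fields plus STACK_TEXT frames as (module, symbol) tuples."""
    info = dict(FIELD_RE.findall(text))
    info["frames"] = FRAME_RE.findall(text)
    return info


def first_non_kernel_frame(frames):
    """Walk the stack top-down to the first frame outside nt/hal: the module to look at first."""
    for module, symbol in frames:
        if module.lower() not in KERNEL_MODULES:
            return module, symbol
    return None


def summarize(text):
    """Triage record for the dump: what crashed, in which process, and the first suspect frame."""
    info = parse_analyze_log(text)
    return {
        "bugcheck": info.get("BUGCHECK_STR"),
        "process": info.get("PROCESS_NAME"),
        "image": info.get("IMAGE_NAME"),
        "bucket": info.get("FAILURE_BUCKET_ID"),
        "culprit_frame": first_non_kernel_frame(info["frames"]),
        "frame_count": len(info["frames"]),
    }
```

To use it on a real log, pass the contents of c:\debuglog.txt to summarize(); frames the debugger could not resolve to a module (no symbols) are skipped, so fix the symbol path first if culprit_frame comes back empty.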