Çözüldü Minidump Dosyaları Nasıl Analiz Edilir?

Bekir Öztürk · 13 Ağustos 2014

Mavi ekran hatası aldığımızda minidump dosyalarını buraya yüklüyoruz ve anlayan kişiler bize sorunun ne olduğunu söylüyorlar. Bunu kendim Sosyal'deki kişilere sormadan yapmak istiyorum. Ne yapmalıyım? Hangi programı kullanmalıyım?

Recep Baltaş · 16 Ağustos 2018

WDK'dan çıkartılması bence de mükemmel olmuş.

Murat5038 · 17 Ağustos 2018

Wheeler Man dedi:
Önceden WinDbg programı Windows Driver Kit(WDK)'ya dahildi. WDK boyutu da biraz yüksek. Mağaza uygulaması olarak sunmaları güzel olmuş.

Hala kit ile kurulabiliyor. Kitte kurulan boyut ile mağazadaki boyut eşit sayılır.

onlyfatih · 23 Şubat 2019

claus dedi:
Android ile ilgili bir araç var sanırım ? Var ise geçici olarak kaldır.
BIOS güncellenmemiş görünüyor. Intel Wifi sürücünü güncelle.

Evet emulatör var. BIOS'u gönderdiğiniz linkteki exe dosyasını indirdim kurdum. Wifi sürücüsünü kaldırıp tekrar yüklemiştim. Bu dump dosyasını nasıl yorumluyorsunuz ya da okuyorsunuz söyleyebilir misiniz? Her mavi ekran da burayı kullanmak ve sizleri yormak istemiyorum da.

claus · 23 Şubat 2019

Yorabilirsiniz problem yok

onlyfatih · 14 Mart 2019

claus dedi:
Yorabilirsiniz problem yok

Hocam nasıl öğrenebiliriz biraz ipucu falan verebilir misiniz?

claus · 15 Mart 2019

Yıllarca bu işler ile ilgilen zamanla istemesende öğrenirsin

Recep Baltaş · 15 Mart 2019

WinDbg Preview ile açıyoruz:

Sonrasında ekranda gördüğün !analyze -v kısmına tıklıyoruz.

Biraz bekledikten sonra döküm analiz ediliyor:

Ortaya şöyle bir kod çıkıyor:

Kod:

PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced.  This cannot be protected by try-except.
Typically the address is just plain bad or it is pointing at freed memory.
Arguments:
Arg1: ffffb8079e870000, memory referenced.
Arg2: 0000000000000000, value 0 = read operation, 1 = write operation.
Arg3: fffff8041f7c92e0, If non-zero, the instruction address which referenced the bad memory
    address.
Arg4: 0000000000000002, (reserved)

Debugging Details:
------------------


Could not read faulting driver name
*** WARNING: Unable to verify checksum for win32k.sys

KEY_VALUES_STRING: 1


PROCESSES_ANALYSIS: 1

SERVICE_ANALYSIS: 1

STACKHASH_ANALYSIS: 1

TIMELINE_ANALYSIS: 1


DUMP_CLASS: 1

DUMP_QUALIFIER: 400

BUILD_VERSION_STRING:  17763.1.amd64fre.rs5_release.180914-1434

SYSTEM_MANUFACTURER:  LENOVO

SYSTEM_PRODUCT_NAME:  81AX

SYSTEM_SKU:  LENOVO_MT_81AX_BU_idea_FM_V330-15IKB

SYSTEM_VERSION:  Lenovo V330-15IKB

BIOS_VENDOR:  LENOVO

BIOS_VERSION:  6SCN31WW

BIOS_DATE:  02/21/2018

BASEBOARD_MANUFACTURER:  LENOVO

BASEBOARD_PRODUCT:  LNVNB161216

BASEBOARD_VERSION:  NO DPK

DUMP_TYPE:  2

BUGCHECK_P1: ffffb8079e870000

BUGCHECK_P2: 0

BUGCHECK_P3: fffff8041f7c92e0

BUGCHECK_P4: 2

READ_ADDRESS: GetUlongFromAddress: unable to read from fffff8041facb540
fffff8041fb46390: Unable to get MiVisibleState
Unable to get NonPagedPoolStart
Unable to get NonPagedPoolEnd
Unable to get PagedPoolStart
Unable to get PagedPoolEnd
ffffb8079e870000

FAULTING_IP:
nt!memcpy+a0
fffff804`1f7c92e0 f30f6f0411      movdqu  xmm0,xmmword ptr [rcx+rdx]

MM_INTERNAL_CODE:  2

CPU_COUNT: 8

CPU_MHZ: 708

CPU_VENDOR:  GenuineIntel

CPU_FAMILY: 6

CPU_MODEL: 8e

CPU_STEPPING: a

CPU_MICROCODE: 6,8e,a,0 (F,M,S,R)  SIG: 84'00000000 (cache) 84'00000000 (init)

BLACKBOXBSD: 1 (!blackboxbsd)


BLACKBOXPNP: 1 (!blackboxpnp)


CUSTOMER_CRASH_COUNT:  1

DEFAULT_BUCKET_ID:  WIN8_DRIVER_FAULT

BUGCHECK_STR:  AV

PROCESS_NAME:  opera.exe

CURRENT_IRQL:  0

ANALYSIS_SESSION_HOST:  DESKTOP-HH6FM2D

ANALYSIS_SESSION_TIME:  03-15-2019 11:12:43.0707

ANALYSIS_VERSION: 10.0.18317.1001 amd64fre

TRAP_FRAME:  fffffc8c47c77120 -- (.trap 0xfffffc8c47c77120)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=0000000005840000 rbx=0000000000000000 rcx=000001df936f0000
rdx=ffffb6240b180000 rsi=0000000000000000 rdi=0000000000000000
rip=fffff8041f7c92e0 rsp=fffffc8c47c772b8 rbp=0000000000000000
r8=0000000000000000  r9=0000000000000800 r10=ffff9305f32f71f8
r11=000001df936c0000 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei pl nz na po nc
nt!memcpy+0xa0:
fffff804`1f7c92e0 f30f6f0411      movdqu  xmm0,xmmword ptr [rcx+rdx] ds:ffffb803`9e870000=????????????????????????????????
Resetting default scope

LAST_CONTROL_TRANSFER:  from fffff8041f7eb4f7 to fffff8041f7b6b40

STACK_TEXT:
fffffc8c`47c76e38 fffff804`1f7eb4f7 : 00000000`00000050 ffffb807`9e870000 00000000`00000000 fffffc8c`47c77120 : nt!KeBugCheckEx
fffffc8c`47c76e40 fffff804`1f713097 : 00000000`00000110 00000000`00000000 00000000`00000000 ffffb807`9e870000 : nt!MiSystemFault+0x1a2de7
fffffc8c`47c76f80 fffff804`1f7c4683 : 00000002`00000000 00000000`00000000 00000000`00000000 ffffea80`052a0130 : nt!MmAccessFault+0x327
fffffc8c`47c77120 fffff804`1f7c92e0 : fffff804`1f6eaa5e ffffb803`9e840000 00000000`00040000 00000000`05800000 : nt!KiPageFault+0x343
fffffc8c`47c772b8 fffff804`1f6eaa5e : ffffb803`9e840000 00000000`00040000 00000000`05800000 fffff804`1f6e886f : nt!memcpy+0xa0
fffffc8c`47c772c0 fffff804`1fc9e868 : 00000000`05840000 00000000`00040000 00000000`00000001 fffffc8c`47c773f0 : nt!CcCopyBytesToUserBuffer+0x6e
fffffc8c`47c77340 fffff804`1f6e862e : ffffca8b`834dd8b8 00000000`05800000 ffffca8b`00040000 fffff803`00000001 : nt!CcMapAndCopyFromCache+0x128
fffffc8c`47c773e0 fffff803`afdcab1d : fffffc8c`47c77510 00000000`00000000 ffff9305`00100000 00000000`00100000 : nt!CcCopyReadEx+0x12e
fffffc8c`47c77470 fffff803`ad526a28 : 00000000`00000000 00000000`000002b0 ffffca8b`86044c70 00000000`00000000 : Ntfs!NtfsCopyReadA+0x2ad
fffffc8c`47c77730 fffff803`ad523b73 : fffffc8c`47c77820 00000000`00000000 00000000`00000000 ffffca8b`87b44270 : FLTMGR!FltpPerformFastIoCall+0x198
fffffc8c`47c77790 fffff803`ad55d089 : 00000000`00000001 00000000`00000000 00000081`ddbff548 ffffca8b`86044c70 : FLTMGR!FltpPassThroughFastIo+0xd3
fffffc8c`47c777f0 fffff804`1fc7f0cc : ffffca8b`86044c70 00000000`00000000 fffffc8c`47c77a80 ffffca8b`86044c70 : FLTMGR!FltpFastIoRead+0x159
fffffc8c`47c77890 fffff804`1f7c7d85 : ffffffff`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!NtReadFile+0x42c
fffffc8c`47c77990 00007ffc`6f52f724 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x25
00000081`ddbff528 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x00007ffc`6f52f724


THREAD_SHA1_HASH_MOD_FUNC:  19ad1606bfcd149ffe69be2fc3d46535cc77ebf4

THREAD_SHA1_HASH_MOD_FUNC_OFFSET:  f42f3c8876cb04b445bfb5a41a4169cccd393889

THREAD_SHA1_HASH_MOD:  e1ba9cfcf25ede23ae6417a3f58a65d04badb60a

FOLLOWUP_IP:
nt!MiSystemFault+1a2de7
fffff804`1f7eb4f7 cc              int     3

FAULT_INSTR_CODE:  be05f7cc

SYMBOL_STACK_INDEX:  1

SYMBOL_NAME:  nt!MiSystemFault+1a2de7

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: nt

DEBUG_FLR_IMAGE_TIMESTAMP:  0

IMAGE_VERSION:  10.0.17763.253

STACK_COMMAND:  .thread ; .cxr ; kb

IMAGE_NAME:  memory_corruption

BUCKET_ID_FUNC_OFFSET:  1a2de7

FAILURE_BUCKET_ID:  AV_R_INVALID_nt!MiSystemFault

BUCKET_ID:  AV_R_INVALID_nt!MiSystemFault

PRIMARY_PROBLEM_CLASS:  AV_R_INVALID_nt!MiSystemFault

TARGET_TIME:  2019-02-06T08:14:38.000Z

OSBUILD:  17763

OSSERVICEPACK:  253

SERVICEPACK_NUMBER: 0

OS_REVISION: 0

SUITE_MASK:  272

PRODUCT_TYPE:  1

OSPLATFORM_TYPE:  x64

OSNAME:  Windows 10

OSEDITION:  Windows 10 WinNt TerminalServer SingleUserTS

OS_LOCALE:

USER_LCID:  0

OSBUILD_TIMESTAMP:  unknown_date

BUILDDATESTAMP_STR:  180914-1434

BUILDLAB_STR:  rs5_release

BUILDOSVER_STR:  10.0.17763.1.amd64fre.rs5_release.180914-1434

ANALYSIS_SESSION_ELAPSED_TIME:  26ff

ANALYSIS_SOURCE:  KM

FAILURE_ID_HASH_STRING:  km:av_r_invalid_nt!misystemfault

FAILURE_ID_HASH:  {624e8a06-dc22-13e9-d8b0-4e137ca36c13}

Followup:     MachineOwner
---------

Bir diğer Minidump dosyanızın içeriği de şöyle:

Kod:

PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced.  This cannot be protected by try-except.
Typically the address is just plain bad or it is pointing at freed memory.
Arguments:
Arg1: ffff98c686a3f388, memory referenced.
Arg2: 0000000000000000, value 0 = read operation, 1 = write operation.
Arg3: ffff9897375cfca8, If non-zero, the instruction address which referenced the bad memory
    address.
Arg4: 0000000000000002, (reserved)

Debugging Details:
------------------


Could not read faulting driver name

KEY_VALUES_STRING: 1


PROCESSES_ANALYSIS: 1

SERVICE_ANALYSIS: 1

STACKHASH_ANALYSIS: 1

TIMELINE_ANALYSIS: 1


DUMP_CLASS: 1

DUMP_QUALIFIER: 400

BUILD_VERSION_STRING:  17763.1.amd64fre.rs5_release.180914-1434

SYSTEM_MANUFACTURER:  LENOVO

SYSTEM_PRODUCT_NAME:  81AX

SYSTEM_SKU:  LENOVO_MT_81AX_BU_idea_FM_V330-15IKB

SYSTEM_VERSION:  Lenovo V330-15IKB

BIOS_VENDOR:  LENOVO

BIOS_VERSION:  6SCN40WW

BIOS_DATE:  11/01/2018

BASEBOARD_MANUFACTURER:  LENOVO

BASEBOARD_PRODUCT:  LNVNB161216

BASEBOARD_VERSION:  NO DPK

DUMP_TYPE:  2

BUGCHECK_P1: ffff98c686a3f388

BUGCHECK_P2: 0

BUGCHECK_P3: ffff9897375cfca8

BUGCHECK_P4: 2

READ_ADDRESS: GetUlongFromAddress: unable to read from fffff807638da4c0
fffff80763955390: Unable to get MiVisibleState
Unable to get NonPagedPoolStart
Unable to get NonPagedPoolEnd
Unable to get PagedPoolStart
Unable to get PagedPoolEnd
ffff98c686a3f388

FAULTING_IP:
win32kbase!GrepValidateVisRgn+78
ffff9897`375cfca8 8b5558          mov     edx,dword ptr [rbp+58h]

MM_INTERNAL_CODE:  2

CPU_COUNT: 8

CPU_MHZ: 708

CPU_VENDOR:  GenuineIntel

CPU_FAMILY: 6

CPU_MODEL: 8e

CPU_STEPPING: a

CPU_MICROCODE: 6,8e,a,0 (F,M,S,R)  SIG: 96'00000000 (cache) 96'00000000 (init)

BLACKBOXBSD: 1 (!blackboxbsd)


BLACKBOXPNP: 1 (!blackboxpnp)


CUSTOMER_CRASH_COUNT:  1

DEFAULT_BUCKET_ID:  WIN8_DRIVER_FAULT

BUGCHECK_STR:  AV

PROCESS_NAME:  explorer.exe

CURRENT_IRQL:  0

ANALYSIS_SESSION_HOST:  DESKTOP-HH6FM2D

ANALYSIS_SESSION_TIME:  03-15-2019 11:14:33.0376

ANALYSIS_VERSION: 10.0.18317.1001 amd64fre

TRAP_FRAME:  ffff8686dff6f8d0 -- (.trap 0xffff8686dff6f8d0)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=000000000010c259 rbx=0000000000000000 rcx=ffff98c2806e3010
rdx=ffff98c286a3f330 rsi=0000000000000000 rdi=0000000000000000
rip=ffff9897375cfca8 rsp=ffff8686dff6fa60 rbp=ffff98c286a3f330
r8=ffff8686dff6fb08  r9=ffff98c2842f7840 r10=7ffffffffffffffc
r11=ffff8686dff6faf8 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei pl zr na po nc
win32kbase!GrepValidateVisRgn+0x78:
ffff9897`375cfca8 8b5558          mov     edx,dword ptr [rbp+58h] ss:0018:ffff98c2`86a3f388=00000000
Resetting default scope

LAST_CONTROL_TRANSFER:  from fffff807635f5e9b to fffff807635c6440

STACK_TEXT:
ffff8686`dff6f5e8 fffff807`635f5e9b : 00000000`00000050 ffff98c6`86a3f388 00000000`00000000 ffff8686`dff6f8d0 : nt!KeBugCheckEx
ffff8686`dff6f5f0 fffff807`6351a957 : 00000000`00000000 00000000`00000000 00000000`00000000 ffff98c6`86a3f388 : nt!MiSystemFault+0x1ac1db
ffff8686`dff6f730 fffff807`635d3f83 : ffffc707`102502c0 ffff98c2`80613170 00000000`00000000 ffff98c2`808c00c0 : nt!MmAccessFault+0x327
ffff8686`dff6f8d0 ffff9897`375cfca8 : 00000000`0000067c ffff8686`dff6fab8 00000000`80000002 00000000`80000002 : nt!KiPageFault+0x343
ffff8686`dff6fa60 ffff9897`375cedd9 : ffff98c2`80602980 00000000`00000000 00000000`000009b6 00000000`00000000 : win32kbase!GrepValidateVisRgn+0x78
ffff8686`dff6fb00 ffff9897`375d01f4 : ffff98c2`808308c0 00000000`00000000 ffff8686`00004003 ffff98c2`84da0b60 : win32kbase!_GetDCEx+0x1e39
ffff8686`dff6fd10 fffff807`635d7685 : 00007ff6`00000000 ffffc707`102502c0 00000000`00000000 00000000`00000020 : win32kbase!NtUserGetDC+0x164
ffff8686`dff6fe40 00007ffb`267c11e4 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x25
00000000`0375b0f8 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x00007ffb`267c11e4


THREAD_SHA1_HASH_MOD_FUNC:  613b4c59e497ad0e16ec69a99dd5cf4d940b7dce

THREAD_SHA1_HASH_MOD_FUNC_OFFSET:  7f42c30d00d78ac292e88f5cbde0c24bb6c74ebc

THREAD_SHA1_HASH_MOD:  3e1b276afd23cc304eca99dc1018bd8eef691a5f

FOLLOWUP_IP:
win32kbase!GrepValidateVisRgn+78
ffff9897`375cfca8 8b5558          mov     edx,dword ptr [rbp+58h]

FAULT_INSTR_CODE:  4458558b

SYMBOL_STACK_INDEX:  4

SYMBOL_NAME:  win32kbase!GrepValidateVisRgn+78

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: win32kbase

IMAGE_NAME:  win32kbase.sys

DEBUG_FLR_IMAGE_TIMESTAMP:  2b1dc0fa

IMAGE_VERSION:  10.0.17763.316

STACK_COMMAND:  .thread ; .cxr ; kb

BUCKET_ID_FUNC_OFFSET:  78

FAILURE_BUCKET_ID:  AV_R_INVALID_win32kbase!GrepValidateVisRgn

BUCKET_ID:  AV_R_INVALID_win32kbase!GrepValidateVisRgn

PRIMARY_PROBLEM_CLASS:  AV_R_INVALID_win32kbase!GrepValidateVisRgn

TARGET_TIME:  2019-02-20T15:16:07.000Z

OSBUILD:  17763

OSSERVICEPACK:  316

SERVICEPACK_NUMBER: 0

OS_REVISION: 0

SUITE_MASK:  272

PRODUCT_TYPE:  1

OSPLATFORM_TYPE:  x64

OSNAME:  Windows 10

OSEDITION:  Windows 10 WinNt TerminalServer SingleUserTS

OS_LOCALE:

USER_LCID:  0

OSBUILD_TIMESTAMP:  unknown_date

BUILDDATESTAMP_STR:  180914-1434

BUILDLAB_STR:  rs5_release

BUILDOSVER_STR:  10.0.17763.1.amd64fre.rs5_release.180914-1434

ANALYSIS_SESSION_ELAPSED_TIME:  3103

ANALYSIS_SOURCE:  KM

FAILURE_ID_HASH_STRING:  km:av_r_invalid_win32kbase!grepvalidatevisrgn

FAILURE_ID_HASH:  {be63fdb6-af3a-8c3f-467a-4e474f58344d}

Followup:     MachineOwner
---------

Bunları yorumlamak ise tecrübe istiyor. Mesela PAGE_FAULT_IN_NONPAGED_AREA daha çok bellek arızası varsa ortaya çıkan bir hata.

Zaten Dump içinde şöyle bir kısım mevcut:

Kod:

IMAGE_NAME:  memory_corruption

Bu bilgiler ışığında sana ilk olarak bellek testi yapmanı söylüyorum.

Video rehber:

onlyfatih · 16 Mart 2019

Bellek testini belirtildiği gibi yaptım. Benim şüphelendiğim nokta 8 GB RAM'in 4 GB'lık kısmı slotta diğeri anakarta. Acaba bu yüzden sıkıntı çıkarabiliyor olabilir mi?

Çözüldü Minidump Dosyaları Nasıl Analiz Edilir?

Ayrıntılı düzenleme

Bekir Öztürk

Ziyaretçi

Recep Baltaş

Recep Baltaş

Technopat

Murat5038

Yottapat!

onlyfatih

Decapat

claus

Zettapat

onlyfatih

Decapat

claus

Zettapat

Recep Baltaş

Technopat

onlyfatih

Decapat

Benzer konular

Yeni konular

Yeni mesajlar

Gizliliğinize önem veriyoruz