In order to successfully and effectively analyze a dump file it is very important to ensure your environment is configured correctly.
The first step is to ensure symbol paths are set up. This is extremely important to have a successful analysis session. Assuming you want your symbols to be stored on your local hard drive in a directory called “c:\symbols”, you would create a folder structure that looks like “c:\symbols\web” and “c:\symbols\private”. Set the _NT_SYMBOL_PATH and _NT_ALT_SYMBOL_PATH environment variables to “c:\symbols\private;srv*c:\symbols\web*http://msdl.microsoft.com/download/symbols”. This symbol path tells the debugger to look in the private folder first (where you can place your own private symbols as desired) and then in the web folder. If the debugger cannot find the symbol already in the web folder, it will go to the http://msdl.microsoft.com/download/symbols site and download it to the web folder, if it is available.
Note: If either environment variable already exists, do not overwrite its value without understanding the impact, as it could negatively affect other applications that use it. The symbol path is delimited by ‘;’, so you can usually append the string above to the end of the existing value.
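As an added example (not part of the original article), the following PowerShell creates the folder layout described above and appends the symbol path to both variables, honouring the note about not overwriting an existing value. It assumes the “c:\symbols” root used in the text; change $SymRoot if you use another location.

```powershell
# Added example (not from the original article): create the c:\symbols\private
# and c:\symbols\web folders and append the symbol path to _NT_SYMBOL_PATH and
# _NT_ALT_SYMBOL_PATH without overwriting any value that is already there.
# $SymRoot is the location assumed in the text; adjust it if yours differs.
$SymRoot = 'c:\symbols'
$SymPath = "$SymRoot\private;srv*$SymRoot\web*http://msdl.microsoft.com/download/symbols"

# Create the private and web folders (-Force makes this a no-op if they exist).
foreach ($sub in 'private', 'web') {
    New-Item -ItemType Directory -Path (Join-Path $SymRoot $sub) -Force | Out-Null
}

foreach ($var in '_NT_SYMBOL_PATH', '_NT_ALT_SYMBOL_PATH') {
    # Read the persisted per-user value so settings other tools rely on are kept.
    $existing = [Environment]::GetEnvironmentVariable($var, 'User')

    if ([string]::IsNullOrEmpty($existing)) {
        $new = $SymPath
    } elseif (($existing -split ';') -contains "$SymRoot\private") {
        # Our entries are already present; leave the variable untouched.
        Write-Host "$var already contains $SymRoot; not changed"
        continue
    } else {
        # The path is ';' delimited, so append rather than replace.
        $new = "$existing;$SymPath"
    }

    [Environment]::SetEnvironmentVariable($var, $new, 'User')
    Write-Host "$var = $new"
}
```

Values set this way are persisted for the user but are not visible to processes that are already running, so start a new command prompt or WinDBG instance afterwards.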
Next, install the version of “Debugging Tools for Windows” that reflects the architecture of the dump you are analyzing. If your machine is 32-bit you cannot install the 64-bit tools, but on a 64-bit machine both the 32-bit and 64-bit installations can coexist. If the dump was taken from a 64-bit machine under WOW, it will be considered a 32-bit dump. After the package has been installed on one machine, it can be copied to others as required.
*You may have to run the install from an elevated command prompt.
Please remember to check periodically to see if new versions of the debugger exist. The added features can really help ease the debugging process, and new scenarios may be added to the automated analysis feature.
When the install is complete, start WinDBG, which can be found on the Start menu under “Debugging Tools for Windows (x86)” or “Debugging Tools for Windows (x64)” as appropriate. You are immediately presented with a menu, toolbar and status bar, but not much else. Using the View menu, display the following windows (drag and dock them to your desired location, remembering they can be stacked as appropriate):
1) Command: This is the main window in which you enter your debugging commands and review the output (I place this one front and centre).
2) Locals: Displays the local variables and parameters for the current frame (a frame is a function call on the call stack).
3) Registers: Displays the CPU register values that are associated with the current frame.
4) Memory: Displays the memory at a specific location.
5) Call Stack: Displays the chain of function calls for the current thread with the most recent at the top.
6) Processes and Threads: Displays the processes and threads associated with the dump being analyzed. The current thread will be highlighted in bold.
It can take some time to get the windows docked successfully, but it is worth the effort.
Next you will want to set up the symbol, image and source paths for the environment. Select “Symbol File Path…” from the File menu and a dialog box will be displayed. Enter the same symbol path in this dialog that was entered into the _NT_SYMBOL_PATH environment variable above. Click the OK button.
Create two folders on your hard drive, one for image files (binaries) and the other for source files. For the next steps we will assume your folders were created as “c:\images” and “c:\source”.
Select “Image File Path…” from the File menu. Enter “C:\images” and click the OK button. Select “Source File Path…” from the File menu. Enter “C:\source” and click the OK button. If you are using a source server or have a default location for it, you can change the source path appropriately.
Select “Save Workspace” from the File menu.
*If you forget to save the workspace you will have to perform the steps above again when you open the next dump file.
To ensure your symbol path is set up correctly, open a memory dump by selecting “Open Crash Dump…” from the File menu. Wait until the command window displays something like “0:0>”. This may take some time, as it is the first time running WinDBG and it should be pulling symbols from the internet.
Open the “c:\symbols\web” folder and you should see subfolders with names like “AcLayers.dll” (this folder may not be found there but is used as an example).