WinDbg from Microsoft is a powerful kernel-level debugger, but I like to use it to analyze the dump files produced when a client program crashes (for how to generate a dump file from a running process, see another repost: http://blog.csdn.net/boythl/archive/2008/09/02/2868344.aspx).
The most commonly used analysis command in WinDbg is !analyze -v; its output shows the detailed call stack directly. The other is lmv, which lists detailed information about the currently loaded modules.
The text below is reproduced from the WinDbg help file: the first part is an introduction, the second part details the !analyze command, and the third part details the lm command.
============================================================================
User-mode memory dump files can be analyzed by WinDbg. The processor or Windows version that the dump file was created on does not need to match the platform on which WinDbg is being run.
Before analyzing the memory dump file, you will need to install the symbol files for the version of Windows that generated the dump file. These files will be used by the debugger you choose to use to analyze the dump file. For more information about the proper installation of symbol files, see Installing Windows Symbol Files.
You will also need to install all the symbol files for the user-mode process, either an application or system service, that caused the system to generate the dump file. If this code was written by you, the symbol files should have been generated when the code was compiled and linked. If this is commercial code, check on the product CD-ROM or contact the software manufacturer for these particular symbol files.
To analyze a dump file, start WinDbg with the -z command-line option:
windbg -y SymbolPath -i ImagePath -z DumpFileName
The -v option (verbose mode) is also useful. For a full list of options, see WinDbg Command-Line Options.
If WinDbg is already running and is in dormant mode, you can open a crash dump by selecting the File | Open Crash Dump menu command or pressing the CTRL+D shortcut key. When the Open Crash Dump dialog box appears, enter the full path and name of the crash dump file in the File name text box, or use the dialog box to select the proper path and file name. When the proper file has been chosen, click Open.
You can also open a dump file after the debugger is running by using the .opendump (Open Dump File) command, followed by g (Go).
It is possible to debug multiple dump files at the same time. This can be done by including multiple -z switches on the command line (each followed by a different file name), or by using .opendump to add additional dump files as debugger targets. For information about how to control a multiple-target session, see Debugging Multiple Targets.
Dump files generally end with the extension .dmp or .mdmp. You can use network shares or Universal Naming Convention (UNC) file names for the memory dump file.
It is also common for dump files to be packed into a CAB file. If you specify the file name (including the .cab extension) after the -z option or as the argument to an .opendump command, the debugger can read the dump files directly out of the CAB. However, if there are multiple dump files stored in a single CAB, the debugger will only be able to read one of them. The debugger will not read any additional files from the CAB, even if they were symbol files or executables associated with the dump file.
Analysis of a full user dump file is similar to analysis of a live debugging session. See the Debugger Commands reference section for details on which commands are available for debugging dump files in user mode.
Analysis of a user-mode minidump file is done in the same way as a full user dump. However, since much less memory has been preserved, you are much more limited in the actions you can perform. Commands that attempt to access memory beyond what is preserved in the minidump file will not function properly.
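To make the previous paragraph concrete, here is an added example (not from the help file or from the original post) that reads the public minidump layout from DbgHelp.h: MINIDUMP_HEADER, the MINIDUMP_DIRECTORY entries, and the MemoryListStream that lists which virtual ranges were captured. read_virtual() answers a read the way the debugger has to: bytes only if the whole request falls inside a captured range, otherwise nothing, which is exactly why commands that touch memory outside the dump fail. The dump bytes are constructed inline by build_sample_minidump(); the addresses, sizes and timestamp in it are made up for the example.

```python
"""Why a minidump 'does not have' memory: the dump records only the ranges listed in
its MemoryListStream. This parser reads the public MINIDUMP_HEADER / MINIDUMP_DIRECTORY
/ MINIDUMP_MEMORY_LIST layouts (from DbgHelp.h) and answers reads the way the debugger
must: an address outside every captured range is unreadable. The dump bytes are
constructed in build_sample_minidump(), not taken from a real crash."""
import struct

MDMP_SIGNATURE = 0x504D444D            # 'MDMP' as a little-endian DWORD
MINIDUMP_VERSION = 0xA793              # low 16 bits of MINIDUMP_HEADER.Version
STREAM_NAMES = {0: "UnusedStream", 3: "ThreadListStream", 4: "ModuleListStream",
                5: "MemoryListStream", 6: "ExceptionStream", 7: "SystemInfoStream",
                9: "Memory64ListStream", 16: "MemoryInfoListStream"}
THREAD_LIST_STREAM, MEMORY_LIST_STREAM = 3, 5


def stream_directory(data):
    """Return [(stream_type, data_size, rva), ...] from MINIDUMP_HEADER/MINIDUMP_DIRECTORY."""
    sig, version, nstreams, dir_rva, _checksum, _timestamp, _flags = \
        struct.unpack_from("<IIIIIIQ", data, 0)          # 32-byte header, no padding
    if sig != MDMP_SIGNATURE or (version & 0xFFFF) != MINIDUMP_VERSION:
        raise ValueError("not a minidump")
    # each directory entry is StreamType + MINIDUMP_LOCATION_DESCRIPTOR {DataSize, Rva}
    return [struct.unpack_from("<III", data, dir_rva + 12 * i) for i in range(nstreams)]


def memory_ranges(data):
    """[(virtual_start, size, rva_in_file), ...] from the MemoryListStream, if present."""
    for stype, _size, rva in stream_directory(data):
        if stype == MEMORY_LIST_STREAM:
            (count,) = struct.unpack_from("<I", data, rva)
            # MINIDUMP_MEMORY_DESCRIPTOR: StartOfMemoryRange (u64), DataSize (u32), Rva (u32)
            return [struct.unpack_from("<QII", data, rva + 4 + 16 * i) for i in range(count)]
    return []


def read_virtual(data, address, length):
    """The debugger's 'db address' against a minidump: bytes only if the whole request
    lies inside one captured range, otherwise None (WinDbg shows ???? / memory access error)."""
    for start, size, rva in memory_ranges(data):
        if start <= address and address + length <= start + size:
            offset = rva + (address - start)
            return data[offset:offset + length]
    return None


def build_sample_minidump():
    """Constructed minidump: header, 2-entry directory, empty thread list, and a
    MemoryListStream capturing 16 bytes at the image base and 8 bytes of stack."""
    header_len, ndir = 32, 2
    thread_list_rva = header_len + 12 * ndir               # directory sits right after header
    thread_list = struct.pack("<I", 0)                     # MINIDUMP_THREAD_LIST, 0 threads
    mem_list_rva = thread_list_rva + len(thread_list)
    ranges = [(0x00400000, b"MZ\x90\x00" + b"\x00" * 12),                 # start of PE header
              (0x0012F000, struct.pack("<II", 0x0040100A, 0x0012F040))]  # a slice of stack
    mem_list_len = 4 + 16 * len(ranges)
    payload_rva = mem_list_rva + mem_list_len
    descriptors, payload = b"", b""
    for start, blob in ranges:
        descriptors += struct.pack("<QII", start, len(blob), payload_rva + len(payload))
        payload += blob
    mem_list = struct.pack("<I", len(ranges)) + descriptors
    directory = (struct.pack("<III", THREAD_LIST_STREAM, len(thread_list), thread_list_rva) +
                 struct.pack("<III", MEMORY_LIST_STREAM, mem_list_len, mem_list_rva))
    header = struct.pack("<IIIIIIQ", MDMP_SIGNATURE, MINIDUMP_VERSION, ndir, header_len,
                         0, 0x48BCB8C0, 0)    # CheckSum, TimeDateStamp (made up), Flags
    return header + directory + thread_list + mem_list + payload


if __name__ == "__main__":
    dump = build_sample_minidump()
    for stype, size, rva in stream_directory(dump):
        print(STREAM_NAMES.get(stype, stype), size, rva)
    print(read_virtual(dump, 0x00400000, 2))   # captured: b'MZ'
    print(read_virtual(dump, 0x00401000, 4))   # not captured: None
```

A full user dump carries the whole address space, so read_virtual() would succeed for any mapped address; against a minidump the same read fails once it leaves the captured ranges, and a request that straddles the end of a range (the last test below) fails too, which is the behaviour the help text is warning about.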
For techniques that can be used to read specific kinds of information from a dump file, see Extracting Information from a Dump File.
The !analyze extension displays information about the current exception or bug check.
User-Mode
!analyze [-v] [-f | -hang] [-D BucketID]
!analyze -c [ -load KnownIssuesFile | -unload | -help ]
Kernel-Mode
!analyze [-v] [-f | -hang] [-D BucketID]
!analyze -c [ -load KnownIssuesFile | -unload | -help ]
!analyze -show BugCheckCode [BugParameters]
Before you run this extension in user mode, consider changing the current thread to the thread that you think has stopped responding (that is, hung), because the exception might have changed the current thread to a different one.
-D BucketID Displays only those items that are relevant to the specified BucketID.
-show Displays information about the specified bug check code.
-c Continues execution when the debugger encounters a known issue. If the issue is not a "known" issue, the debugger remains broken into the target. You can use the -c option with the following subparameters. These subparameters configure the list of known issues. They do not cause execution to occur by themselves. Until you run !analyze -c -load at least one time, !analyze -c has no effect.
The list of known issues in the KnownIssuesFile file is used for all later !analyze -c commands until you use !analyze -c -unload, or until you use !analyze -c -load again (at which point the new data replaces the old data).
Platform | DLL |
Windows NT 4.0 | Ext.dll |
Windows 2000 | Ext.dll |
Windows XP and later | Ext.dll |
In user mode, the !analyze and !analyze -v extensions display information about the current exception.
In kernel mode, these extensions display information about the most recent bug check. If a bug check occurs, the !analyze display is automatically generated. You can use !analyze -v to show additional information. If you want to see only the basic bug check parameters, you can use the .bugcheck (Display Bug Check Data) command.
You can use the !analyze -show extension command to display information about an individual bug check code. This display is not affected by the current status of the target computer.
The following example shows the results of !analyze after a breakpoint is hit.
0:000> !analyze
Last event: Hit breakpoint 10000
For sample analysis of a user-mode exception and of a kernel-mode stop error (that is, crash), and for more information about how !analyze uses the triage.ini file, see Using the !analyze Extension.
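The command line from the introduction (-y SymbolPath, -i ImagePath, -z DumpFileName) and the two commands the post recommends (!analyze -v, then lmv) are easy to script, which is how I would triage a batch of client crash dumps rather than opening each one by hand. The following is an added example, not code from the help file or the original post. It uses cdb.exe, the console front end to the same debugger engine, with -c to run the commands unattended; the cdb switches used (-y, -i, -z, -c) are documented ones, while the debugger output in SAMPLE_OUTPUT is constructed for the example (module names, addresses and paths are made up). The parser pulls the exception record, PROCESS_NAME, STACK_TEXT and FAILURE_BUCKET_ID from !analyze -v and the module table from lmv, then runs two checks worth doing before trusting any stack: a faulting address that lies in no loaded module, and frames through modules that have no PDB symbols.

```python
"""Batch triage of a user-mode crash dump with cdb: build the -y/-i/-z command line,
run '!analyze -v; lmv; q', parse the result, and flag what deserves a closer look.
SAMPLE_OUTPUT is constructed for this example, not captured from a real session."""
import re
import subprocess

TRIAGE_COMMANDS = "!analyze -v; lmv; q"   # the same commands you would type in WinDbg


def build_cdb_command(dump, symbol_path, image_path=None, cdb="cdb.exe"):
    # cdb takes the same -y/-i/-z switches as windbg; -c runs commands once the dump loads
    args = [cdb, "-y", symbol_path]
    if image_path:
        args += ["-i", image_path]
    return args + ["-z", dump, "-c", TRIAGE_COMMANDS]


def run_triage(dump, symbol_path, image_path=None):
    proc = subprocess.run(build_cdb_command(dump, symbol_path, image_path),
                          capture_output=True, text=True, check=False)
    return parse_triage(proc.stdout)


EXC_CODE_RE = re.compile(r"^\s*ExceptionCode:\s*([0-9a-f]+)", re.M)
EXC_ADDR_RE = re.compile(r"^ExceptionAddress:\s*([0-9a-f`]+)", re.M)
FIELD_RE = re.compile(r"^(PROCESS_NAME|FAILURE_BUCKET_ID):\s*(\S+)", re.M)
# lm module line: start end name (symbol status) [symbol file]
MODULE_RE = re.compile(r"^([0-9a-f`]{8,17}) ([0-9a-f`]{8,17})\s+(\w+)\s+\((.*?)\)")


def _hex(s):
    return int(s.replace("`", ""), 16)   # 64-bit addresses print with a backtick


def parse_triage(text):
    report = {"exception_code": None, "exception_address": None, "process": None,
              "bucket": None, "stack": [], "modules": []}
    m = EXC_CODE_RE.search(text)
    if m:
        report["exception_code"] = _hex(m.group(1))
    m = EXC_ADDR_RE.search(text)
    if m:
        report["exception_address"] = _hex(m.group(1))
    for field, value in FIELD_RE.findall(text):
        report["process" if field == "PROCESS_NAME" else "bucket"] = value
    lines = text.splitlines()
    # STACK_TEXT: one frame per line until the first blank line; last column is the symbol
    for i, line in enumerate(lines):
        if line.startswith("STACK_TEXT:"):
            for frame in lines[i + 1:]:
                if not frame.strip():
                    break
                report["stack"].append(frame.split()[-1])
            break
    # lmv: a module line followed by indented detail lines (Image path:, Timestamp:, ...)
    current = None
    for line in lines:
        m = MODULE_RE.match(line)
        if m:
            current = {"name": m.group(3), "start": _hex(m.group(1)), "end": _hex(m.group(2)),
                       "symbols": m.group(4), "image_path": None}
            report["modules"].append(current)
        elif current and line.lstrip().startswith("Image path:"):
            current["image_path"] = line.split(":", 1)[1].strip()
    return report


def triage_flags(report):
    """A faulting IP outside every loaded module means code ran from stack or heap
    (a control-flow hijack candidate); frames through modules without PDB symbols
    may be unwound wrongly, so the stack above them should not be trusted blindly."""
    flags = []
    ip = report["exception_address"]
    if ip is not None and not any(m["start"] <= ip < m["end"] for m in report["modules"]):
        flags.append("ip-outside-any-module")
    for m in report["modules"]:
        if m["symbols"] not in ("deferred", "pdb symbols", "private pdb symbols"):
            flags.append("unreliable-stack:" + m["name"])
    return flags


# Constructed sample of what cdb prints for TRIAGE_COMMANDS (not real output).
SAMPLE_OUTPUT = r"""
0:000> !analyze -v
EXCEPTION_RECORD:  ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 0012ff40
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000008
   Parameter[1]: 0012ff40
Attempt to execute non-executable address 0012ff40

PROCESS_NAME:  client.exe

STACK_TEXT:
0012f8e8 0012ff40 00000000 00000000 00000000 0x0012ff40
0012f8ec 00401234 00000000 00000000 00000000 client!ParseMessage+0x54
0012f9a0 0040100a 00000000 00000000 00000000 client!main+0x3a

FAILURE_BUCKET_ID:  BAD_IP_c0000005_client.exe!ParseMessage

0:000> lmv
start    end        module name
00400000 0040c000   client     (deferred)
    Image path: C:\work\client.exe
10000000 10008000   plugin     (export symbols)       plugin.dll
    Image path: C:\work\plugins\plugin.dll
7c800000 7c8f6000   kernel32   (pdb symbols)          c:\symbols\kernel32.pdb\kernel32.pdb
    Image path: C:\WINDOWS\system32\kernel32.dll
"""

if __name__ == "__main__":
    report = parse_triage(SAMPLE_OUTPUT)
    print(report["bucket"], report["stack"], triage_flags(report))
```

In the constructed sample the exception address is on the stack (0x0012ff40) and no module covers it, so the first flag fires; that pattern, together with an execute-fault parameter, is what separates a crash worth a security review from an ordinary null dereference. The second flag marks the plugin module, whose "(export symbols)" status means the unwinder only has exported names to work with.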
================================================
The lm command displays the specified loaded modules. The output includes the status and the path of the module.
lm Options [a Address] [m Pattern | M Pattern]
In addition, you can include only one of the following options. If you do not include any of these options, the display includes the symbol file name.
Note: In most cases, the module name is the file name without the file name extension. For example, if you want to display information about the Flpydisk.sys driver, use the lm mflpydisk command, not lm mflpydisk.sys. In some cases, the module name differs significantly from the file name. For more information, see Executable Image Path.
M Pattern Specifies a pattern that the image path must match. Pattern can contain a variety of wildcard characters and specifiers. For more information about the syntax of this information, see String Wildcard Syntax.
Environment | Value |
Modes | User mode, kernel mode |
Targets | Live, crash dump |
Platforms | All |
The lm command lists all of the modules and the status of symbols for each module.
Microsoft Windows Server 2003 and later versions of Windows maintain an unloaded module list for user-mode processes. When you are debugging a user-mode process or dump file, the lm command also shows these unloaded modules.
This command shows several columns or fields, each with a different title. Some of these titles have specific meanings:
The following code example shows the lm command with a Windows Server 2003 target computer. This example includes the m and s* options, so only modules that begin with "s" are displayed.
kd> lm m s*
start end module name
f9f73000 f9f7fd80 sysaudio (deferred)
fa04b000 fa09b400 srv (deferred)
faab7000 faac8500 sr (deferred)
facac000 facbae00 serial (deferred)
fb008000 fb00ba80 serenum e:/mysymbols/SereEnum.pdb/.......
fb24f000 fb250000 swenum (deferred)
Unloaded modules:
f9f53000 f9f61000 swmidi.sys
fb0ae000 fb0b0000 splitter.sys
fb040000 fb043000 Sfloppy.SYS