This article teaches you how to examine the dump files on your Windows computer after it has crashed. Dump files, which Windows creates automatically after a crash, show a list of programmes that were running prior to the crash; this can help you determine which programmes caused it. If you’re expecting another crash or want to test a programme, you can analyse your dump files with a free programme called BlueScreenView. You can also open dump files from a previous crash using the free Windows 10 Drivers Kit.
Reading with BlueScreenView, Part 1
1. Open Start. Click the Windows logo in the bottom-left corner of the screen.
2. Enter view advanced system settings in the search box. This will look for the Advanced System Settings section of Control Panel on your computer.
3. View advanced system settings by clicking the View advanced system settings button. It’s a computer monitor with a checkmark icon in the Start menu. This brings up the Advanced System Settings window.
4. Navigate to the Advanced tab. This is visible at the top of the window.
To open the Advanced System Settings window, you may need to first click the computer monitor-shaped icon at the bottom of the screen.
5. Select Settings. It’s near the bottom of the page, just below the “Startup and Recovery” heading. This will bring up a new window.
6. Select “Write debugging information” from the drop-down menu. This box can be found in the middle of the separate window. When you click it, a drop-down menu appears.
7. Small memory dump should be selected. It’s available in the drop-down menu. This option allows you to read future memory dumps with a simple file explorer like BlueScreenView.
8. Click the OK button. It is located at the bottom of the window. The window will close and you will be returned to the Advanced System Settings window.
9. Click the OK button. This saves your modifications and closes the Advanced System Settings window.
10. Navigate to the BlueScreenView page. In your browser, navigate to https://www.nirsoft.net/utils/blue_screen_view.html. BlueScreenView is a programme that finds and analyses dump files for you, allowing you to see which programmes were running immediately before a crash.
11. BlueScreenView can be downloaded here. Scroll down to the middle of the page and click the Download BlueScreenView with full install/uninstall support link.
12. Open the BlueScreenView installation file. Double-click the bluescreenview setup file in the “Downloads” folder on your computer.
13. Install BlueScreenView. To do so:
Click Yes when prompted.
Wait for BlueScreenView to install.
14. Launch BlueScreenView. Check the “Run NirSoft BlueScreenView” box, then click Finish at the bottom of the window. BlueScreenView will be launched.
15. Examine your dump files. BlueScreenView has a top and bottom pane; the dump file(s) will be listed in the top pane, while the programmes recorded by the currently selected dump file will be listed in the bottom pane.
By clicking on a dump file in the top pane, you can select it.
The crash was most likely caused by at least one of the programmes recorded by the dump file.
Reading with the Windows Drivers Kit, Part 2
1. Navigate to the Windows 10 Drivers Kit page. In your browser, navigate to https://docs.microsoft.com/en-us/windows-hardware/drivers/download-the-wdk. The Windows Drivers Kit can open any type of dump file, making it useful for inspecting a dump file from a previous crash.
2. Install the Windows Drivers Kit by downloading the setup file. Scroll down and click the Download WDK for Windows 10, version 1803 link, which is near the top of the page, just below the “Install WDK for Windows 10” heading. The installation file will be downloaded to your computer.
3. Open the WDK installation file. Double-click the wdksetup file in your computer’s default “Downloads” folder to begin the installation process.
4. Install the Windows 10 Drivers Kit. To do so:
Click Next on the first 4 pages.
Click Yes when prompted.
Wait for the WDK program to finish installing.
5. Open Start. Click the Windows logo in the bottom-left corner of the screen.
6. Type in command prompt. This will search your computer for the Command Prompt app.
7. Command Prompt can be accessed by right-clicking it. It appears as a black box at the top of the Start screen. There will be a drop-down menu.
8. Click the Run as administrator button. This option is available from the drop-down menu.
You will be unable to complete this step if you are not logged in as an administrator on your computer.
9. When prompted, select Yes. By doing so, the Command Prompt app is launched in administrator mode.
10. Switch to the WDK directory. Type in the following address and then press ↵ Enter:
cd C:\Program Files (x86)\Windows Kits\10\Debuggers\x86
11. Enter the installation command. Type in windbg.exe -IA and then press ↵ Enter.
12. When prompted, click OK. This means that the Windows Debugger will now automatically open dump files.
13. Open WinDBG. Click Start, type in windbg, and click WinDbg (X86) in the results. The Windows Debugger program will open.
14. Add a symbol path. The symbol path tells the Windows Debugger which information to display:
Click File in the upper-left corner.
Click Symbol File Path…
Type in SRV*C:\SymCache*http://msdl.microsoft.com/download/symbols
15. Find your dump file. To do this, you’ll need to go to the system root folder:
Type in run and press ↵ Enter.
Type in %SystemRoot% and press ↵ Enter to open the system root folder in File Explorer.
Click the View tab.
Check the “Hidden items” box if it isn’t already checked.
Scroll down and double-click the MEMORY.DMP file.
16. Examine the dump file’s output. You should see a list of programmes that were open when your computer crashed, which will help you determine which program(s) caused the crash.
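The following script is an added example, not part of the original article or of the BlueScreenView or WDK projects. It ties Part 1 and Part 2 together from an elevated PowerShell prompt: it reads the “Write debugging information” setting configured in Part 1 (steps 6–7) from the Windows CrashControl registry key, lists the same dump files BlueScreenView shows in its top pane, and opens the newest one in WinDbg with the symbol path from Part 2 step 14. The x86 WinDbg path, the registry value meanings and the `!analyze -v` command are standard Windows/WinDbg details that the article does not itself list.

```powershell
# Added example (not from the original article). Run from an elevated PowerShell prompt.
$crashControl = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'
$symbolPath   = 'SRV*C:\SymCache*http://msdl.microsoft.com/download/symbols'
# x86 WinDbg path from Part 2 step 10; use ...\Debuggers\x64 on a 64-bit WDK install.
$windbg       = 'C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\windbg.exe'

# CrashDumpEnabled values as documented by Microsoft:
# 0 = none, 1 = complete, 2 = kernel, 3 = small (minidump), 7 = automatic
$dumpKinds = @{ 0 = 'None'; 1 = 'Complete memory dump'; 2 = 'Kernel memory dump'
                3 = 'Small memory dump'; 7 = 'Automatic memory dump' }
$cfg  = Get-ItemProperty -Path $crashControl
$kind = $dumpKinds[[int]$cfg.CrashDumpEnabled]
Write-Host "Write debugging information: $kind (CrashDumpEnabled=$($cfg.CrashDumpEnabled))"

# Small dumps are written to MinidumpDir; kernel/complete dumps to DumpFile.
# Both default to the system root, which is why Part 2 step 15 looks there.
$miniDir  = [Environment]::ExpandEnvironmentVariables(
                $(if ($cfg.MinidumpDir) { $cfg.MinidumpDir } else { '%SystemRoot%\Minidump' }))
$fullDump = [Environment]::ExpandEnvironmentVariables(
                $(if ($cfg.DumpFile) { $cfg.DumpFile } else { '%SystemRoot%\MEMORY.DMP' }))

$dumps = @()
if (Test-Path $miniDir)  { $dumps += Get-ChildItem -Path $miniDir -Filter '*.dmp' -File }
if (Test-Path $fullDump) { $dumps += Get-Item $fullDump }
if (-not $dumps) { Write-Host 'No dump files found; no crash has been recorded yet.'; return }

# Same list BlueScreenView shows in its top pane (Part 1 step 15), newest first.
$sorted = $dumps | Sort-Object LastWriteTime -Descending
$sorted | Select-Object FullName, LastWriteTime, @{n='SizeKB'; e={[int]($_.Length/1KB)}} |
    Format-Table -AutoSize

$newest = $sorted[0].FullName
if (Test-Path $windbg) {
    # -z opens the dump, -y sets the symbol path (Part 2 step 14),
    # -c runs WinDbg's standard crash-analysis command once the dump is loaded.
    & $windbg -z $newest -y $symbolPath -c '!analyze -v'
} else {
    Write-Warning "WinDbg not found at $windbg; install the WDK first (Part 2 steps 1-4)."
}
```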