
System diagnostics overview: how to dump a specific process's memory with WinDbg

Published: 2025/3/20  windows  57  豆豆
Keywords: system exception, memory dump, the WinDbg tool.

1. Why dump memory
Systems run into problems of every kind. Some come from program design that failed to consider a case and so raises an exception; others come from the system itself. When the system crashes or an exception occurs, how do we obtain the context at that moment, give an accurate diagnosis, and then propose a resolution?
The crash or exception in question covers many situations: a process consuming large amounts of resources, a process performing poorly, a program crashing, and so on. To understand any of them we need the context of the affected process at the moment the exception occurred, that is, a snapshot of that process taken at that time. The way to capture such a snapshot is to dump the process's memory.

2. How to dump memory
One way to dump memory is the .dump command in WinDbg. When a program raises an exception, .dump snapshots the process's context at that moment.
Concretely:
When the program raises the exception, or before it does, attach WinDbg to the specific process in which the exception will occur. Attaching needs debug access to the target: your own processes are fine, but a process of another user or a service requires an elevated session holding SeDebugPrivilege. Then, in the WinDbg command window, type g or press F5 to let the program run. If all goes as expected the exception fires and WinDbg breaks in, and at that point the .dump command captures the snapshot. One caveat before sharing the result: a dump taken with /ma holds every committed page of the process, including any credentials, tokens or keys that were in memory, so store and transmit dump files with the same care as the secrets themselves. The following section is the usage of the .dump command.

.dump (Create Dump File)

The .dump command creates a user-mode or kernel-mode crash dump file.

Syntax

.dump Options FileName
.dump /?

Parameters

Options
Represents one or more of the following options:
/o
Overwrites an existing dump file with the same name. If this option is not used and a file with the same name already exists, the dump file is not written.
/f
(Kernel mode:) Creates a complete memory dump.

(User mode:) Creates a full user-mode dump. Despite their names, the largest minidump file actually contains more information than a full user-mode dump. For example, .dump /mf or .dump /ma creates a larger and more complete file than .dump /f. In user mode, .dump /m[MiniOptions] is always preferable to .dump /f.

/m[MiniOptions]
Creates a small memory dump (in kernel mode) or a minidump (in user mode). If neither /f nor /m is specified, /m is the default.

In user mode, /m can be followed with additional MiniOptions specifying extra data to be included in the dump. If no MiniOptions are included, the dump will include module, thread, and stack information, but no additional data. You can add any of the following MiniOptions to change the contents of the dump file; they are case-sensitive.

MiniOption  Effect
a Creates a minidump with all optional additions. The /ma option is equivalent to /mfFhut — it adds full memory data, handle data, unloaded module information, basic memory information, and thread time information to the minidump.
f Adds full memory data to the minidump. All accessible committed pages owned by the target application will be included.
F Adds all basic memory information to the minidump. This adds a stream to the minidump that contains all basic memory information, not just information about valid memory. This allows the debugger to reconstruct the complete virtual memory layout of the process when the minidump is being debugged.
h Adds data about the handles associated with the target application to the minidump.
u Adds unloaded module information to the minidump. This is available only in Windows Server?2003 and later versions of Windows.
t Adds additional thread information to the minidump. This includes thread times, which can be displayed by using the !runaway extension or the .ttime (Display Thread Times) command when debugging the minidump.
i Adds secondary memory to the minidump. Secondary memory is any memory referenced by a pointer on the stack or backing store, plus a small region surrounding this address.
p Adds process environment block (PEB) and thread environment block (TEB) data to the minidump. This can be useful if you need access to Windows system information regarding the application's processes and threads.
w Adds all committed read-write private pages to the minidump.
d Adds all read-write data segments within the executable image to the minidump.
c Adds code sections within images.
r Deletes from the minidump those portions of the stack and store memory that are not useful for recreating the stack trace. Local variables and other data type values are deleted as well. This option does not make the minidump smaller (because these memory sections are simply zeroed), but it is useful if you want to protect the privacy of other applications.
R Deletes the full module paths from the minidump. Only the module names will be included. This is a useful option if you want to protect the privacy of the user's directory structure.

These MiniOptions can only be used when creating a user-mode minidump. They should follow the /m specifier.

/u
Appends the date, time, and PID to the dump file names. This ensures that dump file names are unique.
/a
Generates dumps for all currently-debugged processes. If /a is used, the /u option should also be used to ensure that each file has a unique name.
/b[a]
Creates a .cab file. If this option is included, FileName is interpreted as the CAB file name, not the dump file name. A temporary dump file will be created, this file will be packaged into a CAB, and then the dump file will be deleted. If the b option is followed by a, all symbol and image files also will be packaged into the CAB.
/c "Comment"
Specifies a comment string that will be written to the dump file. If Comment contains spaces, it must be enclosed in double quotes. When the dump file is loaded, the Comment string will be displayed.
/xc Address
(User mode minidumps only) Adds a context record to the dump file. Address must specify the address of the context record.
/xr Address
(User mode minidumps only) Adds an exception record to the dump file. Address must specify the address of the exception record.
/xp Address
(User mode minidumps only) Adds a context record and an exception record to the dump file. Address must specify the address of an EXCEPTION_POINTERS structure which contains pointers to the context record and the exception record.
/xt ThreadID
(User mode minidumps only) Specifies the thread ID of the system thread that will be used as the exception thread for this dump file.
/kpmf File
(Only when creating a kernel-mode Complete Memory Dump) Specifies a file that contains physical memory page data.
FileName
Specifies the name of the dump file. You can specify a full path and file name or just the file name. If the file name contains spaces, FileName should be enclosed in quotation marks. If no path is specified, the current directory is used.
/?
Displays help for this command. This text is different in kernel mode and in user mode.


Environment

Modes: user mode, kernel mode
Targets: live, crash dump
Platforms: all

Comments

This command can be used in a variety of situations:

  • During live user-mode debugging, this command directs the target application to generate a dump file, but the target application does not terminate.
  • During live kernel-mode debugging, this command directs the target computer to generate a dump file, but the target computer does not crash.
  • During crash dump debugging, this command creates a new crash dump file from the old one. This is useful if you have a large crash dump file and want to create a smaller one.

You can control what type of dump file will be produced:

  • In kernel mode, to produce a complete memory dump, use the /f option. To produce a small memory dump, use the /m option (or no options). The .dump command cannot produce a kernel memory dump.
  • In user mode, .dump /m[MiniOptions] is the best choice. Although "m" stands for "minidump", the dump files created by using this MiniOption can vary in size from very small to very large. By specifying the proper MiniOptions you can control exactly what information is included. For example, .dump /ma produces a dump with a great deal of information. The older command, .dump /f, produces a moderately large "standard dump" file and cannot be customized.

With /a, every process currently being debugged is dumped; without it, only the current process is written, that is, the process WinDbg is attached to (or, in a multi-process session, the one selected with the | command).

The /xc, /xr, /xp, and /xt options are used to store exception and context information in the dump file. This allows .ecxr (Display Exception Context Record) to be run on this dump file.

The following example will create a user-mode minidump, containing full memory and handle information:

0:000> .dump /mfh myfile.dmp

Handle information can be read by using the !handle extension command.
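As an added example (not code from the original post or from the WinDbg documentation), the following PowerShell script carries out the procedure from section 2 end to end with cdb.exe, WinDbg's console front end that accepts the same commands: attach to one process by PID, let it run until it breaks on an exception, write a /ma minidump with a unique name, then reopen the dump read-only to confirm that the exception context, thread times and handle table the MiniOptions promise are actually present, and finally restrict the file's ACL. The debugger path, the process name MyApp and the C:\dumps directory are assumptions to adjust for your environment.

```powershell
# Added example, not from the original post or from Microsoft's documentation.
# Capture a user-mode minidump of one process at the moment it raises an
# exception, then check what the dump actually contains, using cdb.exe (the
# console front end that shares WinDbg's command set).
#
# Assumptions (adjust to your environment): Debugging Tools for Windows are
# installed under the default Windows Kits path, the target process is named
# "MyApp", and C:\dumps is writable. Run elevated if MyApp belongs to another
# user or runs as a service, since attaching then needs SeDebugPrivilege.

$cdb     = 'C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\cdb.exe'
$dumpDir = 'C:\dumps'
if (-not (Test-Path $cdb)) { throw "cdb.exe not found at $cdb" }
New-Item -ItemType Directory -Force -Path $dumpDir | Out-Null

# Resolve exactly one PID. Get-Process returns one object per instance, so
# refuse to guess when several processes share the name.
$procs = @(Get-Process -Name 'MyApp' -ErrorAction Stop)
if ($procs.Count -ne 1) {
    throw "Expected exactly one MyApp process, found $($procs.Count)"
}
$targetPid = $procs[0].Id

# Debugger commands, executed once cdb has attached and hit its initial break:
#   g             resume the target; cdb comes back here at the next break,
#                 which by default includes a first-chance access violation
#                 and any second-chance exception
#   .dump /ma /u  write a minidump with all optional data (/ma) and a
#                 date/time/PID suffix (/u) so repeated captures never collide
#   qd            quit the debugger but detach, leaving the target running
# If the target exits before any exception, .dump has nothing to write and
# reports an error instead of producing a file.
$capture = "g; .dump /ma /u $dumpDir\MyApp.dmp; qd"
& $cdb -p $targetPid -c $capture

# Locate the file /u just wrote (newest MyApp_*.dmp) and open it read-only
# with -z to confirm the capture is usable before handing it to anyone:
#   .ecxr        switch to the saved exception context; prints a message
#                instead if the dump carries no exception record
#   kb           stack of the faulting thread in that context
#   !runaway     per-thread run times, present because /ma includes the t option
#   !handle 0 f  every handle with details, present because /ma includes h
#   q            close the dump
$dump = Get-ChildItem "$dumpDir\MyApp_*.dmp" |
        Sort-Object LastWriteTime -Descending |
        Select-Object -First 1
if (-not $dump) { throw "No dump was written to $dumpDir" }

$verify = '.ecxr; kb; !runaway; !handle 0 f; q'
& $cdb -z $dump.FullName -c $verify

# The file holds every committed page of the process, including any
# credentials or keys it had in memory: strip inherited permissions and
# leave only the capturing account with access before it goes anywhere.
icacls $dump.FullName /inheritance:r /grant:r "$($env:USERNAME):F" | Out-Null
```

The script detaches with qd rather than q because q would terminate the attached process; the verification pass runs against the file alone, so it can be repeated on any machine with the debugger installed.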



Reposted from: https://www.cnblogs.com/Winston/archive/2008/06/06/1215286.html
