mgrzeg
BSOD Kernel Dump Senior Analyst
Hello,
I love the SysnativeBSODApp for all the job it does :) And I begin the analysis with this app whenever I have to work with dumps. But from time to time I have to deal with more than 50 dumps (a WER directory coming from the user), and after performing a full analysis with the SysnativeBSODApp (which takes some time, of course) I discover that most of the dumps have the same bugcheck and a full analysis of all dumps was not necessary. I use BlueScreenView from Nir Sofer, and it's another great tool, but I thought that the basic information could be read directly from the .dmp file, which can be much faster than a full analysis or using BSV.
Of course, there's no publicly available memory dump file format specification, so I started with some help from http://computer.forensikblog.de/files/010_templates/DMP.bt and http://www.debuggingexperts.com/win32dd–memory-imaging and after a while I wrote a small tool (available here; written in C#, so you can view the source using Reflector or any other .NET disassembler) that reads all .dmp files from the current directory and writes only a few basics: file name, creation date & time, OS version, processor architecture and bugcheck with all the params to the 'basicInfo.txt' file. It's not fully tested (just a few lines of code, so I didn't even bother with error checking) and in a very early dev stage, but I think it may help you save some time before any further analysis with the SysnativeBSODApp, which is of course the primary tool of analysis.
Hope you enjoy it and help in further development (maybe you have the .dmp file format spec? :))
m.g.
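The header triage described in the post, as an added Python example that is not mgrzeg's tool or any code from the thread. It reads the fixed-size header at the start of a kernel dump (the "PAGE"/"DUMP" 32-bit and "PAGE"/"DU64" 64-bit flavours), pulls out the OS build, processor architecture, bugcheck code and parameters and the crash-time SystemTime, writes one line per file to basicInfo.txt, and counts dumps per bugcheck code so that a directory of fifty dumps with the same crash is obvious before any full analysis. The field offsets are the ones published in the 010 Editor template the post links and used by open-source memory-forensics tools, not a Microsoft specification, so treat them as assumptions to check against a known dump; the sample headers built by `make_sample_header` and every value in them are constructed for the demonstration.

```python
import glob
import os
import struct
from collections import Counter
from datetime import datetime, timedelta, timezone

# Offsets of the fields read below, for the 32-bit ("DUMP", 4 KiB) and 64-bit
# ("DU64", 8 KiB) header flavours; only the latter has 64-bit bug check params.
# Assumed from the public 010 template / forensics tools, not a vendor spec.
LAYOUT = {
    b"DUMP": {"size": 0x1000, "machine": 0x20, "ncpu": 0x24, "bugcheck": 0x28,
              "params": (0x2C, "<4I"), "systime": 0xFC0},
    b"DU64": {"size": 0x2000, "machine": 0x30, "ncpu": 0x34, "bugcheck": 0x38,
              "params": (0x40, "<4Q"), "systime": 0xFA8},
}
# IMAGE_FILE_MACHINE_* values found in the MachineImageType field.
MACHINE_TYPES = {0x014C: "x86", 0x0200: "IA64", 0x8664: "x64", 0xAA64: "ARM64"}
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ticks):
    """Windows FILETIME: 100-nanosecond ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def parse_dump_header(data):
    """Parse the start of a crash dump; ValueError on anything not recognised."""
    if len(data) < 8 or data[0:4] != b"PAGE":
        raise ValueError("missing PAGE signature: not a Windows crash dump")
    flavour = data[4:8]
    layout = LAYOUT.get(flavour)
    if layout is None:
        raise ValueError("unknown dump flavour %r" % flavour)
    if len(data) < layout["size"]:
        raise ValueError("truncated header: expected %d bytes" % layout["size"])
    # MajorVersion is the build type (0xF free, 0xC checked), MinorVersion the OS build.
    major, build = struct.unpack_from("<II", data, 0x08)
    machine = struct.unpack_from("<I", data, layout["machine"])[0]
    ncpu = struct.unpack_from("<I", data, layout["ncpu"])[0]
    code = struct.unpack_from("<I", data, layout["bugcheck"])[0]
    off, fmt = layout["params"]
    ticks = struct.unpack_from("<Q", data, layout["systime"])[0]
    return {
        "flavour": flavour.decode("ascii"),
        "build": build,
        "checked_build": major == 0xC,
        "arch": MACHINE_TYPES.get(machine, "0x%04X" % machine),
        "processors": ncpu,
        "bugcheck": code,
        "params": struct.unpack_from(fmt, data, off),
        "system_time": filetime_to_datetime(ticks) if ticks else None,
    }


def format_basic_info(name, info):
    """One tab-separated line per dump, in the spirit of basicInfo.txt."""
    when = info["system_time"].isoformat() if info["system_time"] else "-"
    return "\t".join([name, when, "build %d" % info["build"], info["arch"],
                      "0x%08X" % info["bugcheck"],
                      " ".join("0x%X" % p for p in info["params"])])


def scan_directory(directory, out_name="basicInfo.txt"):
    """Summarise every *.dmp in a directory into out_name; a file that fails
    to parse gets an error line instead of aborting. Returns parsed headers."""
    infos, lines = [], []
    for path in sorted(glob.glob(os.path.join(directory, "*.dmp"))):
        with open(path, "rb") as fh:
            head = fh.read(0x2000)  # both header flavours fit in 8 KiB
        name = os.path.basename(path)
        try:
            info = parse_dump_header(head)
        except ValueError as exc:
            lines.append("%s\tERROR: %s" % (name, exc))
            continue
        infos.append(info)
        lines.append(format_basic_info(name, info))
    with open(os.path.join(directory, out_name), "w") as out:
        out.write("\n".join(lines) + "\n")
    return infos


def bugcheck_histogram(infos):
    """Dumps per bug check code: answers 'are these all the same crash?' up front."""
    return Counter(info["bugcheck"] for info in infos)


def make_sample_header(flavour, bugcheck, params, build=7601, machine=0x8664,
                       ncpu=4, when=datetime(2012, 1, 1, tzinfo=timezone.utc)):
    """Constructed header (not from a real dump) filling only the fields read above."""
    layout = LAYOUT[flavour]
    buf = bytearray(layout["size"])
    buf[0:4], buf[4:8] = b"PAGE", flavour
    struct.pack_into("<II", buf, 0x08, 0xF, build)
    struct.pack_into("<I", buf, layout["machine"], machine)
    struct.pack_into("<I", buf, layout["ncpu"], ncpu)
    struct.pack_into("<I", buf, layout["bugcheck"], bugcheck)
    struct.pack_into(layout["params"][1], buf, layout["params"][0], *params)
    ticks = int((when - FILETIME_EPOCH).total_seconds()) * 10_000_000
    struct.pack_into("<Q", buf, layout["systime"], ticks)
    return bytes(buf)
```

Run `scan_directory(".")` in the folder of dumps to get basicInfo.txt, then `bugcheck_histogram(...)` on its return value to see how many distinct crashes are actually present. Only the first 8 KiB of each file is read, so the pass over a large WER directory is quick, and a file that is not a kernel dump (a user-mode minidump starts with "MDMP", for instance) is reported on its own line rather than silently misparsed. The SystemTime field gives the crash time recorded by the kernel, which is usually more trustworthy than the filesystem creation time of a file that has been copied around.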