General:
- Symbol servers (.symfix)
- Internal database(s) search
- Google or Microsoft search for suspected components as this could be a known issue. Sometimes a simple search immediately points to the fix on a vendor’s site
- The tool used to save a dump (to flag false positive, incomplete or inconsistent dumps)
- OS/SP version (version)
- Language
- Debug time
- System uptime
- Computer name (dS srv!srvcomputername or !envvar COMPUTERNAME)
- List of loaded and unloaded modules (lmv or !dlls)
- Hardware configuration (!sysinfo)
- .kframes 1000
Application or service:
- Default analysis (!analyze -v or !analyze -v -hang for hangs)
- Critical sections (!cs -s -l -o, !locks) for both crashes and hangs
- Component timestamps, duplication and paths. DLL Hell? (lmv and !dlls)
- Do any newer components exist?
- Process threads (~*kv or !uniqstack) for multiple exceptions and blocking functions
- Process uptime
- Your components on the full raw stack of the problem thread
- Your components on the full raw stack of the main application thread
- Process size
- Number of threads
- Gflags value (!gflag)
- Time consumed by threads (!runaway)
- Environment (!peb)
- Import table (!dh)
- Hooked functions (!chkimg)
- Exception handlers (!exchain)
- Computer name (!envvar COMPUTERNAME)
- Process heap stats and validation (!heap -s, !heap -s -v)
- CLR threads? (mscorwks or clr modules on stack traces) Yes: use .NET checklist below
- Hidden (unhandled and handled) exceptions on thread raw stacks
System hang:
- Default analysis (!analyze -v -hang)
- ERESOURCE contention (!locks)
- Processes and virtual memory including session space (!vm 4)
- Important services are present and not hanging
- Pools (!poolused)
- Waiting threads (!stacks)
- Critical system queues (!exqueue f)
- I/O (!irpfind)
- The list of all thread stack traces (!process 0 3f)
- LPC/ALPC chain for suspected threads (!lpc message or !alpc /m after search for "Waiting for reply to LPC" or "Waiting for reply to ALPC" in !process 0 3f output)
- RPC threads (search for "RPCRT4!OSF" in !process 0 3f output)
- Mutants (search for "Mutants - owning thread" in !process 0 3f output)
- Critical sections for suspected processes (!cs -l -o -s)
- Sessions, session processes (!session, !sprocess)
- Processes (size, handle table size) (!process 0 0)
- Running threads (!running)
- Ready threads (!ready)
- DPC queues (!dpcs)
- The list of APCs (!apc)
- Internal queued spinlocks (!qlocks)
- Computer name (dS srv!srvcomputername)
- File cache, VACB (!filecache)
- File objects for blocked thread IRPs (!irp -> !fileobj)
- Network (!ndiskd.miniports and !ndiskd.pktpools)
- Disk (!scsikd.classext -> !scsikd.classext class_device 2)
- Modules rdbss, mrxdav, mup, mrxsmb in stack traces
- Functions Ntfs!Ntfs*, nt!Fs* and fltmgr!Flt* in stack traces
BSOD:
- Default analysis (!analyze -v)
- Pool address (!pool)
- Component timestamps (lmv)
- Processes and virtual memory (!vm 4)
- Current threads on other processors
- Raw stack
- Bugcheck description (including ln exception address for corrupt or truncated dumps)
- Bugcheck callback data (!bugdump for systems prior to Windows XP SP1)
- Bugcheck secondary callback data (.enumtag)
- Computer name (dS srv!srvcomputername)
- Hardware configuration (!sysinfo)
.NET application or service:
- CLR module and SOS extension versions (lmv and .chain)
- Managed exceptions (~*e !pe)
- Nested managed exceptions (!pe -nested)
- Managed threads (!Threads -special)
- Managed stack traces (~*e !CLRStack)
- Managed execution residue (~*e !DumpStackObjects and !DumpRuntimeTypes)
- Managed heap (!VerifyHeap, !DumpHeap -stat and !eeheap -gc)
- GC handles (!GCHandles, !GCHandleLeaks)
- Finalizer queue (!FinalizeQueue)
- Sync blocks (!syncblk)