个人技术笔记

Windows程序Crash调试

发布时间：2022-06-29  栏目：Windows, 工程部署  评论：0 Comments

The .ecxr command changes to the context that is associated with the dump’s exception. It displays the registers at that context.

Use .cxr to reset the context to the default context.

In general, start the debugging of a dump file by executing .exr -1, .ecxr and k. And then use !analyze -v.

 

 

What is a crash:
An unhandled exception is where our built in code has no contingency for something that went wrong. The OS (Windows) supplies some code that runs when something goes wrong called an unhandled exception handler. You have seen this code run before as an error message that says “application has stopped working..close the program”

What is a hang:
Windows applications also have a duty to report back periodically so the OS can keep the GUI responsive. If they do not do this, Windows flags them as “hung”. You may have seen these as “X is not responding, restart or wait…”

There is another type of hang where the application is still responsive to the Windows GUI but is otherwise not actually getting anything done. These will sit possibly forever and Windows will not identify them as hung.

Getting a dump of all process memory can be helpful in determining the cause of a crash or hang. To do so we can instruct windows to handle the scenarios above differently.

Important: A memory dump is a point in time snapshot. Like a paused movie, it tells you what is occuring at that moment but not necessarily what lead to it. User mode memory dumps also give no insight into what is occuring in the OS or other processes on the system. Logs from the application in question are still essential!

About Procdump

The preferred method for collecting memory dumps from crashes and hangs is the sysinternal utility Procdump.

 

Local run:

procdump64.exe -ma -i c:\Dumps

 

参考：

.ecxr (Display Exception Context Record) – Windows drivers | Microsoft Docs

.ecxr | Microsoft Docs

留下评论

You must be logged in to post a comment.