Microsoft KB Archive/156280

= How to Use Dumpchk.exe to check a memory dump file =

Article ID: 156280

Article Last Modified on 2/27/2007

-

APPLIES TO


 * Microsoft Windows Server 2003, Standard Edition (32-bit x86)
 * Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
 * Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
 * Microsoft Windows Server 2003, Enterprise x64 Edition
 * Microsoft Windows Server 2003, 64-Bit Datacenter Edition
 * Microsoft Windows 2000 Server
 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows 2000 Professional Edition
 * Microsoft Windows 2000 Datacenter Server
 * Microsoft Windows NT Workstation 3.5
 * Microsoft Windows NT Workstation 3.51
 * Microsoft Windows NT Workstation 4.0 Developer Edition
 * Microsoft Windows NT Server 3.5
 * Microsoft Windows NT Server 3.51
 * Microsoft Windows NT Server 4.0 Standard Edition

-



This article was previously published under Q156280



For a Microsoft Windows XP version of this article, see 315271.



SUMMARY
Dumpchk is a command-line utility you can use to verify that a memory dump file has been created correctly. Dumpchk does not require access to symbols.

You can download debugging tools for Windows products from the following Microsoft Web site:

http://www.microsoft.com/whdc/DevTools/Debugging/default.mspx

Dumpchk is located in the following locations:  Windows NT 4.0 CD-ROM:

Support\Debug\\Dumpchk.exe

 Windows 2000 CD-ROM: Install the Support Tools by running Setup.exe from the Support\Tools folder on the CD-ROM. By default, Dumpchk.exe is installed to the Program Files\Support Tools folder.



MORE INFORMATION
Dumpchk has the following command-line switches:   DUMPCHK [options] 

-? Display the command syntax.

-p Prints the header only (with no validation).

-v Specifies verbose mode.

-q Performs a quick test. Not available in the Windows 2000. Additional switches that are only available in Windows 2000 Dumpchk.exe version:    -c Do dump validation.

-x Extra file validation. Takes several minutes.

-e Do dump exam.

-y  Set the symbol search path for dump exam. If the symbol search path is empty, the CD-ROM is used for symbols.

-b  Set the image search path for dump exam. If the symbol search path is empty, <SystemRoot>\system32 is used for symbols.

-k <File> Set the name of the kernel to File.

-h <File> Set the name of the hal to File. Dumpchk displays some basic information from the memory dump file, then verifies all the virtual and physical addresses in the file. If any errors are found in the memory dump file, Dumpchk reports them. The following is an example of the output of a Dumpchk command: <pre class="fixed_text">  Filename. . . . . . .memory.dmp Signature. . . . . . .PAGE ValidDump. . . . . . .DUMP MajorVersion. . . . .free system MinorVersion. . . . .1057  DirectoryTableBase. .0x00030000 PfnDataBase. . . . . .0xffbae000 PsLoadedModuleList. .0x801463d0 PsActiveProcessHead. .0x801462c8 MachineImageType. . .i386 NumberProcessors. . .1  BugCheckCode. . . . .0xc000021a BugCheckParameter1. .0xe131d948 BugCheckParameter2. .0x00000000 BugCheckParameter3. .0x00000000 BugCheckParameter4. .0x00000000

ExceptionCode. . . . .0x80000003 ExceptionFlags. . . .0x00000001 ExceptionAddress. . .0x80146e1c

NumberOfRuns. . . . .0x3 NumberOfPages. . . . .0x1f5e Run #1 BasePage. . . . . .0x1 PageCount. . . . . .0x9e Run #2 BasePage. . . . . .0x100 PageCount. . . . . .0xec0 Run #3 BasePage. . . . . .0x1000 PageCount. . . . . .0x1000

**************  **************--> Validating the integrity of the PsLoadedModuleList **************

**************  **************--> Performing a complete check (^C to end) **************  **************   **************--> Validating all physical addresses **************  **************   **************--> Validating all virtual addresses **************  **************   **************--> This dump file is good! ************** If there is an error during any portion of the output displayed above, the dump file is corrupted and analysis cannot be performed.

In this example, the most important information (from a debugging standpoint) is the following: <pre class="fixed_text">  MajorVersion. . . . .free system MinorVersion. . . . .1057  MachineImageType. . .i386 NumberProcessors. . .1  BugCheckCode. . . . .0xc000021a BugCheckParameter1. .0xe131d948 BugCheckParameter2. .0x00000000 BugCheckParameter3. .0x00000000 BugCheckParameter4. .0x00000000 This information can be used to determine what Kernel STOP Error occurred and, to a certain extent, what version of Windows was in use.

The information in this article is from the Windows NT Resource Kit. For more information on Dumpchk.exe and other debugging utilities, see Appendix A in the Windows NT 3.51 Resource Kit Update and Update 2.

For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

119490 Checking the Crashdump file for corruption

Additional query words: prodnt

Keywords: kbnetwork KB156280

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.