Article ID: 148658
This article was previously published under Q148658
The I386KD.EXE utility is used to load a MEMORY.DMP file created by a computer running Windows NT. This article explains the basics required to load a MEMORY.DMP file using the I386KD.EXE debugging utility.
The article contents are organized into the following subsections:
What is a MEMORY.DMP File?
When the recovery option in the System option dialog box is set to write debugging information, a program called SAVEDUMP.EXE is invoked during a fatal system error which writes the entire contents of memory to the system paging file. When the system is rebooted, Windows NT copies the paging file to a file called MEMORY.DMP.
Windows NT writes the entire contents of RAM into the paging file. The paging file must be at least as large as the amount of physical memory installed in the system for a MEMORY.DMP file to be created. Also, the paging file must reside on the system partition of the physical disk.
The advantage of a MEMORY.DMP file is that it is possible to determine why the system failed without removing the system from service.
The disadvantage is that the MEMORY.DMP file is an image of memory at the exact time of the failure. Many failures are caused by events that happened prior to the system failure, and to identify these problems it may be necessary to use a real-time remote debugging session.
Checking the Integrity of a MEMORY.DMP File
The debugging tools rely on the information stored in the MEMORY.DMP file, which makes it important to verify the integrity of the file. Windows NT Server ships with the DUMPCHK.EXE utility, located in the \SUPPORT\DEBUG\[Machine Type]\ directory. The DUMPCHK.EXE utility displays the stop screen information and processor information, and checks the MEMORY.DMP file for errors. Run the DUMPCHK.EXE file on the MEMORY.DMP as follows:
What is I386KD.EXE?
The I386KD.EXE is a command line utility for debugging kernel mode memory dump files. The kernel debugger parses the MEMORY.DMP file and displays various information about the MEMORY.DMP file. It gives you a glimpse into what was loaded on the system and what was happening at the time of the system failure. I386KD is capable of displaying memory usage, a trace of the functions running and queued to run, and lots of valuable clues to the state of the system at the time of the failure. I386KD.EXE is located in the \Support\Debug\I386\ directory of the Windows NT Server compact disc.
Located in the same directory are ALPHAKD.EXE, MIPSKD.EXE and PCKD.EXE. These command line utilities are used for kernel debugging the Alpha, MIPS and the PowerPC platforms from an I386 based machine. If you are debugging from a platform other than the I386, you must use the utilities in the directory specific to the platform on which you run the debugger.
NOTE: This article discusses the I386KD, but the methods are interchangeable with the methods you should use with the other kernel debuggers.
Setting Up for Debugging
The recommended way to run I386KD is to copy all of the files located in the \Support\Debug\I386\ directory to a directory on the hard drive, change to that directory and set up the environment variables for the debugging session.
I386KD relies on environment variables for information necessary to run successfully. I386KD uses many environment variables; the minimum needed to load the MEMORY.DMP file is the _NT_SYMBOL_PATH variable. This variable points to the path of the symbols file that the debugger will use for the debug session. After setting the path, the kernel debugger can be started.
I386KD has several command line parameters. The -z parameter specifies the path to the MEMORY.DMP file that will be used for the debugging session. At the command prompt, type:
    I386KD -z <path_to_MEMORY.DMP>
This will invoke I386KD and load the MEMORY.DMP file into the kernel debugger.
Setting Up and Running I386KD.EXE
Using I386KD with REMOTE.EXE
The REMOTE.EXE is a command line utility which allows you to run command-line programs on remote computers. REMOTE.EXE uses two parts, the server component and the client component. To use Remote, you must first start the server end on the computer where you are debugging from. This allows other users to connect to your debugging session using the client portion of Remote. This is very useful to Product Support Services Engineers who commonly use the client end of Remote over a Remote Access link to debug a customer's system. The REMOTE.EXE comes with the Resource Kit. For more details and the command syntax of this utility, refer to the Resource Kit online help.
Running I386KD with REMOTE
Common Errors Loading a MEMORY.DMP File
There are many pitfalls on the road to a successful debug session, and many reasons why a MEMORY.DMP file will not load. Here are a couple of common errors and solutions:
Error:
    Symbol search path is: *** Invalid *** : Verify _NT_SYMBOL_PATH setting
    kd: crash dump initialized [C:\Dump\MEMORY.DMP]
    KD: Unable to load debug information for ntoskrnl.exe
    could not get the KiProcessorBlock address
Solution: This error can be generated because of an improper symbols path. To solve this, check your symbols path and reset your environment. Possibly the MEMORY.DMP file is corrupted; run DUMPCHK.EXE on this file to verify its integrity.
Error:
    Microsoft(R) Windows NT Kernel Debugger
    Version 3.51
    (C) 1991-1995 Microsoft Corp.
    Symbol search path is: C:\SYMBOLS
    Remote:Parent exiting. Child(i386kd -z C:\Dump\MEMOR.DMP) dead..
Solution: This can be due to an improper path to the MEMORY.DMP file. Check your path and reload the file.
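The setup steps and the two load errors above, combined into a pre-flight wrapper. This is an added example, not part of the original article and not a Microsoft script. The script name kdload.cmd, its two arguments and the log file name kd_session.log are assumptions; it also assumes a cmd.exe with command extensions (%~f1, exit /b) and that DUMPCHK.EXE and I386KD.EXE are in the current directory or on the PATH.

```batch
@echo off
rem Added example: pre-flight checks before loading a crash dump in I386KD.
rem Usage: kdload.cmd DUMPFILE SYMBOLS_DIR
rem kdload.cmd, kd_session.log and both arguments are hypothetical names.
setlocal
if "%~2"=="" goto usage
set "DUMP=%~f1"
set "SYMS=%~f2"

rem A wrong dump path is the second error described above.
if not exist "%DUMP%" goto nodump
rem A zero-length file cannot hold a memory image.
for %%F in ("%DUMP%") do if "%%~zF"=="0" goto emptydump
rem A bad symbol path gives "Symbol search path is: *** Invalid ***".
if not exist "%SYMS%\" goto nosyms

set "_NT_SYMBOL_PATH=%SYMS%"
rem Keep a transcript of the session in the current directory.
set "_NT_DEBUG_LOG_FILE_OPEN=%CD%\kd_session.log"
echo Symbol path : "%_NT_SYMBOL_PATH%"
echo Dump file   : "%DUMP%"
echo Session log : "%_NT_DEBUG_LOG_FILE_OPEN%"

rem Check the dump first and read its report before the debugger starts.
dumpchk "%DUMP%"
pause
i386kd -z "%DUMP%"
exit /b 0

:usage
echo Usage: %~nx0 DUMPFILE SYMBOLS_DIR
exit /b 2
:nodump
echo ERROR: dump file not found: "%DUMP%"
exit /b 1
:emptydump
echo ERROR: dump file is empty: "%DUMP%"
exit /b 1
:nosyms
echo ERROR: symbol directory not found: "%SYMS%"
exit /b 1
```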
KD Environment Variables
_NT_DEBUG_PORT              Serial port used by the debugger
_NT_DEBUG_BAUD_RATE         Baud rate used by the debugger
_NT_SYMBOL_PATH             Location of the symbols files
_NT_ALT_SYMBOL_PATH         Additional symbol path which is searched first
_NT_DEBUG_CACHE_SIZE        Debugger cache size
_NT_DEBUG_LOG_FILE_OPEN     Specifies a file for logging the debug session
_NT_DEBUG_LOG_FILE_APPEND   Appends to a debug log file if one exists
-b - Causes a running kernel to stop as soon as possible
-c - Causes a resync of a modem connection
-n - Symbols load as soon as the module is loaded
-v - Verbose mode
-m - Causes the debugger to enter the terminal mode
-x - The debugger will break on first chance exceptions
-y - Path to the symbols
-z - Path to the crash dump file
Additional Information Resources