
How to Load Windows NT MEMORY.DMP File Using I386KD.EXE

This article was previously published under Q148658
The I386KD.EXE utility is used to load a MEMORY.DMP file created by a computer running Windows NT. This article explains the basics required to load a MEMORY.DMP file using the I386KD.EXE debugging utility.

The article contents are organized into the following subsections:
  • What is a MEMORY.DMP File?
  • Checking the Integrity of a MEMORY.DMP File
  • What is I386KD.EXE?
  • Setting Up for Debugging
  • Setting Up and Running I386KD.EXE
  • Using I386KD.EXE with REMOTE.EXE
  • Common Errors Loading a MEMORY.DMP File
  • KD Environment variables
  • KD Options
  • Additional Information Resources
The utilities described in this article are from the Windows NT 3.51 Server compact disc. These utilities will work on a MEMORY.DMP from a computer running Windows NT 3.5. The utilities located on the Windows NT 3.5 Server compact disc will not load a MEMORY.DMP file and are used only for remote sessions.

What is a MEMORY.DMP File?

When the recovery option in the System option dialog box is set to write debugging information, a program called SAVEDUMP.EXE is invoked during a fatal system error, which writes the entire contents of memory to the system paging file on the physical disk. When the system is rebooted, Windows NT copies the paging file to a file called MEMORY.DMP.

Windows NT writes the entire contents of RAM into the paging file. The paging file must be at least as large as the amount of physical memory installed in the system for a MEMORY.DMP file to be created. Also, the paging file must reside on the system partition of the physical disk.

The advantage of a MEMORY.DMP file is that it is possible to determine why the system failed without removing the system from service.

The disadvantage is that the MEMORY.DMP is an image of memory at the exact time of the failure. Many failures are caused by events that happened prior to the system failure, and to identify these problems it may be necessary to use a real-time remote debugging session.

Checking the Integrity of a MEMORY.DMP File

The debugging tools rely on the information stored in the MEMORY.DMP file, which makes it important to verify the integrity of the file. Windows NT Server ships with the DUMPCHK.EXE utility, located in the \SUPPORT\DEBUG\[Machine Type]\ directory. The DUMPCHK.EXE utility displays the stop screen information and processor information, and checks the MEMORY.DMP file for errors. Run the DUMPCHK.EXE file on the MEMORY.DMP as follows:
  1. Copy the MEMORY.DMP file to the C:\DUMP directory.
  2. Run the DUMPCHK utility:

If any errors are reported, the MEMORY.DMP file is unreliable. A system that consistently produces a corrupt MEMORY.DMP file usually indicates that there are problems with the disk controller or the physical disk.

What is I386KD.EXE?

The I386KD.EXE is a command line utility for debugging kernel mode memory dump files. The kernel debugger parses the MEMORY.DMP file and displays various information about the MEMORY.DMP file. It gives you a glimpse into what was loaded on the system and what was happening at the time of the system failure. I386KD is capable of displaying memory usage, a trace of the functions running and queued to run, and lots of valuable clues to the state of the system at the time of the failure. I386KD.EXE is located in the \Support\Debug\I386\ directory of the Windows NT Server compact disc.

Located in the same directory are ALPHAKD.EXE, MIPSKD.EXE and PCKD.EXE. These command line utilities are used for kernel debugging the Alpha, MIPS and the PowerPC platforms from an I386 based machine. If you are debugging from a platform other than the I386 then you must use the utilities in the directory specific to the platform you are using to run the debugger from.

NOTE: This article discusses the I386KD, but the methods are interchangeable with the methods you should use with the other kernel debuggers.

Setting Up for Debugging

The recommended way to run I386KD is to copy all of the files located in the \Support\Debug\I386\ directory to a directory on the hard drive, change to that directory, and set up the environment variables for the debugging session.

The I386KD relies on environment variables for information necessary to run successfully. I386KD uses many environment variables; the minimum needed to load the MEMORY.DMP file is the _NT_SYMBOL_PATH variable. This variable points to the path of the symbols file that the debugger will use for the debug session. After setting the path, the kernel debugger can be started.

I386KD has several command line parameters. The -z parameter specifies the path to the MEMORY.DMP file that will be used for the debugging session. At the command prompt, type:

    I386KD -z <path_to_MEMORY.DMP>

This will invoke I386KD and load the MEMORY.DMP file into the kernel debugger.

Setting Up and Running I386KD.EXE

  1. Set up the Windows NT symbols in C:\SYMBOLS. To properly set up symbols, please see the following article in the Microsoft Knowledge Base:
    ARTICLE-ID: 148660
    TITLE : How to Verify Windows NT Debug Symbols
  2. From the command prompt make a directory on the C drive named DEBUG:

    mkdir c:\debug
  3. Copy all of the files in the \Support\Debug\I386\ directory to the C:\DEBUG directory:

    xcopy [cd drive]:\support\debug\i386 c:\debug
  4. Set up the symbols path environment variable:

    set _nt_symbol_path=c:\symbols
  5. Copy the MEMORY.DMP to the C:\DUMP directory.
  6. Run the kernel debugger.

    i386kd -z c:\dump\memory.dmp
  7. Verify the symbols and start debugging by referencing the article mentioned in step 1 above.

Using I386KD with REMOTE.EXE

The REMOTE.EXE is a command line utility which allows you to run command-line programs on remote computers. REMOTE.EXE uses two parts, the server component and the client component. To use Remote, you must first start the server end on the computer where you are debugging from. This allows other users to connect to your debugging session using the client portion of Remote. This is very useful to Product Support Services Engineers who commonly use the client end of Remote over a Remote Access link to debug a customer's system. The REMOTE.EXE comes with the Resource Kit. For more details and the command syntax of this utility, refer to the Resource Kit online help.

Running I386KD with REMOTE
  1. Copy the REMOTE.EXE command from the Resource Kit directory to the C:\DEBUG directory.
  2. Start the remote debugging session:

    remote /s "i386kd -z c:\dump\memory.dmp" debug1

Common Errors Loading a MEMORY.DMP File

There are many pitfalls on the road to a successful debug session. There are many reasons why a MEMORY.DMP file will not load. Here are a couple of common errors and solutions:

   Error:

      Symbol search path is: *** Invalid *** : Verify _NT_SYMBOL_PATH setting
      kd: crash dump initialized [C:\Dump\MEMORY.DMP]
      KD: Unable to load debug information for ntoskrnl.exe
      could not get the KiProcessorBlock address

   Solution:

      This error can be generated because of an improper symbols
      path. To solve this, check your symbols path and reset your
      environment. Possibly the MEMORY.DMP file is corrupted; run
      DUMPCHK.EXE on this file to verify its integrity.

   Error:

      Microsoft(R) Windows NT Kernel Debugger
      Version 3.51
      (C) 1991-1995 Microsoft Corp.
      Symbol search path is: C:\SYMBOLS
      Remote:Parent exiting. Child(i386kd -z C:\Dump\MEMOR.DMP) dead..

   Solution:

      This can be due to an improper path to the MEMORY.DMP file.
      Check your path and reload the file.
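The two failure transcripts above can be recognized mechanically. The following is an added example, not part of the original article or of any Microsoft tool: a Python triage function that scans captured I386KD/REMOTE output for those two signatures and returns the corrective step the article gives. The function and constant names are hypothetical, and the sample transcripts are constructed from the output quoted above.

```python
import re

# Signatures taken from the two error transcripts quoted in this article.
INVALID_SYMPATH = re.compile(r"Symbol search path is:\s*\*\*\* Invalid \*\*\*")
NO_DEBUG_INFO = re.compile(r"Unable to load debug information for (\S+)")
CHILD_DEAD = re.compile(r"Remote:Parent exiting\. Child\((.*?)\) dead")
DUMP_ARG = re.compile(r"-z\s+(\S+)", re.IGNORECASE)

# Constructed sample transcripts (copied from the article's error listings).
SAMPLE_BAD_SYMBOLS = r"""Symbol search path is: *** Invalid *** : Verify _NT_SYMBOL_PATH setting
kd: crash dump initialized [C:\Dump\MEMORY.DMP]
KD: Unable to load debug information for ntoskrnl.exe
could not get the KiProcessorBlock address"""

SAMPLE_BAD_DUMP_PATH = r"""Symbol search path is: C:\SYMBOLS
Remote:Parent exiting. Child(i386kd -z C:\Dump\MEMOR.DMP) dead.."""


def triage(output):
    """Return (finding, action) pairs for one debugger session transcript."""
    findings = []
    if INVALID_SYMPATH.search(output):
        findings.append(("invalid _NT_SYMBOL_PATH",
                         "check the symbols path and reset the environment"))
    m = NO_DEBUG_INFO.search(output)
    if m:
        findings.append(("no debug information for " + m.group(1),
                         "verify symbols; run DUMPCHK.EXE on the dump file"))
    m = CHILD_DEAD.search(output)
    if m:
        # Recover the -z argument so the mistyped dump path is visible.
        z = DUMP_ARG.search(m.group(1))
        path = z.group(1) if z else "<no -z argument>"
        findings.append(("debugger exited; dump path was " + path,
                         "check the path to MEMORY.DMP and reload the file"))
    return findings


if __name__ == "__main__":
    for sample in (SAMPLE_BAD_SYMBOLS, SAMPLE_BAD_DUMP_PATH):
        for finding, action in triage(sample):
            print(finding, "->", action)
```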

KD Environment Variables

    _NT_DEBUG_PORT                Serial port used by the debugger
    _NT_DEBUG_BAUD_RATE           Baud rate used by the debugger
    _NT_SYMBOL_PATH               Location of the symbols files
    _NT_ALT_SYMBOL_PATH           Additional symbol path which is searched first
    _NT_DEBUG_CACHE_SIZE          Debugger cache size
    _NT_DEBUG_LOG_FILE_OPEN       Specifies a file for logging the debug session
    _NT_DEBUG_LOG_FILE_APPEND     Appends to a debug log file if one exists

KD Options

    -b    - Causes a running kernel to stop as soon as possible.
    -c    - Causes a resync of a modem connection
    -n    - Symbols load as soon as the module is loaded
    -v    - Verbose mode
    -m    - Causes the debugger to enter the terminal mode
    -x    - The debugger will break on first chance exceptions
    -y    - Path to the symbols
    -z    - Path to the crash dump file

Additional Information Resources

  • Windows NT Resource Kit
  • The Driver Development Kit Online help
  • The Kernel-Debug How-To series of articles can be found by searching on the keyword "debugref" here in the Microsoft Knowledge Base.

Article ID: 148658 - Last Review: 11/01/2006 06:09:56 - Revision: 3.1

  • Microsoft Windows NT Workstation 3.5
  • Microsoft Windows NT Workstation 3.51
  • Microsoft Windows NT Server 3.5
  • Microsoft Windows NT Server 3.51
  • KB148658