Tinus EngOps Wiki

Memory Dump

tags: PowerShell categories: System-Engineering

Analyze Memory Dump

PowerShell script to analyze a memory dump (a Windows crash dump, *.dmp) with kd.exe from the Windows 10 SDK Debugging Tools: it runs `!analyze -v` against the dump, saves the full output to a log file and prints the lines that identify the crash.

```powershell
<#
.SYNOPSIS
    Load the Windows Debugger
.DESCRIPTION
    This function will load the Windows Debugger to analyze a MemoryDump
.NOTES
    -Author: Martin Walther
    -Email :
    -CreationDate: 07.04.2017
    -LastModifiedDate: 18.10.2022
    -Version: 2.0.0
#>

# kd.exe fetches symbols from msdl.microsoft.com. Without internet access the symbols stay
# unresolved and the analysis is useless: "Set the proxy and restart the script".

$winkitpath = "C:\Program Files (x86)\Windows Kits\10"
if (Test-Path -Path "$($winkitpath)\Debuggers\x64") {
    Set-Location "$($winkitpath)\Debuggers\x64"
    Write-Output ("*******************************************************************************")
    Write-Output ("*")
    Write-Output ("*                            Load Windows Debugger                             ")
    Write-Output ("*")
    Write-Output ("*******************************************************************************")
    # List the available dump files (path relative to the debugger directory)
    Get-ChildItem '...\..\Dumps' -Filter *.dmp | Select-Object LastWriteTime, FullName | Format-Table -AutoSize

    Write-Output ("")
    $dumpfile = Read-Host "Enter the full-filename of the memory-dump"
    $dumpfile = $dumpfile.Trim('"')   # strip the quotes added by "Copy as path"
    $Logfile  = "C:\scripts\$($dumpfile | Split-Path -Leaf).log"

    if (Test-Path -Path $dumpfile) {
        Write-Output ("Analyze $($dumpfile), please wait . . .")
        # -y symbol path (Microsoft symbol server), -z dump file, -logo overwrite the kd log file,
        # -c run "!analyze -v" and quit; the debugger output is captured in $ret
        $ret = .\kd.exe -y "srv*https://msdl.microsoft.com/download/symbols" -z $dumpfile -logo out.txt -c "!analyze -v;q"
        $ret | Out-File "$($Logfile)"

        Write-Output ("`n*******************************************************************************")
        Write-Output ("Analysis result:")
        # -match against an array returns the matching lines
        $ret -match "Probably caused by"
        $ret -match "MODULE_NAME:\s.*"
        $ret -match "IMAGE_NAME:\s.*"
        $ret -match "SYMBOL_NAME:\s.*"
        $ret -match "PROCESS_NAME:\s.*"
        $ret -match "BUGCHECK_"
        $ret -match "FAILURE_BUCKET_ID:\s.*"
        Write-Output ("*******************************************************************************")

        if (Test-Path -Path $Logfile) {
            Write-Output ("`nBugcheck Analysis saved to $($Logfile)")
            Write-Output ("For more information consult $($Logfile)")
        }
    }
    else {
        Write-Output "Warning: File $($dumpfile) not found, could not analyze dumpfile."
    }
}
else {
    Write-Output "Warning: File $($winkitpath) not found, could not start Windows Debugger."
}
```
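The script above prints the raw matching lines of the `!analyze -v` output. The following added example (not part of the original script) parses the same fields into one object, which is easier to log, compare across several dumps or feed into a ticket. The function name `ConvertFrom-KdAnalysis` and the sample log lines are constructed for this example.

```powershell
function ConvertFrom-KdAnalysis {
    # Turns the key/value lines of a kd "!analyze -v" log into a PSCustomObject
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string[]]$Line
    )
    begin {
        # Fixed fields the original script greps for; BUGCHECK_* keys are collected dynamically
        $fields = 'MODULE_NAME', 'IMAGE_NAME', 'SYMBOL_NAME', 'PROCESS_NAME', 'FAILURE_BUCKET_ID'
        $result = [ordered]@{}
        foreach ($f in $fields) { $result[$f] = $null }
        $result['ProbablyCausedBy'] = $null
    }
    process {
        foreach ($l in $Line) {
            # "KEY:  value" lines, e.g. "MODULE_NAME: nt" or "BUGCHECK_CODE:  d1"
            if ($l -match '^\s*(?<key>[A-Z0-9_]+):\s+(?<val>.+?)\s*$' -and
                ($fields -contains $Matches.key -or $Matches.key -like 'BUGCHECK_*')) {
                $result[$Matches.key] = $Matches.val
            }
            # "Probably caused by : image ( symbol )"
            elseif ($l -match '^Probably caused by\s*:\s*(?<val>.+?)\s*$') {
                $result['ProbablyCausedBy'] = $Matches.val
            }
        }
    }
    end { [pscustomobject]$result }
}

# Constructed sample of the relevant lines of a kd log (not from a real dump)
$sampleLog = @'
*******************************************************************************
*                        Bugcheck Analysis                                    *
*******************************************************************************
DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
BUGCHECK_CODE:  d1
BUGCHECK_P1: 8
PROCESS_NAME:  System
MODULE_NAME: example
IMAGE_NAME:  example.sys
SYMBOL_NAME:  example!DriverEntry+1a
FAILURE_BUCKET_ID:  AV_example!DriverEntry
Followup:     MachineOwner
Probably caused by : example.sys ( example!DriverEntry+1a )
'@

$analysis = $sampleLog -split "`r?`n" | ConvertFrom-KdAnalysis
$analysis | Format-List
```

Against a real run, replace the sample with `Get-Content $Logfile | ConvertFrom-KdAnalysis` to parse the log the script saved.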

See also

Analyze crash dump files by using WinDbg.