Tinus EngOps Wiki

Logo

OpsaC - Operating as PowerShell code

Links

Home

PowerShell Blog

PowerShell Index

PowerShell Search

Additional Websites

View my GitHub Profile

View my GitHub Gists

View Tinus IT Wiki

View my Photo Website

Memory Dump

published: September 7, 2022 author: Tinu tags: PowerShell categories: System-Engineering

Table of Contents

Analyze Memory Dump

PowerShell Script to analyze a Memory-Dump.

<#
    .SYNOPSIS
        Load the Windows Debugger

    .DESCRIPTION
        This function will load the Windows Debugger to analyze a MemoryDump

    .NOTES
        -Author: Martin Walther
        -Email : 
        -CreationDate: 07.04.2017
        -LastModifiedDate: 18.10.2022
        -Version: 2.0.0
        -History:

    .LINK
        https://www.ssisg.com/galaxy/knowledgebase.php?action=displayarticle&id=85

#>

if(-not($env:HTTP_PROXY)){
    Write-Output "Set the proxy and restart the script"
    [System.Environment]::SetEnvironmentVariable('HTTP_PROXY','proxy.contoso.com:8080',[System.EnvironmentVariableTarget]::Machine)
}


$winkitpath = "C:\Program Files (x86)\Windows Kits\10"
if(Test-Path -Path "$($winkitpath)\Debuggers\x64"){
    
    Set-Location "$($winkitpath)\Debuggers\x64"
    Clear-Host
    write-output ("*******************************************************************************")
    write-output ("*")
    Write-Output ("*                            Load Windows Debugger                             ")
    write-output ("*")
    write-output ("*******************************************************************************")
    
    Get-ChildItem '...\..\Dumps' -Filter *.dmp | Select LastWriteTime,Fullname | ft -AutoSize

    write-output ("")
    $dumpfile   = $(read-host "Enter the full-filename of the memory-dump")
    if($dumpfile.StartsWith('"')){
        $dumpfile = $dumpfile.Trim('"')
    }
    $Logfile = "C:\scripts\$($dumpfile | Split-Path -Leaf).log"

    if(Test-Path -Path $dumpfile){
        Write-Output ("Analyze $($dumpfile), please wait . . .")
        
        $ret = .\kd.exe -y "srv*https://msdl.microsoft.com/download/symbols" -z $dumpfile -logo out.txt -c "!analyze -v;q"
        $ret | Out-File "$($Logfile)"

        Write-output ("`n*******************************************************************************")
        Write-Output ("Analysis result:")
        $ret -match "Probably caused by"
        $ret -match "MODULE_NAME:\s.*"
        $ret -match "IMAGE_NAME:\s.*"
        $ret -match "SYMBOL_NAME:\s.*"
        $ret -match "PROCESS_NAME:\s.*"
        $ret -match "BUGCHECK_"
        $ret -match "FAILURE_BUCKET_ID:\s.*"
        Write-output ("*******************************************************************************")

        if(Test-Path -Path $Logfile){
            Write-Output ("`nBugcheck Analysis saved to $($Logfile)")
            Write-Output ("For more information consult $($Logfile)")
        }

    }else{
        Write-Output "Warning: File $($dumpfile) not found, could not analyze dumpfile."
    }
}else{
    Write-Output "Warning: File $($winkitpath) not found, could not start Windows Debugger."
}

See also

Analyze crash dump files by using WinDbg.

← Previous Post [ Top ] Copyright © 2024 by tinuwalther [ Blog ] Next Post →