
How can I read a Windows BSOD generated memory.dmp using C++

I need to read information, code, flags, address, etc. from a memory.dmp file generated from a Windows BSOD through C++. The basic idea is that status info can be requested from a remote site, and one of the requested pieces of information is some basic info from the last BSOD that occurred on the machine, thus I need to open the kernel/memory dump file through C++ (I'm using MSVC 2005).

Start here, then realize using scripted commands in WinDBG is much easier.

Note: you only need WinDBG on the analysis machine, not the crashing one. You retrieve the minidump and analyse it externally. The only difficulty you will have is getting the right symbols - for Windows, Microsoft makes them available via their symbol servers, but applications that caused the crash may not supply the right symbols you need. If they are your own applications causing the crash, get a symbol server and use it.

I would configure Windows to create small kernel memory dumps, which will include the parameter of the bugcheck you are after.

On XP it was 64KB; on my Win8.1 x64 it is 256KB. These files compress well. You should be able to get away with a zip file of 10-60KB size depending on the bitness of the OS. If bandwidth is of utmost importance to you, you can use 7z, which compresses about 50% better than the plain zip algo at the expense of much longer compression times (5-6 times longer), but for such small files the CPU time difference should be irrelevant.

If you do not want your users to configure dump reporting, you need to set the DWORD

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl

to 3 for a small kernel dump programmatically.

For an explanation of the values see http://technet.microsoft.com/en-us/library/cc976050.aspx

  • 0 Debugging information is not written to a file.
  • 1 Complete crash dump is written to a file.
  • 2 Kernel memory dump is written to a file.
  • 3 Small memory dump is written to a file.

You will then get by default a small kernel dump in %SystemRoot%\MEMORY.DMP.
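The question asks for the bug check code and parameters in C++, and the answer above notes that a small kernel dump already carries them. As an added example, not code from the question or either answer, the portable C++ below pulls exactly those fields out of the fixed-layout header at the start of the dump. It assumes the unofficial DUMP_HEADER layout (signatures "PAGEDUMP"/"PAGEDU64", bug check code at 0x28/0x38 with the four parameters right after it), which is not on the page, and the sample buffer is constructed, not a real dump.

```cpp
#include <cstdint>
#include <cstring>
#include <fstream>
#include <iostream>
#include <string>
#include <vector>
// Bug check data recovered from the fixed-layout header at the start of a kernel dump.
struct BugCheckInfo {
    bool valid = false, is64 = false;   // valid == false: not a kernel dump we recognise
    uint32_t code = 0; uint64_t params[4] = {};   // bug check code (e.g. 0x7E) and its 4 parameters
};
// x86/x64 dumps are little-endian; memcpy avoids unaligned reads.
static uint32_t rd32(const std::vector<uint8_t>& b, size_t o) { uint32_t v; std::memcpy(&v, &b[o], 4); return v; }
static uint64_t rd64(const std::vector<uint8_t>& b, size_t o) { uint64_t v; std::memcpy(&v, &b[o], 8); return v; }
// ASSUMPTION (not from the page): the unofficial DUMP_HEADER layout of kernel dumps and kernel minidumps:
// "PAGE"+"DUMP" (32-bit) or "PAGE"+"DU64" (64-bit), BugCheckCode at 0x28 / 0x38, followed by the
// four parameters as 4 x ULONG at 0x2C (32-bit) or 4 x ULONG64 at 0x40 (64-bit).
BugCheckInfo parseBugCheck(const std::vector<uint8_t>& b) {
    BugCheckInfo info;
    if (b.size() < 0x60 || std::memcmp(b.data(), "PAGE", 4) != 0) return info;
    bool is64 = std::memcmp(b.data() + 4, "DU64", 4) == 0;
    if (!is64 && std::memcmp(b.data() + 4, "DUMP", 4) != 0) return info;   // e.g. user-mode "MDMP"
    info.valid = true; info.is64 = is64;
    info.code = rd32(b, is64 ? 0x38 : 0x28);
    for (int i = 0; i < 4; ++i)
        info.params[i] = is64 ? rd64(b, 0x40 + 8 * i) : rd32(b, 0x2C + 4 * i);
    return info;
}
// Reads only the first page of the file, so a multi-GB MEMORY.DMP is never loaded whole.
BugCheckInfo parseBugCheckFile(const std::string& path) {
    std::ifstream f(path, std::ios::binary);
    std::vector<uint8_t> b(0x1000);
    f.read(reinterpret_cast<char*>(b.data()), static_cast<std::streamsize>(b.size()));
    b.resize(static_cast<size_t>(f.gcount()));   // short read or missing file: parseBugCheck rejects it
    return parseBugCheck(b);
}
// Constructed sample, not a real dump: a 64-bit header reporting bug check 0x7E with four parameters.
std::vector<uint8_t> sampleDump64() {
    std::vector<uint8_t> b(0x1000, 0);
    std::memcpy(&b[0], "PAGEDU64", 8);
    uint32_t code = 0x7E; std::memcpy(&b[0x38], &code, 4);
    uint64_t p[4] = {0xFFFFFFFFC0000005ULL, 0xFFFFF80012345678ULL, 0xFFFFD000AAAA0000ULL, 0xFFFFD000AAAA0800ULL};
    std::memcpy(&b[0x40], p, sizeof p);
    return b;
}
int main(int argc, char** argv) {   // no argument: parse the constructed sample
    BugCheckInfo r = argc > 1 ? parseBugCheckFile(argv[1]) : parseBugCheck(sampleDump64());
    if (!r.valid) { std::cerr << "not a recognised kernel dump\n"; return 1; }
    std::cout << std::hex << (r.is64 ? 64 : 32) << "-bit dump, bug check 0x" << r.code;
    for (uint64_t p : r.params) std::cout << " 0x" << p; std::cout << '\n';
}
```

Only the header page is read, so this works on the small dumps the answer recommends as well as on a full MEMORY.DMP; the hypothetical `parseBugCheckFile` and `sampleDump64` names are this example's own.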
