How to Use Dumpchk.exe to Check a Memory Dump File

ID: Q156280

The information in this article applies to:

Microsoft Windows NT Workstation versions 3.5, 3.51, 4.0
Microsoft Windows NT Server versions 3.5, 3.51, 4.0

SUMMARY

Dumpchk is a command-line utility you can use to verify that a memory dump file has been created correctly. Dumpchk does not require access to symbols. Dumpchk is located on the Windows NT compact disc in the following location:

Support\Debug\<Platform>\Dumpchk.exe

MORE INFORMATION

Dumpchk has the following command-line parameters:


   DUMPCHK [options] <CrashDumpFile>

     -? Display the command syntax.

     -p Prints the header only (with no validation).

     -v Specifies verbose mode.

     -q Performs a quick test.

Dumpchk displays some basic information from the memory dump file, then verifies all the virtual and physical addresses in the file. If any errors are found in the memory dump file, Dumpchk reports them. The following is an example of the output of a Dumpchk command:


   Filename . . . . . . .memory.dmp
   Signature. . . . . . .PAGE
   ValidDump. . . . . . .DUMP
   MajorVersion . . . . .free system
   MinorVersion . . . . .1057
   DirectoryTableBase . .0x00030000
   PfnDataBase. . . . . .0xffbae000
   PsLoadedModuleList . .0x801463d0
   PsActiveProcessHead. .0x801462c8
   MachineImageType . . .i386
   NumberProcessors . . .1
   BugCheckCode . . . . .0xc000021a
   BugCheckParameter1 . .0xe131d948
   BugCheckParameter2 . .0x00000000
   BugCheckParameter3 . .0x00000000
   BugCheckParameter4 . .0x00000000

   ExceptionCode. . . . .0x80000003
   ExceptionFlags . . . .0x00000001
   ExceptionAddress . . .0x80146e1c

   NumberOfRuns . . . . .0x3
   NumberOfPages. . . . .0x1f5e
   Run #1
     BasePage . . . . . .0x1
     PageCount. . . . . .0x9e
   Run #2
     BasePage . . . . . .0x100
     PageCount. . . . . .0xec0
   Run #3
     BasePage . . . . . .0x1000
     PageCount. . . . . .0x1000


   **************
   **************--> Validating the integrity of the PsLoadedModuleList
   **************

   **************
   **************--> Performing a complete check (^C to end)
   **************
   **************
   **************--> Validating all physical addresses
   **************
   **************
   **************--> Validating all virtual addresses
   **************
   **************
   **************--> This dump file is good!
   **************

If, during any portion of the output displayed above, there is an error, the dump file is corrupted and no analysis can be performed.

In this example, the most important information (from a debugging standpoint) is the following:


   MajorVersion . . . . .free system
   MinorVersion . . . . .1057
   MachineImageType . . .i386
   NumberProcessors . . .1
   BugCheckCode . . . . .0xc000021a
   BugCheckParameter1 . .0xe131d948
   BugCheckParameter2 . .0x00000000
   BugCheckParameter3 . .0x00000000
   BugCheckParameter4 . .0x00000000

This information can be used to determine what Kernel STOP Error occurred and, to a certain extent, what version of Windows NT was in use.

The information in this article is from the Windows NT Resource Kit. For more information on Dumpchk.exe and other debugging utilities, see Appendix A in the Windows NT 3.51 Resource Kit Update and Update 2.

For additional information, please see the following article in the Microsoft Knowledge Base:

Article-ID: Q119490
TITLE : Checking Crashdump File for Corruption

Additional query words: prodnt


Keywords          : kbnetwork ntsetup NTSrvWkst 
Version           : 3.5 3.51 4.0
Platform          : winnt 
Issue type        :

Last Reviewed: January 21, 1999