kdmp-parser

Win11 BSOD dump compatibility

Open frendguo opened this issue 1 year ago • 3 comments

I tested the latest code on Windows 11 BSOD dump files and found that while the kernel dump could be identified correctly, issues arose with all other types of dumps.

Error info:

MapViewOfFile failed with GLE=8.
MapFile failed.
Parsing of the dump failed, exiting.

Windows version: Win11 26063 MP (4 procs) Free x64

Dump files: https://drive.google.com/file/d/1t5cGnG-XaDpIGw6upJ4ovA-Jm_JtFbHY/view?usp=drive_link

How to generate

  1. System Properties -> Startup And Recovery -> System failure
  2. In [Write debugging information], select [Small memory dump], [Kernel memory dump], [Complete memory dump], [Automatic memory dump], and [Active memory dump] one at a time.
  3. After selecting a specific dump type, use notmyfault to trigger a crash and generate the dump file.

frendguo, Aug 13 '24 09:08

Thank you for the detailed report 🙏🏽

Based on your screenshot, it looks like what is failing is the MapViewOfFile call - how big are those dump files? They might just be too big to map; that's what the GetLastError means:

ERROR_NOT_ENOUGH_MEMORY

8 (0x8)

Not enough memory resources are available to process this command.

If you want to still try to read those dump files, you can try the parser executable from kdmp-parser-rs - it is able to use file read and not only a memory mapping.

0vercl0k, Aug 13 '24 14:08
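
The mapping-versus-file-read point in the reply above, as an added example (not code from kdmp-parser or kdmp-parser-rs): a reader that tries to map the whole dump and falls back to positioned file reads when the mapping fails. The `DumpReader` class, its method names and the constructed sample file are assumptions made for illustration; the `PAGEDU64` magic is the real start of a 64-bit kernel dump header.

```python
import mmap
import os
import tempfile

# A 64-bit Windows kernel crash dump starts with these 8 bytes.
DUMP64_MAGIC = b"PAGEDU64"


class DumpReader:
    """Random access to a dump: whole-file mapping if possible, else file reads."""

    def __init__(self, path, allow_mmap=True):
        self._file = open(path, "rb")
        self.size = os.fstat(self._file.fileno()).st_size
        self._view = None
        if allow_mmap:
            try:
                # Mapping the whole file is the step that can fail on very
                # large dumps; Python reports that as OSError.
                self._view = mmap.mmap(self._file.fileno(), 0, access=mmap.ACCESS_READ)
            except (OSError, ValueError):  # ValueError: empty file
                pass
        self.backend = "mmap" if self._view is not None else "fileread"

    def read_at(self, offset, size):
        if offset < 0 or size < 0 or offset + size > self.size:
            raise ValueError("read outside of the dump file")
        if self._view is not None:
            return self._view[offset:offset + size]
        # Fallback: positioned read, only `size` bytes are ever in memory.
        self._file.seek(offset)
        return self._file.read(size)

    def close(self):
        if self._view is not None:
            self._view.close()
        self._file.close()


def is_kernel_dump64(reader):
    return reader.size >= 8 and reader.read_at(0, 8) == DUMP64_MAGIC


def make_sample_dump():
    """Constructed sample: the 8-byte magic followed by zero padding."""
    fd, path = tempfile.mkstemp(suffix=".dmp")
    with os.fdopen(fd, "wb") as f:
        f.write(DUMP64_MAGIC + b"\x00" * 4088)
    return path
```

Passing `allow_mmap=False` forces the file-read path, which is how the fallback can be exercised on a machine where the mapping would otherwise succeed.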

Okay, got it.

Any plans to add a file-reading version of this repository?

frendguo, Aug 14 '24 06:08

I did prototype it at one point - you can find it in https://github.com/0vercl0k/kdmp-parser/tree/fbl_fileread.

Let me know if you would be interested in testing it out, I could revive it and we can work to get it merged.

Cheers

0vercl0k, Aug 14 '24 14:08