Advanced Crash Investigation Using Crash Dumps

-
This guide is intended to give you an idea on how to use crash dumps to find the root cause of an application crash. I don't really know how to fully utilize crash dumps, but I know enough to get some data out of them.

Following these steps will not lead you to a window that says "here is the problem". Rather, it will give you a bunch of information that you will need to piece together to find the cause of the problem.

Prerequisites

Troubleshooting


We will be troubleshooting this error:



  1. On the affected machine, provoke the application into a crash
    1. If you cannot provoke the issue go to the next step and see if there are any files
  2. Go to: %LOCALAPPDATA%\CrashDumps. There should be some .dmp files
  3. Copy all the files to the machine that has WinDbg installed
  4. Open WinDbg and add the symbols server
    1. srv*c:\mss*http://msdl.microsoft.com/download/symbols
  5. Open the crash dump
  6. click on the console window all the way at the bottom and type in
    1. !analyze -v
    2. The Debugger will now analyze the Dump
  7. The dump spits out a bunch of data that we need to decipher
    1. I immediately see a bunch of references to MtMUifTS.dll 
  8. A Google search don't reveal any results so let's try something else
  9. I run WizTree on the computer and I search for MtMUifTS.dll which returns two DLLs
  10. I look at the Digital signature on the files and the signer is Black Ice Software
  11. A google search for the company tells me that they handle document conversion and faxing
  12. I go to the affected server and I see that there is a Printer called "Multi-Tech FaxFinder", also the port has the name Black Ice
  13. I remove the printer, and the crashing stops

Things to keep in mind

As stated previously, this is a game of assumptions. A lot of times the name of the DLLs will point you in the direction you want to go. For instance, if you see the Audioses.dll pop up in the dump the issue is probably related to Audio and updating/reverting the audio drivers of the machine might fix the issue.


Comments

Post a Comment

Popular posts from this blog

FSLogix Troubleshooting guide

-
Image
Have an issue you can't solve? I offer consulting engagements and can be reached here: consulting[а 𝐭 ]amorales[․]org This article will cover some common issues I have ran into, and steps on how to resolve them. The guide should be followed  in order  since most of the advanced items are usually not the cause of a problem. If you just set up FSLogix, make sure that you followed every step under  Deploying FSLogix Office 365 Containers  and  Deploying FSLogix Profile Containers Terminology ODFC = Office Data File Containers This is there Office (Outlook, Teams, Licensing) data is stored This can be used in conjunction with UPDs FSL Profiles Replacement for UPDs User profiles are stored here (Office data is stored in the ODFC) Cannot  be used in conjunction with UPDs Non-Issues The items below should be ignored when troubleshooting Local_ files under C:\Users If FSLogix profiles are enabled, these folders can be ignored. They will be deleted the next
Read more

Best Practices for Deploying User Profile Disks

-
Image
Have an issue you can't solve? I offer consulting engagements and can be reached here: consulting[а 𝐭 ]amorales[․]org Last Updated 2020-01-03 After months of testing I recommend deploying FSLogix Profile Containers instead of User Profile Disks. You can find my guide here . Some of the items below apply to FSL Profile Containers.  User Profile Disks (UPDs) are great for load balanced RDS farms since it allows users to seamlessly roam from server to server. The goal of this article will be to configure the RDS and file servers in a way that maximizes performance and reduces the likelihood of UPD disconnects. I'll keep this updated any time I find new improvements. Use FSLogix Before you even consider deploying UPDs you need to be aware of  this limitation . On Server 2012 and 2016 (Server 2019 does not have this issue,  but it doesn't support Office ) the Windows Search index is machine wide. This means that when a UPD is disconnected the user's index data is d
Read more

Removing Application UAC Requirements with Shims

-
Image
This guide will show you how to create shims that allow regular users to run applications that normally require local admin. Shims should only be used as a measure of last resort. In many cases simply granting users to certain folders or reg keys eliminates the need to create a shim. You can use LUA Buglight to identify what those reg keys/files are.   How it works The shim will force the application to use "RunAsInvoker" when it is launched. RunAsInvoker tells the application to open with the privilege level of whatever launched it. For example, if a regular user opens the application through explorer.exe (a non admin process) then the application will open with regular user permissions.  Things to keep in mind: Shims should be installed after the application Shims might need to be re-installed if an application is updated Not all apps play well with shims. Make sure to test the application before putting it into production Pre-Requisites Install the Microsoft Application C
Read more