IT博客-Share Mind ----GuoMing's Blogs-随笔分类-Windows Applicatios

How to open crash dump (e.g. memory.DMP) file

GuoMing — Thu, 14 Feb 2008 15:02:00 GMT

memory.dmp was created when your computer shutdown unexpected or blue screen or application crash. just google , found out using windebug (dbg_x86_6.6.07.5.exe) to analys it. (all method from internet)

method 1:

系統藍屏debug方法
1. 我的電腦，屬性->高級->啟動，最下面的記憶體調試選最後一項的全部，確定後重新啟動
2. 藍屏後不要急著重啟，系統會保存整個記憶體內容，然後會自動重啟
3. 重啟後,windows目錄會多出 MEMORY.DMP, 如果1步驟選完全調試，那麼這個檔和你的記憶體一樣大
4. 下載安裝windwos 的 debug tools, 我這有下載地址，或微軟網站
http://public.hshh.org/SysTools/debug/dbg_x86_6.6.07.5.exe
5. 安裝後創建一個臨時目錄，例如 c:\temp
6. 啟動 windbg
7. windbg介面: file->symbol file path (ctrl+s) 輸入:
SRV*c:\temp*http://msdl.microsoft.com/download/symbols
然後確定

(为什么要这样输入，请参考KB311503)
8. windbg介面: file->open crash dump(ctrl+d)，打開windows目錄下面的 memory.dmp
9. 打開後，等待提示
當出現 Use !analyze -v to get detailed debugging information. 字樣後，在下面輸入框
!analyze -v
10. 等待分析完畢，可以知道什麼導致的出錯
11. windbg使用中需要網上下載調試內容，這個速度嘛，取決於你的網路了。

method 2:

一、下載並安裝dbg_x86_6.6.07.5.exe(用google找一下就有了)
二、cmd, 切換到C:\Program Files\Debugging Tools for Windows
三、執行
dumpchk - y http://msdl.microsoft.com/download/symbols c:

\windows\memory.dmp > dmp.txt

註一、http://msdl.microsoft.com/download/symbols 是MS提供的網路symbol server
註二、c:\windows\Memory.dmp 是memory.dmp預設的存放路徑
註三、將結果寫到bbb.txt檔案

GuoMing 2008-02-14 23:02 发表评论

security log _ Audit object access_delete

GuoMing — Thu, 14 Feb 2008 09:25:00 GMT

purpose of the test is for obviousing the security log entry when you delete a audited file:

test approach:

1. delete an auditing file.

2. open eventvwr.msc, check security event. have 3 event about the delete audit(notice those font be highlight in red)

first event entry:

**************************************************************************

Event Type:    Success Audit
Event Source:    Security
Event Category:    Object Access
Event ID:    560
Date:        2008-2-14
Time:        17:00:08
User:        ASIA\dmnroyhu
Computer:    DMNM3037
Description:
Object Open:
     Object Server:    Security
     Object Type:    File
     Object Name:    D:\Temp\rbgwssuser.txt
     Handle ID:    2608
     Operation ID:    {0,25009233}
     Process ID:    752
     Image File Name:    C:\WINDOWS\explorer.exe
     Primary User Name:    dmnroyhu
     Primary Domain:    ASIA
     Primary Logon ID:    (0x0,0x13E8845)
     Client User Name:    -
     Client Domain:    -
     Client Logon ID:    -
     Accesses:        DELETE
            READ_CONTROL
            ReadAttributes
     Privileges:        -
     Restricted Sid Count: 0
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
*******************************************************************************************

second event entry:
*******************************************************************************************
Event Type:    Success Audit
Event Source:    Security
Event Category:    Object Access
Event ID:    567
Date:        2008-2-14
Time:        17:00:08
User:        ASIA\dmnroyhu
Computer:    DMNM3037
Description:
Object Access Attempt:
     Object Server:    Security
     Handle ID:    2608
     Object Type:    File
     Process ID:    752
     Image File Name:    C:\WINDOWS\explorer.exe
     Access Mask:    DELETE
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
*******************************************************************************************
third event entry:
*******************************************************************************************
Event Type:    Success Audit
Event Source:    Security
Event Category:    Object Access
Event ID:    564
Date:        2008-2-14
Time:        17:00:08
User:        ASIA\dmnroyhu
Computer:    DMNM3037
Description:
Object Deleted:
     Object Server:    Security
     Handle ID:    2608
     Process ID:    752
     Image File Name:    C:\WINDOWS\explorer.exe
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

*******************************************************************************************
forth event entry:
*******************************************************************************************
Event Type:    Success Audit
Event Source:    Security
Event Category:    Object Access
Event ID:    562
Date:        2008-2-14

Time:        17:00:08
User:        ASIA\dmnroyhu
Computer:    DMNM3037
Description:
Handle Closed:
     Object Server:    Security
     Handle ID:    2608
     Process ID:    752
     Image File Name:    C:\WINDOWS\explorer.exe

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

*******************************************************************************************

GuoMing 2008-02-14 17:25 发表评论

How to configure Live Writer for cnitlbolg

GuoMing — Tue, 16 Oct 2007 08:52:00 GMT

1、在菜单中选择“Weblog”，然后选择“Another Weblog Service”。
2、在Weblog Homepage URL中输入Blog主页地址:http://www.cnitblog.com/royhuang/。
3、输入用户名与密码。
4、在“Type of weblog that you are using”中选择“Metaweblog API”。
5、“Remote posting URL for your weblog”中输入“http://www.cnitblog.com/royhuang/services/metaweblog.aspx”。

refer document : http://www.cnblogs.com/dudu/articles/495718.html

GuoMing 2007-10-16 16:52 发表评论