A problem has occurred on a system and you need to collect a complete memory dump for root-cause analysis. But there is not enough free space on the C drive to write the dump, and the system is already configured for a kernel memory dump. What can you do?
There is a way to write a complete memory dump to a drive of your choice using LiveKD. It was tested on Windows Server 2003 and Windows 2000 Server, and the steps are summarized below.
1. Install Debugging Tools for Windows (if you cannot install the tools, copy the folder from a machine where they are already installed)
2. Download the LiveKD.EXE binary and copy it into the Debugging Tools for Windows installation folder
3. Create the D:\Symbols folder (this is where symbols downloaded from the web will be stored)
4. Run LiveKD
LiveKd v3.10 - Execute kd/windbg on a live system
Sysinternals - www.sysinternals.com
Copyright (C) 2000-2009 Mark Russinovich
Symbols are not configured. Would you like LiveKd to set the _NT_SYMBOL_PATH
directory to reference the Microsoft symbol server so that symbols can be
obtained automatically? (y/n) y
Enter the folder to which symbols download (default is c:\symbols): d:\symbols
Launching C:\Program Files\Debugging Tools for Windows (x86)\kd.exe:
Microsoft (R) Windows Debugger Version 6.11.0001.404 X86
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [C:\WINDOWS\livekd.dmp]
Kernel Complete Dump File: Full address space is available
Comment: 'LiveKD live system view'
Symbol search path is: srv*d:\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows Server 2003 Kernel Version 3790 (Service Pack 2) UP Free x86 compatible
Product: Server, suite: Enterprise TerminalServer SingleUserTS
Built by: 3790.srv03_sp2_gdr.070304-2240
Machine Name:
Kernel base = 0x80800000 PsLoadedModuleList = 0x8089ffa8
Debug session time: Sun Feb 13 11:34:57.897 17420 (GMT+9)
System Uptime: 0 days 0:17:36.739
WARNING: Process directory table base 3BA5A520 doesn't match CR3 3BA5A3C0
WARNING: Process directory table base 3BA5A520 doesn't match CR3 3BA5A3C0
Loading Kernel Symbols
...............................................................
...................................
Loading User Symbols
...........
Loading unloaded module list
...
*** ERROR: Module load completed but symbols could not be loaded for LiveKdD.SYS
*******************************************************************************
* Bugcheck Analysis *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck 0, {0, 0, 0, 0}
*************************************************************************
*** ***
*** ***
*** Your debugger is not using the correct symbols ***
*** ***
*** In order for this command to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: kernel32!pNlsUserInfo ***
*** ***
*************************************************************************
Probably caused by : LiveKdD.SYS ( LiveKdD+12f1 )
Followup: MachineOwner
---------
kd> .dump /f /o d:\dump\memory.dmp
Please consider including the "/b" option to compress the dump file in a CAB. Disk space required could be cut by around 75%.
Creating d:\dump\memory.dmp - Full kernel dump
Percent written 0
Percent written 1
Percent written 2
Percent written 3
Percent written 4
Percent written 5
Percent written 6
Percent written 7
Percent written 8
Percent written 9
Percent written 10
Percent written 11
..........
Percent written 97
Percent written 98
Percent written 99
Dump successfully written
When the operation completes, you can confirm that a 1 GB complete memory dump has been created on the D drive.
After setting up WinDbg and configuring symbols, the generated dump was verified.
Because this method captures the dump without rebooting, it also lets you analyze the root cause while the fault condition is still present.
[References]
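The steps above are interactive. The following PowerShell script is an added example (not code from the original post or from Sysinternals) that wraps the same procedure: it first checks that the target drive has at least as much free space as physical RAM (a complete memory dump is roughly that size), creates the symbol and dump folders, sets _NT_SYMBOL_PATH so LiveKd does not prompt for it, and then launches LiveKd with the same .dump command used in the session above. The Debugging Tools path, the folder names, and the use of kd's -c "<command>" switch passed through LiveKd are assumptions of this example.

```powershell
# Added example, not from the original post. Assumptions: the Debugging Tools
# folder below, the folder names, and that LiveKd passes kd's -c switch through.
param(
    [string]$DebugTools = 'C:\Program Files\Debugging Tools for Windows (x86)',
    [string]$SymbolDir  = 'D:\Symbols',
    [string]$DumpPath   = 'D:\dump\memory.dmp'
)

# Drive letter of the dump target, e.g. "D:"
$dumpDrive = [System.IO.Path]::GetPathRoot($DumpPath).TrimEnd('\')

# A complete memory dump is about the size of physical RAM, so compare
# the free space on the target drive against that before starting.
$ramBytes  = (Get-WmiObject Win32_ComputerSystem).TotalPhysicalMemory
$freeBytes = (Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$dumpDrive'").FreeSpace

if ($freeBytes -lt $ramBytes) {
    Write-Error ("Not enough free space on {0}: {1:N0} MB free, about {2:N0} MB needed" -f `
        $dumpDrive, ($freeBytes / 1MB), ($ramBytes / 1MB))
    exit 1
}

# Create the symbol folder (step 3) and the dump folder if they do not exist
foreach ($dir in @($SymbolDir, (Split-Path $DumpPath -Parent))) {
    if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
}

# Same symbol path LiveKd offers to set interactively in the session above
$env:_NT_SYMBOL_PATH = "srv*$SymbolDir*http://msdl.microsoft.com/download/symbols"

# Launch LiveKd (step 4) and hand kd the .dump command from the post;
# "q" quits the debugger once the dump has been written.
$livekd = Join-Path $DebugTools 'livekd.exe'
& $livekd -c ".dump /f /o $DumpPath; q"

# Confirm the result the same way the post does: the file exists and is roughly RAM-sized
if (Test-Path $DumpPath) {
    $sizeMB = (Get-Item $DumpPath).Length / 1MB
    Write-Host ("Dump written: {0} ({1:N0} MB)" -f $DumpPath, $sizeMB)
} else {
    Write-Error "Dump file was not created: $DumpPath"
    exit 1
}
```

If even the target drive is short on space, the "/b" option that kd suggests in the output above packs the dump into a CAB and cuts the required space by roughly three quarters. Keep in mind that a complete memory dump contains the memory of every process on the machine, including any credentials or keys held there, so restrict access to the dump folder and treat the file as sensitive data when moving it to the analysis machine.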
LiveKd v3.1
http://technet.microsoft.com/en-in/sysinternals/bb897415(en-us).aspx
Debugging Tools for Windows - Overview
http://www.microsoft.com/whdc/DevTools/Debugging/default.mspx
Author: Lai Go / Date: 2009.10.28