Home > Blog > Format of a minidump (mdmp) file.

Introduction

This blog describes the basic structure and contents of a minidump file for those that want a brief overview without having to trawl the header files. A mdmp file is generated when an application crash (known as an exception) occurs in a Windows application. It contains varying amounts of information that can help the application developer determine the reason for the crash. Minidumps are normally analyzed using a debugger (windbg or Visual Studio).

A minidump created following an application crash is optionally sent to the Microsoft Windows Error Reporting (WinQual) site by the user where it is added to a database ready for the application developer to download and debug, either manually or with a productivity tool such as StackHash. A minidump can be generated manually for a live application using a debugger or by loading Task Manager, right clicking the application and selecting Create Dump File.

You can analyze the structure of a dump file using the dumpchk.exe utility that comes with Debugging Tools for Windows by simply opening an MSDOS prompt in the folder containing the minidump and typing:

dumpchk -v some.mdmp >log.txt
notepad log.txt

Much of the detailed structure of the minidump file can be found in the header files ImageHlp.h and dbghelp.h which are installed as part of the Windows SDK. A full description of all fields can be found in the DbgHelp API documentation. Other resources include the toolhelp API and the ApplicationVerifier help.

I'll update this blog over time as I discover anything non-obvious about the stream data.

Minidump File Header

The file starts with a header section (_MINIDUMP_HEADER) identifying the contents of the file. A dump file contains a number of Streams of data. Each Stream contains a particular type of information as follows.

ThreadListStream(3) Identifies the threads that were alive in the application at the time of the crash.
ModuleListStream(4) List of modules (DLLs and EXEs) that were loaded in the address space of the application.
MemoryListStream(5) Dump of various parts of memory that existed at the time of the crash.
ExceptionStream(6) Contains information about the exception that occurred in the application (if any).
SystemInfoStream(7) Contains information about the machine on which the application was running.
ThreadExListStream(8) Similar to the ThreadListStream but contains BackingStore information (Intel Itanium only).
Memory64ListStream(9) Memory blocks from a 64 bit machine.
CommentStreamA(10) ANSI string describing the dump.
CommentStreamW(11) UNICODE string describing the dump.
HandleDataStream(12) Contains additional information about system level handles for processes, threads and mutants.
FunctionTableStream(13) Contatins a number of function tables each describing 1 or more functions.
UnloadedModuleListStream(14) Includes a list of modules that were recently unloaded, if this information is maintained by the operating system.
MiscInfoStream(15) Contains general system wide information such as process up time, processor information and timezone.
MemoryInfoListStream(16) Contains memory region description information. It corresponds to the information that would be returned for the process from the VirtualQuery function.
ThreadInfoListStream(17) Contains thread state information.
HandleOperationListStream(18) Contains a list of operations performed on selected OS handles.

An example header and stream directory is shown below.

Minidump Header
===========
Signature:                         MDMP
Version:                            A793(5128)
Number of Streams:           9
Stream RVA:                     20
Checksum:                        0
TimeDateStamp/Reserved: 4B7CD4F6
Flags:                                21
      (00000001) MiniDumpWithDataSegs
      (00000020) MiniDumpWithUnloadedModules

Stream Directory...
Stream 0: type ThreadListStream (3), size 00000394, RVA 00000184
Stream 1: type ModuleListStream (4), size 00002818, RVA 00000518
Stream 2: type UnloadedModuleListStream (14), size 000000CC, RVA 00002D30
Stream 3: type MemoryListStream (5), size 00000154, RVA 00009B22
Stream 4: type ExceptionStream (6), size 000000A8, RVA 000000DC
Stream 5: type SystemInfoStream (7), size 00000038, RVA 0000008C
Stream 6: type MiscInfoStream (15), size 00000018, RVA 000000C4
Stream 7: type UnusedStream (0), size 00000000, RVA 00000000
Stream 8: type UnusedStream (0), size 00000000, RVA 00000000

The following sections describe some of the main stream types in more detail.

ThreadListStream(3) and ThreadExListStream(8)

The ThreadList stream identifies the threads that were alive in the application at the time of the crash. A thread is the basic unit that is scheduled by the operating system (OS). An application may have 1 or more threads. The OS allocates processor time for each thread to run in turn depending on its priority. Each thread has:

ThreadId Uniquely identifes the thread.
SuspendCount Indicates whether the thread is suspended (a number greater than 0 indicates it is).
PriorityClass Determines the system wide scheduling priority class of the thread (IDLE, BELOW_NORMAL, NORMAL, ABOVE_NORMAL, HIGH, REALTIME) and is specified as a thread behaviour requirement when the thread is created.
Priority Within a process, threads can be given different priorities. e.g. a user input thread might be given a higher priority than a computationally intensive thread so that the latter doesn't make user input unresponsive for long periods. (IDLE, LOWEST, BELOW_NORMAL, NORMAL, ABOVE_NORMAL, HIGHEST, TIME_CRITICAL).
Thread Environment Block (TEB) Contains per-thread context information used by the Windows components running in user mode (e.g. Windows subsystem and the Application Image Loader). This field contains the address of the TEB (as opposed to its contents). A typical value is 0x7FFDF000.
Stack Start address on the stack as well as the location of the stack information in the file.
ThreadContext Locates the architecture specific thread context data including the thread's volatile register contents, stacks and private storage area.
BackingStore Only valid for ThreadExListStream. Contains backing store information for the thread on Itanium machines.

The following is an example of the first 2 threads of a thread stream.

StreamType: ThreadListStream
Location: Length: 394, Rva: 184
NumberOfThreads: 19
 RVA: 0188  ThreadId:000003C4 SuspendCount:1 PriorityClass:0 Priority:0 TEB:000000007FFDF000 Stack: (Address: 12F2A8 Length: D58, Rva: E776) ThreadContext: (Length: 2CC, Rva: 5708)
 RVA: 01B8  ThreadId:000004EC SuspendCount:1 PriorityClass:0 Priority:0 TEB:000000007FFDE000 Stack: (Address: ABFE38 Length: 1C8, Rva: F4CE) ThreadContext: (Length: 2CC, Rva: 59D4)

ThreadInfoListStream(17)

The ThreadInfoList stream contains dynamic information about threads including information about how long the thread has been running and how much time the thread spent in user and kernel mode.

ThreadId Uniquely identifies the thread.
DumpFlags Indicates if the thread had exited at the time of the dump. Also defines the progress during the attempt to dump the thread information.
DumpError Status of the dump.
CreateTime The time when the thread was created, in 100-nanosecond intervals since January 1, 1601 (UTC).
ExitTime The time when the thread exited, in 100-nanosecond intervals since January 1, 1601 (UTC).
KernelTime The time executed in kernel mode, in 100-nanosecond intervals.
UserTime The time executed in user mode, in 100-nanosecond intervals.
StartAddress The starting address of the thread.
Affinity The processor affinity mask. This is a bit mask indicating the processors that the thread is allowed to run on. This will normally be the same as the owning process and is usually allocated by the OS.

HandleOperationListStream(18)

Some operating systems can track the last operations performed on a handle.  Application Verifier can enable this for some versions of Windows. Application Verifier is a tool that can be downloaded from Microsoft to detect unusual behaviour in native Win32 applications. The recorded information for each handle includes the ProcessId and ThreadId of the thread accessing the handle; the OperationType (Open, Close or BadRef); and the back trace identifying the code addresses that made the access. An example of an open and close operation on a handle is shown below.

   SizeOfHeader: 10
   SizeOfEntry: 120
   NumberOfEntries: 1000
   Reserved: 0

   HeapHandle: B24
   ProcessId: 1A5C
   ThreadId: 1B94
   OperationType: 2-OperationDbCLOSE
   Spare0: 0
   BackTraceInfo:     Depth: 10
    Index: 0
    ReturnAddresses: FFFFF80002FEB254 FFFFF80002CD6993 7715F7AA 7FEF57D6237 7FEF57D6368 7FEF57DB26C 772086C8 7716ED9A 7714B80D 771444CE 7FEEF1F7048 7FEFD12A4CC 7FEF3325E91 7FEF3326035 7FEF3323596 7FEF706A317 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0

   HeapHandle: B24
   ProcessId: 1A5C
   ThreadId: 1B94
   OperationType: 1-OperationDbOPEN
   Spare0: 0
   BackTraceInfo:     Depth: 10
    Index: 0
    ReturnAddresses: FFFFF80002FDA617 FFFFF80002FE4360 FFFFF80002CD6993 7715FC0A 7FEF57D60DF 7FEF57D6368 7FEF57DB26C 772086C8 7716ED9A 7714B80D 771444CE 7FEEF1F7048 7FEFD12A4CC 7FEF3325E91 7FEF3326035 7FEF3323596 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0

ModuleListStream(4)

The ModuleList stream contains a list of modules (DLLs and EXEs) that were loaded in the address space of the application. The presence of unrecognised modules, such as viruses or virus checkers that have been injected into the application address space may indicate a problem. The absence of some DLLs may help identify how far the application got in its processing before it failed if delayed loading of DLLs was enabled. The list of modules is used when identifying the instruction addresses contained in other streams. An address lying within the range ImageBase to (ImageBase + ImageSize) means the instruction refers to code in that module. For each module the following information is listed.

ImageBase Base address in memory of the image.
ImageSize Size of the image.
Name Full path and filename of the DLL or EXE file.
VersionInfo Full version information for the file including: FileVersion; ProductVersion; OS the file was designed for (e.g. Win32); FileType - e.g. DLL, EXE.
CheckSum Hash of bytes in the file.
TimeStamp Date and Time of file creation.
CodeViewRecord This record may contain a symbol filename (PDB or DBG) and GUID that a debugger can use to locate the correct symbol file matching the binary file. The CodeView data is part of the original DLL or EXE file and is extracted from the Portable Executable - (PE = COFF) format.
MiscRecord This contains miscellaneous symbol information.

An example of module data extracted from the module stream is shown below.

Base: 7E410000 Size: 91000 Rva: 3098 C:\WINDOWS\system32\user32.dll CheckSum: 8FC76 TimeDateStamp: 4802A11B
 FileVersionInfo:      
      Signature: FEEF04BD
      StrucVersion: 1.0
      FileVersion: 5.1.2600.5512
      ProductVersion: 5.1.2600.5512
      FileFlagsMask: 3F
      FileFlags: 00
      FileOS: 40004 VOS_NT_WINDOWS32
      FileType: 2 VFT_DLL
      FileSubtype: 0
      FileDateMS: 0
      FileDateLS: 0

 CodeView record: Length: 23, Rva: 8D91
    52 53 44 53 B7 41 8A D1 7F 4E 8C 45 AA AC 18 47 RSDS?A???N?E???G
    E2 D8 BF 02 02 00 00 00 75 73 65 72 33 32 2E 70   ?????????user32.p
    64 62 00 db

      CodeView Signature: RSDS
      CodeView GUID:     B7 41 8A D1 7F 4E 8C 45 AA AC 18 47 E2 D8 BF 02    
      CodeView Age: 2
      CodeView PDB FileName: user32.pdb

 Misc record: Length: 0, Rva: 0

UnloadedModuleListStream(14)

Includes a list of modules that were recently unloaded, if this information is maintained by the operating system. For Windows Server 2003 and Windows XP:  The operating system does not maintain information for unloaded modules until Windows Server 2003 with SP1 and Windows XP with SP2. An example of the data stored in the UnloadedModuleList is shown below.

StreamType: UnloadedModuleListStream
Location: Length: CC, Rva: 2D30
NumberOfModules: 8
 Base: 78080000-78091000 Size: 11000 NameRva: 5354 MSVCRT40.dll CheckSum: F7C0 TimeDateStamp: 48025155
 Base: 747B0000-747F7000 Size: 47000 NameRva: 5372 msnsspc.dll CheckSum: 4D6A9 TimeDateStamp: 4802A16A
 ...

MemoryListStream(5) and Memory64ListStream(9)

The memory stream contains blocks of memory whose contents might be useful for debugging a crash. They include portions of the stack.

  21 memory ranges
  range#    RVA      Address      Size
       0 00009C76    7c90e494   00000100
       1 00009D76    7c97e000   00004a00
       2 0000E776    0012f2a8   00000d58
       3 0000F4CE    00abfe38   000001c8
       4 0000F696    00c8fcd0   00000330
       ...

StreamType: MemoryListStream
Location: Length: 154, Rva: 9B22
NumberOfMemoryRanges: 21
 Address: 7C90E494 Length: 100, Rva: 9C76
    C6 EB FF FF EB 0B 5B 59 6A 00 51 53 E8 09 F5 FF ??????[Yj?QS????
    FF 83 C4 EC 89 04 24 C7 44 24 04 01 00 00 00 89 ??????$?D$?????
    5C 24 08 C7 44 24 10 00 00 00 00 54 E8 63 00 00 \$?D???T?c
    00 C2 08 00 55 8B EC 83 EC 50 89 44 24 0C 64 A1  ???U????P?D$?d?
   
 Address: 7C97E000 Length: 4A00, Rva: 9D76
    63 6F 73 00 00 00 00 00 00 00 00 00 00 00 00 00 cos????????????
    6C 6F 67 00 00 00 00 00 00 00 00 00 00 00 E0 3F log????????????
    70 6F 77 00 00 00 00 00 00 00 00 00 00 00 00 00 pow???????????
    73 69 6E 00 00 00 00 00 00 00 00 00 00 00 00 00 sin????????????

MemoryInfoListStream(16)

This stream contains memory region description information. It corresponds to the information that would be returned for the process from the VirtualQuery function. VirtualQuery retrieves information about a range of pages in the virtual address space of the calling process.

SizeOfHeader: 10
SizeOfEntry: 30
NumberOfEntries: 8C67

   BaseAddress: 1981000 AllocationBase: 1980000 AllocationProtect: 1(PAGE_NOACCESS) RegionSize: 69000 State: 1000(MEM_COMMIT) Protect: 4(PAGE_READWRITE) Type: 20000(MEM_PRIVATE)
   BaseAddress: 10000 AllocationBase: 10000 AllocationProtect: 4(PAGE_READWRITE) RegionSize: 2000 State: 1000(MEM_COMMIT) Protect: 4(PAGE_READWRITE) Type: 20000(MEM_PRIVATE)
   BaseAddress: 12000 AllocationBase: 0 AllocationProtect: 0(0) RegionSize: E000 State: 10000(MEM_FREE) Protect: 1(PAGE_NOACCESS) Type: 0(0)
   BaseAddress: 40000 AllocationBase: 40000 AllocationProtect: 2(PAGE_READONLY) RegionSize: 2000 State: 1000(MEM_COMMIT) Protect: 2(PAGE_READONLY) Type: 40000(MEM_MAPPED)
   BaseAddress: 19EA000 AllocationBase: 1980000 AllocationProtect: 1(PAGE_NOACCESS) RegionSize: 1000 State: 2000(MEM_RESERVE) Protect: 0(0) Type: 20000(MEM_PRIVATE)
... 

SystemInfoStream(7)

The SystemInfo stream contains details of the hardware and operating system that the application was running on.

StreamType: SystemInfoStream
Location: Length: 38, Rva: 8C
 ProcessorArchitecture: 0 - PROCESSOR_ARCHITECTURE_INTEL
 ProcessorLevel: 15
 ProcessorRevision: 20226
 NumberOfProcessors: 1
 ProductType: 1 - VER_NT_WORKSTATION
 Version: 5.1.2600
 PlatformId: VER_PLATFORM_WIN32_NT
 ServicePack: Service Pack 3
 SuiteMask: 300 - VER_SUITE_SINGLEUSERTS, VER_SUITE_PERSONAL

ExceptionStream(6)

The exception stream contains information about any exception that may have occurred in the application. An exception is a condition that gave rise to an application crash. Inner exceptions may also be present by following the ExceptionRecord field. The ExceptionAddress probably points into one of the modules in the ModuleStream so the exact position of the crash inside the binary file should be determinable.

StreamType: ExceptionStream
Location: Length: A8, Rva: DC
 ThreadId: 3C4
  ExceptionCode: CFFFFFFF-Application Hang
  ExceptionFlags: 0-EXCEPTION_CONTINUABLE
  ExceptionAddress: 7C90E514
  ExceptionRecord (InnerException): 0
  NumberOfExceptionParams: 0

 Location: Length: 0, Rva: 0

Common ExceptionCode values include

        EXCEPTION_ACCESS_VIOLATION = 0x0C0000005,
        EXCEPTION_ARRAY_BOUNDS_EXCEEDED = 0x0C000008C,
        EXCEPTION_BAD_COMPRESSION_BUFFER = 0x0C0000242,
        EXCEPTION_BREAKPOINT = 0x080000003,
        EXCEPTION_CALLBACK_POP_STACK = 0x0C0000423,
        EXCEPTION_DATATYPE_MISALIGNMENT = 0x080000002,
        EXCEPTION_FLOAT_DENORMAL_OPERAND = 0x0C000008D,
        EXCEPTION_FLOAT_DIVIDE_BY_ZERO = 0x0C000008E,
        EXCEPTION_FLOAT_INEXACT_RESULT = 0x0C000008F,
        EXCEPTION_FLOAT_INVALID_OPERATION = 0x0C0000090,
        EXCEPTION_FLOAT_OVERFLOW = 0x0C0000091,
        EXCEPTION_FLOAT_STACK_CHECK = 0x0C0000092,
        EXCEPTION_FLOAT_UNDERFLOW = 0x0C0000093,
        EXCEPTION_FLOAT_MULTIPLE_FAULTS = 0x0C00002B4,
        EXCEPTION_FLOAT_MULTIPLE_TRAPS = 0x0C00002B5,
        EXCEPTION_GUARD_PAGE_VIOLATION = 0x080000001,
        EXCEPTION_ILLEGAL_FLOAT_CONTEXT = 0x0C000014A,
        EXCEPTION_ILLEGAL_INSTRUCTION = 0x0C000001D,
        EXCEPTION_INSTRUCTION_MISALIGNMENT = 0x0C00000AA,
        EXCEPTION_INVALID_HANDLE = 0x0C0000008,
        EXCEPTION_INVALID_LOCK_SEQENCE = 0x0C000001E,
        EXCEPTION_INVALID_OWNER = 0x0C000005A,
        EXCEPTION_INVALID_PARAMETER = 0x0C000000D,
        EXCEPTION_INVALID_PARAMETER_1 = 0x0C00000EF,
        EXCEPTION_INVALID_SYSTEM_SERVICE = 0x0C000001C,
        EXCEPTION_INVALID_THREAD = 0x0C000071C,
        EXCEPTION_INTEGER_DIVIDE_BY_ZERO = 0x0C0000094,
        EXCEPTION_INTEGER_OVERFLOW = 0x0C0000095,
        EXCEPTION_IN_PAGE_ERROR = 0x0C0000006,
        EXCEPTION_KERNEL_APC = 0x00100,
        EXCEPTION_LONGJUMP = 0x080000026,
        EXCEPTION_NO_CALLBACK_ACTIVE = 0x0C0000258,
        EXCEPTION_NO_EVENT_PAIR = 0x0C000014E,
        EXCEPTION_PRIVILEGED_INSTRUCTION = 0x0C0000096,
        EXCEPTION_SINGLE_STEP = 0x080000004,
        EXCEPTION_STACK_BUFFER_OVERRUN = 0xC0000409,
        EXCEPTION_STACK_OVERFLOW = 0xC00000FD,
        EXCEPTION_SUCCESS = 0x00000,
        EXCEPTION_THREAD_IS_TERMINATING = 0x0C000004B,
        EXCEPTION_TIMEOUT = 0x00102,
        EXCEPTION_UNWIND = 0x0C0000027,
        EXCEPTION_UNWIND_CONSOLIDATE = 0x080000029,
        EXCEPTION_USER_APC = 0x000C0,
        EXCEPTION_WAKE_SYSTEM_DEBUGGER = 0x080000007,
        EXCEPTION_APPLICATION_HANG = 0xcfffffff,

CommentStreamA(10) and CommentStreamW(11)

These stream contains a string used for documentation purposes. For CommentStreamA, this is an ANSI string and for CommentStreamW this is a Unicode (double byte) string.

HandleDataStream(12)

A handle is a pointer to a data structure containing information about a consumed system resource such as a process, thread, registry key, event and mutant. The Handle stream, if present, contains data associated with these high level system handles. The HandleId, TypeName, ObjectName, Attributes, GrantedAccess, HandleCount and PointerCount are stored for each handle. Most of these fields are specific to the type of handle that is being stored.

Extended object information may also exist for a handle. The extended information may be present for threads, mutants and process handles. This data varies depending on the architecture of the machine. More than 1 extended block may exist for each handle as shown in the example below.

StreamType: HandleDataStream
Location: Length: 7B8, Rva: B44AAC
   SizeOfHeader: 10
   SizeOfDescriptor: 28
   NumberOfDescriptors: 31
   Reserved: 0

   Handle: 4
   TypeNameRva: B44000
   TypeName: Key
   ObjectNameRva: B4400C
   ObjectName: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
   Attributes: 0
   GrantedAccess: 9
   HandleCount: 2
   PointerCount: 3

   Handle: 40
   TypeNameRva: B443EE
   TypeName: Mutant
   ObjectNameRva: 0
   ObjectName:
   Attributes: 0
   GrantedAccess: 1F0001
   HandleCount: 2
   PointerCount: 3
 Next: B44400 InfoType: 3-MiniMutantInformation2 SizeOfInfo: 8
    00 00 00 00 00 00 00 00     ????????

 Next: 0 InfoType: 2-MiniMutantInformation1 SizeOfInfo: 8
    01 00 00 00 00 00 47 00     G???????

FunctionTableStream(13)

The function table stream contains a number of function tables, one for each module. Each function table contains one or more function entry.

MiscInfoStream(15)

The MiscInfo contains miscellaneous information pertaining mainly to the process and processor. The amount of information stored has changed over time so different OS's may contain different information. Information includes...

ProcessId ID of the crashing process.
ProcessCreationTime - Time the process was started.
ProcessUserTime Time the process (all of its threads) has spent running user mode code.
ProcessKernelTime Time the process (all of its threads) has spent running kernel mode code.
ProcessorMaxMhz The maximum specified clock frequency of the system processor.
ProcessorCurrentMhz The processor clock frequency, in MHz. This number is the maximum specified processor clock frequency multiplied by the current processor throttle.
ProcessorMhzLimit The limit on the processor clock frequency, in MHz. This number is the maximum specified processor clock frequency multiplied by the current processor thermal throttle limit.
ProcessorMaxIdleState The maximum idle state of the processor.
ProcessorCurrentIdleState The current idle state of the processor.
ProcessIntegrityLevel (low,medium,high,system). Lower integrity programs have more limited access to the file system and other system resources.
ProcessExecuteFlags  
ProtectedProcess The process is to be run as a protected process. The system restricts access to protected processes and the threads of protected processes.
TimeZoneId and TimeZoneInformation TimeZone under which the machine is running.


An example Misc information sections follows...

StreamType: MiscInfoStream
Location: Length: 18, Rva: C4
 SizeOfInfo: 18
 ValidFieldFlags: 3-MINIDUMP_MISC1_PROCESS_ID, MINIDUMP_MISC1_PROCESS_TIMES
 ProcessId: 394
 ProcessCreateTime: 4B7CD46A
 ProcessUserTime: 0
 ProcessKernelTime: 1

 

 

 

 

Comments

Add comment


(Will show your Gravatar icon)

  Country flag

biuquote
  • Comment
  • Preview
Loading



 

StackHash Online

StackHash is a division of Cucku, Inc.
© Copyright 2011 Cucku, Inc.