This blog describes the basic structure and contents of a minidump file for those that want a brief overview without having to trawl the header files. A mdmp file is generated when an application crash (known as an exception) occurs in a Windows application. It contains varying amounts of information that can help the application developer determine the reason for the crash. Minidumps are normally analyzed using a debugger (windbg or Visual Studio).
A minidump created following an application crash is optionally sent to the Microsoft Windows Error Reporting (WinQual) site by the user where it is added to a database ready for the application developer to download and debug, either manually or with a productivity tool such as StackHash. A minidump can be generated manually for a live application using a debugger or by loading Task Manager, right clicking the application and selecting Create Dump File.
You can analyze the structure of a dump file using the dumpchk.exe utility that comes with Debugging Tools for Windows by simply opening an MSDOS prompt in the folder containing the minidump and typing:
dumpchk -v some.mdmp >log.txt
Much of the detailed structure of the minidump file can be found in the header files ImageHlp.h and dbghelp.h which are installed as part of the Windows SDK. A full description of all fields can be found in the DbgHelp API documentation. Other resources include the toolhelp API and the ApplicationVerifier help.
I'll update this blog over time as I discover anything non-obvious about the stream data.
Minidump File Header
The file starts with a header section (_MINIDUMP_HEADER) identifying the contents of the file. A dump file contains a number of Streams of data. Each Stream contains a particular type of information as follows.
||Identifies the threads that were alive in the application at the time of the crash.
||List of modules (DLLs and EXEs) that were loaded in the address space of the application.
||Dump of various parts of memory that existed at the time of the crash.
||Contains information about the exception that occurred in the application (if any).
||Contains information about the machine on which the application was running.
||Similar to the ThreadListStream but contains BackingStore information (Intel Itanium only).
||Memory blocks from a 64 bit machine.
||ANSI string describing the dump.
||UNICODE string describing the dump.
||Contains additional information about system level handles for processes, threads and mutants.
||Contatins a number of function tables each describing 1 or more functions.
||Includes a list of modules that were recently unloaded, if this information is maintained by the operating system.
||Contains general system wide information such as process up time, processor information and timezone.
||Contains memory region description information. It corresponds to the information that would be returned for the process from the VirtualQuery function.
||Contains thread state information.
||Contains a list of operations performed on selected OS handles.
An example header and stream directory is shown below.
Number of Streams: 9
Stream RVA: 20
Stream 0: type ThreadListStream (3), size 00000394, RVA 00000184
Stream 1: type ModuleListStream (4), size 00002818, RVA 00000518
Stream 2: type UnloadedModuleListStream (14), size 000000CC, RVA 00002D30
Stream 3: type MemoryListStream (5), size 00000154, RVA 00009B22
Stream 4: type ExceptionStream (6), size 000000A8, RVA 000000DC
Stream 5: type SystemInfoStream (7), size 00000038, RVA 0000008C
Stream 6: type MiscInfoStream (15), size 00000018, RVA 000000C4
Stream 7: type UnusedStream (0), size 00000000, RVA 00000000
Stream 8: type UnusedStream (0), size 00000000, RVA 00000000
The following sections describe some of the main stream types in more detail.
ThreadListStream(3) and ThreadExListStream(8)
The ThreadList stream identifies the threads that were alive in the application at the time of the crash. A thread is the basic unit that is scheduled by the operating system (OS). An application may have 1 or more threads. The OS allocates processor time for each thread to run in turn depending on its priority. Each thread has:
||Uniquely identifes the thread.
||Indicates whether the thread is suspended (a number greater than 0 indicates it is).
||Determines the system wide scheduling priority class of the thread (IDLE, BELOW_NORMAL, NORMAL, ABOVE_NORMAL, HIGH, REALTIME) and is specified as a thread behaviour requirement when the thread is created.
||Within a process, threads can be given different priorities. e.g. a user input thread might be given a higher priority than a computationally intensive thread so that the latter doesn't make user input unresponsive for long periods. (IDLE, LOWEST, BELOW_NORMAL, NORMAL, ABOVE_NORMAL, HIGHEST, TIME_CRITICAL).
|Thread Environment Block (TEB)
||Contains per-thread context information used by the Windows components running in user mode (e.g. Windows subsystem and the Application Image Loader). This field contains the address of the TEB (as opposed to its contents). A typical value is 0x7FFDF000.
||Start address on the stack as well as the location of the stack information in the file.
||Locates the architecture specific thread context data including the thread's volatile register contents, stacks and private storage area.
||Only valid for ThreadExListStream. Contains backing store information for the thread on Itanium machines.
The following is an example of the first 2 threads of a thread stream.
Location: Length: 394, Rva: 184
RVA: 0188 ThreadId:000003C4 SuspendCount:1 PriorityClass:0 Priority:0 TEB:000000007FFDF000 Stack: (Address: 12F2A8 Length: D58, Rva: E776) ThreadContext: (Length: 2CC, Rva: 5708)
RVA: 01B8 ThreadId:000004EC SuspendCount:1 PriorityClass:0 Priority:0 TEB:000000007FFDE000 Stack: (Address: ABFE38 Length: 1C8, Rva: F4CE) ThreadContext: (Length: 2CC, Rva: 59D4)
The ThreadInfoList stream contains dynamic information about threads including information about how long the thread has been running and how much time the thread spent in user and kernel mode.
||Uniquely identifies the thread.
||Indicates if the thread had exited at the time of the dump. Also defines the progress during the attempt to dump the thread information.
||Status of the dump.
||The time when the thread was created, in 100-nanosecond intervals since January 1, 1601 (UTC).
||The time when the thread exited, in 100-nanosecond intervals since January 1, 1601 (UTC).
||The time executed in kernel mode, in 100-nanosecond intervals.
||The time executed in user mode, in 100-nanosecond intervals.
||The starting address of the thread.
||The processor affinity mask. This is a bit mask indicating the processors that the thread is allowed to run on. This will normally be the same as the owning process and is usually allocated by the OS.
Some operating systems can track the last operations performed on a handle. Application Verifier can enable this for some versions of Windows. Application Verifier is a tool that can be downloaded from Microsoft to detect unusual behaviour in native Win32 applications. The recorded information for each handle includes the ProcessId and ThreadId of the thread accessing the handle; the OperationType (Open, Close or BadRef); and the back trace identifying the code addresses that made the access. An example of an open and close operation on a handle is shown below.
BackTraceInfo: Depth: 10
ReturnAddresses: FFFFF80002FEB254 FFFFF80002CD6993 7715F7AA 7FEF57D6237 7FEF57D6368 7FEF57DB26C 772086C8 7716ED9A 7714B80D 771444CE 7FEEF1F7048 7FEFD12A4CC 7FEF3325E91 7FEF3326035 7FEF3323596 7FEF706A317 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
BackTraceInfo: Depth: 10
ReturnAddresses: FFFFF80002FDA617 FFFFF80002FE4360 FFFFF80002CD6993 7715FC0A 7FEF57D60DF 7FEF57D6368 7FEF57DB26C 772086C8 7716ED9A 7714B80D 771444CE 7FEEF1F7048 7FEFD12A4CC 7FEF3325E91 7FEF3326035 7FEF3323596 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
The ModuleList stream contains a list of modules (DLLs and EXEs) that were loaded in the address space of the application. The presence of unrecognised modules, such as viruses or virus checkers that have been injected into the application address space may indicate a problem. The absence of some DLLs may help identify how far the application got in its processing before it failed if delayed loading of DLLs was enabled. The list of modules is used when identifying the instruction addresses contained in other streams. An address lying within the range ImageBase to (ImageBase + ImageSize) means the instruction refers to code in that module. For each module the following information is listed.
||Base address in memory of the image.
||Size of the image.
||Full path and filename of the DLL or EXE file.
||Full version information for the file including: FileVersion; ProductVersion; OS the file was designed for (e.g. Win32); FileType - e.g. DLL, EXE.
||Hash of bytes in the file.
||Date and Time of file creation.
||This record may contain a symbol filename (PDB or DBG) and GUID that a debugger can use to locate the correct symbol file matching the binary file. The CodeView data is part of the original DLL or EXE file and is extracted from the Portable Executable - (PE = COFF) format.
||This contains miscellaneous symbol information.
An example of module data extracted from the module stream is shown below.
Base: 7E410000 Size: 91000 Rva: 3098 C:\WINDOWS\system32\user32.dll CheckSum: 8FC76 TimeDateStamp: 4802A11B
FileOS: 40004 VOS_NT_WINDOWS32
FileType: 2 VFT_DLL
CodeView record: Length: 23, Rva: 8D91
52 53 44 53 B7 41 8A D1 7F 4E 8C 45 AA AC 18 47 RSDS?A???N?E???G
E2 D8 BF 02 02 00 00 00 75 73 65 72 33 32 2E 70 ?????????user32.p
64 62 00 db
CodeView Signature: RSDS
CodeView GUID: B7 41 8A D1 7F 4E 8C 45 AA AC 18 47 E2 D8 BF 02
CodeView Age: 2
CodeView PDB FileName: user32.pdb
Misc record: Length: 0, Rva: 0
Includes a list of modules that were recently unloaded, if this information is maintained by the operating system. For Windows Server 2003 and Windows XP: The operating system does not maintain information for unloaded modules until Windows Server 2003 with SP1 and Windows XP with SP2. An example of the data stored in the UnloadedModuleList is shown below.
Location: Length: CC, Rva: 2D30
Base: 78080000-78091000 Size: 11000 NameRva: 5354 MSVCRT40.dll CheckSum: F7C0 TimeDateStamp: 48025155
Base: 747B0000-747F7000 Size: 47000 NameRva: 5372 msnsspc.dll CheckSum: 4D6A9 TimeDateStamp: 4802A16A
MemoryListStream(5) and Memory64ListStream(9)
The memory stream contains blocks of memory whose contents might be useful for debugging a crash. They include portions of the stack.
21 memory ranges
range# RVA Address Size
0 00009C76 7c90e494 00000100
1 00009D76 7c97e000 00004a00
2 0000E776 0012f2a8 00000d58
3 0000F4CE 00abfe38 000001c8
4 0000F696 00c8fcd0 00000330
Location: Length: 154, Rva: 9B22
Address: 7C90E494 Length: 100, Rva: 9C76
C6 EB FF FF EB 0B 5B 59 6A 00 51 53 E8 09 F5 FF ??????[Yj?QS????
FF 83 C4 EC 89 04 24 C7 44 24 04 01 00 00 00 89 ??????$?D$?????
5C 24 08 C7 44 24 10 00 00 00 00 54 E8 63 00 00 \$?D???T?c
00 C2 08 00 55 8B EC 83 EC 50 89 44 24 0C 64 A1 ???U????P?D$?d?
Address: 7C97E000 Length: 4A00, Rva: 9D76
63 6F 73 00 00 00 00 00 00 00 00 00 00 00 00 00 cos????????????
6C 6F 67 00 00 00 00 00 00 00 00 00 00 00 E0 3F log????????????
70 6F 77 00 00 00 00 00 00 00 00 00 00 00 00 00 pow???????????
73 69 6E 00 00 00 00 00 00 00 00 00 00 00 00 00 sin????????????
This stream contains memory region description information. It corresponds to the information that would be returned for the process from the VirtualQuery function. VirtualQuery retrieves information about a range of pages in the virtual address space of the calling process.
BaseAddress: 1981000 AllocationBase: 1980000 AllocationProtect: 1(PAGE_NOACCESS) RegionSize: 69000 State: 1000(MEM_COMMIT) Protect: 4(PAGE_READWRITE) Type: 20000(MEM_PRIVATE)
BaseAddress: 10000 AllocationBase: 10000 AllocationProtect: 4(PAGE_READWRITE) RegionSize: 2000 State: 1000(MEM_COMMIT) Protect: 4(PAGE_READWRITE) Type: 20000(MEM_PRIVATE)
BaseAddress: 12000 AllocationBase: 0 AllocationProtect: 0(0) RegionSize: E000 State: 10000(MEM_FREE) Protect: 1(PAGE_NOACCESS) Type: 0(0)
BaseAddress: 40000 AllocationBase: 40000 AllocationProtect: 2(PAGE_READONLY) RegionSize: 2000 State: 1000(MEM_COMMIT) Protect: 2(PAGE_READONLY) Type: 40000(MEM_MAPPED)
BaseAddress: 19EA000 AllocationBase: 1980000 AllocationProtect: 1(PAGE_NOACCESS) RegionSize: 1000 State: 2000(MEM_RESERVE) Protect: 0(0) Type: 20000(MEM_PRIVATE)
The SystemInfo stream contains details of the hardware and operating system that the application was running on.
Location: Length: 38, Rva: 8C
ProcessorArchitecture: 0 - PROCESSOR_ARCHITECTURE_INTEL
ProductType: 1 - VER_NT_WORKSTATION
ServicePack: Service Pack 3
SuiteMask: 300 - VER_SUITE_SINGLEUSERTS, VER_SUITE_PERSONAL
The exception stream contains information about any exception that may have occurred in the application. An exception is a condition that gave rise to an application crash. Inner exceptions may also be present by following the ExceptionRecord field. The ExceptionAddress probably points into one of the modules in the ModuleStream so the exact position of the crash inside the binary file should be determinable.
Location: Length: A8, Rva: DC
ExceptionCode: CFFFFFFF-Application Hang
ExceptionRecord (InnerException): 0
Location: Length: 0, Rva: 0
Common ExceptionCode values include
EXCEPTION_ACCESS_VIOLATION = 0x0C0000005,
EXCEPTION_ARRAY_BOUNDS_EXCEEDED = 0x0C000008C,
EXCEPTION_BAD_COMPRESSION_BUFFER = 0x0C0000242,
EXCEPTION_BREAKPOINT = 0x080000003,
EXCEPTION_CALLBACK_POP_STACK = 0x0C0000423,
EXCEPTION_DATATYPE_MISALIGNMENT = 0x080000002,
EXCEPTION_FLOAT_DENORMAL_OPERAND = 0x0C000008D,
EXCEPTION_FLOAT_DIVIDE_BY_ZERO = 0x0C000008E,
EXCEPTION_FLOAT_INEXACT_RESULT = 0x0C000008F,
EXCEPTION_FLOAT_INVALID_OPERATION = 0x0C0000090,
EXCEPTION_FLOAT_OVERFLOW = 0x0C0000091,
EXCEPTION_FLOAT_STACK_CHECK = 0x0C0000092,
EXCEPTION_FLOAT_UNDERFLOW = 0x0C0000093,
EXCEPTION_FLOAT_MULTIPLE_FAULTS = 0x0C00002B4,
EXCEPTION_FLOAT_MULTIPLE_TRAPS = 0x0C00002B5,
EXCEPTION_GUARD_PAGE_VIOLATION = 0x080000001,
EXCEPTION_ILLEGAL_FLOAT_CONTEXT = 0x0C000014A,
EXCEPTION_ILLEGAL_INSTRUCTION = 0x0C000001D,
EXCEPTION_INSTRUCTION_MISALIGNMENT = 0x0C00000AA,
EXCEPTION_INVALID_HANDLE = 0x0C0000008,
EXCEPTION_INVALID_LOCK_SEQENCE = 0x0C000001E,
EXCEPTION_INVALID_OWNER = 0x0C000005A,
EXCEPTION_INVALID_PARAMETER = 0x0C000000D,
EXCEPTION_INVALID_PARAMETER_1 = 0x0C00000EF,
EXCEPTION_INVALID_SYSTEM_SERVICE = 0x0C000001C,
EXCEPTION_INVALID_THREAD = 0x0C000071C,
EXCEPTION_INTEGER_DIVIDE_BY_ZERO = 0x0C0000094,
EXCEPTION_INTEGER_OVERFLOW = 0x0C0000095,
EXCEPTION_IN_PAGE_ERROR = 0x0C0000006,
EXCEPTION_KERNEL_APC = 0x00100,
EXCEPTION_LONGJUMP = 0x080000026,
EXCEPTION_NO_CALLBACK_ACTIVE = 0x0C0000258,
EXCEPTION_NO_EVENT_PAIR = 0x0C000014E,
EXCEPTION_PRIVILEGED_INSTRUCTION = 0x0C0000096,
EXCEPTION_SINGLE_STEP = 0x080000004,
EXCEPTION_STACK_BUFFER_OVERRUN = 0xC0000409,
EXCEPTION_STACK_OVERFLOW = 0xC00000FD,
EXCEPTION_SUCCESS = 0x00000,
EXCEPTION_THREAD_IS_TERMINATING = 0x0C000004B,
EXCEPTION_TIMEOUT = 0x00102,
EXCEPTION_UNWIND = 0x0C0000027,
EXCEPTION_UNWIND_CONSOLIDATE = 0x080000029,
EXCEPTION_USER_APC = 0x000C0,
EXCEPTION_WAKE_SYSTEM_DEBUGGER = 0x080000007,
EXCEPTION_APPLICATION_HANG = 0xcfffffff,
CommentStreamA(10) and CommentStreamW(11)
These stream contains a string used for documentation purposes. For CommentStreamA, this is an ANSI string and for CommentStreamW this is a Unicode (double byte) string.
A handle is a pointer to a data structure containing information about a consumed system resource such as a process, thread, registry key, event and mutant. The Handle stream, if present, contains data associated with these high level system handles. The HandleId, TypeName, ObjectName, Attributes, GrantedAccess, HandleCount and PointerCount are stored for each handle. Most of these fields are specific to the type of handle that is being stored.
Extended object information may also exist for a handle. The extended information may be present for threads, mutants and process handles. This data varies depending on the architecture of the machine. More than 1 extended block may exist for each handle as shown in the example below.
Location: Length: 7B8, Rva: B44AAC
ObjectName: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
Next: B44400 InfoType: 3-MiniMutantInformation2 SizeOfInfo: 8
00 00 00 00 00 00 00 00 ????????
Next: 0 InfoType: 2-MiniMutantInformation1 SizeOfInfo: 8
01 00 00 00 00 00 47 00 G???????
The function table stream contains a number of function tables, one for each module. Each function table contains one or more function entry.
The MiscInfo contains miscellaneous information pertaining mainly to the process and processor. The amount of information stored has changed over time so different OS's may contain different information. Information includes...
||ID of the crashing process.
ProcessCreationTime - Time the process was started.
||Time the process (all of its threads) has spent running user mode code.
||Time the process (all of its threads) has spent running kernel mode code.
||The maximum specified clock frequency of the system processor.
||The processor clock frequency, in MHz. This number is the maximum specified processor clock frequency multiplied by the current processor throttle.
||The limit on the processor clock frequency, in MHz. This number is the maximum specified processor clock frequency multiplied by the current processor thermal throttle limit.
||The maximum idle state of the processor.
||The current idle state of the processor.
||(low,medium,high,system). Lower integrity programs have more limited access to the file system and other system resources.
||The process is to be run as a protected process. The system restricts access to protected processes and the threads of protected processes.
|TimeZoneId and TimeZoneInformation
||TimeZone under which the machine is running.
An example Misc information sections follows...
Location: Length: 18, Rva: C4
ValidFieldFlags: 3-MINIDUMP_MISC1_PROCESS_ID, MINIDUMP_MISC1_PROCESS_TIMES