User-Mode Dump Files

This section includes:

For information on analyzing a dump file, see Analyzing a User-Mode Dump File.

Varieties of User-Mode Dump Files

There are several kinds of user-mode crash dump files, but they are divided into two categories:

Full User-Mode Dumps

Minidumps

The difference between these dump files is one of size. Minidumps are usually more compact, and can be easily sent to an analyst.

Note: Much information can be obtained by analyzing a dump file. However, no dump file can provide as much information as actually debugging the crash directly with a debugger.

Full User-Mode Dumps

A full user-mode dump is the basic user-mode dump file.

This dump file includes the entire memory space of a process, the program's executable image itself, the handle table, and other information that will be useful to the debugger in reconstructing the memory that was in use when the dump occurred.

It is possible to "shrink" a full user-mode dump file into a minidump. Simply load the dump file into the debugger and then use the .dump (Create Dump File) command to save a new dump file in minidump format.

Note: Despite their names, the largest "minidump" file actually contains more information than the full user-mode dump. For example, .dump /mf or .dump /ma will create a larger and more complete file than .dump /f.

In user mode, .dump /m[MiniOptions] is the best choice. The dump files created with this switch can vary in size from very small to very large. By specifying the proper MiniOptions you can control exactly what information is included.

Minidumps

A user-mode dump file that includes only selected parts of the memory associated with a process is called a minidump.

The size and contents of a minidump file vary depending on the program being dumped and the application doing the dumping. Sometimes, a minidump file is fairly large and includes the full memory and handle table. Other times, it is much smaller -- for example, it might only contain information about a single thread, or only contain information about modules that are actually referenced in the stack.

The name "minidump" is misleading, because the largest minidump files actually contain more information than the "full" user-mode dump. For example, .dump /mf or .dump /ma will create a larger and more complete file than .dump /f. For this reason, .dump /m[MiniOptions] is recommended over .dump /f for all user-mode dump file creation.

If you are creating a minidump file with the debugger, you can choose exactly what information to include. A simple .dump /m command will include basic information about the loaded modules that make up the target process, thread information, and stack information. This can be modified by using any of the following options:

.dump option    Effect on dump file

/ma

Creates a minidump with all optional additions. The /ma option is equivalent to /mfFhut -- it adds full memory data, handle data, unloaded module information, basic memory information, and thread time information to the minidump.

/mf

Adds full memory data to the minidump. All accessible committed pages owned by the target application will be included.

/mF

Adds all basic memory information to the minidump. This adds a stream to the minidump that contains all basic memory information, not just information about valid memory. This allows the debugger to reconstruct the complete virtual memory layout of the process when the minidump is being debugged.

/mh

Adds data about the handles associated with the target application to the minidump.

/mu

Adds unloaded module information to the minidump. This is only available in Windows Server 2003 and later versions of Windows.

/mt

Adds additional thread information to the minidump. This includes thread times, which can be displayed by using .ttime (Display Thread Times) when debugging the minidump.

/mi

Adds secondary memory to the minidump. Secondary memory is any memory referenced by a pointer on the stack or backing store, plus a small region surrounding this address.

/mp

Adds process environment block (PEB) and thread environment block (TEB) data to the minidump. This can be useful if you need access to Windows system information regarding the application's processes and threads.

/mw

Adds all committed read-write private pages to the minidump.

/md

Adds all read-write data segments within the executable image to the minidump.

/mc

Adds code sections within images.

/mr

Deletes from the minidump those portions of the stack and store memory that are not useful for recreating the stack trace. Local variables and other data type values are deleted as well. This option does not make the minidump smaller (since these memory sections are simply zeroed), but it is useful if you wish to protect the privacy of other applications.

/mR

Deletes the full module paths from the minidump. Only the module names will be included. This is a useful option if you wish to protect the privacy of the user's directory structure.

/mk "FileName"

(Windows Vista only) Creates a kernel-mode minidump in addition to the user-mode minidump. The kernel-mode minidump will be restricted to the same threads that are stored in the user-mode minidump. FileName must be enclosed in quotation marks.

These options can be combined. For example, the command .dump /mfiu can be used to create a fairly large minidump, or the command .dump /mrR can be used to create a minidump that preserves the user's privacy. For full syntax details, see .dump (Create Dump File).
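Before a minidump is sent to an analyst, its header can be checked to see which of the options above it was created with. The following is an added example, not part of the original documentation: it reads the MINIDUMP_HEADER and decodes the MINIDUMP_TYPE flags as defined in the Windows SDK. The pairing of each flag with a .dump letter is an assumption made by matching descriptions, MEMORY_LETTERS is an example policy, and the sample headers are constructed.

```python
import struct

# MINIDUMP_HEADER (Windows SDK): Signature, Version, NumberOfStreams,
# StreamDirectoryRva, CheckSum, TimeDateStamp (32-bit each), 64-bit Flags.
HEADER = struct.Struct("<4sIIIIIQ")

# MINIDUMP_TYPE bit -> .dump letter. The pairing is an assumption, made by
# matching the option descriptions above to the SDK flag names.
FLAGS = {
    0x0001: "d",  # MiniDumpWithDataSegs
    0x0002: "f",  # MiniDumpWithFullMemory
    0x0004: "h",  # MiniDumpWithHandleData
    0x0008: "r",  # MiniDumpFilterMemory
    0x0020: "u",  # MiniDumpWithUnloadedModules
    0x0040: "i",  # MiniDumpWithIndirectlyReferencedMemory
    0x0080: "R",  # MiniDumpFilterModulePaths
    0x0100: "p",  # MiniDumpWithProcessThreadData
    0x0200: "w",  # MiniDumpWithPrivateReadWriteMemory
    0x0800: "F",  # MiniDumpWithFullMemoryInfo
    0x1000: "t",  # MiniDumpWithThreadInfo
    0x2000: "c",  # MiniDumpWithCodeSegs
}
KNOWN = sum(FLAGS)             # distinct bits, so the sum is the OR mask
MEMORY_LETTERS = set("dfiwp")  # example policy: options that add process data

def audit_minidump(data: bytes) -> dict:
    """Decode the header flags and say what the dump declares it contains."""
    if len(data) < HEADER.size:
        raise ValueError("too short for a MINIDUMP_HEADER")
    sig, _ver, streams, _rva, _sum, _ts, flags = HEADER.unpack_from(data)
    if sig != b"MDMP":
        raise ValueError(f"not a minidump, signature {sig!r}")
    letters = "".join(l for bit, l in sorted(FLAGS.items()) if flags & bit)
    return {
        "options": letters,
        "streams": streams,
        "adds_memory": [l for l in letters if l in MEMORY_LETTERS],
        "scrubbed": "r" in letters and "R" in letters,
        "other_flags": flags & ~KNOWN,
    }

def sample_header(flags: int) -> bytes:
    """Constructed 32-byte header with no stream data behind it."""
    return HEADER.pack(b"MDMP", 0xA793, 0, HEADER.size, 0, 0, flags)

if __name__ == "__main__":
    for name, flags in (("/ma", 0x1826), ("/mrR", 0x88)):
        print(name, audit_minidump(sample_header(flags)))
```

The header only records what the dumping tool declared; a file that reports full memory or is not marked as scrubbed should be treated as containing process secrets until reviewed.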

Creating a User-Mode Dump File

There are several different tools that can be used to create a user-mode dump file: CDB, WinDbg and Procdump.

ProcDump

ProcDump is a command-line utility whose primary purpose is monitoring an application for CPU spikes and generating crash dumps during a spike that an administrator or developer can use to determine the cause of the spike. ProcDump also includes hung window monitoring (using the same definition of a window hang that Windows and Task Manager use), unhandled exception monitoring and can generate dumps based on the values of system performance counters. It also can serve as a general process dump utility that you can embed in other scripts.

For information about creating a user-mode dump file using the Sysinternals ProcDump utility, see ProcDump.

CDB and WinDbg

CDB and WinDbg can create user-mode dump files in a variety of ways.

Creating a Dump File Automatically

When an application error occurs, Windows can respond in several different ways, depending on the postmortem debugging settings. If these settings instruct a debugging tool to create a dump file, a user-mode memory dump file will be created. For more information, see Enabling Postmortem Debugging.

Creating Dump Files While Debugging

When CDB or WinDbg is debugging a user-mode application, you can also use the .dump (Create Dump File) command to create a dump file.

This command does not cause the target application to terminate. By selecting the proper command options, you can create a minidump file that contains exactly the amount of information you wish.

Shrinking an Existing Dump File

CDB and WinDbg can also be used to shrink a dump file. To do this, begin debugging an existing dump file, and then use the .dump command to create a dump file of smaller size.

Time Travel Debugging (TTD)

In addition to CDB, WinDbg and Procdump, another option to debug user-mode applications is Time Travel Debugging (TTD). Time Travel Debugging is a tool that allows you to record an execution of your running process, then replay it later both forwards and backwards. TTD can help you debug issues more easily by letting you "rewind" your debugger session, instead of having to reproduce the issue until you find the bug.

TTD allows you to go back in time to better understand the conditions that lead up to the bug and replay it multiple times to learn how best to fix the problem.

TTD can have advantages over crash dump files, which often are missing the code execution that led up to the ultimate failure.

For more information on Time Travel Debugging (TTD), see Time Travel Debugging - Overview.