The world of Windows development and system administration can sometimes feel like navigating a complex maze. When things go wrong – a dreaded bug check (Blue Screen of Death/BSOD) or an application hang – the right tools are essential for unraveling the mystery. One such indispensable tool is the !analyze extension within WinDbg, the Windows debugger. This article provides an in-depth look at the !analyze command, exploring its features, parameters, and practical applications in both user-mode and kernel-mode debugging.
!analyze Extension?The !analyze extension in WinDbg is a powerful command that displays information about the current exception or bug check. Think of it as a detective providing initial clues at a crime scene. It analyzes the available data and presents a summary of the issue, often pointing towards the root cause. Whether you're dealing with a user-mode application crash or a kernel-mode stop error, !analyze is your first port of call. This makes it a critical tool for driver developers working with complex systems.
The functionality of !analyze adapts to the context in which it's used, behaving differently in user-mode and kernel-mode debugging scenarios.
!analyze focuses on exceptions within a specific application. It helps you understand why an application crashed or hung, often by examining thread stacks and identifying potential deadlocks.!analyze deals with system-level issues like bug checks (BSODs). It displays information about the bug check code, associated parameters, and potential causes of the system crash.!analyzeThe !analyze command offers a range of parameters to control the level of detail and the type of analysis performed. Knowing these parameters is key to effectively using the tool.
General Parameters:
-v[0..99]: This controls the verbosity of the output. -v (or -v1) provides a default level of detail. Increasing the number (e.g., -v6) provides progressively more information. For maxiumum detail, use the shorthand -vv.-f: Forces the generation of exception output, even if the debugger hasn't automatically detected an exception. This is useful when you suspect an exception occurred but the debugger hasn't caught it.-hang: Specifically designed for analyzing hung applications. In kernel mode, it investigates system locks and the DPC queue. In user mode, it analyzes thread stacks to identify blocking threads.Show Parameter:
-show BugCheckCode [BugParameters]: Displays information about a specific bug check code and, optionally, its parameters. This is invaluable for understanding the meaning of a specific BSOD. For instance, !analyze -show 0x0000007E will display information about the SYSTEM_THREAD_EXCEPTION_NOT_HANDLED bug check. The BugParameters allow you to drill down into the circumstances of the event. You can find a comprehensive Bug Check Code Reference on the Microsoft website.Continue Execution Parameters
-c: Continues execution after encountering a known issue. This is used in conjunction with known issue files. Think of it as adding exceptions to an error handler, allowing the debugger to ignore known inconsequential faults.
-load KnownIssuesFile: Loads a known issues XML file.-unload: Unloads the current known issues list.-help: Displays help for the -c subcommands.XML Load Option Parameters:
-xml: Generates the analysis output in XML format, making it suitable for automated parsing and analysis.-xmi: Adds module information to the XML output, which helps in identifying the modules involved in the crash. This option requires -xml or -xmf.-xcs: Adds context and call stack frames to the XML output, providing a detailed view of the execution flow leading to the crash. This also requires -xml or -xmf.-xmf OutputXmlFile: Writes the analysis output to a specified XML file. This is useful for archiving and offline analysis and requires the -xml flag to output the XML in addition to writing to a file.Let's explore a few practical scenarios to see how !analyze can be used effectively.
Scenario 1: Analyzing a Kernel-Mode Crash (BSOD)
Suppose you encounter a BSOD with the bug check code 0x00000050 (PAGE_FAULT_IN_NONPAGED_AREA). You'd start by using !analyze -v in WinDbg after a crash dump is loaded.
!analyze -v
The output will provide information about the bug check code, the faulting address, and the module that likely caused the crash. The verbose output helps pinpoint the driver or component responsible for the page fault. You can refine the serach for the cause using:
!analyze -show 0x00000050
Scenario 2: Analyzing a User-Mode Application Hang
If an application hangs, you can attach WinDbg to the process and use !analyze -hang. Before running this you must first switch to the application's context:
~#s ; replace # with the thread number suspected of hanging
!analyze -hang
This command will analyze the thread stacks and attempt to identify any threads that are blocking others, potentially revealing a deadlock situation.
Scenario 3: Automating Analysis with XML Output
For automated crash analysis, you can use the -xml and -xmf parameters to generate XML output that can be parsed by scripts or other tools.
!analyze -v -xml -xmf crash_analysis.xml
This command will generate a verbose analysis and save it to the crash_analysis.xml file.
.sympath+ to add symbol server paths. See Using Symbol Servers to download symbol files.!analyze with other WinDbg commands for a more comprehensive analysis. For example, use !process to examine process information or !thread to inspect thread details.The !analyze extension in WinDbg is an essential tool for debugging Windows applications and system issues. By understanding its parameters and usage scenarios, you can quickly diagnose crashes, hangs, and other problems. Whether you're a seasoned driver developer or a system administrator troubleshooting a BSOD, mastering !analyze will significantly enhance your debugging capabilities. Remember to explore the related documentation and practice using the command in various scenarios to become a true WinDbg expert. Remember to consult the official Microsoft documentation for the most up-to-date information and advanced usage techniques.
