Monday, July 09, 2007

KD Memory.dmp debugging

One of our Citrix servers encountered a BSOD; luckily we had RSA and managed to hard reboot the server.

I've gathered the memory dump to view the cause of the BSOD and found that Symantec Antivirus had caused a module error in the NIC driver.

We then disabled Network Drives in the File System Auto Protect settings, and the server has not experienced the same problem since.

I did not find any help from Symantec regarding the root cause, other than that it's a known issue.

Below are some steps that you could use for debugging:

  1. Launch windbg, passing it the location of the symbol files, the source files (i386 directory) and the dump file. Example: windbg -y dump\symbols -i SRC\i386 -z dump\Memory.dmp

  2. At the bottom of the Command window there is a kd> prompt.

  3. Commands are entered at that prompt, for example: kd> !analyze -v

  4. Two things to look for in the results: the memory address referenced and the FAULTING_IP.

  5. The command kd> lm will produce a listing of loaded modules and their memory ranges.

  6. Look to see which module's memory range contains the referenced address identified above.

  7. That usually indicates the process that caused the crash, and it will probably match the FAULTING_IP if listed.

  8. Also informative: kd> .reload -v
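As an added example (not code from the original post), the following Python script automates steps 4 to 7: it pulls the FAULTING_IP and READ_ADDRESS values out of !analyze -v output, parses the lm module listing, and reports which module's address range each value falls in. The two outputs embedded below are constructed for illustration, the module names and addresses are made up, and 32-bit (i386) addresses are assumed.

```python
import re

# Constructed sample of the two WinDbg outputs the steps refer to.
# Illustrative only; not output from the crash described in the post.
ANALYZE_OUTPUT = """\
BUGCHECK_STR:  0xD1
FAULTING_IP:
exampleav+2f1a
f7a42f1a 8b4604          mov     eax,dword ptr [esi+4]
READ_ADDRESS:  f7b15004
"""

LM_OUTPUT = """\
start    end        module name
804d7000 806e4000   nt         (pdb symbols)
f7a40000 f7a6c000   exampleav  (deferred)
f7b10000 f7b28000   examplenic (deferred)
"""

HEX8 = r"([0-9a-f]{8})"


def parse_modules(lm_text):
    """Step 5: turn `lm` output into (start, end, name) tuples; the header
    line is skipped because 'start' is not an 8-digit hex value."""
    mods = []
    for line in lm_text.splitlines():
        m = re.match(r"^" + HEX8 + r"\s+" + HEX8 + r"\s+(\S+)", line)
        if m:
            mods.append((int(m.group(1), 16), int(m.group(2), 16), m.group(3)))
    return mods


def module_for(addr, mods):
    """Step 6: return the module whose [start, end) range contains addr."""
    for start, end, name in mods:
        if start <= addr < end:
            return name
    return None  # e.g. a NULL-pointer dereference falls in no module


def faulting_ip(analyze_text):
    """Step 4: the instruction address printed shortly after FAULTING_IP:."""
    lines = analyze_text.splitlines()
    for i, line in enumerate(lines):
        if line.startswith("FAULTING_IP:"):
            for nxt in lines[i + 1:i + 4]:  # symbol line, then address line
                m = re.match(r"^" + HEX8 + r"\s", nxt)
                if m:
                    return int(m.group(1), 16)
    return None


def read_address(analyze_text):
    """Step 4: the memory address the faulting instruction referenced."""
    m = re.search(r"^READ_ADDRESS:\s+" + HEX8, analyze_text, re.M)
    return int(m.group(1), 16) if m else None


def locate_crash(analyze_text, lm_text):
    """Steps 4-7 combined: map both addresses to the modules that own them."""
    mods = parse_modules(lm_text)
    return {
        "faulting_ip_module": module_for(faulting_ip(analyze_text), mods),
        "referenced_module": module_for(read_address(analyze_text), mods),
    }
```

In the constructed sample the faulting instruction lives in one module while the address it touched lies in another, which is the pattern step 7 tells you to look for when one driver corrupts or misuses another's memory.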

If at first you fail, call it version 1.0
