Unknown Type 0x6

Question

Unknown Type 0x6

Closed this issue 5 months ago · 13 comments

I crashed Windows via notmyfault.exe with debugging file option [Automatic memory dump].
The generated dump file is passed through the
. \parser.exe -c -e -p 0x1000 D:\vmware_share\MEMORY.DMP
Execution, hint:
Unknown Type 0x6. The header looks wrong. ParseDmpHeader failed. Parsing of the dump failed, exiting.
So this dump format itself won't be supported? How is it different from other types?

Answer 1 · 2024-02-20T09:50:44.000Z

When I debug parser.exe to parse a dmp file with dumptype 6 via windbg, I found that it is able to parse it. Does that mean it's supported?

Answer 2 · 2024-02-21T00:34:04.000Z

Let me see..

Answer 3 · 2024-02-21T00:42:38.000Z

Indeed, the type '6' isn't supported; here are the ones currently supported:

enum class DumpType_t : uint32_t {
  // Old dump types from dbgeng.dll
  FullDump = 0x1,
  KernelDump = 0x2,
  BMPDump = 0x5,

  // New stuff
  MiniDump = 0x4,                // Produced by `.dump /m`
  KernelMemoryDump = 0x8,        // Produced by `.dump /k`
  KernelAndUserMemoryDump = 0x9, // Produced by `.dump /ka`
  CompleteMemoryDump = 0xa,      // Produced by `.dump /f`
};

I don't think I have ever ran into a type 6 dump yet 😅

What you are saying is the first header of the dump file which is the same across dumps, but then it is followed by other header / data that depends on the type of dump it is. Because kdmp-parser doesn't know about this type 6, it doesn't know how to handle what follow the main header.

I'll leave this issue opened in case somebody feels like reverse-engineering / implementing it!

Thank you for your report :)

Cheers

Answer 4 · 2024-02-21T06:28:51.000Z

Thank you for your reply.

I've searched the web and haven't found a specific meaning for dumptype being BMPDump. What is the source of the various types of dumptype, please?

Answer 5 · 2024-02-21T15:40:49.000Z

Sorry I am not sure I understood the question - I believe 'BMP' means 'Bitmap' and refer to the way the physical memory is stored in the dump if I remember correctly. Cheers

…

On Tue, Feb 20, 2024 at 10:29 PM frendguo ***@***.***> wrote: Thank you for your reply. I've searched the web and haven't found a specific meaning for dumptype being BMPDump. What is the source of the various types of dumptype, please? — Reply to this email directly, view it on GitHub <#26 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AALIORK7MBF77KK7FY23EH3YUWH25AVCNFSM6AAAAABDQXHKN6VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTSNJVHE3TSMBZHA> . You are receiving this because you commented.Message ID: ***@***.***>

Answer 6 · 2024-02-23T01:59:40.000Z

Thanks for the reply.

Cheers

Answer 7 · 2024-03-04T16:58:14.000Z

@frendguo I don't think I've ever seen a type 6 dump. How did you generate it?

Answer 8 · 2024-06-18T15:00:10.000Z

I came across this error.

Type 6 is a live kernel dump. We can create this with the task manager. On the process list view, right click on the System process -> Create live kernel memory dump file. You see two options but both generate a type 6 dump file.

Answer 9 · 2024-06-19T04:37:36.000Z

Type 6 is a live kernel dump. We can create this with the task manager. On the process list view, right click on the System process -> Create live kernel memory dump file. You see two options but both generate a type 6 dump file.

Thanks for that update @tandasat I can reproduce on Win11 22H2 and up. I will look into it!

Answer 10 · 2024-07-04T23:20:22.000Z

@tandasat / @frendguo FYI this should be fixed in v0.7.4.

Cheers

Answer 11 · 2024-07-04T23:41:13.000Z

Excellent. Thank you for fixing the issue!

Answer 12 · 2024-07-04T23:45:34.000Z

Thank you for sharing the repro information @tandasat, and thank you @hugsy for implementing it 🫡

Answer 13 · 2024-08-13T08:10:30.000Z

@hugsy @0vercl0k wow, thank you for fixing this issue!