
Memory Dump Analysis Anthology, Volume 8b by Software Diagnostics Institute, Dmitry Vostokov


PART 1: Professional Crash Dump Analysis and Debugging


Win32 Start Address Fallacy

One of the common mistakes is not double-checking symbolic output (Volume 5, page 21). Another example of this is related to the Win32 Start Address. In the output of the !thread WinDbg command (or the !process and !sprocess Stack Trace Collection commands, Volume 1, page 409) we can see the Win32 Start Address and, in cases of Truncated Stack Traces (Volume 6, page 86) or No Component Symbols (Volume 1, page 298), we may use this information to guess the purpose of the thread. Unfortunately, it is shown without a function offset, so an address that merely lies after a named function is displayed as if it were that function's entry point, and this may give a false sense of the thread's purpose.

For example, this Win32 Start Address ModuleA!DoSomething may suggest that the purpose of the thread was ...
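As an added illustration that is not from the book, the following Python model shows how a debugger maps an address to the nearest preceding symbol (the way WinDbg's ln reports the closest symbol) and why dropping the +offset hides that a start address is not a function entry at all. The module name ModuleA, its export-only symbol table and the addresses are constructed for this example.

```python
import bisect

# Constructed export-only symbol table for a hypothetical ModuleA:
# (relative virtual address, symbol name), sorted by address.
# Private functions between the exports have no symbols at all.
MODULEA_EXPORTS = [
    (0x1000, "DllMain"),
    (0x1200, "DoSomething"),
    (0x3000, "Cleanup"),
]


def resolve(symbols, address):
    """Map an address to the nearest preceding symbol, as a debugger does.

    Returns (name, offset); (None, None) if no symbol precedes the address.
    """
    addrs = [a for a, _ in symbols]
    idx = bisect.bisect_right(addrs, address) - 1
    if idx < 0:
        return None, None
    base, name = symbols[idx]
    return name, address - base


def start_address_line(module, symbols, address, show_offset):
    """Render a Win32 Start Address either without an offset (the form that
    invites the fallacy) or with the +0x offset that exposes the distance
    from the named function's entry point."""
    name, off = resolve(symbols, address)
    if name is None:
        return f"{module}+0x{address:x}"
    if show_offset and off:
        return f"{module}!{name}+0x{off:x}"
    return f"{module}!{name}"


def is_function_entry(symbols, address):
    """True only when the address is exactly a known symbol's start."""
    return any(a == address for a, _ in symbols)


if __name__ == "__main__":
    # A thread started at 0x1a00, deep inside the gap after DoSomething.
    for show in (False, True):
        print(start_address_line("ModuleA", MODULEA_EXPORTS, 0x1a00, show))
    print("entry point:", is_function_entry(MODULEA_EXPORTS, 0x1a00))
```

The offsetless rendering reads ModuleA!DoSomething, while the full form ModuleA!DoSomething+0x800 shows the thread actually started in an unnamed function 2 KB past it; checking the offset (or running ln on the raw address) is the double-check the text calls for.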
