Memory Dump Analysis Anthology, part 2 (PDF)

Hangs Explained 31
HANGS EXPLAINED
Another category of problems where we also often need a dump for analysis is
hangs. There is some confusion in understanding the difference between these two
categories, crash and hang. Although sometimes a hang is a direct consequence of a
crash, most of the time hangs happen independently. They also manifest themselves
differently. Let's look at application (process) crashes and hangs first.
When a crash happens an application (process) often disappears. When a hang
happens an application (process) is still in memory: we can see it in Task Manager,
for example, but it doesn't respond to user commands or to any other requests, such
as pinging a TCP/IP port. If we have a crash in the OS then the most visible
manifestation is a blue screen and/or a reboot. If we have a hang then everything freezes.
An application or system hang happens because, from a high-level point of view,
the interaction between applications and OS components (modules) is done via messages.
One component sends a message to another and waits for a response. Some
components are critical, for example, the registry. The following hand-made
picture depicts a very common system hang situation, when the registry component
stops responding. Then every running application (process) stops responding if its
execution path depends on registry access.

[Figure: the Registry component in the middle, with Internet Explorer, a service and a driver all waiting on it]

A very common reason for a hang is the so-called deadlock, when two running
applications, their execution paths or threads, are waiting for each other. Here is an
analogy with a blocked road:

[Figure: Car 1 has blocked the road and is waiting for the service car; Car 2, the service car, is in turn blocked by Car 1]

dumps are smaller and less susceptible to corruption or truncation due to a small page file
size. If you discover that you need to peer inside running user applications then you can
always ask for another complete memory dump when the problem happens again.

SYMBOL FILES EXPLAINED
Symbol files are usually called PDB files because they have the .PDB extension,
although older ones can have the .DBG extension. PDB files are needed to read dump files
properly. Without PDB files the dump file data is just a collection of numbers, the contents
of memory, without any meaning. PDB files help tools like WinDbg to interpret the
data and present it in a human-readable format. Roughly speaking, PDB
files contain associations between numbers (addresses) and their meanings, expressed in
short text strings:
Dump data (memory contents):

    ...
    773f8ea4 0012f9f4 6be82f08
    00000000 7e4188da 00000000
    0012fa80 7fffffff 000003e8
    00406258 00000000 00000001
    00da00ab 00aa00f3 00dc0000
    ...

comctl32.pdb:

    ...
    773f8ea4 Button_WndProc
    ...
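What the debugger does with that association is a nearest-preceding-symbol lookup: for a raw
address it finds the module whose range contains it, then the last symbol at or below the
address, and prints module!symbol plus the remaining offset. The following added example
(written for this edition, not code from the Anthology or from WinDbg) carries that lookup
through. Only the address 773f8ea4 and the name Button_WndProc come from the text; the
other symbols, the module ranges and the kernel32 entries are constructed for illustration, and
a real PDB stores relative virtual addresses that are rebased with the module's load address
rather than the absolute values used here.

```python
"""Added example (not from the Anthology): resolve raw dump addresses to
module!symbol+offset the way a debugger does once a PDB is loaded, and show
what the same addresses look like when no symbol information is available."""
import bisect

# Constructed symbol tables, one sorted list of (address, name) per module.
# Only comctl32!Button_WndProc at 773f8ea4 is taken from the text.
SYMBOLS = {
    "comctl32": [
        (0x773f8e00, "Button_Paint"),
        (0x773f8ea4, "Button_WndProc"),
        (0x773f9100, "Edit_WndProc"),
    ],
    "kernel32": [
        (0x7c800000, "BaseThreadStart"),
        (0x7c801000, "CreateFileW"),
    ],
}

# Constructed module address ranges (start, end), as a module list would show.
MODULES = {
    "comctl32": (0x773f0000, 0x77490000),
    "kernel32": (0x7c800000, 0x7c900000),
}


def _module_for(address):
    """Name of the module whose range contains address, or None."""
    for name, (start, end) in MODULES.items():
        if start <= address < end:
            return name
    return None


def resolve(address):
    """Return 'module!symbol+0xoff' for an address covered by a symbol,
    'module+0xoff' when the module is known but no symbol precedes the
    address, or the bare 8-digit hex value when nothing is known, which is
    exactly what a stack looks like when the PDB is missing."""
    module = _module_for(address)
    if module is None:
        return f"{address:08x}"
    table = SYMBOLS.get(module, [])
    addrs = [a for a, _ in table]
    i = bisect.bisect_right(addrs, address) - 1   # last symbol <= address
    if i < 0:
        return f"{module}+0x{address - MODULES[module][0]:x}"
    base, name = table[i]
    off = address - base
    return f"{module}!{name}" + (f"+0x{off:x}" if off else "")


def symbolize(stack):
    """Resolve every value in a list of raw addresses, e.g. one row of the
    dump data shown in the text."""
    return [resolve(a) for a in stack]


if __name__ == "__main__":
    # First row of the raw dump data from the text: only one value is code.
    for line in symbolize([0x773f8ea4, 0x0012f9f4, 0x6be82f08]):
        print(line)
    print(resolve(0x773f8ec0))  # comctl32!Button_WndProc+0x1c
```

Values such as 0012f9f4 stay unresolved because they are stack addresses, not code: a debugger prints them as plain numbers even with every symbol loaded, so a stack full of bare numbers is only a symbol problem when the numbers fall inside a module's address range.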

0:000> .symfix c:\websymbols
0:000> .sympath
Symbol search path is:
SRV*c:\websymbols*http://msdl.microsoft.com/download/symbols
0:000> .reload

CRASHES AND HANGS DIFFERENTIATED
In the articles Crashes Explained (page 28) and Hangs Explained (page 31)
I highlighted the difference between crashes and hangs. In this part I will elaborate on
this terminology a bit further. First of all, we have to unify them as manifestations of a
functional failure. Considering a computer as a system of components having certain
functions, we shall subdivide failures into system failures and component failures. Of course,
systems themselves may be components in some larger hierarchy, as in the case of
virtualization. Application and service process failures fall under the component failure
category. Blue screens and server freezes fall under the system failure category. Now it is
obvious why most computer users confuse crashes and hangs: they are just failures, and
often the distinction between them is blurred from the user's perspective.
Software developers tend to make a sharp distinction between crashes and
hangs because they consider a situation when a computer accesses wrong memory or
fetches and executes an invalid instruction as a crash. However, after such a situation the
computer system may or may not terminate that application or service.
Therefore, I propose to consider crashes as situations when a system or a component
is not observed anymore. For example, a running application or service disappears
from Task Manager, or the computer system shows a blue screen or reboots. In hang situations
we can still observe the existence of the failed component in Task Manager, or the computer
system doesn't reboot automatically and shows some screen image different from a BSOD
or panic message. So-called sluggish behavior or long response time can also be
considered a hang situation.

PROACTIVE CRASH DUMPS
In the article Crashes and Hangs Differentiated (page 36) I introduced a clear separation
between crashes and hangs and outlined memory dump capturing methods for
each category. However, looking from the user's point of view, we need to tell them the
best way to capture a dump based on the observations they have and their failure level,
system or component. The latter failure type usually happens with user applications and
services.
For user applications the best way is to get a memory dump proactively or, in
other words, manually, and not rely on a postmortem debugger that may not be
set up correctly on a problem server in a farm of one hundred servers. If any error message
box appears with a message that an application stopped working or that it has encountered
an application error then we can use process dumpers like userdump.exe.
Suppose we have the following error message when the TestDefaultDebugger
application crashes on Vista x64 (the same technique is applicable to earlier OS versions too):
Then we can dump the process while it displays the problem message if we know
its process ID:

In Vista this can be done even more easily by dumping the process from Task
Manager directly. Note that on x64 Windows the 64-bit Task Manager writes a 64-bit dump
of a 32-bit (WOW64) process; to get a dump that shows the 32-bit stacks directly, run the
32-bit Task Manager from %windir%\SysWOW64\taskmgr.exe instead:
If we choose Create Dump File we see this message box:

