debuggingmemory.dmp需要哪些步骤？ （包括演练）

我今天在事件日志中醒了过来：

The computer has rebooted from a bugcheck. The bugcheck was: 0x000000ef (0xffffe0018668f080, 0x0000000000000000, 0x0000000000000000, 0x0000000000000000). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 082615-29515-01. 

我正在使用这个MSFT文章作为指导如何debugging它。

1. 首先我search0x000000ef这是Critical Process Died的含义

2. 尝试使用visual studio，如文章所示，但得到错误debugging older format crash dumps is not supported

   • 在备份过程中进行并发修改：rsync vs dump vs tar vs？
   • 如何在CentOS 6上启用核心文件
   • 如何查找事件日志中提到的核心转储
   • Linux转储文件 – 可以在Windows系统上读取吗？
   • 使用CTRL – SCROLL LOCK组合键导致系统转储

3. 为运行Exchange的2012 R2服务器安装WDK 8.1安装

4. 打开WinDBG，位于：C：\ Program Files（x86）\ Windows Kits \ 8.1 \ Debuggers \ x64

5. 将符号服务器设置为srv*c:\cache*http://msdl.microsoft.com/download/symbols;

6. 打开dmp文件并得到这个输出：

产量

 Executable search path is: Windows 8 Kernel Version 9600 MP (32 procs) Free x64 Product: Server, suite: TerminalServer SingleUserTS Built by: 9600.17936.amd64fre.winblue_ltsb.150715-0840 Machine Name: Kernel base = 0xfffff801`c307c000 PsLoadedModuleList = 0xfffff801`c33517b0 Debug session time: Wed Aug 26 08:58:08.719 2015 (UTC - 4:00) System Uptime: 0 days 8:12:03.493 Loading Kernel Symbols ............................................................... ................................................................ ................... Loading User Symbols ................................................................ ................................................................ .............................................. Loading unloaded module list ..... ******************************************************************************* * * * Bugcheck Analysis * * * ******************************************************************************* Use !analyze -v to get detailed debugging information. BugCheck EF, {ffffe0018668f080, 0, 0, 0} *** WARNING: Unable to verify checksum for System.ni.dll Probably caused by : wininit.exe Followup: MachineOwner 

input！分析

 23: kd> !analyze -v ******************************************************************************* * * * Bugcheck Analysis * * * ******************************************************************************* CRITICAL_PROCESS_DIED (ef) A critical system process died Arguments: Arg1: ffffe0018668f080, Process object or thread object Arg2: 0000000000000000, If this is 0, a process died. If this is 1, a thread died. Arg3: 0000000000000000 Arg4: 0000000000000000 Debugging Details: ------------------ PROCESS_OBJECT: ffffe0018668f080 IMAGE_NAME: wininit.exe DEBUG_FLR_IMAGE_TIMESTAMP: 0 MODULE_NAME: wininit FAULTING_MODULE: 0000000000000000 PROCESS_NAME: msexchangerepl BUGCHECK_STR: 0xEF_msexchangerepl DEFAULT_BUCKET_ID: WIN8_DRIVER_FAULT CURRENT_IRQL: 0 ANALYSIS_VERSION: 6.3.9600.17237 (debuggers(dbg).140716-0327) amd64fre MANAGED_STACK: !dumpstack -EE OS Thread Id: 0x0 (23) TEB information is not available so a stack size of 0xFFFF is assumed Current frame: Child-SP RetAddr Caller, Callee LAST_CONTROL_TRANSFER: from fffff801c368e160 to fffff801c31cb9a0 STACK_TEXT: **privacy** : nt!KeBugCheckEx **privacy** : nt!PspCatchCriticalBreak+0xa4 **privacy** : nt! ?? ::NNGAKEGL::`string'+**privacy** **privacy** : nt!PspTerminateProcess+0xe5 **privacy** : nt!NtTerminateProcess+0x9e **privacy** : nt!KiSystemServiceCopyEnd+0x13 **privacy** : ntdll!NtTerminateProcess+0xa **privacy**: KERNELBASE!TerminateProcess+0x25 **privacy** : System_ni+**privacy** STACK_COMMAND: kb FOLLOWUP_NAME: MachineOwner IMAGE_VERSION: FAILURE_BUCKET_ID: 0xEF_msexchangerepl_IMAGE_wininit.exe BUCKET_ID: 0xEF_msexchangerepl_IMAGE_wininit.exe ANALYSIS_SOURCE: KM FAILURE_ID_HASH_STRING: km:0xef_msexchangerepl_image_wininit.exe FAILURE_ID_HASH: {9cb4f9d6-5f45-6583-d4ab-0dae45299dee} Followup: MachineOwner --------- 

题

1. 我应该在Exchange Server本身上运行吗？
2. 分析得到从公共MSFT服务器的交易所符号？
3. 没有!analyze出0xffffe0018668f080的含义？ 这是一个失败的进程的内存地址？ 我如何find这个过程？
4. 我需要为互联网标记**privacy**吗？ 我不认识的内容。
5. Visual Studio是否曾经在打开内存转储？
6. 我在分析这件事时应该做些什么？
7. 接下来我应该做什么？