Friday 8 November 2013

Access Denied Message with WinDbg and Dump Files - ProcMon

Okay, recently I have run into a few Access is Denied messages when attempting to open kernel memory dump files. There are currently three solutions, or at least partial suggestions, which may help you, but first let's investigate the problem further with ProcMon (Process Monitor). You will need to have Process Monitor running while you recreate the problem, in order to capture a stack trace of the issue; then search for the Access Denied keyword until you find the WinDbg process.

The above image simply shows the general process of loading WinDbg and then attempting to open the file. I've highlighted the line on which the problem occurs.

The next important step is to right-click the line with the problem, select Properties, and view the Stack tab. This will show you a stack trace of WinDbg. I believe the error message was produced on stack frames 12 and 13, with the CreateFileW routine. Specifically, the CreateFileW routine is used to create or open a file object and then return a handle to the calling process.

Possible Solutions:

1. Move the dump file from the C:\Windows or C:\Windows\Minidump directory onto your Desktop or into your Documents folder. Personally, I chose the Desktop option.

2. Open Windows Explorer with administrative privileges and then attempt to open the file. Search for Windows Explorer in the Start menu search box, then right-click the program name and select Run As Administrator.

3. Open WinDbg with administrative privileges (same procedure as for Windows Explorer), and then open the dump file from within the Windows Debugger program: File > Open Crash Dump (Ctrl + D).
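As an added example that is not part of the original post, the following PowerShell script runs the same checks from a console: whether the session is elevated, what the dump file's ACL grants, and whether a read-only open (the CreateFileW call ProcMon showed failing) succeeds, before applying the Desktop copy from solution 1. The dump path is a placeholder to replace with your own file.

```powershell
# Added example (not from the post). $DumpPath is a placeholder; set it to your own dump.
param(
    [string]$DumpPath = 'C:\Windows\MEMORY.DMP'   # placeholder path, not from the post
)
# Elevation check: solutions 2 and 3 in the post amount to making this true.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
Write-Host "User: $($identity.Name)  Elevated: $elevated"
# Show the ACL. Reading it needs READ_CONTROL, so this can itself be refused
# from a non-elevated session; that refusal is already a useful data point.
try {
    $acl = Get-Acl -Path $DumpPath -ErrorAction Stop
    Write-Host "Owner: $($acl.Owner)"
    $acl.Access | Select-Object IdentityReference, FileSystemRights, AccessControlType |
        Format-Table -AutoSize
}
catch {
    Write-Warning "Could not read the ACL of $DumpPath`: $($_.Exception.Message)"
}
# Reproduce WinDbg's open: a read-only handle, as CreateFileW would request.
try {
    $fs = [System.IO.File]::Open($DumpPath, 'Open', 'Read', 'Read')
    $fs.Dispose()
    Write-Host "Read-open succeeded; WinDbg run in this context should load the file."
    return
}
catch [System.UnauthorizedAccessException] {
    Write-Warning "Access denied on $DumpPath, the same failure ProcMon showed for CreateFileW."
}
if (-not $elevated) {
    # Solutions 2/3: the same open from an elevated context usually succeeds.
    Write-Host "Re-run this script, or WinDbg itself, with Run As Administrator."
    return
}
# Solution 1, done from the elevated session: copy the dump to the Desktop so
# the copy inherits the Desktop ACL and a non-elevated WinDbg can read it.
$dest = Join-Path ([Environment]::GetFolderPath('Desktop')) (Split-Path $DumpPath -Leaf)
try {
    Copy-Item -Path $DumpPath -Destination $dest -ErrorAction Stop
    Write-Host "Copied to $dest; open that copy with File > Open Crash Dump."
}
catch {
    # Even the elevated copy was refused: the ACL or owner is broken beyond a simple move.
    Write-Warning "Elevated copy also failed: $($_.Exception.Message)"
}
```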

1 comment:

  1. Tried all of these and it still didn't work. I even tried adding my local account and the Users group as owners of the C:\Windows\Minidump folder and no luck. I am completely stumped.