Tony_Weiss

Logs, User Mode Dumps, and Complete Memory Dumps


Creating and Gathering Logs

 

If you encounter a problem with a Norton product, occasionally our teams need to gather detailed information about the issue. These come in a few forms, most commonly as logs. Most of the time, your system won't create the logs unless you get the problem to occur again with a logging tool enabled. Below are steps to set up the tool and to generate those logs.

 

1) Download SymNRA.zip from https://www-secure.symantec.com/norton-support/jsp/help-solutions.jsp?docid=20080507162141EN
2) Extract SymNRA.zip to C:\SymNRA.
3) Run C:\SymNRA\SymNRA.exe.

 

If a "User Access Control" dialog comes up asking if Norton Report Assistant should be allowed to make changes, select "Yes".

 

4) Read and click on "I accept the License Agreement", then click "Next".
5) When the window comes up asking for the User Information, click on the "Advanced" button.
6) Make sure that "Turn on Performance Monitoring", "Turn on Debug Logging", and "Do not upload" are CHECKED, then click "OK".
7) Click "Yes" and then "OK" to restart your computer.

 

Your computer will now restart.

 

8) When your computer boots back up, click "Run" to let C:\SymNRA\SymSL.exe run.

 

If a "User Access Control" dialog comes up asking if Norton Report Assistant should be allowed to make changes, select "Yes".

 

9) Once you see the little window on the top-right corner, reproduce the issue that you're having. After you have fully reproduced the issue, click the "Finish" button on the little window on the top-right corner.

 

10) Click "OK" to restart the computer.
11) When the computer boots back up, allow "SymNRA.exe" to "Run".
12) When the User Information window comes up, click on "OK".

 

SymNRA is now gathering all the logs and system information relevant to the issue you are having. This may take several minutes to complete.

 

13) After all the information is gathered, click on "Finish".

 

No files will be submitted to Symantec automatically. The file to upload will be in the "Documents\Symantec\ErrLogs" folder ("My Documents\Symantec\ErrLogs" in Windows XP).

 

14) Rename the file to your username, and upload the logs to the location provided by the Symantec Employee.

 


Creating and Gathering Complete Memory Dumps

 

We all dread the Blue Screen error, commonly referred to as Blue Screen of Death (BSOD). By default, Windows is only configured to create a small memory dump -- the minidump -- when a BSOD occurs. However, the minidump does not provide us with enough information to figure out the problem. For this reason, we ask that you first manually configure your computer to write a full memory dump in case the system failure occurs again. This way, we can capture all the critical data. By default, the full memory dump will be located in your Windows folder, and will be called "MEMORY.DMP".

 

NOTE: You need to be logged in as Administrator to be able to create a Complete Memory Dump.

 

Windows XP:
1) Go to the System portion of the Control Panel (Shortcut: Windows Key + Pause/Break), then Click on the Advanced tab.

2) Under Startup and Recovery click Settings.

3) Click the drop-down menu under Write debugging information and select Complete memory dump.

Windows Vista:
1) Go to the System portion of the Control Panel (Shortcut: Windows Key + Pause/Break), click Advanced system settings, and click on the Advanced tab.

2) Under "Startup and Recovery" click Settings.

3) Click the drop-down menu under Write debugging information and select Complete memory dump.

 

4) Perform the action that causes the BSOD.

5) Find and compress the dump file, rename it to your username, and upload it to the location provided by the Symantec Employee.


 

Creating and Gathering User Mode Dumps

 

There may also be program crashes or hangs that do not cause a Blue Screen Error. In Symantec products, you'll typically see a spike in CPU use of the process "ccsvchst.exe" and a Symantec Service Framework error. For these types of issues, we will need to gather a User Mode Dump of the process. Creating User Mode Dumps of running processes is very easy for Windows Vista, but it is a little more complicated in Windows XP. Below are instructions for creating User Mode Dumps for both operating systems. The dump creation process may take a long time, so please be patient.

 

Windows Vista:
1) Launch Task Manager. (CTRL+SHIFT+ESC)
2) Select the Processes tab.
3) Click Show processes from all users. (if not running as Administrator or not the only user account on the system)
4) Right-Click all ccsvchst.exe processes, and select Create Dump File.

5) Perform the action that causes the crash.

6) Compress and upload the dump to the location provided by the Symantec Employee.

 

Windows XP:
1) Install Debugging Tools for Windows:
    a) http://www.microsoft.com/whdc/devtools/debugging/installx86.mspx download and install the most recent program, doing a COMPLETE install.
    b) Locate ntsd.exe. (probably in "C:\Program Files\Debugging Tools for Windows")
    c) Launch command prompt.
    d) Switch to directory containing ntsd.exe in command prompt.
    e) Leave the command prompt open for the duration; you will be entering a command in this window to obtain the dump.

2) Shut off SymProtect Tamper Protection before the problem happens. This can be done in Settings > Administrative Settings. You should only shut off SymProtect temporarily. Perform the action that causes the crash. When the dump is collected, be sure to TURN IT BACK ON.

 

3) Locate ccSvcHst.exe using too much CPU time:
    a) Launch Task Manager. (CTRL+SHIFT+ESC)
    b) Select the Processes tab.
    c) Click show processes from all users. Check the box for PID and click OK.
    d) Wait for or re-create hung process.
    e) Write down PID of ccSvcHst using too much CPU.

 

4) Create dump of ccsvchst from the command prompt (it will take a long time to create the dump). Type all of the below, replacing [PID] with the PID number you wrote down:

        ntsd.exe -p [PID] -c ".dump /mfh c:\ccSvcHst.dmp; .detach; q"

5) IMPORTANT: turn back on SymProtect Tamper Protection when the dump is finished being created.

6) Compress and upload the dump to the location provided by the Symantec Employee.


Creating and Gathering SEAST Logs for Norton Ghost

 

The log gathering tools for Norton Ghost are a bit different -- they are included with the software. Also note that you can type anything into the case number field; it doesn't matter what you enter:


1) In [Installed Drive Letter]:\Program Files\Norton Ghost\Utility, launch seast.exe.
2) Choose Gather Technical Support Information and wait for the confirmation screen.
3) Navigate to [Installed Drive Letter]:\Documents and Settings\All Users\Application Data\Symantec\Norton Ghost. Several files should have been generated in the "Support" folder. (for Vista, [Installed Drive Letter]:\ProgramData\Symantec\Norton Ghost\Support)
4) Zip the contents of the Support folder, name it with your USERNAME, and upload it to the location provided by the Symantec Employee.

 

Tony Weiss
Norton Forums Global Community Manager
Symantec Corporation
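
The "Complete Memory Dumps" steps above can be verified from an elevated PowerShell prompt before reproducing the BSOD. This is an added example, not part of the original post and not a Symantec tool. It assumes Windows PowerShell 3.0 or later (for Get-CimInstance), and the function name is hypothetical. It only reads settings and also checks that the page file on the boot volume is at least RAM + 1 MB, which Windows needs in order to write a complete dump.

```powershell
# Added example: read-only check of the "Write debugging information" setting.
function Get-CrashDumpReadiness {   # hypothetical helper name
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'
    $cc  = Get-ItemProperty -Path $key

    # CrashDumpEnabled values written by the Startup and Recovery dialog
    $kinds = @{ 0 = 'None'; 1 = 'Complete memory dump'; 2 = 'Kernel memory dump'
                3 = 'Small memory dump (minidump)'; 7 = 'Automatic memory dump' }
    $mode = [int]$cc.CrashDumpEnabled
    $kind = if ($kinds.ContainsKey($mode)) { $kinds[$mode] } else { "Unknown ($mode)" }

    # Fall back to the Windows default path if DumpFile is not set, and
    # expand the value in case it still contains %SystemRoot%
    $raw = if ($cc.DumpFile) { $cc.DumpFile } else { '%SystemRoot%\MEMORY.DMP' }
    $dumpPath = [Environment]::ExpandEnvironmentVariables($raw)

    # Installed RAM in MB, and the currently allocated page file on the boot volume
    $ramMB = [math]::Ceiling((Get-CimInstance Win32_ComputerSystem).TotalPhysicalMemory / 1MB)
    $pfMB  = 0
    foreach ($pf in @(Get-CimInstance Win32_PageFileUsage)) {
        if ($pf -and $pf.Name -like "$($env:SystemDrive)*") { $pfMB += $pf.AllocatedBaseSize }
    }

    # If a dump already exists, report size and timestamp so it can be
    # matched to the crash that was just reproduced
    $dump = if (Test-Path -LiteralPath $dumpPath) { Get-Item -LiteralPath $dumpPath } else { $null }

    [pscustomobject]@{
        DumpType          = $kind
        IsCompleteDump    = ($mode -eq 1)
        DumpFile          = $dumpPath
        RamMB             = $ramMB
        BootPageFileMB    = $pfMB
        PageFileBigEnough = ($pfMB -ge ($ramMB + 1))
        ExistingDumpMB    = if ($dump) { [math]::Round($dump.Length / 1MB) } else { $null }
        ExistingDumpTime  = if ($dump) { $dump.LastWriteTime } else { $null }
    }
}

Get-CrashDumpReadiness | Format-List
```

If IsCompleteDump is True but PageFileBigEnough is False, the setting is in place but the next BSOD may still not produce a full MEMORY.DMP.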