DavidOverton.com
This site is my way to share my views and general business and IT information with you about Microsoft, IT solutions for ISVs, technologists and businesses, large and small.  
How to find out what is causing a Blue Screen of Death (BSOD) by using the kernel debugger tools

Having had James take up an offer to find out what is causing his BSODs, he has now asked me how I found out which driver appears to be having the problem.

While there is no substitute for lots of debug work, a very simple process is to run the crash dumps through our debugging tool (full dumps are best, followed by kernel dumps and then finally mini-dumps).

The first thing is to find the dump files - it will either be c:\windows\memory.dmp or mini-dumps under c:\windows\minidump.  Find the file you want and copy it somewhere so you can examine it.

Then get the debugging tools - http://www.microsoft.com/whdc/devtools/debugging/default.mspx and download the x86 (32-bit) version. 

Once the tools are extracted, open a cmd window, go to c:\Program Files\Debugging Tools for Windows and type:

    kd -z c:\mydumpfile.dmp -v -y SRV*c:\websymbols*http://msdl.microsoft.com/download/symbols

Wait for it to load and do an analyze.  The debugger will open and, if it has not done it already, type !analyze -v and see what drivers get listed as possible errors. Press Q to exit :-)

An example output might be like this:

kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

TRAP_CAUSE_UNKNOWN (12)
Arguments:
Arg1: 00000001, Unexpected interrupt.
Arg2: 00000000, Unknown floating point exception.
Arg3: 00000000, The enabled and asserted status bits (see processor definition).

Arg4: 00000000

Debugging Details:
------------------

***** Kernel symbols are WRONG. Please fix symbols to do analysis.

Debugger CompCtrlDb Connection::Open failed 80004005
Connecting as Provider=SQLOLEDB.1;server=CCDSQL03;OLE DB Services=-4;database=Un
ifiedCompCentral;UID=compcentralro;PWD=compcentralro
*************************************************************************
***                                                                   ***
***                                                                   ***
***    Your debugger is not using the correct symbols                 ***
***                                                                   ***
***    In order for this command to work properly, your symbol path   ***
***    must point to .pdb files that have full type information.      ***
***                                                                   ***
***    Certain .pdb files (such as the public OS symbols) do not      ***
***    contain the required information.  Contact the group that      ***
***    provided you with these symbols if you need this command to    ***
***    work.                                                          ***
***                                                                   ***
***    Type referenced: nt!_KPRCB                                     ***
***                                                                   ***
*************************************************************************
Loading symbols for bad2d000      ALCXWDM.SYS ->   ALCXWDM.SYS
*** WARNING: Unable to verify timestamp for ALCXWDM.SYS
*** ERROR: Module load completed but symbols could not be loaded for ALCXWDM.SYS

Debugger Dbgportaldb Connection::Open failed 80004005
Connecting as Provider=SQLOLEDB.1;Server=dqtksql04.partners.extranet.microsoft.c
om;OLE DB Services=-4;Database=AtlasLite;UID=Debugger;PWD=OCADebug!1
Database Dbgportaldb not connected
ADO ERROR 80004005,11: [DBNETLIB][ConnectionOpen (Connect()).]SQL Server does no
t exist or access denied.

MODULE_NAME:  ALCXWDM

FAULTING_MODULE: 80800000 nt

DEBUG_FLR_IMAGE_TIMESTAMP:  419b3079

CUSTOMER_CRASH_COUNT:  1

DEFAULT_BUCKET_ID:  DRIVER_FAULT_SERVER_MINIDUMP

BUGCHECK_STR:  0x12

LAST_CONTROL_TRANSFER:  from 00405b3c to 80884d9e

STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
b82d2d64 00405b3c badb0d00 479f0064 00000000 nt+0x84d9e
b82d2d68 badb0d00 479f0064 00000000 00000000 0x405b3c
b82d2d6c 479f0064 00000000 00000000 00000000 ALCXWDM+0x83d00
b82d2d70 00000000 00000000 00000000 00000000 0x479f0064


FOLLOWUP_IP:
ALCXWDM+83d00
badb0d00 ??               ???

SYMBOL_STACK_INDEX:  2

SYMBOL_NAME:  ALCXWDM+83d00

IMAGE_NAME:  ALCXWDM.SYS

STACK_COMMAND:  kb

FOLLOWUP_NAME:  Machine_Owner;http://dbg/symbols

BUCKET_ID:  WRONG_SYMBOLS

Followup: Machine_Owner;http://dbg/symbols
---------

kd>

ttfn

David
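
An added example, not part of the original post: a small Python parser that pulls the key fields and stack modules out of a saved !analyze -v transcript and lists the reasons the named driver is only a tentative suspect. The sample text is trimmed from the output above; the function names are illustrative.

```python
import re

# Constructed sample: lines trimmed from the !analyze -v transcript in the post.
SAMPLE = """\
***** Kernel symbols are WRONG. Please fix symbols to do analysis.
*** WARNING: Unable to verify timestamp for ALCXWDM.SYS
MODULE_NAME:  ALCXWDM
FAULTING_MODULE: 80800000 nt
BUGCHECK_STR:  0x12
STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
b82d2d64 00405b3c badb0d00 479f0064 00000000 nt+0x84d9e
b82d2d68 badb0d00 479f0064 00000000 00000000 0x405b3c
b82d2d6c 479f0064 00000000 00000000 00000000 ALCXWDM+0x83d00
IMAGE_NAME:  ALCXWDM.SYS
BUCKET_ID:  WRONG_SYMBOLS
"""

# KEY_NAME:  value  (keys are upper-case with at least one underscore)
FIELD = re.compile(r"^([A-Z]+(?:_[A-Z0-9]+)+):[ \t]+(\S.*)$", re.M)
# Stack frame: five 8-digit hex columns, then module+offset or module!symbol
FRAME = re.compile(r"^(?:[0-9a-f]{8} ){5}([A-Za-z_]\w*)[+!]", re.M)

def parse_fields(text):
    """Map each KEY_NAME line of the transcript to its value."""
    return {k: v.strip() for k, v in FIELD.findall(text)}

def stack_modules(text):
    """Modules named in STACK_TEXT, in call order, without duplicates."""
    return list(dict.fromkeys(FRAME.findall(text)))

def caveats(text):
    """Reasons the debugger's module attribution should not be trusted yet."""
    notes = []
    if "symbols are WRONG" in text or "BUCKET_ID:  WRONG_SYMBOLS" in text:
        notes.append("kernel symbols did not load; fix the symbol path and re-run")
    if "Stack unwind information not available" in text:
        notes.append("stack frames may be wrong")
    for mod in re.findall(r"Unable to verify timestamp for (\S+)", text):
        notes.append(f"no symbols for {mod}; offsets only")
    return notes

def triage(text):
    """Summarise one dump: bugcheck code, suspect image, stack, caveats."""
    f = parse_fields(text)
    return {"bugcheck": f.get("BUGCHECK_STR"), "suspect": f.get("IMAGE_NAME"),
            "stack": stack_modules(text), "caveats": caveats(text)}

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

For the dump shown in the post, all three caveats fire, so ALCXWDM.SYS is a lead to follow up rather than a confirmed cause.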

 


Posted Fri, Jun 9 2006 12:59 PM by David Overton

Comments

David Overton wrote re: How to find out what is causing a Blue Screen of Death (BSOD) by using the kernel debugger tools
on Fri, Jun 16 2006 11:32 AM
So, there I was glad that I had produced this and then read Susan's blog entry at http://msmvps.com/blogs/bradley/archive/2006/06/15/101628.aspx and realised I had carefully re-created the blog entry from http://blogs.technet.com/petergal/archive/2006/03/23/422993.aspx. Ho hum, oh well.

ttfn

David
Michaele Hicks wrote re: How to find out what is causing a Blue Screen of Death (BSOD) by using the kernel debugger tools
on Wed, Jul 12 2006 6:21 PM
Thanx for the info.  I've sent it off to the rest of my IT guys.
Michael Carney wrote re: How to find out what is causing a Blue Screen of Death (BSOD) by using the kernel debugger tools
on Sat, May 5 2007 11:36 PM

Your blog is fascinating.  I just used your "How to find out what is causing a Blue Screen of Death (BSOD)" post, and discovered that my recurring BSOD in Vista Ultimate 32-bit is caused by tcpip.sys . . . Microsoft tech support has said it was the memory, however, not the network . . . do you have any thoughts as to why?

David Overton wrote re: How to find out what is causing a Blue Screen of Death (BSOD) by using the kernel debugger tools
on Sun, May 6 2007 7:09 AM

Michael,

take several crash dumps and see if each one is happening in the same place - if it is, then it is consistent.  What often happens if memory is bad is that the dumps show failures all over the place.

Also, what error code is it in the dump - it could be showing something like a memory checksum error, which again points to memory.

If the crash is happening in TCPIP.SYS it does not necessarily point to that file being at fault, since the TCP/IP stack works very closely with network drivers; it might also be worth updating the network drivers on that box too and making sure that they are certified.

Finally, have you run the Memory Diagnosis tool?  Go to oca.microsoft.com/.../windiag.asp and burn the ISO there to a CD and run that for a couple of hours.  If you do have faulty memory it should show it up.

thanks

David

Bob S. wrote re: How to find out what is causing a Blue Screen of Death (BSOD) by using the kernel debugger tools
on Tue, Jun 5 2007 8:59 PM
You people probably already know this and may have already discussed it, but Vista and Windows XP Pro x64 and probably other OS's are having issues with running greater than 4GB. I'm running XP Pro x64 and have been seeing the BSOD with various reasons identified. I ran some of the Memory Tests from The Ultimate Boot CD. When I had 4GBs installed, 1 GB (DDR2) per DIMM slot, two slots failed some test. I would switch slots, but as long as I had 4GBs, two out of 4 sticks always indicated a problem. Different slots and different sticks each time after a swap. Finally, I ran the tests with just 2 slots occupied and eventually verified that all 4 sticks were good. My system is working for the moment and recognizes the full 4GBs, but tomorrow when I boot it up again, I may have to boot several times before the OS is up and running or it may go great and crash later or it may run well all day.
Alchemist wrote re: How to find out what is causing a Blue Screen of Death (BSOD) by using the kernel debugger tools
on Mon, Jun 11 2007 7:56 AM
Hi David, I appreciate your help and your concern, thanks a lot. Could you please tell me whether the following error message is normal or do we have to do something to fix this. Thanks again Best Regards, Alchemist

***                                                                   ***
***                                                                   ***
***    Your debugger is not using the correct symbols                 ***
***                                                                   ***
***    In order for this command to work properly, your symbol path   ***
***    must point to .pdb files that have full type information.      ***
***                                                                   ***
***    Certain .pdb files (such as the public OS symbols) do not      ***
***    contain the required information.  Contact the group that      ***
***    provided you with these symbols if you need this command to    ***
***    work.                                                          ***
***                                                                   ***
***    Type referenced: nt!_KPRCB                                     ***
***                                                                   ***

(c)David Overton 2006-23