[Step by Step] How to Analyze BlueScreen Dump

Lowyat.NET Rules and Regulations FAQ Help Search Members

[Step by Step] How to Analyze BlueScreen Dump, by using Microsoft Windows Debugger

views

TSphilipcs	Sep 20 2004, 11:51 AM, updated 20y ago Return to original view \| Post #1
Look at all my stars!! Senior Member 2,581 posts Joined: Jan 2003	Step by step guide how to use Microsoft Windows Debugger (WinDbg) to analyze Minidump a.k.a Crash Dump 1.Download and install Microsoft Windows Debugger (WinDbg) from http://www.microsoft.com/whdc/devtools/deb...installx86.mspx 2.Run WinDbg. 3.Before analyze the minidump, you need to setup "Symbol File Path". a.File -> Symbol File Path -> type "SRVc:\websymbolshttp://msdl.microsoft.com/download/symbols" (without quotes) to the text box. b.Check the Reload check box and click OK. 4.Now you can open a crash dump for analysis. a.File -> Open Crash Dump. b.Open a minidump file that you would like to analyze. c.After you have opened a minidump file, system will ask you to save "Base Workspace Information" and just click YES. 5.Now the debugger is analyzing your dump file and please waits... 6.If you see this screen, you can type "!analyze -v" in the kd> text box and press ENTER. 7.After analyze -v operation is completed, the process of dump analysis is DONE and you can find the crash information here. 8.This is the result: Microsoft � Windows Debugger Version 6.3.0017.0 Copyright � Microsoft Corporation. All rights reserved. Loading Dump File [C:\WINDOWS\Minidump\Mini091904-04.dmp] Mini Kernel Dump File: Only registers and stack trace are available Symbol search path is: SRVc:\websymbolshttp://msdl.microsoft.com/download/symbols Executable search path is: Windows XP Kernel Version 2600 (Service Pack 2) UP Free x86 compatible Product: WinNt, suite: TerminalServer SingleUserTS Built by: 2600.xpsp_sp2_rtm.040803-2158 Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055ab20 Debug session time: Sun Sep 19 23:34:08 2004 System Uptime: 0 days 0:15:39.343 Loading Kernel Symbols .......................................... Loading unloaded module list .................... Loading User Symbols **************************************************************** * * * Bugcheck Analysis * * * ************************************************************** Use !analyze -v to get detailed debugging information. BugCheck 10000050, {ac191633, 0, ac191633, 0} Could not read faulting driver name Probably caused by : win32k.sys ( win32k!IsRestricted+5 ) Followup: MachineOwner --------- kd> .reload Loading Kernel Symbols .......................................... Loading unloaded module list .................... Loading User Symbols kd> !analyze -v ************************************************************** * * * Bugcheck Analysis * * * ************************************************************** PAGE_FAULT_IN_NONPAGED_AREA (50) Invalid system memory was referenced. This cannot be protected by try-except, it must be protected by a Probe. Typically the address is just plain bad or it is pointing at freed memory. Arguments: Arg1: ac191633, memory referenced. Arg2: 00000000, value 0 = read operation, 1 = write operation. Arg3: ac191633, If non-zero, the instruction address which referenced the bad memory address. Arg4: 00000000, (reserved) Debugging Details: ------------------ Could not read faulting driver name READ_ADDRESS: ac191633 FAULTING_IP: +ffffffffac191633 ac191633 ?? ??? MM_INTERNAL_CODE: 0 CUSTOMER_CRASH_COUNT: 4 DEFAULT_BUCKET_ID: COMMON_SYSTEM_FAULT BUGCHECK_STR: 0x50 LAST_CONTROL_TRANSFER: from bf8dc034 to ac191633 STACK_TEXT: WARNING: Frame IP not in any known module. Following frames may be wrong. ed332c14 bf8dc034 bf83ad9d 824ae420 e478aab8 0xac191633 ed332c84 bf83b0b7 0364a780 00000000 00000001 win32k!IsRestricted+0x5 ed332ca0 bf801a55 00000000 00000001 00000000 win32k!xxxCallHook+0x26 ed332ce8 bf80365e ed332d14 000025ff 00000000 win32k!xxxRealInternalGetMessage+0x264 ed332d48 804df06b 052fec5c 00000000 00000000 win32k!NtUserPeekMessage+0x40 ed332d48 7c90eb94 052fec5c 00000000 00000000 nt!KiFastCallEntry+0xf8 052febdc 00000000 00000000 00000000 00000000 0x7c90eb94 FAILED_INSTRUCTION_ADDRESS: +ffffffffac191633 ac191633 ?? ??? FOLLOWUP_IP: win32k!IsRestricted+5 bf8dc034 51 push ecx SYMBOL_STACK_INDEX: 1 FOLLOWUP_NAME: MachineOwner SYMBOL_NAME: win32k!IsRestricted+5 MODULE_NAME: win32k IMAGE_NAME: win32k.sys DEBUG_FLR_IMAGE_TIMESTAMP: 41107f7a STACK_COMMAND: kb BUCKET_ID: 0x50_CODE_AV_BAD_IP_win32k!IsRestricted+5 Followup: MachineOwner --------- 9.In this example, the error is PAGE_FAULT_IN_NONPAGED_AREA (50). You can copy the exact error and search the related info from www.google.com. This is the website that I found to tell you what this error is about. http://www.dslreports.com/forum/remark,109...e=flat~start=20 10.The error that I got is related to MEMORY_CORRUPTION. 11.I have downloaded a memory test tool called MEMTEST86 from http://www.memtest86.com/memt31a.zip. Please follow the guideline for how to create bootable CD and use the tool. 12.I have ran the test for my memory and found a lot of error in my 2nd slot Kingston KVR333X64C25/256. Now I will bring my faulty memory and the test result for my memory warranty. ~ Good Luck & Happy Analyzing ~ This post has been edited by samurai1337**: Nov 30 2006, 07:23 AM
Card PM	Report Top Like Quote Reply

TSphilipcs	Sep 20 2004, 12:33 PM Return to original view \| Post #2
Look at all my stars!! Senior Member 2,581 posts Joined: Jan 2003	I saw some post regarding someone asking should we send the error to Microsoft. my advise is DO NOT send the error to MS because you dont know what MS have coded with this feature. your info might leak to MS as well. Disable the error reporting feature: right click my computer -> properties -> click advanced tab -> click Error Reporting -> select Disable error reporting but do check "but notify me when critical errors occur". at least we know some critical error happended.
Card PM	Report Top Like Quote Reply

TSphilipcs

Sep 21 2004, 08:59 PM

Return to original view | Post #3

Look at all my stars!!

Senior Member
2,581 posts

Joined: Jan 2003

QUOTE (philipcs @ Sep 21 2004, 08:58 PM)

sorry, noob question, i don't get this! where it show your 2nd slot ram got problems ?!

1 got 2 x 256mb.

1mb to 256mb = 1st slot

257mb to 512mb = 2nd slot

this is based on my working experience but not 100% acculate.

I will replace the 2nd slot memory and run the test again.

I will update all of you after i replace my memory.

Card PM

Report Top

Like

Quote Reply

TSphilipcs

Sep 22 2004, 11:33 AM

Return to original view | Post #4

Look at all my stars!!

Senior Member
2,581 posts

Joined: Jan 2003

QUOTE (disket @ Sep 22 2004, 02:35 AM)

this article might be useful to some of u, How to Use Dumpchk.exe to Check a Memory Dump File

its for memory dump file though. nonetheless its closely related to the topic

dumpchk.exe doesnt show much info.
normally we use dumpchk.exe to verify the dump is it a good or corrupted copy.

Card PM

Report Top

Like

Quote Reply

TSphilipcs	Oct 1 2004, 05:29 PM Return to original view \| Post #5
Look at all my stars!! Senior Member 2,581 posts Joined: Jan 2003	the websymbols folder created under c: drive? try to close it and run again
Card PM	Report Top Like Quote Reply

TSphilipcs	Oct 11 2004, 12:09 AM Return to original view \| Post #6
Look at all my stars!! Senior Member 2,581 posts Joined: Jan 2003	QUOTE(wishbone @ Oct 6 2004, 12:34 AM) I had this Bluescreen dump problem thingy the other day after installing SP2, again it's SP2! I left my pc switched on overnight to download some stuffs using ABC Bittorrent client and got the shock of my life when I got up in the morning and saw the blue screen on my monitor.I couldn't start my pc after that, it asked me to repair my OS because some files are missing/corrupted. However, I switched on my pc 3 days after that and the pc was working fine. My question : Should I do anything about it or just leave well alone ? post ur crash dump file here and let us help u
Card PM	Report Top Like Quote Reply

TSphilipcs	Oct 11 2004, 12:14 AM Return to original view \| Post #7
Look at all my stars!! Senior Member 2,581 posts Joined: Jan 2003	QUOTE(andythology @ Oct 5 2004, 11:32 PM) *** Kernel symbols are WRONG. Please fix symbols to do analysis. Unable to load image emDevice.sys, Win32 error 2 * WARNING: Unable to verify timestamp for emDevice.sys * ERROR: Module load completed but symbols could not be loaded for emDevice.sys Unable to load image emStream.sys, Win32 error 2 * WARNING: Unable to verify timestamp for emStream.sys * ERROR: Module load completed but symbols could not be loaded for emStream.sys Probably caused by : emDevice.sys ( emDevice+a0d4 ) Followup: MachineOwner --------- kd> .reload Unable to load image ntoskrnl.exe, Win32 error 2 * WARNING: Unable to verify timestamp for ntoskrnl.exe *** ERROR: Module load completed but symbols could not be loaded for ntoskrnl.exe ------------------------------------------------------------------------------------- wow..lots of problem. dunno how to fix it.. now, this is how we tell the amateur , intermediate and pro. haha are you using Leadtek WinFast TV USB II? should be video Driver corrupted. post ur crash dump file here and let us help u since ur analysis is not complete
Card PM	Report Top Like Quote Reply

TSphilipcs	Oct 11 2004, 12:18 AM Return to original view \| Post #8
Look at all my stars!! Senior Member 2,581 posts Joined: Jan 2003	QUOTE(leadaxer @ Oct 3 2004, 04:25 PM) Nope, there's no websymbols folder created. Ran it again a few times and still the same error pops out. Edit: Got a new screenshot wif different error msg. make sure websymbols folder is created under c:
Card PM	Report Top Like Quote Reply

TSphilipcs	Oct 13 2004, 10:27 PM Return to original view \| Post #9
Look at all my stars!! Senior Member 2,581 posts Joined: Jan 2003	QUOTE(UltramanToron @ Oct 12 2004, 03:42 PM) this thing can rely 100% ah? Depending from case to case. if yours error is generated from hardware, driver or os, then 90% of the accuracy.
Card PM	Report Top Like Quote Reply

TSphilipcs	Oct 13 2004, 10:29 PM Return to original view \| Post #10
Look at all my stars!! Senior Member 2,581 posts Joined: Jan 2003	QUOTE(leadaxer @ Oct 12 2004, 03:41 PM) How do i make certain of that? I've followed ur steps one-by-one. Btw, i'm using XP SP2. dont know how to make new folder in C: go to C Drive, right click and select NEW and select FOLDER. after that, rename the new folder to websymbols.
Card PM	Report Top Like Quote Reply

TSphilipcs	Oct 15 2004, 11:12 AM Return to original view \| Post #11
Look at all my stars!! Senior Member 2,581 posts Joined: Jan 2003	QUOTE(leadaxer @ Oct 14 2004, 09:07 PM) Hehe, no biggie. Anyway, still doesn't work. Do i have to be connected to the net to analyze? Yes. because need to download the symbols from microsoft website to analyse your dump file http://www.microsoft.com/whdc/devtools/deb...ng/symbols.mspx
Card PM	Report Top Like Quote Reply

TSphilipcs	Oct 29 2004, 10:19 PM Return to original view \| Post #12
Look at all my stars!! Senior Member 2,581 posts Joined: Jan 2003	try to find more info from event viewer. event viewer will show you basic info.
Card PM	Report Top Like Quote Reply

TSphilipcs	Nov 3 2004, 10:24 PM Return to original view \| Post #13
Look at all my stars!! Senior Member 2,581 posts Joined: Jan 2003	QUOTE(ncbf @ Oct 31 2004, 07:32 PM) Microsoft � Windows Debugger Version 6.4.0004.4 Copyright � Microsoft Corporation. All rights reserved. Loading Dump File [C:\WINDOWS\Minidump\Mini082704-01.dmp] Mini Kernel Dump File: Only registers and stack trace are available Symbol search path is: SRVc:\websymbolshttp://msdl.microsoft.com/download/symbols Executable search path is: Unable to load image ntoskrnl.exe, Win32 error 2 * WARNING: Unable to verify timestamp for ntoskrnl.exe * ERROR: Module load completed but symbols could not be loaded for ntoskrnl.exe Windows XP Kernel Version 2600 (Service Pack 2) UP Free x86 compatible Product: WinNt, suite: TerminalServer SingleUserTS Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055ab20 Debug session time: Fri Aug 27 00:49:10.406 2004 (GMT+8) System Uptime: 0 days 0:09:43.010 Unable to load image ntoskrnl.exe, Win32 error 2 * WARNING: Unable to verify timestamp for ntoskrnl.exe * ERROR: Module load completed but symbols could not be loaded for ntoskrnl.exe Loading Kernel Symbols ..................................................................................................................... Loading unloaded module list ......... Loading User Symbols ******************************************************************************* * * * Bugcheck Analysis * * * ***************************************************************************** Use !analyze -v to get detailed debugging information. BugCheck 1000008E, {c0000005, 1, ed21c86c, 0} * Kernel symbols are WRONG. Please fix symbols to do analysis. Probably caused by : ks.sys ( ks!ntoskrnl_NULL_THUNK_DATA+14c ) Followup: MachineOwner --------- kd> !analyze -v ***************************************************************************** * * * Bugcheck Analysis * * * ***************************************************************************** Use !analyze -v to get detailed debugging information. BugCheck 1000008E, {c0000005, 1, ed21c86c, 0} * Kernel symbols are WRONG. Please fix symbols to do analysis. Probably caused by : ks.sys ( ks!ntoskrnl_NULL_THUNK_DATA+14c ) Followup: MachineOwner --------- kd> !analyze -v ***************************************************************************** * * * Bugcheck Analysis * * * ***************************************************************************** KERNEL_MODE_EXCEPTION_NOT_HANDLED_M (1000008e) This is a very common bugcheck. Usually the exception address pinpoints the driver/function that caused the problem. Always note this address as well as the link date of the driver/image that contains this address. Some common problems are exception code 0x80000003. This means a hard coded breakpoint or assertion was hit, but this system was booted /NODEBUG. This is not supposed to happen as developers should never have hardcoded breakpoints in retail code, but ... If this happens, make sure a debugger gets connected, and the system is booted /DEBUG. This will let us see why this breakpoint is happening. Arguments: Arg1: c0000005, The exception code that was not handled Arg2: 00000001, The address that the exception occurred at Arg3: ed21c86c, Trap Frame Arg4: 00000000 Debugging Details: ------------------ *** Kernel symbols are WRONG. Please fix symbols to do analysis. EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s". FAULTING_IP: +1 00000001 ?? ??? TRAP_FRAME: ed21c86c -- (.trap ffffffffed21c86c) ErrCode = 00000000 eax=00000000 ebx=ff811a68 ecx=00000000 edx=00000000 esi=ff811aa8 edi=00000018 eip=00000001 esp=ed21c8e0 ebp=ff6b9f48 iopl=0 nv up ei pl zr na po nc cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=ed21c364 00000001 ?? ??? Resetting default scope CUSTOMER_CRASH_COUNT: 1 DEFAULT_BUCKET_ID: DRIVER_FAULT BUGCHECK_STR: 0x8E LAST_CONTROL_TRANSFER: from ed21cb00 to 00000001 SYMBOL_ON_RAW_STACK: 1 STACK_TEXT: WARNING: Frame IP not in any known module. Following frames may be wrong. ed21c8dc ed21cb00 f13eef4d f13ef398 ffffffff 0x1 ff6b9f48 00000000 001a59ec 00000000 45ffaaa0 0xed21cb00 STACK_COMMAND: dds @$csp ; kb FOLLOWUP_IP: ks!ntoskrnl_NULL_THUNK_DATA+14c f13ef398 ffff ??? FOLLOWUP_NAME: MachineOwner SYMBOL_NAME: ks!ntoskrnl_NULL_THUNK_DATA+14c MODULE_NAME: ks IMAGE_NAME: ks.sys DEBUG_FLR_IMAGE_TIMESTAMP: 41107ef8 BUCKET_ID: WRONG_SYMBOLS Followup: MachineOwner --------- I got this message...but do not know how to solve it...anyone can help? and i have the message as philipcs(1st page)..and i downloaded memtest,but i do not know how to make a boot up disk..in the manual,it says the installation is for linux...? KS.sys is related to Intel Hyper-Threading CPU Please see the solution from Microsoft below: http://support.microsoft.com/?kbid=812035
Card PM	Report Top Like Quote Reply

TSphilipcs	Nov 3 2004, 10:26 PM Return to original view \| Post #14
Look at all my stars!! Senior Member 2,581 posts Joined: Jan 2003	QUOTE(shawnlst @ Oct 31 2004, 08:36 PM) what do u mean by that? check through the net? or is there any this 'event viewer' option in the s/w? event viwer is the built function in windows. start --> run --> type: eventvwr in system log, you can see those error due to system related issue such as driver, hardware error, OS error.
Card PM	Report Top Like Quote Reply

« Next Oldest · Reviews and Guides · Next Newest »