BSOD ~ How to use Debugging Tools For Windows
The Blue Screen Of Death (BSOD)
Everyone has had them.
When these occur there is generally going to be a STOP Message associated with it.
STOP messages are identified by an 8-digit hexadecimal number such as STOP 0x0000000Z or Stop 0xZ.
When a STOP message occurs a Memory.dmp file is created.
I'm going to show you how to use Windows Debugging Tools and hopefully point you in the right direction to solving your BSOD.
You are going to need to download and install two things.
Debugging Tools for Windows which can be found here:
http://www.microsoft.com/whdc/devtoo...llx86.mspx#ERB
And Windows Symbol Packages which can be found here:
http://www.microsoft.com/whdc/devtoo...symbolpkg.mspx
When I installed the Symbols Package, Windows created a folder located at C:\WINDOWS\Symbols
It is important that when you run "The Bug Checker" you point the utility to the right place.
Let's start.
Go to Start/Programs/Debugging Tools For Windows/Windbg.
The 1st thing you will see is a blank screen.
http://www.redhour.us/ghostdog/BgCk1.jpg
Click File/Symbol File Path...
http://www.redhour.us/ghostdog/BgCk2.jpg
Point the utility to where you have your symbols. In my case C:\WINDOWS\Symbols. Click OK.
http://www.redhour.us/ghostdog/BgCk3.jpg
Click File/Save Workspace.
http://www.redhour.us/ghostdog/BgCk4.jpg
Click File/Open Crash Dump...
http://www.redhour.us/ghostdog/BgCk5.jpg
We now work our way to the .dmp files. They will be located in a file called Minidump.
http://www.redhour.us/ghostdog/BgCk6.jpg
http://www.redhour.us/ghostdog/BgCk7.jpg
http://www.redhour.us/ghostdog/BgCk8.jpg
When you get to the Minidump file click Open and there they are.
You can see I've had a few.
http://www.redhour.us/ghostdog/BgCk9.jpg
When you click on a file, this screen will pop up. Click No and the debugging process starts.
http://www.redhour.us/ghostdog/BgCk10.jpg
(Continued next post)
Re: BSOD ~ How to use Debugging Tools For Windows
After "The Bug Check" has finished its analysis you will see this screen.
(Which I've expanded so that everything fits into the window.)
If you look near the bottom it says "Probably caused by : ati2cqaq.dll"
http://www.redhour.us/ghostdog/BgCk11.jpg
Next click on the blue !analyze -v (see above screen).
(I've scrolled all the way to the bottom of the screen below)
Three things should be noted here.
1) BUGCHECK_STR : 0xEA
2) PROCESS_NAME : RavenShield.exe
3) MODULE_NAME : ati2cqaq.dll
http://www.redhour.us/ghostdog/BgCk12.jpg
So what does this tell me?
First. I blue screened while playing Rainbow 6 Ravenshield.
Second. The "ati" deal is leading me to believe it might be a display driver.
For the third part (0xEA) I went here: http://aumha.org/a/stop.htm and found this:
Quote:
0x000000EA: THREAD_STUCK_IN_DEVICE_DRIVER
A device driver problem has caused the system to pause indefinitely (hang).
Typically, this is caused by a display driver waiting for the video hardware to enter an idle state.
This might indicate a hardware problem with the video adapter, or a faulty video driver.
In my case it turned out to be the video driver.
Updating the driver took care of the problem.
Hope this helps demystify the bug check process.
Re: BSOD ~ How to use Debugging Tools For Windows
Nice work there Ghost. Belongs linked in one of the stickies for reference.
Who hasn't wondered about a Blue Screen message and what all the garble actually means? :cool:
You have done this:
http://www.ibzp.net/pohlitics/files/...entry134_1.jpg
Re: BSOD ~ How to use Debugging Tools For Windows
Nice work IAGD.
The bug checker does come in handy. Well worth a sticky!
Re: BSOD ~ How to use Debugging Tools For Windows
I hate to say it, but I'm actually excited for my next BSOD to give this a shot. Thanks Ghost dog.
Re: BSOD ~ How to use Debugging Tools For Windows
...wow, some to learn... but when I see BSOD (on comps made by me, never)
I'm putting abit+adata+seag.....
P.S. this BSOD must never happen!.. (bad mbo, sees wrong timings of mem,
HDD in coma.... You manage to get rid of "this" but this is final staff of some bad
is on... means will happen again... so adv: newest BIOS, make mem like its timings is, defrag often...
Re: BSOD ~ How to use Debugging Tools For Windows
Quote:
Originally Posted by jimzinsocal
Nice work there Ghost.
Quote:
Originally Posted by zetachi
Nice work IAGD.
Quote:
Originally Posted by Gator650
Thanks Ghost dog.
Quote:
Originally Posted by Ned Slider
Nice guide Ghost :)
Thanks boys.
Something I learned how to do when I had a rash of BSODs last summer.
I thought it might help someone somewhere down the line.
Re: BSOD ~ How to use Debugging Tools For Windows
Quote:
Originally Posted by IAmGhostDog
Thanks boys.
Something I learned how to do when I had a rash of BSODs last summer.
I thought it might help someone somewhere down the line.
I was going to say ... that looked like a whole lotta minidumps in a short time.
Good job!
Re: BSOD ~ How to use Debugging Tools For Windows
IAmGhostDog, what about this ***ERROR: Module load completed but symbols could not be loaded for ntoskrnl.exe***
Microsoft (R) Windows Debugger Version 6.8.0004.0 X86
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [C:\WINDOWS\Minidump\Mini110507-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available
Symbol search path is: G\Window\Symbol
Executable search path is:
Unable to load image ntoskrnl.exe, Win32 error 0n2
*** WARNING: Unable to verify timestamp for ntoskrnl.exe
*** ERROR: Module load completed but symbols could not be loaded for ntoskrnl.exe
Windows XP Kernel Version 2600 (Service Pack 1) MP (2 procs) Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Kernel base = 0x804d4000 PsLoadedModuleList = 0x8054c150
Debug session time: Mon Nov 5 18:52:12.375 2007 (GMT-6)
System Uptime: 0 days 19:26:21.984
Unable to load image ntoskrnl.exe, Win32 error 0n2
*** WARNING: Unable to verify timestamp for ntoskrnl.exe
*** ERROR: Module load completed but symbols could not be loaded for ntoskrnl.exe
Loading Kernel Symbols
.................................................................................................... ....................
Loading User Symbols
Loading unloaded module list
...........
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck 10000050, {ccecccce, 0, ccecccce, 0}
***** Kernel symbols are WRONG. Please fix symbols to do analysis.
*************************************************************************
*** ***
*** ***
*** Your debugger is not using the correct symbols ***
*** ***
*** In order for this command to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: nt!_KPRCB ***
*** ***
*************************************************************************
Probably caused by : Unknown_Image ( ANALYSIS_INCONCLUSIVE )
Followup: MachineOwner
---------
0: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
***Next Post***
Re: BSOD ~ How to use Debugging Tools For Windows
PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except,
it must be protected by a Probe. Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: ccecccce, memory referenced.
Arg2: 00000000, value 0 = read operation, 1 = write operation.
Arg3: ccecccce, If non-zero, the instruction address which referenced the bad memory
address.
Arg4: 00000000, (reserved)
Debugging Details:
------------------
***** Kernel symbols are WRONG. Please fix symbols to do analysis.
*************************************************************************
*** ***
*** ***
*** Your debugger is not using the correct symbols ***
*** ***
*** In order for this command to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: nt!_KPRCB ***
*** ***
*************************************************************************
FAULTING_MODULE: 804d4000 nt
DEBUG_FLR_IMAGE_TIMESTAMP: 0
READ_ADDRESS: unable to get nt!MmSpecialPoolStart
unable to get nt!MmSpecialPoolEnd
unable to get nt!MmPoolCodeStart
unable to get nt!MmPoolCodeEnd
ccecccce
FAULTING_IP:
+ffffffffccecccce
ccecccce ?? ???
MM_INTERNAL_CODE: 0
CUSTOMER_CRASH_COUNT: 1
DEFAULT_BUCKET_ID: WRONG_SYMBOLS
BUGCHECK_STR: 0x50
LAST_CONTROL_TRANSFER: from cecccccc to ccecccce
FAILED_INSTRUCTION_ADDRESS:
+ffffffffccecccce
ccecccce ?? ???
STACK_TEXT:
WARNING: Frame IP not in any known module. Following frames may be wrong.
STACK_COMMAND: kb
SYMBOL_NAME: ANALYSIS_INCONCLUSIVE
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: Unknown_Module
IMAGE_NAME: Unknown_Image
BUCKET_ID: WRONG_SYMBOLS
Followup: MachineOwner
---------
Re: BSOD ~ How to use Debugging Tools For Windows
nice! this will help me out at work.
Re: BSOD ~ How to use Debugging Tools For Windows
Quote:
Originally Posted by falcon_view
IAmGhostDog, what about this ***ERROR: Module load completed but symbols could not be loaded for ntoskrnl.exe***
Quote:
***** Kernel symbols are WRONG. Please fix symbols to do analysis.
Did you get the latest Symbols Package?
Did you point the Bug Checker to the right spot?
Re: BSOD ~ How to use Debugging Tools For Windows
Yep, I messed up. Got it right this time.
Microsoft (R) Windows Debugger Version 6.8.0004.0 X86
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [C:\WINDOWS\Minidump\Mini110607-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available
Symbol search path is: C:\WINDOWS\Symbols
Executable search path is:
Unable to load image ntoskrnl.exe, Win32 error 0n2
*** WARNING: Unable to verify timestamp for ntoskrnl.exe
Windows XP Kernel Version 2600 (Service Pack 1) MP (2 procs) Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Kernel base = 0x804d4000 PsLoadedModuleList = 0x8054c150
Debug session time: Tue Nov 6 22:23:03.343 2007 (GMT-6)
System Uptime: 0 days 3:07:51.090
Unable to load image ntoskrnl.exe, Win32 error 0n2
*** WARNING: Unable to verify timestamp for ntoskrnl.exe
Loading Kernel Symbols
.................................................................................................... ......................
Loading User Symbols
Loading unloaded module list
..............
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck A, {10000148, 1c, 0, 804fd519}
*** WARNING: Unable to verify timestamp for tcpip.sys
Probably caused by : tcpip.sys ( tcpip!GetGeneralIFConfig+98 )
Followup: MachineOwner
---------
0: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.
Arguments:
Arg1: 10000148, memory referenced
Arg2: 0000001c, IRQL
Arg3: 00000000, bitfield :
bit 0 : value 0 = read operation, 1 = write operation
bit 3 : value 0 = not an execute operation, 1 = execute operation (only on chips which support this level of status)
Arg4: 804fd519, address which referenced memory
Debugging Details:
------------------
READ_ADDRESS: 10000148
CURRENT_IRQL: 1c
FAULTING_IP:
nt!CcMapAndCopy+dc
804fd519 8b01 mov eax,dword ptr [ecx]
CUSTOMER_CRASH_COUNT: 1
DEFAULT_BUCKET_ID: DRIVER_FAULT
BUGCHECK_STR: 0xA
PROCESS_NAME: Idle
LAST_CONTROL_TRANSFER: from 805346e6 to 804f573b
STACK_TEXT:
80540248 805346e6 0000000a 10000148 0000001c nt!PsChargeProcessNonPagedPoolQuota+0x44
80540284 804f58e9 b0e789d0 80540308 00000000 nt!SdbQueryDataExTagID+0x275
80540308 b0f12080 88847b20 72424166 00000206 nt!IopCheckVpbMounted+0x83
8054032c 80540340 806bcfd8 8889e01c 000000e1 tcpip!GetGeneralIFConfig+0x98
00000000 00000000 00000000 00000000 00000000 nt!KiDoubleFaultStack+0x1140
STACK_COMMAND: kb
FOLLOWUP_IP:
tcpip!GetGeneralIFConfig+98
b0f12080 ?? ???
SYMBOL_STACK_INDEX: 3
SYMBOL_NAME: tcpip!GetGeneralIFConfig+98
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: tcpip
IMAGE_NAME: tcpip.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 444772c2
FAILURE_BUCKET_ID: 0xA_tcpip!GetGeneralIFConfig+98
BUCKET_ID: 0xA_tcpip!GetGeneralIFConfig+98
Followup: MachineOwner
---------
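One way to pull the fields this thread reads off the !analyze -v output from a saved debugger log, and to catch the wrong-symbols run from the earlier post before trusting its "Probably caused by" line. This is an added example, not part of any post in the thread; the function name triage and the result keys are assumptions of the example, and the two sample logs are excerpts trimmed from the output posted above.

```python
import re

# Fields the thread reads off "!analyze -v", plus the bucket that marks a
# symbol failure. Only these are kept from the "NAME: value" lines.
FIELDS = {"BUGCHECK_STR", "PROCESS_NAME", "MODULE_NAME", "IMAGE_NAME",
          "DEFAULT_BUCKET_ID"}
FIELD_RE = re.compile(r"^\s*([A-Z_]+)\s*:\s*(\S.*?)\s*$")
BUGCHECK_RE = re.compile(r"^BugCheck\s+([0-9A-Fa-f]+),\s*\{([^}]*)\}")
SYMPATH_RE = re.compile(r"^Symbol search path is:\s*(.*?)\s*$")
CAUSE_RE = re.compile(r"^Probably caused by\s*:\s*(\S+)")
TIMESTAMP_RE = re.compile(r"Unable to verify timestamp for (\S+)")
SYMBOL_ERRORS = ("Kernel symbols are WRONG", "symbols could not be loaded")


def triage(log_text):
    """Summarise one WinDbg log and record whether symbols loaded correctly."""
    r = {"fields": {}, "bugcheck": None, "args": [], "symbol_path": None,
         "probable_cause": None, "symbols_ok": True, "unverified": []}
    for line in log_text.splitlines():
        if any(marker in line for marker in SYMBOL_ERRORS):
            r["symbols_ok"] = False
        if (m := TIMESTAMP_RE.search(line)) and m.group(1) not in r["unverified"]:
            r["unverified"].append(m.group(1))
        if m := BUGCHECK_RE.match(line):
            r["bugcheck"] = m.group(1)
            r["args"] = [a.strip() for a in m.group(2).split(",")]
        elif m := SYMPATH_RE.match(line):
            r["symbol_path"] = m.group(1)
        elif m := CAUSE_RE.match(line):
            r["probable_cause"] = m.group(1)
        elif (m := FIELD_RE.match(line)) and m.group(1) in FIELDS:
            r["fields"].setdefault(m.group(1), m.group(2))
    if r["fields"].get("DEFAULT_BUCKET_ID") == "WRONG_SYMBOLS":
        r["symbols_ok"] = False
    return r


# Sample input: lines trimmed from the two debugger outputs posted in this thread.
BAD_LOG = r"""Symbol search path is: G\Window\Symbol
*** ERROR: Module load completed but symbols could not be loaded for ntoskrnl.exe
BugCheck 10000050, {ccecccce, 0, ccecccce, 0}
***** Kernel symbols are WRONG. Please fix symbols to do analysis.
Probably caused by : Unknown_Image ( ANALYSIS_INCONCLUSIVE )
DEFAULT_BUCKET_ID: WRONG_SYMBOLS
BUGCHECK_STR: 0x50"""
GOOD_LOG = r"""Symbol search path is: C:\WINDOWS\Symbols
*** WARNING: Unable to verify timestamp for ntoskrnl.exe
BugCheck A, {10000148, 1c, 0, 804fd519}
*** WARNING: Unable to verify timestamp for tcpip.sys
Probably caused by : tcpip.sys ( tcpip!GetGeneralIFConfig+98 )
DEFAULT_BUCKET_ID: DRIVER_FAULT
BUGCHECK_STR: 0xA
PROCESS_NAME: Idle
IMAGE_NAME: tcpip.sys"""

if __name__ == "__main__":
    for log in (BAD_LOG, GOOD_LOG):
        print(triage(log))
```

For the second excerpt the analysis completes, but the unverified list still names ntoskrnl.exe and tcpip.sys, because the debugger printed "Unable to verify timestamp" for both.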
Re: BSOD ~ How to use Debugging Tools For Windows
May have fixed it with this
Start-->Run-->cmd
the following command:
netsh int ip reset c:\reset_tcpip.txt
Hope :worship: