This morning I woke up and was greeted by a Blue Screen of Death (BSOD) on my computer. For most people, this would be terrifying, but I worked for 5 years fixing problems just like this. If you do have a BSOD, there are some steps you can take to find out why you are having it. These tips work if you can still access your operating system. If you can’t, you would have to plug your hard drive into another computer and analyze the crash dump from the working system.
In my case, the BSOD showed win32k.sys as being the culprit, but sometimes all you will have is a stop error. These stop errors may look cryptic, but a Google search can turn up a wealth of information about them. This site has a big listing of stop codes: http://www.aumha.org/a/stop.php. Just write down the stop code that you see on the blue screen, then look it up to see what could be causing the problem. For example, STOP: 0x0000000A: IRQL_NOT_LESS_OR_EQUAL is usually a bad drive, so that narrows down what is causing your problem. If, say, you install a new video card and then start getting STOP: 0x0A, that new card is a likely cause of your stop error.
Something a bit more advanced that you can try is the Windows Debugger. If you look at the bottom of the BSOD you will hopefully see a line that says “Beginning dump of physical memory”. You can use the Windows Debugger to analyze this crash dump and find out what caused your computer to blue screen.
The first thing you need to do is download the debugger. For the debugger to work you also need something called symbols. The symbols are operating system specific, so you need to make sure you get the XP symbols if you are using XP or the Vista symbols if you are using Vista. However, you can also have the debugger download the needed symbols automatically from Microsoft’s online symbol server. I usually go with this method since the symbol files are nearly 300MB. Here are the instructions from Microsoft on how to use the symbol server:
To use the Microsoft Symbol Server:
1. Make sure you have installed the latest version of Debugging Tools for Windows.
2. Start a debugging session.
3. Decide where to store the downloaded symbols (the “downstream store”). This can be a local drive or a UNC path.
4. Set the debugger symbol path as follows, substituting your downstream store path for DownstreamStore:
   SRV*DownstreamStore*http://msdl.microsoft.com/download/symbols
For example, to download symbols to c:\websymbols, you would add the following to your symbol path:
SRV*c:\websymbols*http://msdl.microsoft.com/download/symbols
Now, if you have your debugging tools installed and your symbols all set up, you need to actually analyze the crash dump. The debugging tools install in the Start menu under All Programs >> Debugging Tools for Windows >> WinDbg. To open the crash dump you can either click File >> Open Crash Dump, or press CTRL + D as a hotkey. By default, the crash dump file is located at C:\windows\MEMORY.DMP. Here is a sample of what I got on my crash dump.
Now !analyze -v
After you load the crash dump, the debugger will take a few moments to read the file, then you should see something that says to type !analyze to analyze your crash dump. This is where you will hopefully find out what is causing the problem. In my case, the debugger found this
PROCESS_NAME: LCDMedia.exe
to be the process that caused my problem. This process is for my Logitech G15 keyboard software, so I uninstalled it. If you don’t recognize the process, you can do a Google search to find out what it is, or search your computer for the process name and see what you find. Be careful, though, and don’t just delete the process, because this could cause more problems.
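To pull the same fields out of !analyze -v output without reading it by eye, here is an added example (not code from the original post) that parses the lines the debugger prints and reports what it blames. The driver name exampledrv.sys and its addresses are constructed for illustration; the second excerpt reuses values from the debugger output quoted in the comments on this page.

```python
import re

# Constructed excerpt in the layout WinDbg prints after "!analyze -v";
# exampledrv.sys and its addresses are made up for illustration.
DRIVER_DUMP = """\
BugCheck D1, {8, 2, 0, f7a1c2e4}
Probably caused by : exampledrv.sys ( exampledrv+12e4 )
PROCESS_NAME:  LCDMedia.exe
IMAGE_NAME:  exampledrv.sys
FAILURE_BUCKET_ID:  0xD1_exampledrv+12e4
"""
# Values reused from the debugger output quoted in the comments on this page.
HARDWARE_DUMP = """\
BugCheck 1000008E, {c000001d, bf80a499, f69839d8, 0}
Probably caused by : hardware ( win32k!xxxMsgWaitForMultipleObjects+b6 )
PROCESS_NAME:  csrss.exe
IMAGE_NAME:  hardware
FAILURE_BUCKET_ID:  IP_MISALIGNED
"""

BUGCHECK_RE = re.compile(r"^BugCheck\s+([0-9A-Fa-f]+),\s*\{([^}]*)\}", re.M)
CAUSE_RE = re.compile(r"^Probably caused by\s*:\s*(\S+)\s*\(\s*(.*?)\s*\)", re.M)
FIELD_RE = re.compile(r"^([A-Z_]+):[ \t]+(\S.*?)\s*$", re.M)

def parse_analyze(text):
    """Extract the triage-relevant fields from !analyze -v output."""
    report = {"fields": dict(FIELD_RE.findall(text))}
    m = BUGCHECK_RE.search(text)
    if m:
        report["bugcheck"] = int(m.group(1), 16)
        report["args"] = [int(a.strip(), 16) for a in m.group(2).split(",")]
    m = CAUSE_RE.search(text)
    if m:
        report["culprit"], report["symbol"] = m.group(1), m.group(2)
    return report

def triage(report):
    """Relay the debugger's own attribution; adds no diagnosis of its own."""
    fields = report["fields"]
    culprit = report.get("culprit") or fields.get("IMAGE_NAME")
    kind = "unknown" if not culprit else (
        "hardware" if culprit.lower() == "hardware" else "module")
    return {"kind": kind, "culprit": culprit or "unknown",
            "process": fields.get("PROCESS_NAME", "unknown"),
            "bucket": fields.get("FAILURE_BUCKET_ID", "unknown")}

if __name__ == "__main__":
    for dump in (DRIVER_DUMP, HARDWARE_DUMP):
        print(triage(parse_analyze(dump)))
```

The text to parse can be produced without the GUI by running the console debugger from the same Debugging Tools package, for example cdb -z C:\windows\MEMORY.DMP -y SRV*c:\websymbols*http://msdl.microsoft.com/download/symbols -c "!analyze -v; q".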
Any questions?
That is about it. If you have any questions, please post a comment and I’ll try to answer it.

Thanks for this, it will definitely be a reference. Is there something similar to the BSOD with Macs? Because I used to have Windows and I got the Blue Screen sometimes, but with Macs there doesn’t seem to be something like that. Is there any I don’t know anything about it?
http://en.wikipedia.org/wiki/Screens_of_death Here is a whole list of them. I’ve heard of a Grey screen of death on a Mac before, but I haven’t seen it.
Thanks. I haven’t seen the grey screen of death on a Mac either, and it’s fortunate, most likely. And I love Wikipedia, you can count on an entry on most anything. The thing that you can’t count on is the material. But it’s a great resource if there’s something to back it up.
Please check your email, Marcus. You’ll find something from me.
I got it I’ll reply soon.
Thanks. Take your time, I’m not trying to push you into doing something you don’t want to do or something like that.
you’re far too modest
Just careful, Shameen. On the internet you have to be cautious about offending people….
yeah sarcasm never works
btw great work marcus on jennettes website :O
What? I don’t get it . . . haha (sarcasm detector beeping). But speaking truthfully, you do have to be a bit careful, which stinks for me because in real life I’m really sarcastic.
yeah and trying to be sarcastic still sounds offensive
btw i got the BSOD screensaver
Yeah funny story about that screen saver I put it on my work computer then went to lunch and I freaked out for a second when I came back and saw the screen saver up because I completely forgot about it.
Thanks for that very helpful post. My computer crashed and showed me a “blue screen” that was apparently caused by a faulty RAM stick.
Since you’re into computers, I’m inviting you to join BetaArchive.co.uk. You can share your knowledge with other enthusiasts. It’s a pretty amazing community if you ask me.
Hello Marcus,
I have followed your post re: debug and got the following reply which makes no sense to me. Any idea what it means?
Thanks for your help so far
Rob
Microsoft (R) Windows Debugger Version 6.11.0001.404 X86
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [C:\WINDOWS\Minidump\Mini072409-04.dmp]
Mini Kernel Dump File: Only registers and stack trace are available
Symbol search path is: SRV*c:\websymbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows XP Kernel Version 2600 (Service Pack 3) MP (2 procs) Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS Personal
Built by: 2600.xpsp_sp3_gdr.090206-1234
Machine Name:
Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055d720
Debug session time: Fri Jul 24 08:17:33.031 2009 (GMT+1)
System Uptime: 0 days 0:12:00.734
Loading Kernel Symbols
………………………………………………………
…………………………………………………….
Loading User Symbols
Loading unloaded module list
…………
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck 1000008E, {c000001d, bf80a499, f69839d8, 0}
Probably caused by : hardware ( win32k!xxxMsgWaitForMultipleObjects+b6 )
Followup: MachineOwner
---------
0: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
KERNEL_MODE_EXCEPTION_NOT_HANDLED_M (1000008e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Some common problems are exception code 0x80000003. This means a hard
coded breakpoint or assertion was hit, but this system was booted
/NODEBUG. This is not supposed to happen as developers should never have
hardcoded breakpoints in retail code, but ...
If this happens, make sure a debugger gets connected, and the
system is booted /DEBUG. This will let us see why this breakpoint is
happening.
Arguments:
Arg1: c000001d, The exception code that was not handled
Arg2: bf80a499, The address that the exception occurred at
Arg3: f69839d8, Trap Frame
Arg4: 00000000
Debugging Details:
------------------
EXCEPTION_CODE: (NTSTATUS) 0xc000001d - {EXCEPTION} Illegal Instruction An attempt was made to execute an illegal instruction.
FAULTING_IP:
win32k!xxxMsgWaitForMultipleObjects+b6
bf80a499 ff ???
TRAP_FRAME: f69839d8 -- (.trap 0xfffffffff69839d8)
ErrCode = 00000000
eax=00000002 ebx=00000000 ecx=00000000 edx=00000000 esi=e1b01eb0 edi=804fab14
eip=bf80a499 esp=f6983a4c ebp=f6983a5c iopl=0 nv up ei ng nz na po cy
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010283
win32k!xxxMsgWaitForMultipleObjects+0xb6:
bf80a499 ff ???
Resetting default scope
CUSTOMER_CRASH_COUNT: 4
DEFAULT_BUCKET_ID: COMMON_SYSTEM_FAULT
BUGCHECK_STR: 0x8E
PROCESS_NAME: csrss.exe
MISALIGNED_IP:
win32k!xxxMsgWaitForMultipleObjects+b6
bf80a499 ff ???
LAST_CONTROL_TRANSFER: from bf89b736 to bf80a499
FAILED_INSTRUCTION_ADDRESS:
win32k!xxxMsgWaitForMultipleObjects+b6
bf80a499 ff ???
STACK_TEXT:
f6983a5c bf89b736 00000002 8708fba8 bf89e684 win32k!xxxMsgWaitForMultipleObjects+0xb6
f6983d30 bf8846e9 bf9ab400 00000001 f6983d54 win32k!xxxDesktopThread+0x339
f6983d40 bf8010ed bf9ab400 f6983d64 0072fff4 win32k!xxxCreateSystemThreads+0x6a
f6983d54 8054162c 00000000 00000022 00000000 win32k!NtUserCallOneParam+0x23
f6983d54 7c90e514 00000000 00000022 00000000 nt!KiFastCallEntry+0xfc
WARNING: Frame IP not in any known module. Following frames may be wrong.
00000000 00000000 00000000 00000000 00000000 0x7c90e514
STACK_COMMAND: kb
FOLLOWUP_IP:
win32k!xxxMsgWaitForMultipleObjects+b6
bf80a499 ff ???
SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: win32k!xxxMsgWaitForMultipleObjects+b6
FOLLOWUP_NAME: MachineOwner
IMAGE_NAME: hardware
DEBUG_FLR_IMAGE_TIMESTAMP: 0
MODULE_NAME: hardware
FAILURE_BUCKET_ID: IP_MISALIGNED
BUCKET_ID: IP_MISALIGNED
Followup: MachineOwner
---------
0: kd> lmvm hardware
start end module name
and this:
0: kd> .trap 0xfffffffff69839d8
ErrCode = 00000000
eax=00000002 ebx=00000000 ecx=00000000 edx=00000000 esi=e1b01eb0 edi=804fab14
eip=bf80a499 esp=f6983a4c ebp=f6983a5c iopl=0 nv up ei ng nz na po cy
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010283
win32k!xxxMsgWaitForMultipleObjects+0xb6:
bf80a499 ff ???