Mar 05 2009

win32k.sys blue screen of death and how to fix it

This morning I woke up and was greeted by a Blue Screen of Death (BSOD) on my computer. For most people, this would be terrifying, but I worked for 5 years fixing problems just like this. If you do have a BSOD, there are some steps you can take to find out why you are having it. These tips work if you can still access your operating system. If you can’t, you would have to plug your hard drive into another computer and analyze the crash dump from the working system.

In my case, the BSOD showed win32k.sys as being the culprit, but sometimes all you will have is a stop error. These stop errors may look cryptic, but a Google search can turn up a wealth of information about them. This site has a big listing of stop codes: http://www.aumha.org/a/stop.php. Just write down the stop code that you see on the blue screen, then look it up to see what could be causing the problem. For example, STOP: 0x0000000A: IRQL_NOT_LESS_OR_EQUAL is usually a bad driver, so that narrows down what is causing your problem. If, say, you install a new video card and then start getting STOP: 0x0A, that new card is a likely cause of your stop error.

Something a bit more advanced that you can try is the Windows Debugger. If you look at the bottom of the BSOD you will hopefully see a line that says “Beginning dump of physical memory”. You can use the Windows Debugger to analyze this crash dump and find out what caused your computer to blue screen.

When using the debugger, the first thing you need to do is download it. For the debugger to work you also need something called symbols. The symbols are operating system specific, so you need to make sure you get the XP symbols if you are using XP or the Vista symbols if you are using Vista. However, you can also have the debugger download the needed symbols automatically from Microsoft's online symbol server. I usually go with this method since the symbol files are nearly 300MB. Here are the instructions from Microsoft on how to use the symbol server:

To use the Microsoft Symbol Server

1. Make sure you have installed the latest version of Debugging Tools for Windows.
2. Start a debugging session.
3. Decide where to store the downloaded symbols (the “downstream store”). This can be a local drive or a UNC path.
4. Set the debugger symbol path as follows, substituting your downstream store path for DownstreamStore.

SRV*DownstreamStore*http://msdl.microsoft.com/download/symbols

For example, to download symbols to c:\websymbols, you would add the following to your symbol path:
SRV*c:\websymbols*http://msdl.microsoft.com/download/symbols

Now, if you have your debugging tools installed and your symbols all set up, you need to actually analyze the crash dump. The debugging tools install in the Start menu under All Programs >> Debugging Tools for Windows >> WinDbg. To open the crash dump you can either click File >> Open Crash Dump, or press CTRL + D to hotkey it. By default, the crash dump file is located at C:\windows\MEMORY.DMP. Here is a sample of what I got on my crash dump.

Now !analyze -v

After you load the crash dump, the debugger will take a few moments to read the file, then you should see something that says to type !analyze to analyze your crash dump. This is where you will hopefully find out what is causing the problem. In my case, the debugger found this

PROCESS_NAME:  LCDMedia.exe

to be the process that caused my problem. This process is for my Logitech G15 keyboard software, so I uninstalled it. If you don’t recognize the process, you can do a Google search to find out what it is, or search your computer for the process name and see what you find. Be careful though, and don’t just delete the process, because this could cause more problems.
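
The triage described above, as an added example that is not part of the original post: it builds the kd.exe command line that opens the dump with the symbol server path and runs !analyze -v, then pulls the bug check and the named fields out of the output. The sample output is constructed, kd.exe being on PATH is assumed, and the OS image list and the lead() heuristic are assumptions for illustration.

```python
import re

# Symbol server URL from the page; kd.exe being on PATH is an assumption.
SYMBOL_SERVER = "http://msdl.microsoft.com/download/symbols"
FIELD = re.compile(r"^([A-Z][A-Z0-9_]*):\s+(\S.*)$")
BUGCHECK = re.compile(r"^([A-Z][A-Z0-9_]+) \(([0-9a-fA-F]+)\)$")
# Heuristic (assumption): OS components that get blamed for faults they did not cause.
OS_IMAGES = {"win32k.sys", "ntoskrnl.exe", "ntkrnlpa.exe", "hal.dll"}

def kd_command(dump, store, kd="kd.exe"):
    """-z opens the dump, -y sets the symbol path, -c runs !analyze -v and quits."""
    return [kd, "-z", dump, "-y", f"SRV*{store}*{SYMBOL_SERVER}",
            "-c", "!analyze -v; q"]

def parse_analyze(text):
    """Extract the bug check line and the 'NAME:  value' fields from !analyze -v output."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        m = BUGCHECK.match(line)
        if m and "BUGCHECK" not in out:
            out["BUGCHECK"] = (m.group(1), int(m.group(2), 16))
            continue
        m = FIELD.match(line)
        if m:
            out.setdefault(m.group(1), m.group(2).strip())  # keep the first value seen
    return out

def lead(fields):
    """Name to look up first: the process when the blamed image is an OS component."""
    image, proc = fields.get("IMAGE_NAME"), fields.get("PROCESS_NAME")
    if proc and (image is None or image.lower() in OS_IMAGES):
        return proc
    return image

# Constructed sample in the shape of !analyze -v output (not the author's dump).
SAMPLE = """\
IRQL_NOT_LESS_OR_EQUAL (a)
Arg1: 00000000, memory referenced
DEFAULT_BUCKET_ID:  DRIVER_FAULT
BUGCHECK_STR:  0xA
PROCESS_NAME:  LCDMedia.exe
IMAGE_NAME:  win32k.sys
"""

if __name__ == "__main__":
    print(" ".join(kd_command(r"C:\windows\MEMORY.DMP", r"c:\websymbols")))
    fields = parse_analyze(SAMPLE)
    print(fields["BUGCHECK"], "-> look up", lead(fields))
```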

Any questions?

That is about it. If you have any questions, please post a comment and I’ll try and answer it.
