
How To Use Event Viewer



#1 usasma

Posted 06 January 2006 - 11:51 AM

How To Use the Event Viewer Applet


Guide Overview

The purpose of this guide is to teach you how to use the Event Viewer to find technical information on errors and crashes in your system. Please check the subsequent posts for updates to this guide - IE7 and non-BSOD errors in particular.

By default Windows will log an event to the Event log when a system crashes. This tool can be used to find the Blue Screen of Death (BSOD) information if you didn't write it down. It's good for other crashes also. Here's a picture of a BSOD that I've annotated for your reference: [image]
FWIW - this is also referred to as a STOP 0xD1 error (shorthand for the long stuff), and is also referred to as a BugCheck Code (BCC). They all mean the same thing for our purposes here.

Tools Needed
  • None
Windows Versions
  • Windows NT
  • Windows 2000
  • Windows XP
  • Windows 2003
  • Windows Vista
Instructions
  • Go to Start, then to Control Panel, then to Administrative Tools, then to Event Viewer. Alternatively, go to Start, then to Run, and type in "eventvwr.msc" (without the quotes) and press Enter. You'll see this: [image]

  • When the Event Viewer window opens, you'll see 2 panes (see picture above). The pane on the left will contain the 3 categories of events (they are Application, Security, and System). The pane on the right will reflect the messages for the category that is selected on the left. They will be listed as Information, Warnings, or Errors. Errors are what will concern us here.

  • Left click once on the Application category in the left hand pane - then check the right hand pane for errors. Locate an error (example in the System description below) that occurred around the time of the problem (there may or may not be one here depending on the type of error). Then, right click on it and select "Properties". The information in the resulting window may be able to be used by board members to help troubleshoot your problem. Here's an example of it:
    [image]

  • Next, we'll do the same thing for the Security category. You'll left click on the Security category in the left hand pane, then will check for errors in the right hand pane. Locate an error (example in the System description below) that occurred around the time of the problem (there may or may not be one here depending on the type of error). Then, right click on it and select "Properties". The information in the resulting window may be able to be used by board members to help troubleshoot your problem. An example:
    [image]

  • Now, we'll do the same thing for the System category. You'll left click on the System category in the left hand pane, then will check for errors in the right hand pane. An example:
    [image]

    Locate an error that occurred around the time of the problem (there may or may not be one here depending on the type of error). Then, right click on it and select "Properties". The information in the window may be used by board members to help troubleshoot your problem. Here's an example: [image]
  • Sometimes there will just be too many errors for you to pick just one out. In this case, generate a report using the "Action" menu item. Select "Export list" from the dropdown menu, and save it as a text file (that's the default). Then, open the text file by double clicking on it. Select the lines around the time that the error occurred by highlighting it with your cursor. Then, right click on the blue highlighting and select "Copy". Now, when you reply to your post, you can right click on the post and select "Paste" to insert the lines into your post. With this information, someone will be able to suggest which errors should be checked in detail.

  • Lastly, a quick word about error messages. Often they will come in a format similar to this:
    STOP: 0x0000007B (0xEB82784C, 0xC0000034, 0x00000000, 0x00000000)
    These numbers are very important when diagnosing a problem with your system. They're written in hexadecimal notation, so they don't make much sense to most of us - but they do point to the errors and where they occur. Also, often a filename will be mentioned along with all these numbers. It's important so that we can tell where the error occurred (this isn't the same thing as what caused the error, BTW).
With this information, there's a good chance that someone can identify your problem and can use the error messages to track down a solution.

For those interested in learning more about Error messages, here's a link to one type (the STOP error message): http://aumha.org/win5/kbestop.htm

EDIT - 23Jul06 to restore picture links

Edited by usasma, 30 October 2006 - 10:14 AM.

- John  Microsoft MVP - Windows Experience ( http://www.carrona.org/ )
**If you need a more detailed explanation, please ask for it. I have the Knack. **  If I haven't replied in 48 hours, please send me a message.
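The "Export list" step in the guide above, done as a script rather than by eye. This is an added example and not code from the original post. It parses the tab-delimited text that the Event Viewer's "Action > Export list" dialog writes (a header row followed by the columns shown in the viewer: Type, Date, Time, Source, Category, Event, User, Computer) and picks out the Error entries in a window around the crash time. The column layout and the US date format are assumptions; adjust DATE_FORMATS and the column names to match your export. The sample rows are constructed, not real log data. One caveat the script handles: on Windows XP the "Save Dump" event 1001 that records the STOP code and parameters is logged as Information rather than Error, so it is kept regardless of Type.

```python
"""Triage an Event Viewer "Export list" text file around a crash time.

Added example, not from the original guide. Assumes the tab-delimited
export that the MMC "Export list" dialog writes by default.
"""
from datetime import datetime, timedelta

# Date/Time column formats to try, most common first (locale dependent).
DATE_FORMATS = ("%m/%d/%Y %I:%M:%S %p", "%d/%m/%Y %H:%M:%S", "%Y-%m-%d %H:%M:%S")

# Constructed sample export (not real log data): header row plus the
# columns the viewer shows by default, tab-separated.
SAMPLE_EXPORT = "\n".join([
    "Type\tDate\tTime\tSource\tCategory\tEvent\tUser\tComputer",
    "Information\t1/6/2006\t11:20:01 AM\tService Control Manager\tNone\t7036\tN/A\tPC1",
    "Error\t1/6/2006\t11:41:17 AM\tatapi\tNone\t9\tN/A\tPC1",
    "Warning\t1/6/2006\t11:44:50 AM\tDisk\tNone\t51\tN/A\tPC1",
    "Error\t1/6/2006\t11:45:03 AM\tSystem Error\t(102)\t1003\tN/A\tPC1",
    "Information\t1/6/2006\t11:45:30 AM\tSave Dump\tNone\t1001\tN/A\tPC1",
    "Error\t1/6/2006\t11:58:40 AM\tApplication Error\tNone\t1000\tN/A\tPC1",
])


def parse_timestamp(date_str, time_str):
    """Combine the Date and Time columns, trying each locale format in turn."""
    text = f"{date_str} {time_str}"
    for fmt in DATE_FORMATS:
        try:
            return datetime.strptime(text, fmt)
        except ValueError:
            continue
    raise ValueError(f"unrecognised timestamp: {text!r}")


def parse_export(text):
    """Turn the exported list into dicts keyed by the header row."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].lstrip("\ufeff").split("\t")   # strip a BOM if present
    events = []
    for line in lines[1:]:
        row = dict(zip(header, line.split("\t")))
        row["when"] = parse_timestamp(row["Date"], row["Time"])
        events.append(row)
    return events


def events_around(events, crash_time, before=timedelta(minutes=10),
                  after=timedelta(minutes=2), types=("Error",),
                  keep_sources=("Save Dump", "System Error", "BugCheck")):
    """Select entries in [crash_time - before, crash_time + after].

    Entries of the requested Type are kept. The crash record itself is kept
    whatever its Type, because on XP the "Save Dump" 1001 entry that carries
    the STOP code is logged as Information, not Error.
    """
    lo, hi = crash_time - before, crash_time + after
    picked = [e for e in events
              if lo <= e["when"] <= hi
              and (e["Type"] in types or e["Source"] in keep_sources)]
    return sorted(picked, key=lambda e: e["when"])


def summarise(events):
    """One line per event, ready to paste into a forum reply."""
    return [f"{e['when']:%Y-%m-%d %H:%M:%S} {e['Type']:<11} "
            f"{e['Source']} (Event {e['Event']})" for e in events]


if __name__ == "__main__":
    evs = parse_export(SAMPLE_EXPORT)
    crash = parse_timestamp("1/6/2006", "11:45:03 AM")  # time of the System Error 1003
    for line in summarise(events_around(evs, crash)):
        print(line)
```

To use it on a real export, read the file (MMC often writes it as UTF-16; decode accordingly) and pass the text to parse_export, then the time of the crash to events_around. Pass types=("Error", "Warning") to bring the Warning entries back in when the Error entries alone are not enough.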

 


 


#2 usasma


Posted 30 October 2006 - 10:20 AM

Non-BSOD errors

This guide was originally written to help with BSOD issues. As such, I didn't include much information for troubleshooting other errors.

The procedure remains the same for non-BSOD events - the only thing that changes is what you're looking for.

For non-BSOD errors you won't just look for the BSOD error codes and filenames - you'll look for all the error information related to the problem.

You'll still look for errors that occur at or shortly before the actual error message on your screen - but will concentrate on all of the Categories (Application, Security, System, and Internet Explorer (that's for the next post)).

It's important to get all of the information for the errors that caused this. Generally, you don't need the "Information" entries, and most times you won't need the "Warning" entries - but all of the "Error" entries are significant. For example, if there's an error in your network card, it may also affect your Internet Explorer - so there may be several error messages to pick from.

Just get what you can - and we'll ask for more info if needed!



#3 usasma


Posted 30 October 2006 - 10:23 AM

Internet Explorer Section

With the debut of Internet Explorer version 7, there's been a new category added to the Event Viewer just for Internet Explorer.

For now (I haven't used it a great deal), just consider it another location to look for errors. The errors can point us towards where the error is occurring.

Please remember that just because the error is occurring in Internet Explorer (iexplore.exe) doesn't mean that Internet Explorer is bad - it could be another program improperly accessing it that is causing the error. In other words, what causes the error isn't necessarily where the error occurs.

Other Sections

I've just recently found a Media Center section and one other section that I can't recall. These were on systems that we were repairing, and I didn't find any significant information in either of them.

Edited by usasma, 28 November 2006 - 10:21 AM.



#4 usasma


Posted 28 November 2006 - 10:19 AM

Troubleshooting the BSOD with memory dumps
or How to Analyze Memory Dumps

This is an alternate method for finding out information about the crash. It's actually very simple to do.

1) Search your hard drive for files ending in .dmp or .mdmp

FWIW - if you get the "Do you want to send the error report" thingie from Microsoft - search for the .mdmp file before sending the report. Once the report is sent, the .mdmp file is usually deleted. Just save it to another location (like your desktop) and it'll be available when you need it.

2) When you find the files, go to this link and read the post there. Follow the directions exactly. http://forums.majorgeeks.com/showthread.php?t=35246
Quote from this link at the end of this post.

Be sure to enter the command !analyze -v in the box at the bottom of the debugger's window once the first analysis is done. This'll generate a more in-depth analysis.

3) Copy the information and paste it to your next post. Someone will take a look at it and make some suggestions for you to try.

FWIW - quite a few of the error messages will point to Windows system files. This DOES NOT mean that your Windows is corrupted. When an error occurs in a program, Windows captures that program's filename. BUT, this is just where the error occurred - not necessarily what caused it!

For example -

If your car's motor stops running - that's the error,
but if you've run out of gas - that's the cause of the error.

*******************************************************************************
From the link above ( http://forums.majorgeeks.com/showthread.php?t=35246 ):

...HOW TO: Debug Memory Dumps
When you get a stop error (Blue Screen of Death), your system writes a small file called a minidump. This is a small write up on how to debug memory dumps. This becomes extremely useful when you are trying to figure out what caused a particular stop error, and no filename was mentioned and/or it is undocumented.

You could always let Microsoft do it for you, but there is no guarantee they will answer, and it takes a very long time (over a month in my case).


Your first step is to download and install the Microsoft Debugging Tools found here: http://www.microsoft.com/whdc/devtoo...nstallx86.mspx

Once you have downloaded and installed these tools, go to start, all programs, Debugging Tools For Windows, Windbg. Once you open Windbg, you will be presented with a blank screen. Click on File, Symbol File Path. Here you will enter the symbols path. Symbols are needed to effectively debug.

The path will be:

SRV*c:\symbols*http://msdl.microsoft.com/download/symbols

Enter in this path and click OK. Now, go to File, Save Workspace so that your symbols path is saved for future use. Now what you want to do is locate your memory dumps. They are usually located in %systemroot%/minidump (in my case C:/windows/minidump).

If you notice, they are usually named the date, and then a -*number* to indicate the order of minidumps that day. My example is called Mini061904-01.dmp (it happened today).

Inside of Windbg, go to File, Open Crash Dump and load the file. You will get a message to save base workspace information. Choose no.

Now you will get a debugging screen. Now it takes a little bit to run it, as the symbols have to be downloaded as they are needed. Then you will see information such as:


Symbol search path is: SRV*c:\symbols*http://msdl.microsoft.com/download/symbols

Microsoft Windows Debugger Version 6.3.0017.0
Copyright Microsoft Corporation. All rights reserved.


Loading Dump File [C:\WINDOWS\Minidump\Mini061904-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: SRV*c:\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows XP Kernel Version 2600 (Service Pack 1) UP Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 2600.xpsp2.030422-1633
Kernel base = 0x804d4000 PsLoadedModuleList = 0x80543530
Debug session time: Sat Jun 19 19:06:57 2004
System Uptime: 0 days 1:03:36.951
Loading Kernel Symbols
....................................................................................................................................
Loading unloaded module list
..........
Loading User Symbols
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 86427532, {1db, 2, 3, b} <--This is your stop code

Unable to load image pavdrv51.sys, Win32 error 2
*** WARNING: Unable to verify timestamp for pavdrv51.sys
*** ERROR: Module load completed but symbols could not be loaded for pavdrv51.sys
Probably caused by : pavdrv51.sys ( pavdrv51+7fc0 )

Followup: MachineOwner
---------

Now, we can already see what it was most likely caused by, in my case it was pavdrv51.sys, which is a Panda AV file.

If we want to get further in depth, we can use the command, !analyze -v at the kd> prompt to delve more info about the error:

kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

Unknown bugcheck code (86427532)
Unknown bugcheck description <--It's unknown, and not listed on the MS KB at all.
Arguments:
Arg1: 000001db
Arg2: 00000002
Arg3: 00000003
Arg4: 0000000b

Debugging Details:
------------------


CUSTOMER_CRASH_COUNT: 1

DEFAULT_BUCKET_ID: DRIVER_FAULT

BUGCHECK_STR: 0x86427532

LAST_CONTROL_TRANSFER: from f4198fc0 to 804f4103

STACK_TEXT:
f41f0964 f4198fc0 86427532 000001db 00000002 nt!KeBugCheckEx+0x19
WARNING: Stack unwind information not available. Following frames may be wrong.
f41f0ba0 f419920b 864db520 f419ccf0 00000000 pavdrv51+0x7fc0
f41f0c34 804ea221 865b8910 864a52c0 806ad190 pavdrv51+0x820b
f41f0c44 8055d0fe 864a5330 86305028 864a52c0 nt!IopfCallDriver+0x31
f41f0c58 8055de46 865b8910 864a52c0 86305028 nt!IopSynchronousServiceTail+0x5e
f41f0d00 80556cea 000000a4 00000000 00000000 nt!IopXxxControlFile+0x5c2
f41f0d34 8052d571 000000a4 00000000 00000000 nt!NtDeviceIoControlFile+0x28
f41f0d34 7ffe0304 000000a4 00000000 00000000 nt!KiSystemService+0xc4
00cdff70 00000000 00000000 00000000 00000000 SharedUserData!SystemCallStub+0x4


FOLLOWUP_IP:
pavdrv51+7fc0
f4198fc0 ?? ???

SYMBOL_STACK_INDEX: 1

FOLLOWUP_NAME: MachineOwner

SYMBOL_NAME: pavdrv51+7fc0

MODULE_NAME: pavdrv51

IMAGE_NAME: pavdrv51.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 3e8c072b

STACK_COMMAND: kb

BUCKET_ID: 0x86427532_pavdrv51+7fc0

Followup: MachineOwner
---------

Update: After the initial run of the debug process, you can use the command !analyze -v to gather more information.


Now that may be more info than you need. This tutorial only covers minidumps, however, if needed, you could change your memory dump options to do a complete dump. This is useful, however, very cumbersome, as the file generated will be the same size as your amount of ram.

Note: Make absolutely sure that your symbol path is correct. If it isn't, then you will get symbol errors and not likely be able to debug the dump to get the info you desire.

Screenshots to follow. I hope this info is useful, I find it invaluable to finding out what is causing random, sporadic, and/or obscure stop errors.
__________________
Real knowledge is to know the extent of one's ignorance.
Last edited by Adrynalyne : 01-24-05 at 20:25.


Edited by usasma, 28 November 2006 - 10:29 AM.
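The reading of the debugger output that the post and the quoted majorgeeks guide do by hand, done in code. This is an added example, not code from either author. It parses a STOP line as written on the blue screen (the STOP: 0x0000007B form from the first post) and the BugCheck, "Probably caused by" and STACK_TEXT lines from a pasted !analyze -v session, names the bugcheck codes in a small table, reports anything else as unknown (as WinDbg did for 0x86427532 above), and walks the stack from nt!KeBugCheckEx down to the first frame outside nt and hal. The sample text is the post's own output, trimmed. The code table and the frame heuristic are this example's own, and, as the post stresses, the frame it picks is where the fault surfaced, not proof of what caused it.

```python
"""Pull the essentials out of a BSOD STOP line or a pasted WinDbg session.

Added example; the bugcheck table and stack heuristic are this script's,
not WinDbg's. Frames are matched in the 32-bit "kb" layout shown above.
"""
import re

# Bugcheck codes this example knows by name; everything else is "unknown".
KNOWN_BUGCHECKS = {
    0x0A: "IRQL_NOT_LESS_OR_EQUAL",
    0x1E: "KMODE_EXCEPTION_NOT_HANDLED",
    0x24: "NTFS_FILE_SYSTEM",
    0x50: "PAGE_FAULT_IN_NONPAGED_AREA",
    0x7B: "INACCESSIBLE_BOOT_DEVICE",
    0x7E: "SYSTEM_THREAD_EXCEPTION_NOT_HANDLED",
    0x7F: "UNEXPECTED_KERNEL_MODE_TRAP",
    0x8E: "KERNEL_MODE_EXCEPTION_NOT_HANDLED",
    0x9F: "DRIVER_POWER_STATE_FAILURE",
    0xC2: "BAD_POOL_CALLER",
    0xD1: "DRIVER_IRQL_NOT_LESS_OR_EQUAL",
    0xF4: "CRITICAL_OBJECT_TERMINATION",
}

# Blue-screen form: STOP: 0x0000007B (0xEB82784C, 0xC0000034, 0x00000000, 0x00000000)
STOP_RE = re.compile(r"STOP:\s*0x([0-9A-Fa-f]+)\s*\(([^)]*)\)")
# WinDbg form: BugCheck 86427532, {1db, 2, 3, b}
BUGCHECK_RE = re.compile(r"BugCheck\s+([0-9A-Fa-f]+),\s*\{([^}]*)\}")
CAUSED_RE = re.compile(r"Probably caused by\s*:\s*(\S+)")
# A STACK_TEXT frame: child-EBP, return address, three args, then the symbol.
FRAME_RE = re.compile(r"^(?:[0-9a-f]{8} ){5}(\S+)", re.M)
MICROSOFT_MODULES = ("nt!", "hal!", "SharedUserData!")

# Sample input: the post's own !analyze -v output, trimmed to the lines used.
SAMPLE_ANALYZE = """\
BugCheck 86427532, {1db, 2, 3, b}
Probably caused by : pavdrv51.sys ( pavdrv51+7fc0 )
STACK_TEXT:
f41f0964 f4198fc0 86427532 000001db 00000002 nt!KeBugCheckEx+0x19
WARNING: Stack unwind information not available. Following frames may be wrong.
f41f0ba0 f419920b 864db520 f419ccf0 00000000 pavdrv51+0x7fc0
f41f0c34 804ea221 865b8910 864a52c0 806ad190 pavdrv51+0x820b
f41f0c44 8055d0fe 864a5330 86305028 864a52c0 nt!IopfCallDriver+0x31
"""


def parse_code_line(line):
    """Return (code, [arg1..arg4]) from a STOP or BugCheck line, else None."""
    m = STOP_RE.search(line) or BUGCHECK_RE.search(line)
    if not m:
        return None
    code = int(m.group(1), 16)
    args = [int(a.strip(), 16) for a in m.group(2).split(",") if a.strip()]
    return code, args


def bugcheck_name(code):
    return KNOWN_BUGCHECKS.get(code, "unknown bugcheck code")


def first_third_party_frame(analyze_text):
    """Walk STACK_TEXT top-down and return the first frame outside nt/hal.

    This is where the fault surfaced, not necessarily what caused it.
    """
    for sym in FRAME_RE.findall(analyze_text):
        if not sym.startswith(MICROSOFT_MODULES):
            return sym
    return None


def triage(analyze_text):
    """Summarise a pasted session: code, name, args, module, first frame."""
    code_args = None
    for line in analyze_text.splitlines():
        code_args = parse_code_line(line)
        if code_args:
            break
    code, args = code_args if code_args else (None, [])
    caused = CAUSED_RE.search(analyze_text)
    return {
        "code": code,
        "name": bugcheck_name(code) if code is not None else None,
        "args": args,
        "probably_caused_by": caused.group(1) if caused else None,
        "first_frame": first_third_party_frame(analyze_text),
    }


if __name__ == "__main__":
    print(parse_code_line("STOP: 0x0000007B (0xEB82784C, 0xC0000034, 0x00000000, 0x00000000)"))
    for key, value in triage(SAMPLE_ANALYZE).items():
        print(f"{key}: {value:#x}" if isinstance(value, int) else f"{key}: {value}")
```

For a real session, paste the whole WinDbg window into a file and hand its contents to triage. When "Probably caused by" and the first non-Microsoft frame name the same driver, as they do for pavdrv51.sys above, that driver is the first thing to update or remove; when they differ, trust neither on its own.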
