BleepingComputer.com: How to receive help diagnosing Blue Screens and Windows crashes

How to receive help diagnosing Blue Screens and Windows crashes


Please note that though this process may appear long and daunting, it has been explained in such a way so that the steps will be easy to follow.

A memory dump is what happens when Windows crashes. The memory is dumped into the pagefile and saved for the next reboot. Once Windows reboots, it reclaims the memory dump data from the pagefile and saves it to a file, which usually ends with the .dmp extension. Analyzing these dump files can help to figure out what's causing your system to crash. While they don't offer a "sure" fix, they provide clues to the cause of a crash so that we can work on fixing them. In my experience most system crashes are caused by faulty/corrupted drivers, malware, or hardware failures (in that order). Following the steps below will help us determine what may be causing your computer to Blue Screen, or crash.

The first thing to do when your system crashes is to reboot. Doing so will create the memory dump file so it's able to be accessed. Windows may also ask permission to send the file for online analysis. I suggest that you always allow it to be sent. Most times you won't get anything back, but occasionally it will point out the problem and save you a lot of work trying to determine it on your own. Also, quite often the first crash is the only crash as Windows will fix the problem when it reboots, so there's no need to worry unless Windows crashes repeatedly. If you can't get into Windows, either in normal or Safe Mode, then just post straight to the appopriate forum and we'll help you from there. The various forums that we help diagnose crashes are:

• Windows Vista Forum
  
• Windows XP Forum
  
• Windows 2000 Forum

The next thing to do is to ensure that you are free of malware. If malware is present on your computer, it may have corrupted your installation, and be the cause of your crashes. I suggest you perform one of the free online scans that can be found at the following links:
ADVISORY: Some or any of the above listed scanners will pick up items listed as "in quarantine" from other anti-virus programs. Therefore review your results carefully:


Once you have completed an online scan, or two, please search your hard drive for files ending with the .dmp extension. There are several types of memory dumps that Windows may create. These are distinguished below:

• A complete memory dump or a kernel memory dump that are usually saved in the C:\Windows directory and named MEMORY.DMP.
  
• A small memory dump, aka a minidump, which are usually saved in the C:\Windows\Minidump directory. These are named Miniwwxxyy-zz.dmp, where the ww is the number of the month, the xx is the number of the day, the yy is the number of the year, and the zz is the number of the crash dump that day. For example, a minidump with the name of Mini070108-03.dmp is the 3rd minidump generated on July 1, 2008.

On some systems the directories where the dump files are stored are protected by being Hidden and System files.

To show Hidden and System files in Windows Explorer, click on the Start button, then select All Programs, then select Accessories, and finally select Windows Explorer.

• Once opened, select the Tools menu and then select the File Options menu item. In Vista you may have to press and hold the Alt key to view this menu.
  
• Then go to the View tab and check the box labeled Show Hidden Files and Folders and uncheck Hide Protected Operating System Files
  
• You will now be at a dialog that asks you if you're sure you want to do this. Click on the Yes button to allow the change to take place.
  
• Then click the OK buttons at the prompts to exit the dialog. You will now be able to view hidden and system directories.

Warning - These files are hidden for a reason and messing with some of them may cause problems with your system.

Once you've located the memory dump file(s), then you'll have to get a debugger to analyze them. The one that I'm familiar with is the free Microsoft Debugging Tools for Windows. Download the version, 32 or 64 bit, that's appropriate for the operating system that you'll be running the debugger on. The debugger can be found at the following link: Debugging Tools for Windows

Once it's downloaded, double click on it to install it. Once it's installed, open the debugger by doing the following:

• Click on the Start Menu.
  
• Click on the All Programs menu.
  
• Select the Debugging Tools for Windows program folder.
  
• Click on the WinDbg icon to start the program.

Once you've opened the program, click on the File menu item, then on Symbol File Path.

In the window that opens, insert the exact text on the next line in the Symbol File Path box. This is a critical step, and if done incorrectly you'll end up with symbol errors:

SRV*c:\symbols*http://msdl.microsoft.com/download/symbols

The easiest thing to do is copy the above bolded text and then paste it into the box. Once that is done, click on OK to exit the dialog. Next, click on File menu and then select the Save Workspace menu option. This will save the symbol path for future use.

NOTE: You MUST be connected to the internet in order to use the Symbol server listed above.

Next, click on the File menu and select the Open Crash Dump option. When the dialog box opens, click on the Browse button and browse to the location of the memory dump file and then double-click on it to load it into the Debugger. You may be prompted to save the workspace again, but just click on the No button. A window will now open and the dump file text will fill the debugging screen.

Here's an example of of an analysis report from a Minidump file. If this was a complete or kernel dump, it would be much larger.



The next step is to click on the !analyze -v link that's highlighted in blue in the report above. This will generate more information, which would look something like this:



Once this is done, we want to copy the text of the dump file analysis report. To do this, select the Edit menu item in the Debugging Tools window and then select Copy Window Text to Clipboard. Now, return to Bleeping Computer and paste the information into your next post.

If you haven't started a topic for your issue yet, you can start one at the appropriate link below. Please be sure and let us know the make and model of your system along with the symptoms that you're experiencing.

• Windows Vista Forum
  
• Windows XP Forum
  
• Windows 2000 Forum

That post is a thing of beauty Usasma!!!

Thanks m0le!
The credit should go to Grinler.
He suggested the topic and made what I'd written understandable.

thank u guys for this very informative post!

Help please, I am running Windows Vista in a HP pavillon laptop and my problem started with the Key ports I was not able to access email and messenger. Reading forums on internet I decided that my problem was my norton antivirus so I decide to uninstalled it and since then the computer crashed I got this Blue screen each time windows is about to start in normal mode. I've tried to restore the system to a past date but it didn't resolve the problem. Now I followed all the steps in this post found the dump files and download the debugger but I can't run in safe mode. I got a message saying it does not run in safe mode and also the system doesn't want to connect internet so I don't know what else to do. Any suggestion is welcome.
Thanks

Gr8 Info buddy!!
Keep it up

Hi
I had a complete HDD crash...Recently bought and installd the new western digital SATA hard drive @5200 rpm.
I installed a clean copy of VISTA Home Premium as my OS but suddenly after that started getting the BSOD's.
Updated all the required drivers and other updates installed, but then again suddenly the BSOD!!! Finally i read topics here, followed a couple of steps suggested by usasma. Since the Hard Drive is new i dont really think that a memory test/hdd self test would be of much significance. I have also thought of performing the RAM test but havent done that yet. Neither have i done the malware analysis yet.
Its getting difficult to undrstand wots gone wrong with my notebook(HP Pavillion dv2519tu, warranty expired) and im really looking for some help which im sure members here are more that capable of...
I did the dump analysis and thought of posting it here hoping someone might want to have a look at it and come up with an advise...



Microsoft ® Windows Debugger Version 6.11.0001.404 X86
Copyright © Microsoft Corporation. All rights reserved.


Loading Dump File [C:UsersPuNteRDesktopMini050309-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: SRV*c:symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows Vista Kernel Version 6000 MP (2 procs) Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS Personal
Built by: 6000.16830.x86fre.vista_gdr.090302-1506
Machine Name:
Kernel base = 0x81c00000 PsLoadedModuleList = 0x81d11e10
Debug session time: Sun May 3 00:59:54.640 2009 (GMT-7)
System Uptime: 0 days 1:29:53.750
Loading Kernel Symbols
...............................................................
................................................................
........................
Loading User Symbols
Loading unloaded module list
.....
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck D1, {badbae06, 2, 0, 84eae516}

Unable to load image SystemRootsystem32DRIVERSepfwwfpr.sys, Win32 error 0n2
*** WARNING: Unable to verify timestamp for epfwwfpr.sys
*** ERROR: Module load completed but symbols could not be loaded for epfwwfpr.sys
Probably caused by : NETIO.SYS ( NETIO!WfpFindCalloutEntry+1f )

Followup: MachineOwner
---------

0: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: badbae06, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000000, value 0 = read operation, 1 = write operation
Arg4: 84eae516, address which referenced memory

Debugging Details:
------------------


READ_ADDRESS: GetPointerFromAddress: unable to read from 81d315ac
Unable to read MiSystemVaType memory at 81d117e0
badbae06

CURRENT_IRQL: 2

FAULTING_IP:
NETIO!WfpFindCalloutEntry+1f
84eae516 8b780c mov edi,dword ptr [eax+0Ch]

CUSTOMER_CRASH_COUNT: 1

DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT

BUGCHECK_STR: 0xD1

PROCESS_NAME: ekrn.exe

TRAP_FRAME: b3835a60 -- (.trap 0xffffffffb3835a60)
ErrCode = 00000000
eax=badbadfa ebx=a13ec180 ecx=00000001 edx=00000000 esi=b3835af8 edi=00000000
eip=84eae516 esp=b3835ad4 ebp=b3835adc iopl=0 nv up ei pl nz na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010202
NETIO!WfpFindCalloutEntry+0x1f:
84eae516 8b780c mov edi,dword ptr [eax+0Ch] ds:0023:badbae06=????????
Resetting default scope

LAST_CONTROL_TRANSFER: from 84eae516 to 81c8fdc4

STACK_TEXT:
b3835a60 84eae516 badb0d00 00000000 b3835ab0 nt!KiTrap0E+0x2ac
b3835adc 84eba355 a4105b58 00000014 0000011a NETIO!WfpFindCalloutEntry+0x1f
b3835b00 84ebb1fc 00000326 00000000 00000014 NETIO!WfpFindAndDeRefFlowContext+0x4c
b3835b30 8ac1804a 00000326 00000000 0000011a NETIO!FwppStreamInject+0xce
b3835b60 a4bed15c 8b3f0da0 00000000 00000000 fwpkclnt!FwpsStreamInjectAsync0+0x60
WARNING: Stack unwind information not available. Following frames may be wrong.
b3835ba8 a4bee1cc a41b7228 00000005 03d79ea0 epfwwfpr+0x615c
b3835bd4 a4bf731c a4bfafe0 00000326 a41b7228 epfwwfpr+0x71cc
b3835bfc a4bf747a a40dab40 03d79e88 00000018 epfwwfpr+0x1031c
b3835c58 81d89b19 a40dab40 00000001 03d79e88 epfwwfpr+0x1047a
b3835d00 81d8ee7d a4051518 00000000 00000000 nt!IopXxxControlFile+0x2cf
b3835d34 81c8caea 000001f8 00000000 00000000 nt!NtDeviceIoControlFile+0x2a
b3835d34 777e0f34 000001f8 00000000 00000000 nt!KiFastCallEntry+0x12a
03d79e04 00000000 00000000 00000000 00000000 0x777e0f34


STACK_COMMAND: kb

FOLLOWUP_IP:
NETIO!WfpFindCalloutEntry+1f
84eae516 8b780c mov edi,dword ptr [eax+0Ch]

SYMBOL_STACK_INDEX: 1

SYMBOL_NAME: NETIO!WfpFindCalloutEntry+1f

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: NETIO

IMAGE_NAME: NETIO.SYS

DEBUG_FLR_IMAGE_TIMESTAMP: 478ad439

FAILURE_BUCKET_ID: 0xD1_NETIO!WfpFindCalloutEntry+1f

BUCKET_ID: 0xD1_NETIO!WfpFindCalloutEntry+1f

Followup: MachineOwner
---------

0: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: badbae06, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000000, value 0 = read operation, 1 = write operation
Arg4: 84eae516, address which referenced memory

Debugging Details:
------------------


READ_ADDRESS: GetPointerFromAddress: unable to read from 81d315ac
Unable to read MiSystemVaType memory at 81d117e0
badbae06

CURRENT_IRQL: 2

FAULTING_IP:
NETIO!WfpFindCalloutEntry+1f
84eae516 8b780c mov edi,dword ptr [eax+0Ch]

CUSTOMER_CRASH_COUNT: 1

DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT

BUGCHECK_STR: 0xD1

PROCESS_NAME: ekrn.exe

TRAP_FRAME: b3835a60 -- (.trap 0xffffffffb3835a60)
ErrCode = 00000000
eax=badbadfa ebx=a13ec180 ecx=00000001 edx=00000000 esi=b3835af8 edi=00000000
eip=84eae516 esp=b3835ad4 ebp=b3835adc iopl=0 nv up ei pl nz na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010202
NETIO!WfpFindCalloutEntry+0x1f:
84eae516 8b780c mov edi,dword ptr [eax+0Ch] ds:0023:badbae06=????????
Resetting default scope

LAST_CONTROL_TRANSFER: from 84eae516 to 81c8fdc4

STACK_TEXT:
b3835a60 84eae516 badb0d00 00000000 b3835ab0 nt!KiTrap0E+0x2ac
b3835adc 84eba355 a4105b58 00000014 0000011a NETIO!WfpFindCalloutEntry+0x1f
b3835b00 84ebb1fc 00000326 00000000 00000014 NETIO!WfpFindAndDeRefFlowContext+0x4c
b3835b30 8ac1804a 00000326 00000000 0000011a NETIO!FwppStreamInject+0xce
b3835b60 a4bed15c 8b3f0da0 00000000 00000000 fwpkclnt!FwpsStreamInjectAsync0+0x60
WARNING: Stack unwind information not available. Following frames may be wrong.
b3835ba8 a4bee1cc a41b7228 00000005 03d79ea0 epfwwfpr+0x615c
b3835bd4 a4bf731c a4bfafe0 00000326 a41b7228 epfwwfpr+0x71cc
b3835bfc a4bf747a a40dab40 03d79e88 00000018 epfwwfpr+0x1031c
b3835c58 81d89b19 a40dab40 00000001 03d79e88 epfwwfpr+0x1047a
b3835d00 81d8ee7d a4051518 00000000 00000000 nt!IopXxxControlFile+0x2cf
b3835d34 81c8caea 000001f8 00000000 00000000 nt!NtDeviceIoControlFile+0x2a
b3835d34 777e0f34 000001f8 00000000 00000000 nt!KiFastCallEntry+0x12a
03d79e04 00000000 00000000 00000000 00000000 0x777e0f34


STACK_COMMAND: kb

FOLLOWUP_IP:
NETIO!WfpFindCalloutEntry+1f
84eae516 8b780c mov edi,dword ptr [eax+0Ch]

SYMBOL_STACK_INDEX: 1

SYMBOL_NAME: NETIO!WfpFindCalloutEntry+1f

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: NETIO

IMAGE_NAME: NETIO.SYS

DEBUG_FLR_IMAGE_TIMESTAMP: 478ad439

FAILURE_BUCKET_ID: 0xD1_NETIO!WfpFindCalloutEntry+1f

BUCKET_ID: 0xD1_NETIO!WfpFindCalloutEntry+1f

Followup: MachineOwner
---------

thank you.........

How do i locate the faulty driver from this???????????????????
Or generally how does one interpret the myriad information??????

I suspect bad memory.
Try one stick at a time
Download and run Memtest:
http://www.memtest.org/

First, the link for malware online sources does not work. I did use two I found and removed items. Something I didn't mention before was that when I initially tried to do a disk check i would get a unable to disk check pop up.

Computer Specifications
CPU: Intel® Celeron® Processor 2.20GHz (w/128KB L2 cache & 400MHz FSB)
Operating System: Genuine Microsoft® Windows® XP Home Edition
Chipset: Intel® 845GL chipset
Memory: 256MB DDR (PC2100)
Hard Drive: 40GB HDD
Optical Drive: 40 × 12x40x Max. CD-RW Drive; 16x Max. DVD Drive; 3.5" 1.44MB FDD
Video: Intel® Extreme Graphics 3D (integrated)
Sound: AC '97 Audio
Network: 10/100Mbps built-in Ethernet
Modem: 56K ITU v.92-ready Fax/Modem
Peripherals: Standard Multimedia Keyboard, 2-Button Wheel Mouse, Standard Speakers
Ports/Other: 6 USB 2.0 ports (2 on front), 1 Serial, 1 Parallel, 2 PS/2, Microphone-In & Head Phone jack on front, Audio-In & Out, 3 PCI slots (2 available)
Dimensions: 7.25"W x 14.125"H x 16"D

The dump file (latest date wise) follows.

Microsoft ® Windows Debugger Version 6.11.0001.404 X86
Copyright © Microsoft Corporation. All rights reserved.


Loading Dump File [C:\WINDOWS\Minidump\Mini061509-03.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: SRV*c:\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows XP Kernel Version 2600 (Service Pack 3) UP Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS Personal
Built by: 2600.xpsp_sp3_gdr.090206-1234
Machine Name:
Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055b1c0
Debug session time: Mon Jun 15 08:33:18.781 2009 (GMT-7)
System Uptime: 0 days 0:30:19.399
Loading Kernel Symbols
...............................................................
................................................................
..................
Loading User Symbols
Loading unloaded module list
..............
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 100000D1, {e1a43000, 2, 0, b8564e85}

Probably caused by : Unknown_Image ( ANALYSIS_INCONCLUSIVE )

Followup: MachineOwner
---------

kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: e1a43000, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000000, value 0 = read operation, 1 = write operation
Arg4: b8564e85, address which referenced memory

Debugging Details:
------------------


READ_ADDRESS: e1a43000

CURRENT_IRQL: 2

FAULTING_IP:
+16
b8564e85 f3a5 rep movs dword ptr es:[edi],dword ptr [esi]

CUSTOMER_CRASH_COUNT: 3

DEFAULT_BUCKET_ID: DRIVER_FAULT

BUGCHECK_STR: 0xD1

PROCESS_NAME: System

LAST_CONTROL_TRANSFER: from b8566a21 to b8564e85

STACK_TEXT:
WARNING: Frame IP not in any known module. Following frames may be wrong.
f78dad4c b8566a21 804e26a8 89f9d240 805622fc 0xb8564e85
f78dad74 804e426b 89f9d240 00000000 8a3023c8 0xb8566a21
f78dadac 8057aeff 89f9d240 00000000 00000000 nt!ExpWorkerThread+0x100
f78daddc 804f88ea 804e4196 00000001 00000000 nt!PspSystemThreadStartup+0x34
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16


STACK_COMMAND: kb

SYMBOL_NAME: ANALYSIS_INCONCLUSIVE

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: Unknown_Module

IMAGE_NAME: Unknown_Image

DEBUG_FLR_IMAGE_TIMESTAMP: 0

FAILURE_BUCKET_ID: 0xD1_ANALYSIS_INCONCLUSIVE

BUCKET_ID: 0xD1_ANALYSIS_INCONCLUSIVE

Followup: MachineOwner
---------

Thank you, GOO GOO A JOOB

Hi i am having blue screen crash dumps quite often on my computer...I am using a Sony Vaio VGCLT35E, ita an all in one computer. Its about a year old now, but ever since I started using it...it had that bluescreen crash. It happens quite often sometimes. I thought it would go away but it seems to happen quite often. My warranty on this computer ends on July 31st this year so I called sony and the tech asked me to do these tests but they all turned out fine. I told him I did a memtest before and he didnt understand/and said he wasnt familiar with it and therefore ignored it. Next the he told me to reformat the whole computer and see if it still does it before deciding to send it in for service repair. Any advice? I think I still have some of those .dmp files i did from the memtest but my computer cant open the files to view them and I am not an expert in these matters. please help thanks.

Hello,

If you are posting about a problem, please do not post it in this thread as it will likely get over-looked. Instead please start a new topic in the appropriate forum for your operating system.

Orange Blossom :chery: