 How to receive help diagnosing Blue Screens and Windows crashes |
Welcome Guest ( Log In | Click here to Register a free account now! )
Register a free account to unlock additional features at BleepingComputer.com
Welcome to Bleeping Computer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.
BleepingComputer.com > Bleeping Computer Applications and Guides > Mini guides and how-tos - Simple answers to common questions > Microsoft Windows Mini-Guides  |
 Oct 23 2008, 11:48 AM
Post
#1
|
|
 Still visually handicapped, new avatar (a camel) :0)  Group: BC Advisor Posts: 16,689 Joined: 2-October 05 From: Southeastern CT, USA Member No.: 35,824  |
How to receive help diagnosing Blue Screens and Windows crashes Please note that though this process may appear long and daunting, it has been explained in such a way so that the steps will be easy to follow. A memory dump is what happens when Windows crashes. The memory is dumped into the pagefile and saved for the next reboot. Once Windows reboots, it reclaims the memory dump data from the pagefile and saves it to a file, which usually ends with the .dmp extension. Analyzing these dump files can help to figure out what's causing your system to crash. While they don't offer a "sure" fix, they provide clues to the cause of a crash so that we can work on fixing them. In my experience most system crashes are caused by faulty/corrupted drivers, malware, or hardware failures (in that order). Following the steps below will help us determine what may be causing your computer to Blue Screen, or crash.  The first thing to do when your system crashes is to reboot. Doing so will create the memory dump file so it's able to be accessed. Windows may also ask permission to send the file for online analysis. I suggest that you always allow it to be sent. Most times you won't get anything back, but occasionally it will point out the problem and save you a lot of work trying to determine it on your own. Also, quite often the first crash is the only crash as Windows will fix the problem when it reboots, so there's no need to worry unless Windows crashes repeatedly. If you can't get into Windows, either in normal or Safe Mode, then just post straight to the appopriate forum and we'll help you from there. The various forums that we help diagnose crashes are: The next thing to do is to ensure that you are free of malware. If malware is present on your computer, it may have corrupted your installation, and be the cause of your crashes. I suggest you perform one of the free online scans that can be found at the following link: Free Online Malware Scanners  Once you have completed an online scan, or two, please search your hard drive for files ending with the .dmp extension. There are several types of memory dumps that Windows may create. These are distinguished below:
To show Hidden and System files in Windows Explorer, click on the Start button, then select All Programs, then select Accessories, and finally select Windows Explorer.
 Once you've located the memory dump file(s), then you'll have to get a debugger to analyze them. The one that I'm familiar with is the free Microsoft Debugging Tools for Windows. Download the version, 32 or 64 bit, that's appropriate for the operating system that you'll be running the debugger on. The debugger can be found at the following link: Debugging Tools for WindowsOnce it's downloaded, double click on it to install it. Once it's installed, open the debugger by doing the following:
 In the window that opens, insert the exact text on the next line in the Symbol File Path box. This is a critical step, and if done incorrectly you'll end up with symbol errors:SRV*c:\symbols*http://msdl.microsoft.com/download/symbols The easiest thing to do is copy the above bolded text and then paste it into the box. Once that is done, click on OK to exit the dialog. Next, click on File menu and then select the Save Workspace menu option. This will save the symbol path for future use. NOTE: You MUST be connected to the internet in order to use the Symbol server listed above.  Next, click on the File menu and select the Open Crash Dump option. When the dialog box opens, click on the Browse button and browse to the location of the memory dump file and then double-click on it to load it into the Debugger. You may be prompted to save the workspace again, but just click on the No button. A window will now open and the dump file text will fill the debugging screen.Here's an example of of an analysis report from a Minidump file. If this was a complete or kernel dump, it would be much larger. Microsoft ® Windows Debugger Version 6.8.0004.0 AMD64  The next step is to click on the !analyze -v link that's highlighted in blue in the report above. This will generate more information, which would look something like this:Microsoft ® Windows Debugger Version 6.8.0004.0 AMD64  Once this is done, we want to copy the text of the dump file analysis report. To do this, select the Edit menu item in the Debugging Tools window and then select Copy Window Text to Clipboard. Now, return to Bleeping Computer and paste the information into your next post. If you haven't started a topic for your issue yet, you can start one at the appropriate link below. Please be sure and let us know the make and model of your system along with the symptoms that you're experiencing.
-------------------- - John
**If you need a more detailed explanation, please ask for it. I have the Knack. ** |
 |
 
|
|
Oct 23 2008, 03:00 PM
Post
#2
|
|
 I know the drill! Group: HJT Team Posts: 6,236 Joined: 24-July 08 From: London Member No.: 224,929 |
That post is a thing of beauty Usasma!!!
This post has been edited by m0le: Oct 23 2008, 03:04 PM --------------------  m0le is a proud member of UNITE (Unified Network of Instructors and Trusted Eliminators) If I have helped you fix your PC then please donate to the anti-malware cause. Thanks |
|
|
|
|
Oct 25 2008, 08:57 AM
Post
#3
|
|
|
Still visually handicapped, new avatar (a camel) :0) Group: BC Advisor Posts: 16,689 Joined: 2-October 05 From: Southeastern CT, USA Member No.: 35,824 |
Thanks m0le!
The credit should go to Grinler. He suggested the topic and made what I'd written understandable. -------------------- - John
**If you need a more detailed explanation, please ask for it. I have the Knack. ** |
|
|
|
|
Mar 17 2009, 06:36 PM
Post
#4
|
|
|
New Member Group: Members Posts: 1 Joined: 5-February 09 Member No.: 291,881 |
thank u guys for this very informative post!
|
|
|
|
|
Apr 19 2009, 02:55 PM
Post
#5
|
|
|
New Member Group: Members Posts: 1 Joined: 19-April 09 Member No.: 322,897 |
Help please, I am running Windows Vista in a HP pavillon laptop and my problem started with the Key ports I was not able to access email and messenger. Reading forums on internet I decided that my problem was my norton antivirus so I decide to uninstalled it and since then the computer crashed I got this Blue screen each time windows is about to start in normal mode. I've tried to restore the system to a past date but it didn't resolve the problem. Now I followed all the steps in this post found the dump files and download the debugger but I can't run in safe mode. I got a message saying it does not run in safe mode and also the system doesn't want to connect internet so I don't know what else to do. Any suggestion is welcome.
Thanks This post has been edited by Varex: Apr 19 2009, 02:56 PM |
|
|
|
|
Apr 22 2009, 12:29 AM
Post
#6
|
|
 Member Group: Members Posts: 15 Joined: 21-April 09 From: Mumbai, Maharashtra Member No.: 323,842 |
Gr8 Info buddy!!
Keep it up -------------------- With Best Regards,
Scorpion king.............! |
|
|
|
|
May 3 2009, 01:43 AM
Post
#7
|
|
|
New Member Group: Members Posts: 2 Joined: 2-May 09 Member No.: 327,743 |
Hi
I had a complete HDD crash...Recently bought and installd the new western digital SATA hard drive @5200 rpm. I installed a clean copy of VISTA Home Premium as my OS but suddenly after that started getting the BSOD's. Updated all the required drivers and other updates installed, but then again suddenly the BSOD!!! Finally i read topics here, followed a couple of steps suggested by usasma. Since the Hard Drive is new i dont really think that a memory test/hdd self test would be of much significance. I have also thought of performing the RAM test but havent done that yet. Neither have i done the malware analysis yet. Its getting difficult to undrstand wots gone wrong with my notebook(HP Pavillion dv2519tu, warranty expired) and im really looking for some help which im sure members here are more that capable of... I did the dump analysis and thought of posting it here hoping someone might want to have a look at it and come up with an advise... Microsoft ® Windows Debugger Version 6.11.0001.404 X86 Copyright © Microsoft Corporation. All rights reserved. Loading Dump File [C:\Users\PuNteR\Desktop\Mini050309-01.dmp] Mini Kernel Dump File: Only registers and stack trace are available Symbol search path is: SRV*c:\symbols*http://msdl.microsoft.com/download/symbols Executable search path is: Windows Vista Kernel Version 6000 MP (2 procs) Free x86 compatible Product: WinNt, suite: TerminalServer SingleUserTS Personal Built by: 6000.16830.x86fre.vista_gdr.090302-1506 Machine Name: Kernel base = 0x81c00000 PsLoadedModuleList = 0x81d11e10 Debug session time: Sun May 3 00:59:54.640 2009 (GMT-7) System Uptime: 0 days 1:29:53.750 Loading Kernel Symbols ............................................................... ................................................................ ........................ Loading User Symbols Loading unloaded module list ..... ******************************************************************************* * * * Bugcheck Analysis * * * ******************************************************************************* Use !analyze -v to get detailed debugging information. BugCheck D1, {badbae06, 2, 0, 84eae516} Unable to load image \SystemRoot\system32\DRIVERS\epfwwfpr.sys, Win32 error 0n2 *** WARNING: Unable to verify timestamp for epfwwfpr.sys *** ERROR: Module load completed but symbols could not be loaded for epfwwfpr.sys Probably caused by : NETIO.SYS ( NETIO!WfpFindCalloutEntry+1f ) Followup: MachineOwner --------- 0: kd> !analyze -v ******************************************************************************* * * * Bugcheck Analysis * * * ******************************************************************************* DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1) An attempt was made to access a pageable (or completely invalid) address at an interrupt request level (IRQL) that is too high. This is usually caused by drivers using improper addresses. If kernel debugger is available get stack backtrace. Arguments: Arg1: badbae06, memory referenced Arg2: 00000002, IRQL Arg3: 00000000, value 0 = read operation, 1 = write operation Arg4: 84eae516, address which referenced memory Debugging Details: ------------------ READ_ADDRESS: GetPointerFromAddress: unable to read from 81d315ac Unable to read MiSystemVaType memory at 81d117e0 badbae06 CURRENT_IRQL: 2 FAULTING_IP: NETIO!WfpFindCalloutEntry+1f 84eae516 8b780c mov edi,dword ptr [eax+0Ch] CUSTOMER_CRASH_COUNT: 1 DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT BUGCHECK_STR: 0xD1 PROCESS_NAME: ekrn.exe TRAP_FRAME: b3835a60 -- (.trap 0xffffffffb3835a60) ErrCode = 00000000 eax=badbadfa ebx=a13ec180 ecx=00000001 edx=00000000 esi=b3835af8 edi=00000000 eip=84eae516 esp=b3835ad4 ebp=b3835adc iopl=0 nv up ei pl nz na po nc cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010202 NETIO!WfpFindCalloutEntry+0x1f: 84eae516 8b780c mov edi,dword ptr [eax+0Ch] ds:0023:badbae06=???????? Resetting default scope LAST_CONTROL_TRANSFER: from 84eae516 to 81c8fdc4 STACK_TEXT: b3835a60 84eae516 badb0d00 00000000 b3835ab0 nt!KiTrap0E+0x2ac b3835adc 84eba355 a4105b58 00000014 0000011a NETIO!WfpFindCalloutEntry+0x1f b3835b00 84ebb1fc 00000326 00000000 00000014 NETIO!WfpFindAndDeRefFlowContext+0x4c b3835b30 8ac1804a 00000326 00000000 0000011a NETIO!FwppStreamInject+0xce b3835b60 a4bed15c 8b3f0da0 00000000 00000000 fwpkclnt!FwpsStreamInjectAsync0+0x60 WARNING: Stack unwind information not available. Following frames may be wrong. b3835ba8 a4bee1cc a41b7228 00000005 03d79ea0 epfwwfpr+0x615c b3835bd4 a4bf731c a4bfafe0 00000326 a41b7228 epfwwfpr+0x71cc b3835bfc a4bf747a a40dab40 03d79e88 00000018 epfwwfpr+0x1031c b3835c58 81d89b19 a40dab40 00000001 03d79e88 epfwwfpr+0x1047a b3835d00 81d8ee7d a4051518 00000000 00000000 nt!IopXxxControlFile+0x2cf b3835d34 81c8caea 000001f8 00000000 00000000 nt!NtDeviceIoControlFile+0x2a b3835d34 777e0f34 000001f8 00000000 00000000 nt!KiFastCallEntry+0x12a 03d79e04 00000000 00000000 00000000 00000000 0x777e0f34 STACK_COMMAND: kb FOLLOWUP_IP: NETIO!WfpFindCalloutEntry+1f 84eae516 8b780c mov edi,dword ptr [eax+0Ch] SYMBOL_STACK_INDEX: 1 SYMBOL_NAME: NETIO!WfpFindCalloutEntry+1f FOLLOWUP_NAME: MachineOwner MODULE_NAME: NETIO IMAGE_NAME: NETIO.SYS DEBUG_FLR_IMAGE_TIMESTAMP: 478ad439 FAILURE_BUCKET_ID: 0xD1_NETIO!WfpFindCalloutEntry+1f BUCKET_ID: 0xD1_NETIO!WfpFindCalloutEntry+1f Followup: MachineOwner --------- 0: kd> !analyze -v ******************************************************************************* * * * Bugcheck Analysis * * * ******************************************************************************* DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1) An attempt was made to access a pageable (or completely invalid) address at an interrupt request level (IRQL) that is too high. This is usually caused by drivers using improper addresses. If kernel debugger is available get stack backtrace. Arguments: Arg1: badbae06, memory referenced Arg2: 00000002, IRQL Arg3: 00000000, value 0 = read operation, 1 = write operation Arg4: 84eae516, address which referenced memory Debugging Details: ------------------ READ_ADDRESS: GetPointerFromAddress: unable to read from 81d315ac Unable to read MiSystemVaType memory at 81d117e0 badbae06 CURRENT_IRQL: 2 FAULTING_IP: NETIO!WfpFindCalloutEntry+1f 84eae516 8b780c mov edi,dword ptr [eax+0Ch] CUSTOMER_CRASH_COUNT: 1 DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT BUGCHECK_STR: 0xD1 PROCESS_NAME: ekrn.exe TRAP_FRAME: b3835a60 -- (.trap 0xffffffffb3835a60) ErrCode = 00000000 eax=badbadfa ebx=a13ec180 ecx=00000001 edx=00000000 esi=b3835af8 edi=00000000 eip=84eae516 esp=b3835ad4 ebp=b3835adc iopl=0 nv up ei pl nz na po nc cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010202 NETIO!WfpFindCalloutEntry+0x1f: 84eae516 8b780c mov edi,dword ptr [eax+0Ch] ds:0023:badbae06=???????? Resetting default scope LAST_CONTROL_TRANSFER: from 84eae516 to 81c8fdc4 STACK_TEXT: b3835a60 84eae516 badb0d00 00000000 b3835ab0 nt!KiTrap0E+0x2ac b3835adc 84eba355 a4105b58 00000014 0000011a NETIO!WfpFindCalloutEntry+0x1f b3835b00 84ebb1fc 00000326 00000000 00000014 NETIO!WfpFindAndDeRefFlowContext+0x4c b3835b30 8ac1804a 00000326 00000000 0000011a NETIO!FwppStreamInject+0xce b3835b60 a4bed15c 8b3f0da0 00000000 00000000 fwpkclnt!FwpsStreamInjectAsync0+0x60 WARNING: Stack unwind information not available. Following frames may be wrong. b3835ba8 a4bee1cc a41b7228 00000005 03d79ea0 epfwwfpr+0x615c b3835bd4 a4bf731c a4bfafe0 00000326 a41b7228 epfwwfpr+0x71cc b3835bfc a4bf747a a40dab40 03d79e88 00000018 epfwwfpr+0x1031c b3835c58 81d89b19 a40dab40 00000001 03d79e88 epfwwfpr+0x1047a b3835d00 81d8ee7d a4051518 00000000 00000000 nt!IopXxxControlFile+0x2cf b3835d34 81c8caea 000001f8 00000000 00000000 nt!NtDeviceIoControlFile+0x2a b3835d34 777e0f34 000001f8 00000000 00000000 nt!KiFastCallEntry+0x12a 03d79e04 00000000 00000000 00000000 00000000 0x777e0f34 STACK_COMMAND: kb FOLLOWUP_IP: NETIO!WfpFindCalloutEntry+1f 84eae516 8b780c mov edi,dword ptr [eax+0Ch] SYMBOL_STACK_INDEX: 1 SYMBOL_NAME: NETIO!WfpFindCalloutEntry+1f FOLLOWUP_NAME: MachineOwner MODULE_NAME: NETIO IMAGE_NAME: NETIO.SYS DEBUG_FLR_IMAGE_TIMESTAMP: 478ad439 FAILURE_BUCKET_ID: 0xD1_NETIO!WfpFindCalloutEntry+1f BUCKET_ID: 0xD1_NETIO!WfpFindCalloutEntry+1f Followup: MachineOwner --------- thank you.........  How do i locate the faulty driver from this??????????????????? Or generally how does one interpret the myriad information?????? This post has been edited by garmanma: May 3 2009, 11:41 AM |
|
|
|
|
May 3 2009, 11:46 AM
Post
#8
|
|
 Computer Masochist Group: Moderator Posts: 23,580 Joined: 27-January 07 From: Cleveland, Ohio Member No.: 108,618 |
I suspect bad memory.
Try one stick at a time Download and run Memtest: http://www.memtest.org/ -------------------- Mark
 why won't my laptop work? Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits Become a BleepingComputer fan: Facebook and Twitter |
|
|
|
|
Jun 16 2009, 08:18 AM
Post
#9
|
|
|
Member Group: Members Posts: 69 Joined: 4-May 08 From: California Member No.: 206,943 |
First, the link for malware online sources does not work. I did use two I found and removed items. Something I didn't mention before was that when I initially tried to do a disk check i would get a unable to disk check pop up.
Computer Specifications CPU: Intel® Celeron® Processor 2.20GHz (w/128KB L2 cache & 400MHz FSB) Operating System: Genuine Microsoft® Windows® XP Home Edition Chipset: Intel® 845GL chipset Memory: 256MB DDR (PC2100) Hard Drive: 40GB HDD Optical Drive: 40 × 12x40x Max. CD-RW Drive; 16x Max. DVD Drive; 3.5" 1.44MB FDD Video: Intel® Extreme Graphics 3D (integrated) Sound: AC '97 Audio Network: 10/100Mbps built-in Ethernet Modem: 56K ITU v.92-ready Fax/Modem Peripherals: Standard Multimedia Keyboard, 2-Button Wheel Mouse, Standard Speakers Ports/Other: 6 USB 2.0 ports (2 on front), 1 Serial, 1 Parallel, 2 PS/2, Microphone-In & Head Phone jack on front, Audio-In & Out, 3 PCI slots (2 available) Dimensions: 7.25"W x 14.125"H x 16"D The dump file (latest date wise) follows. Microsoft ® Windows Debugger Version 6.11.0001.404 X86 Copyright © Microsoft Corporation. All rights reserved. Loading Dump File [C:\WINDOWS\Minidump\Mini061509-03.dmp] Mini Kernel Dump File: Only registers and stack trace are available Symbol search path is: SRV*c:\symbols*http://msdl.microsoft.com/download/symbols Executable search path is: Windows XP Kernel Version 2600 (Service Pack 3) UP Free x86 compatible Product: WinNt, suite: TerminalServer SingleUserTS Personal Built by: 2600.xpsp_sp3_gdr.090206-1234 Machine Name: Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055b1c0 Debug session time: Mon Jun 15 08:33:18.781 2009 (GMT-7) System Uptime: 0 days 0:30:19.399 Loading Kernel Symbols ............................................................... ................................................................ .................. Loading User Symbols Loading unloaded module list .............. ******************************************************************************* * * * Bugcheck Analysis * * * ******************************************************************************* Use !analyze -v to get detailed debugging information. BugCheck 100000D1, {e1a43000, 2, 0, b8564e85} Probably caused by : Unknown_Image ( ANALYSIS_INCONCLUSIVE ) Followup: MachineOwner --------- kd> !analyze -v ******************************************************************************* * * * Bugcheck Analysis * * * ******************************************************************************* DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1) An attempt was made to access a pageable (or completely invalid) address at an interrupt request level (IRQL) that is too high. This is usually caused by drivers using improper addresses. If kernel debugger is available get stack backtrace. Arguments: Arg1: e1a43000, memory referenced Arg2: 00000002, IRQL Arg3: 00000000, value 0 = read operation, 1 = write operation Arg4: b8564e85, address which referenced memory Debugging Details: ------------------ READ_ADDRESS: e1a43000 CURRENT_IRQL: 2 FAULTING_IP: +16 b8564e85 f3a5 rep movs dword ptr es:[edi],dword ptr [esi] CUSTOMER_CRASH_COUNT: 3 DEFAULT_BUCKET_ID: DRIVER_FAULT BUGCHECK_STR: 0xD1 PROCESS_NAME: System LAST_CONTROL_TRANSFER: from b8566a21 to b8564e85 STACK_TEXT: WARNING: Frame IP not in any known module. Following frames may be wrong. f78dad4c b8566a21 804e26a8 89f9d240 805622fc 0xb8564e85 f78dad74 804e426b 89f9d240 00000000 8a3023c8 0xb8566a21 f78dadac 8057aeff 89f9d240 00000000 00000000 nt!ExpWorkerThread+0x100 f78daddc 804f88ea 804e4196 00000001 00000000 nt!PspSystemThreadStartup+0x34 00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16 STACK_COMMAND: kb SYMBOL_NAME: ANALYSIS_INCONCLUSIVE FOLLOWUP_NAME: MachineOwner MODULE_NAME: Unknown_Module IMAGE_NAME: Unknown_Image DEBUG_FLR_IMAGE_TIMESTAMP: 0 FAILURE_BUCKET_ID: 0xD1_ANALYSIS_INCONCLUSIVE BUCKET_ID: 0xD1_ANALYSIS_INCONCLUSIVE Followup: MachineOwner --------- Thank you, GOO GOO A JOOB This post has been edited by I am the Walrus: Jun 16 2009, 08:24 AM |
|
|
|
|
Jul 6 2009, 08:51 PM
Post
#10
|
|
|
New Member Group: Members Posts: 1 Joined: 6-July 09 Member No.: 349,152 |
Hi i am having blue screen crash dumps quite often on my computer...I am using a Sony Vaio VGCLT35E, ita an all in one computer. Its about a year old now, but ever since I started using it...it had that bluescreen crash. It happens quite often sometimes. I thought it would go away but it seems to happen quite often. My warranty on this computer ends on July 31st this year so I called sony and the tech asked me to do these tests but they all turned out fine. I told him I did a memtest before and he didnt understand/and said he wasnt familiar with it and therefore ignored it. Next the he told me to reformat the whole computer and see if it still does it before deciding to send it in for service repair. Any advice? I think I still have some of those .dmp files i did from the memtest but my computer cant open the files to view them and I am not an expert in these matters. please help thanks.
|
|
|
|
|
Jul 9 2009, 09:14 PM
Post
#11
|
|
 OBleepin Investigator Group: Moderator Posts: 17,849 Joined: 14-July 06 From: Bloomington, IN Member No.: 76,150 |
Hello,
If you are posting about a problem, please do not post it in this thread as it will likely get over-looked. Instead please start a new topic in the appropriate forum for your operating system. Orange Blossom :chery: -------------------- Orange Blossom An ounce of prevention is worth a pound of cure ESET NOD32, SuperAntiSpyware Pro, SpywareBlaster, Spybot 1.6.2.46, WinPatrol Plus, Sunbelt Personal Firewall - Full, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript |
|
|
|
|
1 User(s) are reading this topic (1 Guests and 0 Anonymous Users)
0 Members:
| Lo-Fi Version | Time is now: 21st November 2009 - 04:51 AM |
© 2003-2009 All Rights Reserved Bleeping Computer LLC.