How To Find Bsod Error Messages

Welcome to Bleeping Computer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.
Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

BleepingComputer.com > Bleeping Computer Applications and Guides > Mini guides and how-tos - Simple answers to common questions > Microsoft Windows Mini-Guides

How To Find Bsod Error Messages, For use in troubleshooting system crashes.

Rating

Options

usasma View Member Profile	Dec 9 2006, 12:44 AM Post #1
Visually handicapped, hence the avatar :0) Group: Moderator Posts: 13,915 Joined: 2-October 05 From: Southeastern CT, USA Member No.: 35,824	How to Find BSOD (Blue Screen) Error Messages Guide Overview This guide will explain how to locate and analyze BSOD error reports. There are 4 places (by default) where Windows presents this information. If you've disabled the Error Reporting Service or the Event Viewer, then I'm afraid that you're just SOL The Blue Screen of Death (also known as the BSOD) is a screen that Windows shows you when it shuts down your computer in order to prevent damage to it. It's also known as a STOP error or as a BugCheck Code. It is a hardware error by definition - but this doesn't mean that it's caused by faulty hardware. Viruses, corrupt drivers, and even poorly written programs can cause it. Here's an example of the screen with some notations on what to look for: Finally, a note on shorthand. A STOP 0x0000007a error is referred to (in shorthand) as a STOP 0x7a error. It's just a way of not having to write all them zero's out each time that you refer to it. References How To Disable Automatic Restarts How To Use The Event Viewer How To Debug Memory Dumps Instructions The first place to get the information is from the Blue Screen itself. Write down all of the long numbers, the description that's in all Caps with underscores ( _ ) between the words, and any file names that may be mentioned (be sure to note if there wasn't a filename in your post). A more in depth look at this is included in the second reference ( How To Use The Event Viewer ). In the event that the BSOD flashes by too fast to read, use the first reference to disable the Automatically Restart function ( How To Disable Automatic Restarts ). The next place to find the information is in the Event Viewer. Use the mini-guide in the second reference to see how to do this ( How To Use The Event Viewer ). The last place to find the information is on your hard drive. Search your hard drive for files ending in .dmp and .mdmp. You're looking for the most recent file (or the one closest to the last BSOD that you experienced). Once you find it, use the third reference ( How To Debug Memory Dumps ) to perform an analysis of the memory dump. Be sure to use the !analyze -v command in the bottom of the Debugger's window before closing out your session. Then copy and paste the results into your next post. Someone will have a look at it to see if we can figure out what's gone wrong. Sometimes, when Error Reporting is enabled, the dump files will be stored temporarily on your system and are erased once the report is sent. To save this info, you'll have to copy the dump file before sending the report. To do this, just click on the "Details" link in the error report and you'll see some file locations listed. Choose the one that ends in .dmp or .mdmp, locate it in Windows Explorer, and copy it to your Desktop (you'll have to enable viewing of hidden files to do this). Here's an example of the Details: QUOTE ERROR REPORT CONTENTS Following files will be included in this error report C:\DOCUME~ 1\Owner\ LOCALS~1\Temp\WER7fde.dir00\Mini112706-02.dmp C:\DOCUME~1\Owner\LOCALS~1\Temp\WER7fde.dir00\sysdata.xml What follows is a quote from the third reference (in the event that their server goes down): QUOTE HOW TO: Debug Memory Dumps When you get a stop error (Blue Screen of Death), your system writes a small file called a minidump. This is a small write up on how to debug memory dumps. This becomes extremely useful when you are trying to figure out what caused a particular stop error, and no filename was mentioned and/or it is undocumented. You could always let Microsoft do it for you, but there is no gurantee they will answer, and it takes a very long time (over a month in my case). Your first step is to download and install the Microsoft Debugging Tools found here: http://www.microsoft.com/whdc/devtoo...nstallx86.mspx Once you have downloaded and installed these tools, go to start, all programs, Debugging Tools For Windows, Windbg. Once you open Windbg, you will presented with a blank screen. Click on File, Symbol File Path. Here you will enter the symbols path. Symbols are needed to effectively debug. The path will be: SRVc:\symbolshttp://msdl.microsoft.com/download/symbols Enter in this path and click OK. Now, go to File, Save Workspace so that your symbols path is saved for future use. Now what you want to do is locate your memory dumps. They are usually located in %systemroot%/minidump (in my case C:/windows/minidump). If you notice, they are usually named the date, and then a -number to indicate the order of minidumps that day. My example is called Mini061904-01.dmp (it happened today). Inside of Windbg, go to File, Open Crash Dump and load the file. You will get a message to save base workspace information. Choose no. Now you will get a debugging screen. Now it takes a little bit to run it, as the symbols have to be downloaded as they are needed. Then you will see information such as: Symbol search path is: SRVc:\symbolshttp://msdl.microsoft.com/download/symbols Microsoft ® Windows Debugger Version 6.3.0017.0 Copyright © Microsoft Corporation. All rights reserved. Loading Dump File [C:\WINDOWS\Minidump\Mini061904-01.dmp] Mini Kernel Dump File: Only registers and stack trace are available Symbol search path is: SRVc:\symbolshttp://msdl.microsoft.com/download/symbols Executable search path is: Windows XP Kernel Version 2600 (Service Pack 1) UP Free x86 compatible Product: WinNt, suite: TerminalServer SingleUserTS Built by: 2600.xpsp2.030422-1633 Kernel base = 0x804d4000 PsLoadedModuleList = 0x80543530 Debug session time: Sat Jun 19 19:06:57 2004 System Uptime: 0 days 1:03:36.951 Loading Kernel Symbols ................................................................................ .................................................... Loading unloaded module list .......... Loading User Symbols ******************************************************************************* * * * Bugcheck Analysis * * * ***************************************************************************** Use !analyze -v to get detailed debugging information. BugCheck 86427532, {1db, 2, 3, b} <--This is your stop code Unable to load image pavdrv51.sys, Win32 error 2 * WARNING: Unable to verify timestamp for pavdrv51.sys * ERROR: Module load completed but symbols could not be loaded for pavdrv51.sys Probably caused by : pavdrv51.sys ( pavdrv51+7fc0 ) Followup: MachineOwner --------- Now, we can already see what it was most likely caused by, in my case it was pavdrv51.sys, which is a Panda AV file. If we want to get further in depth, we can use the command, !analyze -v at the kd> prompt to delve more info about the error: kd> !analyze -v ***************************************************************************** * * * Bugcheck Analysis * * * ***************************************************************************** Unknown bugcheck code (86427532) Unknown bugcheck description <--Its unknown, and not listed on the MS KB at all. Arguments: Arg1: 000001db Arg2: 00000002 Arg3: 00000003 Arg4: 0000000b Debugging Details: ------------------ CUSTOMER_CRASH_COUNT: 1 DEFAULT_BUCKET_ID: DRIVER_FAULT BUGCHECK_STR: 0x86427532 LAST_CONTROL_TRANSFER: from f4198fc0 to 804f4103 STACK_TEXT: f41f0964 f4198fc0 86427532 000001db 00000002 nt!KeBugCheckEx+0x19 WARNING: Stack unwind information not available. Following frames may be wrong. f41f0ba0 f419920b 864db520 f419ccf0 00000000 pavdrv51+0x7fc0 f41f0c34 804ea221 865b8910 864a52c0 806ad190 pavdrv51+0x820b f41f0c44 8055d0fe 864a5330 86305028 864a52c0 nt!IopfCallDriver+0x31 f41f0c58 8055de46 865b8910 864a52c0 86305028 nt!IopSynchronousServiceTail+0x5e f41f0d00 80556cea 000000a4 00000000 00000000 nt!IopXxxControlFile+0x5c2 f41f0d34 8052d571 000000a4 00000000 00000000 nt!NtDeviceIoControlFile+0x28 f41f0d34 7ffe0304 000000a4 00000000 00000000 nt!KiSystemService+0xc4 00cdff70 00000000 00000000 00000000 00000000 SharedUserData!SystemCallStub+0x4 FOLLOWUP_IP: pavdrv51+7fc0 f4198fc0 ?? ??? SYMBOL_STACK_INDEX: 1 FOLLOWUP_NAME: MachineOwner SYMBOL_NAME: pavdrv51+7fc0 MODULE_NAME: pavdrv51 IMAGE_NAME: pavdrv51.sys DEBUG_FLR_IMAGE_TIMESTAMP: 3e8c072b STACK_COMMAND: kb BUCKET_ID: 0x86427532_pavdrv51+7fc0 Followup: MachineOwner --------- Update: After the intial run of the debug process, you can use the command !analyze -v to gather more information. Now that may be more infor than you need. This tutorial only covers minidumps, however, if needed, you could change your memory dump options to do a complete dump. This is useful, however, very cumbersome, as the file generated will be the same size as your amount of ram. Note: Make absolutely sure that your symbol path is correct. If it isn't, then you will get symbol errors and not likely be able to debug the dump to get the info you desire. Screenshots to follow. I hope this info is useful, I find it invaluable to finding out what is causing random, sporadic, and/or obscure stop errors. __________________ Real knowledge is to know the extent of one's ignorance. Last edited by Adrynalyne : 01-24-05 at 20:25. This post has been edited by Grinler: Dec 17 2006, 09:35 AM -------------------- - John If you need a more detailed explanation, please ask for it. I have the Knack. **

« Next Oldest · Microsoft Windows Mini-Guides · Next Newest »

1 User(s) are reading this topic (1 Guests and 0 Anonymous Users)

0 Members:

Display Mode: Standard · Switch to: Linear+ · Switch to: Outline

Track this topic · Email this topic · Print this topic · Subscribe to this forum

Lo-Fi Version

Time is now: 12th October 2008 - 04:26 AM

Advertise \| About Us \| Terms of Use \| Privacy Policy \| Contact Us \| Site Map \| Chat \| Tutorials \| Uninstall List
Discussion Forums \| The Computer Glossary \| Resources \| RSS Feeds \| Startups \| The File Database \| Malware Removal Guides