Windows Bugcheck Analysis - TechNet Articles - United States (English) - TechNet Wiki

First published by Luigi Bruno, 20 Dec 2011 11:21 AM
Last revision by Carsten Siemens (Microsoft Partner), 22 Aug 2013 2:21 PM
Revisions: 45, Comments: 51
https://social.technet.microsoft.com/wiki/contents/articles/6302.windo...


Windows Bugcheck Analysis

Table of Contents

Why Windows Crashes?
Some Terminology
The Blue Screen
Identifying the Stop Error
Understanding the Stop Message
Collecting a Kernel-Mode Crash Dump
Preparing the Environment
Analyzing the Crash Dump File
Common Stop Messages
    Stop 0xA (IRQL_NOT_LESS_OR_EQUAL)
    Stop 0xD1 (IRQL_NOT_LESS_OR_EQUAL)
    Stop 0x00000124 (WHEA_UNCORRECTABLE_ERROR)
Community Resources
    MSDN Web Pages
    Blogs
    Microsoft Knowledge Base Articles
    Videos
See Also
    Books
    Technical Articles
    Web Sites
Other Languages
    Italiano (it-IT)

Why Windows Crashes?

Windows crashes (that is, stops executing and displays the blue screen) for many different reasons: a reference to a memory address that causes an access violation, an unexpected exception or trap, a faulting kernel-mode driver and so on. It's important to understand that Windows could keep running even in the presence of serious problems, isolating the error and trying to recover somehow. The detected problem, however, could be caused by a deeper and more serious error that results in further exceptions during operating system processing and could finally lead to RAM and/or disk data corruption. This is unacceptable, of course, so Windows adopts a sort of "fail fast and safe" policy that consists of stopping execution, switching the display to a low-resolution VGA mode, painting a blue background, writing memory status and crash information to a file (the memory dump file) and displaying a stop code containing a message and some indications to the user. "Blue Screen Of Death", "Bugcheck" and "Stop error" are different terms for the same class of unhandled exception that occurs in kernel-mode execution and causes the system to shut down (and possibly reboot). The source of the issue can be anything from a power fluctuation in the system to a damaged component or a software/hardware bug.

In Windows 7 and previous versions, the BSOD looks like the following

Figure 1: the "actual" BSOD.

whereas in Windows 8 Developer Preview it actually looks like the following (a little less "scary" than the previous one)

Figure 2: the "future" (?) BSOD.

It's interesting to observe the distribution of bugchecks according to their causes: the book "Windows Internals, 5th Edition" provides the following chart displaying the distribution of error categories for Windows Vista SP1 in September 2008.

Figure 3: distribution of error categories.


Some Terminology

Blue screen: when the system encounters a hardware problem, data inconsistency, or similar error, it may display a blue screen containing information that can be used to determine the cause of the error. This information includes the STOP code and whether a crash dump file was created. It may also include a list of loaded drivers and a stack trace.

Crash dump file: you can configure the system to write information to a crash dump file on your hard disk whenever a STOP code is generated. The file (memory.dmp) contains information the debugger can use to analyze the error. This file can be as big as the physical memory contained in the computer. By default, it's located in the Windows\Minidump folder.

Debugger: a program designed to help detect, locate, and correct errors in another program. It allows the user to step through the execution of the process and its threads, monitoring memory, variables, and other elements of process and thread context.

Kernel mode: the processor mode in which system services and device drivers run. All interfaces and CPU instructions are available, and all memory is accessible.

Minidump file: a minidump is a smaller version of a complete, or kernel, memory dump. Usually Microsoft will want a kernel memory dump, but the debugger will analyze a minidump and quite possibly give the information needed to resolve the problem. If it's all you have, then debug it rather than waiting for the machine to crash again. Open the file in the debugger (see below) just as memory.dmp is opened in the demonstration.

STOP code: the error code that identifies the error that stopped the system kernel from continuing to run. It is the first set of hexadecimal values displayed on the blue screen. At a minimum, frontline admins should be required to note this code, the four other codes displayed in parentheses and any drivers identified on the screen. Often, this is all you really need.

Symbol files: all system applications, drivers, and DLLs are built such that their debugging information resides in separate files known as symbol files. Therefore, the system is smaller and faster, yet it can still be debugged if the symbol files are available. You don't need the symbol files to debug: the debugger will automatically access the ones it needs from Microsoft's public site.

The Blue Screen

Regardless of the reason for a system crash, the function that actually performs the crash is KeBugCheckEx, documented in the Windows Driver Kit (WDK). This function takes a stop code (also called a bugcheck code) and four parameters that must be interpreted on a per-stop-code basis. After KeBugCheckEx masks out all interrupts on all processors of the system, it switches the display into a low-resolution VGA graphics mode (one implemented by all Windows-supported video cards), paints a blue background and displays the stop code, followed by some text suggesting what the user can do. Finally, KeBugCheckEx calls any registered device driver bugcheck callbacks (registered by calling the KeRegisterBugCheckCallback function), allowing drivers an opportunity to stop their devices. It then calls registered reason callbacks (registered by calling the KeRegisterBugCheckReasonCallback function), which allow drivers to append data to the crash dump or write crash dump information to alternate devices. KeBugCheckEx displays the textual representation of the stop code near the top of the blue screen as well as the numeric stop code and the four parameters at the bottom of the blue screen: the first line in the Technical Information section lists the stop code and the four additional parameters passed to KeBugCheckEx; a text line near the top of the screen provides the text equivalent of the stop code's numeric identifier (sometimes it's even possible that system data structures have been so seriously corrupted that the blue screen isn't displayed).

Identifying the Stop Error

Many different types of Stop errors occur: each has its own possible causes and requires a unique troubleshooting process; therefore, the first step in troubleshooting a Stop error is to identify the Stop error. You need the following information about the Stop error to begin troubleshooting:

- stop error number: this number uniquely identifies the Stop error;
- stop error parameters: these parameters provide additional information about the Stop error. Their meaning is specific to the Stop error number;
- driver information: when available, the driver information identifies the most likely source of the problem. Not all Stop errors are caused by drivers, however.

This information is often displayed as part of the Stop message: if possible, write it down to use as a reference during the troubleshooting process. If the operating system restarts before you can write down the information, you can often retrieve the information from the "System" Event Log in Event Viewer. If you are unable to gather the Stop error number from the Stop message and the System Log, you can retrieve it from a memory dump file. By default, Windows is configured to create a memory dump whenever a Stop error occurs. If no memory dump file was created, configure the system to create a memory dump file. Then, if the Stop error reoccurs, you will be able to extract the necessary information from the memory dump file.

Understanding the Stop Message

The Stop message reports information about the Stop error and assists the system administrator (who understands how to interpret the information) in isolating and eventually resolving the problem that caused the Stop error. The Stop message provides a great deal of useful information, including the Stop error number, or bugcheck code. The Stop message uses a full-screen character mode format and consists of several major sections, as shown in Figure 1, which display the following information:

- Bugcheck Information: this section lists the Stop error descriptive name. Descriptive names are directly related to the Stop error number listed in the Technical Information section.
- Recommended User Action: this section informs the user that a problem has occurred and that Windows was shut down. It also provides the symbolic name of the Stop error (in Figure 1, the symbolic name is DRIVER_IRQL_NOT_LESS_OR_EQUAL). It also attempts to describe the problem and lists suggestions for recovery.
- Technical Information: this section lists the Stop error number, also known as the bugcheck code, followed by up to four Stop error-specific codes (displayed as hexadecimal numbers beginning with a "0x" prefix and enclosed in parentheses), which identify related parameters. In Figure 1, the Stop error number is 0x000000D1 (often written as 0xD1).
- Driver Information: this section identifies the driver associated with the Stop error.
- Debug Port and Dump Status Information: this section lists Component Object Model (COM) port parameters that a kernel debugger uses, if enabled. If you have enabled memory dump file saves, this section also indicates whether one was successfully written.

Collecting a Kernel-Mode Crash Dump

Most modern desktop installations of Windows are configured to collect small memory dumps automatically. The dump file generation settings can be configured in the "Advanced" tab of the "System Properties" window, as you can see in Figure 4.

Figure 4: setting the dump generation options.

Table 1 summarizes the different locations that Windows uses to store the memory dump files (also read the Microsoft Knowledge Base article KB254649 "Overview of memory dump file options for Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7 and Windows Server 2008 R2").

Memory Dump Type | Default Location (variable) | Default Location (typical) | Paging File Requirements
Small memory dump | %systemroot%\Minidump\ | c:\Windows\Minidump | >2 MB
Kernel memory dump | %systemroot%\Memory.dmp | c:\Windows\Memory.dmp | Large enough for kernel memory
Complete memory dump | %systemroot%\Memory.dmp | c:\Windows\Memory.dmp | All physical RAM + 1 MB

Table 1: memory dump file location and size.

You can verify that the system correctly creates a dump file whenever a Stop error occurs by manually forcing a system crash: read the "How To Manually Initiate a Windows Stop Error and Create a Dump File (en-US)" page for further information.

Preparing the Environment

The first step is getting the Debugging Tools you need to analyze the crash dump files produced after a system crash. Older versions of the Debugging Tools were provided as standalone installers that you can download from the Microsoft Windows Hardware Dev Center, paying attention to download and install the appropriate version according to your system's architecture (32 bit or 64 bit); modern versions are included with the Microsoft Windows SDK and the Windows Driver Kit. If you decide to install the Windows SDK, be sure to check the check box to include the Debugging Tools in the installation process, as you can see in Figure 5.

Figure 5: installing the Windows SDK.

After installation, the symbols path needs to be set to ensure that there are enough symbols for the debugger to determine what actually occurred and what was loaded. The entire symbol collection offered to the public can be downloaded and placed on a local drive, or an Internet location can be specified to pull the symbols on demand. I suggest pulling them from the Internet: the correct version of the symbols will be downloaded on demand and will not become outdated by installation of hotfixes and service packs. The Microsoft Knowledge Base article "Use the Microsoft Symbol Server to obtain debug symbol files" (KB311503) provides the instructions for using the Microsoft Symbol Server to obtain debug symbol files: basically, you can create a folder (for example, C:\Symbols) and set the environment variable

_NT_SYMBOL_PATH = srv*c:\Symbols*http://msdl.microsoft.com/download/symbols


as you can see in Figure 6.

Figure 6: setting the _NT_SYMBOL_PATH variable.


Analyzing the Crash Dump File

Start WinDbg from the Start menu (the exact position of WinDbg will vary according to your Windows version) and select File -> Open Crash Dump... (or press CTRL+D). Select the appropriate .DMP file and let the debugger perform its initial operations: the kernel symbols are loaded and the debugger displays some basic information about the analyzed system and the reported bugcheck, along with an indication of the module that probably made the system crash.

Figure 7: starting the debugging process.

After that, you need to get detailed information about the current exception or bug check: in the lower pane of the Command window, type the command "!analyze -v" and hit ENTER (the "-v" option displays verbose output).

Figure 8-a: analyzing the dump file (part 1).


Figure 8-b: analyzing the dump file (part 2).

As you can see, the system crashed because of a DRIVER_IRQL_NOT_LESS_OR_EQUAL bugcheck, whose Stop code is 0x000000D1. The faulting module seems to be "e1k6232" (the image file is e1k6232.sys): we enter the "lm" command with some options ("v" causes the display to be verbose, including the symbol file name, the image file name, checksum information, version information, date stamps, time stamps, and information about whether the module is managed code; "m" specifies a pattern that the module name must match) as in the following

Figure 9: displaying module information.

and we can get more information about that module. Then we perform a quick search on the web (http://systemexplorer.net/db/e1k6232.sys.html) and discover that "e1k6232.sys" is a driver belonging to the Intel Gigabit Adapter developed by Intel Corporation: in this case, we could fix the issue by downloading and installing an updated version of this driver (this DMP file comes from a PC really affected by this problem and updating the driver effectively solved the issue). Further troubleshooting is dependent on the specific error. Some errors may require the driver verifier to be enabled to determine a root cause: this tool verifies that drivers are not making illegal function calls or causing system corruption and it can identify conditions such as memory corruption, mishandled I/O request packets (IRPs), invalid direct memory access (DMA) buffer usage and possible deadlocks. The !verifier extension in the kernel debugger can be used to monitor and report on statistics related to Driver Verifier in the context of a debugging session.

Common Stop Messages

The following Stop error descriptions can help you to troubleshoot problems that cause Stop errors.

Stop 0xA (IRQL_NOT_LESS_OR_EQUAL)

The Stop 0xA message indicates that a kernel-mode process or driver attempted to access a memory location to which it did not have permission or at a kernel IRQL that was too high. A kernel-mode process can access only other processes that have an IRQL lower than or equal to its own. This Stop message is typically the result of faulty or incompatible hardware or software. This Stop message has four parameters:

1. memory address that was improperly referenced
2. IRQL that was required to access the memory
3. type of access
   0x00 = read operation
   0x01 = write operation
4. address of the instruction that attempted to reference memory specified in parameter 1

If the last parameter is within the address range of a device driver used by the system, the driver itself can be determined by reading the line that begins with

**Address 0xZZZZZZZZ has base at <address>- <driver name>

If the third parameter is the same as the first parameter, a special condition exists in which a system worker routine—carried out by a worker thread to handle background tasks known as work items—returned at a higher IRQL. In that case, some of the four parameters take on new meanings:

1. address of the worker routine
2. kernel IRQL
3. address of the worker routine
4. address of the work item

To resolve an error caused by a faulty device driver, system service or basic input/output system (BIOS), follow these steps:

1. restart the system;
2. press F8 at the character-based menu that displays the operating system choices;
3. select the Last Known Good Configuration option from the Windows Advanced Options menu; this option is most effective when only one driver or service is added at a time.

To resolve an error caused by an incompatible device driver, system service, virus scanner or backup tool, follow these steps:

1. check the System Log in Event Viewer for error messages that might identify the device or driver that caused the error;
2. try disabling memory caching of the BIOS;
3. run the hardware diagnostics supplied by the system manufacturer, especially the memory scanner;
4. make sure the latest Service Pack and Windows updates are installed;
5. if the system has small computer system interface (SCSI) adapters, contact the adapter manufacturer to obtain updated Windows drivers. Try disabling sync negotiation in the SCSI BIOS, checking the cabling and the SCSI IDs of each device and confirming proper termination;
6. for integrated device electronics (IDE) devices, define the onboard IDE port as Primary only. Also, check each IDE device for the proper master/subordinate/stand-alone setting. Try removing all IDE devices except for hard disks.

If the Stop 0xA message is encountered while upgrading to a newer Windows version, the problem might be due to an incompatible driver, system service, virus scanner or backup. To avoid problems while upgrading, simplify hardware configuration and remove all third-party device drivers and system services (including virus scanners) prior to running setup. After successfully installing Windows, contact the hardware manufacturer to obtain compatible updates.

If the Stop error occurs when resuming from hibernation or suspend, read the Microsoft Knowledge Base articles 941492 and 945577.

If the Stop error occurs when starting a mobile computer that has the lid closed, refer to the Microsoft Knowledge Base article 941507.

Stop 0xD1 (IRQL_NOT_LESS_OR_EQUAL)

The Stop 0xD1 message indicates that the system attempted to access pageable memory using a kernel process IRQL that was too high. Drivers that have used improper addresses typically cause this error. This Stop message has four parameters:

1. memory referenced
2. IRQL at time of reference
3. type of access
   0x00 = read operation
   0x01 = write operation
4. address that referenced memory

Stop 0xD1 messages can occur after you install faulty drivers or system services. If a driver is listed by name, disable, remove, or roll back that driver to resolve the error. If disabling or removing drivers resolves the error, contact the manufacturer about a possible update. Using updated software is especially important for backup programs, multimedia applications, antivirus scanners, DVD playback, and CD mastering tools.

Stop 0x00000124 (WHEA_UNCORRECTABLE_ERROR)

The Stop 0x00000124 message occurs when Windows has a problem handling a PCI-Express device. Most often, this occurs when adding or removing a hot-pluggable PCI-Express card; however, it can occur with driver- or hardware-related problems for PCI-Express cards.

To troubleshoot 0x00000124 stop errors, first make sure you have applied all Windows updates and driver updates. If you recently updated a driver, roll back the change. If the stop error continues to occur, remove PCI-Express cards one by one to identify the problematic hardware. When you have identified the card causing the problem, contact the hardware manufacturer for further troubleshooting assistance. The driver might need to be updated, or the card itself could be faulty.

The meanings of the parameters are described in Table 2.

Parameter 1 | Parameter 2 | Parameter 3 | Parameter 4 | Cause of error
0x0 | Address of WHEA_ERROR_RECORD structure. | High 32 bits of MCi_STATUS MSR for the MCA bank that had the error. | Low 32 bits of MCi_STATUS MSR for the MCA bank that had the error. | A machine check exception occurred. These parameter descriptions apply if the processor is based on the x64 architecture, or the x86 architecture that has the MCA feature available (for example, Intel Pentium Pro, Pentium IV, or Xeon).
0x1 | Address of WHEA_ERROR_RECORD structure. | Reserved. | Reserved. | A corrected machine check exception occurred.
0x2 | Address of WHEA_ERROR_RECORD structure. | Reserved. | Reserved. | A corrected platform error occurred.
0x3 | Address of WHEA_ERROR_RECORD structure. | Reserved. | Reserved. | A nonmaskable Interrupt (NMI) error occurred.
0x4 | Address of WHEA_ERROR_RECORD structure. | Reserved. | Reserved. | An uncorrectable PCI Express error occurred.
0x5 | Address of WHEA_ERROR_RECORD structure. | Reserved. | Reserved. | A generic hardware error occurred.

Table 2: meanings of the parameters.
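
The parameter layouts listed above for Stop 0xA, 0xD1 and 0x124, and the address-to-driver lookup described under Stop 0xA, can be applied to a stop line copied from the blue screen or the System event log. The following Python code is an added example, not part of the original article or of any Microsoft tool. The event text, the module addresses and all function names are constructed for illustration; only the module name e1k6232 comes from the walkthrough above.

```python
import re

# A stop code followed by up to four hexadecimal parameters in parentheses,
# as shown in the Technical Information section or the System event log.
STOP_RE = re.compile(
    r"(0x[0-9A-Fa-f]{1,16})\s*\(((?:\s*0x[0-9A-Fa-f]{1,16}\s*,?){0,4})\s*\)")
# One row of "lm" output: start address, end address, module name.
LM_RE = re.compile(r"^([0-9A-Fa-f`]{8,17})\s+([0-9A-Fa-f`]{8,17})\s+(\S+)", re.M)

ACCESS = {0x0: "read operation", 0x1: "write operation"}
WHEA_CAUSE = {  # parameter 1 of Stop 0x124, from Table 2
    0x0: "machine check exception",
    0x1: "corrected machine check exception",
    0x2: "corrected platform error",
    0x3: "nonmaskable interrupt (NMI) error",
    0x4: "uncorrectable PCI Express error",
    0x5: "generic hardware error",
}


def parse_stop_line(text):
    """Return (stop_code, [parameters]), or None when no stop line is found."""
    m = STOP_RE.search(text)
    if m is None:
        return None
    params = [int(p, 16) for p in re.findall(r"0x[0-9A-Fa-f]+", m.group(2))]
    return int(m.group(1), 16), params


def decode(code, params):
    """Name the four parameters the way the article lists them."""
    p = list(params) + [None] * (4 - len(params))  # tolerate a short stop line
    if code == 0xA and p[0] is not None and p[0] == p[2]:
        # Worker routine returned at a raised IRQL. A reference to address
        # 0 or 1 also makes parameters 1 and 3 equal, so flag it as ambiguous.
        return {"worker_routine": p[0], "kernel_irql": p[1],
                "work_item": p[3], "ambiguous": p[0] in ACCESS}
    if code in (0xA, 0xD1):
        return {"memory_referenced": p[0], "irql": p[1],
                "access": ACCESS.get(p[2], "unknown"),
                "instruction_address": p[3]}
    if code == 0x124:
        out = {"cause": WHEA_CAUSE.get(p[0], "unknown"),
               "whea_error_record": p[1]}
        if p[0] == 0x0 and None not in p[2:]:
            # Parameters 3 and 4 are the high and low halves of MCi_STATUS.
            out["mci_status"] = ((p[2] & 0xFFFFFFFF) << 32) | (p[3] & 0xFFFFFFFF)
        return out
    return {"parameters": list(params)}


def parse_lm(text):
    """Turn "lm" output into (start, end, name) tuples."""
    return [(int(s.replace("`", ""), 16), int(e.replace("`", ""), 16), name)
            for s, e, name in LM_RE.findall(text)]


def owning_module(address, modules):
    """Return the name of the module whose [start, end) range holds address."""
    for start, end, name in modules:
        if start <= address < end:
            return name
    return None


def triage(stop_text, lm_text):
    """Stop line -> named parameters -> driver that owns the faulting address."""
    parsed = parse_stop_line(stop_text)
    if parsed is None:
        return None
    code, params = parsed
    info = decode(code, params)
    info["stop_code"] = code
    addr = info.get("instruction_address")
    if addr is not None:
        info["module"] = owning_module(addr, parse_lm(lm_text))
    return info


# Constructed sample input: the addresses are made up, the module name is
# the one from the article's walkthrough.
SAMPLE_EVENT = ("The computer has rebooted from a bugcheck.  The bugcheck was: "
                "0x000000d1 (0x0000000000000028, 0x0000000000000002, "
                "0x0000000000000000, 0xfffff88004a1c3f0).")
SAMPLE_LM = """\
start             end                 module name
fffff800`02a0f000 fffff800`02ff8000   nt
fffff880`04a00000 fffff880`04a4e000   e1k6232
"""

if __name__ == "__main__":
    for key, value in triage(SAMPLE_EVENT, SAMPLE_LM).items():
        print(key, hex(value) if isinstance(value, int) else value)
```

A module returned as None means the faulting address lies outside every listed driver range, which is itself worth noting before blaming a driver.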


Community Resources

MSDN Web Pages

- Blue Screen Data
- General Troubleshooting Tips
- Bug Check Code Reference - Descriptions of the common bug checks, including the parameters passed to the blue screen. It also describes how you can diagnose the fault which led to the bug check and possible ways to deal with the error.
- Using Driver Verifier
- Interpreting a Bug Check Code (Windows Drivers)

Blogs

- Ntdebugging Blog
- Ask the Core Team Blog
- "The Case of the Crashed Phone Call" - Another example of a bugcheck analysis by Mark Russinovich.
- Troubleshoot a Windows bluescreen, a.k.a bugcheck, a.k.a blue screen of death - An example of bugcheck analysis from the NDIS MSDN Blog.
- What causes a bug check 0xD1 (IRQL_NOT_LESS_OR_EQUAL) - Suggestions about troubleshooting a very common bugcheck from the NDIS MSDN Blog.
- You got a B.S.O.D. (Blue Screen of Death, known as Bug Checks), now what?
- Understanding Bugchecks
- Understanding Crash Dump Files

Microsoft Knowledge Base Articles

- Checking Crashdump File for Corruption (KB119490)
- Blue Screen Preparation Before Contacting Microsoft (KB129845)
- How to Verify Windows Debug Symbols (KB148660)
- Using Driver Verifier to identify issues with Windows drivers for advanced users (KB244617)
- How to read the small memory dump files that Windows creates for debugging (KB315263)

Videos

- Windows Crash Dump Analysis (TechEd 2009 Videos) - Daniel Pearson of David Solomon Expert Seminars wades into crash dumps using Microsoft Debugging Tools in real-life cases of hung and crashing systems at Tech•Ed Europe.

See Also

Books

- Windows Internals, 4th Edition (Chapter 14, "Crash Dump Analysis") by David A. Solomon and Mark E. Russinovich (Microsoft Press, December 2004)
- Windows Internals, 5th Edition (Chapter 14, "Crash Dump Analysis") by David A. Solomon, Mark E. Russinovich and Alex Ionescu (Microsoft Press, June 2009)
- Windows 7 Resource Kit (Chapter 32, "Troubleshooting Stop Messages") by Mitch Tulloch, Tony Northrup, Jerry Honeycutt, Ed Wilson, and the Windows 7 Team at Microsoft (Microsoft Press, October 2009)
- Inside Windows Debugging (Chapter 4, "Postmortem Debugging") by Tarik Soulami (Microsoft Press, May 2012)

Technical Articles

- Analyzing Windows Crash Dump Files (The Code Project, 31 October 2008)
- How to Use Microsoft's Driver Verifier to Interpret Unanalyzable Crash Dump Files (The Code Project, 19 November 2008)

Web Sites

- Dumpanalysis.org - Memory Dump, Software Trace, Debugging, Malware and Intelligence Analysis Portal.

Other Languages

This article is also available in the following languages:

Italiano (it-IT)

Analisi dei bugcheck di Windows (it-IT)

bsod, bugcheck, dump, en-US, has Back to Top link, has comment, has image, has Other Languages, has See Also, Has Table, Has TOC, Luigi Bruno, Multi Language Wiki Articles, Windows

Comments

Ed Price - MSFT, 20 Dec 2011 6:00 PM

Great article! Good detail!

Luigi Bruno, 20 Dec 2011 11:10 PM

Thanks Ed. Of course, I'll review it and improve it.

I've noticed the "Has Table" tag: is that a way of grouping all the articles that have a TOC?

Las D. Rashid, 3 Jan 2012 2:11 PM

Thank you very much for spending your time to create a Great article like that.

Luigi Bruno, 4 Jan 2012 4:32 AM

Thanks, Rashid. As you can see, this article is still something like a work in progress: I update it every time I find something useful or important to add to what I wrote.

Mikail NAZLI, 12 Jan 2012 6:04 AM

thanks for this useful information,

Yagmoth555, 17 May 2012 6:12 PM

Really good article Luigi !

Livio von Büren, 17 Sep 2012 5:08 AM

Yes, good article!

Ed Price - MSFT, 2 Nov 2012 7:04 PM

Luigi, "Has Table" is for grouping all the articles with tables, in case we want to browse them to see how they were built. I added "has TOC", which groups all the articles with TOCs in case you want to check the header HTML on them, if you want to see how others have organized their articles with headers, or if the TOC tool ever changes for any reason.

Thanks!

TK MAHATO, 19 Dec 2012 12:00 PM

thnx
