Windows 7 Forums

Welcome to Windows 7 Forums. Our forum is dedicated to helping you find support and solutions for any problems regarding your Windows 7 PC be it Dell, HP, Acer, Asus or a custom build. We also provide an extensive Windows 7 tutorial section that covers a wide range of tips and tricks.


Windows 7: How Can I Debug BSOD Errors?

07 Oct 2014   #1
callumm

Windows 7 64bit
 
 
How Can I Debug BSOD Errors?

Hi,

I want to learn how to debug BSODs. I work with computers, so learning this would really help!
I can use Windbg to certain level and find out some information about the crash. I get to a certain point where I cannot be sure what caused the crash. Please see the example. Can anyone help me become "Good" at debugging these?

The example posted below is one that I cannot figure out the cause. Can you please take me through debugging this? What commands I should use/ What I should look for?

Thanks!


My System SpecsSystem Spec
.
07 Oct 2014   #2
callumm

Windows 7 64bit
 
 

Microsoft (R) Windows Debugger Version 6.12.0002.633 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [C:\Users\********\Documents\New folder (2)\091114-23025-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: symsrv*symsrv.dll*c:\Windows\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows 7 Kernel Version 7601 (Service Pack 1) MP (8 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 7601.18247.amd64fre.win7sp1_gdr.130828-1532
Machine Name:
Kernel base = 0xfffff800`0340a000 PsLoadedModuleList = 0xfffff800`0364d6d0
Debug session time: Thu Sep 11 18:09:11.716 2014 (UTC + 1:00)
System Uptime: 0 days 8:30:04.479
Loading Kernel Symbols
...............................................................
................................................................
......................................................
Loading User Symbols
Loading unloaded module list
......
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 4A, {7702160a, 1, 0, fffff8800ade3b60}

Probably caused by : ntkrnlmp.exe ( nt!KiSystemServiceExit+245 )

Followup: MachineOwner
---------

4: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

IRQL_GT_ZERO_AT_SYSTEM_SERVICE (4a)
Returning to usermode from a system call at an IRQL > PASSIVE_LEVEL.
Arguments:
Arg1: 000000007702160a, Address of system function (system call routine)
Arg2: 0000000000000001, Current IRQL
Arg3: 0000000000000000, 0
Arg4: fffff8800ade3b60, 0

Debugging Details:
------------------


PROCESS_NAME: svchost.exe

BUGCHECK_STR: RAISED_IRQL_FAULT

FAULTING_IP:
+6161646137623265
00000000`7702160a ?? ???

CUSTOMER_CRASH_COUNT: 1

DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT

CURRENT_IRQL: 1

LAST_CONTROL_TRANSFER: from fffff8000347f169 to fffff8000347fbc0

STACK_TEXT:
fffff880`0ade3928 fffff800`0347f169 : 00000000`0000004a 00000000`7702160a 00000000`00000001 00000000`00000000 : nt!KeBugCheckEx
fffff880`0ade3930 fffff800`0347f0a0 : fffffa80`1359cb50 fffff880`0ade3b60 00000000`03fbf5b8 fffff880`0ade3a88 : nt!KiBugCheckDispatch+0x69
fffff880`0ade3a70 00000000`7702160a : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceExit+0x245
00000000`03fbf598 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x7702160a


STACK_COMMAND: kb

FOLLOWUP_IP:
nt!KiSystemServiceExit+245
fffff800`0347f0a0 4883ec50 sub rsp,50h

SYMBOL_STACK_INDEX: 2

SYMBOL_NAME: nt!KiSystemServiceExit+245

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: nt

IMAGE_NAME: ntkrnlmp.exe

DEBUG_FLR_IMAGE_TIMESTAMP: 521ea035

FAILURE_BUCKET_ID: X64_RAISED_IRQL_FAULT_svchost.exe_nt!KiSystemServiceExit+245

BUCKET_ID: X64_RAISED_IRQL_FAULT_svchost.exe_nt!KiSystemServiceExit+245

Followup: MachineOwner
---------

4: kd> lmvm nt
start end module name
fffff800`0340a000 fffff800`039ef000 nt (pdb symbols) C:\ProgramData\dbg\sym\ntkrnlmp.pdb\F69D000687EC491E87FC0425D4D378AC2\ntkrnlmp.pdb
Loaded symbol image file: ntkrnlmp.exe
Mapped memory image file: C:\ProgramData\dbg\sym\ntoskrnl.exe\521EA0355e5000\ntoskrnl.exe
Image path: ntkrnlmp.exe
Image name: ntkrnlmp.exe
Timestamp: Thu Aug 29 02:13:25 2013 (521EA035)
CheckSum: 0054CBB3
ImageSize: 005E5000
File version: 6.1.7601.18247
Product version: 6.1.7601.18247
File flags: 0 (Mask 3F)
File OS: 40004 NT Win32
File type: 1.0 App
File date: 00000000.00000000
Translations: 0409.04b0
CompanyName: Microsoft Corporation
ProductName: Microsoft® Windows® Operating System
InternalName: ntkrnlmp.exe
OriginalFilename: ntkrnlmp.exe
ProductVersion: 6.1.7601.18247
FileVersion: 6.1.7601.18247 (win7sp1_gdr.130828-1532)
FileDescription: NT Kernel & System
LegalCopyright: © Microsoft Corporation. All rights reserved.
My System SpecsSystem Spec
07 Oct 2014   #3
Arc

Microsoft Community Contributor Award Recipient

Microsoft Windows 10 Pro Insider Preview 64-bit
 
 

No need to verbose NT, as it is a system element.

If there is no precise probable cause found upto the second break point, it is the best to have a look at the probable causes. Carrona.org says it is device driver that causes such BSODs.
http://carrona.org/bsodindx.html#0x0000004A

So, driver verifier would be a sure next step.

If DV also failed to catch any driver as failing, test the RAM with memtest86+, for at lease 8 continuous passes.
My System SpecsSystem Spec
.

07 Oct 2014   #4
callumm

Windows 7 64bit
 
 

Quote   Quote: Originally Posted by Arc View Post
Hi.

I guess you missed to post the example?
Yeah lol! Now added it!
My System SpecsSystem Spec
07 Oct 2014   #5
Arc

Microsoft Community Contributor Award Recipient

Microsoft Windows 10 Pro Insider Preview 64-bit
 
 

Quote   Quote: Originally Posted by callumm2 View Post
Quote   Quote: Originally Posted by Arc View Post
Hi.

I guess you missed to post the example?
Yeah lol! Now added it!
▲ Above your post. ^
My System SpecsSystem Spec
07 Oct 2014   #6
callumm

Windows 7 64bit
 
 

Quote   Quote: Originally Posted by Arc View Post
Quote   Quote: Originally Posted by callumm2 View Post
Quote   Quote: Originally Posted by Arc View Post
Hi.

I guess you missed to post the example?
Yeah lol! Now added it!
▲ Above your post. ^
Thanks for your input! I was just using that as an example wasn't a very good one! What sort of process should I go through to debug one? Like what commands should I be using to find out information?
My System SpecsSystem Spec
07 Oct 2014   #7
Arc

Microsoft Community Contributor Award Recipient

Microsoft Windows 10 Pro Insider Preview 64-bit
 
 

It depends. Your ability to use extensions is a bare minimum when you are dealing with a minidump, and it varies depending on the necessity.

In general, the output upto the second break point is good enough.
My System SpecsSystem Spec
07 Oct 2014   #8
callumm

Windows 7 64bit
 
 

Quote   Quote: Originally Posted by Arc View Post
It depends. Your ability to use extensions is a bare minimum when you are dealing with a minidump, and it varies depending on the necessity.

In general, the output upto the second break point is good enough.
Yeah ok! Could you please walk me through this one? Or is it as easy as it seems? Looking at this is seems like it was caused by the PTC driver. (We use PTC software) Is it this?
My System SpecsSystem Spec
07 Oct 2014   #9
matts6887

Windows 7 ultimate 64-bit
 
 

Ive been wondering the same thing myself; as I am far from a expert at debugging and figuring out where the issue lies in a bsod. For the most part Ive been leaving bsod's up to the experts cause Im not a expert at it.
My System SpecsSystem Spec
07 Oct 2014   #10
callumm

Windows 7 64bit
 
 

Quote   Quote: Originally Posted by callumm2 View Post
Quote   Quote: Originally Posted by Arc View Post
It depends. Your ability to use extensions is a bare minimum when you are dealing with a minidump, and it varies depending on the necessity.

In general, the output upto the second break point is good enough.
Yeah ok! Could you please walk me through this one? Or is it as easy as it seems? Looking at this is seems like it was caused by the PTC driver. (We use PTC software) Is it this?
Again forgetting the code! lol!

Microsoft (R) Windows Debugger Version 6.12.0002.633 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [C:\Users\*******\Documents\New folder (2)\091114-11356-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: symsrv*symsrv.dll*c:\Windows\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows 7 Kernel Version 7601 (Service Pack 1) MP (8 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 7601.18247.amd64fre.win7sp1_gdr.130828-1532
Machine Name:
Kernel base = 0xfffff800`03452000 PsLoadedModuleList = 0xfffff800`036956d0
Debug session time: Thu Sep 11 07:13:19.667 2014 (UTC + 1:00)
System Uptime: 2 days 16:36:14.000
Loading Kernel Symbols
...............................................................
................................................................
......................................................
Loading User Symbols
Loading unloaded module list
......
Unable to load image \SystemRoot\system32\DRIVERS\PtcVFsd.sys, Win32 error 0n2
*** WARNING: Unable to verify timestamp for PtcVFsd.sys
*** ERROR: Module load completed but symbols could not be loaded for PtcVFsd.sys
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 1000007E, {ffffffffc0000005, fffff800034e6527, fffff88003377848, fffff880033770a0}

Probably caused by : PtcVFsd.sys ( PtcVFsd+93be )

Followup: MachineOwner
---------

2: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

SYSTEM_THREAD_EXCEPTION_NOT_HANDLED_M (1000007e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Some common problems are exception code 0x80000003. This means a hard
coded breakpoint or assertion was hit, but this system was booted
/NODEBUG. This is not supposed to happen as developers should never have
hardcoded breakpoints in retail code, but ...
If this happens, make sure a debugger gets connected, and the
system is booted /DEBUG. This will let us see why this breakpoint is
happening.
Arguments:
Arg1: ffffffffc0000005, The exception code that was not handled
Arg2: fffff800034e6527, The address that the exception occurred at
Arg3: fffff88003377848, Exception Record Address
Arg4: fffff880033770a0, Context Record Address

Debugging Details:
------------------


EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

FAULTING_IP:
nt!ExfReleaseRundownProtection+7
fffff800`034e6527 488b09 mov rcx,qword ptr [rcx]

EXCEPTION_RECORD: fffff88003377848 -- (.exr 0xfffff88003377848)
ExceptionAddress: fffff800034e6527 (nt!ExfReleaseRundownProtection+0x0000000000000007)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 0000000000000000
Parameter[1]: 0000000000000008
Attempt to read from address 0000000000000008

CONTEXT: fffff880033770a0 -- (.cxr 0xfffff880033770a0)
rax=0000000000000000 rbx=0000000000000000 rcx=0000000000000008
rdx=fffffa800ff4a860 rsi=fffffa800ff4a860 rdi=fffffa8013f70e40
rip=fffff800034e6527 rsp=fffff88003377a80 rbp=0000000000000001
r8=0000000000000008 r9=0000000000000005 r10=0000000000000000
r11=fffffa800ca99e58 r12=fffffa8013f70e48 r13=0000000000000001
r14=0000000000000000 r15=0000000000000001
iopl=0 nv up ei ng nz na pe nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00010282
nt!ExfReleaseRundownProtection+0x7:
fffff800`034e6527 488b09 mov rcx,qword ptr [rcx] ds:002b:00000000`00000008=????????????????
Resetting default scope

CUSTOMER_CRASH_COUNT: 1

PROCESS_NAME: System

CURRENT_IRQL: 0

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

EXCEPTION_PARAMETER1: 0000000000000000

EXCEPTION_PARAMETER2: 0000000000000008

READ_ADDRESS: GetPointerFromAddress: unable to read from fffff800036ff100
0000000000000008

FOLLOWUP_IP:
PtcVFsd+93be
fffff880`049c63be ?? ???

BUGCHECK_STR: 0x7E

DEFAULT_BUCKET_ID: NULL_CLASS_PTR_DEREFERENCE

LAST_CONTROL_TRANSFER: from fffff880049c63be to fffff800034e6527

STACK_TEXT:
fffff880`03377a80 fffff880`049c63be : 00000000`00000000 fffffa80`0f5c8510 fffffa80`00000000 00000000`00000001 : nt!ExfReleaseRundownProtection+0x7
fffff880`03377ab0 00000000`00000000 : fffffa80`0f5c8510 fffffa80`00000000 00000000`00000001 00000000`00000001 : PtcVFsd+0x93be


SYMBOL_STACK_INDEX: 1

SYMBOL_NAME: PtcVFsd+93be

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: PtcVFsd

IMAGE_NAME: PtcVFsd.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 4d432fd9

STACK_COMMAND: .cxr 0xfffff880033770a0 ; kb

FAILURE_BUCKET_ID: X64_0x7E_PtcVFsd+93be

BUCKET_ID: X64_0x7E_PtcVFsd+93be

Followup: MachineOwner
---------
My System SpecsSystem Spec
Reply

 How Can I Debug BSOD Errors?




Thread Tools Search this Thread
Search this Thread:

Advanced Search




Similar help and support threads
Thread Forum
BSOD unknown cause need debug
i have the .dmp files however i do not know how to take ownership inorder to upload them.
BSOD Help and Support
Debug Errors
Hi, would someone please have a look at the attached log file and see if they can suggest ways to resolves the errors I keep getting. Windows 7 64 bit Professional Service Pack 1 Processor: Intel Core i5 2500K Motherboard: Foxconn H67M-S/H67M-V/H67 Memory: 8192MB (2 x 4096 DDR3-SDRAM ) ...
BSOD Help and Support
BSOD With No Debug File
My PC will encounter a bluescreen and not write a minidump file. Current Settings: Startup and Recovery: checked write an event to system log and automatically restart, write small dump, small dump directory: %SystemRoot%\Minidump Services: Windows Error Reporting Services...
BSOD Help and Support
Expression Blend Help... Debug Errors
i am using expression blend 4 on windows 7 with .net framework 4.0, when i debug, build, or rebuild, i get an error, to long to remember and it wont let me copy and paste the text. it happens with all programs, wpf, silverlight, c # and VB. i can get it t work in expression web only if i use visual...
General Discussion
Debug 0x10D BSOD
I'll be very grateful if I can get some help debugging a BSOD with the 0x10D Stop code. I attached the minidump file, which is from a Win 7 Starter Edition 32-bit system. The crash occurs within a few seconds of logon, while Win 7 is trying to install drivers. I can't get to the description of the...
BSOD Help and Support
BSOD Please help debug
Hello, Can someone please take a look at my dump file. I get lots of win7 crashes with different error codes, and I'm not sure where to start. Thanks, Bill
BSOD Help and Support


Our Sites

Site Links

About Us

Find Us

Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.

© Designer Media Ltd

All times are GMT -5. The time now is 19:12.

Twitter Facebook Google+



Windows 7 Forums

Seven Forums Android App Seven Forums IOS App