How Can I Debug BSOD Errors?

Hi,

I want to learn how to debug BSODs. I work with computers, so learning this would really help!
I can use Windbg to certain level and find out some information about the crash. I get to a certain point where I cannot be sure what caused the crash. Please see the example. Can anyone help me become "Good" at debugging these?

The example posted below is one that I cannot figure out the cause. Can you please take me through debugging this? What commands I should use/ What I should look for?

Thanks!

Microsoft (R) Windows Debugger Version 6.12.0002.633 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [C:\Users\********\Documents\New folder (2)\091114-23025-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: symsrv*symsrv.dll*c:\Windows\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows 7 Kernel Version 7601 (Service Pack 1) MP (8 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 7601.18247.amd64fre.win7sp1_gdr.130828-1532
Machine Name:
Kernel base = 0xfffff800`0340a000 PsLoadedModuleList = 0xfffff800`0364d6d0
Debug session time: Thu Sep 11 18:09:11.716 2014 (UTC + 1:00)
System Uptime: 0 days 8:30:04.479
Loading Kernel Symbols
...............................................................
................................................................
......................................................
Loading User Symbols
Loading unloaded module list
......
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 4A, {7702160a, 1, 0, fffff8800ade3b60}

Probably caused by : ntkrnlmp.exe ( nt!KiSystemServiceExit+245 )

Followup: MachineOwner
---------

4: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

IRQL_GT_ZERO_AT_SYSTEM_SERVICE (4a)
Returning to usermode from a system call at an IRQL > PASSIVE_LEVEL.
Arguments:
Arg1: 000000007702160a, Address of system function (system call routine)
Arg2: 0000000000000001, Current IRQL
Arg3: 0000000000000000, 0
Arg4: fffff8800ade3b60, 0

Debugging Details:
------------------


PROCESS_NAME: svchost.exe

BUGCHECK_STR: RAISED_IRQL_FAULT

FAULTING_IP:
+6161646137623265
00000000`7702160a ?? ???

CUSTOMER_CRASH_COUNT: 1

DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT

CURRENT_IRQL: 1

LAST_CONTROL_TRANSFER: from fffff8000347f169 to fffff8000347fbc0

STACK_TEXT:
fffff880`0ade3928 fffff800`0347f169 : 00000000`0000004a 00000000`7702160a 00000000`00000001 00000000`00000000 : nt!KeBugCheckEx
fffff880`0ade3930 fffff800`0347f0a0 : fffffa80`1359cb50 fffff880`0ade3b60 00000000`03fbf5b8 fffff880`0ade3a88 : nt!KiBugCheckDispatch+0x69
fffff880`0ade3a70 00000000`7702160a : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceExit+0x245
00000000`03fbf598 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x7702160a


STACK_COMMAND: kb

FOLLOWUP_IP:
nt!KiSystemServiceExit+245
fffff800`0347f0a0 4883ec50 sub rsp,50h

SYMBOL_STACK_INDEX: 2

SYMBOL_NAME: nt!KiSystemServiceExit+245

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: nt

IMAGE_NAME: ntkrnlmp.exe

DEBUG_FLR_IMAGE_TIMESTAMP: 521ea035

FAILURE_BUCKET_ID: X64_RAISED_IRQL_FAULT_svchost.exe_nt!KiSystemServiceExit+245

BUCKET_ID: X64_RAISED_IRQL_FAULT_svchost.exe_nt!KiSystemServiceExit+245

Followup: MachineOwner
---------

4: kd> lmvm nt
start end module name
fffff800`0340a000 fffff800`039ef000 nt (pdb symbols) C:\ProgramData\dbg\sym\ntkrnlmp.pdb\F69D000687EC491E87FC0425D4D378AC2\ntkrnlmp.pdb
Loaded symbol image file: ntkrnlmp.exe
Mapped memory image file: C:\ProgramData\dbg\sym\ntoskrnl.exe\521EA0355e5000\ntoskrnl.exe
Image path: ntkrnlmp.exe
Image name: ntkrnlmp.exe
Timestamp: Thu Aug 29 02:13:25 2013 (521EA035)
CheckSum: 0054CBB3
ImageSize: 005E5000
File version: 6.1.7601.18247
Product version: 6.1.7601.18247
File flags: 0 (Mask 3F)
File OS: 40004 NT Win32
File type: 1.0 App
File date: 00000000.00000000
Translations: 0409.04b0
CompanyName: Microsoft Corporation
ProductName: Microsoft® Windows® Operating System
InternalName: ntkrnlmp.exe
OriginalFilename: ntkrnlmp.exe
ProductVersion: 6.1.7601.18247
FileVersion: 6.1.7601.18247 (win7sp1_gdr.130828-1532)
FileDescription: NT Kernel & System
LegalCopyright: © Microsoft Corporation. All rights reserved.

Arc said:

Hi. :)

I guess you missed to post the example?

Yeah lol! Now added it!

Arc said:

callumm2 said:

Arc said:

Hi. :)

I guess you missed to post the example?

Yeah lol! Now added it!

▲ Above your post. :) ^

Thanks for your input! I was just using that as an example wasn't a very good one! What sort of process should I go through to debug one? Like what commands should I be using to find out information? :)

Arc said:

It depends. Your ability to use extensions is a bare minimum when you are dealing with a minidump, and it varies depending on the necessity.

In general, the output upto the second break point is good enough.

Yeah ok! Could you please walk me through this one? Or is it as easy as it seems? Looking at this is seems like it was caused by the PTC driver. (We use PTC software) Is it this?

callumm2 said:

Arc said:

It depends. Your ability to use extensions is a bare minimum when you are dealing with a minidump, and it varies depending on the necessity.

In general, the output upto the second break point is good enough.

Yeah ok! Could you please walk me through this one? Or is it as easy as it seems? Looking at this is seems like it was caused by the PTC driver. (We use PTC software) Is it this?

Again forgetting the code! lol!

Microsoft (R) Windows Debugger Version 6.12.0002.633 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [C:\Users\*******\Documents\New folder (2)\091114-11356-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: symsrv*symsrv.dll*c:\Windows\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows 7 Kernel Version 7601 (Service Pack 1) MP (8 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 7601.18247.amd64fre.win7sp1_gdr.130828-1532
Machine Name:
Kernel base = 0xfffff800`03452000 PsLoadedModuleList = 0xfffff800`036956d0
Debug session time: Thu Sep 11 07:13:19.667 2014 (UTC + 1:00)
System Uptime: 2 days 16:36:14.000
Loading Kernel Symbols
...............................................................
................................................................
......................................................
Loading User Symbols
Loading unloaded module list
......
Unable to load image \SystemRoot\system32\DRIVERS\PtcVFsd.sys, Win32 error 0n2
*** WARNING: Unable to verify timestamp for PtcVFsd.sys
*** ERROR: Module load completed but symbols could not be loaded for PtcVFsd.sys
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 1000007E, {ffffffffc0000005, fffff800034e6527, fffff88003377848, fffff880033770a0}

Probably caused by : PtcVFsd.sys ( PtcVFsd+93be )

Followup: MachineOwner
---------

2: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

SYSTEM_THREAD_EXCEPTION_NOT_HANDLED_M (1000007e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Some common problems are exception code 0x80000003. This means a hard
coded breakpoint or assertion was hit, but this system was booted
/NODEBUG. This is not supposed to happen as developers should never have
hardcoded breakpoints in retail code, but ...
If this happens, make sure a debugger gets connected, and the
system is booted /DEBUG. This will let us see why this breakpoint is
happening.
Arguments:
Arg1: ffffffffc0000005, The exception code that was not handled
Arg2: fffff800034e6527, The address that the exception occurred at
Arg3: fffff88003377848, Exception Record Address
Arg4: fffff880033770a0, Context Record Address

Debugging Details:
------------------


EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

FAULTING_IP:
nt!ExfReleaseRundownProtection+7
fffff800`034e6527 488b09 mov rcx,qword ptr [rcx]

EXCEPTION_RECORD: fffff88003377848 -- (.exr 0xfffff88003377848)
ExceptionAddress: fffff800034e6527 (nt!ExfReleaseRundownProtection+0x0000000000000007)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 0000000000000000
Parameter[1]: 0000000000000008
Attempt to read from address 0000000000000008

CONTEXT: fffff880033770a0 -- (.cxr 0xfffff880033770a0)
rax=0000000000000000 rbx=0000000000000000 rcx=0000000000000008
rdx=fffffa800ff4a860 rsi=fffffa800ff4a860 rdi=fffffa8013f70e40
rip=fffff800034e6527 rsp=fffff88003377a80 rbp=0000000000000001
r8=0000000000000008 r9=0000000000000005 r10=0000000000000000
r11=fffffa800ca99e58 r12=fffffa8013f70e48 r13=0000000000000001
r14=0000000000000000 r15=0000000000000001
iopl=0 nv up ei ng nz na pe nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00010282
nt!ExfReleaseRundownProtection+0x7:
fffff800`034e6527 488b09 mov rcx,qword ptr [rcx] ds:002b:00000000`00000008=????????????????
Resetting default scope

CUSTOMER_CRASH_COUNT: 1

PROCESS_NAME: System

CURRENT_IRQL: 0

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

EXCEPTION_PARAMETER1: 0000000000000000

EXCEPTION_PARAMETER2: 0000000000000008

READ_ADDRESS: GetPointerFromAddress: unable to read from fffff800036ff100
0000000000000008

FOLLOWUP_IP:
PtcVFsd+93be
fffff880`049c63be ?? ???

BUGCHECK_STR: 0x7E

DEFAULT_BUCKET_ID: NULL_CLASS_PTR_DEREFERENCE

LAST_CONTROL_TRANSFER: from fffff880049c63be to fffff800034e6527

STACK_TEXT:
fffff880`03377a80 fffff880`049c63be : 00000000`00000000 fffffa80`0f5c8510 fffffa80`00000000 00000000`00000001 : nt!ExfReleaseRundownProtection+0x7
fffff880`03377ab0 00000000`00000000 : fffffa80`0f5c8510 fffffa80`00000000 00000000`00000001 00000000`00000001 : PtcVFsd+0x93be


SYMBOL_STACK_INDEX: 1

SYMBOL_NAME: PtcVFsd+93be

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: PtcVFsd

IMAGE_NAME: PtcVFsd.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 4d432fd9

STACK_COMMAND: .cxr 0xfffff880033770a0 ; kb

FAILURE_BUCKET_ID: X64_0x7E_PtcVFsd+93be

BUCKET_ID: X64_0x7E_PtcVFsd+93be

Followup: MachineOwner
---------