User-friendly: Analyzing your first BSoD!
Introduction
Note: This will be a slightly different guide to analysing dump files and, hopefully, figuring out the cause of a BSoD. It'll be user-friendly for sure, and I will share my own experience. The tutorial starts off with the very basic things and will probably get a little harder, but not that hard at all!
So there you have it! Read it through a couple of times if you misunderstood something, or just ask in the thread itself.
Happy analysing!
Tip: If your Windbg shows errors related to the symbol path, read the Windbg tutorial again and check your setup.
Warning: Delete the pile of dumps you've been analysing once a month or so. It can run into gigabytes!
Get the Windbg ready!
Windbg stands for Windows Debugging, as you probably guessed, and it's the viewer for the dump file. It works a bit like a command prompt, though a little different: you enter a command and you get its output. We'll get to all this later; first let's get your Windbg ready. The tutorial below covers it all, return when you're ready!
Configuring the Debugging Tools
What is a dump file?
A dump file, also called a crash dump, is created when a BSoD appears. In many cases it lets you see what caused the BSoD, because it records what was happening up until the BSoD took place. Bigger dumps take longer to load. If the user hasn't included dumps in their zip file, link them to the page below.
Posting Instructions
Let's get started
If you followed "Configuring the Debugging Tools", you can simply double-click a .dmp file and Windbg will open. Let Windbg load the dump; it can take a while. If it takes more than 2 min or so, the dump is incomplete. In that case, pick another dump from the .zip.
Probably caused by
Right at the beginning there's a lot of text as soon as you open the dump. That's actually information about the symbols you set up earlier. When you see a line that says:
Code:
Probably caused by: (something)
.. the dump is loaded. In most cases it pins the fault on 'ntoskrnl.exe', which is very likely incorrect: it just puts the fault on that file when it can't figure out what's 'probably' causing the crash.
If the dump points to something else, go to a driver reference (Carrona) and search for it. A dump is fairly easy to analyse in that case.
Bugcheck
The Bugcheck is probably something you know from your own experience. It's a number and some text showing what kind of BSoD the user has been experiencing. Here's an example of a Bugcheck:
Code:
STOP 0x1000007F: UNEXPECTED_KERNEL_MODE_TRAP_M
You can check this website (BSOD Index) and search for the probable causes.
In this case, it could be the CPU.
So, where's the Bugcheck?
The command '!analyze -v' gives you a more detailed analysis of the dump. You can't really miss the Bugcheck: it's surrounded by stars and says Bugcheck.
In a lot of cases the Bugcheck says it's caused by memory corruption, and you should tell the user to run Memtest86+.
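As an added example (mine, not part of the original guide), here is a small Python script that reads the text of '!analyze -v', pulls out the Bugcheck name and code, the 'Probably caused by' module and the PROCESS_NAME/IMAGE_NAME fields, and then maps them onto the decisions above: ntoskrnl.exe is treated as inconclusive, memory_corruption points at Memtest86+, a .exe at the malware/sfc steps and a .sys at the driver reference. The sample output it parses is constructed to mimic WinDbg's layout, and the set of "inconclusive" kernel images is my own assumption.

```python
import re

# Constructed sample of '!analyze -v' output, trimmed to the lines this parser
# reads. It is not taken from a real dump; the layout mimics what WinDbg prints.
SAMPLE_ANALYZE = """\
Probably caused by : ntoskrnl.exe ( nt!KiDoubleFaultAbort+b2 )

*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

UNEXPECTED_KERNEL_MODE_TRAP_M (1000007f)
This means a trap occurred in kernel mode, and it's a trap of a kind
that the kernel isn't allowed to have/catch (bound trap) or that
is always instant death (double fault).
Arguments:
Arg1: 0000000000000008, EXCEPTION_DOUBLE_FAULT
Arg2: 0000000080050031
Arg3: 00000000000006f8
Arg4: fffff80002a8e9d6

BUGCHECK_STR:  0x7f_8

PROCESS_NAME:  System

MODULE_NAME: nt

IMAGE_NAME:  ntoskrnl.exe
"""

# Assumed list: images WinDbg falls back on when it cannot pin the crash on a
# specific driver. A report naming one of these needs more work, as the guide says.
INCONCLUSIVE_IMAGES = {"ntoskrnl.exe", "ntkrnlmp.exe", "ntkrnlpa.exe", "hal.dll"}

# "NAME (code)" line that opens the Bugcheck Analysis box
_BUGCHECK_LINE = re.compile(r"^([A-Z][A-Z0-9_]+) \(([0-9a-fA-F]{1,8})\)\s*$", re.M)
_FIELD = re.compile(r"^(BUGCHECK_STR|PROCESS_NAME|IMAGE_NAME|MODULE_NAME):\s*(\S+)", re.M)
_CAUSED_BY = re.compile(r"^Probably caused by\s*:\s*(\S+)", re.M)


def parse_analyze(text):
    """Pull the bugcheck name/code and the key fields out of !analyze -v text."""
    report = {"bugcheck_name": None, "bugcheck_code": None, "caused_by": None}
    m = _BUGCHECK_LINE.search(text)
    if m:
        report["bugcheck_name"] = m.group(1)
        report["bugcheck_code"] = m.group(2).lower()
    m = _CAUSED_BY.search(text)
    if m:
        report["caused_by"] = m.group(1)
    for key, value in _FIELD.findall(text):
        report[key.lower()] = value  # bugcheck_str, process_name, image_name, module_name
    return report


def triage(report):
    """Map the report onto the guide's decision steps; returns a short verdict string."""
    image = (report.get("caused_by") or report.get("image_name") or "").lower()
    if image == "memory_corruption":
        return "memory_corruption: have the user run Memtest86+"
    if not image or image in INCONCLUSIVE_IMAGES:
        return "inconclusive: check for old drivers, or pick another dump from the zip"
    if image.endswith(".exe"):
        return "process: scan with Malwarebytes, then run sfc /scannow"
    if image.endswith(".sys"):
        return "driver: look %s up in the driver reference" % image
    return "unknown module %s: look it up in the driver reference" % image


if __name__ == "__main__":
    r = parse_analyze(SAMPLE_ANALYZE)
    print(r["bugcheck_name"], r["bugcheck_code"], r["caused_by"])
    print(triage(r))
```

Paste the whole '!analyze -v' output into a file and feed it to parse_analyze; the verdict only tells you which of the guide's branches to follow next, it does not replace reading the stack yourself.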
Check for old drivers.
Code:
lmntsm
That's a command for showing the drivers, but I certainly don't recommend doing it that way. Do it this way:
i) click Debug
ii) click Modules
iii) sort it by date
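If you'd rather not eyeball the Modules window, here is an added example (mine, not from the guide) that does the same sort-by-date on the text of lmntsm: it parses each loaded module's line, turns the hex link timestamp in parentheses into a date, sorts oldest first and lists the images older than a cutoff date you pick. The lmntsm output below is constructed, and the 2009-07-13 cutoff is just an assumed example value.

```python
import re
from datetime import datetime, timezone

# Constructed sample of 'lmntsm' output (not from a real dump). The hex value
# in parentheses is the PE link timestamp, seconds since 1970-01-01 UTC; the
# date text is WinDbg's rendering of the same value (shown here as UTC).
SAMPLE_LMNTSM = """\
start             end                 module name
fffff880`01000000 fffff880`01050000   fltmgr     fltmgr.sys   Mon Jul 13 23:19:59 2009 (4A5BC11F)
fffff800`02a00000 fffff800`02fe0000   nt         ntoskrnl.exe Sat Nov 20 09:30:02 2010 (4CE7951A)
fffff880`04a00000 fffff880`04a0b000   oldaudio   oldaudio.sys Thu May 18 09:32:49 2006 (446C3F41)
fffff880`05200000 fffff880`05251000   vidhlp     vidhlp.sys   Fri Jan 22 17:38:05 2010 (4B59E27D)

Unloaded modules:
fffff880`01a00000 fffff880`01a0e000   crashdmp.sys
"""

# start  end  module  image  <date text>  (HEXSTAMP)
_MODULE_LINE = re.compile(
    r"^([0-9a-f`]+)\s+([0-9a-f`]+)\s+(\S+)\s+(\S+)\s+.*\(([0-9A-Fa-f]{8})\)\s*$"
)


def parse_lmntsm(text):
    """Return [(module, image, link_time)] for every loaded module that has a timestamp."""
    entries = []
    for line in text.splitlines():
        m = _MODULE_LINE.match(line)
        if not m:
            continue  # header, blank and unloaded-module lines carry no timestamp
        stamp = int(m.group(5), 16)
        link_time = datetime.fromtimestamp(stamp, tz=timezone.utc)
        entries.append((m.group(3), m.group(4), link_time))
    return entries


def sort_by_date(entries):
    """Oldest first, the same order you get by sorting the Modules window by date."""
    return sorted(entries, key=lambda e: e[2])


def older_than(entries, cutoff):
    """Image names linked before `cutoff`, i.e. the candidates to hand the user for updating."""
    return [image for _, image, t in sort_by_date(entries) if t < cutoff]


if __name__ == "__main__":
    mods = parse_lmntsm(SAMPLE_LMNTSM)
    # Assumed example cutoff; pick whatever date fits the system you're looking at.
    cutoff = datetime(2009, 7, 13, tzinfo=timezone.utc)
    for image in older_than(mods, cutoff):
        print(image)
```

Copy the lmntsm output from the Windbg command window into a text file and point parse_lmntsm at it; Microsoft's own modules (nt, fltmgr and friends) will show up too, so still check the candidates against the driver reference before posting them.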
Wrap the old drivers in [CODE][/CODE ] tags and post it for the user. If the user wonders how to find the drivers, make a [QUOTE][/QUOTE ] saying:
How to Find Drivers
- search Google for the name of the driver
- compare the Google results with what's installed on your system to figure out which device/program it belongs to
- visit the web site of the manufacturer of the hardware/program to get the latest drivers (DON'T use Windows Update or the Update driver function of Device Manager).
- if there are difficulties in locating them, post back with questions and someone will try and help you locate the appropriate program.
- The most common drivers are listed on this page: Driver Reference
- Driver manufacturer links are on this page: Drivers and Downloads
To remove any left over driver remnants, especially from graphics cards, use Driver Sweeper
Guru3D - Driver Sweeper
What if a process is set as 'Probably caused by'?
When the Probably caused by ends with .exe and the Bugcheck names a process, you know it's a process, for now. It's likely to be a worm, i.e. malware. For that we have the awesome tool for a scan; you should link to the following:
Malwarebytes
It could also be a broken system file; in that case they should run the 'sfc /scannow' command in a command prompt (run as administrator). It'll likely restore some Windows 7 files. Tell the user to run it 2-3 times, as it probably won't repair everything on the first run.
SFC-command
Antivirus error
If you discover an antivirus error, ask the user to uninstall their current antivirus and install Microsoft Security Essentials instead. An antivirus should be uninstalled with the manufacturer's own removal tool. Here's a list of uninstallers.
Uninstallers
Conclusion
There are many more ways to analyse dumps, much more advanced ones too, but these are just the general things I look for first. Somehow I find the pattern analysis quite irrelevant. Of course it can be used if the dump is a bit harder to analyse, but in most cases you can just pick another dump from the zip. I will probably make more detailed guides next time. For now, I hope you enjoyed it, and I'm sure you can use it sometime. I totally understand if you find this hard and think there's a lot of writing; well, even the professionals can have trouble with all this.
Change-log
Code:
- added malwarebytes option
- added sfc /scannow command
- added antivirus
- added antivirus-uninstallers
- added goodies in the conclusion
- added lmntsm instead of lm t n
- added tip/warning
Fred.
Last edited by FredeGail; 24 Nov 2011 at 11:21. Reason: change-log updated EU: 23-11-2011 US: 11-23-2011