User-friendly: Analyzing your first BSoD!


  1. Posts : 2,393
    Microsoft Windows 7 Ultimate: x64 (SP1)
       #1

    User-friendly: Analyzing your first BSoD!


    Introduction
       Note
    So this will be a slightly different guide for analysing dump files and hopefully figuring out the cause of a BSoD. It'll be user-friendly for sure, and I will share my own experience. The tutorial will start off with the very basic things, and will probably get a little harder, but not that hard at all!
    So there you have it! Read it through a couple of times if you misunderstood something, or just ask in the thread itself.

    Happy analysing!

       Tip
    If your Windbg shows errors related to the symbol path, you should read the Windbg tutorial again and check up on it.

       Warning
    Delete the bunch of dumps you're analyzing once a month or so. It can run into gigabytes!


    Get the Windbg ready!
    Windbg stands for Windows Debugging, as you probably guessed, and it's the visualizer for the dump file. It works a bit like a command prompt, a bit different though: you enter a command, and you get its output. But we will get to all this later; first let's get your Windbg ready. The tutorial below covers it all, return when you're ready!

    Configuring the Debugging Tools

    What is a dump file?
    A dump file, also called a crash dump, is created when a BSoD appears. In many cases it'll let you see what caused the BSoD. It'll tell you what kind of events have been happening until the BSoD took place. Bigger dumps take longer to load. If the user doesn't have this included in the zip file, you should link to the page below.

    Posting Instructions

    Let's get started
    If you followed the "Configuring the Debugging Tools" tutorial, you're able to simply double-click on a .dmp file and Windbg will open. Let Windbg load the dump; it can take time. If it takes more than 2 min or so, the dump is incomplete. If this is the case, you should pick another dump in the .zip.

    Probably caused by
    So at the very beginning there's a lot of text just when you open the dump. That's actually information about the symbols you picked earlier. When you see a text field where it says:
    Code:
    Probably caused by: (something)
    ... the dump is loaded. In most cases, it shoots the fault at 'ntoskrnl.exe', which is likely very incorrect. It'll just put the fault on that .exe file if it can't figure out what's 'Probably' causing the dump.
    If the dump points to something else, go to a driver reference (Carrona) and search for it. A dump is fairly easy to analyse if this is the case.

    Bugcheck
    The Bugcheck is probably something you know from your own experience. It's a number and some text which shows what kind of BSoD the user has been experiencing. Here's an example of a Bugcheck.
    Code:
    STOP 0x1000007F: UNEXPECTED_KERNEL_MODE_TRAP_M
    You can check this website (BSOD Index) and search for the probable causes.

    In this case, it could be the CPU.

    So, where's the Bugcheck?
    The command '!analyze -v' will give you a more detailed analysis of the dump. You can't really miss it. It's surrounded by stars and says Bugcheck.
    In a lot of cases, the Bugcheck says it's caused by a memory corruption, and you should inform the user to run Memtest86+.

    Check for old drivers.
    Code:
    lmntsm
    That's a command for showing drivers, but I certainly do not recommend it that way. Do it this way:

    i) click Debug
    ii) click Modules
    iii) sort it by date

    Wrap the old drivers in a [CODE][/CODE ] and post it for the user. If the user wonders how to find the drivers, make a [QUOTE][/QUOTE ] saying:

    How to Find Drivers
    - search Google for the name of the driver
    - compare the Google results with what's installed on your system to figure out which device/program it belongs to
    - visit the web site of the manufacturer of the hardware/program to get the latest drivers (DON'T use Windows Update or the Update driver function of Device Manager).
    - if there are difficulties in locating them, post back with questions and someone will try and help you locate the appropriate program.
    - The most common drivers are listed on this page: Driver Reference
    - Driver manufacturer links are on this page: Drivers and Downloads
    To remove any left over driver remnants, especially from graphics cards, use Driver Sweeper:
    Guru3D - Driver Sweeper

    What if a process is set as 'Probably caused by'?
    When the 'Probably caused by' field ends with .exe and the Bugcheck reports a process, you know it's a process, for now. It'll likely be a worm, also known as Malware. For that we have the awesome tool for a scan. You should link to the following:

    Malwarebytes

    It could also be a broken system file. In that case, they should run the 'sfc /scannow' command in a command prompt. It'll likely restore some Windows 7 files. Tell the user to run it 2-3 times, as it likely won't repair everything on the first run.

    SFC-command

    Antivirus error
    If you discover an Antivirus error, you should ask the user to uninstall their current Antivirus, and ask them to install Microsoft Security Essentials. An antivirus should be uninstalled with the manufacturer's software. Here's a list of uninstallers.

    Uninstallers

    Conclusion
    There are many more ways to analyse dumps, much more advanced too, but these are just the general things I look for first. Somehow I find the pattern analyses quite irrelevant. Of course it can be used if the dump is a bit harder to analyse, but in most cases you can just pick another dump from the zip. I will probably make more detailed guides next time. For now, I hope you enjoyed it, and I'm sure that you can use it sometime. I totally understand if you find this hard and think there's a lot of writing; well, even the professionals can have trouble with all this.

    Change-log
    Code:
    - added malwarebytes option
    - added sfc /scannow command
    - added antivirus
    - added antivirus-uninstallers
    - added goodies in the conclusion
    - added lmntsm instead of lm t n
    - added tip/warning


    Fred.
    Last edited by FredeGail; 24 Nov 2011 at 11:21. Reason: change-log updated EU: 23-11-2011 US: 11-23-2011
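    The checks in the post above (read the Bugcheck and the 'Probably caused by' line from '!analyze -v', then sort the module list by date to spot old drivers) can be scripted once you have saved the Windbg text output to a file. The script below is an added example for this thread, not part of Fred's guide or of Windbg itself; it assumes you paste the '!analyze -v' and 'lm n t' output into strings, and the sample output, module names, addresses and link dates in it are constructed, not taken from a real dump. The "older than 2009" cutoff is an assumption you would adjust.

```python
"""First-pass BSoD triage over saved WinDbg text output (added example for
this thread, not part of the guide or of WinDbg). It pulls the bugcheck and
the 'Probably caused by' module out of `!analyze -v` text and lists loaded
modules by link date from `lm n t`, so old drivers stand out."""
import re
from datetime import datetime

# Kernel images WinDbg tends to blame when it cannot pin the fault on a driver
# (the guide names ntoskrnl.exe; the rest are the kernel's build variants).
KERNEL_IMAGES = {"ntoskrnl.exe", "ntkrnlmp.exe", "ntkrnlpa.exe", "ntkrpamp.exe"}
DEFAULT_CUTOFF = datetime(2009, 1, 1)  # assumption: older than this is "old"

# Constructed excerpt in the shape of !analyze -v output (not a real dump).
SAMPLE_ANALYZE = """\
Probably caused by : examplenic.sys ( examplenic+1a2b )

*******************************************************************************
*                        Bugcheck Analysis                                    *
*******************************************************************************

UNEXPECTED_KERNEL_MODE_TRAP_M (1000007f)
Arguments:
Arg1: 0000000000000008, EXCEPTION_DOUBLE_FAULT
BUGCHECK_STR:  0x7f_8
MODULE_NAME: examplenic
IMAGE_NAME:  examplenic.sys
"""

# Constructed excerpt in the shape of `lm n t` output; the module names,
# addresses and link dates are invented.
SAMPLE_LM = """\
start             end                 module name
fffff800`02c0c000 fffff800`031f5000   nt         ntkrnlmp.exe   Sat Nov 20 04:30:02 2010 (4CE7951A)
fffff880`04a9b000 fffff880`04aa6000   examplenic examplenic.sys Tue Mar 14 09:21:11 2006 (44169B57)
fffff880`01000000 fffff880`01045000   examplefs  examplefs.sys  Mon Jul 26 21:03:44 2010 (4C4E1F10)
"""

ANALYZE_FIELDS = {
    "probably_caused_by": re.compile(r"^Probably caused by\s*:\s*(\S+)", re.M),
    "bugcheck_str": re.compile(r"^BUGCHECK_STR:\s*(\S+)", re.M),
    "module_name": re.compile(r"^MODULE_NAME:\s*(\S+)", re.M),
    "image_name": re.compile(r"^IMAGE_NAME:\s*(\S+)", re.M),
}
BUGCHECK_LINE = re.compile(r"^([A-Z][A-Z0-9_]*) \(([0-9a-fA-F]+)\)$", re.M)  # NAME (code)
LM_LINE = re.compile(  # start end name image "Ddd Mmm dd HH:MM:SS YYYY (hex)"
    r"^([0-9a-f`]+)\s+([0-9a-f`]+)\s+(\S+)\s+(\S+)\s+"
    r"(\w{3} \w{3}\s+\d{1,2} \d\d:\d\d:\d\d \d{4})\s+\(([0-9A-Fa-f]+)\)", re.M)


def parse_analyze(text):
    """Extract the fields the guide looks at from !analyze -v output."""
    info = {}
    for key, pattern in ANALYZE_FIELDS.items():
        match = pattern.search(text)
        info[key] = match.group(1) if match else None
    match = BUGCHECK_LINE.search(text)
    info["bugcheck_name"] = match.group(1) if match else None
    info["bugcheck_code"] = match.group(2).lower() if match else None
    return info


def parse_modules(text):
    """Parse `lm n t` rows into dicts; the link timestamp becomes a datetime."""
    return [{"name": m.group(3), "image": m.group(4),
             "timestamp": datetime.strptime(m.group(5), "%a %b %d %H:%M:%S %Y")}
            for m in LM_LINE.finditer(text)]


def old_modules(modules, cutoff=DEFAULT_CUTOFF):
    """Modules linked before `cutoff`, oldest first (the 'sort by date' step)."""
    return sorted((m for m in modules if m["timestamp"] < cutoff),
                  key=lambda m: m["timestamp"])


def classify_blame(image):
    """Apply the guide's rule of thumb to the 'Probably caused by' image."""
    if image is None:
        return "unknown"
    lowered = image.lower()
    if lowered in KERNEL_IMAGES:
        return "kernel"   # WinDbg fell back to blaming the kernel; not a real lead
    if lowered.endswith(".exe"):
        return "process"  # guide: suspect malware or damaged system files
    return "driver"       # look it up in a driver reference


def triage(analyze_text, lm_text, cutoff=DEFAULT_CUTOFF):
    """Combine both parsers into the summary a first pass would post."""
    info = parse_analyze(analyze_text)
    info["blame"] = classify_blame(info["probably_caused_by"])
    info["old_drivers"] = [(m["image"], m["timestamp"].date().isoformat())
                           for m in old_modules(parse_modules(lm_text), cutoff)]
    return info


if __name__ == "__main__":
    for key, value in triage(SAMPLE_ANALYZE, SAMPLE_LM).items():
        print(f"{key:>20}: {value}")
```

    Run it as-is and it reports the constructed sample as a driver blame (examplenic.sys, bugcheck 0x1000007f) with one module older than the cutoff; swap in the real text you copied from the Windbg command window to get the same summary for a user's dump. The "kernel" result mirrors the guide's warning that a 'Probably caused by' pointing at the kernel image is usually not the real cause.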


  2. Posts : 8,476
    Windows® 8 Pro (64-bit)
       #2

    Great job mate.


  3. Posts : 2,393
    Microsoft Windows 7 Ultimate: x64 (SP1)
    Thread Starter
       #3

    Dinesh said:
    Great job mate.
    Thanks Dinesh!


  4. Posts : 3,302
    Windows 7 Home Premium x64 SP1
       #4

    Very interesting, FredeGail, especially for someone who doesn't know where to start like me lol :)

    Danny


  5. Posts : 2,393
    Microsoft Windows 7 Ultimate: x64 (SP1)
    Thread Starter
       #5

    xxxdannyxxx said:
    Very interesting, FredeGail, especially for someone who doesn't know where to start like me lol :)

    Danny
    Glad you also could use it Danny.
    Thanks!

    Fred.


  6. Posts : 7,730
    Windows 7 Ultimate SP1 64-Bit
       #6

    Cheers Fred, BSOD analysis left me cold as I didn't know where to start.

    Now I know where to start I need to find a road map for the rest of the journey! :)


  7. Posts : 2,393
    Microsoft Windows 7 Ultimate: x64 (SP1)
    Thread Starter
       #7

    seavixen32 said:
    Cheers Fred, BSOD analysis left me cold as I didn't know where to start.

    Now I know where to start I need to find a road map for the rest of the journey! :)
    Haha, glad you liked it seavixen!

    Fred.


  8. Posts : 2,393
    Microsoft Windows 7 Ultimate: x64 (SP1)
    Thread Starter
       #8

    I updated some stuff. You can check the change-log in the end of the main post! :)

    Fred.


  9. Posts : 12,177
    Windows 7 Ult x64 - SP1/ Windows 8 Pro x64
       #9

    Nice tut Fred, good information.

    It's actually pretty easy once you do it a couple of times.

    When looking for causes and clues, open the Event logs, $evtx_app_dump and $evtx_sys_dump, these are application and system event logs.
    These are usually big files, so use the 'Find' in the 'EDIT' tab, enter 'error' (no quotation marks).
    This will take you to all the errors and usually you will find some interesting information.


  10. Posts : 2,009
    Windows 7 Ultimate x86
       #10

    Nice work !
    Just a remark:
    Instead of
    Code:
    lm t n
    I use
    Code:
    lmntsm
    which sorts by name and serves me better when looking for a specific driver.

    -DG


 