How can a specific event for BSOD analysis be found in the dmp?
OK, so how can I pick a specific event for BSOD analysis?
I've had two BSOD events, one yesterday, one almost exactly one month ago. So I installed, configured and tested WinDBG for BSOD Analysis according to this thread:
WinDBG - Install and Configure for BSOD Analysis
Worked fine.
Then I went ahead and just tried Open Crashdump, and pushed the !analyze -v to get detailed debugging information. I got four pages of text, mixing English and my local language. I got three "Followup: MachineOwner", which I understand to mean that three *.dmp files have been completely read.
But they only refer, partially at that, to the latest BSOD, not the one I had a month ago. How can I find that one? Is it a buffer, so previous files get overwritten? They can still be found in the Log Book for administrative occurrences (sorry if this is the incorrect term, Windows mixes English with local language).
Now, the codes displayed for the errors don't seem to correspond to the two crashes I've had. For example it says BugCheck 24, whereas the BugcheckCode for both crashes in the logbook was 244.
So the first Bugcheck Analysis text says:
BugCheck 24, {1904fb, fffff88008f94c48, fffff88008f944a0, fffff80002ddde2e}
Probably caused by : ntkrnlmp.exe ( nt!FsRtlNotifyFilterReportChange+122 )
The second is probably related to the crash I had yesterday, as the BugcheckParameter is identical to the BugcheckParameter2 number in the logbook. The text reads "Can't switch processors on a kernel triage dump". But the BugcheckParameters3 and 4, which are part of the LogBook reading, are not part of the Bugcheck analysis reading. The Bugcheck Analysis refers to the NTFS_FILE_SYSTEM (24)
If you see NtfsExceptionFilter on the stack then the 2nd and 3rd parameters are the exception record and context record. Do a .cxr
on the 3rd parameter and then kb to obtain a more informative stack
trace.
So this looks like I have to do additional processing. However, there is only a Parameter 2 and a Parameter 1. Then there are two more pages of stack_text. Part of that includes
CUSTOMER_CRASH_COUNT: 1
DEFAULT_BUCKET_ID: VERIFIER_ENABLED_VISTA_MINIDUMP
PROCESS_NAME: qw.exe
Which I suspect then is the culprit of the crash.
Apart from trying to find out what happened, I wonder how come the first BSOD event, a month ago, doesn't show up. Are the dumps overwritten as more events happen?
Furthermore, as I tried to redo the BugcheckAnalysis, after this first run, the Windows system now says no memory.dmp files can be found. Once analyzed, gone?