Introduction: How to Analyze a BSOD Crash Dump

Picture of How to Analyze a BSOD Crash Dump

Blue screens of death can be caused by a multitude of factors. There are many tools on the internet that can analyze these; however, Microsoft has its own tool. When a computer is exhibiting problems, most users are reluctant to download a 3rd party tool that "might make things worse." This is where the Windows Debugging Tools come into play.

This how-to will instruct a user on how to install the tool and how to analyze a crash dump to determine the cause.

Step 1: Download the Debugging Tools for Windows

The tools are included as part of the Windows Software Development Kit (SDK) for Windows. We only want the tools.

Step 2: Run the Setup for the SDK

Picture of Run the Setup for the SDK
The installer is a downloader for the complete SDK. We don't want all the extras; we just want the tools.
  1. Click Next through the installer until you reach the screen where you choose the packages to download, labeled "Select the features you want to install."
  2. Deselect the checkboxes next to all the packages except Debugging Tools for Windows.
  3. Click Install.

Step 3: Wait for the Installer

Picture of Wait for the Installer

Wait for the installer to download the packages and install them. Once the installation is complete, click on Close.

Step 4: Run WinDbg

Picture of Run WinDbg
  1. Run WinDbg as Administrator. The screenshot is from Windows 8.1, but this step is the same for all operating systems from Vista upwards: run it as Administrator.
    1. On Windows 8.1, this is achieved by searching for the program, then right-clicking it in the list to the right.
    2. It is important that WinDbg be run as Administrator.
      1. On Windows 8 and higher, there are permission issues reading crash dumps when the user isn't elevated.

Step 5: Set the Symbol Path

Picture of Set the Symbol Path
Windbg requires a symbol file path.
  1. Click on File
  2. Click on Symbol File Path ...

Step 6: Input the Symbols File Path

Picture of Input the Symbols File Path
  1. Paste the following text into the Symbol Search Path Dialog
    1. SRV*C:\Windows\symbol_cache*http://msdl.microsoft.com/download/symbols
  2. Click OK

Step 7: Save the Workspace

Picture of Save the Workspace
  1. Click on File
  2. Click on Save Workspace

Step 8: Open the Crash Dump

Picture of Open the Crash Dump
  1. Click on File
  2. Click on Open Crash Dump...
  3. Navigate to: C:\Windows\
  4. Select the file named MEMORY.DMP
  5. Click Open

Step 9: Analyze!

Picture of Analyze!
After opening the crash dump, a window will spawn. The window will rapidly fill with text.
  1. At the bottom of the wall of text, you will notice a line with the text:
    1. Probably caused by :
      1. As you can imagine, that's what caused the BSOD.
      2. Google the thing that caused your BSOD.
        1. For example: in this instance I would google
          1. BSOD Win8.1 NETIO.SYS
OPTIONAL
At the bottom of the block of text, there will be a blue link with the words !analyze -v
  1. Click on the blue link named !analyze -v
  2. This will give a further detailed analysis to post on a forum, or send to someone else.
  3. It will also tell you what kind of fault it was; in this instance, my BSOD was a
    1. DEFAULT_BUCKET_ID: WIN8_DRIVER_FAULT
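The same triage as Step 9, scripted, as an added example that is not part of the original Instructable: cdb.exe (the console counterpart of WinDbg, installed by the same Debugging Tools package) runs !analyze -v without the GUI, and the parser pulls out the bugcheck code, the "Probably caused by" line, the bucket id, any driver the symbol server could not verify, and the stack frames, then names the first frame outside the kernel image as the module to search for. The sample is abridged from the dump pasted in the comments below; that cdb.exe is on PATH is an assumption.

```python
import re

# Symbol path from Step 6: a local cache in front of the Microsoft symbol server.
SYMBOL_PATH = r"SRV*C:\Windows\symbol_cache*http://msdl.microsoft.com/download/symbols"

def cdb_command(dump_path, cdb_exe="cdb.exe"):
    """Steps 4-9 without the GUI: open the dump (-z), set symbols (-y), run !analyze -v and quit (-c)."""
    return [cdb_exe, "-z", dump_path, "-y", SYMBOL_PATH, "-c", "!analyze -v; q"]

# One regex per field Step 9 tells you to read; group 1 is the value.
FIELDS = {"bugcheck": r"BugCheck ([0-9A-Fa-f]+), \{", "probably_caused_by": r"Probably caused by : (\S+)",
          "bucket_id": r"DEFAULT_BUCKET_ID:\s+(\S+)", "process_name": r"PROCESS_NAME:\s+(.+)",
          "unverified_module": r"\*\*\* (?:WARNING|ERROR): .* for (\S+)$"}

def parse_analyze(text):
    """Return the key fields of !analyze -v output plus the STACK_TEXT frame names, top first."""
    t, in_stack = {"stack": []}, False
    for ln in (s.strip() for s in text.splitlines()):
        for key, pattern in FIELDS.items():
            m = re.match(pattern, ln)
            if m:
                t[key] = m.group(1)          # WARNING and ERROR name the same driver; last one wins
        if ln.startswith("STACK_TEXT:"):
            in_stack = True
        elif ln.startswith("STACK_COMMAND:"):
            in_stack = False
        elif in_stack and " : " in ln:
            t["stack"].append(ln.rsplit(" : ", 1)[1])   # symbol follows the last " : "
    return t

def suspect_module(t):
    """The module to search for (Step 9): the first frame outside the kernel image (nt!), which is
    the better lead when 'Probably caused by' only says memory_corruption; else that line's value."""
    for frame in t["stack"]:
        if not frame.startswith("nt!"):
            return frame.split("+")[0].split("!")[0]
    return t.get("probably_caused_by", "")

# Constructed sample, abridged from the !analyze -v output posted in the comments below.
SAMPLE = """BugCheck 139, {3, ffffcc003d3227b0, ffffcc003d322708, 0}
*** WARNING: Unable to verify timestamp for nptdrv2.sys
*** ERROR: Module load completed but symbols could not be loaded for nptdrv2.sys
Probably caused by : memory_corruption
DEFAULT_BUCKET_ID:  CODE_CORRUPTION
PROCESS_NAME:  ORiON Virtual
STACK_TEXT:
ffffcc00`3d322488 fffff801`8797b8a9 : 00000000`00000139 00000000`00000003 ffffcc00`3d3227b0 ffffcc00`3d322708 : nt!KeBugCheckEx
ffffcc00`3d3227b0 fffff80f`78ea7cd4 : 00000000`00000070 00000000`00000000 00000000`00000002 ffffdd0b`c4aed230 : nt!KiRaiseSecurityCheckFailure+0xf7
ffffcc00`3d322940 00000000`00000070 : 00000000`00000000 00000000`00000002 ffffdd0b`c4aed230 ffffdd0b`c18eb9d8 : nptdrv2+0x7cd4
STACK_COMMAND:  kb
"""
```

Feed the text from `subprocess.run(cdb_command(r"C:\Windows\MEMORY.DMP"), capture_output=True, text=True).stdout` to `parse_analyze` to triage a real dump; on the sample, `suspect_module` returns nptdrv2, the driver to search for.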

Step 10: Optional: Save the Output

Picture of Optional: Save the Output
If you wish to save the output to a Text File:
  1. Click on Edit
  2. Click on Write Window Text to File...
  3. Choose a location that is easy to remember, such as Documents.
  4. Share the text file with people that can help!
  5. Done!

Comments

thebear1 (author) 2013-12-04

nice job on this
will this work on windows xp pro sp3

Azerial (author), in reply to thebear1, 2013-12-04

Hi thebear1, I have modified the first step to include information (a different download link) about Vista and Windows XP.

All the sequential steps will be the same. The only difference is the GUI will be slightly different, but the package to download will be named the same. (Also you won't need to run as Administrator on Windows XP unless you're a limited user) 

Thanks for pointing that out! :)

MattK9 (author), in reply to Azerial, 2015-06-22

Hi Azerial,

I ran through all of the steps as described. However, when I try to open the Memory.dmp file I get the following message:

"Loading Dump File [C:\Windows\MEMORY.DMP]

Kernel Bitmap Dump File: Only kernel address space is available

Invalid directory table base value 0x0"

I also get a popup window titled "WinDgb:6.3.9600.17298 AMD64"

The windows says:

"Could not find the C:\\Windows\MEMORY.DMP Dump File, Win32 error 0n1392

The file or directory is corrupted or unreadable."

I'm using Windows 8.1 on a late 2014 Dell XPS 13. I recently reinstalled Windows per Dell customer support's advice. Subsequently, I got a BSOD with a "Bad_Pool_Caller" code.

I really don't have much of an idea where to go from here. I'd appreciate any advice you could offer. Thanks in advance!

LeeAnneA (author) 2017-08-02

Hi everyone, can you please help me analyze the BSOD I'm encountering here? I'm trying to use a serial COM port device, and upon receiving an incoming file a BSOD will appear. I can't replicate the BSOD on my own computer, though. Thanks for the help.

..........................................................
Loading User Symbols
Loading unloaded module list
...........
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 139, {3, ffffcc003d3227b0, ffffcc003d322708, 0}

*** WARNING: Unable to verify timestamp for nptdrv2.sys
*** ERROR: Module load completed but symbols could not be loaded for nptdrv2.sys
Probably caused by : memory_corruption

Followup: memory_corruption
---------

0: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

KERNEL_SECURITY_CHECK_FAILURE (139)
A kernel component has corrupted a critical data structure. The corruption
could potentially allow a malicious user to gain control of this machine.
Arguments:
Arg1: 0000000000000003, A LIST_ENTRY has been corrupted (i.e. double remove).
Arg2: ffffcc003d3227b0, Address of the trap frame for the exception that caused the bugcheck
Arg3: ffffcc003d322708, Address of the exception record for the exception that caused the bugcheck
Arg4: 0000000000000000, Reserved

Debugging Details:
------------------

TRAP_FRAME: ffffcc003d3227b0 -- (.trap 0xffffcc003d3227b0)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=ffffdd0bbf047618 rbx=0000000000000000 rcx=0000000000000003
rdx=ffffdd0bc18eb8a0 rsi=0000000000000000 rdi=0000000000000000
rip=fffff80f78ea7cd4 rsp=ffffcc003d322940 rbp=0000000000000000
r8=ffffdd0bc18eb8a0 r9=ffffdd0bc18eb070 r10=0000000000000000
r11=0000000000000000 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei pl nz ac po nc
nptdrv2+0x7cd4:
fffff80f`78ea7cd4 cd29 int 29h
Resetting default scope

EXCEPTION_RECORD: ffffcc003d322708 -- (.exr 0xffffcc003d322708)
ExceptionAddress: fffff80f78ea7cd4 (nptdrv2+0x0000000000007cd4)
ExceptionCode: c0000409 (Security check failure or stack buffer overrun)
ExceptionFlags: 00000001
NumberParameters: 1
Parameter[0]: 0000000000000003

CUSTOMER_CRASH_COUNT: 1

DEFAULT_BUCKET_ID: CODE_CORRUPTION

BUGCHECK_STR: 0x139

PROCESS_NAME: ORiON Virtual

CURRENT_IRQL: 2

ERROR_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.

EXCEPTION_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.

EXCEPTION_PARAMETER1: 0000000000000003

EXCEPTION_STR: 0x0

LAST_CONTROL_TRANSFER: from fffff8018797b8a9 to fffff801879704c0

STACK_TEXT:
ffffcc00`3d322488 fffff801`8797b8a9 : 00000000`00000139 00000000`00000003 ffffcc00`3d3227b0 ffffcc00`3d322708 : nt!KeBugCheckEx
ffffcc00`3d322490 fffff801`8797bc10 : ffffdd0b`c53d0c20 ffffdd0b`c50ddef0 ffffdd0b`c514eae0 fffff801`00000000 : nt!KiBugCheckDispatch+0x69
ffffcc00`3d3225d0 fffff801`8797abf7 : 00000000`00000000 00000000`00000000 00000000`00000005 ffffdd0b`c18eb1c0 : nt!KiFastFailDispatch+0xd0
ffffcc00`3d3227b0 fffff80f`78ea7cd4 : 00000000`00000070 00000000`00000000 00000000`00000002 ffffdd0b`c4aed230 : nt!KiRaiseSecurityCheckFailure+0xf7
ffffcc00`3d322940 00000000`00000070 : 00000000`00000000 00000000`00000002 ffffdd0b`c4aed230 ffffdd0b`c18eb9d8 : nptdrv2+0x7cd4
ffffcc00`3d322948 00000000`00000000 : 00000000`00000002 ffffdd0b`c4aed230 ffffdd0b`c18eb9d8 fffff80f`78ea9f88 : 0x70

STACK_COMMAND: kb

CHKIMG_EXTENSION: !chkimg -lo 50 -d !nt
fffff80187a84383-fffff80187a84385 3 bytes - nt!ExFreePoolWithTag+363
[ 40 fb f6:80 43 87 ]
3 errors : !nt (fffff80187a84383-fffff80187a84385)

MODULE_NAME: memory_corruption

IMAGE_NAME: memory_corruption

FOLLOWUP_NAME: memory_corruption

DEBUG_FLR_IMAGE_TIMESTAMP: 0

MEMORY_CORRUPTOR: LARGE

FAILURE_BUCKET_ID: MEMORY_CORRUPTION_LARGE

BUCKET_ID: MEMORY_CORRUPTION_LARGE

Followup: memory_corruption
---------

JochemJ1 (author) 2016-01-28

thanks!!!

SandeepA8 (author) 2016-01-25

Thanks.

Nafaaaaa (author) 2016-01-01

I have Windows 8. This blue screen appears and it restarts itself, and then says Windows is repairing itself but fails to do that, and then the blue screen appears and it restarts again. I don't want to lose my data, photos and videos, so what should I do? Need help plz

BattulgaB1 (author) 2015-07-01

Dear Azerial,

Thank you for your valuable information, it's very clear. I've successfully installed the debugging tools.

When I followed your guideline I just faced the following information. What does it mean?
How to understand these messages? Are there any other commands?

********************************#######################*********************************
Microsoft (R) Windows Debugger Version 6.3.9600.17336 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [F:\MEMORY.DMP]
Kernel Summary Dump File: Only kernel address space is available


************* Symbol Path validation summary **************
Response Time (ms) Location
Deferred SRV*C:\Windows\symbol_cache*http://msdl.microsoft.com/download/symbols
Symbol search path is: SRV*C:\Windows\symbol_cache*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows 7 Kernel Version 7601 (Service Pack 1) MP (40 procs) Free x64
Product: Server, suite: TerminalServer DataCenter SingleUserTS
Built by: 7601.18113.amd64fre.win7sp1_gdr.130318-1533
Machine Name:
Kernel base = 0xfffff800`01810000 PsLoadedModuleList = 0xfffff800`01a53670
Debug session time: Tue Jun 30 15:16:55.617 2015 (UTC + 9:00)
System Uptime: 0 days 6:48:24.546
Loading Kernel Symbols
...............................................................
................................................................
...................
Loading User Symbols
PEB is paged out (Peb.Ldr = 000007ff`fffd5018). Type ".hh dbgerr001" for details
Loading unloaded module list
.....
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 1A, {41201, fffff68000125000, 7f87312b, fffffa8067073a40}

Page 625d2f not present in the dump file. Type ".hh dbgerr004" for details
Probably caused by : ntkrnlmp.exe ( nt! ?? ::FNODOBFM::`string'+13702 )

Followup: MachineOwner
---------

DuaneW1 (author) 2015-05-21

I've added the debugging tool to the firewall, and for some reason I still can't seem to find memory.dmp. I'm running Windows 8.1

AnilG4 (author) 2015-05-09

If I delete the dump files, i.e. memory.dmp or *.dmp, will any problem occur to my system?

jonathanj4 (author) 2015-04-23

Hello! Just found this post and I am going to try it out now

I will be back if it didn't work x)

Azerial (author), in reply to jonathanj4, 2015-04-23

It will work if you follow the instructions :) The hard part is what you do after you figure out what causes it!

dwightwalker (author) 2015-04-21

Many thanks. This solved a random graphics driver crash on Windows 8.1 atikmpag.sys from AMD. Before that I tried changing antivirus but crash kept coming with fuzzy message (graphic card screwed up) so I could not read crash message. Opening MEMORY.DMP with Windbg had there in clear letters the name of the driver above. Old laptop with old driver. I tried AMD Catalyst Omega driver with High Performance Power and am hoping this will fix it. Otherwise frustrating that graphics card is not easily fixable.

Azerial (author), in reply to dwightwalker, 2015-04-23

You might try using an older version of the driver. I don't know much about AMD drivers, but I wonder if you can figure out in what version it was that they changed that module and go one version before that. Might just be trial and error.

jbutler2 (author) 2015-04-15

Is there a forum that you'd recommend people send their file/info to?

NogintheNog made it! (author) 2014-03-16

Hi,

I followed your very clear instructions, but when I run Windbg I have the problem that the Symbols file path (entered in Step 6) cannot be found which generates a lengthy list of error messages. Any advice appreciated.

Regards,

Nogin

Azerial (author), in reply to NogintheNog, 2015-04-06

After looking at this again, the problem is that you actually pasted the 1. with the symbol path. You pasted "1.SRV*C:\Windows\symbol_cache*http://msdl.microsoft.com/download/symbols" when it should have been just "SRV*C:\Windows\symbol_cache*http://msdl.microsoft.com/download/symbols"

Azerial (author), in reply to NogintheNog, 2014-07-29

Hi NogintheNog,
Looks like your symbol path is correct...(according to this article http://support.microsoft.com/kb/311503) Are you connected to the internet? It needs to download the symbols from the net in order to work. If you are connected to the internet, make sure your firewall isn't blocking the debugger. Good Luck!

Cube_ (author) 2015-04-06

Why thanks, this helped me prove my suspicion (that Skype is a buggy pos) :P
Skype was the process responsible (which is what I suspected because that's really the only thing that was running).

Azerial (author), in reply to Cube_, 2015-04-06

Ha! I love stories like this! It's really empowering being able to diagnose your own computer issues and fixing them.

robin.m.thuresson (author) 2014-08-07

so how did it go with the problem?

This one? It was actually a bug in Windows 8 that Microsoft couldn't reproduce. It eventually went away, so something must have fixed it.

PhenomHTPC (author) 2014-03-06

Hi Azerial, thanks for the helpful post. I have a question that I hope you may help with. I have an Intel NUC D34010WYK with Windows 8.1, and since the first initial install my OS will randomly freeze and just hang, i.e. spinning wheel, can not enter the task manager in any way, and eventually a window pops up "Windows Not responding". I have done multiple installs of W8.1 with different dongles from my friends, but still the same result. Additionally, if I leave the computer on for the day, my OS will crash and will try to reboot automatically; however, when it reboots on its own it cannot find a boot image. I've run every test under the sun, RAM mem test, SSD tests, and everything checks out. I have googled for a few weeks now, resorting to diagnosing the issue myself with these SDK tools. For some reason I don't get a Memory.dmp file, even though I have had a BSOD in the last couple of days. Would you have any recommendations on where to start to diagnose this issue/possibly create and capture a log of some sort when my OS hangs?

Any help is much appreciated. Thanks.

Azerial (author), in reply to PhenomHTPC, 2014-07-29

Hi PhenomHTPC,
While I can't give you any insight on why your computer is acting up, I can give you some advice on the dump file.

1. From the desktop, open Windows Explorer (tan folder at the right of the taskbar)
2. In the Windows Explorer address bar, type "Control Panel" and hit enter
3. In the search box on the upper right of the window, type in "System"
4. Click on the link that reads "View advanced system settings"
5. On the Advanced tab, click on the "Startup and Recovery" button
6. At the bottom of the window, there will be a "System failure" section
7. Validate the settings. I have attached a screenshot of what mine looks like. You might also change the dump from Automatic to Complete. (Complete will give you a very large file, but eh, it's sometimes worth it if you need more info. Just don't forget to change it back)

Hope you figure out what it is!

thebear1 (author) 2013-12-04

thank you for posting this and the reply back
I thought there was something for Windows XP but may have been too busy working to check on it
again thanks