How to Analyze a BSOD Crash Dump


Intro: How to Analyze a BSOD Crash Dump

Blue screens of death can be caused by a multitude of factors. There are many tools on the internet that can analyze the crash dumps they leave behind; however, Microsoft has its own tool. When a computer is exhibiting problems, most users are reluctant to download a third-party tool that "might make things worse." This is where the Debugging Tools for Windows come into play.

23-12-31 Update!

Microsoft has made the tool available as a standalone download, without having to install it as part of a package. WooHoo! According to their documentation, this package only works with Windows 10/11. I am currently running Linux, so I can't test it. (Side note: if you want to try Linux, I'd highly recommend this: https://fedoraproject.org/spins/kde/ It's a Fedora spin with the KDE Plasma desktop. It's a lot like Windows, but it's ultra stable and secure out of the box; let me know if you're interested or need help.) I might make a tutorial; however, we are talking about Windows now. Here's the link: https://learn.microsoft.com/en-us/windows-hardware/drivers/debugger/ Download the tool and continue from Step 4.

This How to Will Instruct a User on How to Install the Tool and How to Analyze a Crash Dump to Determine the Cause.

STEP 1: Download the Debugging Tools for Windows

The tools are included as part of the Windows Software Development Kit (SDK). We only want the debugging tools, not the rest of the SDK.

STEP 2: Run the Setup for the SDK

The installer is a downloader for the complete SDK. We don't want all the extras, we just want the tools.
  1. Click Next through the installer until you reach the feature selection screen, labeled "Select the features you want to install."
  2. Deselect the checkboxes next to all the packages except Debugging Tools for Windows.
  3. Click Install.

STEP 3: Wait for the Installer

Wait for the installer to download the packages and install them. Once the installation is complete, click on Close.

STEP 4: Run WinDbg

  1. Run WinDbg as Administrator. The screenshot is from Windows 8.1, but this step is the same for all operating systems Vista and higher: run as Administrator.
    1. On Windows 8.1, this is achieved by searching for the program, then right-clicking it in the list to the right and choosing "Run as administrator".
    2. It is important that WinDbg be run as Administrator.
      1. On Windows 8 and higher, the crash dump in C:\Windows is not readable by a standard, non-elevated user, so a non-elevated WinDbg cannot open it. Writing the symbol cache under C:\Windows (Step 6) also needs an elevated process.

STEP 5: Set the Symbol Path

WinDbg needs a symbol path. Symbols (.pdb files) map the raw addresses in the dump to module and function names; without them the analysis is mostly bare addresses and the "Probably caused by" line is little more than a guess.
  1. Click on File
  2. Click on Symbol File Path ...

STEP 6: Input the Symbols File Path

  1. Paste the following text into the Symbol Search Path dialog
    1. SRV*C:\Windows\symbol_cache*http://msdl.microsoft.com/download/symbols
    2. The part between the asterisks is a local cache directory (it can be any folder the elevated WinDbg can write to); the part after the second asterisk is Microsoft's public symbol server. The server also accepts https://msdl.microsoft.com/download/symbols, which is preferable to plain http.
  2. Click OK

STEP 7: Save the Workspace

  1. Click on File
  2. Click on Save Workspace

STEP 8: Open the Crash Dump

  1. Click on File
  2. Click on Open Crash Dump...
  3. Navigate to: C:\Windows\
  4. Select the file named MEMORY.DMP
    1. If there is no MEMORY.DMP, look in C:\Windows\Minidump for small dumps named by date; the same steps work on those, with less detail. Which kind of dump Windows writes, and where, is set under Control Panel > System > Advanced System Settings > Startup and Recovery > Settings. If the dump type there is "(none)", no file is written at all.
  5. Click Open

STEP 9: Analyze!

After opening the crash dump, a command window will spawn and rapidly fill with text while WinDbg loads the dump and the symbols.
  1. Near the bottom of the wall of text, you will notice a line with the text:
    1. Probably caused by :
      1. That is the debugger's best guess at the module that caused the BSOD. Treat it as a lead, not a verdict: if it names a third-party driver (some .sys file), that driver is the first suspect; if it names a core Windows binary such as ntoskrnl.exe/ntkrnlmp.exe, or says memory_corruption, the crash was usually detected there rather than caused there, and a misbehaving driver or faulty hardware (RAM in particular) is the more likely cause.
      2. Lines such as *** WARNING: Unable to verify timestamp for something.sys or *** ERROR: Module load completed but symbols could not be loaded for something.sys mean the debugger has no symbols for that module. That is normal for third-party drivers, and it is a hint that a non-Microsoft driver was loaded at the time of the crash.
      3. Google the thing that caused your BSOD, together with the bugcheck name.
        1. For example: in this instance I would google
          1. BSOD Win8.1 NETIO.SYS
OPTIONAL
At the bottom of the block of text, there will be a blue link with the words !analyze -v
  1. Click on the blue link named !analyze -v (or type !analyze -v at the kd> prompt and press Enter; it is the same command).
  2. This will give a further detailed analysis to post on a forum, or send to someone else: the bugcheck code and its four arguments, the process that was running (PROCESS_NAME), the faulting module (MODULE_NAME / IMAGE_NAME), and a stack trace (STACK_TEXT).
  3. It will also tell you what kind of fault it was; in this instance, my BSOD was a
    1. DEFAULT_BUCKET_ID: WIN8_DRIVER_FAULT

STEP 10: Optional: Save the Output

If you wish to save the output to a text file:
  1. Click on Edit
  2. Click on Write Window Text to File...
  3. Choose a location that is easy to remember, such as Documents.
  4. Share the text file with people that can help! Share the text, not MEMORY.DMP itself: the dump is a copy of kernel memory (a complete dump is a copy of all of physical memory, including whatever passwords and keys were loaded at the time), and even the !analyze -v text includes your machine name and the names of running processes, so hand it only to people you trust.
  5. Done!
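Everything from Step 4 onwards can also be scripted, which is handy when you have several dumps, or a dump copied from another machine. The following is an added example, not code from the original how-to or from Microsoft: it reads the Startup and Recovery settings from the registry to find out what kind of dump Windows writes and where, picks MEMORY.DMP or the newest minidump, runs !analyze -v with kd.exe (the command-line twin of WinDbg that installs alongside it), saves the transcript, and pulls the "Probably caused by" line and the !analyze -v fields into one object. The kd.exe location under the Windows 10 SDK, the output file name and the use of https for the symbol server are assumptions.

```powershell
# Added example, not part of the original how-to: Steps 5-10 driven from an elevated
# PowerShell prompt with kd.exe, the command-line debugger installed next to WinDbg.
# The kd.exe install path and the output file name below are assumptions.

# Read the Startup and Recovery settings straight from the registry: what kind of dump
# Windows writes, and where. Falls back to the Windows defaults when a value is absent.
function Get-CrashDumpConfig {
    $cc = Get-ItemProperty -LiteralPath 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'
    $kinds = @{ 0 = 'None'; 1 = 'Complete'; 2 = 'Kernel'; 3 = 'Small (minidump)'; 7 = 'Automatic' }
    $type = $kinds[[int]$cc.CrashDumpEnabled]
    if (-not $type) { $type = "Other ($($cc.CrashDumpEnabled))" }
    $dumpFile = if ($cc.DumpFile)    { [Environment]::ExpandEnvironmentVariables($cc.DumpFile) }    else { "$env:SystemRoot\MEMORY.DMP" }
    $miniDir  = if ($cc.MinidumpDir) { [Environment]::ExpandEnvironmentVariables($cc.MinidumpDir) } else { "$env:SystemRoot\Minidump" }
    [pscustomobject]@{ DumpType = $type; DumpFile = $dumpFile; MinidumpDir = $miniDir }
}

# Step 8 equivalent: MEMORY.DMP if it exists, otherwise the newest minidump (less detail,
# same analysis). Returns nothing if no dump has been written yet.
function Find-CrashDump {
    $cfg = Get-CrashDumpConfig
    if (Test-Path -LiteralPath $cfg.DumpFile) { return Get-Item -LiteralPath $cfg.DumpFile }
    Get-ChildItem -LiteralPath $cfg.MinidumpDir -Filter *.dmp -ErrorAction SilentlyContinue |
        Sort-Object LastWriteTime -Descending | Select-Object -First 1
}

# Steps 6, 9 and 10 in one go: open the dump with the symbol path set, run "!analyze -v",
# quit, and keep the whole transcript in a text file you can share.
function Invoke-CrashDumpAnalysis {
    param(
        [Parameter(Mandatory)] [string] $DumpPath,
        [string] $OutFile    = "$env:USERPROFILE\Documents\bsod-analysis.txt",   # assumed location
        [string] $SymbolPath = 'SRV*C:\Windows\symbol_cache*https://msdl.microsoft.com/download/symbols',
        [string] $Kd         = "${env:ProgramFiles(x86)}\Windows Kits\10\Debuggers\x64\kd.exe"  # assumed SDK path
    )
    if (-not (Test-Path -LiteralPath $Kd)) { throw "kd.exe not found at $Kd; install the Debugging Tools (Steps 1-3)." }
    # -z open a crash dump, -y symbol path, -logo (over)write a log file, -c commands to run at start.
    & $Kd -z $DumpPath -y $SymbolPath -logo $OutFile -c '!analyze -v; q' | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "kd.exe exited with code $LASTEXITCODE; check $OutFile" }
    $OutFile
}

# Step 9 equivalent: pull the lines that matter out of the saved transcript so several
# crashes can be compared at a glance instead of re-reading each wall of text.
function Read-CrashDumpSummary {
    param([Parameter(Mandatory)] [string] $LogPath)
    $text = Get-Content -LiteralPath $LogPath -Raw
    $summary = [ordered]@{}
    if ($text -match '(?m)^Probably caused by\s*:\s*(.+?)\s*$') { $summary['ProbablyCausedBy'] = $Matches[1] }
    foreach ($key in 'BUGCHECK_CODE', 'BUGCHECK_STR', 'PROCESS_NAME', 'MODULE_NAME', 'IMAGE_NAME',
                     'DEFAULT_BUCKET_ID', 'FAILURE_BUCKET_ID') {
        $pattern = '(?m)^\s*' + [regex]::Escape($key) + '\s*:\s*(.+?)\s*$'
        if ($text -match $pattern) { $summary[$key] = $Matches[1] }
    }
    # Modules the debugger could not verify or load symbols for are nearly always
    # third-party drivers: prime suspects even when the blame lands on "memory_corruption".
    $suspects = [regex]::Matches($text,
        '(?m)^\*\*\* (?:WARNING: Unable to verify timestamp for|ERROR: Module load completed but symbols could not be loaded for) (\S+)')
    $summary['UnverifiedModules'] = @($suspects | ForEach-Object { $_.Groups[1].Value } | Sort-Object -Unique)
    [pscustomobject]$summary
}

# Usage, from an elevated prompt (Step 4); nothing here needs the WinDbg GUI.
$cfg = Get-CrashDumpConfig
"Windows writes a '$($cfg.DumpType)' dump to $($cfg.DumpFile); minidumps go to $($cfg.MinidumpDir)"
$dump = Find-CrashDump
if (-not $dump) {
    'No dump found: if the dump type is None, change it under Startup and Recovery and wait for the next BSOD.'
} else {
    $log = Invoke-CrashDumpAnalysis -DumpPath $dump.FullName
    Read-CrashDumpSummary -LogPath $log | Format-List
}
```

The transcript kd.exe writes is the same text the GUI shows in Step 9, so the saved file can be shared exactly as in Step 10, with the same caveat: share the text, never the dump file itself.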

28 Comments

Nice job on this.
Will this work on Windows XP Pro SP3?
Hi thebear1, I have modified the first step to include information (a different download link) about Vista and Windows XP.

All the sequential steps will be the same. The only difference is the GUI will be slightly different, but the package to download will be named the same. (Also you won't need to run as Administrator on Windows XP unless you're a limited user) 

Thanks for pointing that out! :)

Hi Azerial,

I ran through all of the steps as described. However, when I try to open the Memory.dmp file I get the following message:

"Loading Dump File [C:\Windows\MEMORY.DMP]

Kernel Bitmap Dump File: Only kernel address space is available

Invalid directory table base value 0x0"

I also get a popup window titled "WinDbg:6.3.9600.17298 AMD64"

The window says:

"Could not find the C:\\Windows\MEMORY.DMP Dump File, Win32 error 0n1392

The file or directory is corrupted or unreadable."

I'm using Windows 8.1 on a late 2014 Dell XPS 13. I recently reinstalled Windows per Dell customer support's advice. Subsequently, I got a BSOD with a "Bad_Pool_Caller" code.

I really don't have much of an idea where to go from here. I'd appreciate any advice you could offer. Thanks in advance!

Great guide! Works well, now I have more visibility on BSODs. Thanks!
I have Windows 8. This blue screen appears and it restarts itself, then says Windows is repairing itself but fails to do that, and then the blue screen appears and it restarts again. I don't want to lose my data, photos and videos, so what should I do? Need help, please.
Hi Nafaaaaa, my laptop is doing this. Did you find an answer please?
Many Thanks in advance.
Hayley
The location (and type) of these dump files can be verified in the Advanced System Settings. This would be in "Control Panel > System > Advanced System Settings > Startup & Recovery box > Settings button". From there you can verify where Windows is saving these files and what type of memory dump is being collected.
Hello sir Azerial, can you tell me what this is? How do I find out the reason for my BSOD?


Microsoft (R) Windows Debugger Version 10.0.19041.1 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [C:\Windows\MEMORY.DMP]
Kernel Bitmap Dump File: Kernel address space is available, User address space may not be available.
************* Path validation summary **************
Response Time (ms) Location
Deferred SRV*C:\Windows\symbol_cache*http://msdl.microsoft.com/download/symbols
Symbol search path is: SRV*C:\Windows\symbol_cache*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows 10 Kernel Version 18362 MP (4 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 18362.1.amd64fre.19h1_release.190318-1202
Machine Name:
Kernel base = 0xfffff805`59a00000 PsLoadedModuleList = 0xfffff805`59e480f0
Debug session time: Sun Aug 16 09:37:32.398 2020 (UTC + 8:00)
System Uptime: 0 days 0:03:54.092
Loading Kernel Symbols
...............................................................
................................................................
.............................................................
Loading User Symbols
................................................................
................................
Loading unloaded module list
................
For analysis of this file, run !analyze -v
0: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
CRITICAL_PROCESS_DIED (ef)
A critical system process died
Arguments:
Arg1: ffffb38b34b342c0, Process object or thread object
Arg2: 0000000000000000, If this is 0, a process died. If this is 1, a thread died.
Arg3: 0000000000000000
Arg4: 0000000000000000
Debugging Details:
------------------
KEY_VALUES_STRING: 1
Key : Analysis.CPU.Sec
Value: 5
Key : Analysis.DebugAnalysisProvider.CPP
Value: Create: 8007007e on DESKTOP-D7SFLGE
Key : Analysis.DebugData
Value: CreateObject
Key : Analysis.DebugModel
Value: CreateObject
Key : Analysis.Elapsed.Sec
Value: 40
Key : Analysis.Memory.CommitPeak.Mb
Value: 81
Key : Analysis.System
Value: CreateObject
BUGCHECK_CODE: ef
BUGCHECK_P1: ffffb38b34b342c0
BUGCHECK_P2: 0
BUGCHECK_P3: 0
BUGCHECK_P4: 0
PROCESS_NAME: svchost.exe
CRITICAL_PROCESS: svchost.exe
EXCEPTION_RECORD: ffffb38b34b34880 -- (.exr 0xffffb38b34b34880)
ExceptionAddress: 0000000000000000
ExceptionCode: 00000000
ExceptionFlags: 00000000
NumberParameters: 0
ERROR_CODE: (NTSTATUS) 0x34b6d240 - <Unable to get error code text>
EXCEPTION_STR: 0x0
SYMBOL_NAME: ntdll!RtlVirtualUnwind+33
MODULE_NAME: ntdll
IMAGE_NAME: ntdll.dll
STACK_COMMAND: .thread ; .cxr ; kb
BUCKET_ID_FUNC_OFFSET: 33
FAILURE_BUCKET_ID: 0xEF_svchost.exe_BUGCHECK_CRITICAL_PROCESS_34b6d240_ntdll!RtlVirtualUnwind
OS_VERSION: 10.0.18362.1
BUILDLAB_STR: 19h1_release
OSPLATFORM_TYPE: x64
OSNAME: Windows 10
FAILURE_ID_HASH: {c5f11e70-fc8e-2563-6c6f-c30a939b0290}
Followup: MachineOwner
---------
0: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
CRITICAL_PROCESS_DIED (ef)
A critical system process died
Arguments:
Arg1: ffffb38b34b342c0, Process object or thread object
Arg2: 0000000000000000, If this is 0, a process died. If this is 1, a thread died.
Arg3: 0000000000000000
Arg4: 0000000000000000
Debugging Details:
------------------
KEY_VALUES_STRING: 1
Key : Analysis.CPU.Sec
Value: 3
Key : Analysis.DebugAnalysisProvider.CPP
Value: Create: 8007007e on DESKTOP-D7SFLGE
Key : Analysis.DebugData
Value: CreateObject
Key : Analysis.DebugModel
Value: CreateObject
Key : Analysis.Elapsed.Sec
Value: 3
Key : Analysis.Memory.CommitPeak.Mb
Value: 89
Key : Analysis.System
Value: CreateObject
BUGCHECK_CODE: ef
BUGCHECK_P1: ffffb38b34b342c0
BUGCHECK_P2: 0
BUGCHECK_P3: 0
BUGCHECK_P4: 0
PROCESS_NAME: svchost.exe
CRITICAL_PROCESS: svchost.exe
EXCEPTION_RECORD: ffffb38b34b34880 -- (.exr 0xffffb38b34b34880)
ExceptionAddress: 0000000000000000
ExceptionCode: 00000000
ExceptionFlags: 00000000
NumberParameters: 0
ERROR_CODE: (NTSTATUS) 0x34b6d240 - <Unable to get error code text>
EXCEPTION_STR: 0x0
SYMBOL_NAME: ntdll!RtlVirtualUnwind+33
MODULE_NAME: ntdll
IMAGE_NAME: ntdll.dll
STACK_COMMAND: .thread ; .cxr ; kb
BUCKET_ID_FUNC_OFFSET: 33
FAILURE_BUCKET_ID: 0xEF_svchost.exe_BUGCHECK_CRITICAL_PROCESS_34b6d240_ntdll!RtlVirtualUnwind
OS_VERSION: 10.0.18362.1
BUILDLAB_STR: 19h1_release
OSPLATFORM_TYPE: x64
OSNAME: Windows 10
FAILURE_ID_HASH: {c5f11e70-fc8e-2563-6c6f-c30a939b0290}
Followup: MachineOwner
---------
0: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
CRITICAL_PROCESS_DIED (ef)
A critical system process died
Arguments:
Arg1: ffffb38b34b342c0, Process object or thread object
Arg2: 0000000000000000, If this is 0, a process died. If this is 1, a thread died.
Arg3: 0000000000000000
Arg4: 0000000000000000
Debugging Details:
------------------
KEY_VALUES_STRING: 1
Key : Analysis.CPU.Sec
Value: 3
Key : Analysis.DebugAnalysisProvider.CPP
Value: Create: 8007007e on DESKTOP-D7SFLGE
Key : Analysis.DebugData
Value: CreateObject
Key : Analysis.DebugModel
Value: CreateObject
Key : Analysis.Elapsed.Sec
Value: 3
Key : Analysis.Memory.CommitPeak.Mb
Value: 91
Key : Analysis.System
Value: CreateObject
BUGCHECK_CODE: ef
BUGCHECK_P1: ffffb38b34b342c0
BUGCHECK_P2: 0
BUGCHECK_P3: 0
BUGCHECK_P4: 0
PROCESS_NAME: svchost.exe
CRITICAL_PROCESS: svchost.exe
EXCEPTION_RECORD: ffffb38b34b34880 -- (.exr 0xffffb38b34b34880)
ExceptionAddress: 0000000000000000
ExceptionCode: 00000000
ExceptionFlags: 00000000
NumberParameters: 0
ERROR_CODE: (NTSTATUS) 0x34b6d240 - <Unable to get error code text>
EXCEPTION_STR: 0x0
SYMBOL_NAME: ntdll!RtlVirtualUnwind+33
MODULE_NAME: ntdll
IMAGE_NAME: ntdll.dll
STACK_COMMAND: .thread ; .cxr ; kb
BUCKET_ID_FUNC_OFFSET: 33
FAILURE_BUCKET_ID: 0xEF_svchost.exe_BUGCHECK_CRITICAL_PROCESS_34b6d240_ntdll!RtlVirtualUnwind
OS_VERSION: 10.0.18362.1
BUILDLAB_STR: 19h1_release
OSPLATFORM_TYPE: x64
OSNAME: Windows 10
FAILURE_ID_HASH: {c5f11e70-fc8e-2563-6c6f-c30a939b0290}
Followup: MachineOwner
---------
************* Path validation summary **************
Response Time (ms) Location
Deferred SRV*C:\Windows\symbol_cache*http://msdl.microsoft.com/download/symbols
I don't have the MEMORY.DMP files, what do I do?

Hi Azerial,

thanks for sharing that. Is it also possible to examine minidumps with that procedure? I loaded one into the debugger and got:
"Probably caused by : ntkrnlmp.exe ( nt!KiFastFailDispatch+d0 )".
Furthermore (clicking on the link):
"KERNEL_SECURITY_CHECK_FAILURE (139)
A kernel component has corrupted a critical data structure. The corruption
could potentially allow a malicious user to gain control of this machine."

Furthermore:
"The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application." (Quoted in German in the original: "Das System hat in dieser Anwendung den Überlauf eines stapelbasierten Puffers ermittelt. Dieser Überlauf könnte einem bösartigen Benutzer ermöglichen, die Steuerung der Anwendung zu übernehmen.") This is German and means something like "It's a stack overflow" (which isn't nice).

Bernd

Hi everyone, can you please help me analyze the BSOD I'm encountering here? I'm trying to use a serial COM port device, and upon receiving an incoming file a BSOD will appear. I can't replicate the BSOD on my own computer, though. Thanks for the help.

..........................................................
Loading User Symbols
Loading unloaded module list
...........
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck 139, {3, ffffcc003d3227b0, ffffcc003d322708, 0}
*** WARNING: Unable to verify timestamp for nptdrv2.sys
*** ERROR: Module load completed but symbols could not be loaded for nptdrv2.sys
Probably caused by : memory_corruption
Followup: memory_corruption
---------
0: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
KERNEL_SECURITY_CHECK_FAILURE (139)
A kernel component has corrupted a critical data structure. The corruption
could potentially allow a malicious user to gain control of this machine.
Arguments:
Arg1: 0000000000000003, A LIST_ENTRY has been corrupted (i.e. double remove).
Arg2: ffffcc003d3227b0, Address of the trap frame for the exception that caused the bugcheck
Arg3: ffffcc003d322708, Address of the exception record for the exception that caused the bugcheck
Arg4: 0000000000000000, Reserved
Debugging Details:
------------------
TRAP_FRAME: ffffcc003d3227b0 -- (.trap 0xffffcc003d3227b0)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=ffffdd0bbf047618 rbx=0000000000000000 rcx=0000000000000003
rdx=ffffdd0bc18eb8a0 rsi=0000000000000000 rdi=0000000000000000
rip=fffff80f78ea7cd4 rsp=ffffcc003d322940 rbp=0000000000000000
r8=ffffdd0bc18eb8a0 r9=ffffdd0bc18eb070 r10=0000000000000000
r11=0000000000000000 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei pl nz ac po nc
nptdrv2+0x7cd4:
fffff80f`78ea7cd4 cd29 int 29h
Resetting default scope
EXCEPTION_RECORD: ffffcc003d322708 -- (.exr 0xffffcc003d322708)
ExceptionAddress: fffff80f78ea7cd4 (nptdrv2+0x0000000000007cd4)
ExceptionCode: c0000409 (Security check failure or stack buffer overrun)
ExceptionFlags: 00000001
NumberParameters: 1
Parameter[0]: 0000000000000003
CUSTOMER_CRASH_COUNT: 1
DEFAULT_BUCKET_ID: CODE_CORRUPTION
BUGCHECK_STR: 0x139
PROCESS_NAME: ORiON Virtual
CURRENT_IRQL: 2
ERROR_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.
EXCEPTION_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.
EXCEPTION_PARAMETER1: 0000000000000003
EXCEPTION_STR: 0x0
LAST_CONTROL_TRANSFER: from fffff8018797b8a9 to fffff801879704c0
STACK_TEXT:
ffffcc00`3d322488 fffff801`8797b8a9 : 00000000`00000139 00000000`00000003 ffffcc00`3d3227b0 ffffcc00`3d322708 : nt!KeBugCheckEx
ffffcc00`3d322490 fffff801`8797bc10 : ffffdd0b`c53d0c20 ffffdd0b`c50ddef0 ffffdd0b`c514eae0 fffff801`00000000 : nt!KiBugCheckDispatch+0x69
ffffcc00`3d3225d0 fffff801`8797abf7 : 00000000`00000000 00000000`00000000 00000000`00000005 ffffdd0b`c18eb1c0 : nt!KiFastFailDispatch+0xd0
ffffcc00`3d3227b0 fffff80f`78ea7cd4 : 00000000`00000070 00000000`00000000 00000000`00000002 ffffdd0b`c4aed230 : nt!KiRaiseSecurityCheckFailure+0xf7
ffffcc00`3d322940 00000000`00000070 : 00000000`00000000 00000000`00000002 ffffdd0b`c4aed230 ffffdd0b`c18eb9d8 : nptdrv2+0x7cd4
ffffcc00`3d322948 00000000`00000000 : 00000000`00000002 ffffdd0b`c4aed230 ffffdd0b`c18eb9d8 fffff80f`78ea9f88 : 0x70
STACK_COMMAND: kb
CHKIMG_EXTENSION: !chkimg -lo 50 -d !nt
fffff80187a84383-fffff80187a84385 3 bytes - nt!ExFreePoolWithTag+363
[ 40 fb f6:80 43 87 ]
3 errors : !nt (fffff80187a84383-fffff80187a84385)
MODULE_NAME: memory_corruption
IMAGE_NAME: memory_corruption
FOLLOWUP_NAME: memory_corruption
DEBUG_FLR_IMAGE_TIMESTAMP: 0
MEMORY_CORRUPTOR: LARGE
FAILURE_BUCKET_ID: MEMORY_CORRUPTION_LARGE
BUCKET_ID: MEMORY_CORRUPTION_LARGE
Followup: memory_corruption
---------

Dear Azerial,

Thank you for your valuable information; it's very clear. I've successfully installed the debugging tools.

When following your guideline I just faced the following information. What does it mean?
How do I understand these messages? Are there any other commands?

********************************#######################*********************************
Microsoft (R) Windows Debugger Version 6.3.9600.17336 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [F:\MEMORY.DMP]
Kernel Summary Dump File: Only kernel address space is available


************* Symbol Path validation summary **************
Response Time (ms) Location
Deferred SRV*C:\Windows\symbol_cache*http://msdl.microsoft.com/download/symbols
Symbol search path is: SRV*C:\Windows\symbol_cache*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows 7 Kernel Version 7601 (Service Pack 1) MP (40 procs) Free x64
Product: Server, suite: TerminalServer DataCenter SingleUserTS
Built by: 7601.18113.amd64fre.win7sp1_gdr.130318-1533
Machine Name:
Kernel base = 0xfffff800`01810000 PsLoadedModuleList = 0xfffff800`01a53670
Debug session time: Tue Jun 30 15:16:55.617 2015 (UTC + 9:00)
System Uptime: 0 days 6:48:24.546
Loading Kernel Symbols
...............................................................
................................................................
...................
Loading User Symbols
PEB is paged out (Peb.Ldr = 000007ff`fffd5018). Type ".hh dbgerr001" for details
Loading unloaded module list
.....
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 1A, {41201, fffff68000125000, 7f87312b, fffffa8067073a40}

Page 625d2f not present in the dump file. Type ".hh dbgerr004" for details
Probably caused by : ntkrnlmp.exe ( nt! ?? ::FNODOBFM::`string'+13702 )

Followup: MachineOwner
---------

I've added the debugging tool to the firewall, and for some reason I still can't seem to find memory.dmp. I'm running Windows 8.1.

If I delete the dump files, i.e. memory.dmp or *.dmp, will any problem occur to my system?

Hello! just found this post and I am going to try it out now

I will be back if it didn't work x)

It will work if you follow the instructions :) The hard part is what you do after you figure out what causes it!

Many thanks. This solved a random graphics driver crash on Windows 8.1 atikmpag.sys from AMD. Before that I tried changing antivirus but crash kept coming with fuzzy message (graphic card screwed up) so I could not read crash message. Opening MEMORY.DMP with Windbg had there in clear letters the name of the driver above. Old laptop with old driver. I tried AMD Catalyst Omega driver with High Performance Power and am hoping this will fix it. Otherwise frustrating that graphics card is not easily fixable.

You might try using an older version of the driver. I don't know much about AMD drivers, but I wonder if you can figure out in what version they changed that module and go one version before that. Might just be trial and error.
