How to Analyze a BSOD Crash Dump




Blue screens of death can be caused by a multitude of factors. There are many tools on the internet that can analyze these; however, Microsoft has its own tool. When a computer is exhibiting problems, most users are reluctant to download a 3rd party tool that "might make things worse." This is where the Windows Debugging Tools come into play.

This how-to will instruct a user on how to install the tool and how to analyze a crash dump to determine the cause.

Step 1: Download the Debugging Tools for Windows

The tools are included as part of the Windows Software Development Kit (SDK) for Windows. We only want the tools.

Step 2: Run the Setup for the SDK

The installer is a downloader for the complete SDK. We don't want all the extras; we just want the tools.
  1. Click Next through the installer until you reach the screen that downloads the packages, labeled: "Select the features you want to install."
  2. Deselect all the checkboxes next to all the packages except Debugging Tools for Windows.
  3. Click Install.

Step 3: Wait for the Installer

Wait for the installer to download the packages and install them. Once the installation is complete, click on Close.

Step 4: Run WinDbg

  1. Run WinDbg as Administrator. The screenshot is from Windows 8.1, but this step is the same for all operating systems Vista and higher.
    1. On Windows 8.1, this is achieved by searching for the program, then right-clicking it in the list to the right.
    2. It is important that WinDbg be run as Administrator.
      1. On Windows 8 and higher machines, there are permission issues reading crash dumps when the user isn't elevated.

Step 5: Set the Symbol Path

Windbg requires a symbol file path.
  1. Click on File
  2. Click on Symbol File Path ...

Step 6: Input the Symbols File Path

  1. Paste the following text into the Symbol Search Path Dialog
    1. SRV*C:\Windows\symbol_cache*
  2. Click OK

Step 7: Save the Workspace

  1. Click on File
  2. Click on Save Workspace

Step 8: Open the Crash Dump

  1. Click on File
  2. Click on Open Crash Dump...
  3. Navigate to: C:\Windows\
  4. Select the file named MEMORY.DMP
  5. Click Open

Step 9: Analyze!

After opening the crash dump, a window will spawn. The window will rapidly fill with text.
  1. At the bottom of the wall of text, you will notice a line with the text:
    1. Probably caused by :
      1. As you might guess, whatever is named on that line is what caused the BSOD.
      2. Google the thing that caused your BSOD.
        1. For example, in this instance I would google:
          1. BSOD Win8.1 NETIO.SYS
  2. At the bottom of the block of text, there will be a blue link with the words !analyze -v
    1. Click on the blue link named !analyze -v
    2. This will give a more detailed analysis to post on a forum, or send to someone else.
    3. It will also tell you what kind of fault it was. In this instance, my BSOD was a

Step 10: Optional: Save the Output

If you wish to save the output to a Text File:
  1. Click on Edit
  2. Click on Write Window Text to File...
  3. Choose a location that is easy to remember, such as Documents.
  4. Share the text file with people that can help!
  5. Done!
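
Added example (not part of the original how-to): a short Python script that triages the text file saved in Step 10, pulling out the bugcheck code, the "Probably caused by" line, modules whose symbols failed to load, and the non-kernel modules on the stack. The names `triage` and `SAMPLE` are hypothetical, and the sample lines are abridged from WinDbg output quoted in the discussion on this page.

```python
import re

# Constructed sample: abridged lines in the format WinDbg writes with
# "Write Window Text to File..." (values from output quoted on this page).
SAMPLE = """\
BugCheck 139, {3, ffffcc003d3227b0, ffffcc003d322708, 0}
*** WARNING: Unable to verify timestamp for nptdrv2.sys
*** ERROR: Module load completed but symbols could not be loaded for nptdrv2.sys
Probably caused by : memory_corruption
ExceptionAddress: fffff80f78ea7cd4 (nptdrv2+0x0000000000007cd4)
ExceptionCode: c0000409 (Security check failure or stack buffer overrun)
ffffcc00`3d322488 fffff801`8797b8a9 : 00000000`00000139 00000000`00000003 ffffcc00`3d3227b0 ffffcc00`3d322708 : nt!KeBugCheckEx
ffffcc00`3d3225d0 fffff801`8797abf7 : 00000000`00000000 00000000`00000000 00000000`00000005 ffffdd0b`c18eb1c0 : nt!KiFastFailDispatch+0xd0
ffffcc00`3d322940 00000000`00000070 : 00000000`00000000 00000000`00000002 ffffdd0b`c4aed230 ffffdd0b`c18eb9d8 : nptdrv2+0x7cd4
"""

BUGCHECK = re.compile(r"^BugCheck ([0-9A-Fa-f]+), \{([^}]*)\}", re.M)
CAUSED_BY = re.compile(r"^Probably caused by : (.+)$", re.M)
NO_SYMBOLS = re.compile(r"symbols could not be loaded for (\S+)")
EXC_ADDR = re.compile(r"^\s*ExceptionAddress:\s+\S+ \((\w+)[+!]", re.M)
# Stack line: child-SP, return address, four args, then module!symbol or module+offset
FRAME = re.compile(r"^[0-9a-f]{8}`[0-9a-f]{8} [0-9a-f]{8}`[0-9a-f]{8} : .* : (\w+)[!+]", re.M)

def triage(text):
    """Summarise saved WinDbg output into the fields worth reading first."""
    bc = BUGCHECK.search(text)
    caused = CAUSED_BY.search(text)
    exc = EXC_ADDR.search(text)
    modules = []
    for name in FRAME.findall(text):
        if name not in modules:
            modules.append(name)  # keep call-stack order, drop repeats
    return {
        "bugcheck": bc.group(1).upper() if bc else None,
        "args": [a.strip() for a in bc.group(2).split(",")] if bc else [],
        "probably_caused_by": caused.group(1).strip() if caused else None,
        "no_symbols": sorted(set(NO_SYMBOLS.findall(text))),
        "exception_module": exc.group(1) if exc else None,
        # Modules other than the kernel (nt) that appear on the faulting stack
        "non_kernel_on_stack": [m for m in modules if m != "nt"],
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

To use it on your own crash, read the file saved in Step 10 and pass its contents to `triage()`.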

23 Discussions


Reply 5 years ago on Introduction

Hi thebear1, I have modified the first step to include information (a different download link) about Vista and Windows XP.

All the sequential steps will be the same. The only difference is the GUI will be slightly different, but the package to download will be named the same. (Also you won't need to run as Administrator on Windows XP unless you're a limited user) 

Thanks for pointing that out! :)


Reply 3 years ago on Introduction

Hi Azerial,

I ran through all of the steps as described. However, when I try to open the Memory.dmp file I get the following message:

"Loading Dump File [C:\Windows\MEMORY.DMP]

Kernel Bitmap Dump File: Only kernel address space is available

Invalid directory table base value 0x0"

I also get a popup window titled "WinDgb:6.3.9600.17298 AMD64"

The window says:

"Could not find the C:\\Windows\MEMORY.DMP Dump File, Win32 error 0n1392

The file or directory is corrupted or unreadable."

I'm using Windows 8.1 on a late 2014 Dell XPS 13. I recently reinstalled Windows per Dell customer support's advice. Subsequently, I got a BSOD with a "Bad_Pool_Caller" code.

I really don't have much of an idea where to go from here. I'd appreciate any advice you could offer. Thanks in advance!


1 year ago

Hi Azerial,

thanks for sharing that. Is it also possible to examine minidumps with that procedure? I loaded one into the debugger and got:
"Probably caused by : ntkrnlmp.exe ( nt!KiFastFailDispatch+d0 )".
Furthermore (clicking on the link):
"A kernel component has corrupted a critical data structure. The corruption
could potentially allow a malicious user to gain control of this machine."

"Das System hat in dieser Anwendung den Überlauf eines stapelbasierten Puffers ermittelt. Dieser Überlauf könnte einem bösartigen Benutzer ermöglichen, die Steuerung der Anwendung zu übernehmen." This is German and means like "It's a stack overflow" (which isn't nice).



1 year ago

Hi everyone can you please help me analyze the BSOD I'm encountering here. I'm trying to use a serial com port device and upon receiving an incoming file a bsod will appear. I can't replicate the bsod though on my own computer. Thanks for the help.


Loading User Symbols
Loading unloaded module list

* *
* Bugcheck Analysis *
* *

Use !analyze -v to get detailed debugging information.

BugCheck 139, {3, ffffcc003d3227b0, ffffcc003d322708, 0}

*** WARNING: Unable to verify timestamp for nptdrv2.sys
*** ERROR: Module load completed but symbols could not be loaded for nptdrv2.sys
Probably caused by : memory_corruption

Followup: memory_corruption

0: kd> !analyze -v

* *
* Bugcheck Analysis *
* *

A kernel component has corrupted a critical data structure. The corruption
could potentially allow a malicious user to gain control of this machine.

Arg1: 0000000000000003, A LIST_ENTRY has been corrupted (i.e. double remove).
Arg2: ffffcc003d3227b0, Address of the trap frame for the exception that caused the bugcheck
Arg3: ffffcc003d322708, Address of the exception record for the exception that caused the bugcheck
Arg4: 0000000000000000, Reserved

Debugging Details:

TRAP_FRAME: ffffcc003d3227b0 -- (.trap 0xffffcc003d3227b0)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=ffffdd0bbf047618 rbx=0000000000000000 rcx=0000000000000003
rdx=ffffdd0bc18eb8a0 rsi=0000000000000000 rdi=0000000000000000
rip=fffff80f78ea7cd4 rsp=ffffcc003d322940 rbp=0000000000000000
r8=ffffdd0bc18eb8a0 r9=ffffdd0bc18eb070 r10=0000000000000000
r11=0000000000000000 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei pl nz ac po nc
fffff80f`78ea7cd4 cd29 int 29h
Resetting default scope

EXCEPTION_RECORD: ffffcc003d322708 -- (.exr 0xffffcc003d322708)
ExceptionAddress: fffff80f78ea7cd4 (nptdrv2+0x0000000000007cd4)
ExceptionCode: c0000409 (Security check failure or stack buffer overrun)
ExceptionFlags: 00000001
NumberParameters: 1
Parameter[0]: 0000000000000003

ERROR_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.

EXCEPTION_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.

EXCEPTION_PARAMETER1: 0000000000000003

LAST_CONTROL_TRANSFER: from fffff8018797b8a9 to fffff801879704c0

ffffcc00`3d322488 fffff801`8797b8a9 : 00000000`00000139 00000000`00000003 ffffcc00`3d3227b0 ffffcc00`3d322708 : nt!KeBugCheckEx
ffffcc00`3d322490 fffff801`8797bc10 : ffffdd0b`c53d0c20 ffffdd0b`c50ddef0 ffffdd0b`c514eae0 fffff801`00000000 : nt!KiBugCheckDispatch+0x69
ffffcc00`3d3225d0 fffff801`8797abf7 : 00000000`00000000 00000000`00000000 00000000`00000005 ffffdd0b`c18eb1c0 : nt!KiFastFailDispatch+0xd0
ffffcc00`3d3227b0 fffff80f`78ea7cd4 : 00000000`00000070 00000000`00000000 00000000`00000002 ffffdd0b`c4aed230 : nt!KiRaiseSecurityCheckFailure+0xf7
ffffcc00`3d322940 00000000`00000070 : 00000000`00000000 00000000`00000002 ffffdd0b`c4aed230 ffffdd0b`c18eb9d8 : nptdrv2+0x7cd4
ffffcc00`3d322948 00000000`00000000 : 00000000`00000002 ffffdd0b`c4aed230 ffffdd0b`c18eb9d8 fffff80f`78ea9f88 : 0x70

CHKIMG_EXTENSION: !chkimg -lo 50 -d !nt
fffff80187a84383-fffff80187a84385 3 bytes - nt!ExFreePoolWithTag+363
[ 40 fb f6:80 43 87 ]
3 errors : !nt (fffff80187a84383-fffff80187a84385)

MODULE_NAME: memory_corruption
IMAGE_NAME: memory_corruption
FOLLOWUP_NAME: memory_corruption

Followup: memory_corruption




3 years ago

I have Windows 8. This blue screen appears and it restarts itself, and then says Windows is repairing itself but fails to do that, and then the blue screen appears and it restarts again. I don't want to lose my data, photos and videos, so what should I do? Need help, please.


3 years ago on Introduction

Dear Azerial,

Thank you for your valuable information. It's very clear. I've successfully installed the debugging tools.

When I followed your guideline I just faced the following information. What does it mean?
How do I understand these messages? Are there any other commands?

Microsoft (R) Windows Debugger Version 6.3.9600.17336 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.

Loading Dump File [F:\MEMORY.DMP]
Kernel Summary Dump File: Only kernel address space is available

************* Symbol Path validation summary **************
Response Time (ms) Location
Deferred SRV*C:\Windows\symbol_cache*
Symbol search path is: SRV*C:\Windows\symbol_cache*
Executable search path is:
Windows 7 Kernel Version 7601 (Service Pack 1) MP (40 procs) Free x64
Product: Server, suite: TerminalServer DataCenter SingleUserTS
Built by: 7601.18113.amd64fre.win7sp1_gdr.130318-1533
Machine Name:
Kernel base = 0xfffff800`01810000 PsLoadedModuleList = 0xfffff800`01a53670
Debug session time: Tue Jun 30 15:16:55.617 2015 (UTC + 9:00)
System Uptime: 0 days 6:48:24.546
Loading Kernel Symbols
Loading User Symbols
PEB is paged out (Peb.Ldr = 000007ff`fffd5018). Type ".hh dbgerr001" for details
Loading unloaded module list
* *
* Bugcheck Analysis *
* *

Use !analyze -v to get detailed debugging information.

BugCheck 1A, {41201, fffff68000125000, 7f87312b, fffffa8067073a40}

Page 625d2f not present in the dump file. Type ".hh dbgerr004" for details
Probably caused by : ntkrnlmp.exe ( nt! ?? ::FNODOBFM::`string'+13702 )

Followup: MachineOwner


4 years ago on Introduction

I've added the debugging tool to the firewall, and for some reason I still can't seem to find memory.dmp. I'm running Windows 8.1.


4 years ago on Introduction

If I delete the dump files, i.e. memory.dmp or *.dmp, will any problem occur to my system?


Reply 4 years ago on Introduction

It will work if you follow the instructions :) The hard part is what do you do after you figure out what causes it!


4 years ago on Introduction

Many thanks. This solved a random graphics driver crash on Windows 8.1 atikmpag.sys from AMD. Before that I tried changing antivirus but crash kept coming with fuzzy message (graphic card screwed up) so I could not read crash message. Opening MEMORY.DMP with Windbg had there in clear letters the name of the driver above. Old laptop with old driver. I tried AMD Catalyst Omega driver with High Performance Power and am hoping this will fix it. Otherwise frustrating that graphics card is not easily fixable.

Reply 4 years ago on Introduction

You might try using an older version of the driver. I don't know much about AMD drivers, but I wonder if you can figure out in what version it was that they changed that module and go one version before that. Might just be trial and error.


4 years ago on Step 10

Is there a forum that you'd recommend people send their file/info?


4 years ago on Introduction

Why thanks, this helped me prove my suspicion (that skype is a buggy pos) :P
Skype was the process responsible (which is what I suspected because that's really the only thing that was running).

Reply 4 years ago on Introduction

Ha! I love stories like this! It's really empowering being able to diagnose your own computer issues and fixing them.


Reply 4 years ago on Step 10

This one? It was actually a bug in Windows 8 that Microsoft couldn't reproduce. It eventually went away, so something must have fixed it.