WINDOWS BLUE SCREEN OF DEATH AFTER CRASH DEBUGGING
Alex Mclean, Amy Valley, Derek Visch
What is a BSOD? Blue Screen of Death
Occurs in Windows when the operating system encounters a critical error that it cannot recover from.
The kernel function called to generate the BSOD is KeBugCheckEx.
Why generate a BSOD?
Why not just ignore the exception?
It is likely that the driver that caused the first exception will continue to do so.
Therefore there is a high risk of data being corrupted.
Most Common BSOD Causes
By Stop Code Category
Source: Russinovich, Mark E., David A. Solomon, and Alex Ionescu. Windows Internals: Part 2. 6th ed. Redmond, WA: Microsoft, 2012. Print.
Memory Dump Types
⬜ Kernel Memory Dumps
⬜ Complete Memory Dumps
⬜ Small Memory Dumps
Small Memory Dumps
⬜ Only information about the current process and thread context, the bug check stop code, and the kernel portion of the stack trace that caused the crash.
⬜ Basic WinDbg commands like !process will not have the information they need.
Kernel Memory Dumps
⬜ Collected on kernel crashes
⬜ Contains the kernel-mode memory pages at the time of the crash
⬜ Does not show user-mode pages
Complete Memory Dumps
⬜ A dump of the entire physical memory (RAM)
⬜ Does show user-mode pages at the time of the crash
⬜ Not always available on computers with 2 GB or more of RAM due to size
Sample Complete Memory Dump
Sample Kernel Memory Dump
Getting memory dumps
Choose Type of Memory Dump
Cause the crash
Reading the Crash
Run WinDbg as administrator
File > Open Crash Dump > C:\Windows\MEMORY.DMP
Run the following commands:
kd> .symfix
kd> .reload
kd> !process -1 0
kd> !analyze -v
kd> lm kv m myfault
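The stop code and its four parameters that !analyze -v reports as BUGCHECK_CODE and Arg1..Arg4 are stored in the fixed header at the very start of every kernel crash dump, so a small dump is enough to recover them even before WinDbg has loaded symbols. The following script is an added example, not part of the original slides: it reads those header fields from a 32-bit (PAGE/DUMP) or 64-bit (PAGE/DU64) crash dump using the publicly known DUMP_HEADER layout (BugCheckCode at 0x28/0x38, parameters at 0x2C/0x40), and maps a handful of well-known stop codes to their names. The sample dump bytes are constructed inline for illustration; the file path and the helper names are assumptions. Verify the offsets against dt nt!_DUMP_HEADER64 in WinDbg before relying on them for a new Windows build.

```python
import struct

# A few well-known bug check (stop) codes from the Windows bug check reference.
STOP_CODES = {
    0x0000000A: "IRQL_NOT_LESS_OR_EQUAL",
    0x0000001E: "KMODE_EXCEPTION_NOT_HANDLED",
    0x00000050: "PAGE_FAULT_IN_NONPAGED_AREA",
    0x0000007E: "SYSTEM_THREAD_EXCEPTION_NOT_HANDLED",
    0x0000007F: "UNEXPECTED_KERNEL_MODE_TRAP",
    0x000000D1: "DRIVER_IRQL_NOT_LESS_OR_EQUAL",
    0x000000F4: "CRITICAL_OBJECT_TERMINATION",
}


def parse_dump_header(data: bytes) -> dict:
    """Parse the fixed fields of a Windows kernel crash dump header.

    Layout assumed (publicly known DUMP_HEADER / DUMP_HEADER64):
      0x00 Signature 'PAGE'      0x04 ValidDump 'DUMP' (32-bit) or 'DU64' (64-bit)
      0x08 MajorVersion          0x0C MinorVersion (build number)
      32-bit: MachineImageType 0x20, NumberProcessors 0x24,
              BugCheckCode 0x28, four 32-bit parameters at 0x2C
      64-bit: MachineImageType 0x30, NumberProcessors 0x34,
              BugCheckCode 0x38, four 64-bit parameters at 0x40
    """
    if len(data) < 0x60 or data[0:4] != b"PAGE":
        raise ValueError("not a Windows kernel crash dump (PAGE signature missing)")
    valid = data[4:8]
    major, minor = struct.unpack_from("<II", data, 0x08)
    if valid == b"DU64":
        bits = 64
        machine, ncpu, code = struct.unpack_from("<III", data, 0x30)
        params = struct.unpack_from("<4Q", data, 0x40)
    elif valid == b"DUMP":
        bits = 32
        machine, ncpu, code = struct.unpack_from("<III", data, 0x20)
        params = struct.unpack_from("<4I", data, 0x2C)
    else:
        raise ValueError("unknown dump validation tag %r" % valid)
    return {
        "bits": bits,
        "os_version": "%d.%d" % (major, minor),
        "machine_image_type": machine,
        "processors": ncpu,
        "bugcheck_code": code,
        "bugcheck_name": STOP_CODES.get(code, "UNKNOWN_0x%08X" % code),
        "parameters": list(params),
    }


def describe(header: dict) -> str:
    """One-line triage summary in the spirit of the !analyze -v output."""
    args = " ".join("Arg%d=0x%X" % (i + 1, p) for i, p in enumerate(header["parameters"]))
    return "%s (0x%08X) on %d-bit, %d CPU(s): %s" % (
        header["bugcheck_name"], header["bugcheck_code"], header["bits"],
        header["processors"], args)


def build_sample_dump(bits: int) -> bytes:
    """Constructed sample header (not a real dump): a DRIVER_IRQL_NOT_LESS_OR_EQUAL
    crash with IRQL 2, as the Sysinternals myfault driver would typically raise."""
    buf = bytearray(0x2000)                      # real headers occupy a full page
    buf[0:4] = b"PAGE"
    struct.pack_into("<II", buf, 0x08, 15, 19041)   # sample OS version 15.19041
    if bits == 64:
        buf[4:8] = b"DU64"
        struct.pack_into("<III", buf, 0x30, 0x8664, 4, 0xD1)   # AMD64, 4 CPUs, 0xD1
        struct.pack_into("<4Q", buf, 0x40, 0x10, 2, 0, 0xFFFFF80012340000)
    else:
        buf[4:8] = b"DUMP"
        struct.pack_into("<III", buf, 0x20, 0x014C, 2, 0xD1)   # i386, 2 CPUs, 0xD1
        struct.pack_into("<4I", buf, 0x2C, 0x10, 2, 0, 0x8A340000)
    return bytes(buf)


if __name__ == "__main__":
    # Usage on a real file (path is an assumption):
    #   with open(r"C:\Windows\Minidump\sample.dmp", "rb") as f:
    #       print(describe(parse_dump_header(f.read(0x2000))))
    print(describe(parse_dump_header(build_sample_dump(64))))
</test>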