Windows Bugcheck Analysis


8/19/2019 Windows Bugcheck Analysis 1/22

Why Windows Crashes?

Windows crashes (i.e. stops execution and displays the blue screen) for many different reasons: a reference to a memory address that causes an access violation, an unexpected exception or trap, a faulting kernel-mode driver and so on. It's important to understand that Windows could go on even in the presence of serious problems during its execution, isolating the error and trying to recover in some way: but the detected problem could be caused by a deeper and more serious error that could result in more exceptions raised during operating system processing and finally lead to RAM and/or disk data corruption. This is unacceptable, of course, so Windows adopts a sort of "fail fast and safe" policy that consists in stopping execution, switching the display to a low-resolution VGA mode, painting a blue background, writing memory status and crash information to a file (the memory dump file) and displaying a stop code containing a message and some indications to the user. Blue Screen Of Death, Bugcheck and Stop error are different words for the same class of unhandled exception that occurs in kernel-mode execution and causes the system to shut down (and possibly reboot). The source of the issue can be anything from a power fluctuation in the system to a damaged component or a software/hardware bug.

In Windows 7 and previous versions, the BSOD looks like the following

Figure 1: the actual BSOD.

whereas in Windows 8 it actually looks like the following (a little less scary than the previous one)

Figure 2: BSOD.

It's interesting to observe the distribution of bugchecks according to their causes: the book Windows Internals, 5th Edition (http://technet.microsoft.com/en-us/sysinternals/bb963901) provides the following chart displaying the distribution of error categories for Windows Vista SP1 in September 2008.

Figure 3: distribution of error categories.


Some Terminology

Blue screen: when the system encounters a hardware problem, data inconsistency, or similar error, it may display a blue screen containing information that can be used to determine the cause of the error. This information includes the STOP code and whether a crash dump file was created. It may also include a list of loaded drivers and a stack trace.

Crash dump file: you can configure the system to write information to a crash dump file on your hard disk whenever a STOP code is generated. The file (memory.dmp) contains information the debugger can use to analyze the error. This file can be as big as the physical memory contained in the computer. By default, it's located in the Windows [...] quite possibly give information needed to resolve the problem. If it's all you have, then debug it, rather than waiting for the machine to crash again. Open the file in the debugger (see below) just as memory.dmp is opened in the demonstration.

STOP code: the error code that identifies the error that stopped the system kernel from continuing to run. It is the first set of hexadecimal values displayed on the blue screen. At a minimum, frontline admins should be required to note this code, the four other codes displayed in parentheses and any drivers identified on the screen. Often, this is all you really need.

Symbol files: all system applications, drivers, and DLLs are built such that their debugging information resides in separate files known as symbol files. Therefore, the system is smaller and faster, yet it can still be debugged if the symbol files are available. You don't need to download the symbol files to debug: the debugger will automatically fetch the ones it needs from Microsoft's public symbol server, provided the symbol path points at it (see below).


The Blue Screen

Regardless of the reason for a system crash, the function that actually performs the crash is KeBugCheckEx, documented in the Windows Driver Kit (WDK). This function takes a stop code (also called a bugcheck code) and four parameters that must be interpreted on a per-stop-code basis. After KeBugCheckEx masks out all interrupts on all processors of the system, it switches the display into a low-resolution VGA graphics mode (one implemented by all Windows-supported video cards), paints a blue background and displays the stop code, followed by some text suggesting what the user can do. Finally, KeBugCheckEx calls any registered device driver bugcheck callbacks (registered by calling the KeRegisterBugCheckCallback function), allowing drivers an opportunity to stop their devices. It then calls registered reason callbacks (registered by calling the KeRegisterBugCheckReasonCallback function), which allow drivers to append data to the crash dump or write crash dump information to alternate devices. KeBugCheckEx displays the textual representation of the stop code near the top of the blue screen as well as the numeric stop code and the four parameters at the bottom of the blue screen: the first line in the Technical Information section lists the stop code and the four additional parameters passed to KeBugCheckEx; a text line near the top of the screen provides the text equivalent of the stop code's numeric identifier (sometimes system data structures have been so seriously corrupted that the blue screen isn't displayed at all).


Identifying the Stop Error

Many different types of Stop errors occur: each has its own possible causes and requires a unique troubleshooting process; therefore, the first step in troubleshooting a Stop error is to identify the Stop error. You need the following information about the Stop error to begin troubleshooting:

• stop error number: this number uniquely identifies the Stop error;
• stop error parameters: these parameters provide additional information about the Stop error. Their meaning is specific to the Stop error number;

• driver information: when available, the driver information identifies the most likely source of the problem. Not all Stop errors are caused by drivers, however.

This information is often displayed as part of the Stop message: if possible, write it down to use as a reference during the troubleshooting process. If the operating system restarts before you can write down the information, you can often retrieve it from the System Event log in Event Viewer. If you are unable to gather the Stop error number from the Stop message and the System log, you can retrieve it from a memory dump file. By default, Windows is configured to create a memory dump whenever a Stop error occurs. If no memory dump file was created, configure the system to create one. Then, if the Stop error reoccurs, you will be able to extract the necessary information from the memory dump file.
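The System log lookup described above can be scripted. The following is an added example, not code from the original article: it parses the event Windows writes after a crash (event 1001, source "BugCheck") to recover the stop code and the four parameters, and decodes the parameters for the stop codes this article covers (0xA, 0xD1 and 0x124). It assumes PowerShell 3.0 or later and the usual shape of the event message ("The bugcheck was: 0x... (p1, p2, p3, p4). A dump was saved in: <path>."); the sample message at the bottom is constructed, with made-up values, so the parser can be tried without a crashed machine.

```powershell
# Added example (not from the original article): recover bugcheck data from the
# System log and decode the parameters the way the Stop 0xD1 / 0xA sections describe.
# Assumption: PowerShell 3.0+, event 1001 message in its usual shape (see lead-in).

function Get-StopParameterMeaning {
    param([uint32]$Code, [uint64[]]$Params)
    switch ($Code) {
        { $_ -in 0xA, 0xD1 } {
            # Same four parameters as in the Stop 0xD1 section: memory referenced, IRQL,
            # access type (0 = read, 1 = write), address of the code that did the access.
            if ($Code -eq 0xA -and $Params[2] -eq $Params[0]) {
                # Special case from the Stop 0xA section: a worker routine returned at raised IRQL.
                return ('worker routine 0x{0:X} returned at IRQL {1}, work item 0x{2:X}' -f
                        $Params[0], $Params[1], $Params[3])
            }
            $access = switch ($Params[2]) { 0 { 'read' } 1 { 'write' } default { "access type $_" } }
            return ('{0} of 0x{1:X} at IRQL {2} by code at 0x{3:X}' -f
                    $access, $Params[0], $Params[1], $Params[3])
        }
        0x124 {
            return ('WHEA error source 0x{0:X} (see Table 2), WHEA_ERROR_RECORD at 0x{1:X}' -f
                    $Params[0], $Params[1])
        }
        default { return 'parameter meaning is specific to this stop code' }
    }
}

function ConvertFrom-BugCheckMessage {
    param(
        [Parameter(Mandatory)][string]$Message,
        [datetime]$TimeCreated = [datetime]::MinValue
    )
    # Event 1001 carries the same data as the Technical Information section of the blue screen.
    $rx = [regex]'(?is)bugcheck was:\s*0x(?<code>[0-9a-f]{1,8})\s*\(\s*(?<p1>0x[0-9a-f]+),\s*(?<p2>0x[0-9a-f]+),\s*(?<p3>0x[0-9a-f]+),\s*(?<p4>0x[0-9a-f]+)\s*\)(?:.*?A dump was saved in:\s*(?<dump>[^\r\n]+?)\.(?:\s|$))?'
    $m = $rx.Match($Message)
    if (-not $m.Success) { return $null }   # event id 1001 is reused by other sources; skip those
    $code   = [Convert]::ToUInt32($m.Groups['code'].Value, 16)
    $params = [uint64[]](1..4 | ForEach-Object { [Convert]::ToUInt64($m.Groups["p$_"].Value.Substring(2), 16) })
    [pscustomobject]@{
        TimeCreated = $TimeCreated
        StopCode    = '0x{0:X8}' -f $code
        Parameters  = @($params | ForEach-Object { '0x{0:X}' -f $_ })
        Meaning     = Get-StopParameterMeaning -Code $code -Params $params
        DumpFile    = $m.Groups['dump'].Value
    }
}

function Get-BugCheckHistory {
    param([int]$MaxEvents = 10)
    # Filter on the message text rather than the provider name, which differs across Windows releases.
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 1001 } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'bugcheck was' } |
        Select-Object -First $MaxEvents |
        ForEach-Object { ConvertFrom-BugCheckMessage -Message $_.Message -TimeCreated $_.TimeCreated }
}

# Constructed sample in the shape of a real event 1001 message; the values are made up.
$sample = 'The computer has rebooted from a bugcheck.  The bugcheck was: 0x000000d1 ' +
          '(0x0000000000000000, 0x0000000000000002, 0x0000000000000000, 0xfffff8800157e0f2). ' +
          'A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 082419-12345-01.'
ConvertFrom-BugCheckMessage -Message $sample | Format-List
# On the machine that crashed:
# Get-BugCheckHistory | Format-Table TimeCreated, StopCode, Meaning -AutoSize
```

For the constructed sample the Meaning field reads "read of 0x0 at IRQL 2 by code at 0xFFFFF8800157E0F2", i.e. a driver dereferenced a null pointer at DISPATCH_LEVEL, which is exactly the information the Technical Information section of the blue screen would have shown.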


Understanding the Stop Message

The Stop message reports information about the Stop error and assists the system administrator (who understands how to interpret the information) in isolating and eventually resolving the problem that caused the Stop error. The Stop message provides a great deal of useful information, including the Stop error number, or bugcheck code. The Stop message uses a full-screen character mode format and consists of several major sections, as shown in Figure 1, which display the following information:

• Bugcheck Information: this section lists the Stop error descriptive name. Descriptive names are directly related to the Stop error number listed in the Technical Information section.
• Recommended User Action: this section informs the user that a problem has occurred and that Windows was shut down. It also provides the symbolic name of the Stop error (in Figure 1, the symbolic name is DRIVER_IRQL_NOT_LESS_OR_EQUAL). It also attempts to describe the problem and lists suggestions for recovery.
• Technical Information: this section lists the Stop error number, also known as the bugcheck code, followed by up to four Stop error-specific codes (displayed as hexadecimal numbers beginning with a 0x prefix and enclosed in parentheses), which identify related parameters. In Figure 1, the Stop error number is 0x000000D1 (often written as 0xD1).
• Driver Information: this section identifies the driver associated with the Stop error.
• Debug Port and Dump Status Information: this section lists the serial (COM) port parameters that a kernel debugger uses, if one is enabled. If you have enabled memory dump file saves, this section also indicates whether one was successfully written.


Collecting a Kernel-Mode Crash Dump

Most modern desktop installations of Windows are configured to collect small memory dumps automatically. The dump file generation settings can be configured from the Advanced tab of the System Properties window (Startup and Recovery), as you can see in Figure 4.

Figure 4: setting the dump generation options.

Table 1 summarizes the different locations that Windows uses to store the memory dump files (also read the Microsoft Knowledge Base article KB254649, Overview of memory dump file options for Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7 and Windows Server 2008 R2: http://support.microsoft.com/kb/254649/).

Memory Dump Type | Default Location (variable) | Default Location (typical) | Paging File Requirements
Small memory dump | %systemroot% [...] | [...] | [...]
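The settings behind the Startup and Recovery dialog of Figure 4 are stored in the registry, so they can be audited and changed without the GUI (useful on a fleet, or on a server reached only over a remote shell). The following is an added example, not code from the original article. It assumes an elevated PowerShell 3.0+ session, the registry key HKLM\SYSTEM\CurrentControlSet\Control\CrashControl, and the documented CrashDumpEnabled values (0 = none, 1 = complete, 2 = kernel, 3 = small, 7 = automatic on Windows 8 / Server 2012 and later); the paging file check applies the complete-dump rule of thumb that the file must hold all of physical memory, which the article's "Crash dump file" definition states.

```powershell
# Added example (not from the original article): read and change the crash dump settings
# from the registry. Assumptions: elevated session; CrashDumpEnabled values as documented
# by Microsoft (0 none, 1 complete, 2 kernel, 3 small, 7 automatic); changes apply at reboot.

$CrashControl = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'
$DumpTypeName = @{ 0 = 'None'; 1 = 'Complete memory dump'; 2 = 'Kernel memory dump'
                   3 = 'Small memory dump (64 KB)'; 7 = 'Automatic memory dump' }

function Get-CrashDumpConfig {
    $p = Get-ItemProperty -Path $CrashControl
    [pscustomobject]@{
        DumpType    = $DumpTypeName[[int]$p.CrashDumpEnabled]
        DumpFile    = $p.DumpFile        # complete/kernel dump target, typically %SystemRoot%\MEMORY.DMP
        MinidumpDir = $p.MinidumpDir     # small dump folder, typically %SystemRoot%\Minidump
        Overwrite   = [bool]$p.Overwrite # overwrite an existing MEMORY.DMP
        AutoReboot  = [bool]$p.AutoReboot
        LogEvent    = [bool]$p.LogEvent  # write event 1001 to the System log after the crash
    }
}

function Set-CrashDumpConfig {
    param(
        [Parameter(Mandatory)][ValidateSet('None', 'Complete', 'Kernel', 'Small', 'Automatic')]
        [string]$DumpType,
        [switch]$DisableAutoReboot       # keep the blue screen on screen so it can be read
    )
    $code = @{ None = 0; Complete = 1; Kernel = 2; Small = 3; Automatic = 7 }[$DumpType]
    Set-ItemProperty -Path $CrashControl -Name CrashDumpEnabled -Value $code -Type DWord
    Set-ItemProperty -Path $CrashControl -Name LogEvent -Value 1 -Type DWord
    if ($DisableAutoReboot) {
        Set-ItemProperty -Path $CrashControl -Name AutoReboot -Value 0 -Type DWord
    }
    Get-CrashDumpConfig
}

function Test-PageFileForDump {
    # The dump is written through the paging file on the system drive (unless a dedicated
    # dump file is configured), so a complete dump needs at least RAM + 1 MB there.
    $ramMB    = [math]::Ceiling((Get-CimInstance Win32_ComputerSystem).TotalPhysicalMemory / 1MB)
    $onSystem = Get-CimInstance Win32_PageFileUsage | Where-Object { $_.Name -like "$env:SystemDrive*" }
    $pageMB   = ($onSystem | Measure-Object AllocatedBaseSize -Sum).Sum
    if (-not $pageMB) { $pageMB = 0 }
    [pscustomobject]@{
        PhysicalMemoryMB      = $ramMB
        SystemDrivePageFileMB = $pageMB
        OkForCompleteDump     = ($pageMB -ge ($ramMB + 1))
    }
}

Get-CrashDumpConfig
Test-PageFileForDump
# Set-CrashDumpConfig -DumpType Kernel -DisableAutoReboot   # then reboot for it to take effect
```

A kernel memory dump is the sensible default for a machine under investigation: it is much smaller than a complete dump yet contains everything the debugger session described later needs, including the loaded module list and the kernel stacks. Turning AutoReboot off is what lets the Technical Information section be copied by hand when the System log is not available.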

Figure 5: installing the Windows SDK.

After installation, the symbol path needs to be set to ensure that there are enough symbols for the debugger to determine what actually occurred and what was loaded. The entire symbol collection offered to the public can be downloaded and placed on a local drive, or an Internet location can be specified to pull the symbols on demand. I suggest pulling them from the Internet: the correct version of the symbols will be downloaded on demand and will not become outdated by the installation of hotfixes and service packs. The Microsoft Knowledge Base article "Use the Microsoft Symbol Server to obtain debug symbol files" (KB311503) provides the instructions to follow to use the Microsoft Symbol Server to obtain debug symbol files: basically, you can create a folder (for example, C:[...]

Figure 6: starting the debugging process.

After that, you need to get detailed information about the current exception or bug check: in the lower pane of the Command window, type the command [...]

Figure 7a: analyzing the dump file (part 1).

     

Figure 7b: analyzing the dump file (part 2).

As you can see, the system crashed because of a DRIVER_IRQL_NOT_LESS_OR_EQUAL bugcheck, whose Stop code is 0x000000D1. The faulting module seems to be e1k6232 (the image file is e1k6232.sys): we enter the lm command with some options (v causes the display to be verbose, including the symbol file name, the image file name, checksum information, version information, date stamps, time stamps, and information about whether the module is managed code; m specifies a pattern that the module name must match) as in the following

Figure 8: displaying module information.

and we can get more information about that module. Then we perform a quick search on the web (http://systemexplorer.net/db/e1k6232.sys.html) and discover that e1k6232.sys is a driver belonging to the Intel Gigabit Adapter developed by Intel Corporation: in this case, we could fix the issue by downloading and installing an updated version of this driver (this DMP file comes from a PC really affected by this problem and updating the driver effectively solved the issue). Further troubleshooting depends on the specific error. Some errors may require Driver Verifier to be enabled to determine a root cause: this tool verifies that drivers are not making illegal function calls or causing system corruption and it can identify conditions such as memory corruption, mishandled I/O request packets (IRPs), invalid direct memory access (DMA) buffer usage and possible deadlocks. The [...]
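The interactive session of Figures 6 to 8 (open the dump, point the debugger at the symbol server, run the analysis, inspect the suspect module) can be driven from a script when there are several dumps to triage. The following is an added example, not the article's own material: it runs kd.exe, the console kernel debugger installed alongside WinDbg, against every dump in a folder. It assumes kd.exe at the path in $KdPath (adjust for your SDK or WDK version), a local symbol cache C:\Symbols in front of the public Microsoft symbol server, and uses !analyze -v, the debugger's standard crash-analysis command, to produce the kind of report shown in Figures 7a and 7b; the optional -Module parameter appends the verbose "lm vm" listing from Figure 8.

```powershell
# Added example (not from the original article): batch the manual session of Figures 6 to 8
# by driving kd.exe against every dump in a folder. Assumptions: kd.exe at $KdPath,
# symbols cached in C:\Symbols in front of the public server, "!analyze -v" as the
# analysis command and "lm vm <module>" for the module listing.

$KdPath     = 'C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\kd.exe'   # assumed location
$SymbolPath = 'srv*C:\Symbols*https://msdl.microsoft.com/download/symbols'  # local cache, then server

function Select-FirstGroup {
    # Returns the first capture group of $Pattern in $Text, or $null when there is no match.
    param([string]$Text, [string]$Pattern)
    $m = [regex]::Match($Text, $Pattern)
    if ($m.Success) { $m.Groups[1].Value.Trim() } else { $null }
}

function Invoke-DumpAnalysis {
    param(
        [Parameter(Mandatory)][string]$DumpFile,
        [string]$Module                       # e.g. e1k6232 to append "lm vm e1k6232"
    )
    if (-not (Test-Path -LiteralPath $KdPath)) { throw "kd.exe not found at $KdPath" }
    # kd switches: -z <file> opens a crash dump, -y <path> sets the symbol path,
    # -c "<commands>" runs them once the dump is loaded; the trailing q makes kd exit.
    $commands = '!analyze -v'
    if ($Module) { $commands += "; lm vm $Module" }
    $commands += '; q'
    $raw = (& $KdPath -z $DumpFile -y $SymbolPath -c $commands 2>&1 | ForEach-Object { "$_" }) -join "`n"
    [pscustomobject]@{
        DumpFile         = $DumpFile
        BugCheck         = Select-FirstGroup $raw 'BugCheck\s+([0-9A-Fa-f]+,\s*\{[^}]*\})'  # "D1, {0, 2, 0, ...}"
        ProbablyCausedBy = Select-FirstGroup $raw 'Probably caused by\s*:\s*(.+)'
        ImageName        = Select-FirstGroup $raw 'IMAGE_NAME:\s*(\S+)'
        FailureBucket    = Select-FirstGroup $raw 'FAILURE_BUCKET_ID:\s*(\S+)'
        RawOutput        = $raw               # full transcript, including the lm vm listing
    }
}

function Get-DumpReport {
    param([string]$Folder = "$env:SystemRoot\Minidump", [string]$Module)
    Get-ChildItem -LiteralPath $Folder -Filter *.dmp -ErrorAction Stop | ForEach-Object {
        $r = Invoke-DumpAnalysis -DumpFile $_.FullName -Module $Module
        $r.RawOutput | Set-Content -LiteralPath ($_.FullName + '.analysis.txt')   # keep the transcript
        $r | Select-Object DumpFile, BugCheck, ProbablyCausedBy, ImageName, FailureBucket
    }
}

# Get-DumpReport -Module e1k6232 | Format-Table -AutoSize
# Invoke-DumpAnalysis -DumpFile C:\Windows\MEMORY.DMP | Select-Object -ExpandProperty RawOutput
```

The summary object carries the three fields that decide the next step in practice: the bugcheck line (stop code and the four parameters, as on the blue screen), the module the analyzer blames, and the failure bucket, which stays the same for repeated crashes with the same root cause and so lets a pile of dumps be grouped before anybody opens one by hand. The full transcript is kept next to each dump because "Probably caused by" is a heuristic: when it names a core component such as ntoskrnl.exe rather than a third-party driver, the stack in the transcript, and often Driver Verifier, are needed to find the real culprit.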

Stop 0xA (IRQL_NOT_LESS_OR_EQUAL)

*** Address 0x00000000 has base at address ..., driver name ...

If the third parameter is the same as the first parameter, a special condition exists in which a system worker routine (carried out by a worker thread to handle background tasks known as work items) returned at a higher IRQL. In that case, some of the four parameters take on new meanings:

1. address of the worker routine
2. kernel IRQL
3. address of the worker routine
4. address of the work item

To resolve an error caused by a faulty device driver, system service or basic input/output system (BIOS), follow these steps:

1. restart the system;
2. press F8 at the character-based menu that displays the operating system choices;
3. select the Last Known Good Configuration option from the Windows Advanced Options menu; this option is most effective when only one driver or service is added at a time.

To resolve an error caused by an incompatible device driver, system service, virus scanner or backup tool, follow these steps:

1. check the System log in Event Viewer for error messages that might identify the device or driver that caused the error;
2. try disabling memory caching of the BIOS;
3. run the hardware diagnostics supplied by the system manufacturer, especially the memory scanner;
4. make sure the latest Service Pack and Windows updates are installed;
5. if the system has small computer system interface (SCSI) adapters, contact the adapter manufacturer to obtain updated Windows drivers. Try disabling sync negotiation in the SCSI BIOS, checking the cabling and the SCSI IDs of each device and confirming proper termination;
6. for integrated device electronics (IDE) devices, define the onboard IDE port as Primary only. Also, check each IDE device for the proper master/subordinate/stand-alone setting. Try removing all IDE devices except for hard disks.

If the Stop 0xA message is encountered while upgrading to a newer Windows version, the problem might be due to an incompatible driver, system service, virus scanner or backup tool. To avoid problems while upgrading, simplify the hardware configuration and remove all third-party device drivers and system services (including virus scanners) prior to running setup. After successfully installing Windows, contact the hardware manufacturer to obtain compatible updates.

If the Stop error occurs when resuming from hibernation or suspend, read the Microsoft Knowledge Base articles 941492 (http://support.microsoft.com/kb/941492) and 945577 (http://support.microsoft.com/kb/945577).

If the Stop error occurs when starting a mobile computer that has the lid closed, refer to the Microsoft Knowledge Base article 941507 (http://support.microsoft.com/kb/941507).


Stop 0xD1 (DRIVER_IRQL_NOT_LESS_OR_EQUAL)

The Stop 0xD1 message indicates that the system attempted to access pageable memory using a kernel process IRQL that was too high. Drivers that have used improper addresses typically cause this error. This Stop message has four parameters:

1. memory referenced
2. IRQL at time of reference
3. type of access
   o 0x00 = read operation
   o 0x01 = write operation
4. address that referenced memory

Stop 0xD1 messages can occur after you install faulty drivers or system services. If a driver is listed by name, disable, remove, or roll back that driver to resolve the error. If disabling or removing drivers resolves the error, contact the manufacturer about a possible update. Using updated software is especially important for backup programs, multimedia applications, antivirus scanners, DVD playback, and CD mastering tools.


Stop 0x00000124 (WHEA_UNCORRECTABLE_ERROR)

The Stop 0x00000124 message indicates that a fatal hardware error was reported through the Windows Hardware Error Architecture (WHEA); the first parameter identifies the kind of error source (see Table 2), commonly a machine check exception raised by the processor. One frequent case is a problem handling a PCI-Express device: most often, this occurs when adding or removing a hot-pluggable PCI-Express card; however, it can occur with driver- or hardware-related problems for PCI-Express cards.

To troubleshoot 0x00000124 stop errors, first make sure you have applied all Windows updates and driver updates. If you recently updated a driver, roll back the change. If the stop error continues to occur, remove PCI-Express cards one by one to identify the problematic hardware. When you have identified the card causing the problem, contact the hardware manufacturer for further troubleshooting assistance. The driver might need to be updated, or the card itself could be faulty. Because the report comes from the hardware itself, a driver change only helps when the driver is misprogramming the device; the same stop code is produced by overheating, failing memory modules and unstable power.

The meanings of the parameters are described in Table 2.

Parameter 1 | Parameter 2 | Parameter 3 | Parameter 4 | Cause of error
0x0 | Address of WHEA_ERROR_RECORD structure. | High 32 bits of MCi_STATUS MSR for the MCA bank that had the error. | Low 32 bits of MCi_STATUS MSR for the MCA bank that had the error. | A machine check exception occurred. These parameter descriptions apply if the processor is based on the x64 architecture, or the x86 architecture that has the MCA feature available (for example, Intel Pentium Pro, Pentium IV, or Xeon).
0x1 | Address of WHEA_ERROR_RECORD structure. | Reserved. | Reserved. | A corrected machine check exception occurred.
0x2 | Address of WHEA_ERROR_RECORD structure. | Reserved. | Reserved. | A corrected platform error occurred.
0x3 | Address of WHEA_ERROR_RECORD structure. | Reserved. | Reserved. | A nonmaskable Interrupt (NMI) error occurred.
0x4 | Address of WHEA_ERROR_RECORD structure. | Reserved. | Reserved. | An uncorrectable PCI Express error occurred.
0x5 | Address of WHEA_ERROR_RECORD structure. | Reserved. | Reserved. | A generic hardware error occurred.
0x6 | Address of WHEA_ERROR_RECORD structure. | Reserved. | Reserved. | An initialization error occurred.
0x7 | Address of WHEA_ERROR_RECORD structure. | Reserved. | Reserved. | A BOOT error occurred.
0x8 | Address of WHEA_ERROR_RECORD structure. | Reserved. | Reserved. | A Scalable Coherent Interface (SCI) generic error occurred.
0x9 | Address of WHEA_ERROR_RECORD structure. | Length, in bytes, of the SAL log. | Address of the SAL log. | An uncorrectable Itanium-based machine check abort error occurred.
0xA | Address of WHEA_ERROR_RECORD structure. | Reserved. | Reserved. | A corrected Itanium-based machine check error occurred.
0xB | Address of WHEA_ERROR_RECORD structure. | Reserved. | Reserved. | A corrected Itanium platform error occurred.

Table 2: meanings of the parameters.
