Windows Bugcheck Analysis
8/19/2019 Windows Bugcheck Analysis
Why Does Windows Crash?

Windows crashes (i.e. stops executing and displays the blue screen) for many different reasons: a reference to a memory address that causes an access violation, an unexpected exception or trap, a faulting kernel-mode driver and so on. It's important to understand that Windows could go on even in the presence of serious problems during its execution, isolating the error and trying to recover some way; but the detected problem could be caused by a deeper and more serious error that could result in more exceptions raised during operating system processing, finally leading to RAM and/or disk data corruption. This is unacceptable, of course, so Windows adopts a sort of "fail, fast and safe" policy that consists in stopping execution, switching the display to a low-resolution VGA mode, painting a blue background, writing memory status and crash information to a file (the memory dump file) and displaying a stop code containing a message and some indications to the user. Blue Screen Of Death, Bugcheck and Stop errors are different words that represent the same class of unhandled exception that occurs in kernel-mode execution and causes the system to shut down (and possibly reboot). The source of the issue can be anything from a power fluctuation in the system to a damaged component or a software/hardware bug.

In Windows 7 and previous versions, the BSOD looks like the following:

Figure 1: the actual BSOD.
whereas in Windows 8 it actually looks like the following (a little less scary than the previous one):

Figure 2: BSOD.
It's interesting to observe the distribution of the bugchecks according to their causes: the book Windows Internals, 5th Edition provides the following chart displaying the distribution of error categories for Windows Vista SP1 in September 2008 (http://technet.microsoft.com/en-us/sysinternals/bb963901).
Figure 3: distribution of error categories.

Some Terminology
Blue screen: when the system encounters a hardware problem, data inconsistency, or similar error, it may display a blue screen containing information that can be used to determine the cause of the error. This information includes the STOP code and whether a crash dump file was created. It may also include a list of loaded drivers and a stack trace.
Crash dump file: you can configure the system to write information to a crash dump file on your hard disk whenever a STOP code is generated. The file (memory.dmp) contains information the debugger can use to analyze the error. This file can be as big as the physical memory contained in the computer. By default, it's located in the Windows [...] quite possibly give information needed to resolve. If it's all you have, then debug it, rather than waiting for the machine to crash again. Open the file in the debugger (see below) just as opening memory.dmp in the demonstration.
STOP code: the error code that identifies the error that stopped the system kernel from continuing to run. It is the first set of hexadecimal values displayed on the blue screen. At a minimum, frontline Admins should be required to note this code, the four other codes displayed in parentheses and any drivers identified on the screen. Often, this is all you really need.
Symbol files: all system applications, drivers, and DLLs are built such that their debugging information resides in separate files known as symbol files. Therefore, the system is smaller and faster, yet it can still be debugged if the symbol files are available. You don't need the symbol files to debug: the debugger will automatically access the ones it needs from Microsoft's public site.

The Blue Screen
Regardless of the reason for a system crash, the function that actually performs the crash is KeBugCheckEx, documented in the Windows Driver Kit (WDK). This function takes a stop code (also called a bugcheck code) and four parameters that must be interpreted on a per-stop-code basis. After KeBugCheckEx masks out all interrupts on all processors of the system, it switches the display into a low-resolution VGA graphics mode (one implemented by all Windows-supported video cards), paints a blue background and displays the stop code, followed by some text suggesting what the user can do. Finally, KeBugCheckEx calls any registered device driver bugcheck callbacks (registered by calling the KeRegisterBugCheckCallback function), allowing drivers an opportunity to stop their devices. It then calls registered reason callbacks (registered by calling the KeRegisterBugCheckReasonCallback function), which allow drivers to append data to the crash dump or write crash dump information to alternate devices. KeBugCheckEx displays the textual representation of the stop code near the top of the blue screen as well as the numeric stop code and the four parameters at the bottom of the blue screen: the first line in the Technical Information section lists the stop code and the four additional parameters passed to KeBugCheckEx; a text line near the top of the screen provides the text equivalent of the stop code's numeric identifier (sometimes it's even possible that system data structures have been so seriously corrupted that the blue screen isn't displayed).

Identifying the Stop Error
Many different types of Stop errors occur: each has its own possible causes and requires a unique troubleshooting process; therefore, the first step in troubleshooting a Stop error is to identify the Stop error. You need the following information about the Stop error to begin troubleshooting:
• stop error number: this number uniquely identifies the Stop error;
• stop error parameters: these parameters provide additional information about the Stop error. Their meaning is specific to the Stop error number;
• driver information: when available, the driver information identifies the most likely source of the problem. Not all Stop errors are caused by drivers, however.

This information is often displayed as part of the Stop message: if possible, write it down to use as a reference during the troubleshooting process. If the operating system restarts before you can write down the information, you can often retrieve it from the "System" Event Log in Event Viewer. If you are unable to gather the Stop error number from the Stop message and the System Log, you can retrieve it from a memory dump file. By default, Windows is configured to create a memory dump whenever a Stop error occurs. If no memory dump file was created, configure the system to create one. Then, if the Stop error reoccurs, you will be able to extract the necessary information from the memory dump file.
Understanding the Stop Message

The Stop message reports information about the Stop error and assists the system administrator (who understands how to interpret the information) in isolating and eventually resolving the problem that caused the Stop error. The Stop message provides a great deal of useful information, including the Stop error number, or bugcheck code. The Stop message uses a full-screen character mode format and consists of several major sections, as shown in Figure 1, which display the following information:
• Bugcheck Information: this section lists the Stop error descriptive name. Descriptive names are directly related to the Stop error number listed in the Technical Information section.
• Recommended User Action: this section informs the user that a problem has occurred and that Windows was shut down. It also provides the symbolic name of the Stop error (in Figure 1, the symbolic name is DRIVER_IRQL_NOT_LESS_OR_EQUAL). It also attempts to describe the problem and lists suggestions for recovery.
• Technical Information: this section lists the Stop error number, also known as the bugcheck code, followed by up to four Stop error-specific codes (displayed as hexadecimal numbers beginning with a 0x prefix and enclosed in parentheses), which identify related parameters. In Figure 1, the Stop error number is 0x000000D1 (often written as 0xD1).
• Driver Information: this section identifies the driver associated with the Stop error.
• Debug Port and Dump Status Information: this section lists Component Object Model (COM) port parameters that a kernel debugger uses, if enabled. If you have enabled memory dump file saves, this section also indicates whether one was successfully written.

Collecting a Kernel-Mode Crash Dump
Most modern desktop installations of Windows are configured to collect small memory dumps automatically. The dump file generation settings can be configured in the Advanced tab of the System Properties window, as you can see in Figure 4.

Figure 4: setting the dump generation options.
Table 1 summarizes the different locations that Windows uses to store the memory dump files (also read the Microsoft Knowledge Base article KB254649, Overview of memory dump file options for Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7 and Windows Server 2008 R2, http://support.microsoft.com/kb/254649/).

Memory Dump Type | Default Location (variable) | Default Location (typical) | Paging File Requirements
Small memory dump | %systemroot% | |
Figure 5: installing the Windows SDK.

After installation, the symbols path needs to be set to ensure that there are enough symbols for the debugger to determine what actually occurred and what was loaded. The entire symbol collection offered to the public can be downloaded and placed on a local drive, or an Internet location can be specified to pull the symbols on demand. I suggest you pull them from the Internet: the correct version of the symbols will be downloaded on demand and will not become outdated by installation of hotfixes and service packs. The Microsoft Knowledge Base article Use the Microsoft Symbol Server to obtain debug symbol files (KB311503) provides you with the instructions to follow to use the Microsoft Symbol Server to obtain debug symbol files: basically, you can create a folder (for example, C:
Figure 6: starting the debugging process.

After that, you need to get detailed information about the current exception or bug check: in the lower pane of the Command window, type the command
Figure 7a: analyzing the dump file (part 1).

Figure 7b: analyzing the dump file (part 2).

As you can see, the system crashed because of a DRIVER_IRQL_NOT_LESS_OR_EQUAL bugcheck, whose Stop code is 0x000000D1. The faulting module seems to be e1k6232 (the image file is e1k6232.sys): we enter the lm command with some options (v causes the display to be verbose, including the symbol file name, the image file name, checksum information, version information, date stamps, time stamps, and information about whether the module is managed code; m specifies a pattern that the module name must match) as in the following:
Figure 8: displaying module information.

and we can get more information about that module. Then we perform a quick search on the web (http://systemexplorer.net/db/e1k6232.sys.html) and discover that e1k6232.sys is a driver belonging to the Intel Gigabit Adapter developed by Intel Corporation: in this case, we could fix the issue by downloading and installing an updated version of this driver (this DMP file comes from a PC really affected by this problem and updating the driver effectively solved the issue). Further troubleshooting is dependent on the specific error. Some errors may require the driver verifier to be enabled to determine a root cause: this tool verifies that drivers are not making illegal function calls or causing system corruption and it can identify conditions such as memory corruption, mishandled I/O request packets (IRPs), invalid direct memory access (DMA) buffer usage and possible deadlocks. The
** Address 0x00000000 has base at address …, driver name …

If the third parameter is the same as the first parameter, a special condition exists in which a system worker routine, carried out by a worker thread to handle background tasks known as work items, returned at a higher IRQL. In that case, some of the four parameters take on new meanings:
1. address of the worker routine
2. kernel IRQL
3. address of the worker routine
4. address of the work item

To resolve an error caused by a faulty device driver, system service or basic input/output system (BIOS), follow these steps:
1. restart the system;
2. press F8 at the character-based menu that displays the operating system choices;
3. select the Last Known Good Configuration option from the Windows Advanced Options menu; this option is most effective when only one driver or service is added at a time.

To resolve an error caused by an incompatible device driver, system service, virus scanner or backup tool, follow these steps:
1. check the System Log in Event Viewer for error messages that might identify the device or driver that caused the error;
2. try disabling memory caching of the BIOS;
3. run the hardware diagnostics supplied by the system manufacturer, especially the memory scanner;
4. make sure the latest Service Pack and Windows updates are installed;
5. if the system has small computer system interface (SCSI) adapters, contact the adapter manufacturer to obtain updated Windows drivers. Try disabling sync negotiation in the SCSI BIOS, checking the cabling and the SCSI IDs of each device and confirming proper termination;
6. for integrated device electronics (IDE) devices, define the onboard IDE port as Primary only. Also, check each IDE device for the proper master/subordinate/stand-alone setting. Try removing all IDE devices except for hard disks.
If the Stop 0xA message is encountered while upgrading to a newer Windows version, the problem might be due to an incompatible driver, system service, virus scanner or backup. To avoid problems while upgrading, simplify the hardware configuration and remove all third-party device drivers and system services (including virus scanners) prior to running setup. After successfully installing Windows, contact the hardware manufacturer to obtain compatible updates.
If the Stop error occurs when resuming from hibernation or suspend, read the Microsoft Knowledge Base articles 941492 and 945577.
If the Stop error occurs when starting a mobile computer that has the lid closed, refer to the Microsoft Knowledge Base article 941507.

Stop 0xD1 (IRQL_NOT_LESS_OR_EQUAL)

The Stop 0xD1 message indicates that the system attempted to access pageable memory using a kernel process IRQL that was too high. Drivers that have used improper addresses typically cause this error. This Stop message has four parameters:
1. memory referenced
2. IRQL at time of reference
3. type of access
   o 0x00 = read operation
   o 0x01 = write operation
4. address that referenced memory

Stop 0xD1 messages can occur after you install faulty drivers or system services. If a driver is listed by name, disable, remove, or roll back that driver to resolve the error. If disabling or removing drivers resolves the error, contact the manufacturer about a possible update. Using updated software is especially important for backup programs, multimedia applications, antivirus scanners, DVD playback, and CD mastering tools.

Stop 0x00000124 (WHEA_UNCORRECTABLE_ERROR)
The Stop 0x00000124 message occurs when Windows has a problem handling a PCI-Express device. Most often, this occurs when adding or removing a hot-pluggable PCI-Express card; however, it can occur with driver- or hardware-related problems for PCI-Express cards.
To troubleshoot 0x00000124 stop errors, first make sure you have applied all Windows updates and driver updates. If you recently updated a driver, roll back the change. If the stop error continues to occur, remove PCI-Express cards one by one to identify the problematic hardware. When you have identified the card causing the problem, contact the hardware manufacturer for further troubleshooting assistance. The driver might need to be updated, or the card itself could be faulty.
The meanings of the parameters are described in Table 2.

Parameter 1 | Parameter 2 | Parameter 3 | Parameter 4 | Cause of error
0x0 | Address of WHEA_ERROR_RECORD structure. | High 32 bits of MCi_STATUS MSR for the MCA bank that had the error. | Low 32 bits of MCi_STATUS MSR for the MCA bank that had the error. | A machine check exception occurred. These parameter descriptions apply if the processor is based on the x64 architecture, or the x86 architecture that has the MCA feature available (for example, Intel Pentium Pro, Pentium IV, or Xeon).
0x1 | Address of WHEA_ERROR_RECORD structure. | Reserved. | Reserved. | A corrected machine check exception occurred.
0x2 | Address of WHEA_ERROR_RECORD structure. | Reserved. | Reserved. | A corrected platform error occurred.
0x3 | Address of WHEA_ERROR_RECORD structure. | Reserved. | Reserved. | A nonmaskable Interrupt (NMI) error occurred.
0x4 | Address of WHEA_ERROR_RECORD structure. | Reserved. | Reserved. | An uncorrectable PCI Express error occurred.
0x5 | Address of WHEA_ERROR_RECORD structure. | Reserved. | Reserved. | A generic hardware error occurred.
0x6 | Address of WHEA_ERROR_RECORD structure. | Reserved. | Reserved. | An initialization error occurred.
0x7 | Address of WHEA_ERROR_RECORD structure. | Reserved. | Reserved. | A BOOT error occurred.
0x8 | Address of WHEA_ERROR_RECORD structure. | Reserved. | Reserved. | A Scalable Coherent Interface (SCI) generic error occurred.
0x9 | Address of WHEA_ERROR_RECORD structure. | Length, in bytes, of the SAL log. | Address of the SAL log. | An uncorrectable Itanium-based machine check abort error occurred.
0xA | Address of WHEA_ERROR_RECORD structure. | Reserved. | Reserved. | A corrected Itanium-based machine check error occurred.
0xB | Address of WHEA_ERROR_RECORD structure. | Reserved. | Reserved. | A corrected Itanium platform error occurred.
Table 2: meanings of the parameters.
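As an added example (not code from the original article), the following Python turns a bugcheck record into the fields this page describes: the stop code and its symbolic name, the four parameters of Stop 0xA/0xD1 including the worker-routine special case, and the Table 2 error source selected by Parameter 1 of Stop 0x00000124. The input is a constructed sample shaped like the System log "BugCheck" event (Event ID 1001) message that the page says to consult when the screen disappears too quickly; the names and table contents come from this page, the addresses are made up.

```python
import re

# Symbolic names of the stop codes discussed on this page.
STOP_NAMES = {0xA: "IRQL_NOT_LESS_OR_EQUAL", 0xD1: "DRIVER_IRQL_NOT_LESS_OR_EQUAL",
              0x124: "WHEA_UNCORRECTABLE_ERROR"}
# Table 2: Parameter 1 of Stop 0x124 identifies the error source.
WHEA_CAUSES = {
    0x0: "A machine check exception occurred.",
    0x1: "A corrected machine check exception occurred.",
    0x2: "A corrected platform error occurred.",
    0x3: "A nonmaskable Interrupt (NMI) error occurred.",
    0x4: "An uncorrectable PCI Express error occurred.",
    0x5: "A generic hardware error occurred.",
    0x6: "An initialization error occurred.",
    0x7: "A BOOT error occurred.",
    0x8: "A Scalable Coherent Interface (SCI) generic error occurred.",
    0x9: "An uncorrectable Itanium-based machine check abort error occurred.",
    0xA: "A corrected Itanium-based machine check error occurred.",
    0xB: "A corrected Itanium platform error occurred.",
}

# Constructed sample of a System log "BugCheck" event (Event ID 1001) message, the
# record the page says to read when the screen vanishes too fast; addresses are made up.
SAMPLE_EVENT_MESSAGE = (
    "The computer has rebooted from a bugcheck.  The bugcheck was: 0x000000d1 "
    "(0xfffff88003ab1000, 0x0000000000000002, 0x0000000000000001, "
    "0xfffff88004c0ffee). A dump was saved in: C:\\Windows\\MEMORY.DMP.")

BUGCHECK_RE = re.compile(r"bugcheck was: 0x([0-9a-fA-F]+) \(0x([0-9a-fA-F]+), "
                         r"0x([0-9a-fA-F]+), 0x([0-9a-fA-F]+), 0x([0-9a-fA-F]+)\)")


def parse_bugcheck_event(message: str) -> tuple[int, list[int]]:
    """Return (stop code, [p1, p2, p3, p4]) parsed from an Event ID 1001 message."""
    match = BUGCHECK_RE.search(message)
    if match is None:
        raise ValueError("no bugcheck record found in message")
    code, *params = (int(group, 16) for group in match.groups())
    return code, params


def describe_irql_params(params: list[int]) -> list[str]:
    """Stop 0xA / 0xD1 parameters, including the page's worker-routine special case."""
    p1, p2, p3, p4 = params
    if p1 == p3:
        # A system worker routine returned at a raised IRQL. A read (p3 == 0) of
        # address 0 also satisfies this test, so confirm it against the stack trace.
        return [f"address of the worker routine: {p1:#x}", f"kernel IRQL: {p2}",
                f"address of the worker routine: {p3:#x}", f"address of the work item: {p4:#x}"]
    access = {0: "read operation", 1: "write operation"}.get(p3, f"unknown ({p3:#x})")
    return [f"memory referenced: {p1:#x}", f"IRQL at time of reference: {p2}",
            f"type of access: {access}", f"address that referenced memory: {p4:#x}"]


def describe_bugcheck(code: int, params: list[int]) -> dict:
    """Map a stop code and its four parameters to the fields the page describes."""
    result = {"stop_code": f"{code:#010x}", "name": STOP_NAMES.get(code, "UNKNOWN"),
              "parameters": [f"parameter {i + 1}: {p:#x}" for i, p in enumerate(params)]}
    if code in (0xA, 0xD1):
        result["parameters"] = describe_irql_params(params)
    elif code == 0x124:
        result["parameters"] = [f"address of WHEA_ERROR_RECORD structure: {params[1]:#x}"]
        result["cause"] = WHEA_CAUSES.get(params[0], f"unknown error source {params[0]:#x}")
    return result


if __name__ == "__main__":  # stand-alone run over the constructed sample event
    print(describe_bugcheck(*parse_bugcheck_event(SAMPLE_EVENT_MESSAGE)))
```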