How To Troubleshoot BSOD (Blue Screen Of Death) and Windows Stop Errors

If you get a BSOD (Blue Screen of Death), your system writes a small file called a minidump.

Your first step is to make certain your computer is set up to record memory dumps.

Right-click My Computer and choose Properties. Click on the Advanced tab, and then choose Settings under Startup and Recovery.

Note: Make certain that your pagefile still resides on the system partition, otherwise Windows will not be able to save the debug files.

Your second step is to download and install the Microsoft Debugging Tools found here: http://www.microsoft.com/whdc/devtools/debugging/installx86.mspx#a

Once you have downloaded and installed these tools, go to Start, All Programs, Debugging Tools For Windows, Windbg. Once you open Windbg, you will be presented with a blank screen. Click on File, Symbol File Path. Here you will enter the symbols path. Symbols are needed to debug effectively.

The path will be:

SRV*c:\symbols*http://msdl.microsoft.com/download/symbols

Enter this path and click OK. Now go to File, Save Workspace so that your symbols path is saved for future use. Next, locate your memory dumps. They are usually located in %systemroot%/minidump.

They are usually named for the date, followed by a -*number* to indicate the order of the minidumps written that day. My example is called MiniXXXX.dmp (date of dump).

Inside of Windbg, go to File, Open Crash Dump and load the file. You will get a message to save base workspace information. Choose no.

Now you will get a debugging screen. It takes a little while to run, as the symbols have to be downloaded as they are needed. Then you will see information such as:

Microsoft (R) Windows Debugger Version 6.11.0001.404 X86
Copyright (c) Microsoft Corporation. All rights reserved.

Loading Dump File [C:\Users\Adil\Desktop\Mini032910-01.DMP]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: SRV*c:\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows Server 2003 Kernel Version 3790 (Service Pack 2) UP Free x86 compatible
Product: LanManNt, suite: Enterprise TerminalServer SingleUserTS
Built by: 3790.srv03_sp2_gdr.090805-1438
Machine Name:
Kernel base = 0x80800000 PsLoadedModuleList = 0x808a8e48
Debug session time: Mon Mar 29 13:37:10.250 2010 (GMT-4)
System Uptime: 2 days 23:04:05.875
Loading Kernel Symbols
...............................................................
.....................................................
Loading User Symbols
Loading unloaded module list
....
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 1000007F, {8, 80042000, 0, 0}

Unable to load image iomdisk.sys, Win32 error 0n2
*** WARNING: Unable to verify timestamp for iomdisk.sys
*** ERROR: Module load completed but symbols could not be loaded for iomdisk.sys
Unable to load image VET-FILT.SYS, Win32 error 0n2
*** WARNING: Unable to verify timestamp for VET-FILT.SYS
*** ERROR: Module load completed but symbols could not be loaded for VET-FILT.SYS
Unable to load image avgmfx86.sys, Win32 error 0n2
*** WARNING: Unable to verify timestamp for avgmfx86.sys
*** ERROR: Module load completed but symbols could not be loaded for avgmfx86.sys
*** WARNING: Unable to verify timestamp for VETMONNT.SYS
*** ERROR: Module load completed but symbols could not be loaded for VETMONNT.SYS
Probably caused by : usbehci.sys ( usbehci!EHCI_MapAsyncTransferToTd+26 )

Followup: MachineOwner
---------

Now we can already see what most likely caused it: in this case it was iomdisk.sys, which is an AVG AV file.

If we want to go further in depth, we can use the command !analyze -v at the kd> prompt to get more info about the error:

kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

UNEXPECTED_KERNEL_MODE_TRAP_M (1000007f)
This means a trap occurred in kernel mode, and it's a trap of a kind
that the kernel isn't allowed to have/catch (bound trap) or that
is always instant death (double fault). The first number in the
bugcheck params is the number of the trap (8 = double fault, etc)
Consult an Intel x86 family manual to learn more about what these
traps are. Here is a *portion* of those codes:
If kv shows a taskGate
use .tss on the part before the colon, then kv.
Else if kv shows a trapframe
use .trap on that value
Else
.trap on the appropriate frame will show where the trap was taken
(on x86, this will be the ebp that goes with the procedure KiTrap)
Endif
kb will then show the corrected stack.
Arguments:
Arg1: 00000008, EXCEPTION_DOUBLE_FAULT
Arg2: 80042000
Arg3: 00000000
Arg4: 00000000

Debugging Details:
------------------

BUGCHECK_STR: 0x7f_8

DEFAULT_BUCKET_ID: DRIVER_FAULT_SERVER_MINIDUMP

PROCESS_NAME: System

CURRENT_IRQL: 2

TRAP_FRAME: b966fdf0 -- (.trap 0xffffffffb966fdf0)
ErrCode = 00000000
eax=da8e5000 ebx=0000000e ecx=0000000f edx=00000000 esi=89ed5ca0 edi=00000000
eip=8092b27c esp=b966fe64 ebp=b966fea0 iopl=0 nv up ei ng nz ac po cy
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010293
nt!CcMapData+0x8c:
8092b27c 8a10 mov dl,byte ptr [eax] ds:0023:da8e5000=??
Resetting default scope

LAST_CONTROL_TRANSFER: from f7799ae2 to ba90f7b9

STACK_TEXT:
b966f000 f7799ae2 89d9c9dc 10000001 5f4d7072 USBPORT!USBPORTSVC_LogEntry+0x23
b966f030 f779b06b 89d9c9dc 00000200 00000000 usbehci!EHCI_MapAsyncTransferToTd+0x26
b966f068 f779c9b2 89d9c9dc 00000000 88df251c usbehci!EHCI_BulkTransfer+0x139
b966f08c ba8fbcf4 89d9c9dc 88945cc0 88df251c usbehci!EHCI_SubmitTransfer+0x52
b966f0d4 ba8fc405 89d9c028 88945b48 8081f5e8 USBPORT!USBPORT_DmaEndpointActive+0x1ea
b966f100 ba8fe854 89d9c028 88945b48 8081f5e8 USBPORT!USBPORT_DmaEndpointWorker+0x13f
b966f128 ba900089 89d9c028 00000003 88d12c88 USBPORT!USBPORT_CoreEndpointWorker+0x6d0
b966f178 80a77ea6 89d9c028 00000000 88df24d8 USBPORT!USBPORT_ProcessScatterGatherList+0x637
b966f1a4 80a780a8 89564ac8 89d9c028 88d12c68 hal!HalBuildScatterGatherList+0x1cc
b966f1d4 ba9002e6 89de71e0 89d9c028 88d12c68 hal!HalGetScatterGatherList+0x26
b966f230 ba9010f3 89d9c028 88bbc758 8081f5e8 USBPORT!USBPORT_FlushMapTransferList+0x1f6
b966f28c ba901fe4 02945b48 ffffffff 8081f5e8 USBPORT!USBPORT_FlushPendingList+0x5b5
b966f2bc ba908fd4 89cdbd30 b966f2f4 ba908b9a USBPORT!USBPORT_QueueTransferUrb+0x248
b966f2c8 ba908b9a 89d9c028 88bbc758 888e357c USBPORT!USBPORT_AsyncTransfer+0x30
b966f2f4 ba90dc7a 89c27030 89d9c028 88bbc758 USBPORT!USBPORT_ProcessURB+0x3ee
b966f314 ba8f6e7c 89c27030 88bbc758 88bbc758 USBPORT!USBPORT_PdoInternalDeviceControlIrp+0x7e
b966f338 80828ed3 88bbc834 89c27188 888e357c USBPORT!USBPORT_Dispatch+0x148
b966f34c ba46918a b966f374 ba46d0cf 88bbc758 nt!IofCallDriver+0x45
b966f354 ba46d0cf 88bbc758 89c27030 89c8dd30 usbhub!USBH_PassIrp+0x18
b966f374 ba46da33 89c8dd30 88bbc758 88bbc758 usbhub!USBH_PdoUrbFilter+0xbd
b966f394 ba46aef2 888e357c 88bbc758 b966f3b8 usbhub!USBH_PdoDispatch+0x211
b966f3a4 80828ed3 88ba7030 88bbc758 888e34e0 usbhub!USBH_HubDispatch+0x48
b966f3b8 b950540c 888e35ff 88ceff74 88ceff0a nt!IofCallDriver+0x45
b966f3cc b9506389 888e3428 88bbc758 8899c99c USBSTOR!USBSTOR_IssueBulkOrInterruptRequest+0x9c
b966f404 b9506d8b 888e3428 88bbc758 888e3428 USBSTOR!USBSTOR_CbwTransfer+0x79
b966f42c 8081b473 888e3428 00bbc758 88992398 USBSTOR!USBSTOR_StartIo+0x13b
b966f450 b95057fc 888e3428 88bbc758 88ceff60 nt!IoStartPacket+0xa6
b966f474 80828ed3 889922e0 88bbc758 889cf910 USBSTOR!USBSTOR_Scsi+0x108
b966f488 f772fbc9 f7730f8a 889cf858 88bbc758 nt!IofCallDriver+0x45
WARNING: Stack unwind information not available. Following frames may be wrong.
b966f4b8 80828ed3 889cf858 88bbc758 88cefe88 iomdisk+0xbc9
b966f4cc f7370607 88cefe88 12d25000 b966f510 nt!IofCallDriver+0x45
b966f4dc f73702b2 88cefe88 8895b608 886764c8 CLASSPNP!SubmitTransferPacket+0xbb
b966f510 f7370533 00000000 00001000 886762f0 CLASSPNP!ServiceTransferRequest+0x1e4
b966f534 80828ed3 8895b550 00000000 89f64d28 CLASSPNP!ClassReadWrite+0x159
b966f548 f74c80cf 88960828 886764ec b966f56c nt!IofCallDriver+0x45
b966f558 80828ed3 889ac8c8 886762f0 88676510 PartMgr!PmReadWrite+0x95
b966f56c f73f7053 886762f0 89f3e848 886762f0 nt!IofCallDriver+0x45
b966f588 80828ed3 88960770 886762f0 88676534 ftdisk!FtDiskReadWrite+0x1a9
b966f59c f73a08bc 89f64838 88a51008 889fd5a8 nt!IofCallDriver+0x45
b966f5b4 80828ed3 889fd5a8 886762f0 886762f0 volsnap!VolSnapRead+0x52
b966f5c8 f727ea62 b966f8ac b966f7ac f727e8d9 nt!IofCallDriver+0x45
b966f5d4 f727e8d9 b966f8ac 889fd5a8 c5925000 Ntfs!NtfsSingleAsync+0x91
b966f7ac f727f156 b966f8ac 886762f0 88a51008 Ntfs!NtfsNonCachedIo+0x2db
b966f898 f727f079 b966f8ac 886762f0 00000001 Ntfs!NtfsCommonRead+0xaf5
b966fa44 80828ed3 88a49718 886762f0 886762f0 Ntfs!NtfsFsdRead+0x113
b966fa58 f734ed28 886762f0 89f2d880 88a61160 nt!IofCallDriver+0x45
b966fa84 80828ed3 88a27ee8 886762f0 88676534 fltmgr!FltpDispatch+0x152
b966fa98 f733e25b 88676534 88a61160 886762f0 nt!IofCallDriver+0x45
b966fb38 f733e627 88a61160 886762f0 00000001 sis!SipCommonRead+0x23d
b966fb50 80828ed3 88a61160 886762f0 88d85508 sis!SiRead+0x3f
b966fb64 f77c7a6b 88676534 88d85508 886762f0 nt!IofCallDriver+0x45
b966fb9c f77c7c74 88d855c0 886762f0 000009e1 VET_FILT+0xa6b
b966fc2c f77c82ea 88d85508 886762f0 88985020 VET_FILT+0xc74
b966fc8c 80828ed3 88d85508 886762f0 886762f0 VET_FILT+0x12ea
b966fca0 f734ed28 05925000 89f2d880 00000000 nt!IofCallDriver+0x45
b966fccc 80828ed3 88985020 886762f0 886762f0 fltmgr!FltpDispatch+0x152
b966fce0 80837d96 89ecd158 89ed5ca0 89ecd148 nt!IofCallDriver+0x45
b966fcf8 80837e3b 88a9a30e 89ecd180 89ecd160 nt!IoPageRead+0x109
b966fd7c 8082a71f 00000001 da8e5000 c036a394 nt!MiDispatchFault+0xd51
b966fdd8 808264d2 00000000 da8e5000 00000000 nt!MmAccessFault+0x5f5
b966fdd8 8092b27c 00000000 da8e5000 00000000 nt!KiTrap0E+0xd8
b966fea0 f72bef2d 88a9a3a8 b966fed0 00000400 nt!CcMapData+0x8c
b966fec0 f72bc494 88c96b58 88a51008 05925000 Ntfs!NtfsMapStream+0x4b
b966ff34 f72bedf0 88c96b58 88a497f8 e50df010 Ntfs!NtfsReadMftRecord+0x86
b966ff6c f72befac 88c96b58 88a497f8 e50df010 Ntfs!NtfsReadFileRecord+0x7a
b966ffa4 f72c312a 88c96b58 e50df008 e50df010 Ntfs!NtfsLookupInFileRecord+0x37
b9670074 f727bb15 88c96b58 e50df008 88c96b58 Ntfs!NtfsUpdateStandardInformation+0x46
b96700c0 f72b01f9 88c96b58 88a497f8 e50df008 Ntfs!NtfsTeardownFromLcb+0x163
b9670118 f727d137 88c96b58 e50df0d0 00000000 Ntfs!NtfsTeardownStructures+0x12c
b9670144 f72bd0a9 88c96b58 e50df0d0 00000000 Ntfs!NtfsDecrementCloseCounts+0xa9
b96701cc f72b71d8 88c96b58 e50df0d0 e50df008 Ntfs!NtfsCommonClose+0x3a1
b9670260 f72d08d2 00000000 00000000 b96703ac Ntfs!NtfsFspClose+0xe2
b967038c f72bfef8 883006f8 882c20b0 b96703cc Ntfs!NtfsCommonCreate+0x132
b9670490 80828ed3 89928020 882c20b0 882c20b0 Ntfs!NtfsFsdCreate+0x17d
b96704a4 f735c54d 00000000 882c2288 89f2d880 nt!IofCallDriver+0x45

STACK_COMMAND: kb

FOLLOWUP_IP:
usbehci!EHCI_MapAsyncTransferToTd+26
f7799ae2 8b4608 mov eax,dword ptr [esi+8]

SYMBOL_STACK_INDEX: 1

SYMBOL_NAME: usbehci!EHCI_MapAsyncTransferToTd+26

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: usbehci

IMAGE_NAME: usbehci.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 45d69ce8

FAILURE_BUCKET_ID: 0x7f_8_usbehci!EHCI_MapAsyncTransferToTd+26

BUCKET_ID: 0x7f_8_usbehci!EHCI_MapAsyncTransferToTd+26

Followup: MachineOwner

---------

After the initial run of the debug process, you can use the command !analyze -v to gather more information.

This tutorial only covers minidumps. However, if you need more debug info, you can change your memory dump options to write a complete dump. This is useful, but hard to debug.

Note: Make absolutely sure that your symbol path is correct. If it isn’t, then you will get symbol errors and not likely be able to debug the dump to get the info you desire.
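The output above can also be triaged by script. The following is an added example, not part of the original post: it reads a saved !analyze -v log and lists which modules that failed to load symbols actually sit on the faulting stack. The sample text is a shortened copy of the output shown above, the function names are hypothetical, and treating "symbols could not be loaded" as a hint for a third-party driver is an assumption that only holds when the symbol path is correct.

```python
import re

# Constructed sample: lines copied from the analysis output above, shortened.
SAMPLE = """\
BugCheck 1000007F, {8, 80042000, 0, 0}
*** ERROR: Module load completed but symbols could not be loaded for iomdisk.sys
*** ERROR: Module load completed but symbols could not be loaded for VET-FILT.SYS
*** ERROR: Module load completed but symbols could not be loaded for avgmfx86.sys
Probably caused by : usbehci.sys ( usbehci!EHCI_MapAsyncTransferToTd+26 )
STACK_TEXT:
b966f000 f7799ae2 89d9c9dc 10000001 5f4d7072 USBPORT!USBPORTSVC_LogEntry+0x23
b966f030 f779b06b 89d9c9dc 00000200 00000000 usbehci!EHCI_MapAsyncTransferToTd+0x26
WARNING: Stack unwind information not available. Following frames may be wrong.
b966f4b8 80828ed3 889cf858 88bbc758 88cefe88 iomdisk+0xbc9
b966f4cc f7370607 88cefe88 12d25000 b966f510 nt!IofCallDriver+0x45
b966fb9c f77c7c74 88d855c0 886762f0 000009e1 VET_FILT+0xa6b
b966fea0 f72bef2d 88a9a3a8 b966fed0 00000400 nt!CcMapData+0x8c

STACK_COMMAND: kb
"""

# A kb frame: five hex columns, then module!symbol+off or module+off.
FRAME = re.compile(r"^(?:[0-9a-f]{8}\s+){5}(\w+)[!+]", re.I)

def norm(name):
    """VET-FILT.SYS in load errors is VET_FILT in stack frames; unify both."""
    return re.sub(r"\.sys$", "", name, flags=re.I).replace("-", "_").lower()

def triage(text):
    bc = re.search(r"BugCheck ([0-9A-F]+), \{([^}]*)\}", text, re.I)
    blamed = re.search(r"Probably caused by : (\S+)", text)
    no_syms = {norm(n) for n in re.findall(r"could not be loaded for (\S+)", text)}
    stack, in_stack = {}, False          # dict keeps first-seen order
    for line in text.splitlines():
        if line.startswith("STACK_TEXT:"):
            in_stack = True
        elif in_stack and not line.strip():
            break                        # blank line ends the stack section
        elif in_stack and (f := FRAME.match(line)):
            stack.setdefault(norm(f.group(1)), None)
    return {
        "bugcheck": bc.group(1) if bc else None,
        "args": [a.strip() for a in bc.group(2).split(",")] if bc else [],
        "blamed": norm(blamed.group(1)) if blamed else None,
        "stack_modules": list(stack),
        "unsymbolized_on_stack": [s for s in stack if s in no_syms],
        "unsymbolized_off_stack": sorted(no_syms - set(stack)),
    }

if __name__ == "__main__":
    print(triage(SAMPLE))
```

If every module, including nt, shows up as unsymbolized, the symbol path is wrong and the split between the two lists tells you nothing.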

For more info about BSOD and stop errors you can always go to:

http://www.microsoft.com/downloads/details.aspx?familyid=859637b4-85f1-4215-b7d0-25f32057921c&displaylang=en

OR

http://www.microsoft.com/whdc/devtools/debugging/installx86.mspx#a

Hope this article was informative for you, and thank you for reading.
