How do I use WinDBG Debugger to troubleshoot a Blue Screen of Death?

Microsoft's WinDBG will help you to debug and diagnose a BSOD problem and then lead you to the root cause so you can fix it.
By Jacky Howe Have you ever wondered how to obtain extra information from the infamous Blue Screen of Death (BSOD) that will sometimes show up and give you a cryptic, Stop: 0x00000000 error message, before flashing off the screen. The error message is trying to point you to a fatal operating system error that could be caused by a number of problems.

Microsoft's WinDBG will help you to debug and diagnose the problem and then lead you to the root cause so you can fix it.

This blog post is also available in PDF format as a free TechRepublic download.

Steps in a nutshell

  1. Create and capture the memory dump associated with the BSOD you are trying to troubleshoot.
  2. Install and configure WinDBG and the Symbols path to the correct Symbols folder.
  3. Use WinDBG to Debug and analyze the screen dump, and then get to the root cause of the problem.

Create memory dump

Keep in mind that if you are not experiencing a blue screen fatal system error, there will be no memory dump to capture.

1. Press the WinKey + Pause.

2. Click Advanced, and under Start Up and Recovery, select Settings.

3. Uncheck Automatically Restart.

4. Click on the dropdown arrow under Write Debugging Information.

5. Select Small Memory Dump (64 KB) and make sure the output is %SystemRoot%\Minidump.

6. Restart the PC normally, as this will allow the System to error and Blue Screen and then create the Minidump.

The location of the Minidump files can be found here:


To download and install the Windows debugging tools for your version of Windows, visit the Microsoft Debugging Tools Web site.

Follow the prompts, and when you install, take note of your Symbols location, if you accept the default settings. I normally create a folder first and then direct the install to that folder because I use WinDBG for two operating systems, XP and Vista, and want to keep them separate and organized.

This Microsoft Support Knowledge Base article will explain how to read the small memory dump files that Windows creates for debugging purposes.

Setting up and using WinDBG

1. Click Start | All Programs | Debugging Tools for Windows, and open WinDBG. Select File | Symbol file path and modify it to suit your situation, then copy and paste it into the box, as shown in Figure A, and click OK. I suggest:


Or if you are using different Symbols:



Figure A

Symbol Path
2. Close the workspace and save the Workspace information, as shown in Figure B. This should lock in the Symbol path.

Figure B


3. Open WinDBG and select File and select Open Crash Dump and then navigate to the minidump file created earlier, highlight it, and select Open.

Click on:

! analyze -v

as shown in Figure C under Bugcheck Analysis.

Figure C

! analyze -v
Tips! If you look to the bottom of the screen, you will see kd>; to the right of that type !analyze -v or .lastevent and press the Enter key. It will then show you the exception record and stack trace of the function where the exception occurred.

You can also use the .exr, .cxr, and .ecxr commands to display the exception and context records.

When working with drivers, you can use kd> lm tn, as shown in Figure D, to get extra information.

[Ctrl]+[A] will let you copy the information and paste it into Notepad.

Figure D

For example, look to the bottom of the page for information similar to what is shown in Figure E.

Figure E

Stack trace


The problem creating the BSOD was caused by the installed dialer software for a USB modem. It turned out that uninstalling the software didn't resolve the problem.

The answer to the problem was achieved by using the WinDBG tool to Debug and analyze the memory dump file. The fix was to rename the C:\Windows\System\fldevice.sys driver to C:\Windows\System\fldevice.sys.old. Windows was still referencing the file even though the software had been uninstalled. This tool is invaluable and will help you to resolve the problems that you may encounter when you get a BSOD.

Stay on top of the latest XP tips and tricks with TechRepublic's Windows XP newsletter, delivered every Thursday. Automatically sign up today!


Exactly in the same way, I could not be able to uninstall the corrupt file completely  as it is still creating problems. At last, I called AskPCTechies to solve the issue completely.


I try to open the crash dump file but it wont let cause im not the adminastrator. Im the only user on this comp. How can i open it as the adminastrator??


After clicking the !analyze -v what next? I received a bunch more cryptic text but still not sure what's causing the BSOD. The article doesn't say how to locate the offending file. Seems like some steps were skipped. The only thing I got next was another link for hardware disk. What's that mean. I need to upgrade the firmware? Run a chkdsk?


I have the dump file, what do I do to fix the problem? STACK_TEXT: 8059dd6c 826643fb 0000009f 00000003 8707c030 nt!KeBugCheckEx+0x1e 8059ddc8 82664018 8059de40 8059def0 805d3001 nt!PopCheckIrpWatchdog+0x1ad 8059de08 826dd30b 827414e0 00000000 8e810380 nt!PopCheckForIdleness+0x343 8059df28 826dcecb 8059df70 8272b902 8059df78 nt!KiTimerListExpire+0x367 8059df88 826dd635 00000000 00000000 00299c67 nt!KiTimerExpiration+0x22a 8059dff4 826db2f5 8d15bb60 00000000 00000000 nt!KiRetireDpcList+0xba 8059dff8 8d15bb60 00000000 00000000 00000000 nt!KiDispatchInterrupt+0x45 WARNING: Frame IP not in any known module. Following frames may be wrong. 826db2f5 00000000 0000001b 00c7850f bb830000 0x8d15bb60 STACK_COMMAND: kb FOLLOWUP_NAME: MachineOwner FAILURE_BUCKET_ID: 0x9F_3_IMAGE_usbhub.sys BUCKET_ID: 0x9F_3_IMAGE_usbhub.sys Followup: MachineOwner


I am stuck from the beginning. I have installed windbg, but what is winkey + pause . I have a dell xps, and I cannot figure this out. I have a insert/pause button, although this does not bring up anything.??


Jacky - well done! I haven't see BSOD for years (win xp). How can I force my win xp to produce any BSOD - just for testing? Thanks.


Most of the time the result from analyze -v is incorrect and reports the incorrect culprit from the stack frame due to the heuristics used in analysis. Also you really need to do a kernel memory dump to get the required information. System internals did a great conference in 2006 on this.


I am right with you until this solution seems to assume that one can get PAST the BSOD to the programs button, download the debugger, etc? Wouldn't that mean that Windows is working? How about if you can't do that--now what?


Thanks, Jacky. I haven't done this in a long time. As a matter of fact, I don't think I've even decompressed the symbols package on this machine.


NOW we are talking! Yeah, memory dumps 101! Excellent, might get people warmed up to debug more and more. You can tell almost every thing that was happening on the OS when it crashed. (By the way, if you don't want to get to the trouble of debugging, call Microsoft's Professional Support Services. The call for debugging blue screens is (or was) free.)

Mark W. Kaelin
Mark W. Kaelin

How do you debug a blue screen fatal system error? Or do you even try to debug it?

Editor's Picks