Discussion on:

How do I use WinDBG Debugger to troubleshoot a Blue Screen of Death?

How do you debug a blue screen fatal system error? Or do you even try to debug it?

FYI: You can still begin the debug process as described in the article. The one catch is that in the case of some fatal BSOD's, the system doesn't have time to write the dump file before rebooting or locking. In those cases, you can utilize the live debugging method if you're comfortable with in that environment.

Of course, all of this becomes a LOT more effective and timely if you have access to MS source code (some do - others will never have it).

NOW we are talking! Yeah, memory dumps 101!

Excellent, might get people warmed up to debug more and more. You can tell almost every thing that was happening on the OS when it crashed.

(By the way, if you don't want to get to the trouble of debugging, call Microsoft's Professional Support Services. The call for debugging blue screens is (or was) free.)

Thanks, Jacky. I haven't done this in a long time. As a matter of fact, I don't think I've even decompressed the symbols package on this machine.

I really do try to keep things simple.

I am right with you until this solution seems to assume that one can get PAST the BSOD to the programs button, download the debugger, etc? Wouldn't that mean that Windows is working?

How about if you can't do that--now what?

You just look them up.

Have a recover disk handy?

If the System is not starting up so that you can access the minidump file, you will need to use a Bootable Recovery CD, to be able to gain access to the minidump files.

You will need to copy the minidump files from a non functioning System, to a System that has WinDBG installed to enable you to debug the information.

Follow the instructions below to create the CD.

This Recovery CD will work for Windows XP and Windows Vista:

Creating a Windows Vista Recovery CD

http://blogs.techrepublic.com.com/window-on-windows/?p=622

You can then use the command console to copy the files to a USB drive or memory stick.

Boot from the Vista CD and on the first screen click Next, click Repair your computer, click Next and select Command Prompt. Type in the text below and press enter:

copy C:\WINDOWS\Minidump\*.dmp (drive letter)f: or (drive letter)f:\folder name

Tip! the USB device that you are writing to will have to be formatted as FAT32.

Thanks Jacky...I really appreciate your sharing this info. I have two laptops...and no disks for the older...hurricanes and all....and its the one with the BSOD.

Just so I am sure...the link you provided will work on Win XP as well? That is what I am using.

Hope you and yours have a great Christmas.

access to Windows XP Pro and Windows Home using the Recovery CD and I didn't have any problems accessing the folders to copy files.

The other alternative is to remove the hard drive and use a USB Adaptor.

USB 2.0 to IDE / SATA Adapter Cable 80cm (Supports 2.5" & 3.5" IDE)

Example:

http://www.skycomp.com.au/product.aspx?id=89551

And a Merry Christmas to you and your family.

Most of the time the result from analyze -v is incorrect and reports the incorrect culprit from the stack frame due to the heuristics used in analysis.
Also you really need to do a kernel memory dump to get the required information. System internals did a great conference in 2006 on this.

Jacky - well done!

I haven't see BSOD for years (win xp).

How can I force my win xp to produce any BSOD - just for testing?

Thanks.

Open WinDBG and press F1 for help

Forcing a System Crash from the Keyboard
A system crash can be directly caused from most keyboards. In Windows XP and later, this feature is available on i8042prt ports (PS/2 keyboards). In addition, it is available on USB keyboards only in Windows Server 2003 (with Service Pack 2 or later, or with Service Pack 1 if the hotfix available with KB 244139 is installed).

Two preparations must be made before this can be done:

If you wish a crash dump file to be written, you must enable such dump files, choose the path and file name, and select the size of the dump file. For details, see Enabling a Kernel-Mode Dump File.
With PS/2 keyboards, you must enable the keyboard-initiated crash in the registry. In the registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\i8042prt\Parameters, create a value named CrashOnCtrlScroll, and set it equal to REG_DWORD 0x1 (or any nonzero value).
With USB keyboards (Windows Server 2003 only, with Service Pack 2 or later, or with Service Pack 1 if the hotfix is installed), you must set the registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\kbdhid\Parameters and create a value named CrashOnCtrlScroll, and set it equal to REG_DWORD 0x1 (or any nonzero value).
Note There is a limitation with the Kbdhid.sys driver that allows you to generate the memory dump process by using a USB keyboard. The CTRL+SCROLL LOCK+SCROLL LOCK keyboard shortcut does not work if the computer stops responding at a high interrupt request level (IRQL). This limitation exists because the Kbdhid.sys driver operates at a lower IRQL than the i8042prt.sys driver. For more information on using this feature with the USB keyboards, refer to the article Generate a memory dump file by using the keyboard (KB 244139).

The system must be rebooted before these changes will take effect.

After this has been done, the keyboard crash can be initiated as follows. Hold down the rightmost CTRL key, and press the SCROLL LOCK key twice.

It is possible for a system to freeze in such a way that this CTRL+SCROLL LOCK+SCROLL LOCK sequence will not work. However, this should be a very rare occurrence. The CTRL+SCROLL LOCK+SCROLL LOCK crash initiation will work even in many instances where CTRL+ALT+DELETE does not work.

The system then calls KeBugCheck and issues bug check 0xE2 (MANUALLY_INITIATED_CRASH). Unless crash dumps have been disabled, a crash dump file is written at this point.

If a kernel debugger is attached to the frozen machine, the machine will break into the kernel debugger after the crash dump file has been written.

If it doesn't work send me a PM and I will fix you up with a few minidump files.

I am stuck from the beginning. I have installed windbg, but what is winkey + pause . I have a dell xps, and I cannot figure this out. I have a insert/pause button, although this does not bring up anything.??

Possibly you could tell me what menu this winkey + pause would in fact bring up?

That is the same as right clicking on the 'My Computer' icon, and then selecting 'Properties'. It is simply a Windows Key 'Hot Key' for the same function.

Thank you for the reply.

Blow some of that warm air from Jacksonville up here to Michigan could you?

Jeremy

I had to fire up the fireplace last night. Warm is relative. LOL. BTW, I just thought of something. There are on some keyboards 2 Windows keys, one for the main (Start) and the other for sub-menus. Make sure you are holding down the main Windows key. It is usually the one on the left. Holding that down, along with the Pause or Pause\Break key should bring up this dialog window.

I have the dump file, what do I do to fix the problem?

STACK_TEXT:
8059dd6c 826643fb 0000009f 00000003 8707c030 nt!KeBugCheckEx+0x1e
8059ddc8 82664018 8059de40 8059def0 805d3001 nt!PopCheckIrpWatchdog+0x1ad
8059de08 826dd30b 827414e0 00000000 8e810380 nt!PopCheckForIdleness+0x343
8059df28 826dcecb 8059df70 8272b902 8059df78 nt!KiTimerListExpire+0x367
8059df88 826dd635 00000000 00000000 00299c67 nt!KiTimerExpiration+0x22a
8059dff4 826db2f5 8d15bb60 00000000 00000000 nt!KiRetireDpcList+0xba
8059dff8 8d15bb60 00000000 00000000 00000000 nt!KiDispatchInterrupt+0x45
WARNING: Frame IP not in any known module. Following frames may be wrong.
826db2f5 00000000 0000001b 00c7850f bb830000 0x8d15bb60


STACK_COMMAND: kb

FOLLOWUP_NAME: MachineOwner

FAILURE_BUCKET_ID: 0x9F_3_IMAGE_usbhub.sys

BUCKET_ID: 0x9F_3_IMAGE_usbhub.sys

Followup: MachineOwner

...or what OS you use, but you may wish to have a look at...
The shutdown process does not finish, and you receive an error message on a computer that is running Windows Vista or Windows Server 2008: "Stop 0x0000009F"
http://support.microsoft.com/kb/972109

After clicking the !analyze -v what next? I received a bunch more cryptic text but still not sure what's causing the BSOD. The article doesn't say how to locate the offending file. Seems like some steps were skipped. The only thing I got next was another link for hardware disk. What's that mean. I need to upgrade the firmware? Run a chkdsk?

Here's a detailed post on how to fix symbols issues with windbg. hope it helps.
http://www.windowstipspage.com/symbol-server-path-windbg-debugging/

I try to open the crash dump file but it wont let cause im not the adminastrator. Im the only user on this comp. How can i open it as the adminastrator??

you will need that person to give you admin rights

I am the admin user though thats why it doesnt make sense?? I get you dont have the permision to open this file, contact the file owner or admin to obtain permission. Driver_irql_not_less_or_equal thats the blue screen error i get. I downloaded a new graphics driver the other day cause i heard that could be the issue, but still blue scree of death happens every so often once a couple of days. That's why im trying to open this and pop it into debugger to find out the exact problem. I have no viruses, or malware and my registry is fine....

Any thoughts would be appreciated.

Thank you