Community Pick: Many members of our community have endorsed this article.

How To Troubleshoot BSOD(Blue Screen Of Death) and Windows Stop Errors ?

adiloadilo
CERTIFIED EXPERT
Published:
If you get a (Blue Screen of Death), your system writes a small file called a minidump.

Your first step is to make certain your computer is setup to record memory dumps.
Right click My Computer, choose properties. Click on the advanced tab, and then choose startup and recovery 'settings.'

Note: Make certain that your pagefile still resides on the system partition, otherwise WIndows will not be able to save the debug files.



Your second step is to download and install the Microsoft Debugging Tools found here: http://www.microsoft.com/whdc/devtools/debugging/installx86.mspx#a

Once you have downloaded and installed these tools, go to start, all programs, Debugging Tools For Windows, Windbg. Once you open Windbg, you will presented with a blank screen. Click on File, Symbol File Path. Here you will enter the symbols path. Symbols are needed to effectively debug.

The path will be:

SRV*c:\symbols*http://msdl.microsoft.com/download/symbols

Enter in this path and click OK. Now, go to File, Save Workspace so that your symbols path is saved for future use. Now what you want to do is locate your memory dumps. They are usually located in %systemroot%/minidump (%systemroot%/minidump).

They are usually named the date, and then a -*number* to indicate the order of minidumps that day. My example is called MiniXXXX.dmp (date of dump).

Inside of Windbg, go to File, Open Crash Dump and load the file. You will get a message to save base workspace information. Choose no.

Now you will get a debugging screen. Now it takes a little bit to run it, as the symbols have to be downloaded as they are needed. Then you will see information such as:

Microsoft (R) Windows Debugger Version 6.11.0001.404 X86
                      Copyright (c) Microsoft Corporation. All rights reserved.
                      
                      
                      Loading Dump File [C:\Users\Adil\Desktop\Mini032910-01.DMP]
                      Mini Kernel Dump File: Only registers and stack trace are available
                      
                      Symbol search path is: SRV*c:\symbols*http://msdl.microsoft.com/download/symbols
                      Executable search path is: 
                      Windows Server 2003 Kernel Version 3790 (Service Pack 2) UP Free x86 compatible
                      Product: LanManNt, suite: Enterprise TerminalServer SingleUserTS
                      Built by: 3790.srv03_sp2_gdr.090805-1438
                      Machine Name:
                      Kernel base = 0x80800000 PsLoadedModuleList = 0x808a8e48
                      Debug session time: Mon Mar 29 13:37:10.250 2010 (GMT-4)
                      System Uptime: 2 days 23:04:05.875
                      Loading Kernel Symbols
                      ...............................................................
                      .....................................................
                      Loading User Symbols
                      Loading unloaded module list
                      ....
                      *******************************************************************************
                      *                                                                             *
                      *                        Bugcheck Analysis                                    *
                      *                                                                             *
                      *******************************************************************************
                      
                      Use !analyze -v to get detailed debugging information.
                      
                      BugCheck 1000007F, {8, 80042000, 0, 0}
                      
                      Unable to load image iomdisk.sys, Win32 error 0n2
                      *** WARNING: Unable to verify timestamp for iomdisk.sys
                      *** ERROR: Module load completed but symbols could not be loaded for iomdisk.sys
                      Unable to load image VET-FILT.SYS, Win32 error 0n2
                      *** WARNING: Unable to verify timestamp for VET-FILT.SYS
                      *** ERROR: Module load completed but symbols could not be loaded for VET-FILT.SYS
                      Unable to load image avgmfx86.sys, Win32 error 0n2
                      *** WARNING: Unable to verify timestamp for avgmfx86.sys
                      *** ERROR: Module load completed but symbols could not be loaded for avgmfx86.sys
                      *** WARNING: Unable to verify timestamp for VETMONNT.SYS
                      *** ERROR: Module load completed but symbols could not be loaded for VETMONNT.SYS
                      Probably caused by : usbehci.sys ( usbehci!EHCI_MapAsyncTransferToTd+26 )
                      
                      Followup: MachineOwner
                      ---------

Open in new window


Now, we can already see what it was most likely caused by, in this case it was iomdisk.sys,, which is an AVG  AV file.

If we want to get further in depth, we can use the command, !analyze -v at the kd> prompt to delve more info about the error:

kd> !analyze -v
                      *******************************************************************************
                      *                                                                             *
                      *                        Bugcheck Analysis                                    *
                      *                                                                             *
                      *******************************************************************************
                      
                      UNEXPECTED_KERNEL_MODE_TRAP_M (1000007f)
                      This means a trap occurred in kernel mode, and it's a trap of a kind
                      that the kernel isn't allowed to have/catch (bound trap) or that
                      is always instant death (double fault).  The first number in the
                      bugcheck params is the number of the trap (8 = double fault, etc)
                      Consult an Intel x86 family manual to learn more about what these
                      traps are. Here is a *portion* of those codes:
                      If kv shows a taskGate
                              use .tss on the part before the colon, then kv.
                      Else if kv shows a trapframe
                              use .trap on that value
                      Else
                              .trap on the appropriate frame will show where the trap was taken
                              (on x86, this will be the ebp that goes with the procedure KiTrap)
                      Endif
                      kb will then show the corrected stack.
                      Arguments:
                      Arg1: 00000008, EXCEPTION_DOUBLE_FAULT
                      Arg2: 80042000
                      Arg3: 00000000
                      Arg4: 00000000
                      
                      Debugging Details:
                      ------------------
                      
                      
                      BUGCHECK_STR:  0x7f_8
                      
                      DEFAULT_BUCKET_ID:  DRIVER_FAULT_SERVER_MINIDUMP
                      
                      PROCESS_NAME:  System
                      
                      CURRENT_IRQL:  2
                      
                      TRAP_FRAME:  b966fdf0 -- (.trap 0xffffffffb966fdf0)
                      ErrCode = 00000000
                      eax=da8e5000 ebx=0000000e ecx=0000000f edx=00000000 esi=89ed5ca0 edi=00000000
                      eip=8092b27c esp=b966fe64 ebp=b966fea0 iopl=0         nv up ei ng nz ac po cy
                      cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010293
                      nt!CcMapData+0x8c:
                      8092b27c 8a10            mov     dl,byte ptr [eax]          ds:0023:da8e5000=??
                      Resetting default scope
                      
                      LAST_CONTROL_TRANSFER:  from f7799ae2 to ba90f7b9
                      
                      STACK_TEXT:  
                      b966f000 f7799ae2 89d9c9dc 10000001 5f4d7072 USBPORT!USBPORTSVC_LogEntry+0x23
                      b966f030 f779b06b 89d9c9dc 00000200 00000000 usbehci!EHCI_MapAsyncTransferToTd+0x26
                      b966f068 f779c9b2 89d9c9dc 00000000 88df251c usbehci!EHCI_BulkTransfer+0x139
                      b966f08c ba8fbcf4 89d9c9dc 88945cc0 88df251c usbehci!EHCI_SubmitTransfer+0x52
                      b966f0d4 ba8fc405 89d9c028 88945b48 8081f5e8 USBPORT!USBPORT_DmaEndpointActive+0x1ea
                      b966f100 ba8fe854 89d9c028 88945b48 8081f5e8 USBPORT!USBPORT_DmaEndpointWorker+0x13f
                      b966f128 ba900089 89d9c028 00000003 88d12c88 USBPORT!USBPORT_CoreEndpointWorker+0x6d0
                      b966f178 80a77ea6 89d9c028 00000000 88df24d8 USBPORT!USBPORT_ProcessScatterGatherList+0x637
                      b966f1a4 80a780a8 89564ac8 89d9c028 88d12c68 hal!HalBuildScatterGatherList+0x1cc
                      b966f1d4 ba9002e6 89de71e0 89d9c028 88d12c68 hal!HalGetScatterGatherList+0x26
                      b966f230 ba9010f3 89d9c028 88bbc758 8081f5e8 USBPORT!USBPORT_FlushMapTransferList+0x1f6
                      b966f28c ba901fe4 02945b48 ffffffff 8081f5e8 USBPORT!USBPORT_FlushPendingList+0x5b5
                      b966f2bc ba908fd4 89cdbd30 b966f2f4 ba908b9a USBPORT!USBPORT_QueueTransferUrb+0x248
                      b966f2c8 ba908b9a 89d9c028 88bbc758 888e357c USBPORT!USBPORT_AsyncTransfer+0x30
                      b966f2f4 ba90dc7a 89c27030 89d9c028 88bbc758 USBPORT!USBPORT_ProcessURB+0x3ee
                      b966f314 ba8f6e7c 89c27030 88bbc758 88bbc758 USBPORT!USBPORT_PdoInternalDeviceControlIrp+0x7e
                      b966f338 80828ed3 88bbc834 89c27188 888e357c USBPORT!USBPORT_Dispatch+0x148
                      b966f34c ba46918a b966f374 ba46d0cf 88bbc758 nt!IofCallDriver+0x45
                      b966f354 ba46d0cf 88bbc758 89c27030 89c8dd30 usbhub!USBH_PassIrp+0x18
                      b966f374 ba46da33 89c8dd30 88bbc758 88bbc758 usbhub!USBH_PdoUrbFilter+0xbd
                      b966f394 ba46aef2 888e357c 88bbc758 b966f3b8 usbhub!USBH_PdoDispatch+0x211
                      b966f3a4 80828ed3 88ba7030 88bbc758 888e34e0 usbhub!USBH_HubDispatch+0x48
                      b966f3b8 b950540c 888e35ff 88ceff74 88ceff0a nt!IofCallDriver+0x45
                      b966f3cc b9506389 888e3428 88bbc758 8899c99c USBSTOR!USBSTOR_IssueBulkOrInterruptRequest+0x9c
                      b966f404 b9506d8b 888e3428 88bbc758 888e3428 USBSTOR!USBSTOR_CbwTransfer+0x79
                      b966f42c 8081b473 888e3428 00bbc758 88992398 USBSTOR!USBSTOR_StartIo+0x13b
                      b966f450 b95057fc 888e3428 88bbc758 88ceff60 nt!IoStartPacket+0xa6
                      b966f474 80828ed3 889922e0 88bbc758 889cf910 USBSTOR!USBSTOR_Scsi+0x108
                      b966f488 f772fbc9 f7730f8a 889cf858 88bbc758 nt!IofCallDriver+0x45
                      WARNING: Stack unwind information not available. Following frames may be wrong.
                      b966f4b8 80828ed3 889cf858 88bbc758 88cefe88 iomdisk+0xbc9
                      b966f4cc f7370607 88cefe88 12d25000 b966f510 nt!IofCallDriver+0x45
                      b966f4dc f73702b2 88cefe88 8895b608 886764c8 CLASSPNP!SubmitTransferPacket+0xbb
                      b966f510 f7370533 00000000 00001000 886762f0 CLASSPNP!ServiceTransferRequest+0x1e4
                      b966f534 80828ed3 8895b550 00000000 89f64d28 CLASSPNP!ClassReadWrite+0x159
                      b966f548 f74c80cf 88960828 886764ec b966f56c nt!IofCallDriver+0x45
                      b966f558 80828ed3 889ac8c8 886762f0 88676510 PartMgr!PmReadWrite+0x95
                      b966f56c f73f7053 886762f0 89f3e848 886762f0 nt!IofCallDriver+0x45
                      b966f588 80828ed3 88960770 886762f0 88676534 ftdisk!FtDiskReadWrite+0x1a9
                      b966f59c f73a08bc 89f64838 88a51008 889fd5a8 nt!IofCallDriver+0x45
                      b966f5b4 80828ed3 889fd5a8 886762f0 886762f0 volsnap!VolSnapRead+0x52
                      b966f5c8 f727ea62 b966f8ac b966f7ac f727e8d9 nt!IofCallDriver+0x45
                      b966f5d4 f727e8d9 b966f8ac 889fd5a8 c5925000 Ntfs!NtfsSingleAsync+0x91
                      b966f7ac f727f156 b966f8ac 886762f0 88a51008 Ntfs!NtfsNonCachedIo+0x2db
                      b966f898 f727f079 b966f8ac 886762f0 00000001 Ntfs!NtfsCommonRead+0xaf5
                      b966fa44 80828ed3 88a49718 886762f0 886762f0 Ntfs!NtfsFsdRead+0x113
                      b966fa58 f734ed28 886762f0 89f2d880 88a61160 nt!IofCallDriver+0x45
                      b966fa84 80828ed3 88a27ee8 886762f0 88676534 fltmgr!FltpDispatch+0x152
                      b966fa98 f733e25b 88676534 88a61160 886762f0 nt!IofCallDriver+0x45
                      b966fb38 f733e627 88a61160 886762f0 00000001 sis!SipCommonRead+0x23d
                      b966fb50 80828ed3 88a61160 886762f0 88d85508 sis!SiRead+0x3f
                      b966fb64 f77c7a6b 88676534 88d85508 886762f0 nt!IofCallDriver+0x45
                      b966fb9c f77c7c74 88d855c0 886762f0 000009e1 VET_FILT+0xa6b
                      b966fc2c f77c82ea 88d85508 886762f0 88985020 VET_FILT+0xc74
                      b966fc8c 80828ed3 88d85508 886762f0 886762f0 VET_FILT+0x12ea
                      b966fca0 f734ed28 05925000 89f2d880 00000000 nt!IofCallDriver+0x45
                      b966fccc 80828ed3 88985020 886762f0 886762f0 fltmgr!FltpDispatch+0x152
                      b966fce0 80837d96 89ecd158 89ed5ca0 89ecd148 nt!IofCallDriver+0x45
                      b966fcf8 80837e3b 88a9a30e 89ecd180 89ecd160 nt!IoPageRead+0x109
                      b966fd7c 8082a71f 00000001 da8e5000 c036a394 nt!MiDispatchFault+0xd51
                      b966fdd8 808264d2 00000000 da8e5000 00000000 nt!MmAccessFault+0x5f5
                      b966fdd8 8092b27c 00000000 da8e5000 00000000 nt!KiTrap0E+0xd8
                      b966fea0 f72bef2d 88a9a3a8 b966fed0 00000400 nt!CcMapData+0x8c
                      b966fec0 f72bc494 88c96b58 88a51008 05925000 Ntfs!NtfsMapStream+0x4b
                      b966ff34 f72bedf0 88c96b58 88a497f8 e50df010 Ntfs!NtfsReadMftRecord+0x86
                      b966ff6c f72befac 88c96b58 88a497f8 e50df010 Ntfs!NtfsReadFileRecord+0x7a
                      b966ffa4 f72c312a 88c96b58 e50df008 e50df010 Ntfs!NtfsLookupInFileRecord+0x37
                      b9670074 f727bb15 88c96b58 e50df008 88c96b58 Ntfs!NtfsUpdateStandardInformation+0x46
                      b96700c0 f72b01f9 88c96b58 88a497f8 e50df008 Ntfs!NtfsTeardownFromLcb+0x163
                      b9670118 f727d137 88c96b58 e50df0d0 00000000 Ntfs!NtfsTeardownStructures+0x12c
                      b9670144 f72bd0a9 88c96b58 e50df0d0 00000000 Ntfs!NtfsDecrementCloseCounts+0xa9
                      b96701cc f72b71d8 88c96b58 e50df0d0 e50df008 Ntfs!NtfsCommonClose+0x3a1
                      b9670260 f72d08d2 00000000 00000000 b96703ac Ntfs!NtfsFspClose+0xe2
                      b967038c f72bfef8 883006f8 882c20b0 b96703cc Ntfs!NtfsCommonCreate+0x132
                      b9670490 80828ed3 89928020 882c20b0 882c20b0 Ntfs!NtfsFsdCreate+0x17d
                      b96704a4 f735c54d 00000000 882c2288 89f2d880 nt!IofCallDriver+0x45
                      
                      
                      STACK_COMMAND:  kb
                      
                      FOLLOWUP_IP: 
                      usbehci!EHCI_MapAsyncTransferToTd+26
                      f7799ae2 8b4608          mov     eax,dword ptr [esi+8]
                      
                      SYMBOL_STACK_INDEX:  1
                      
                      SYMBOL_NAME:  usbehci!EHCI_MapAsyncTransferToTd+26
                      
                      FOLLOWUP_NAME:  MachineOwner
                      
                      MODULE_NAME: usbehci
                      
                      IMAGE_NAME:  usbehci.sys
                      
                      DEBUG_FLR_IMAGE_TIMESTAMP:  45d69ce8
                      
                      FAILURE_BUCKET_ID:  0x7f_8_usbehci!EHCI_MapAsyncTransferToTd+26
                      
                      BUCKET_ID:  0x7f_8_usbehci!EHCI_MapAsyncTransferToTd+26
                      
                      Followup: MachineOwner
                      
                      ---------

Open in new window


After the intial run of the debug process, you can use the command !analyze -v to gather more information.


This tutorial only covers minidumps, however, if you need more debug or more info, you could change your memory dump options to do a complete dump. This is useful, but hard to debug

Note: Make absolutely sure that your symbol path is correct. If it isn't, then you will get symbol errors and not likely be able to debug the dump to get the info you desire.

For More info about BSOD and stop Errors you can always go to :

http://www.microsoft.com/downloads/details.aspx?familyid=859637b4-85f1-4215-b7d0-25f32057921c&displaylang=en
OR
http://www.microsoft.com/whdc/devtools/debugging/installx86.mspx#a

Hope this Article was informative for you , and thank you for reading ¿

5
5,402 Views
adiloadilo
CERTIFIED EXPERT

Comments (3)

Two things:
1. By "Troubleshoot" I understand that I get some info not only on how to DEBUG but also how to use this info to solve my problem. Your article only shows how to put blue screens in a more verbose state and some tools how to read mini-dumps but there is no info on how to use this these mini-dumps or tools to get rid of blue screens.
2. Just yesterday I got blue screen on my laptop. Blue screen was appearing for a very very short time while windows were loading and then laptop immediately restarted. It looked like a infinite cycle. The period of time the blues screen was appearing was so short that I even could not "eye-catch" the error number. So I took a camera and filmed the blues screen and then scrolled frame by frame to get the error codes. If you would describe what to do in situations like this your article would be even more helpful. Maybe there are some other ways then camera to catch error codes of a blue screen in situations like this? It would be nice to know for all readers I think.

Otherwise - good job.
Thanks
R.
CERTIFIED EXPERT

Author

Commented:
Hi Ramuncikas

1- you are right "Troubleshoot" as a word is really a vague answer and invloves more analyse process , but these steps are only intended to help users start that process .if the user can debug the Mini-dumb files , then he can identify which drivers are causing problems and which hardware . Doing a simple searh for that file on the internet will reveal the offending driver or software .
2- As for your situation the user can start in safe mode by pressing F8 before windows start , this will load windows without  all drivers. the user then can configure the mini-dumb then restart the laptop , if error happens again it will be written to the Mini-Dumb file for debug.

Thanks for your comment , it will really help improving future articles :)
"As for your situation the user can start in safe mode by pressing F8 before windows start"
As I said I got into infinite cycle of BSOD/reboot. I know safe mode is out there, but even safe mode ended with BSOD. My "camera" method showed me I'm getting a 0x7b error (HDD/SATA hardware,  HDD drivers etc.) .
But it could be any other error code as well. My point is that your article could provide info on situation BSOD/reboot cycle because it's another tricky situation where it's hard to get even a CLUE about an error not talking about mini-dumps.

Thanks.
R

Have a question about something in this article? You can receive help directly from the article author. Sign up for a free trial to get started.