Bienvenido! - Willkommen! - Welcome!

Bitácora Técnica de Tux&Cía., Santa Cruz de la Sierra, BO
May the source be with you!

Friday, August 5, 2011

BSOD troubleshooting preliminaries

Source
Thanks, John!!
FYI - We'll use the procedures here to start the analysis.
Hardware and virus issues can cause BSODs.  Analyzing them is usually frustrating and can take weeks just to figure out that the problem might be hardware related.  Try running the tests here to see if there might be hardware issues.  You can upload your dump files and have the analysis started while running these tests and procedures - but please read the list completely before starting.
1.  Provide a detailed description of what seems to cause the problem, and any "thoughts" that you may have about the issues - even if you don't think it's important.  More BSODs are solved by an analysis of your "hunches" than are solved by WinDbg.  If you're overclocking, reset the system to default values before continuing.  Overclocking stresses hardware, and over time can lead to BSODs.  This includes memory timings - set them to Default or Auto.
2.  When working inside of the case, make sure that the system isn't plugged in, and that the battery is removed if it's a laptop.  Use canned air (not a vacuum or an air compressor) to clean out the vents.
- Check to ensure all fans are working (PSU, CPU, and Video especially)
- Check to ensure that there's nothing clogging the heatsinks/coolers (PSU, CPU, and Video especially)
- Check to ensure that all cables are firmly seated
- Check to ensure that the memory sticks are clean (clean with a soft, dry, lint-free cloth) and that the slots are clean also (blow out with canned air).
Let us know what you did, and what you found.
3.  Use Speedfan to check your temps (free here):  SpeedFan - Access temperature sensor in your computer
Let us know the temps that are reported.
4.  Check for BIOS upgrades (read the release notes).  Don't update the BIOS unless you're sure that the update applies to the issues that you have.  If uncertain, ask us.
5.  Check your power supply for its specifications, then post both the specifications of your system and the specifications for the PSU.
6.  HD diag - http://usasma.vox.com/library/post/bootable-hard-drive-diagnostics.html
Will run even if Windows doesn't boot
7.  Mem diag - http://usasma.vox.com/library/post/bootable-memory-test-diagnostics.html
Will run even if Windows doesn't boot
8.  Independent Virus scan - http://usasma.vox.com/library/post/free-online-malware-scans-originally-posted-09mar08.html
The system must connect to the internet in order to do this.  This is in case a virus has corrupted your current scanners into providing false results.
If you are using an Internet Security product (or a 360 product), please do one of the following:
- locate your product key for that product and download a fresh copy of it from the manufacturer's website (don't use the CD it came on).
- or download a free antivirus to take its place (I recommend Avast free, available here:  http://www.avast.com/eng/download-avast-home.html)
Once that's done, uninstall the product using a removal tool available at the manufacturer's website (often the uninstaller won't remove the problem).  Post back if you need a link.
Install the replacement antivirus, update it, and test to see if BSODs are still happening.
9.  SiSoftSandra Lite - www.sisoftware.net/index.html?
Must install in Windows.  Can download to another PC and copy to BSOD PC.
10.  Zip up the memory dumps and upload them in your next post.
They're located in C:\Windows\Minidump (may be hidden)
If you can't zip them there, copy to your Desktop and try it there.
To ZIP, select all the files, then right click on them
Select "Send to", then select "Compressed (zipped) folder"
11.  Go to Start (Vista and Win7) and type in "perfmon /report" (without the quotes) and press Enter.  Let the report generate, then save it as an .html file and zip it up with the memory dumps.
12.  Depending on your version of Windows, check for errors in the Event Viewer...System and Application log files, the Reliability Monitor, and in Device Management.  Also check Windows Error Reporting and/or the Action Center.
================    ===============
Please note that though this process may appear long and daunting, it has been explained in such a way so that the steps will be easy to follow.
A memory dump is what happens when Windows crashes. The memory is dumped into the pagefile and saved for the next reboot. Once Windows reboots, it reclaims the memory dump data from the pagefile and saves it to a file, which usually ends with the .dmp extension. Analyzing these dump files can help to figure out what's causing your system to crash. While they don't offer a "sure" fix, they provide clues to the cause of a crash so that we can work on fixing them. In my experience most system crashes are caused by faulty/corrupted drivers, malware, or hardware failures (in that order). Following the steps below will help us determine what may be causing your computer to Blue Screen, or crash.
A. The first thing to do when your system crashes is to reboot. Doing so will create the memory dump file so that it can be accessed. Windows may also ask permission to send the file for online analysis. I suggest that you always allow it to be sent. Most times you won't get anything back, but occasionally it will point out the problem and save you a lot of work trying to determine it on your own. Also, quite often the first crash is the only crash as Windows will fix the problem when it reboots, so there's no need to worry unless Windows crashes repeatedly. If you can't get into Windows, either in normal or Safe Mode, then just post straight to the appropriate forum and we'll help you from there. The forums where we help diagnose crashes are:
  • Windows Vista Forum
  • Windows XP Forum
  • Windows 2000 Forum
B. The next thing to do is to ensure that you are free of malware. If malware is present on your computer, it may have corrupted your installation, and be the cause of your crashes. I suggest you perform one of the free online scans that can be found at the following link:
Free Online Malware Scanners
C. Once you have completed an online scan, or two, please search your hard drive for files ending with the .dmp extension. There are several types of memory dumps that Windows may create. These are distinguished below:
  1. A complete memory dump or a kernel memory dump, which is usually saved in the C:\Windows directory and named MEMORY.DMP.
  2. A small memory dump, aka a minidump, which is usually saved in the C:\Windows\Minidump directory. These are named Miniwwxxyy-zz.dmp, where ww is the number of the month, xx is the number of the day, yy is the number of the year, and zz is the number of the crash dump that day. For example, a minidump with the name of Mini070108-03.dmp is the 3rd minidump generated on July 1, 2008.
On some systems the directories where the dump files are stored are protected by being Hidden and System files.
To show Hidden and System files in Windows Explorer, click on the Start button, then select All Programs, then select Accessories, and finally select Windows Explorer.
  1. Once opened, select the Tools menu and then select the File Options menu item. In Vista you may have to press and hold the Alt key to view this menu.
  2. Then go to the View tab, check the box labeled Show Hidden Files and Folders, and uncheck Hide Protected Operating System Files.
  3. You will now be at a dialog that asks you if you're sure you want to do this. Click on the Yes button to allow the change to take place.
  4. Then click the OK buttons at the prompts to exit the dialog. You will now be able to view hidden and system directories.
Warning - These files are hidden for a reason and messing with some of them may cause problems with your system.
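The naming convention from step C can be decoded programmatically to build a crash timeline. This is an added example, not part of the original guide; the function names, the assumption that a two-digit year means 20yy, and every sample filename except Mini070108-03.dmp are constructed for illustration. It also shows why sorting by filename is misleading: the month comes first in the name, so a January 2009 dump sorts ahead of a July 2008 one.

```python
import re
from datetime import date
from typing import NamedTuple, Optional

# Mini<MM><DD><YY>-<NN>.dmp, as described in step C.
_MINIDUMP_RE = re.compile(r"^Mini(\d{2})(\d{2})(\d{2})-(\d{2})\.dmp$", re.IGNORECASE)


class Minidump(NamedTuple):
    crash_date: date
    sequence: int      # nth dump written on that day
    filename: str


def parse_minidump_name(filename: str) -> Optional[Minidump]:
    """Return the date and sequence encoded in a minidump name, or None."""
    m = _MINIDUMP_RE.match(filename)
    if not m:
        return None
    month, day, yy, seq = (int(g) for g in m.groups())
    try:
        # Assumption: the two-digit year is 20yy.
        crash_date = date(2000 + yy, month, day)
    except ValueError:  # e.g. month 13 or day 32: not a valid dump name
        return None
    return Minidump(crash_date, seq, filename)


def crash_timeline(filenames):
    """Sort dumps oldest-first by decoded date, skipping unrelated files."""
    dumps = [d for d in map(parse_minidump_name, filenames) if d is not None]
    return sorted(dumps)  # tuple order: date, then sequence


# Constructed directory listing (only Mini070108-03.dmp appears in the guide).
SAMPLE_LISTING = [
    "Mini070108-03.dmp",
    "Mini010109-01.dmp",
    "Mini070108-01.dmp",
    "Mini123107-02.dmp",
    "Mini133108-01.dmp",  # invalid month, rejected
    "MEMORY.DMP",         # full/kernel dump, not a minidump
]

if __name__ == "__main__":
    for d in crash_timeline(SAMPLE_LISTING):
        print(d.crash_date.isoformat(), f"#{d.sequence}", d.filename)
```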
D. Once you've located the memory dump file(s), then you'll have to get a debugger to analyze them. The one that I'm familiar with is the free Microsoft Debugging Tools for Windows. Download the version, 32 or 64 bit, that's appropriate for the operating system that you'll be running the debugger on. The debugger can be found at the following link: Debugging Tools for Windows
Once it's downloaded, double click on it to install it. Once it's installed, open the debugger by doing the following:
  1. Click on the Start Menu.
  2. Click on the All Programs menu.
  3. Select the Debugging Tools for Windows program folder.
  4. Click on the WinDbg icon to start the program.
Once you've opened the program, click on the File menu item, then on Symbol File Path.
E. In the window that opens, insert the exact text on the next line in the Symbol File Path box. This is a critical step, and if done incorrectly you'll end up with symbol errors:
SRV*c:\symbols*http://msdl.microsoft.com/download/symbols
The easiest thing to do is copy the above bolded text and then paste it into the box. Once that is done, click on OK to exit the dialog. Next, click on File menu and then select the Save Workspace menu option. This will save the symbol path for future use.
NOTE: You MUST be connected to the internet in order to use the Symbol server listed above.
F. Next, click on the File menu and select the Open Crash Dump option. When the dialog box opens, click on the Browse button and browse to the location of the memory dump file and then double-click on it to load it into the Debugger. You may be prompted to save the workspace again, but just click on the No button. A window will now open and the dump file text will fill the debugging screen.
Here's an example of an analysis report from a Minidump file. If this were a complete or kernel dump, it would be much larger.
Microsoft ® Windows Debugger Version 6.8.0004.0 AMD64
Copyright © Microsoft Corporation. All rights reserved.


Loading Dump File [C:\Users\FUBAR\Desktop\Mini070108-03.dmp]
Mini Kernel Dump File: Only registers and stack trace are available
Symbol search path is: SRV*c:\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows XP Kernel Version 2600 (Service Pack 2) MP (2 procs) Free x86 compatible
Product: WinNt
Built by: 2600.xpsp_sp2_gdr.070227-2254
Kernel base = 0x804d7000 PsLoadedModuleList = 0x805624a0
Debug session time: Tue Jul 1 16:28:22.439 2008 (GMT-4)
System Uptime: 0 days 0:04:00.921
Loading Kernel Symbols
....
Loading User Symbols
Loading unloaded module list
.........
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck 1000008E, {c0000005, 84c64731, f4fecc3c, 0}
Probably caused by : Unknown_Image ( ANALYSIS_INCONCLUSIVE )
Followup: MachineOwner
---------
G. The next step is to click on the !analyze -v link that's highlighted in blue in the report above.  This will generate more information; a sample of that output follows the list of additional commands below.
Additional Commands (not reflected in the samples on this page):
-  I'm starting to incorporate typing !analyze -v;!thread;r;kv;lmtn;lmtsmn;.bugcheck into the text box at the bottom of the debugger - thanks to jcgriff2.
-  List loaded drivers = lm kv
-  Memory usage = !vm
-  Current thread = !thread
-  List all processes = !process 0 0
-  If driver deadlock detected in verifier = !deadlock
-  Additional commands located here as time permits:  Debugging Commands
Microsoft ® Windows Debugger Version 6.8.0004.0 AMD64
Copyright © Microsoft Corporation. All rights reserved.


Loading Dump File [C:\Users\FUBAR\Desktop\Mini070108-03.dmp]
Mini Kernel Dump File: Only registers and stack trace are available
Symbol search path is: SRV*c:\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows XP Kernel Version 2600 (Service Pack 2) MP (2 procs) Free x86 compatible
Product: WinNt
Built by: 2600.xpsp_sp2_gdr.070227-2254
Kernel base = 0x804d7000 PsLoadedModuleList = 0x805624a0
Debug session time: Tue Jul 1 16:28:22.439 2008 (GMT-4)
System Uptime: 0 days 0:04:00.921
Loading Kernel Symbols
................................................................................
Loading User Symbols
Loading unloaded module list
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck 1000008E, {c0000005, 84c64731, f4fecc3c, 0}
Probably caused by : Unknown_Image ( ANALYSIS_INCONCLUSIVE )
Followup: MachineOwner
---------
0: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
KERNEL_MODE_EXCEPTION_NOT_HANDLED_M (1000008e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Some common problems are exception code 0x80000003. This means a hard
coded breakpoint or assertion was hit, but this system was booted
/NODEBUG. This is not supposed to happen as developers should never have
hardcoded breakpoints in retail code, but ...
If this happens, make sure a debugger gets connected, and the
system is booted /DEBUG. This will let us see why this breakpoint is
happening.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: 84c64731, The address that the exception occurred at
Arg3: f4fecc3c, Trap Frame
Arg4: 00000000
Debugging Details:
------------------

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
FAULTING_IP:
+ffffffff84c64731
84c64731 ?? ???
TRAP_FRAME: f4fecc3c -- (.trap 0xfffffffff4fecc3c)
Unable to read trap frame at f4fecc3c
CUSTOMER_CRASH_COUNT: 3
DEFAULT_BUCKET_ID: DRIVER_FAULT
BUGCHECK_STR: 0x8E
LAST_CONTROL_TRANSFER: from 00000000 to 84c64731
STACK_TEXT:
f4feccac 00000000 00000000 01790000 00000000 0x84c64731

STACK_COMMAND: .trap 0xfffffffff4fecc3c ; kb
SYMBOL_NAME: ANALYSIS_INCONCLUSIVE
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: Unknown_Module
IMAGE_NAME: Unknown_Image
DEBUG_FLR_IMAGE_TIMESTAMP: 0
FAILURE_BUCKET_ID: 0x8E_ANALYSIS_INCONCLUSIVE
BUCKET_ID: 0x8E_ANALYSIS_INCONCLUSIVE
Followup: MachineOwner
---------
H. Once this is done, we want to copy the text of the dump file analysis report. To do this, select the Edit menu item in the Debugging Tools window and then select Copy Window Text to Clipboard. Now, return to Bleeping Computer and paste the information into your next post.
I. If you haven't started a topic for your issue yet, you can start one at the appropriate link below. Please be sure and let us know the make and model of your system along with the symptoms that you're experiencing.
  • Windows Vista Forum
  • Windows XP Forum
J.  An example of the process used when viewing the analysis that you've generated:  http://www.sevenforums.com/general-discussion/13020-bsod-tcpip-sys-crash.html#post129991
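When many reports have been collected, the fields of the !analyze -v text from step G can be extracted and condensed into one triage line per dump. This is an added example, not part of the original guide; parse_analysis and summarize are hypothetical names, and the sample is an excerpt of the report shown above for Mini070108-03.dmp.

```python
import re

_BUGCHECK_RE = re.compile(r"^BugCheck ([0-9A-Fa-f]+), \{([^}]*)\}", re.MULTILINE)
_CAUSE_RE = re.compile(r"^Probably caused by : (\S+)", re.MULTILINE)
# KEY: value lines such as "IMAGE_NAME: Unknown_Image" (the value may be empty).
_FIELD_RE = re.compile(r"^([A-Z][A-Z0-9_]+):[ \t]*(.*)$", re.MULTILINE)

# Excerpt of the report shown on this page (Mini070108-03.dmp).
SAMPLE_REPORT = """\
BugCheck 1000008E, {c0000005, 84c64731, f4fecc3c, 0}
Probably caused by : Unknown_Image ( ANALYSIS_INCONCLUSIVE )
FAULTING_IP:
+ffffffff84c64731
CUSTOMER_CRASH_COUNT: 3
DEFAULT_BUCKET_ID: DRIVER_FAULT
BUGCHECK_STR: 0x8E
IMAGE_NAME: Unknown_Image
FAILURE_BUCKET_ID: 0x8E_ANALYSIS_INCONCLUSIVE
"""


def parse_analysis(text):
    """Extract the triage-relevant fields from WinDbg '!analyze -v' text."""
    bc = _BUGCHECK_RE.search(text)
    if bc is None:
        raise ValueError("no 'BugCheck' line: not a WinDbg analysis report")
    cause = _CAUSE_RE.search(text)
    fields = {k: v.strip() for k, v in _FIELD_RE.findall(text)}
    image = fields.get("IMAGE_NAME") or (cause.group(1) if cause else "")
    failure = fields.get("FAILURE_BUCKET_ID", "")
    return {
        "bugcheck": int(bc.group(1), 16),
        "args": [int(a, 16) for a in bc.group(2).split(",")],
        "bugcheck_str": fields.get("BUGCHECK_STR", ""),
        "bucket": fields.get("DEFAULT_BUCKET_ID", ""),
        "image": image,
        "crash_count": int(fields.get("CUSTOMER_CRASH_COUNT", "0")),
        # The debugger could not map the faulting address to a loaded module.
        "inconclusive": image.startswith("Unknown_") or "ANALYSIS_INCONCLUSIVE" in failure,
    }


def summarize(text):
    """One line per dump, suitable for comparing several crashes side by side."""
    r = parse_analysis(text)
    args = ", ".join(f"{a:08x}" for a in r["args"])
    verdict = "INCONCLUSIVE, needs more data" if r["inconclusive"] else f"suspect {r['image']}"
    return f"{r['bugcheck_str']} ({args}) bucket={r['bucket']} crashes={r['crash_count']}: {verdict}"
```

An inconclusive verdict like the one in this sample is the case where the additional commands listed in step G (!thread, lmtn, and so on) are worth running before posting.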
