Elliott C. Back: Internet & Technology

How To Analyze Windows XP BSOD Minidump Files

Posted in Computers & Technology, Hardware, Microsoft, Windows, Windows XP by Elliott Back on July 1st, 2008.

If you’ve been getting a lot of BSODs (Blue Screen Of Death) in Windows XP, the Windows debugging tools can help you find out what’s wrong with your computer. In this guide, we’ll walk you through what you need to do to analyze the minidump files that DrWatson leaves behind when Windows crashes.

First, you need to turn on debugging information in Windows. Right click on My Computer, select Properties, and click on the Advanced tab, and click on the Settings button under Startup and Recovery. You’ll see a screen like this:

startup-and-recovery.png

You want to have the “Small Memory Dump” and “Small dump directory” fields filled in. If they’re already set up that way, great. If not, change them, restart, and wait for a BSOD stop error to occur so that you can investigate the problem.

Second, now that you have the memory dump files in C:\WINDOWS\Minidump\Mini???????-??.dmp, you need software from Microsoft to read and interpret them. Download:

  1. WinDbg – A Windows debugger
  2. Windows XP SP2 Symbols – A system “dictionary”

Some people who try to debug their system might get an error like this:

kd -z Mini062808-01.dmp

Microsoft (R) Windows Debugger Version 6.9.0003.113 X86
Copyright (c) Microsoft Corporation. All rights reserved.

Loading Dump File [Mini062808-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: *** Invalid ***
****************************************************************************
* Symbol loading may be unreliable without a symbol search path. *
* Use .symfix to have the debugger choose a symbol path. *
* After setting your symbol path, use .reload to refresh symbol locations. *
****************************************************************************
Executable search path is:
*********************************************************************
* Symbols can not be loaded because symbol path is not initialized. *
* *
* The Symbol Path can be set by: *
* using the _NT_SYMBOL_PATH environment variable. *
* using the -y argument when starting the debugger. *
* using .sympath and .sympath+ *
*********************************************************************
Unable to load image ntoskrnl.exe, Win32 error 0n2
*** WARNING: Unable to verify timestamp for ntoskrnl.exe
*** ERROR: Module load completed but symbols could not be loaded for ntoskrnl.exe
Windows XP Kernel Version 2600 (Service Pack 2) UP Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS Personal
Kernel base = 0x804d8000 PsLoadedModuleList = 0x8055b620
Debug session time: Sat Jun 28 22:05:53.137 2008 (GMT-4)
System Uptime: 0 days 4:01:15.706

This error can be fixed by installing the Windows XP SP2 symbols pack above, or another Microsoft symbols pack.

Third, open up WinDbg by clicking Start, Programs, Debugging Tools for Windows (x86), and then WinDbg. You need to set the symbol path to wherever you installed the Windows symbols in the last step. You can do this from File then Symbol File Path, where you want to paste SRV*c:\windows\symbols*http://msdl.microsoft.com/download/symbols:

symbol-file-path.png

Finally, you just need to open a dump file from File, Open Crash Dump, and at the prompt type !analyze -v. You’ll then see output like the following:

!analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pageable (or completely invalid) address at an interrupt request level (IRQL) that is too high. This is usually caused by drivers using improper addresses. If a kernel debugger is available get the stack backtrace.

Arguments:
Arg1: f78ab980, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000001, bitfield :
bit 0 : value 0 = read operation, 1 = write operation
bit 3 : value 0 = not an execute operation, 1 = execute operation (only on chips which support this level of status)
Arg4: 804dab68, address which referenced memory

Debugging Details:
——————
WRITE_ADDRESS: f78ab980
CURRENT_IRQL: 2

FAULTING_IP:
nt!memcpy+130
804dab68 89448ffc mov dword ptr [edi+ecx*4-4],eax

CUSTOMER_CRASH_COUNT: 1
DEFAULT_BUCKET_ID: DRIVER_FAULT
BUGCHECK_STR: 0xA
PROCESS_NAME: iexplore.exe
LAST_CONTROL_TRANSFER: from b0d2a3be to 804dab68

STACK_TEXT:
f78a9dc4 b0d2a3be f78ab980 8a1f8107 00000006 nt!memcpy+0x130
WARNING: Stack unwind information not available. Following frames may be wrong.
f78aa29c b0d2a640 8a204000 8a1f8008 8a1f800e w70n51+0x2a3be
f78aac00 b0d0b11a 8a204000 89cd6fd8 89cd628c w70n51+0x2a640
f78aae30 b0d20abe 89cd6000 f78aae44 8a01c3a0 w70n51+0xb11a
f78aae4c b0d1d037 89cd6000 89b7e000 00000001 w70n51+0x20abe
f78aaf3c b0d1c77b 8a060658 89f328d0 f78aaf84 w70n51+0x1d037
f78aaf90 b0d1dcf6 89cd6000 f78aafab f78aafd0 w70n51+0x1c77b
f78aafac b0d1de4b 89cd6000 f78aafd0 f7445f09 w70n51+0x1dcf6
f78aafb8 f7445f09 89cd6000 8a127528 8a12778c w70n51+0x1de4b
f78aafd0 804dcbd4 89cd62a0 89cd628c 00000000 NDIS!ndisMDpcX+0x21
f78aaff4 804dc89e b11bfd54 00000000 00000000 nt!KiRetireDpcList+0x46
f78aaff8 b11bfd54 00000000 00000000 00000000 nt!KiDispatchInterrupt+0x2a
804dc89e 00000000 00000009 bb835675 00000128 0xb11bfd54

STACK_COMMAND: kb

FOLLOWUP_IP:
w70n51+2a3be
b0d2a3be ?? ???

SYMBOL_STACK_INDEX: 1
SYMBOL_NAME: w70n51+2a3be
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: w70n51
IMAGE_NAME: w70n51.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 3ee71b51
FAILURE_BUCKET_ID: 0xA_W_w70n51+2a3be
BUCKET_ID: 0xA_W_w70n51+2a3be
Followup: MachineOwner
———

In this particular case, we’re debugging a Dell Inspiron 5150 which has been recently having sporadic hard crashes. The bluescreen message it got, Stop 0x0000000A or IRQL_NOT_LESS_OR_EQUAL, is almost always an indication of a driver error. Googling for w70n51.sys (from the crash dump) shows it to be Intel PRO/Wireless LAN 2100 3B Mini PCI adapter software, which should be updated to resolve the bluescreens.
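When a machine has produced dozens of minidumps, reading each !analyze -v report by hand gets old. The following Python script is an added example, not code from the post or from Microsoft's debugging tools: it builds the kd.exe command line that runs !analyze -v on a dump non-interactively (the -z, -y, -logo and -c switches are documented kd options; that kd.exe is on PATH is an assumption), parses the report fields and the STACK_TEXT frames, and names the first frame that belongs to a module outside a small, illustrative set of Windows modules, which is the driver to look at. It also goes one step beyond the post's case and handles the ANALYSIS_INCONCLUSIVE report a commenter below pasted: when the frames are bare addresses, it lists them so you can map them to a loaded driver with the lm command instead of guessing. The two sample reports are condensed from the output shown on this page.

```python
"""Triage helper for WinDbg/kd `!analyze -v` output (added example, not the post's code)."""
import re
from typing import Dict, List, Optional

# Modules that ship with Windows; a frame in them is rarely the root cause.
# Assumption: this set is illustrative only; extend it for your own environment.
MICROSOFT_MODULES = {"nt", "hal", "ndis", "win32k", "tcpip", "ntfs"}

FIELD_RE = re.compile(r"^([A-Z_]+):\s*(\S.*)$")       # e.g. IMAGE_NAME: w70n51.sys
FRAME_RE = re.compile(r"^(?:[0-9a-f]{8} ){5}(\S+)$")  # ChildEBP RetAddr Args(3) Symbol


def kd_command(dump_path: str, sympath: str, log_path: str) -> List[str]:
    """Command line that runs !analyze -v on one dump and quits.

    -z dump, -y symbol path, -logo log file and -c startup commands are
    documented kd switches; kd.exe being on PATH is an assumption.
    """
    return ["kd", "-z", dump_path, "-y", sympath, "-logo", log_path,
            "-c", "!analyze -v; q"]


def frame_module(symbol: str) -> Optional[str]:
    """Module of a frame symbol: 'nt!memcpy+0x130' -> 'nt', 'w70n51+0x2a3be' -> 'w70n51'.
    A bare address such as '0xb11bfd54' could not be mapped to any module."""
    if symbol.startswith("0x"):
        return None
    return re.split(r"[!+]", symbol, maxsplit=1)[0]


def parse_analyze(text: str) -> Dict[str, object]:
    """Extract the fields a triage needs from !analyze -v output."""
    fields: Dict[str, str] = {}
    frames: List[str] = []
    in_stack = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("STACK_TEXT:"):
            in_stack = True
            continue
        if in_stack and line and not line.startswith("STACK_COMMAND:"):
            m = FRAME_RE.match(line)  # WARNING: lines inside the stack are skipped
            if m:
                frames.append(m.group(1))
            continue
        in_stack = False
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2)

    # First frame outside Windows' own modules is the usual suspect.
    suspect = None
    for sym in frames:
        mod = frame_module(sym)
        if mod and mod.lower() not in MICROSOFT_MODULES:
            suspect = mod
            break
    return {
        "bugcheck": fields.get("BUGCHECK_STR"),
        "process": fields.get("PROCESS_NAME"),
        "image": fields.get("IMAGE_NAME"),
        "bucket": fields.get("FAILURE_BUCKET_ID"),
        "frames": frames,
        "suspect": suspect,
        # Addresses WinDbg could not map to a module; check them against `lm` output.
        "unresolved": [s for s in frames if frame_module(s) is None],
        "inconclusive": fields.get("SYMBOL_NAME") == "ANALYSIS_INCONCLUSIVE",
    }


# Constructed sample, condensed from the post's own report for the Inspiron dump.
SAMPLE_DRIVER = """\
BUGCHECK_STR: 0xA
PROCESS_NAME: iexplore.exe

STACK_TEXT:
f78a9dc4 b0d2a3be f78ab980 8a1f8107 00000006 nt!memcpy+0x130
WARNING: Stack unwind information not available. Following frames may be wrong.
f78aa29c b0d2a640 8a204000 8a1f8008 8a1f800e w70n51+0x2a3be
f78aafd0 804dcbd4 89cd62a0 89cd628c 00000000 NDIS!ndisMDpcX+0x21
f78aaff4 804dc89e b11bfd54 00000000 00000000 nt!KiRetireDpcList+0x46
804dc89e 00000000 00000009 bb835675 00000128 0xb11bfd54

STACK_COMMAND: kb
SYMBOL_NAME: w70n51+2a3be
MODULE_NAME: w70n51
IMAGE_NAME: w70n51.sys
FAILURE_BUCKET_ID: 0xA_W_w70n51+2a3be
"""

# Constructed sample, condensed from the ANALYSIS_INCONCLUSIVE report in comment 7.
SAMPLE_INCONCLUSIVE = """\
BUGCHECK_STR: 0xD1
PROCESS_NAME: System

STACK_TEXT:
WARNING: Frame IP not in any known module. Following frames may be wrong.
f7c37d64 f1f402a8 804e48b0 ff676980 ffffffff 0xf1f3ed50
f7c37d7c 804e23b5 85187860 00000000 853c6b30 0xf1f402a8
f7c37dac 80575723 85187860 00000000 00000000 nt!ExpWorkerThread+0xef

STACK_COMMAND: kb
SYMBOL_NAME: ANALYSIS_INCONCLUSIVE
MODULE_NAME: Unknown_Module
IMAGE_NAME: Unknown_Image
FAILURE_BUCKET_ID: 0xD1_ANALYSIS_INCONCLUSIVE
"""

if __name__ == "__main__":
    for sample in (SAMPLE_DRIVER, SAMPLE_INCONCLUSIVE):
        r = parse_analyze(sample)
        print(r["bugcheck"], r["process"], "suspect:", r["suspect"],
              "unresolved:", r["unresolved"], "inconclusive:", r["inconclusive"])
```

Run it over the log files that kd_command produces for each Mini*.dmp and you get one line per crash: for the post's dump it names w70n51 as the suspect, and for the inconclusive one it reports no suspect but lists the two return addresses to look up with lm. Bare addresses in the stack usually mean the symbol path is wrong or the faulting driver's image was not found, so fix the symbol path before blaming ntoskrnl.exe.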

This entry was posted on Tuesday, July 1st, 2008 at 8:00 pm.

15 Responses to “How To Analyze Windows XP BSOD Minidump Files”

  1. Scott says:

    Nice little post here, good job Elliott. Short, to the point and quite helpful.

    Andy – you’re an idiot.

    Cheers!

  2. sayied anwer says:

    hi dear friend, first I want troubleshooting steps for the error IRQL_NOT_LESS_OR_EQUAL (a). I am continuously getting that error; please tell me the troubleshooting steps for the same

  3. Andy – You are crazy if you think it’s any easier to debug halt/stop errors on Apple or Linux. WinDbg is actually not that bad.

  4. Andy says:

    WOW.
    I could not believe the run around we had to do to get the required info out of Microsoft!!!

    Thank you Elliott!! You are a godsend and this technical note is by far the most valuable piece of info on MS XP debugging that I have ever seen.

    What are the folks at Microsoft thinking? Why do they hide the data from their customers?

    I don’t know about what others think BUT I am almost convinced to switch my entire company to either LINUX or Apple.

  5. AJ says:

    awesome! thank you sooooooo much for posting this.

  6. Nitin says:

    Thanks a ton. Amazing information…

  7. Mitch says:

    This is what it says in my analysis:

    READ_ADDRESS: e1e5c000

    CURRENT_IRQL: 2

    FAULTING_IP:
    +fffffffff1f3ed50
    f1f3ed50 f3a5 rep movs dword ptr es:[edi],dword ptr [esi]

    CUSTOMER_CRASH_COUNT: 2

    DEFAULT_BUCKET_ID: DRIVER_FAULT

    BUGCHECK_STR: 0xD1

    PROCESS_NAME: System

    LAST_CONTROL_TRANSFER: from f1f402a8 to f1f3ed50

    STACK_TEXT:
    WARNING: Frame IP not in any known module. Following frames may be wrong.
    f7c37d64 f1f402a8 804e48b0 ff676980 ffffffff 0xf1f3ed50
    f7c37d7c 804e23b5 85187860 00000000 853c6b30 0xf1f402a8
    f7c37dac 80575723 85187860 00000000 00000000 nt!ExpWorkerThread+0xef
    f7c37ddc 804ec6d9 804e22f1 00000001 00000000 nt!PspSystemThreadStartup+0x34
    00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16

    STACK_COMMAND: kb

    SYMBOL_NAME: ANALYSIS_INCONCLUSIVE

    FOLLOWUP_NAME: MachineOwner

    MODULE_NAME: Unknown_Module

    IMAGE_NAME: Unknown_Image

    DEBUG_FLR_IMAGE_TIMESTAMP: 0

    FAILURE_BUCKET_ID: 0xD1_ANALYSIS_INCONCLUSIVE

    BUCKET_ID: 0xD1_ANALYSIS_INCONCLUSIVE

    Followup: MachineOwner
    ———

  8. Mitch says:

    My computer has the blue screen of death constantly and only since I found this website did I find any help. But I follow all your directions and where the juicy information is kept it just says ANALYSIS_INCONCLUSIVE.
    I really need some help with my computer cause whenever I install something it crashes and I have 67 minidump files – 67 times my computer has crashed without me knowing why… please help

  9. Brian says:

    you rock man, this is the coolest trick in the book. I love reading these logs and seeing how jacked up MS really is :)

  10. John says:

    Good Information, exactly what I was looking for!

  11. jim says:

    Mark,
    I couldn't agree more, better than the Latin on the MS page!

  12. Mark says:

    Useful and straightforward info, unlike the twaddle from the Microsoft “Support” site. Thanks!

  13. Elliott Back says:

    Oops, let me fix that…

  14. Christian says:

    Your link for WinDbg is linking to Windows Installer 1.1 and not the debugging tool.

    The correct link for debugging tool is:
    msdl.microsoft.com/download/symbols/debuggers/dbg_x86_6.9.3.113.msi

  15. Oigen says:

    Apparently my bsod woes may be caused by ntoskrnl.exe
    Would replacing it be of any use?

    Use !analyze -v to get detailed debugging information.

    BugCheck 1000000A, {177, 1c, 0, 804de637}

    Probably caused by : ntoskrnl.exe ( nt!KiTrap0C+107 )

    SYMBOL_STACK_INDEX: 0

    SYMBOL_NAME: nt!KiTrap0C+107

    FOLLOWUP_NAME: MachineOwner

    MODULE_NAME: nt

    IMAGE_NAME: ntoskrnl.exe

    DEBUG_FLR_IMAGE_TIMESTAMP: 45e54690

    FAILURE_BUCKET_ID: 0xA_nt!KiTrap0C+107

    BUCKET_ID: 0xA_nt!KiTrap0C+107
