Windows blue screen of death after crash debugging

Alex Mclean

Amy Valley

Derek Visch


What is a BSOD?

Blue Screen of Death

The function that is called to generate the BSOD is KeBugCheckEx.

It occurs in Windows when the operating system encounters a critical error that it cannot recover from.


Why generate a BSOD?

Why not just ignore the exception?

  • It is likely that the driver that caused the first exception will continue to do so.

  • Therefore there is a high risk of data being corrupted.


Most Common BSOD Causes by Stop Code Category

Source: Russinovich, Mark E., David A. Solomon, and Alex Ionescu. Windows Internals: Part 2. 6th ed. Redmond, WA: Microsoft, 2012. Print.


Memory Dump Types

  • Kernel Memory Dumps

  • Complete Memory Dumps

  • Small Memory Dumps


Small Memory Dumps

  • Contain only information about the current process and thread context, the bug check stop code, and the kernel portion of the stack trace that caused the crash.

  • Basic WinDbg commands like !process will not have the information they need.


Kernel Memory Dumps

  • Collected on kernel crashes

  • Contains the kernel-mode memory pages at the time of the crash

  • Does not show user-mode pages


Complete Memory Dumps

  • A dump of the entire physical memory (RAM)

  • Does show user-mode pages at the time of the crash

  • Not always available on computers with 2 GB or more of RAM due to size


Sample Complete Memory Dump


Sample Kernel Memory Dump


Getting memory dumps


Choose Type of Memory Dump


Cause the crash


Reading the Crash

  • Run WinDbg as administrator

  • File > Open Crash Dump

  • C:\Windows\MEMORY.DMP

  • Run the following commands:

    kd> .symfix
    kd> .reload
    kd> !process -1 0
    kd> !analyze -v
    kd> lm kv m myfault
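
An added example (not from the original slides): Python that reads the header of a 64-bit crash dump such as MEMORY.DMP and reports the bug check code and which of the dump types described above the file is, before it is opened in WinDbg. The header offsets and DumpType values are assumptions taken from publicly reverse-engineered layouts of an undocumented format, and `parse_dump_header` and `make_sample_header` are hypothetical names.

```python
import struct

# Field offsets of the 64-bit kernel dump header as publicly reverse-engineered
# (assumption: the format is not officially documented and is not on the slides).
BUGCHECK_OFF, PARAMS_OFF, DUMPTYPE_OFF = 0x38, 0x40, 0xF98
MIN_HEADER = DUMPTYPE_OFF + 4

# DumpType values (assumption, same caveat). 5 and 6 are the bitmap variants
# newer Windows versions write for complete and kernel dumps.
DUMP_TYPES = {1: "complete", 2: "kernel", 4: "small",
              5: "complete", 6: "kernel"}


def parse_dump_header(buf):
    """Return bug check code, parameters and dump type from a dump header."""
    if len(buf) < MIN_HEADER:
        raise ValueError("file too short to hold a dump header")
    if buf[0:4] != b"PAGE":
        raise ValueError("not a kernel crash dump (missing PAGE signature)")
    if buf[4:8] != b"DU64":
        raise ValueError("only 64-bit (DU64) dumps are handled here")
    (code,) = struct.unpack_from("<I", buf, BUGCHECK_OFF)
    params = struct.unpack_from("<4Q", buf, PARAMS_OFF)
    (raw_type,) = struct.unpack_from("<I", buf, DUMPTYPE_OFF)
    kind = DUMP_TYPES.get(raw_type, "unknown")
    return {
        "bugcheck_code": code,
        "bugcheck_params": list(params),
        "dump_type": kind,
        # Per the slides, only complete dumps include user-mode pages.
        "has_user_mode_pages": kind == "complete",
    }


def make_sample_header(code, params, raw_type):
    """Build a constructed header for offline testing (not a real dump)."""
    buf = bytearray(0x2000)
    buf[0:8] = b"PAGEDU64"
    struct.pack_into("<I", buf, BUGCHECK_OFF, code)
    struct.pack_into("<4Q", buf, PARAMS_OFF, *params)
    struct.pack_into("<I", buf, DUMPTYPE_OFF, raw_type)
    return bytes(buf)


if __name__ == "__main__":
    sample = make_sample_header(0xD1, (0x10, 2, 0, 0xFFFFF80000001000), 2)
    info = parse_dump_header(sample)
    print(f"STOP 0x{info['bugcheck_code']:08X}", info["dump_type"],
          "user pages:", info["has_user_mode_pages"])
```

To inspect a real file, pass the first 0x2000 bytes read from it to `parse_dump_header`.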

