Windows blue screen of death after crash debugging
Alex Mclean

Amy Valley

Derek Visch


What is a BSOD?

Blue Screen Of Death: the screen Windows displays when the kernel encounters a critical error from which it cannot recover.

The function that is called to generate the BSOD is KeBugCheckEx. Its arguments are the stop code (bug check code) and four parameters; they are saved in the crash dump and are the first thing the debugger reports.


Why generate a BSOD?

Why not just ignore the exception? It is likely that the driver that caused the first exception will continue to do so, so the risk of corrupting data (in memory and on disk) is high. Halting the system and writing a dump is safer than continuing in an unknown state.


Most Common BSOD Causes By Stop Code Category

(Chart of crash causes by stop code category; the image is not included in this transcript.)

Source: Russinovich, Mark E., David A. Solomon, and Alex Ionescu. Windows Internals: Part 2. 6th ed. Redmond, WA: Microsoft, 2012. Print.


Memory Dump Types

  • Kernel Memory Dumps

  • Complete Memory Dumps

  • Small Memory Dumps


Small Memory Dumps

  • Contain only the bug check stop code and parameters, the context of the current process and thread, the kernel portion of the stack trace of the thread that crashed, and the list of loaded drivers.

  • Basic WinDbg commands such as !process will not have the information they need, because most kernel memory is absent from the file.


Kernel Memory Dumps

  • Written when the kernel crashes

  • Contains the kernel-mode memory pages in use at the time of the crash

  • Does not contain user-mode pages (or unallocated physical pages), so it is much smaller than a complete dump


Complete Memory Dumps

  • A dump of the entire physical memory (RAM)

  • Does include user-mode pages at the time of the crash

  • Requires a page file on the boot volume at least as large as physical RAM plus 1 MB (for the dump header)

  • Historically not offered in the Startup and Recovery dialog on computers with 2 GB or more of RAM, due to size; it can still be selected by setting CrashDumpEnabled to 1 under HKLM\SYSTEM\CurrentControlSet\Control\CrashControl
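The three dump types above share one on-disk header, and the header alone tells you which kind of file you have and what stop code it records before you open it in a debugger. The following added example (not code from the original slides) decodes that header. Field offsets follow the public DUMP_HEADER32 / DUMP_HEADER64 layouts from wdbgexts.h in the Debugging Tools for Windows; the sample dumps it parses are constructed byte strings, not real crash files, and the `make_sample` helper exists only to build them.

```python
"""Identify a Windows kernel crash dump and its stop code from the file header.

Added example; not code from the original slides.  Field offsets follow the
public DUMP_HEADER32 / DUMP_HEADER64 layouts (wdbgexts.h in the Debugging
Tools for Windows); every dump below is a constructed byte string, not a
real crash file.
"""
import struct

# First 8 bytes of every kernel-mode crash dump (small, kernel or complete).
# User-mode minidumps start with b"MDMP" and use a different format.
SIGNATURES = {b"PAGEDUMP": 32, b"PAGEDU64": 64}

# Offsets of the fields used here, per header bitness.  BugCheckParameter1-4
# are four ULONGs (32-bit) or four ULONG64s at an 8-byte-aligned offset (64-bit).
LAYOUT = {
    32: dict(machine=0x20, ncpu=0x24, bugcheck=0x28, params=0x2C, param_fmt="<4I", dump_type=0xF88),
    64: dict(machine=0x30, ncpu=0x34, bugcheck=0x38, params=0x40, param_fmt="<4Q", dump_type=0xF98),
}
HEADER_BYTES = 0x1000  # all fields above lie within the first page of the header

MACHINE = {0x14C: "x86", 0x8664: "AMD64", 0xAA64: "ARM64"}

# DUMP_TYPE_* values stored in the header's DumpType field.
DUMP_TYPES = {
    1: "complete (DUMP_TYPE_FULL)",
    2: "kernel (DUMP_TYPE_SUMMARY)",
    4: "small (DUMP_TYPE_TRIAGE)",
}

# A few common stop codes (names as WinDbg prints them).
BUGCHECK_NAMES = {
    0x0A: "IRQL_NOT_LESS_OR_EQUAL",
    0x1E: "KMODE_EXCEPTION_NOT_HANDLED",
    0x50: "PAGE_FAULT_IN_NONPAGED_AREA",
    0x7E: "SYSTEM_THREAD_EXCEPTION_NOT_HANDLED",
    0xD1: "DRIVER_IRQL_NOT_LESS_OR_EQUAL",
}


def parse_dump_header(data: bytes) -> dict:
    """Decode the stop code, its parameters and the dump type from a DUMP_HEADER."""
    if len(data) < HEADER_BYTES:
        raise ValueError("need at least the first 4096 bytes of the dump file")
    bits = SIGNATURES.get(bytes(data[:8]))
    if bits is None:
        raise ValueError(f"not a kernel crash dump (signature {bytes(data[:8])!r})")
    lay = LAYOUT[bits]
    (machine,) = struct.unpack_from("<I", data, lay["machine"])
    (ncpu,) = struct.unpack_from("<I", data, lay["ncpu"])
    (code,) = struct.unpack_from("<I", data, lay["bugcheck"])
    params = struct.unpack_from(lay["param_fmt"], data, lay["params"])
    (dump_type,) = struct.unpack_from("<I", data, lay["dump_type"])
    return {
        "bits": bits,
        "machine": MACHINE.get(machine, f"0x{machine:x}"),
        "processors": ncpu,
        "bugcheck_code": code,
        "bugcheck_name": BUGCHECK_NAMES.get(code, "UNKNOWN"),
        "bugcheck_params": tuple(params),
        "dump_type": DUMP_TYPES.get(dump_type, f"unknown ({dump_type})"),
        # Only a complete dump carries user-mode pages.
        "has_user_mode_pages": dump_type == 1,
    }


def summarize(info: dict) -> str:
    """One-line triage string in the style of the first line of !analyze -v."""
    p = ", ".join(f"0x{x:x}" for x in info["bugcheck_params"])
    return (f"{info['bugcheck_name']} (0x{info['bugcheck_code']:x}) params=({p}); "
            f"{info['dump_type']} dump, {info['machine']}, {info['processors']} CPUs")


def read_dump_header(path: str) -> dict:
    """Read just the header of a real dump (e.g. C:\\Windows\\MEMORY.DMP)."""
    with open(path, "rb") as f:
        return parse_dump_header(f.read(HEADER_BYTES))


def make_sample(bits: int, code: int, params, dump_type: int) -> bytes:
    """Constructed header for testing; real dumps carry much more than this."""
    lay = LAYOUT[bits]
    buf = bytearray(HEADER_BYTES)
    buf[:8] = b"PAGEDUMP" if bits == 32 else b"PAGEDU64"
    struct.pack_into("<I", buf, lay["machine"], 0x14C if bits == 32 else 0x8664)
    struct.pack_into("<I", buf, lay["ncpu"], 4)
    struct.pack_into("<I", buf, lay["bugcheck"], code)
    struct.pack_into(lay["param_fmt"], buf, lay["params"], *params)
    struct.pack_into("<I", buf, lay["dump_type"], dump_type)
    return bytes(buf)


if __name__ == "__main__":
    # Constructed kernel dump of a DRIVER_IRQL_NOT_LESS_OR_EQUAL crash on x64.
    sample = make_sample(64, 0xD1, (0x10, 2, 0, 0xFFFFF80645A41000), 2)
    print(summarize(parse_dump_header(sample)))
```

Reading only the first page is deliberate: a complete dump can be as large as physical RAM, and the header is enough to decide whether the file is worth copying off the machine and which debugger commands will have data to work with.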


Sample Complete Memory Dump

(The slide contains only an image, which is not included in this transcript.)

Reading the Crash

Run WinDbg as administrator

File > Open Crash Dump

C:\Windows\MEMORY.DMP

Run the following commands:

kd> .symfix          (point the symbol path at the Microsoft public symbol server)

kd> .reload          (reload module symbols using that path)

kd> !process -1 0    (show the process that was current at the time of the crash)

kd> !analyze -v      (verbose crash analysis: stop code, parameters, faulting module, stack)

kd> lm kv m myfault  (list the loaded kernel module(s) whose name matches myfault, with version details; myfault.sys is the Sysinternals NotMyFault test driver)

!process -1 0 needs the kernel structures that a kernel or complete dump contains; on a small memory dump it will not have the information it needs.
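The same command sequence can be run without the WinDbg GUI by handing it to kd.exe on the command line, which is how you triage many dumps at once. The following added example (not code from the original slides) does that and parses the output for the fields a responder looks at first. Assumptions: kd.exe from the Debugging Tools for Windows is installed at the path in KD_EXE (a typical location; adjust for your install), the dump is at C:\Windows\MEMORY.DMP, and SAMPLE_OUTPUT is a constructed, abridged transcript so the parsers can be exercised offline.

```python
"""Run the slide's WinDbg command sequence non-interactively with kd.exe and
parse the result for triage.

Added example; not code from the original slides.  Assumptions: kd.exe from
the Debugging Tools for Windows is installed at KD_EXE (adjust for your
install), the dump is at C:\\Windows\\MEMORY.DMP, and SAMPLE_OUTPUT is a
constructed, abridged transcript used so the parsers can be exercised
offline.
"""
import re
import subprocess

KD_EXE = r"C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\kd.exe"  # assumed path
DUMP_FILE = r"C:\Windows\MEMORY.DMP"

# Same commands as the slide, run in one batch; the trailing q makes kd exit
# instead of waiting at the kd> prompt.
COMMANDS = ".symfix; .reload; !process -1 0; !analyze -v; lm kv m myfault; q"


def run_kd(dump_file: str = DUMP_FILE, kd_exe: str = KD_EXE, commands: str = COMMANDS) -> str:
    """Open the dump with kd (-z) and run the initial command string (-c)."""
    proc = subprocess.run([kd_exe, "-z", dump_file, "-c", commands],
                          capture_output=True, text=True, timeout=900)
    return proc.stdout


# Labels that !analyze -v prints as NAME:  value; the exact set differs
# between debugger versions, so unknown labels are simply skipped.
WANTED = {"BUGCHECK_CODE", "BUGCHECK_STR", "PROCESS_NAME", "MODULE_NAME",
          "IMAGE_NAME", "FAILURE_BUCKET_ID", "DEFAULT_BUCKET_ID"}
FIELD_RE = re.compile(r"^([A-Z][A-Z0-9_]*):\s*(.*?)\s*$")
CAUSED_RE = re.compile(r"^Probably caused by\s*:\s*(\S+)(?:\s*\(\s*([^)]*?)\s*\))?")
# Module lines from lm: "<start> <end>   <name>    (<symbol status>)"
MODULE_RE = re.compile(r"^([0-9a-f`]+)\s+([0-9a-f`]+)\s+(\w+)\s+\(")


def parse_analyze(output: str) -> dict:
    """Pull the triage fields and the 'Probably caused by' verdict out of kd output."""
    found = {}
    for line in output.splitlines():
        m = CAUSED_RE.match(line)
        if m:
            found["probably_caused_by"] = m.group(1)
            if m.group(2):
                found["faulting_symbol"] = m.group(2)
            continue
        m = FIELD_RE.match(line)
        if m and m.group(1) in WANTED:
            found[m.group(1)] = m.group(2)
    return found


def parse_modules(output: str) -> dict:
    """Map module name -> (start, end) from the lm listing."""
    mods = {}
    for line in output.splitlines():
        m = MODULE_RE.match(line)
        if m:
            mods[m.group(3)] = (m.group(1), m.group(2))
    return mods


def suspect_driver(found: dict) -> str:
    """Name the module to look at first: IMAGE_NAME if present, else the verdict line."""
    return found.get("IMAGE_NAME") or found.get("probably_caused_by") or "unknown"


# Constructed, abridged kd output for a myfault.sys (Sysinternals NotMyFault) crash.
SAMPLE_OUTPUT = r"""Microsoft (R) Windows Debugger Version 10.0.22621.1 AMD64
Loading Dump File [C:\Windows\MEMORY.DMP]
Kernel Summary Dump File: Only kernel address space is available
Probably caused by : myfault.sys ( myfault+1c9 )
...
DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
BUGCHECK_CODE:  d1
BUGCHECK_P1: 0
BUGCHECK_P2: 2
BUGCHECK_P3: 0
BUGCHECK_P4: fffff80645a41000
PROCESS_NAME:  notmyfault64.exe
MODULE_NAME: myfault
IMAGE_NAME:  myfault.sys
FAILURE_BUCKET_ID:  AV_myfault!unknown_function
Followup:     MachineOwner
---------
fffff806`45a40000 fffff806`45a47000   myfault    (deferred)
    Image path: \??\C:\Windows\system32\drivers\myfault.sys
    Image name: myfault.sys
"""

if __name__ == "__main__":
    text = SAMPLE_OUTPUT  # on a Windows box with kd.exe, use run_kd() instead
    found = parse_analyze(text)
    print(found.get("BUGCHECK_CODE"), suspect_driver(found), parse_modules(text))
```

The `-c` string is the same list of commands typed at the kd> prompt above, joined with semicolons; `.symfix` needs network access to the symbol server, so on an isolated analysis host replace it with `.sympath` pointing at a local symbol store before running.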

