Guide | How To: Understanding BSOD Information


LabZero

Thread author
Hi guys

I have made a guide on the infamous BSOD because, if we can better understand the codes, we will be able to acquire useful information to try to bring our system back to normality.

Certainly, when the BSOD happens, someone asks "why me?" Of course you may reinstall the OS, but I consider it a waste of time, and for those not used to installing Windows this could be very difficult.

1. System logs

When these problems occur, the most important step is collecting the logs the system has created. In the case of a BSOD they are:

-Windows Stop Messages, aka BSOD
example: 0x000000EA or 0x000000E6


-The minidump files, created in the directory C:\Windows\Minidump

-Logs in Event Viewer


Windows Stop Messages:

This happens when something forced Windows to stop (very obvious). Most often the cause is a faulty or incompatible kernel-mode driver or failing hardware (RAM above all), but it can also be triggered by aggressive malware-removal tools that load their own kernel drivers, such as GMER or ComboFix.

STOP messages are identified by a number of 8 hexadecimal digits, but it is often shortened by dropping the leading zeros:

Example: STOP 0x0000000A may be written as STOP 0xA

Minidump:

Every time the system hits this unstable condition, Windows saves a dump file into a folder, by default C:\Windows\Minidump, that helps us identify the BSOD. The file is binary and cannot be read with a text editor; it needs a specific program, such as BlueScreenView or WinDbg.

Event Viewer:

To open Event Viewer, click Start -> Control Panel -> System and Security -> Administrative Tools, and then double-click Event Viewer (or type eventvwr.msc in the Start menu search box).
The logs record application, security and system events. With the logs in Event Viewer you can get information concerning your hardware, software and system components, and monitor security events on a local or remote machine. These logs help you identify and diagnose the source of system problems.

While minidump files are created only when a BSOD occurs, Event Viewer records errors from the whole operating system, so it also shows problems that never reached a crash.

Now that we have the means to collect the errors, we pass to the analysis of the codes:


2. Analysis

To make the tutorial concrete, assume that you have a Windows Stop Message, a minidump file and an Event Viewer log.


First let's start with the Windows STOP message. The user who has the problem should write down the whole code, including the four parameters in parentheses, when it occurs. It helps here to untick "Automatically restart" on system failure, as described in section 4 (Enable Minidump); otherwise the machine reboots before the screen can be read.

On the web there are a couple of sites that interpret these codes:

http://aumha.org/a/stop.htm

http://support.microsoft.com/search/?adv=1

Example: let's say the user gets the following message:

PAGE_FAULT_IN_NONPAGED_AREA
Stop: 0x00000050 (0xFF5AFFF8, 0x00000000, 0x80544A9D, 0x00000000)


If we look it up at the first link we get the answer:

"Requested data was not in memory. An invalid system memory address was referenced. Defective memory (including main memory, L2 RAM cache, video RAM) or incompatible software (including remote control and antivirus software) might cause this Stop message, as may other hardware problems (e.g., incorrect SCSI termination or a flawed PCI card)."

Good practice in these cases is to recall the latest hardware or software changes made to the PC or the operating system.
In this example the BSOD code makes a hardware change the most likely suspect, although not always: if the user has not changed anything, it may be a software problem, which is why it is better to understand the true nature of the code.


We will now analyze the minidump file:


The file can be analysed in different ways; here is a link explaining how to do it with WinDbg:

http://msdn.microsoft.com/en-us/library/windows/hardware/ff539316(v=vs.85).aspx

Returning to simplicity, in order to open and read the dump file you need a program like BlueScreenView or WhoCrashed. Download links and instructions for use are at the end of this tutorial.


Here is what a minidump file looks like once you have a program to open it (BlueScreenView output):

Code:

==================================================
Dump File: Mini021514-02.dmp
Crash Time: 2/15/2014 17:56:46
Bug Check String: THREAD_STUCK_IN_DEVICE_DRIVER
Bug Check Code: 0x100000ea

Parameter 1: 0x89075750
Parameter 2: 0x89941e18
Parameter 3: 0xb3bb2cbc
Parameter 4: 0x00000001
Caused By Driver: nv4_mini.sys
Caused By Address: nv4_mini.sys + c9be2
File Description:
Product Name:
Company:
File Version:
Processor: 32-bit
Computer Name:
Full Path: C:\Documents and Settings\Klipsh\Desktop\minidump\Mini021510-02.dmp
Processors Count: 4
Major Version: 15
Minor Version: 2600
==================================================


At first glance it doesn't tell you much, but we can explain the contents in detail:


Crash Time: very important, because we have to restrict the analysis to the times of the most recent BSOD. A user who gets numerous BSODs will have many minidump files, as opposed to a user who had a single BSOD since installing the OS.

Bug Check String: can be considered the "name" of the BSOD code.

Bug Check Code: the Windows Stop Message code, i.e. the primary BSOD code. Note that the code stored in the dump may carry an extra leading digit: 0x100000EA is the "_M" form of 0xEA and has the same meaning, so look up the low digits.

If we search the aumha site for the name and code of the BSOD we get the answer:

"A device driver problem has caused the system to pause indefinitely (hang). Typically, this is caused by a display driver waiting for the video hardware to enter an idle state. This might indicate a hardware problem with the video adapter, or a faulty video driver."

Caused By Driver: without doubt the most important field. In the example above it gives the name of the driver that was running when the system crashed (nv4_mini.sys, the NVIDIA display driver, which matches the description of the bug check). Take it as the first suspect, not as proof: the driver on the stack is sometimes the victim of memory corrupted by another driver or by faulty RAM.
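As an added example (not part of the original guide), the following Python script does two things the text describes by hand. It normalizes a STOP code written in any of the forms seen above (STOP 0x0000000A, Stop 0xA, the "Bug Check Code:" line from BlueScreenView) and strips the 0x1000xxxx "_M" prefix before looking up the name, and it reads the bug check code, its four parameters, the build version and the CPU count directly from the header of a kernel minidump, which is where BlueScreenView gets those fields. The header layout (PAGE/DUMP for 32-bit, PAGE/DU64 for 64-bit dumps) is the Windows kernel DUMP_HEADER, not the user-mode MDMP format. The sample dump bytes are constructed here from the values in the BlueScreenView output above, because the real Mini021514-02.dmp is not available, and the name table only covers the codes mentioned on this page.

```python
import re
import struct

# Bug check names for the codes this guide mentions (Microsoft's names for them).
BUGCHECK_NAMES = {
    0x0A: "IRQL_NOT_LESS_OR_EQUAL",
    0x50: "PAGE_FAULT_IN_NONPAGED_AREA",
    0xE6: "DRIVER_VERIFIER_DMA_VIOLATION",
    0xEA: "THREAD_STUCK_IN_DEVICE_DRIVER",
}

IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664


def normalize_stop_code(text):
    """Return the integer code from 'STOP 0x0000000A', 'Stop 0xA',
    'Stop: 0x00000050 (0xFF5AFFF8, ...)' or 'Bug Check Code: 0x100000ea'.
    The first hex number on the line is the code; the rest are parameters."""
    m = re.search(r"0x([0-9A-Fa-f]{1,8})", text)
    if not m:
        raise ValueError("no STOP code found in %r" % text)
    return int(m.group(1), 16)


def base_code(code):
    """0x1000xxxx is the '_M' variant of 0x0000xxxx with the same meaning
    (0x100000EA in the dump above is THREAD_STUCK_IN_DEVICE_DRIVER_M = 0xEA)."""
    if code & 0xFFFF0000 == 0x10000000:
        return code & 0xFFFF
    return code


def bugcheck_name(code):
    base = base_code(code)
    name = BUGCHECK_NAMES.get(base, "UNKNOWN_0x%08X" % base)
    return name + "_M" if base != code else name


def parse_dump_header(data):
    """Read version, CPU count, bug check code and parameters from the first
    bytes of a Windows kernel crash dump (minidump, kernel or complete dump).
    Offsets are those of DUMP_HEADER32 / DUMP_HEADER64."""
    if data[0:4] != b"PAGE":
        raise ValueError("not a kernel crash dump (signature %r)" % data[0:4])
    valid = data[4:8]
    major, minor = struct.unpack_from("<II", data, 0x08)
    if valid == b"DUMP":          # 32-bit header: every field is a ULONG
        machine, ncpu, code, p1, p2, p3, p4 = struct.unpack_from("<7I", data, 0x20)
        bits = 32
    elif valid == b"DU64":        # 64-bit header: parameters are ULONG64 at 0x40
        machine, ncpu, code = struct.unpack_from("<III", data, 0x30)
        p1, p2, p3, p4 = struct.unpack_from("<4Q", data, 0x40)
        bits = 64
    else:
        raise ValueError("unknown ValidDump tag %r" % valid)
    return {
        "bits": bits,
        "version": (major, minor),           # e.g. (15, 2600) for XP SP3
        "machine": machine,
        "processors": ncpu,
        "bugcheck_code": code,
        "bugcheck_name": bugcheck_name(code),
        "parameters": (p1, p2, p3, p4),
    }


def make_dump_header(bits, major, minor, ncpu, code, params):
    """Build a header with only the fields parse_dump_header reads filled in
    (the real header occupies a full 4 KiB page and holds much more)."""
    hdr = bytearray(0x1000)
    hdr[0:4] = b"PAGE"
    struct.pack_into("<II", hdr, 0x08, major, minor)
    if bits == 32:
        hdr[4:8] = b"DUMP"
        struct.pack_into("<7I", hdr, 0x20, IMAGE_FILE_MACHINE_I386, ncpu, code, *params)
    else:
        hdr[4:8] = b"DU64"
        struct.pack_into("<III", hdr, 0x30, IMAGE_FILE_MACHINE_AMD64, ncpu, code)
        struct.pack_into("<4Q", hdr, 0x40, *params)
    return bytes(hdr)


# Constructed stand-in for Mini021514-02.dmp, using the values BlueScreenView
# printed above (the original file is not available).
SAMPLE_MINIDUMP = make_dump_header(
    32, 15, 2600, 4, 0x100000EA, (0x89075750, 0x89941E18, 0xB3BB2CBC, 0x00000001))


if __name__ == "__main__":
    info = parse_dump_header(SAMPLE_MINIDUMP)
    print("Bug Check Code: 0x%08x (%s)" % (info["bugcheck_code"], info["bugcheck_name"]))
    print("Parameters:", ", ".join("0x%08x" % p for p in info["parameters"]))
    print("Build: %d.%d, %d CPUs, %d-bit" % (info["version"] + (info["processors"], info["bits"])))
    # STOP line from the PAGE_FAULT_IN_NONPAGED_AREA example earlier in this section
    code = normalize_stop_code("Stop: 0x00000050 (0xFF5AFFF8, 0x00000000, 0x80544A9D, 0x00000000)")
    print("STOP 0x%X -> %s" % (code, bugcheck_name(code)))
```

On a real machine, `parse_dump_header(open(r"C:\Windows\Minidump\Mini021514-02.dmp", "rb").read(0x1000))` returns the same fields. The "Caused By Driver" name is not in the header: it comes from the loaded module list and the crashing thread's stack further into the dump, which is why BlueScreenView or WinDbg is still needed for that field.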


The Event Viewer log:

There are a couple of ways to view these logs. The easiest is the Windows Event Viewer itself (I posted the path above), but it is often more convenient to use a program like VEW (Vino's Event Viewer), which exports the entries as plain text:

Event Viewer logs are definitely the simplest to interpret. You will find plenty of information: a failed update, an antivirus blocked by malware, and so on. In the following example we'll look at the case of Internet Explorer that does not start:

"Error-8:38:53 am 2/4/2014 | Computer Name = YOUR-6194D6D7F5 | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module hungapp, version 0.0.0.0, hang address 0x00000000."


This can happen occasionally, but if it happens often it is usually caused by an IE add-on (extension) that makes the browser hang. Event Viewer matters after we have analyzed the BSOD codes and minidump files: use it to learn more about the causes and to make sure there are no other problems.
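The hang entry above is easy to read on its own, but a log exported by VEW can contain hundreds of entries. The following Python script is an added example (not from the original guide or from VEW's author) that parses text in the layout shown above, counts which applications hang repeatedly, pulls the bug check code, parameters and dump path out of the record Windows writes to the System log after a crash (event ID 1001, source "Save Dump" on XP and "BugCheck" on Vista and later), and lists the entries recorded close to a given minidump Crash Time so the two logs can be matched up. The log lines are constructed here following the format of the entry above; the Save Dump entry is constructed to match the shape of that event and is not a real record.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed VEW-style export, following the layout of the entry quoted above.
SAMPLE_VEW_LOG = r"""
Error-8:38:53 am 2/4/2014 | Computer Name = YOUR-6194D6D7F5 | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module hungapp, version 0.0.0.0, hang address 0x00000000.
Error-9:12:07 am 2/4/2014 | Computer Name = YOUR-6194D6D7F5 | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module hungapp, version 0.0.0.0, hang address 0x00000000.
Information-5:58:10 pm 2/15/2014 | Computer Name = YOUR-6194D6D7F5 | Source = Save Dump | ID = 1001
Description = The computer has rebooted from a bugcheck.  The bugcheck was: 0x100000ea (0x89075750, 0x89941e18, 0xb3bb2cbc, 0x00000001). A dump was saved in: C:\WINDOWS\Minidump\Mini021514-02.dmp.
Error-6:01:30 pm 2/15/2014 | Computer Name = YOUR-6194D6D7F5 | Source = Application Hang | ID = 1002
Description = Hanging application explorer.exe, version 6.0.2900.5512, hang module hungapp, version 0.0.0.0, hang address 0x00000000.
"""

# One header line per event: "<Level>-<time> | Computer Name = ... | Source = ... | ID = <n>"
HEADER_RE = re.compile(
    r"^(?P<level>\w+)-(?P<time>\d{1,2}:\d{2}:\d{2} [ap]m \d{1,2}/\d{1,2}/\d{4})"
    r" \| Computer Name = (?P<computer>.*?) \| Source = (?P<source>.*?) \| ID = (?P<id>\d+)$")
BUGCHECK_RE = re.compile(
    r"bugcheck was: (0x[0-9a-fA-F]+) \(([^)]*)\).*?A dump was saved in: (\S+?)\.?$")
HANG_RE = re.compile(r"Hanging application (\S+?),")


def parse_vew_log(text):
    """Turn a VEW text export into a list of dicts; wrapped description lines
    (as in the quoted entry above) are glued back onto the current event."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["id"] = int(ev["id"])
            ev["time"] = datetime.strptime(ev["time"], "%I:%M:%S %p %m/%d/%Y")
            ev["description"] = ""
            events.append(ev)
        elif events:
            if line.startswith("Description = "):
                line = line[len("Description = "):]
            events[-1]["description"] = (events[-1]["description"] + " " + line).strip()
    return events


def hang_counts(events):
    """How often each application hung (Application Hang, event ID 1002)."""
    counts = Counter()
    for ev in events:
        if ev["id"] == 1002 and ev["source"] == "Application Hang":
            m = HANG_RE.search(ev["description"])
            if m:
                counts[m.group(1)] += 1
    return counts


def bugcheck_events(events):
    """Crash records Windows writes after the reboot (ID 1001, Save Dump / BugCheck)."""
    found = []
    for ev in events:
        if ev["id"] == 1001 and ev["source"] in ("Save Dump", "BugCheck"):
            m = BUGCHECK_RE.search(ev["description"])
            if m:
                params = tuple(int(p, 16) for p in m.group(2).split(", "))
                found.append({"time": ev["time"], "code": int(m.group(1), 16),
                              "parameters": params, "dump": m.group(3)})
    return found


def events_near(events, when, minutes=10):
    """Entries recorded within +/- minutes of a minidump's Crash Time, which may
    be given as a datetime or in BlueScreenView's 'M/D/YYYY HH:MM:SS' form."""
    if isinstance(when, str):
        when = datetime.strptime(when, "%m/%d/%Y %H:%M:%S")
    window = timedelta(minutes=minutes)
    return [ev for ev in events if abs(ev["time"] - when) <= window]


if __name__ == "__main__":
    events = parse_vew_log(SAMPLE_VEW_LOG)
    for app, n in hang_counts(events).most_common():
        print("%-15s hung %d time(s)" % (app, n))
    for bc in bugcheck_events(events):
        print("%s bugcheck 0x%08x params %s dump %s" % (
            bc["time"], bc["code"],
            ", ".join("0x%08x" % p for p in bc["parameters"]), bc["dump"]))
    # Crash Time from the BlueScreenView output above
    for ev in events_near(events, "2/15/2014 17:56:46"):
        print(ev["time"], ev["source"], ev["id"], ev["description"][:60])
```

The bug check code and parameters recovered from the 1001 event should match what BlueScreenView shows for the dump named in the same record; when they do not, you are looking at a different crash, which is exactly the mix-up the Crash Time field is meant to prevent.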


3. Solutions

Now that we have collected all the data, let's try to fix the BSOD.

-run a scan with your antivirus to remove malware;
-run the command sfc /scannow from an elevated command prompt;
-run a check disk with chkdsk /r (the /r switch implies /f; on the system drive it is scheduled for the next reboot);
-repair Windows with the recovery DVD;
-remove any recent hardware change.


These steps should fix most problems; if not, let's move on to something more difficult:


-run the free hardware diagnostics made available by the manufacturer of your PC, including a memory test (the description of 0x50 above lists defective memory as a cause);
-make sure that the drivers and BIOS are up to date. Updating the BIOS means flashing firmware and must be done with great caution;
-if you have updated a driver and it causes problems, roll back to the previous driver. It is better to create a restore point every time you perform a major update;
-open the case of your PC and check that all components are firmly seated;
-before buying hardware components, make sure they are compatible with the PC you install them in;
-check the most recently installed programs.



This step may be difficult for users without experience and should be done very carefully.


4. Returning to the Logs

It is important to know whether the creation of the dump file is enabled; if it is not:

Enable Minidump:

-Start
-Computer -> Properties
-Advanced system settings
-Startup and Recovery -> Settings
-System failure
-Tick "Write an event to the system event log"
-Untick "Automatically restart"
-Write debugging information: "Small memory dump"
-Small dump directory: %SystemRoot%\Minidump


Confirm everything and restart your PC. Now, with logs enabled, it will be easier to analyze the crash or to ask for help.
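The dialog steps above write a handful of values under the CrashControl registry key, which is also the quickest way to check the setting on a machine that is not in front of you. The following Python script is an added example, not from the original guide: it audits a snapshot of those values (taken here as a plain dict; on Windows the same data comes from `reg query` or the winreg module), reports anything that would leave you without a readable STOP code or a dump, and renders the corrected settings as a .reg file, with MinidumpDir written as REG_EXPAND_SZ so that %SystemRoot% still expands. The value names and meanings are Microsoft's; the weak snapshot used in the demo is constructed.

```python
CRASH_CONTROL_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl"

# CrashDumpEnabled values (the "Write debugging information" drop-down).
DUMP_TYPES = {
    0: "(none)",
    1: "Complete memory dump",
    2: "Kernel memory dump",
    3: "Small memory dump",
    7: "Automatic memory dump",   # Windows 8 and later
}

# What the steps in section 4 set.
RECOMMENDED = {
    "CrashDumpEnabled": 3,                  # Small memory dump
    "AutoReboot": 0,                        # "Automatically restart" unticked
    "LogEvent": 1,                          # "Write an event to the system event log"
    "MinidumpDir": r"%SystemRoot%\Minidump",
}


def audit_crash_control(values):
    """Return a list of (value name, current, recommended, why) for settings
    that would stop you reading the STOP code or getting a minidump.
    Missing values are treated as the Windows defaults (AutoReboot on,
    LogEvent on, MinidumpDir = %SystemRoot%\\Minidump)."""
    findings = []
    dump = values.get("CrashDumpEnabled", 0)
    if dump == 0:
        findings.append(("CrashDumpEnabled", dump, 3,
                         "no dump is written on a STOP error, so there is nothing to analyse"))
    elif dump not in DUMP_TYPES:
        findings.append(("CrashDumpEnabled", dump, 3, "unknown dump type"))
    auto = values.get("AutoReboot", 1)
    if auto != 0:
        findings.append(("AutoReboot", auto, 0,
                         "the PC reboots before the STOP message can be written down"))
    log = values.get("LogEvent", 1)
    if log != 1:
        findings.append(("LogEvent", log, 1,
                         "no event ID 1001 record in the System log after the crash"))
    mdir = values.get("MinidumpDir", RECOMMENDED["MinidumpDir"])
    if dump == 3 and mdir.lower() != RECOMMENDED["MinidumpDir"].lower():
        findings.append(("MinidumpDir", mdir, RECOMMENDED["MinidumpDir"],
                         "minidumps are saved somewhere other than C:\\Windows\\Minidump"))
    return findings


def _reg_expand_sz(text):
    """Encode a string as hex(2) (REG_EXPAND_SZ: UTF-16LE, NUL-terminated) for a .reg file."""
    raw = (text + "\0").encode("utf-16-le")
    return "hex(2):" + ",".join("%02x" % b for b in raw)


def render_reg(values=RECOMMENDED):
    """Write the settings as a .reg file that 'regedit /s file.reg' can import."""
    lines = ["Windows Registry Editor Version 5.00", "", "[%s]" % CRASH_CONTROL_KEY]
    for name, value in values.items():
        if isinstance(value, int):
            lines.append('"%s"=dword:%08x' % (name, value))
        else:
            lines.append('"%s"=%s' % (name, _reg_expand_sz(value)))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed snapshot: logging on, but no dump and automatic restart.
    weak = {"CrashDumpEnabled": 0, "AutoReboot": 1, "LogEvent": 1}
    for name, current, wanted, why in audit_crash_control(weak):
        print("%s = %r (want %r): %s" % (name, current, wanted, why))
    print(render_reg())
```

A reboot is needed after importing the .reg file, just as after changing the dialog. On Windows the snapshot for `audit_crash_control` can be read with `winreg.QueryValueEx` on the CrashControl key; the audit itself is deliberately platform-independent so it can run against values collected from many machines.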


5. Conclusion


Links to help:


STOP codes: http://aumha.org/a/stop.htm

BlueScreenView download links and instructions for use: http://www.nirsoft.net/utils/blue_screen_view.html


WhoCrashed download: http://www.majorgeeks.com/files/details/whocrashed_free_home_edition.html



I hope I have listed at least the most important information needed to interpret and correct the errors that may cause a BSOD.
Sorry for any errors or inaccuracies :D

Regards :)
 
