If you’ve been getting a lot of BSOD (Blue Screen Of Death) in Windows XP, the Windows debugging tools can help you find out what’s wrong with your computer. In this guide, we’ll walk you through what you need to do to analyze the minidump files that DrWatson leaves behind when Windows crashes.
First, you need to turn on debugging information in Windows. Right click on My Computer, select Properties, and click on the Advanced tab, and click on the Settings button under Startup and Recovery. You’ll see a screen like this:
You want to have the “Small Memory Dump” and “Small dump directory” fields filled in. If they’re already setup that way, great. If not, change them, restart, and wait for a BSOD stop error to occur so that you can investigate the problem.
Second, now that you have the memory dump files in C:\WINDOWS\Minidump\Mini???????-??.dmp, you need software from Microsoft to read and interpret them. Download:
Second, now that you have the memory dump files in C:\WINDOWS\Minidump\Mini???????-??.dmp, you need software from Microsoft to read and interpret them. Download:
- WinDbg – A windows debugger
- d -z Mini062808-01.dmpMicrosoft (R) Windows Debugger Version 6.9.0003.113 X86Copyright (c) Microsoft Corporation. All rights reserved.Loading Dump File [Mini062808-01.dmp]Mini Kernel Dump File: Only registers and stack trace are availableSymbol search path is: *** Invalid ******************************************************************************** Symbol loading may be unreliable without a symbol search path. ** Use .symfix to have the debugger choose a symbol path. ** After setting your symbol path, use .reload to refresh symbol locations. *****************************************************************************Executable search path is:********************************************************************** Symbols can not be loaded because symbol path is not initialized. ** ** The Symbol Path can be set by: ** using the _NT_SYMBOL_PATH environment variable. ** using the -y argument when starting the debugger. ** using .sympath and .sympath+ **********************************************************************Unable to load image ntoskrnl.exe, Win32 error 0n2*** WARNING: Unable to verify timestamp for ntoskrnl.exe*** ERROR: Module load completed but symbols could not be loaded for ntoskrnl.exeWindows XP Kernel Version 2600 (Service Pack 2) UP Free x86 compatibleProduct: WinNt, suite: TerminalServer SingleUserTS PersonalKernel base = 0×804d8000 PsLoadedModuleList = 0×8055b620Debug session time: Sat Jun 28 22:05:53.137 2008 (GMT-4)System Uptime: 0 days 4:01:15.706
This error can be fixed by installing the Windows XP SP2 symbols pack above, or another Microsoft symbols pack.
Third, open up WinDbg by clicking Start, Programs, Debugging Tools for Windows (x86), and then WinDbg. You need to set the symbol path to wherever you installed the Windows symbols in the last step. You can do this from File then Symbol File Path, where you want to paste SRV*c:\windows\symbols*http://msdl.microsoft.com/download/symbols:
Finally, you just need to open a dump file from File, Open Crash Dump, and at the prompt type !analyze -v. You’ll then see output like the following:
- !analyze -v******************************************************************************** ** Bugcheck Analysis ** ********************************************************************************IRQL_NOT_LESS_OR_EQUAL (a)An attempt was made to access a pageable (or completely invalid) address at an interrupt request level (IRQL) that is too high. This is usually caused by drivers using improper addresses. If a kernel debugger is available get the stack backtrace.Arguments:Arg1: f78ab980, memory referencedArg2: 00000002, IRQLArg3: 00000001, bitfield :bit 0 : value 0 = read operation, 1 = write operationbit 3 : value 0 = not an execute operation, 1 = execute operation (only on chips which support this level of status)Arg4: 804dab68, address which referenced memoryDebugging Details:——————WRITE_ADDRESS: f78ab980CURRENT_IRQL: 2FAULTING_IP:nt!memcpy+130804dab68 89448ffc mov dword ptr [edi+ecx*4-4],eaxCUSTOMER_CRASH_COUNT: 1DEFAULT_BUCKET_ID: DRIVER_FAULTBUGCHECK_STR: 0xAPROCESS_NAME: iexplore.exeLAST_CONTROL_TRANSFER: from b0d2a3be to 804dab68STACK_TEXT:f78a9dc4 b0d2a3be f78ab980 8a1f8107 00000006 nt!memcpy+0×130WARNING: Stack unwind information not available. Following frames may be wrong.f78aa29c b0d2a640 8a204000 8a1f8008 8a1f800e w70n51+0×2a3bef78aac00 b0d0b11a 8a204000 89cd6fd8 89cd628c w70n51+0×2a640f78aae30 b0d20abe 89cd6000 f78aae44 8a01c3a0 w70n51+0xb11af78aae4c b0d1d037 89cd6000 89b7e000 00000001 w70n51+0×20abef78aaf3c b0d1c77b 8a060658 89f328d0 f78aaf84 w70n51+0×1d037f78aaf90 b0d1dcf6 89cd6000 f78aafab f78aafd0 w70n51+0×1c77bf78aafac b0d1de4b 89cd6000 f78aafd0 f7445f09 w70n51+0×1dcf6f78aafb8 f7445f09 89cd6000 8a127528 8a12778c w70n51+0×1de4bf78aafd0 804dcbd4 89cd62a0 89cd628c 00000000 NDIS!ndisMDpcX+0×21f78aaff4 804dc89e b11bfd54 00000000 00000000 nt!KiRetireDpcList+0×46f78aaff8 b11bfd54 00000000 00000000 00000000 nt!KiDispatchInterrupt+0×2a804dc89e 00000000 00000009 bb835675 00000128 0xb11bfd54STACK_COMMAND: kbFOLLOWUP_IP:w70n51+2a3beb0d2a3be ?? ???SYMBOL_STACK_INDEX: 1SYMBOL_NAME: w70n51+2a3beFOLLOWUP_NAME: MachineOwnerMODULE_NAME: w70n51IMAGE_NAME: w70n51.sysDEBUG_FLR_IMAGE_TIMESTAMP: 3ee71b51FAILURE_BUCKET_ID: 0xA_W_w70n51+2a3beBUCKET_ID: 0xA_W_w70n51+2a3beFollowup: MachineOwner———
In this particular case, we’re debugging a Dell Inspiron 5150 which has been recently having sporadic hard crashes. The bluescreen message it got, Stop 0×0000000A or IRQL_NOT_LESS_OR_EQUAL, is almost always an indication of a driver error. Googling for w70n51.sys (from the crash dump) shows it to be Intel PRO/Wireless LAN 2100 3B Mini PCI adapter software, which should be updated to resolve the bluescreens.
About the Author
0 comments:
Please no spam! Remove comment!