How To Receive Help Diagnosing Blue Screens and Windows Crashes Part 1

Discussion in 'Windows OS's' started by Jan Benedict, Dec 18, 2012.

  1. Jan Benedict

    A memory dump is what happens when Windows crashes. The memory is dumped into the pagefile and saved for the next reboot. Once Windows reboots, it reclaims the memory dump data from the pagefile and saves it to a file, which usually ends with the .dmp extension. Analyzing these dump files can help to figure out what's causing your system to crash. While they don't offer a "sure" fix, they provide clues to the cause of a crash so that we can work on fixing them. In my experience most system crashes are caused by faulty/corrupted drivers, malware, or hardware failures (in that order). Following the steps below will help us determine what may be causing your computer to Blue Screen, or crash.

    1. The first thing to do when your system crashes is to reboot. Doing so will create the memory dump file so it's able to be accessed. Windows may also ask permission to send the file for online analysis. I suggest that you always allow it to be sent. Most times you won't get anything back, but occasionally it will point out the problem and save you a lot of work trying to determine it on your own. Also, quite often the first crash is the only crash as Windows will fix the problem when it reboots, so there's no need to worry unless Windows crashes repeatedly.

    2. The next thing to do is to ensure that you are free of malware. If malware is present on your computer, it may have corrupted your installation, and be the cause of your crashes. I suggest you perform a total system scan using your anti-virus, or use online scanners. Make sure your anti-virus is updated.
    Some online scans:
    http://housecall.trendmicro.com
    http://www.pandasecurity.com/homeusers/solutions/activescan/
    http://www.kaspersky.com/virusscanner Scan Only - no removal
    http://www.bitdefender.com/scan8/ie.html
    http://support.f-secure.com/enu/home/ols.shtml
    http://us.mcafee.com/root/mfs/default.asp
    http://onlinescan.avast.com/
    http://ca.com/us/securityadvisor/virusinfo/scan.aspx
    http://www.eset.com/onlinescan/
    Note: Some or any of the above listed scanners will pick up items listed as "in quarantine" from other anti-virus programs. Therefore, review your results carefully.

    3. Once you have completed an online scan, or two, please search your hard drive for files ending with the .dmp extension. There are several types of memory dumps that Windows may create. These are distinguished below:
    • A complete memory dump or a kernel memory dump, which is usually saved in the C:\Windows directory and named MEMORY.DMP.
    • A small memory dump, aka a minidump, which is usually saved in the C:\Windows\Minidump directory. These are named Miniwwxxyy-zz.dmp, where the ww is the number of the month, the xx is the number of the day, the yy is the number of the year, and the zz is the number of the crash dump that day. For example, a minidump with the name of Mini070108-03.dmp is the 3rd minidump generated on July 1, 2008.
    On some systems the directories where the dump files are stored are protected by being Hidden and System files.

    To show Hidden and System files in Windows Explorer, click on the Start button, then select All Programs, then select Accessories, and finally select Windows Explorer.
    • Once opened, select the Tools menu and then select the File Options menu item. In Vista you may have to press and hold the Alt key to view this menu.
    • Then go to the View tab, check the box labeled Show Hidden Files and Folders, and uncheck Hide Protected Operating System Files.
    • You will now be at a dialog that asks you if you're sure you want to do this. Click on the Yes button to allow the change to take place.
    • Then click the OK buttons at the prompts to exit the dialog. You will now be able to view hidden and system directories.
    Warning: These files are hidden for a reason and messing with some of them may cause problems with your system.

    4. Once you've located the memory dump file(s), then you'll have to get a debugger to analyze them. The one that I'm familiar with is the free Microsoft Debugging Tools for Windows. Download the version, 32 or 64 bit, that's appropriate for the operating system that you'll be running the debugger on. The debugger can be found at the following link: Debugging Tools for Windows

    Once it's downloaded, double click on it to install it. Once it's installed, open the debugger by doing the following:
    • Click on the Start Menu.
    • Click on the All Programs menu.
    • Select the Debugging Tools for Windows program folder.
    • Click on the WinDbg icon to start the program.
    Once you've opened the program, click on the File menu item, then on Symbol File Path.

    5. In the window that opens, insert the exact text on the next line in the Symbol File Path box. This is a critical step, and if done incorrectly you'll end up with symbol errors:

    SRV*c:\symbols*http://msdl.microsoft.com/download/symbols

    The easiest thing to do is copy the above bolded text and then paste it into the box. Once that is done, click on OK to exit the dialog. Next, click on File menu and then select the Save Workspace menu option. This will save the symbol path for future use.

    Note: You MUST be connected to the internet in order to use the Symbol server listed above.

    Part 2
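
    The dump search and the Miniwwxxyy-zz.dmp naming scheme from step 3, as an added PowerShell example that is not part of the original post. The function name ConvertFrom-MinidumpName is hypothetical, two-digit years are assumed to mean 20yy, and C:\Windows is assumed to be %SystemRoot%.

```powershell
# Added example, not from the original post. ConvertFrom-MinidumpName is a
# hypothetical helper name.
function ConvertFrom-MinidumpName {
    param([Parameter(Mandatory)][string]$Name)

    # Miniwwxxyy-zz.dmp: ww = month, xx = day, yy = year, zz = crash number that day
    if (-not ($Name -match '^Mini(\d{2})(\d{2})(\d{2})-(\d{2})\.dmp$')) {
        return $null                      # e.g. MEMORY.DMP carries no date
    }
    $mm = $Matches[1]; $dd = $Matches[2]; $yy = $Matches[3]; $zz = $Matches[4]

    # Assumption: two-digit years mean 20yy. TryParseExact rejects impossible
    # dates (month 13, day 32) instead of silently rolling them over.
    $date = [datetime]::MinValue
    $ok = [datetime]::TryParseExact("$mm$dd" + "20$yy", 'MMddyyyy',
        [cultureinfo]::InvariantCulture,
        [System.Globalization.DateTimeStyles]::None, [ref]$date)
    if (-not $ok) { return $null }

    [pscustomobject]@{
        Name      = $Name
        CrashDate = $date.ToString('yyyy-MM-dd')
        Sequence  = [int]$zz
    }
}

# Locations named in step 3 (assumption: C:\Windows is %SystemRoot%).
# -Force makes Get-ChildItem return Hidden and System files too.
$paths  = "$env:SystemRoot\Minidump\*.dmp", "$env:SystemRoot\MEMORY.DMP"
$onDisk = Get-ChildItem -Path $paths -Force -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty Name

# Constructed sample names, so the decoder can be seen working on a machine
# with no dumps; the first one is the example given in the post.
$samples = 'Mini070108-03.dmp', 'Mini121812-01.dmp', 'Mini133208-01.dmp', 'MEMORY.DMP'

foreach ($name in @($onDisk) + $samples) {
    $info = ConvertFrom-MinidumpName -Name $name
    if (-not $info) {
        # Name does not follow the scheme or encodes an impossible date
        $info = [pscustomobject]@{ Name = $name; CrashDate = $null; Sequence = $null }
    }
    $info
}
```

    Run it from an elevated PowerShell prompt if the Minidump directory is not readable by your account.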
     