In this episode of Defrag Tools, Chad Beeder and Larry Larsen discuss analyzing kernel mode bugchecks (colloquially known as Blue Screens of Death) using WinDbg from the Debugging Tools For Windows.

We use these commands:

!analyze -v

.hh

.trap

!pte

!process

!thread

.formats

.process

.thread

k

~

.reload

Make sure you watch Defrag Tools Episode #1 for instructions on how to get the Debugging Tools for Windows and how to set the environment variables required for symbol and source code resolution.

Resources:

Debugging Tools for Windows

How to generate a kernel or a complete memory dump file in Windows Server 2008 and Windows Server 2008 R2

Windows Internals book tools (including NotMyFault)

Timeline:

[00:50] - What is a bugcheck (blue screen)?

[03:23] - Different types of memory dump files (complete, kernel-only, mini)

[05:16] - Windows Error Reporting

[07:17] - Configuring your system for a memory dump

[07:54] - Enabling the "Complete memory dump" option on Windows 7 and Server 2008 R2; see KB 969028

[10:45] - Looking at a 32-bit memory dump created by NotMyFault

[12:04] - Symbol path

[13:21] - Step 1 is always: !analyze -v

[15:40] - Looking up bug check descriptions - Windows Debugger Help (.hh)

[19:45] - Looking at the trap frame (.trap)

[20:18] - Why did a memory access fail? (Using the !pte command to inspect virtual memory mappings)

[22:15] - What is a trap frame? (64-bit systems do not store all registers in trap frames; see blog post here)

[26:50] - Showing all running processes with !process 0 0

[28:48] - Viewing more details on a specific process with !process

[31:43] - Converting between numerical formats with .formats

[32:55] - Switching the debugger into a process or thread context with .process or .thread

[35:10] - Switching between CPUs (~ command)

[38:13] - Next week: Driver Verifier