Windows IT Pro is the leading independent community for IT professionals deploying Microsoft Windows server and client applications and technologies.
  
  
  Advanced Search 


June 1997

The Blue Screen of Death


From the June 1997 Edition
of Windows IT Pro
Mark T. Edmead
Feature
InstantDoc #502
Windows IT Pro
Email this Article
Printer Friendly
Reader Comments
Digg This
Del.icio.us
RSS
Subscribe to Windows IT Pro | See More Internals and Architecture Articles Here | Reprints | Or get the Monthly Online Pass—only $5.95 a month!

Another useful utility is dumpexam.exe, which converts the memory file into a readable text file. You need three files to run dumpexam: dumpexam.exe, imagehlp.dll, and for the Intel platform, kdextx86.dll (the third file depends on the platform). The three files must be in the same directory. You can find them on the CD-ROM of the NT Server or the NT Workstation CD-ROM in the directory \support\debug\<platform>, where platform is i386, alpha, mips, or ppc.

The noninteractive debugging method is ideal for users who don't want to debug the driver, but just want to figure out which one is at fault. To run dumpexam, you need to load the symbol files, which contain NT system debugging information. Make sure that the symbol files are for the version of NT you're running, including any installed service packs. For the Intel version of NT, the symbol files are in the \support\debug\i386\symbols directory on the NT resource kits' CD-ROMs

Figure 2 shows the syntax for dumpexam. For example, if you want to analyze a dump file for a computer with NT Workstation 4.0, the symbols are in the directory d:\symbols. The dump file, server.dmp, is in the directory d:\dump. The command line reads

dumpexam -y d:\symbols d:\dump\server.dmp

The results of the exam will be in %SystemRoot%\MEMORY.TXT.

Interactive debugging. The other method of debugging is interactive debugging. Device driver developers, rather than systems administrators, usually prefer interactive debugging because the process requires extensive knowledge of NT internals.

Interactive debugging requires you to have another PC (a host machine) with NT installed and to run the kernel debugger on the host machine. It must be running the same version of NT as the target machine. The host machine must be connected to the problem computer via a modem or null cable connection.

Is the System Safe?
Can you safely use the system after a kernel STOP error? The answer depends on whether you can isolate what caused the problem. I've seen cases where the error condition happens once, never to repeat again. In other cases, however, the error occurs after the user has installed or updated a driver. In this case, you need to remove the driver and start over. When you get the kernel STOP error, reboot the system, and hit the space bar when you see the Last Known Good text. This action starts NT with the last known working configuration, without the offending driver. The option of reverting to the last known working configuration reinforces the wisdom of installing one driver at a time and making sure that the driver works before you install another driver. If the driver doesn't work correctly, you can revert to the previous working configuration. If you install two or more drivers at the same time and one of them causes a problem, you will have trouble determining which driver caused the problem.

If the problem is not related to a driver, look at new system hardware, such as a new controller card. To determine whether a controller card is the problem, remove the card and test the system again. If the problem goes away, check whether the card (or any new hardware you add to your system) is in the Microsoft Hardware Compatibility List (HCL). TechNet and Microsoft's Web site (http://www.microsoft.com) have an up-to-date list.

The Bottom Line
I hope that, after reading this article, the blue screen won't intimidate you. Using the techniques I've explained, you can find out, in general, why you got the screen and perhaps tell specifically what caused the problem. If you aren't a device driver developer and don't want to deal with interactive system debugging, noninteractive is the way to go. Your goal is to get your system up and running as fast as possible. Isolating the problem is the first step. For additional resources, see the sidebar, "Other Sources of Help."

Other Sources of Help
Microsoft TechNet CD-ROMs
contain the Microsoft Knowledge Base (the same library that Microsoft Product Support Specialists use), resource kits, and educational materials.

Microsoft Network (MSN) and CompuServe
have several Microsoft forums where you can post questions and obtain answers.

Microsoft Download Library (MSDL)
is an electronic bulletin board system (BBS) from which you can download drivers and other software. The phone number for MSDL is 206-936-6735.

Microsoft Web Site (http://www.microsoft.com)
contains product information, drivers, service packs, and more.

As the article notes, if the problem driver is a Microsoft driver, you can send the dump file to Microsoft for analysis. If the driver is from a third-party manufacturer, you can send the memory file to that manufacturer.

End of Article

   Previous  1  2  [3]  Next  


Reader Comments
I was excited to see Mark T. Edmead’s “The Blue Screen of Death” in your June issue. As a consulting partner in a firm that works on nothing but NT internals, I figure a lot of our clients can learn from an article on NT’s infamous blue screen of death.<br>
The only problem is that much of what they’ll learn from this article is wrong. The article is absolutely rife with technical errors. For example, the second sentence in the section headed “What Does This Weird Screen Mean?” reads, “The kernel STOP may mean that a kernel driver ... has illegally accessed the privileged kernel area.” This statement is very close to meaningless, and any meaning I can attach to it is wrong. Kernel drivers are privileged (i.e., they run in kernel mode) and have full access to the kernel area.<br>
Another example? Let’s take Table 1: Kernel Mode Error Conditions. The first entry for IRQL_NOT_LESS_OR_EQUAL tells the reader, “A process attempted to access pageable memory at a process internal request level (IRQL) that was too high.” That statement is one reason for getting this error. But it’s not the reason.<br>
The text continues, “A process can access only objects that have priorities (IRQL) equal to or lower than its own.” This statement is nonsense. Objects don’t have IRQLs. IRQLs are not typically associated with processes (with one exception). The IRQL indicates the CPU state at any point in time, relative to that CPU’s interruptability, preemptability, and dispatchability. That is, the IRQL identifies which devices can interrupt the CPU, whether at the end of a quantum the current thread will be rescheduled, and whether any scheduling operations at all are allowable.<br>
Yikes! I found plenty of other technical problems in the article, too.<br>
I’ve spent lots of time reading blue screens and debugging drivers, so I recognized the problems with this article. How many of your readers can say the same? <br>
--Peter G. Viscarola<br><br>

<i>Thanks, Peter, for pointing out these problems. We’ll be very careful not to let such errors slip by in the future, and we apologize for any inconvenience these errors may have caused anyone.<br>
--Karen Forster</i>

Peter G. Viscarola August 13, 1999

I am looking forward to reading the Blue Screen of Death article because I am having a problem with the KERNEL and DLL. At quick glance I see the article refers to this problem in connection with using Windows NT. I am not using Windows NT and am using Windows ME 2000 on something called an etower by a company called emachines. I will read the article and try to understand it before I start screaming for more help! I've been using a computer and the Internet for several years but still have trouble learning what I need to know to keep it working in good order. I do appreciate the Windows&.Net Magazine and really appreciate the response I receive from you tech support person. With this site on my "favorites" I hope to slowly gain some of the knowledge I need. Thanks. RA

Ru Aaronson May 16, 2002

I have done all the steps mentioned and obtained memory.txt but the file is of 0MB but the actuall user.dmp is of 4MB size. I need this user.dmp fiel in readable format.Pls guide me ..
Thanx in Advance
kmk

kmk10 May 09, 2005 (Article Rating: )

You must be a registered user or online subscriber to comment on this article. Please log on before posting a comment. Are you a new visitor? Register now




Top Viewed ArticlesView all articles
2009 Windows IT Pro Editors' Best and Community Choice Awards

Picking a favorite product from an impressive crowd of competitive offerings is never an easy task, and such was the case with our Editors' Best and Community Choice awards this year. ...

Is Microsoft Just Like IBM?

Microsoft has defined the way we do business from a technology perspective for years. But with a younger generation that lives in the clouds, is Microsoft's recent progress in cloud computing too little, too late? ...

Microsoft, News Corp. Discuss Locking Out Google

Microsoft and Rupert Murdoch's News Corp. recently discussed an alliance that would counter Google's fledgling online news service. ...
Windows OSs Whitepapers Protecting Microsoft SharePoint
Related Events Windows Internals with Sysinternals Webinar

Deep Dive into Windows Server 2008 R2 presented by John Savill

Check out our list of Free Email Newsletters!
Windows OSs eBooks Understanding and Leveraging Code Signing Technologies

A Guide to Windows Certification and Public Keys

SQL Server Administration for Oracle DBAs
Related Windows OSs Resources Introducing Left-Brain.com, the online IT bookstore
Looking for books, CDs, toolkits, eBooks? Prime your mind at Left-Brain.com

Discover Windows IT Pro eLearning Series!
Clear & detailed technical information and helpful how-to's, all in our trademark no-nonsense format


ADS BY GOOGLE

Job Openings in IT SPONSORED LINKS FEATURED LINKS
Calculate your savings now
See how SAN is 57% cheaper than DAS over three years

Free CDs Offer Fundamental Content for IT Pros
Are you up to speed on the latest technologies and solutions? Don't miss out on your chance to get up to speed quickly on fundamental, in-depth information on some of the hottest topics in our library of content.

Let Your Users Reset Their Own Passwords: Free Download
Try a 30 day free trial of Desktop Authority Password Self-Service – it provides an easy-to-use, robust system for allowing users to reset their own forgotten passwords or locked accounts.


Exchange Server 2010: Deploying Unified Communications - Virtual conference
December 1, 2009 - Free Registration. Build your Unified Communications future on a strong Exchange Server 2010 foundation.

Get Windows IT Pro & Mark Minasi’s Favorite Power Tools Guide
Order Windows IT Pro now and get "More of Mark Minasi's Favorite Power Tools"--a in-depth guide to the most useful Windows commands --FREE with your paid order! Subscribe today, and save 58% off the cover price!

Migration, Virtualization, Availability, and Desktop Management
Realize the importance of a workload optimization strategy...it can affect your bottom line!

Deep Dive into VMware vSphere, eLearning Series
Join John Savill to explore the major functionality capabilities of the vSphere virtualization platform, including identification of the changes from ESX 3.5.
Windows IT Pro Home Register FAQ for Windows WinInfo News
Europe Edition About Us Contact Us/Customer Service Media Kit Affiliates / Licensing  
SQL Server Magazine Office & SharePoint Pro DevProConnections IT Job Hound
Left-Brain.com Technology Resource Directory asp.netPRO ITTV Windows SuperSite 
 
 Windows IT Pro is a Division of Penton Media Inc.
 © 2009 Penton Media, Inc. Terms of Use | Privacy Statement