Blue Screen analysis
The Blue Screen is the mechanism Windows uses to report serious system-level errors. Once the Blue Screen appears, the Windows system has stopped running, and the desktop environment can only be restored by restarting. For this reason, the Blue Screen is also called the Blue Screen of Death (BSOD).
Through the system's "Startup and Recovery" settings, Windows can automatically dump the system state from memory to a disk file when a system error or crash occurs. Windows defines three types of system dump files.
- Complete memory dump
Contains all the data in physical memory at the time the dump is generated, so the file is usually slightly larger than the physical memory. The default location is %SystemRoot%\MEMORY.DMP.
- Kernel memory dump
Omits the memory pages used by user-mode processes, so the file is much smaller than a complete dump. For a typical Windows XP system the file size is about MB, and the default location is %SystemRoot%\MEMORY.DMP.
- Small memory dump
The file size is 64 KB by default, and the default location is the %SystemRoot%\Minidump folder. The system names each dump file by date and serial number, so multiple small memory dump files can be kept.
The format of the system dump file is not public, so at present the WinDbg debugger is needed to analyze it. After opening the dump file in WinDbg, the simplest analysis method is to run the !analyze -v command, which automatically completes a large part of the analysis work. In most cases !analyze -v alone is enough to determine the cause of the blue screen.
As shown in 21.2.16, a complete !analyze -v output mainly includes the following parts:
- Blue screen stop code description and parameters
Contains the constant name and detailed description of the stop code, and the meaning of each parameter belonging to it.
- Faulting instruction location
Contains the program address, machine code, and corresponding assembly instruction of the code that caused the error.
- Crash classification
A classification code assigned to the crash. It is usually the blue screen stop code, or the stop code plus a sub-class number.
- Trap frame information
Describes the state at the moment of the blue screen exception, including the register values and the error code.
- Stack backtrace
Shows the execution record preserved on the suspect thread's stack, including function calls and transfers caused by interrupts or exceptions. This information is very important for a deep understanding of the cause of a blue screen. For example, from the stack trace in this example we can see that the error occurred in the win32k!SfnINSTRING function and control was then transferred to nt!KiTrap0E+0xcc.
- Basic blue screen information
Includes the module name, image name, follow-up name, and error ID of the code that caused the error, so that error-analysis software can automatically analyze, count, and archive large numbers of dump files.