With a sharp, "Blue face."

--Use WinDbg to fight system crashes

People sometimes have moods, not to mention machines. Windows will sometimes be in the mood with us, small is "application encountered problems need to shut down", may also give you a look at the face. However, this face is not red white, but a "blue face", you have seen it? First, we introduce the following three important questions:

What exactly is a "blue face"?

This refers to what people often call "blue screen", "System Crash" and so on, and foreigners call it BSOD (blue screens of Death). Professionally speaking, this term is defined as "the blue screen that appears when Microsoft Windows crashes or stops executing (due to catastrophic errors or internal conditions that prevent the system from continuing to run)." What we normally call "system crash" or "Kernel error (kernel error)" or "Stop error" is the professional term "bug check."

Two, why must give you "blue face"?

Once the system blue screen crashes, most people will be paralyzed by the idea that Windows is out of control, and that some of the culprit is that Windows or windows are not strong enough to be stable. But, Windows silently petitioners you know? You know, every time a kernel-mode device driver or subsystem throws an illegal exception, Windows faces this tough choice, and while Windows eventually chooses to crash, it doesn't mean it can't ignore the exception and let device drivers or subsystems continue to execute. The reason why Windows chooses to "Die Me" because it does not know if the error can be isolated so that it does not harm other programs and data of the system, or whether the component will return to normal in the future, and Windows understands that this exception is more likely to come from deeper problems, such as the conventional memory damage (general corruption), or because the hardware device is not working properly. Allowing the system to continue running may cause more exceptions, and data stored on disk or other peripherals may also be compromised. Windows realizes that the risk is too great for your program, data security, and integrity to minimize your losses at the first time, and Windows has been so painful to sacrifice ...

Third, how to give "Blue face"?

When the system detects a fatal error that is causing a crash, Windows itself executes the crash function "KeBugCheckEx". The function accepts a stop code, also known as error check code, and four parameters that are interpreted according to the stop code (the legend below). After calling KeBugCheckEx, all interrupts on all processors in the system are masked, and then the system switches the monitor to a low-resolution VGA graphics mode (because this is a common mode supported by all Windows platform graphics), draws a blue background, and then displays this stop code. And it's followed by some key information that helps users diagnose errors. Finally, KeBugCheckEx invokes all registered device driver error checking callback functions (which are registered by calling the Keregisterbugcheckcallback function) to stop these drivers from running the devices they control ( The system data structures have been corrupted so badly that blue screens are not shown.

The following conditions can cause a system blue screen crash:

1. A device driver or operating system function running in kernel mode raises an unhandled exception, such as a memory access violation (caused by an attempt to write a read-only page or an attempt to read a memory address (that is, an invalid address) that is not currently mapped.

2. Calling a kernel support routine results in rescheduling, such as waiting for a scheduled object to be marked as waiting when the interrupt request level (IRQL) is a dpc/dispatch level or a higher level.

3. A page fault (page Fault) occurs when the data exists in the paging file or in a memory-mapped file at the Dpc/dispatch level or higher IRQL level. (This will require the memory manager to wait for an I/O operation to occur.) But as mentioned above, there is no waiting at the dpc/dispatch level or higher IRQL level, because that will require a rescheduling.

4. The device driver or operating system function explicitly requires the system to crash (by calling the system function KeBugCheckEx) when an internal state is detected to indicate that the data has been compromised or that the system cannot continue without the data being compromised.

5, the occurrence of hardware errors, such as the processor's computer check abnormal function (Machine check) reported that there is an exception or the occurrence of a non-shielded interrupt (NMI).

After understanding the above three points, I believe you will appreciate the fearless spirit of windows, and will forgive its "blue face". In fact, in most cases, Third-party device drivers cause Windows to crash. For memory dump files submitted by Windows XP users to Microsoft Online Crash Analytics (Microsoft OCA, Microsoft Online Crash analysis), Microsoft makes a statistical classification of the causes of the crash. As shown in the following illustration: (Data generated in April 2004).

Since Windows exposed us to the helpless "blue face", we should ask why, as soon as possible to trigger the system collapse of the culprit to bring the system to a speedy recovery. Next, let's look at what Windows wants to tell us through this "blue face."

As shown in the figure above, this is a blue screen image showing all the parameters. Of course, we have encountered a blue screen image and it may be different, such as less information, but roughly the same, we take it as an example of a comprehensive exposition.