Sunday, July 15, 2012

BSOD - Reading and Using Windows Dump Files

Let's face it, there is nothing more frustrating than being in the middle of a great game and suddenly getting the dreaded Blue Screen of Death (BSOD), unless it's being in the gunner's seat of a helicopter in BFBC2 when your pilot suddenly loses his internet connection.

We've all been there, some of us more than others. Anyone who owns a Windows computer will see a BSOD at least once. If it happens once and the system recovers, it was probably a one-off hiccup, but if it KEEPS happening, something is wrong and you want to know what.

For many of us the blue screen stays up for 15 - 30 seconds, long enough to read (and write down) the STOP code, but if the machine reboots before you can read it, how do you know what is going on?

Dump Files (dunna nunna nunna nunna)


If you have your system set to record dump files (and it should be), then when Windows crashes it writes the bug check code and parameters, the stack and the list of loaded modules to a dump file. This is wonderful if your blue screen flashes by like someone just snapped your picture, but unfortunately a dump is not a simple .txt file, and extracting information from it requires jumping through a couple of hoops.

First off, let's verify that your system is set to record dump files.

For now this page focuses on Windows Vista / 7; I will come back later and update it for XP.

If you have Vista or Windows 7:

  • Go to Start > Control Panel > System and Security > System
  • From the left-hand task list select Advanced System Settings
  • A box pops up with the Advanced tab selected. Under "Startup and Recovery" click "Settings"
  • Under "System failure", make sure "Write an event to the system log" is checked and that the "Write debugging information" drop-down reads "Kernel memory dump" (a "Small memory dump" is enough for !analyze, but a kernel dump gives the debugger far more to work with)
  • While you are there, uncheck "Automatically restart", so the blue screen stays on screen long enough to read the STOP code
  • Click OK and back out of the Control Panel


Now you're ready for your next BSOD. Unfortunately, if your system was not set up to record memory dumps, you will have to wait until it crashes again to get a dump file, but if it was already set up, we're still in business.

Windows Debugger (WinDbg)

By default (Windows 7) small memory dumps are written to C:\Windows\Minidump\ and kernel or complete dumps to C:\Windows\MEMORY.DMP, so look in both places. Reading them is another matter entirely: you need a tool that actually understands the dump format. There are several options, but we are only going to explore WinDbg at this time.

There are two things you will need here: the Windows debugger and its symbols.

Start by downloading the Windows debugger (Debugging Tools for Windows). I prefer the stand-alone SDK installer but that's up to you.
When installing, you will get a checklist of components to install, all checked by default. You only need the debugger for this, so just uncheck everything else.

Once installed you will need symbols. You can download a symbol package for your operating system, but I prefer to simply give the debugger the address of the Microsoft Symbol Server and let it fetch the symbols that match the modules in the dump. A downloaded package only matches if it was built for your exact OS build and patch level; the symbol server always has the right ones.

To set the symbol path:
  • Go to File > Symbol File Path (or just press Ctrl + S)
  • If you downloaded a symbol package, enter the path to its directory here
  • If you want WinDbg to download symbols for you, type in srv*C:\Symbols*http://msdl.microsoft.com/download/symbols (the srv* syntax tells WinDbg to cache everything it downloads in C:\Symbols so it doesn't fetch the same files again for the next dump)
  • Tick "Reload" in the dialog, or run .reload at the prompt, so the new path takes effect

Now you are ready to open your dump file and find out what is going on with your computer!


Let's read those dump files!


To open the dump file choose File > Open Crash Dump or simply press Ctrl + D.
Navigate to your dump directory (C:\Windows\Minidump\, or C:\Windows\ for MEMORY.DMP) and choose the latest dump file (you will have several if you chose not to overwrite old dump files).
Once it is open WinDbg will chew on it a bit and then spit out something that looks completely useless. As you scroll down you will see a blue hyperlink that reads !analyze -v. Click this link (or type !analyze -v at the kd> prompt) and WinDbg will analyze your dump file and rather frankly tell you why your system crashed. The lines to read first are BUGCHECK_STR (the STOP code), DEFAULT_BUCKET_ID, MODULE_NAME / IMAGE_NAME and the "Probably caused by" line, which names the module the debugger blames.

My last dump file reads:

DEFAULT_BUCKET_ID: WIN7_DRIVER_FAULT
MODULE_NAME: Pool_Corruption

So there we have it. We got STOP 0x19 BAD_POOL_HEADER because something corrupted the header of a kernel pool allocation, and a MODULE_NAME of Pool_Corruption means the debugger could not pin the blame on a specific driver: one driver scribbled past its allocation and the damage was only detected later, when the kernel or another driver touched that memory. Granted, this could also have been caused by a hardware issue such as a bad hard drive or bad sector on the HDD, or bad memory, or (since it's a laptop) the memory could have needed to be re-seated, but in this case it was an old program that I didn't use anymore that was causing the problem. A bit of digital housekeeping, cleaning up the disk and tossing out old unused programs, did the trick. If housekeeping doesn't cure it, the next steps are Driver Verifier (verifier.exe), which makes the kernel check pool usage on every call so the faulting driver gets caught in the next dump, and a memory test with Windows Memory Diagnostic.
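The same procedure from an elevated PowerShell prompt, as an added example that is not part of the original post: the registry values under CrashControl are what the Startup and Recovery dialog edits, and kd.exe (WinDbg's console twin, installed alongside it) runs !analyze -v without clicking through the GUI. The kd.exe path, the C:\Symbols cache directory and the function names are my assumptions; adjust the path to wherever your Debugging Tools were installed.

```powershell
# Added example, not from the original post. Configure crash dumps the way the
# "Startup and Recovery" dialog does, list the dump files, and summarise one
# with kd.exe. Run from an elevated prompt; reboot after changing the settings
# to be sure they take effect.
# Assumptions: kd.exe lives at the path in $Kd (the stand-alone Windows 7 SDK
# debugger default); C:\Symbols is an arbitrary local cache directory.

$CrashCtl = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'

function Set-CrashDumpSettings {
    # CrashDumpEnabled: 0 = none, 1 = complete, 2 = kernel, 3 = small memory dump (256 KB)
    Set-ItemProperty -Path $CrashCtl -Name CrashDumpEnabled -Value 2 -Type DWord
    Set-ItemProperty -Path $CrashCtl -Name LogEvent         -Value 1 -Type DWord  # "Write an event to the system log"
    Set-ItemProperty -Path $CrashCtl -Name AutoReboot       -Value 0 -Type DWord  # leave the blue screen on screen
    Set-ItemProperty -Path $CrashCtl -Name Overwrite        -Value 0 -Type DWord  # keep older MEMORY.DMP files
    # Echo the result; DumpFile and MinidumpDir are where the dumps will land.
    Get-ItemProperty -Path $CrashCtl |
        Select-Object CrashDumpEnabled, LogEvent, AutoReboot, Overwrite, DumpFile, MinidumpDir
}

function Get-DumpFiles {
    # Newest first: MEMORY.DMP (kernel/complete) plus everything in the Minidump folder.
    $p = Get-ItemProperty -Path $CrashCtl
    $dumpFile = if ($p.DumpFile)    { $p.DumpFile }    else { '%SystemRoot%\MEMORY.DMP' }
    $miniDir  = if ($p.MinidumpDir) { $p.MinidumpDir } else { '%SystemRoot%\Minidump' }
    $memDump = [Environment]::ExpandEnvironmentVariables($dumpFile)
    $miniDir = [Environment]::ExpandEnvironmentVariables($miniDir)
    $files = @()
    if (Test-Path $memDump) { $files += Get-Item $memDump }
    if (Test-Path $miniDir) { $files += Get-ChildItem -Path $miniDir -Filter *.dmp }
    $files | Sort-Object LastWriteTime -Descending
}

function Get-CrashDumpSummary {
    param(
        [Parameter(Mandatory)][string]$DumpFile,
        [string]$Kd = 'C:\Program Files\Debugging Tools for Windows (x64)\kd.exe',   # assumption
        [string]$SymbolPath = 'srv*C:\Symbols*http://msdl.microsoft.com/download/symbols'
    )
    # -z opens a crash dump, -y sets the symbol path, -c runs the commands and "q" quits afterwards.
    $output = & $Kd -z $DumpFile -y $SymbolPath -c '!analyze -v; q' 2>&1 | ForEach-Object { "$_" }

    $summary = [ordered]@{ Dump = $DumpFile }
    foreach ($key in 'BUGCHECK_STR', 'DEFAULT_BUCKET_ID', 'MODULE_NAME', 'IMAGE_NAME', 'PROCESS_NAME') {
        $pattern = '^\s*' + $key + ':\s*(.+?)\s*$'
        foreach ($line in $output) {
            if ($line -match $pattern) { $summary[$key] = $Matches[1]; break }
        }
    }
    # "Probably caused by" names the module kd blames. Pool_Corruption there means
    # the real culprit is unknown and Driver Verifier is the next step.
    $blame = $output | Where-Object { $_ -like 'Probably caused by*' } | Select-Object -First 1
    if ($blame) { $summary['ProbablyCausedBy'] = $blame -replace '^Probably caused by\s*:\s*', '' }
    [pscustomobject]$summary
}

# Usage, from an elevated prompt:
#   Set-CrashDumpSettings
#   Get-DumpFiles | Select-Object -First 1 | ForEach-Object { Get-CrashDumpSummary -DumpFile $_.FullName }
```

Reading MEMORY.DMP needs administrator rights, which is why the whole thing runs elevated; the summary object can be exported with Export-Csv if you are collecting crashes from several machines.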

Hope this helps :)





Friday, April 13, 2012

How to react to scare tactic posts and chain letters.

Today I received an email from a friend of mine that read something like this:
URGENT - PLEASE READ - NOT A JOKE
PASS THIS ON!
IF A PERSON CALLED SIMON ASHTON (SIMON25@HOTMAIL.CO.UK) CONTACTS YOU THROUGH EMAIL DON'T OPEN THE MESSAGE. DELETE IT BECAUSE HE IS A HACKER!!

TELL EVERYONE ON YOUR LIST BECAUSE IF SOMEBODY ON YOUR LIST ADDS HIM THEN YOU WILL GET HIM ON YOUR LIST. HE WILL FIGURE OUT YOUR ID COMPUTER ADDRESS, SO COPY AND PASTE THIS MESSAGE TO EVERYONE EVEN IF YOU DON'T CARE FOR THEM AND FAST BECAUSE IF HE HACKS THEIR EMAIL HE HACKS YOUR MAIL TOO!!!!!.....
Anyone using Internet mail such as Yahoo, Hotmail, AOL and so on.. This information arrived this morning, direct from both Microsoft and Norton. Please send it to everybody you know who has access to the Internet. You may receive an apparently harmless e-mail titled 'Mail Server Report'
If you open either file, a message will appear on your screen saying: 'It is too late now, your life is no longer beautiful.'
Subsequently you will LOSE EVERYTHING IN YOUR PC, and the person who sent it to you will gain access to your name, e-mail and password.
This is a new virus which started to circulate on Saturday afternoon.. AOL has already confirmed the severity, and the antivirus software is not capable of destroying it.
The virus has been created by a hacker who calls himself 'life owner'..
PLEASE SEND A COPY OF THIS E-MAIL TO ALL YOUR FRIENDS, and ask them to PASS IT ON IMMEDIATELY!


According to Snopes ( http://www.snopes.com/computer/internet/hackermail.asp ) this is just another installment in a long-running hoax; in fact it is built from a simple template (rather like that old game Mad Libs) with a new name and e-mail address dropped in each time.


Unless the sender attaches a malicious file (NEVER open attachments from people you don't know), such as a worm or a Trojan, or links you to one, the person really has no way of reaching your computer through e-mail, and being in someone's contact list gives them nothing at all. Note that your firewall is not what protects you here: a firewall blocks unsolicited inbound connections, while an attachment you open yourself runs with your own permissions on the inside of it. That said, if you have not activated your firewall, e-mail hackers are the least of your worries.

The only thing a sender can really learn through webmail services such as Hotmail, Yahoo or AOL is whether the message has been opened. The trick is to embed an image, often a blank 1x1 pixel, hosted on a server the sender controls, with a token identifying the recipient in the image's URL; when your mail client fetches the image, the request shows up in the sender's access log together with that token. This simply tells the sender which e-mail addresses are live, so they can be sold to spammers and advertisers as "valid". The same request also reveals your IP address and roughly when you read the mail.

This is the reason most webmail services (and even desktop clients such as Outlook) block remote image downloads by default, letting you load images only from senders you trust. It is mainly there to protect your e-mail address from unwanted spam rather than to protect your computer, though it also stops the image fetch from leaking your IP address.
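To make the tracking-pixel trick concrete, here is an added example (not part of the original post) that flags likely tracking images in an HTML e-mail body: remote images that are one pixel in size, hidden by CSS, or carry a recipient token in their URL. The message body is constructed for the demo, the hostnames in it are placeholders rather than real trackers, and the function name and the heuristics are mine.

```powershell
# Added example, not from the original post. Flags <img> tags in an HTML
# e-mail that look like open-tracking beacons. The sample message and its
# hostnames are constructed for the demo; the checks are heuristics, so treat
# a hit as "worth a look", not proof.

function Find-TrackingImages {
    param([Parameter(Mandatory)][string]$Html)

    # Every <img ...> tag, then the attributes that matter for a beacon.
    $tagRegex  = [regex]'(?is)<img\b[^>]*>'
    $attrRegex = [regex]'(?i)\b(src|width|height|style)\s*=\s*(?:"([^"]*)"|''([^'']*)''|([^\s>]+))'

    foreach ($m in $tagRegex.Matches($Html)) {
        $attrs = @{}
        foreach ($a in $attrRegex.Matches($m.Value)) {
            # Only one of the three value groups matches; joining them yields that value.
            $name  = $a.Groups[1].Value.ToLower()
            $attrs[$name] = ($a.Groups[2].Value, $a.Groups[3].Value, $a.Groups[4].Value) -join ''
        }

        $src = $attrs['src']
        # Inline (data:) or relative images never reach the sender's server, so they cannot report anything.
        if (-not $src -or $src -notmatch '^https?://') { continue }

        $reasons = @()
        if ($attrs['width'] -eq '1' -or $attrs['height'] -eq '1' -or
            $attrs['style'] -match '\b(width|height)\s*:\s*[01](px)?\b') { $reasons += 'one-pixel size' }
        if ($attrs['style'] -match 'display\s*:\s*none|visibility\s*:\s*hidden') { $reasons += 'hidden by CSS' }
        if ($src -match '[?&](id|uid|rcpt|email|token|u)=') { $reasons += 'per-recipient token in URL' }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Host    = ([uri]$src).Host
                Src     = $src
                Reasons = $reasons -join ', '
            }
        }
    }
}

# Constructed sample: a visible logo, a classic open-tracking pixel, a CSS-hidden
# image and an inline data: image (the last one is harmless and is skipped).
$Sample = @'
<html><body>
<p>URGENT - PLEASE READ - NOT A JOKE</p>
<img src="https://cdn.example.org/logo.png" width="120" height="40">
<img src="https://track.example.net/open.gif?rcpt=5f3a9c" width="1" height="1">
<img src="https://img.example.com/spacer.gif" style="display:none">
<img src="data:image/gif;base64,R0lGODlhAQABAAAAACw=" width="1" height="1">
</body></html>
'@

Find-TrackingImages -Html $Sample | Format-Table -AutoSize
```

On the sample this reports open.gif (one-pixel size, per-recipient token in URL) and spacer.gif (hidden by CSS) and nothing for the logo or the inline image. In practice you would feed it the raw HTML part of a saved message; the hosts it lists are the ones that learn your address is live the moment your client loads remote images.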

Even though this email is a hoax, it does serve a very useful purpose.  It brings attention to the real threats out there and makes the public at large more aware of the real vulnerabilities that may be lurking in their computer system.  

A short list of good computing habits will take most of the worry out of your online life.



  1. Make sure the firewall built into your operating system is active at all times (never turn it off).
  2. Keep your operating system up to date; turn on automatic updates.
  3. Invest in a good real-time ("active scan") antivirus product such as McAfee, Kaspersky, Norton or AVG and keep it updated.
  4. Invest in a good real-time anti-malware program such as Malwarebytes, and keep it updated.
  5. Back up your hard drive at least once a month, or use a continuous backup service to an external hard drive or the cloud. If you should ever have to reformat or even replace your hard drive, you won't lose your data.
  6. Clean up and defragment your hard drive at least once a month (skip defragmentation on an SSD, where it gains nothing and adds wear). IOBit's free "Smart Defrag" will defragment whenever the computer is idle.
  7. Never EVER open attachments or click on links in e-mail from people you don't know. Even if it is from someone you do know, if it looks suspicious, don't click it!!



These are just a few simple steps to a happier, healthier computer and, in most cases, a worry-free online experience.