A. When your machine crashes, a memory dump file called memory.dmp is created in your Windows directory. You can use the dumpchk.exe utility to inspect what caused the dump. To use the utility, you must first download and install the symbol package for your OS from http://www.microsoft.com/whdc/devtools/debugging/symbolpkg.mspx. Once the symbols are installed, install the Debugging Tools for Windows from http://www.microsoft.com/whdc/DevTools/Debugging/default.mspx. Versions are available for both 32-bit and 64-bit OSs.
Once you’ve downloaded and installed the symbol package and the Debugging Tools, you can check the memory dump file by running the following command:
dumpchk -y %windir%\symbols %windir%\memory.dmp
Following is the command’s output. Note the “Probably caused by” line, which indicates why the system crashed.
C:\Program Files\Debugging Tools for Windows (x64)>dumpchk -y %windir%\symbols %windir%\memory.dmp
Loading dump file C:\Windows\memory.dmp
Microsoft (R) Windows Debugger Version 6.9.0003.113 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [C:\Windows\memory.dmp]
Kernel Summary Dump File: Only kernel address space is available
Symbol search path is: C:\Windows\symbols
Executable search path is:
Windows Server 2008 Kernel Version 6001 (Service Pack 1) MP (4 procs) Free x64
Product: Server, suite: Enterprise TerminalServer SingleUserTS
Built by: 6001.18000.amd64fre.longhorn_rtm.080118-1840
Kernel base = 0xfffff800`02a61000 PsLoadedModuleList = 0xfffff800`02c26db0
Debug session time: Sun Sep 21 12:30:02.588 2008 (GMT-5)
System Uptime: 2 days 22:08:26.619
Loading Kernel Symbols
................................................................................
....................................................................
Loading User Symbols
PEB is paged out (Peb.Ldr = 000007ff`fffd6018). Type ".hh dbgerr001" for details
Loading unloaded module list
......
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck A, {167, 2, 0, fffff80002a9e835}
Page c27fa not present in the dump file. Type ".hh dbgerr004" for details
PEB is paged out (Peb.Ldr = 000007ff`fffd6018). Type ".hh dbgerr001" for details
PEB is paged out (Peb.Ldr = 000007ff`fffd6018). Type ".hh dbgerr001" for details
Probably caused by : ntkrnlmp.exe ( nt!CcZeroEndOfLastPage+1b5 )
Followup: MachineOwner
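When several dumps have to be triaged, the fields that matter in this output can be extracted from saved dumpchk text. The following Python parser is an added example, not part of the original article; the function name summarize, the record field names, and the list of kernel image names are choices made for this example, and the sample text is an excerpt of the output above.

```python
import re

# Excerpt of the dumpchk output shown above (only the lines the parser reads).
SAMPLE = """\
Kernel Summary Dump File: Only kernel address space is available
Windows Server 2008 Kernel Version 6001 (Service Pack 1) MP (4 procs) Free x64
System Uptime: 2 days 22:08:26.619
BugCheck A, {167, 2, 0, fffff80002a9e835}
Page c27fa not present in the dump file. Type ".hh dbgerr004" for details
Probably caused by : ntkrnlmp.exe ( nt!CcZeroEndOfLastPage+1b5 )
"""

# File names of the Windows kernel image (list chosen for this example). A blame
# on one of these only says where the fault surfaced, so follow the output's own
# hint and run "!analyze -v" on the dump.
KERNEL_IMAGES = {"ntoskrnl.exe", "ntkrnlmp.exe", "ntkrnlpa.exe", "ntkrpamp.exe"}

BUGCHECK = re.compile(r"^BugCheck ([0-9A-Fa-f]+), \{([^}]*)\}", re.M)
CAUSE = re.compile(
    r"^Probably caused by : (\S+)(?: \( (\S+?)(?:\+([0-9A-Fa-f]+))? \))?", re.M)
MISSING = re.compile(r"^Page [0-9A-Fa-f]+ not present in the dump file", re.M)


def summarize(text):
    """Return a triage record for one dumpchk run, or None if no bugcheck line."""
    bug = BUGCHECK.search(text)
    if bug is None:
        return None
    cause = CAUSE.search(text)
    module, symbol, offset = cause.groups() if cause else (None, None, None)
    return {
        # Bugcheck code and its four parameters are printed in hex.
        "bugcheck": int(bug.group(1), 16),
        "args": [int(a, 16) for a in bug.group(2).split(",") if a.strip()],
        "module": module,
        "symbol": symbol,
        "offset": int(offset, 16) if offset else None,
        "kernel_blamed": module is not None and module.lower() in KERNEL_IMAGES,
        # A kernel summary dump omits pages, so some data may be unreadable.
        "summary_dump": "Kernel Summary Dump File" in text,
        "missing_pages": len(MISSING.findall(text)),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(f"{key}: {value}")
```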

