Analysis of Windows 7 minidumps: crash memory dumps and installing the Debugging Tools

A blue screen of death, or BSOD as it is also called, can significantly ruin the life of both a computer and a server, and, as it turned out, a virtual machine too. Today I will show how to analyze a blue screen memory dump in Windows: a correct diagnosis that identifies why your system is failing is 99 percent of the solution, and a system engineer is simply obliged to be able to do this, in the shortest possible time, because a business can lose a lot of money to service downtime.

BSOD decoding

Let's first look at what this abbreviation means: BSOD stands for the English Blue Screen of Death; the same condition is also called a STOP error.

Blue screen of death errors occur for various reasons, including driver problems, a faulty application, or a faulty RAM module. As soon as a blue screen occurs in Windows, the system automatically creates a crash memory dump file, and this is the file we will analyze.

How to configure memory dump creation

By default, Windows creates a crash dump file, memory.dmp, when a blue screen occurs. I will now show how this is configured and where the file is stored, using Windows Server 2008 R2 as the example, since I recently had to investigate a blue screen in a virtual machine. To find where the Windows memory dump is configured, open Start, right-click the Computer icon and select Properties.

Go to the Advanced tab, find the Startup and Recovery section and click the Settings button.

Where is the memory.dmp file stored?

Here we see, first of all, a checkbox that performs an automatic reboot after the debugging information has been written; Kernel memory dump is selected as the dump type, and below it is the location where the memory dump is saved: %SystemRoot%\MEMORY.DMP.

Go to the C:\Windows folder and find the MEMORY.DMP file; it contains the blue screen of death codes.

How to set up a minidump

Blue screen of death errors are also recorded in a small memory dump; it is configured in the same dialog, you just need to select it.

It is stored in the C:\Windows\Minidump folder. The advantage is that it takes up less space and a separate file is created for each blue screen, so you can always review the history of blue screen occurrences.

Now that we have figured out where to look for the memory dump file, we need to learn how to interpret it and understand why the blue screen of death occurs. Microsoft Kernel Debugger will help us with this. You can download Microsoft Kernel Debugger from the official website; the main thing is to select the correct OS version. If that link breaks, you can download it from Yandex Disk using a direct link. It is also part of the ADK.

Download Microsoft Kernel Debugger; the result is a small web installer that downloads everything it needs from the Internet. Launch it.

Decline participation in the quality improvement program.

Click Accept to agree to the license.

The Microsoft Kernel Debugger installation will begin.

We see that Microsoft Kernel Debugger has been installed successfully.

After that, a Debugging Tools for Windows folder appears in the Start menu, with entries for both 32-bit and 64-bit systems.

In addition to the Debugging Tools for Windows package itself, you will also need a set of debugging symbols (Debugging Symbols). The symbol set is specific to the OS on which the BSoD was recorded, so you will have to download a symbol set for each OS you need to analyze. A 32-bit Windows XP requires the Windows XP 32-bit symbol set; a 64-bit OS requires the Windows XP 64-bit symbol set. For other operating systems of the Windows family, symbol sets are chosen by the same principle. You can download debugging symbols from here. It is recommended to install them at %systemroot%\symbols, although I prefer to install them in separate folders and avoid cluttering the Windows folder.

Blue Screen Analysis in Debugging Tools

After installing the debugging symbols for the system that had the blue screen of death, launch the Debugging Tools.

Before analyzing the contents of the memory dump, the debugger needs a little configuration; specifically, you must tell it where to look for debugging symbols. To do this, select File > Symbol File Path… from the menu.

Click the Browse button...

and point it at the folder where we installed the debugging symbols for the memory dump in question. You can specify several folders separated by commas, and you can also request the required debugging symbols directly over the Internet from Microsoft's public symbol server; this way you always have the newest version of the symbols. To do this, enter the following in the File > Symbol File Path… menu:

SRV*%systemroot%\symbols*http://msdl.microsoft.com/download/symbols

How to analyze the blue screen of death

Copy the memory.dmp or minidump file from the computer where the blue screen appeared and open it: select File > Open Crash Dump... from the menu and choose the file to examine.

For example, choose a minidump.

Analysis of the minidump begins, and a link to the error appears; click it for more detailed information about the blue screen.

Here we see the faulty application that is crashing the system; you can see what is wrong in even more detail by clicking the link.

This gives more detailed information about the cause of the blue screen.

If you open memory.dmp, you get a similar picture and can see why the blue screen occurred.

This is how easy it is to diagnose and eliminate the blue screen of death.

At the next step, selecting the components to install (Select the features you want to install), mark only what is needed, Debugging Tools for Windows, and click Install.

The set of utilities will be downloaded from the Internet and installed into the folder specified on the first screen.

After installation completes, find the WinDbg utility in the Start menu or on the Start screen, in the Windows Kits shortcut group, and run it with administrator rights.

If for some reason the shortcut cannot be found, run the executable from the installation directory: C:\Program Files (x86)\Windows Kits\8.1\Debuggers\x64\windbg.exe

In the main menu of WinDbg select File > Symbol File Path. In the window that opens, enter a line that defines the local symbol cache directory and its online source:

SRV*C:\Windows\symbol_cache*http://msdl.microsoft.com/download/symbols

Save the settings by selecting File > Save Workspace from the main menu.

Open the memory dump file by selecting File > Open Crash Dump... from the menu.

Select the MEMORY.DMP file (located in C:\Windows by default) and click Open.

Information will appear about which executable module caused the system to stop. By clicking the !analyze -v hyperlink you can obtain more detailed information about the state of the system at the time of the stop error.

The same information can be obtained from the command line using approximately the following sequence of commands (the first two lines are typed in the command prompt, the rest at the kd prompt once the dump is loaded):

cd /d "C:\Program Files (x86)\Windows Kits\8.1\Debuggers\x64\"
kd -z "D:\DOWNLOADS\VM05\MEMORY.DMP"
.logopen C:\Debuglog.txt
.sympath srv*C:\Windows\symbol_cache*http://msdl.microsoft.com/download/symbols
!analyze -v
.logclose
q

In this example, all the information from parsing the dump is written in readable form to the file C:\Debuglog.txt.
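The kd sequence above is interactive and handles one dump at a time. The following PowerShell script is an added example (not part of the original article) that runs the same steps non-interactively over every dump in a folder and keeps one log per dump; the kd.exe path, dump folder, log folder and symbol path are assumptions taken from the paths used in this article and should be adjusted to your installation.

```powershell
# Added example: batch-analyze crash dumps with kd.exe and summarize the result.
# Assumed paths (adjust): Debugging Tools 8.1 x64, minidump folder, log folder.
$kd      = 'C:\Program Files (x86)\Windows Kits\8.1\Debuggers\x64\kd.exe'
$dumpDir = 'C:\Windows\Minidump'      # or a folder of copied MEMORY.DMP files
$logDir  = 'C:\Debuglogs'
$symPath = 'srv*C:\Windows\symbol_cache*http://msdl.microsoft.com/download/symbols'

if (-not (Test-Path $kd)) { throw "kd.exe not found at $kd" }
New-Item -ItemType Directory -Path $logDir -Force | Out-Null

Get-ChildItem -Path $dumpDir -Filter *.dmp | ForEach-Object {
    $dump = $_.FullName
    $log  = Join-Path $logDir ($_.BaseName + '.txt')

    # kd switches: -z dump file to open, -y symbol path (same as .sympath),
    # -logo log file to create (same as .logopen), -c commands to run once the
    # dump is loaded; the trailing "q" quits so the loop does not block.
    & $kd -z $dump -y $symPath -logo $log -c '!analyze -v; q' | Out-Null

    # Pull the two fields a practitioner looks at first out of the log:
    # the bugcheck name and the module !analyze blames for the crash.
    $text = Get-Content -Path $log -Raw
    $bug  = [regex]::Match($text, 'BUGCHECK_STR:\s*(\S+)').Groups[1].Value
    $mod  = [regex]::Match($text, 'MODULE_NAME:\s*(\S+)').Groups[1].Value

    [pscustomobject]@{
        Dump     = $_.Name
        BugCheck = $bug
        Module   = $mod
        Log      = $log
    }
} | Format-Table -AutoSize
```

The full !analyze -v output for each dump stays in its log file; the table only gives the summary needed to decide which dump to open in WinDbg.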

The cause of critical Windows errors accompanied by blue screens (BSOD) is often a driver, newly installed or damaged. Having determined which driver is causing the error, you can begin to fix the problem: update the driver, roll back to an earlier version, reinstall or remove the application that installed the driver, and so on. The driver name is not always displayed on the blue screen. However, there is a very simple way to identify the problematic driver in a couple of minutes using a memory dump.

Step 1 — Enable memory dump recording

First, make sure that dump recording is enabled. To do this, open the system properties by pressing Win+Pause (in Vista, click the Advanced System Settings link), go to the Advanced tab and, finally, click the Settings button.

Small memory dumps are sufficient for our purposes.

Note the path to the folder where they will be saved when a critical error occurs.

Now you can archive the file, attach it to a post in the Troubleshooting critical Windows errors forum and wait until someone tells you the name of the problematic driver :) But you can do it yourself without much effort.

Step 2 — Analyzing Dumps Using MinDumper Utility

A description of the utility can be found in this article.

  1. Download and install Debugging Tools for Windows. They are included in the Windows SDK web installer; after launching it, select Debugging Tools in the Common Utilities section.
  2. Download the kdfe.cmd script, written by Alexander Sukhovey and published on sysadmins.ru (since I could not find a live link there, I offer my own copy). Unzip the archive to any folder.
    Note. If the location of the Program Files folder is non-standard, you may need to specify the path to the Debugging Tools for Windows installation folder in kdfe.cmd; use the dbgpath variable on line 41.

Step 3 - Analyzing the Memory Dump

Now everything comes down to running one command. Open a command prompt and go to the folder where you extracted kdfe.cmd. Run the file, passing the path to the memory dump file as a parameter (in the example below the file is called Mini1110307-01.dmp).

Blue screen of death (English: Blue Screen of Death, Blue Screen of Doom, BSoD) is a message about a critical system error in Microsoft Windows operating systems. Many who encounter a blue screen of death on their computer or laptop see reinstalling the operating system as the only solution. But sometimes the OS has nothing to do with it and the problem lies in the hardware. So as not to guess why the blue screen of death appeared, use the information the operating system provides in the form of logs. In this article I describe step by step how to find out the cause of the blue screen of death.

The appearance of the blue screen of death is always unexpected and at the wrong time, so many simply do not have time to read what is written there, and it must be said that the cause of the failure is stated there (though not in a very explicit form). First of all, I suggest configuring the computer or laptop so that it does not reboot immediately after a system failure but gives you the opportunity to see the cause. If this information is not enough, you need to look at the dump file, which contains an error code with its parameters, a list of the drivers loaded into RAM at the time of the crash, and so on; this information is enough to identify the faulty driver.

The settings for rebooting after a system failure are reached by right-clicking the My Computer/Computer shortcut (applies to Windows XP, Windows 7, Windows 8) and selecting Properties, or by pressing the key combination + . All screenshots below are from Windows 7; the same settings are configured the same way on Windows XP, Windows 8 and Windows 8.1.

On the Advanced tab, in the Startup and Recovery section, click Settings.

Uncheck Automatically restart so that you have time to see everything the blue screen of death writes. The Dump file line shows the path where the file describing the cause of the failure will be saved.

Now you can study the information carefully when a blue screen of death appears. If your computer no longer boots and you cannot change these settings, press F8 during boot and select the menu item Disable automatic restart on system failure.

If the information shown there is not enough, you can use the dump (.dmp file). For this you can use Microsoft's debugging tool, but it is large, requires installation and needs .NET Framework 4.5. You can get by with fewer sacrifices by using the BlueScreenView program: in my opinion a very convenient program that requires no installation and is available in Russian (add the language file to the program folder). Run BlueScreenView.exe and the program interface opens with this computer's dumps already loaded (the default path is C:\Windows\MiniDump; under Settings > Advanced Settings you can specify a different path if you copied the dump elsewhere).

Errors occur very often in Windows, even on a "clean" system. While ordinary program errors can be solved (a message about a missing component appears), critical errors are much harder to fix.

What is a memory dump in Windows

To solve problems with the system, a crash memory dump is usually used: a snapshot of part or all of the RAM, placed on non-volatile storage (the hard disk). In other words, the contents of RAM are fully or partially copied to disk, and the user can then analyze the memory dump.

There are several types of memory dumps:

Small dump (Small Memory Dump): saves a minimal amount of RAM, containing information on the critical error (BSoD) and the components that were loaded while the system was running, such as drivers and programs. Minidumps are stored at C:\Windows\Minidump.

Full dump (Complete Memory Dump): the entire contents of RAM are saved, so the file size equals the amount of RAM. If there is little disk space, saving, say, 32 GB will be a problem, and there are also problems creating a memory dump file larger than 4 GB. This type is used very rarely. Stored at C:\Windows\MEMORY.DMP.

Kernel memory dump: only information related to the system kernel is saved.

When the user gets to analyzing the error, the minidump (small dump) is usually all that is needed. But it must be enabled beforehand, otherwise the problem will not be recorded. For more effective identification of a crash, a full memory snapshot is preferable.

Information in the registry

In the Windows registry you can find some useful snapshot settings. Press Win+R, enter regedit and open the following branch:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl

In this branch the user will find the following parameters:

  • AutoReboot – enable or disable the reboot after the Blue Screen of Death (BSoD) is shown.
  • DumpFile – name and location of the dump file.
  • CrashDumpEnabled – the type of file being created: 0 – no dump is created; 1 – full dump; 2 – kernel dump; 3 – small dump.
  • DumpFilters – allows adding new functions before the snapshot is created, for example encryption of the file.
  • MinidumpDir – name and location of the small dumps.
  • LogEvent – enables recording of the event in the system log.
  • MinidumpsCount – the number of small dumps to keep (when this number is exceeded, old files are deleted and replaced).
  • Overwrite – applies to a full or kernel dump; when a new snapshot is created, the previous one is always replaced.
  • DedicatedDumpFile – creates an alternative dump file and specifies its path.
  • IgnorePagefileSize – used for temporary snapshot storage without the page file.
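Rather than reading these values in regedit one by one, the following PowerShell script is an added example (not from the original article) that reads the CrashControl branch described above, prints the settings in readable form, and lists the dumps actually present on disk, which also covers the "How to enable dumps" section below: it warns when dumps are disabled and shows the commands to re-enable small dumps. The only value not listed above is 7 (Automatic memory dump), which exists on Windows 8 and later; the registry key and value names are those the article itself lists.

```powershell
# Added example: audit the CrashControl settings and the dumps present on disk.
# Run in an elevated PowerShell on the machine being investigated.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'
$cc  = Get-ItemProperty -Path $key

# CrashDumpEnabled meanings as listed in the article (0..3); 7 is the
# "Automatic memory dump" setting present on Windows 8 and later.
$dumpTypes = @{
    0 = 'None (no dump written)'
    1 = 'Complete memory dump'
    2 = 'Kernel memory dump'
    3 = 'Small memory dump (minidump)'
    7 = 'Automatic memory dump'
}

$type = [int]$cc.CrashDumpEnabled
Write-Host ("CrashDumpEnabled : {0} -> {1}" -f $type, $dumpTypes[$type])
Write-Host ("AutoReboot       : {0}" -f $cc.AutoReboot)
Write-Host ("DumpFile         : {0}" -f $cc.DumpFile)
Write-Host ("MinidumpDir      : {0}" -f $cc.MinidumpDir)
Write-Host ("MinidumpsCount   : {0}" -f $cc.MinidumpsCount)
Write-Host ("Overwrite        : {0}" -f $cc.Overwrite)
Write-Host ("LogEvent         : {0}" -f $cc.LogEvent)

if ($type -eq 0) {
    Write-Warning 'Crash dumps are disabled; nothing will be written on the next BSOD.'
}

# Expand %SystemRoot% in the stored paths and list what is actually on disk,
# so a disabled setting (or an "optimizer" that turned dumps off) is noticed
# before the next crash rather than after it.
$miniDir = [Environment]::ExpandEnvironmentVariables([string]$cc.MinidumpDir)
$full    = [Environment]::ExpandEnvironmentVariables([string]$cc.DumpFile)

if ($miniDir -and (Test-Path $miniDir)) {
    Get-ChildItem -Path $miniDir -Filter *.dmp |
        Sort-Object LastWriteTime -Descending |
        Select-Object Name, Length, LastWriteTime |
        Format-Table -AutoSize
} else {
    Write-Host "Minidump folder '$miniDir' does not exist yet (no minidump has been written)."
}
if ($full -and (Test-Path $full)) {
    $f = Get-Item $full
    Write-Host ("Full/kernel dump present: {0} ({1:N0} bytes, {2})" -f $f.FullName, $f.Length, $f.LastWriteTime)
}

# To re-enable small dumps and keep the blue screen on screen, as the
# article recommends, uncomment the two lines below (takes effect on reboot):
# Set-ItemProperty -Path $key -Name CrashDumpEnabled -Value 3
# Set-ItemProperty -Path $key -Name AutoReboot -Value 0
```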

How it works

If a failure occurs, the system completely stops and, if dumping is enabled, information about the problem is written to a file on disk. If something happened to the physical components, the corresponding error code is raised and the failed hardware leaves traces that will certainly be reflected in the snapshot.

Typically the file is first written into the block of the hard disk allocated to the page file; after the BSoD, it is rewritten as the type the user configured (small, full or kernel dump). In modern operating systems, though, the page file is not required for this.

How to enable dumps

In Windows 7:

In Windows 8 and 10:

Here the process is similar; you get to the system information the same way as in Windows 7. In "Ten", open This PC, right-click on free space and select Properties. Another way to get there is through the Control Panel.

Second option for Windows 10:


It should be noted that new versions of Windows 10 have new items that were not in the "seven":

  • Small memory dump (256 KB) – the minimum failure data.
  • Active memory dump – appeared in the tenth version of the system and saves only the active memory of the computer, the system kernel and the user. Recommended for use on servers.

How to delete a dump

Just go to the directory where the memory snapshots are stored and delete them. There is also another way to remove them: the Disk Cleanup utility:

If no items were found, dumps may not have been enabled.

Even if you once enabled them, some system optimization utilities can easily disable this functionality. Many things get turned off when an SSD is in use, since repeated read and write cycles harm the health of such a disk.

Memory dump analysis using WinDbg

Download the program from the official Microsoft website; it is described in step 2, "Install the WDK": https://docs.microsoft.com/en-us/windows-hardware/drivers/download-the-wdk.

To work with the program you will also need a special package of debugging symbols, called Debugging Symbols. Previously they could be downloaded from the Microsoft website, but Microsoft has abandoned that, so use the File > Symbol File Path function, enter the following line and click OK:

set _NT_SYMBOL_PATH=srv*DownstreamStore*https://msdl.microsoft.com/download/symbols

If it doesn't work, try this command:

SRV*%systemroot%\symbols*http://msdl.microsoft.com/download/symbols

Click “File” again and select the “Save Workspace” option.

The utility is configured. All that remains is to specify the path to the memory dump file: click File and choose Open Crash Dump. The location of the dumps was given at the beginning of the article.

After the file is selected, the analysis runs and the problematic component is highlighted automatically. To obtain more information, enter the following command in the same window: !analyze -v

Analysis with BlueScreenView

You can download the tool free from http://www.nirsoft.net/utils/blue_screen_view.html. Installation requires no special skills. Used only on Windows 7 and higher.

Launch and configure it. Click Options > Advanced Options. Select the first item, Load MiniDumps from this folder, and specify the directory C:\WINDOWS\Minidump, or simply click the Default button. Click OK.

The dump files appear in the main window; there may be one or several. To open one, click it.

The bottom of the window lists the components that were running at the time of the failure; the one responsible for the crash is highlighted in red.

Now click File and select, for example, the item "Find in Google: error code + driver". If you find the driver you need, install it and restart the computer; the error may disappear.