Investigating A Blue Screen Of Death

During a period of network issues some of our Windows Server 2008 R2 machines rebooted.  Further investigation showed that the servers had experienced a Blue Screen Of Death (BSOD) and rebooted.  Most BSOD incidents are caused by faulty drivers.  It’s possible to look at the memory dump that’s created when the BSOD occurs and determine which driver caused the crash.  This is the method I use.

First download and install the Debugging Tools for Windows from http://www.microsoft.com/whdc/devtools/debugging/default.mspx.  Download the 32-bit or 64-bit version to match the architecture of the operating system that experienced the BSOD.  See here for more information: http://www.microsoft.com/whdc/devtools/debugging/install64bit.mspx#E1C

Next create two folders in the root of c:\ called Symbols and Dump.

Copy the memory dump from the machine that crashed from c:\Windows to c:\Dump.  The dump file will probably be called MEMORY.DMP.

Load WinDbg from the Debugging Tools for Windows folder in the Start Menu.

Go to File -> Symbol File Path…  Paste SRV*C:\symbols*http://msdl.microsoft.com/download/symbols into the Symbol path box and click OK.

Go to File -> Open Crash Dump and select the MEMORY.DMP file in c:\Dump and click OK.  In a few seconds text will start to appear in the debug box.

When the text has finished loading, click the !analyze -v link below the Bugcheck Analysis box, as shown below.

Once the process has finished you’ll see text similar to below.  IMAGE_NAME is the driver that caused the BSOD.  In my case it’s basp.sys, which is a Broadcom driver.  Google the IMAGE_NAME value to find out the driver name, then search for an updated version.
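The same steps can be scripted when there are several dumps to go through: run the debugger non-interactively against the dump with the symbol server path above, then pull IMAGE_NAME and the other identifying fields out of the !analyze -v report. This is an added example, not code from the original post; it assumes kd.exe from the Debugging Tools for Windows is on the PATH, and the sample report lines are constructed to mirror the basp.sys case described above.

```python
"""Automate the WinDbg procedure: open MEMORY.DMP with the Microsoft symbol
server, run !analyze -v, and extract the fields that name the faulting driver.

Assumption: kd.exe (command-line kernel debugger from the Debugging Tools
for Windows) is on the PATH."""
import re
import subprocess

SYMBOL_PATH = r"SRV*C:\symbols*http://msdl.microsoft.com/download/symbols"

# Key/value lines of the !analyze -v report that identify the crash and driver.
FIELDS = ("BUGCHECK_STR", "IMAGE_NAME", "MODULE_NAME", "PROCESS_NAME",
          "FAILURE_BUCKET_ID")
# Match "KEY:  value" on one line; [ \t] rather than \s so a key with an
# empty value never swallows the following line.
FIELD_RE = re.compile(r"^(\w+):[ \t]+(.+?)[ \t]*$", re.MULTILINE)


def kd_command(dump_path, symbol_path=SYMBOL_PATH):
    """Non-interactive kd invocation: -z opens the dump, -y sets the symbol
    path, -c runs the debugger commands (analyze, then quit)."""
    return ["kd.exe", "-z", dump_path, "-y", symbol_path, "-c", "!analyze -v; q"]


def parse_analyze(report):
    """Return the identifying fields of a !analyze -v report as a dict."""
    return {k: v for k, v in FIELD_RE.findall(report) if k in FIELDS}


def analyze_dump(dump_path):
    """Run kd against one dump file and return the parsed fields."""
    proc = subprocess.run(kd_command(dump_path), capture_output=True,
                          text=True, check=False)
    return parse_analyze(proc.stdout)


# Constructed sample of the relevant lines from a !analyze -v report.
SAMPLE_REPORT = """\
BUGCHECK_STR:  0xD1
PROCESS_NAME:  System
FAULTING_IP:
MODULE_NAME: basp
IMAGE_NAME:  basp.sys
"""

if __name__ == "__main__":
    print(parse_analyze(SAMPLE_REPORT))
```

Run analyze_dump(r"C:\Dump\MEMORY.DMP") on the machine with the debugger installed; IMAGE_NAME in the result is the driver to look up.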
