
Windows blue screen of death after crash debugging



Presentation Transcript


  1. Windows blue screen of death after crash debugging. Alex Mclean, Amy Valley, Derek Visch

  2. What is a BSOD? Blue Screen of Death

  3. What is a BSOD? Blue Screen Of Death. The function that is called to generate the BSOD is KeBugCheckEx. It occurs in Windows when the operating system encounters a critical error that it cannot recover from.

  4. Why generate a BSOD? • Why not just ignore the exception? • It is likely that the driver that caused the first exception will continue to do so • Therefore there is a high risk of data being corrupted

  5. Most Common BSOD Causes By Stop Code Category Source: Russinovich, Mark E., David A. Solomon, and Alex Ionescu. Windows Internals: Part 2. 6th ed. Redmond, WA: Microsoft, 2012. Print.

  6. Memory Dump Types • Kernel Memory Dumps • Complete Memory Dumps • Small Memory Dumps

  7. Small Memory Dumps • Contains only information about the current process and thread context, the bug check stop code, and the kernel portion of the stack trace that caused the crash • Basic WinDbg commands like !process will not have the information they need

  8. Kernel Memory Dumps • Collected on kernel crashes • Contains the kernel-mode memory pages at the time of the crash • Does not show user-mode pages

  9. Complete Memory Dumps • A dump of the entire physical memory (RAM) • Does show user-mode pages at the time of the crash • Not always available on computers with 2 GB or more of RAM due to size

  10. Sample Complete Memory Dump

  11. Sample Kernel Memory Dump

  12. Getting memory dumps

  13. Choose Type of Memory Dump

  14. Cause the crash

  15. Reading the Crash • Run WinDbg as administrator • File > Open Crash Dump > C:\Windows\MEMORY.DMP • Run the following commands:
     kd> .symfix
     kd> .reload
     kd> !process -1 0
     kd> !analyze -v
     kd> lm kv m myfault
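As an added example (not part of the presentation), the following Python script shows why the dump types on slides 6 to 9 matter before you even open WinDbg: it reads the file header, tells a small memory dump (MINIDUMP_HEADER, signature "MDMP") apart from a kernel or complete dump (DUMP_HEADER64, signature "PAGEDU64"), and pulls the bug check code and its four parameters from the latter. The header offsets used are assumptions taken from the public structure layouts, and the sample headers are constructed bytes, not real dumps.

```python
import struct

# Well-known stop codes from the public bug check reference, for readable triage output
STOP_CODES = {
    0x0A: "IRQL_NOT_LESS_OR_EQUAL",
    0x1E: "KMODE_EXCEPTION_NOT_HANDLED",
    0x50: "PAGE_FAULT_IN_NONPAGED_AREA",
    0x7E: "SYSTEM_THREAD_EXCEPTION_NOT_HANDLED",
    0xD1: "DRIVER_IRQL_NOT_LESS_OR_EQUAL",
}


def classify_dump(data: bytes) -> dict:
    """Identify the dump kind from its header and extract first-triage fields.

    Assumed layouts: MINIDUMP_HEADER ('MDMP', NumberOfStreams at offset 8,
    StreamDirectoryRva at 12) and DUMP_HEADER64 ('PAGE' + 'DU64',
    BugCheckCode at 0x38, BugCheckParameter1..4 at 0x40).
    """
    if data[:4] == b"MDMP":
        # Small memory dump: a stream directory only, no kernel page contents,
        # which is why commands like !process lack the data they need here.
        nstreams, dir_rva = struct.unpack_from("<II", data, 8)
        return {"kind": "small", "streams": nstreams, "stream_dir_rva": dir_rva}
    if data[:8] == b"PAGEDU64":
        # Kernel or complete memory dump (64-bit header); both carry the
        # stop code and its four parameters directly in the header.
        code = struct.unpack_from("<I", data, 0x38)[0]
        params = struct.unpack_from("<4Q", data, 0x40)
        return {"kind": "kernel/complete", "stop_code": code,
                "stop_name": STOP_CODES.get(code, "UNKNOWN"),
                "params": [f"0x{p:x}" for p in params]}
    return {"kind": "unrecognized"}


def sample_kernel_dump_header() -> bytes:
    """Constructed DUMP_HEADER64 bytes (not a real dump): stop 0xD1 with four parameters."""
    hdr = bytearray(b"PAGEDU64" + b"\x00" * 0x60)
    struct.pack_into("<I", hdr, 0x38, 0xD1)
    struct.pack_into("<4Q", hdr, 0x40, 0xFFFFF80000000010, 0x2, 0x0, 0xFFFFF88001234560)
    return bytes(hdr)


def sample_minidump_header() -> bytes:
    """Constructed MINIDUMP_HEADER (not a real dump) with 3 streams at RVA 0x20."""
    return struct.pack("<4sIIIIIQ", b"MDMP", 0xA793, 3, 0x20, 0, 0, 0)


if __name__ == "__main__":
    for blob in (sample_kernel_dump_header(), sample_minidump_header()):
        print(classify_dump(blob))
```

Running the script on a real C:\Windows\MEMORY.DMP or Minidump\*.dmp (read the first 256 bytes of the file) gives you the stop code before symbols are even loaded, which is a quick sanity check against what !analyze -v reports.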
