Some questions about BSoD


  1. Posts : 6
    Windows 7 x64
       #1



    Hello,
    I'm new here and I'm not sure if I sent this thread to the right place.
    I have some questions and can't find answers; I would be grateful if anyone could help me find them.
    _________________________________________________
    As I have Win7, I'm not sure I can ask about my BSoDs here, so I'll ask a few general questions about BSoDs.

    1) If we don't find any blamed driver name in minidumps (except Windows drivers), does that mean it's most likely a hardware problem?

    2) What does the "!blackboxpnp" command do in WinDbg? Does it show the faulty device name (in the DeviceId line) that caused the BSoD?

    3) Sometimes I see something like "fffff80384bfd022, Address of the instruction which caused the bugcheck" in minidumps, and the "!address fffff80384bfd022" command doesn't show anything about a faulty device or driver. So how do I find what "fffff80384bfd022" actually is? (I mean, how do I find which driver this address is related to?)


    Many thanks.


  2. Posts : 13,933
    Windows 10 Pro X64 21H1 19043.1503
       #2

    This forum is for Windows 10 BSODs. Post your problem here: Windows 7 BSOD Help and Support


  3. Posts : 1,244
    Windows 10 Pro x64 21H2 (Build: 19044.1415)
       #3

    NetCat said:
    If we don't find any blamed driver name in minidumps (except Windows drivers), does that mean it's most likely a hardware problem?
    Unfortunately it does not, it's not as straightforward as "either A or B".

    What does the "!blackboxpnp" command do in WinDbg? Does it show the faulty device name (in the DeviceId line) that caused the BSoD?
    It displays information about PnP devices that may be captured during creation of a dump file, but this data is not guaranteed to be present in a dump file.

    PnP devices are those devices which don't need a user to set up anything, like driver installations and hardware switches.
    A PnP device, once connected to the computer, will "just work": Windows will automatically detect it and install the appropriate driver. (Windows gets those drivers from device manufacturers.)

    Here is an example when you run !blackboxpnp:

    Code:
    10: kd> !blackboxpnp
        PnpActivityId      : {00000000-0000-0000-0000-000000000000}
        PnpActivityTime    : 132598168793751032
        PnpEventInformation: 3
        PnpEventInProgress : 0
        PnpProblemCode     : 24
        PnpVetoType        : 0
        DeviceId           : STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot1
        VetoString
    In the code above the "PnpProblemCode" is 24, which means the following:
    Full Error Message
    This device is not present, is not working properly, or does not have all its drivers installed. (Code 24)

    Cause
    The device is installed incorrectly. The problem could be a hardware failure, or a new driver might be needed. Devices stay in this state if they have been prepared for removal. After you remove the device, this error disappears.
    "PnpEventInformation" will tell you which exact device is likely causing trouble or is not working; you can find this information in the PnP category of Event Viewer by searching for the event number.
    You could then search for the vendor and device ID online, e.g. for new drivers or known issues.

    Other similar commands are:
    1. !blackboxscm
    2. !blackboxbsd
    3. !blackboxntfs


    Sometimes I see something like "fffff80384bfd022, Address of the instruction which caused the bugcheck" in minidumps, and the "!address fffff80384bfd022" command doesn't show anything about a faulty device or driver. So how do I find what "fffff80384bfd022" actually is? (I mean, how do I find which driver this address is related to?)
    There is no general formula because it depends on bugcheck code, there are many different bugchecks and each one is handled differently as explained here:
    https://docs.microsoft.com/en-us/win...ode-reference2

    If your goal is to just have an approximation of what could be the cause, a bugcheck reference link above will be enough.

    Otherwise, if you want to go one step further, there are a lot of commands that you'll want to master:
    https://docs.microsoft.com/en-us/win...ugger-commands

    In order to master the commands you'll need a solid programming background to understand what they really do.
    However even all this knowledge may not be enough without a lot of practice.


  4. Posts : 6
    Windows 7 x64
    Thread Starter
       #4

    Ztruker said:
    This forum is for Windows 10 BSODs. Post your problem here: Windows 7 BSOD Help and Support
    Hello Ztruker,
    It seems both websites belong to one person, so do I have to create another account on that website, or can I log in with this ID and password on both websites (without registering again)?

    zebal said:
    Unfortunately it does not, it's not as straightforward as "either A or B".
    Hello Zebal,
    I'm just thinking, so what is the next step when there is no driver named in more than 5-6 minidumps? Sometimes it actually seems insoluble.
    It displays information about PnP devices that may be captured during creation of a dump file, but this data is not guaranteed to be present in a dump file.

    PnP devices are those devices which don't need a user to set up anything, like driver installations and hardware switches.
    A PnP device, once connected to the computer, will "just work": Windows will automatically detect it and install the appropriate driver. (Windows gets those drivers from device manufacturers.)

    Here is an example when you run !blackboxpnp:

    Code:
    10: kd> !blackboxpnp
        PnpActivityId      : {00000000-0000-0000-0000-000000000000}
        PnpActivityTime    : 132598168793751032
        PnpEventInformation: 3
        PnpEventInProgress : 0
        PnpProblemCode     : 24
        PnpVetoType        : 0
        DeviceId           : STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot1
        VetoString
    In the code above the "PnpProblemCode" is 24, which means the following
    Many thanks for sharing this good information. So it seems most USB devices must be PnP devices.
    But what about components like the CPU that can be overclocked and downclocked by the user; are these components PnP devices too?
    "PnpEventInformation" will tell you which exact device is likely causing trouble or is not working; you can find this information in the PnP category of Event Viewer by searching for the event number.
    You could then search for the vendor and device ID online, e.g. for new drivers or known issues.

    Other similar commands are:
    1. !blackboxscm
    2. !blackboxbsd
    3. !blackboxntfs
    Unfortunately I don't know how to find the "PnP category" in my Event Viewer. I created a custom view with this information:
    Logged: Any time; checked all event levels; checked the "By Source" box with this info: "Kernel-PnP, PnPMgrTriggerProvider, PNRPSvc"
    But it only shows some Kernel-PnP events at Warning level:
    https://i.imgur.com/6kcUOiA.png
    https://i.imgur.com/Cjb2nMJ.png
    (I think these Warning-level events belong to some "TDR delay timed out" crash, because I get them so many times, but I'm not sure.)
    There is no general formula because it depends on bugcheck code, there are many different bugchecks and each one is handled differently as explained here:
    https://docs.microsoft.com/en-us/win...ode-reference2

    If your goal is to just have an approximation of what could be the cause, a bugcheck reference link above will be enough.

    Otherwise, if you want to go one step further, there are a lot of commands that you'll want to master:
    https://docs.microsoft.com/en-us/win...ugger-commands

    In order to master the commands you'll need a solid programming background to understand what they really do.
    However even all this knowledge may not be enough without a lot of practice.
    No, I just want to find the cause. This is an example:
    The minidump shows this bugcheck:
    Code:
    SYSTEM_THREAD_EXCEPTION_NOT_HANDLED_M (1000007e)
    Arg1: ffffffffc0000005, The exception code that was not handled
    Arg2: fffff8061df55634, The address that the exception occurred at
    Arg3: ffff8b01498376e8, Exception Record Address
    Arg4: ffff8b0149836f30, Context Record Address
    Microsoft says for this bugcheck, "Bug check 0x1000007E has the same meaning and parameters as bug check 0x7E":
    Resolution:
    If you plan to debug this problem, the exception address (parameter 2) should identify the driver or function that caused this problem.
    Now when I use the "!address" command with Arg2, this detail is shown:
    Code:
    2: kd> !address fffff8061df55634
    Mapping user range ...
    ERROR: !address: extension exception 0x80004005.
        "ExtRemoteTyped::Set from type and offset"
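
An added example, not part of any post in this thread: an exception address such as Arg2 is tied to a driver by finding the loaded-module range that contains it, which is the lookup `lm a <address>` performs in WinDbg. The `lm` listing below is constructed (its ranges and the module name `exampledrv` are invented); only the two addresses are taken from the thread.

```python
import bisect
import re

# Constructed `lm` listing: the ranges and the name "exampledrv" are invented
# for illustration and do not come from the thread's dump.
SAMPLE_LM = """\
start             end                 module name
fffff806`1a000000 fffff806`1b046000   nt         (pdb symbols)
fffff806`1df40000 fffff806`1df6a000   exampledrv   (no symbols)
fffff806`1e200000 fffff806`1e2f3000   ndis       (deferred)
"""

# A row is two 64-bit addresses (WinDbg prints a backtick in the middle)
# followed by the module name; header and blank lines do not match.
LM_ROW = re.compile(
    r"^([0-9a-f]{8}`?[0-9a-f]{8})\s+([0-9a-f]{8}`?[0-9a-f]{8})\s+(\S+)", re.I)


def parse_addr(text):
    """Parse an address as WinDbg prints it, with or without the backtick."""
    return int(text.replace("`", ""), 16)


def parse_lm(listing):
    """Return a sorted list of (start, end, name) tuples from `lm` output."""
    modules = []
    for line in listing.splitlines():
        row = LM_ROW.match(line.strip())
        if row:
            start, end, name = row.groups()
            modules.append((parse_addr(start), parse_addr(end), name))
    return sorted(modules)


def resolve(modules, address):
    """Return 'module+0xoffset' for the image containing address, else None."""
    starts = [start for start, _, _ in modules]
    i = bisect.bisect_right(starts, address) - 1
    if i >= 0:
        start, end, name = modules[i]
        if start <= address < end:
            return "%s+0x%x" % (name, address - start)
    # Not inside any listed image: pool or stack memory, an unloaded driver,
    # or a module list the dump did not capture.
    return None


if __name__ == "__main__":
    mods = parse_lm(SAMPLE_LM)
    for arg in ("fffff8061df55634", "fffff80384bfd022"):  # addresses from the thread
        print(arg, "->", resolve(mods, parse_addr(arg)))
```
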


  5. Posts : 1,244
    Windows 10 Pro x64 21H2 (Build: 19044.1415)
       #5

    @NetCat

    Please excuse me because I was very likely wrong about the !blackboxpnp debugger extension. The blackbox* extensions are relatively new; in particular "!blackboxpnp" is not even documented from what I see, I don't think anyone is using it, and it looks like it's not giving the desired information (except for the PnP device "DeviceId" and a few other fields which you can copy and search for in Event Viewer for more information). It surely won't tell you which driver is faulty by giving out its name.

    You can compare it to other documented blackbox* extensions and you'll see they all have several things in common, if you wish to learn these.

    Unfortunately I don't know how to find the "PnP category" in my Event Viewer.
    Application and Services logs\Microsoft\Windows\Kernel-PnP

    However you need to look for time when the dump was made, which is specified in WinDbg starting "welcome", time is also probably specified in "PnpActivityTime" field which needs to be converted according to time zone specified in the dump file.

    So it seems most of USB devices must be PnP devices
    Yes.

    No, I just want to find the cause. This is an example:
    The minidump shows this bugcheck:
    Code:
    SYSTEM_THREAD_EXCEPTION_NOT_HANDLED_M (1000007e)
    Arg1: ffffffffc0000005, The exception code that was not handled
    Arg2: fffff8061df55634, The address that the exception occurred at
    Arg3: ffff8b01498376e8, Exception Record Address
    Arg4: ffff8b0149836f30, Context Record Address
    Your very first step is to learn to read documentation (not a joke), if you don't understand it, read again and again.
    The error 0x80004005 (it means "Unspecified error") simply doesn't tell you anything about why it failed; you probably don't have a full memory dump.

    You could get better results with:
    https://docs.microsoft.com/en-us/win...s-and-symbols-

    You can then speculate on the captured memory region, e.g. by examining readable characters.
    See also:
    https://docs.microsoft.com/en-us/win...writing-memory
    Also:
    https://docs.microsoft.com/en-us/win...search-memory-

    Anyway, I feel like this could lead to a very long discussion which I'm not sure you could follow, and as Ztruker told you, this subforum isn't meant to be used for this.

    You may want to share logs if you need help:
    BSOD - Posting Instructions
    Last edited by zebal; 21 Mar 2021 at 09:11.
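
An added example, not part of any post in this thread: assuming `PnpActivityTime` is a Windows FILETIME (the extension is undocumented, so this is an assumption), the script below converts the value posted above to UTC and builds a time-window XPath that can be pasted into the XML filter of an Event Viewer custom view. The five-minute window and the helper names are choices made for this example.

```python
from datetime import datetime, timedelta, timezone

# !blackboxpnp output as posted in the thread.
BLACKBOX_PNP = r"""
    PnpActivityId      : {00000000-0000-0000-0000-000000000000}
    PnpActivityTime    : 132598168793751032
    PnpEventInformation: 3
    PnpEventInProgress : 0
    PnpProblemCode     : 24
    PnpVetoType        : 0
    DeviceId           : STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot1
    VetoString
"""

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def parse_blackbox(text):
    """Split 'Name : value' lines into a dict; a bare name maps to ''."""
    fields = {}
    for line in text.splitlines():
        if line.strip():
            name, _, value = line.partition(":")
            fields[name.strip()] = value.strip()
    return fields


def filetime_to_utc(ticks):
    """Assumption: ticks is a FILETIME (100 ns units since 1601-01-01 UTC)."""
    if ticks <= 0:
        raise ValueError("not a plausible FILETIME value")
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def local_time(when_utc, utc_offset_hours):
    """The same instant in the crashed machine's zone, e.g. -5 for UTC-5."""
    return when_utc.astimezone(timezone(timedelta(hours=utc_offset_hours)))


def event_xpath(when_utc, minutes=5):
    """XPath for an Event Viewer XML filter: events within +/- minutes (UTC)."""
    fmt = "%Y-%m-%dT%H:%M:%S.000Z"
    lo = (when_utc - timedelta(minutes=minutes)).strftime(fmt)
    hi = (when_utc + timedelta(minutes=minutes)).strftime(fmt)
    return ("*[System[TimeCreated[@SystemTime>='%s' and @SystemTime<='%s']]]"
            % (lo, hi))


if __name__ == "__main__":
    fields = parse_blackbox(BLACKBOX_PNP)
    when = filetime_to_utc(int(fields["PnpActivityTime"]))
    print(fields["DeviceId"], "problem code", fields["PnpProblemCode"])
    print("UTC:", when.isoformat())
    print(event_xpath(when))
```
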


  6. Posts : 6
    Windows 7 x64
    Thread Starter
       #6

    zebal said:
    @NetCat

    Please excuse me because I was very likely wrong about the !blackboxpnp debugger extension. The blackbox* extensions are relatively new; in particular "!blackboxpnp" is not even documented from what I see, I don't think anyone is using it, and it looks like it's not giving the desired information (except for the PnP device "DeviceId" and a few other fields which you can copy and search for in Event Viewer for more information). It surely won't tell you which driver is faulty by giving out its name.

    You can compare it to other documented blackbox* extensions and you'll see they all have several things in common, if you wish to learn these.


    Application and Services logs\Microsoft\Windows\Kernel-PnP

    However you need to look for time when the dump was made, which is specified in WinDbg starting "welcome", time is also probably specified in "PnpActivityTime" field which needs to be converted according to time zone specified in the dump file.
    I agree it really doesn't show many useful things about the cause, but I think you were right that the devices named there are captured when the bugcheck happens, because most PCs have a mouse, keyboard and other USB devices, and it's normal to see a USB device captured in minidumps.
    Your very first step is to learn to read documentation (not a joke), if you don't understand it, read again and again.
    The error 0x80004005 (it means "Unspecified error") simply doesn't tell you anything about why it failed; you probably don't have a full memory dump.

    You could get better results with:
    https://docs.microsoft.com/en-us/win...s-and-symbols-

    You can then speculate on the captured memory region, e.g. by examining readable characters.
    See also:
    https://docs.microsoft.com/en-us/win...writing-memory
    Also:
    https://docs.microsoft.com/en-us/win...search-memory-

    Anyway, I feel like this could lead to a very long discussion which I'm not sure you could follow, and as Ztruker told you, this subforum isn't meant to be used for this.

    You may want to share logs if you need help:
    BSOD - Posting Instructions
    In fact I started learning about BSoDs some months ago, because I had this problem for months; some of the problems were solved, but some still persist...
    I know some commands like dps and dqs, giving them a range, but dD, dd and dds are the worst; actually they don't show any useful information.

    Most of the commands on docs.microsoft.com are for developers and programmers debugging Windows or software.
    I'm just interested in analyzing BSoDs, but unfortunately there is no good reference on the internet, and I have many questions about this without any answer.

    About the "s (Search Memory)" command in the references: it seems it's a good command; I haven't used it before. I have to learn what this command can do.

    Many thanks :)


  7. Posts : 1,244
    Windows 10 Pro x64 21H2 (Build: 19044.1415)
       #7

    NetCat said:
    I agree it really doesn't show many useful things about the cause, but I think you were right that the devices named there are captured when the bugcheck happens, because most PCs have a mouse, keyboard and other USB devices, and it's normal to see a USB device captured in minidumps.
    Keep in mind that the word "blackbox" itself tells you a lot: these are separate black boxes, and a black box, like in a plane crash, will tell you what was happening during a crash! (but not why)

    Most of the commands on docs.microsoft.com are for developers and programmers debugging Windows or software.
    I'm just interested in analyzing BSoDs, but unfortunately there is no good reference on the internet, and I have many questions about this without any answer.
    If this makes you happy, out of 100 random developers only about 5 of them know (or care) how to use WinDbg.
    That probably answers why online tutorials are so rare; we all need to make our own efforts and carefully bookmark good articles and blogs for future reference.


  8. Posts : 5,176
    64bit Win 10 Pro ver 21H2
       #8
    Last edited by philc43; 21 Mar 2021 at 13:08.


  9. Posts : 6
    Windows 7 x64
    Thread Starter
       #9

    zebal said:
    Keep in mind that the word "blackbox" itself tells you a lot: these are separate black boxes, and a black box, like in a plane crash, will tell you what was happening during a crash! (but not why)


    If this makes you happy, out of 100 random developers only about 5 of them know (or care) how to use WinDbg.
    That probably answers why online tutorials are so rare; we all need to make our own efforts and carefully bookmark good articles and blogs for future reference.
    Best explanation, actually :)
    "a black box like in plane crash will tell you what was happening during a crash! (but not why)"

    I thought before that Microsoft itself doesn't share general helpful information about dump analysis! :P
    I guessed this because there is smth called private symbols, but what private symbols can do in analysis, idk!

    Many thanks :)
    philc43 said:
    Hello philc43,
    These are really good and helpful topics about dump analysis that I saw;
    gladly I learned most of them and practiced some of them.
    But I have some questions that I can't find any answer for, or a place to ask
    (about kernel-mode analysis, about some commands, about some details shown in "analyze -v", for example what "AV_.." means in the failure bugcheck ID, and many more questions...)

    Many thanks :)


  10. Posts : 13,933
    Windows 10 Pro X64 21H1 19043.1503
       #10

    @NetCat, each forum requires its own login. It can be the same on 7 forums as it is on 10 forums, but you need to set it up separately there as well as on 10 forums.


 

All times are GMT -5. The time now is 05:34.