This is a tutorial on how to set up and read your minidump files when you get a BSOD (Blue Screen of Death) in an attempt to get more information about the cause of the problem. The first is the first. Download the latest debugging tools from the Microsoft site.
Then go to Start/Start Search. I type
The command cmd.
Then change directories to:
C:Program FilesDebugging Tools for Windows (x86)
using the command:
cd c:program files debugging tools for windows (x86)
It is not case sensitive when using the CD domain.
Then write:
windbg.exe zc:windowsminidumpmini06190901.dmp c “!analyze v”
Your minidump file is located at C:WindowsMinidumpMini06200901.dmp. It will have the format “MiniMMDDYY01.dmp”.
THE CORE SYMBOLS ARE INCORRECT. PLEASE CORRECT SYMBOLS TO MAKE ANALYSIS
If somewhere in the output of the bug check analysis you see an error like:
The kernel symbols are INCORRECT. Correct the symbols to do the analysis.
Then most likely you are using old and incompatible symbols or files are corrupted or you do not have the proper symbols in the specified location when the Windbg program was trying to parse the minidump file. So what I did was open the Windbg program located at C:Program FilesDebugging Tools for Windows (x86) (on Vista and I think it’s the same location for XP).
CONFIGURING THE SYMBOL FILE PATH VIA THE WINDBG COMMAND LINE:
This is an important step, so make sure your symbol path file is set up correctly so you don’t get Kernel symbols are INCORRECT or other types of errors. Now set the Symbol File Path (File/Symbol File Path) to:
SRVe:symbols[path to microsoft symbols path]
However, for some reason, I found that to set the symbol file path in the “File Path to Symbols/File” field cannot be changed directly with the “File Path to Symbols/File” field. So, I found out that you have to change it through the Windbg command window by going to:
“View/Command”
At the bottom of the command window next to the “kd>” prompt, type this:
.sympath SRVe:symbols[path to microsoft symbols path].
The part between the two asterisks ( ) is where the symbols will be downloaded from the Microsoft servers. It’s pretty big (about 22 MB), so make sure you have enough disk space.
SETTING THE SYMBOL FILE PATH IN THE ENVIRONMENT VARIABLE:
Alternatively, you can set it in your environment variable, either in your system or user’s environment variable. To do this, click WINDOWS KEY+e. The WINDOWS KEY is the key to the right of the LEFT CTRL key on the keyboard. This will open Windows Explorer.
Then click on “Advanced system settings” at the top left of the window. This step applies to Vista only. For XP users, just click on the Advanced tab.
Then click the “Environment Variable” button at the bottom of the window.
Then click the “New” button under System Variables. Again, you can create the environment as a user environment variable.
In the “Variable Name” type:
_NT_SYMBOL_PATH
In the type “VariableValue”:
symsrvsymsrv.dll:symbols[path to microsoft symbols path]
If you set the symbol file path as a system environment variable, I think you’ll have to restart your computer for it to take effect.
WINDBG COMMAND OUTPUT
So the following is the result of my crash:
Microsoft (R) Windows Debugger Version 6.11.0001.404 X86
Copyright (c) Microsoft Corporation. All rights reserved.
Loading dump file [c:windowsminidumpmini06260901.dmp]
Mini kernel dump file: only logs and stack trace are available
The symbol search path is: SRVe:symbols[path to microsoft symbols]
The executable search path is:
Windows Server 2008/Windows Vista Kernel Version 6001 (Service Pack 1) MP (2 processes) Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS Personal
Built by: 6001.18226.x86fre.vistasp1_gdr.0903021506
Machine name:
Kernel Base = 0x8201d000 PsLoadedModuleList = 0x82134c70
Debug session time: Friday Jun 26 16:25:11.288 2009 (GMT7)
System uptime: 0 days 21:39:36.148
Loading Kernel Symbols
………………………………………………………. .. ………….
………………………………………………………. .. …………..
………………………………………………………. .. ………
Loading user symbols
Loading list of downloaded modules
……………………….
Bug checking analysis
Use !analyze v to get detailed information about debugging.
Bug check A, {8cb5bcc0, 1b, 1, 820d0c1f}
Cannot load image SystemRootsystem32DRIVERSSymIMv.sys, Win32 error 0n2
WARNING: Cannot verify timestamp for SymIMv.sys
ERROR: Module load completed but symbols for SymIMv.sys could not be loaded
Cannot load image SystemRootsystem32DRIVERSNETw3v32.sys, Win32 error 0n2
WARNING: Cannot verify timestamp for NETw3v32.sys
ERROR: Module load completed but symbols for NETw3v32.sys could not be loaded
Processing the initial command ‘!analyze v’
Probably caused by: tdx.sys ( tdx!TdxMessageTlRequestComplete+94 )
Follow-up: machine owner
0: kd> !analyze v
Bug checking analysis
IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pageable (or completely invalid) address on a
interrupt request level (IRQL) that is too high. this is usually
caused by drivers using incorrect addresses.
If a kernel debugger is available, get the stack trace.
Arguments:
Arg1: 8cb5bcc0, referenced memory
Arg2: 0000001b, IRQL
Arg3: 00000001, bit field:
bit 0: value 0 = read operation, 1 = write operation
bit 3: value 0 = not a execute operation, 1 = execute operation (only on chips that support this state level)
Arg4: 820d0c1f, address that referenced memory
Debug details:
WRITE_ADDRESS: GetPointerFromAddress: cannot read from 82154868
Cannot read memory MiSystemVaType at 82134420
8cb5bcc0
CURRENT_IRQL: 1b
IP_ERROR:
nt!KiUnwaitThread+19
820d0c1f 890a mov dword ptr [edx]ecx
CUSTOMER_CRASH_COUNT: 1
DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT
ERROR_STR: 0xA
PROCESS_NAME: System
TRAP_FRAME: 4526c4 (.trap 0xffffffff4526c4)
Error code = 00000002
eax=85c5d4d8 ebx=00000000 ecx=8cb5bcc0 edx=8cb5bcc0 esi=85c5d420 edi=ed9c7048
eip=820d0c1f esp=452738 ebp=45274c iopl=0 nv up ei pl nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010206
nt!KiUnwaitThread+0x19:
820d0c1f 890a mov dword ptr [edx],ecx ds:0023:8cb5bcc0=???????
Default Scope Reset
LAST_CONTROL_TRANSFER: from 820d0c1f to 82077d24
STACK_TEXT:
4526c4 820d0c1f badb0d00 8cb5bcc0 87952ed0 nt!KiTrap0E+0x2ac
45274c 8205f486 00000002 85c5d420 ed9c7048 nt! KiUnwaitThread+0x19
452770 8205f52a ed9c7048 ed9c7008 00000000 nt!KiInsertQueueApc+0x2a0
452790 8205742b ed9c7048 00000000 00000000 nt!KeInsertQueueApc+0x4b
4527c8 8f989cd0 e79e1e88 e79e1f70 00000000 nt!IopfRequest complete+0x438
4527e0 8a869ce7 00000007 00000000 00000007 tdx!TdxMessageTlRequestComplete+0x94
452804 8a869d33 e79e1f70 e79e1e88 00000000 tcpip!UdpEndSendMessages+0xfa
45281c 8a560c7f e79e1e88 00000001 00000000 tcpip!UdpSendMessagesDatagramsComplete+0x22
…
STACK_COMMAND: kb
TRACKING_IP:
tdx!TdxMessageTlRequestComplete+94
8f989cd0 6804010000 thrust 104h
SYMBOL_STACK_INDEX: 5
SYMBOL_NAME: tdx!TdxMessageTlRequestComplete+94
FOLLOWUP_NAME: machine owner
MODULE_NAME: tdx
IMAGE_NAME: tdx.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 479190ee
FAILURE_BUCKET_ID: 0xA_tdx!TdxMessageTlRequestComplete+94
BUCKET_ID: 0xA_tdx!TdxMessageTlRequestComplete+94
Follow-up: machine owner
It looks like a bunch of hieroglyphic gibberish. However, by looking closely, you can learn more about the possible problem or the cause of the problem. The PROCESS_NAME is the System that suggests a system process. The MODULE_NAME is tdx.
KD OUTPUT COMMAND: LMVM TDX
The tdx was clickable for me, running the command:
kd>lmvm tdx
as a kd command. The ‘lm’ in “lmvm” is Module Loaded. The ‘v’ is detailed. The ‘m’ is a pattern match. From the chm debugger manual it sets it as:
m pattern
Specifies a pattern that the module name must match. The pattern can contain a variety of wildcards and specifiers. For more information about the syntax of this information, see String Wildcard Syntax.
You can find a lot of information in the chm manual when you download windbg from Microsoft. It will be located here:
C:Program FilesDebugger Tools for Windows (x86)debugger.chm
The output of the above command is:
0: kd>lmvm tdx
start end module name
8f97f000 8f995000 tdx (pdb symbols) c:Program FilesDebugging Tools for Windows (x86)symtdx.pdbCFB0726BF9864FDDA4B793D5E641E5531tdx.pdb
Loaded symbol image file: tdx.sys
Mapped memory image file: c:Program FilesDebugging Tools for Windows (x86)symtdx.sys479190EE16000tdx.sys
Image path: SystemRootsystem32DRIVERStdx.sys
Image name: tdx.sys
Timestamp: Fri Jan 18 21:55:58 2008 (479190EE)
Checksum: 0001391F
Image size: 00016000
File version: 6.0.6001.18000
Product version: 6.0.6001.18000
File Flags: 0 (3F Mask)
File OS: 40004 NT Win32
File Type: 3.6 Driver
File Date: 00000000.00000000
Translations: 0409.04b0
Company name: Microsoft Corporation
Product Name: Microsoft® Windows® Operating System
Internal name: tdx.sys
Original file name: tdx.sys
Product version: 6.0.6001.18000
File version: 6.0.6001.18000 (longhorn_rtm.0801181840)
File Description:TDI Translation Driver
Legal Copyright: © Microsoft Corporation. All rights reserved.
So we get more information. Who makes the module and the possible cause of the problem.
I look at STACK_TEXT and there are references to tcpip and NETIO which seem to hint at a network issue. So I googled others with BSOD and tdx.sys problem and there is a fix for this problem. A BIG word of caution though – do not download the hotfix if this particular issue does not apply to you. Microsoft suggests using Microsoft update procedures which will include all fixes.
To get the link to the hotfix for the network problem, google “Hotfix 934611 microsoft”.
I did not download this hotfix, instead I chose to update my service pack. Vista is currently on Service Pack 2. I only had Service Pack 1. So I’ll see if this fixes the problem.
To check which service pack you have installed and which bit version (32-bit or 64-bit), go to:
“Home/Team”. Right-click on “Computer” and then click on “Properties.” You will see the service pack information under the “Windows Edition” heading. Under the “System” heading (about halfway down the page) you will see “System Type:” which will show whether you have 32-bit or 64-bit versions installed.
To get Service Pack 2 for Vista Google “Sp2 Vista Microsoft”.