Windows debugging - Analyzing a BSOD crash dump
Introduction
We have all seen a blue screen of death (BSOD) on Windows at least once. But what exactly is happening? Where is the crash information stored, and how can it be analyzed?
At the time of a blue screen of death (BSOD), the Windows system writes a file at C:\Windows\MEMORY.DMP containing all the useful information about the state of the system at the time of the crash.
Installing the Windows SDK
To work with Windows kernel crash dumps, we need WinDbg, which is shipped in the Windows Software Development Kit (SDK):
- For Windows 7, 8, 10 and 11:
- For Windows Vista and XP:
Installing the tools
First, we install the Debugging Tools for Windows from the SDK:
At the end of the installation, we have WinDbg installed on the machine for all architectures supported by Windows 10.
Configuring WinDbg
Now that WinDbg is installed, we need to configure it before importing a crash dump. The first thing to configure is the symbol source for debugging. To do this, open the File > Symbol file path menu and paste the following value, which adds both a local symbol cache (in C:\Windows\PDBcache) and Microsoft's online symbol server (http://msdl.microsoft.com/download/symbols):
SRV*C:\Windows\PDBcache*http://msdl.microsoft.com/download/symbols
And we have:
Then click on OK and the symbol source is configured.
Loading the dump in WinDbg
First, we need to run WinDbg as Administrator to be able to read the MEMORY.DMP file, which contains all the information captured at the time of the crash and the Blue Screen of Death (BSOD).
Then we open the memory dump (C:\Windows\MEMORY.DMP):
Crash analysis
Now that we have the memory dump loaded in WinDbg, we can start a crash analysis:
Then we can launch an automatic analysis of the crash with !analyze -v. These first results give us an idea of what caused the crash, and in which library or function it occurred:
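The same analysis can be run without the WinDbg GUI, which is handy when triaging many dumps. The script below is an added example, not part of the original article: it drives kd.exe (from the same Debugging Tools for Windows) in batch mode with the article's symbol path and dump location, and pulls the triage fields out of the !analyze -v text. The kd.exe location, the field names selected, and the sample output are assumptions; the sample is constructed, not taken from a real dump.

```python
import re
import shutil
import subprocess

# Symbol path and dump location from the article.
SYMBOL_PATH = r"SRV*C:\Windows\PDBcache*http://msdl.microsoft.com/download/symbols"
DUMP_PATH = r"C:\Windows\MEMORY.DMP"

# "!analyze -v" fields that give the quickest triage picture (assumed selection).
FIELDS = ("BUGCHECK_CODE", "PROCESS_NAME", "MODULE_NAME", "IMAGE_NAME",
          "SYMBOL_NAME", "FAILURE_BUCKET_ID")

def build_kd_command(dump=DUMP_PATH, symbol_path=SYMBOL_PATH, kd="kd.exe"):
    """Non-interactive kd run: open the dump (-z), set the symbol path (-y),
    execute !analyze -v and quit (-c). kd.exe is assumed to be on PATH."""
    return [kd, "-z", dump, "-y", symbol_path, "-c", "!analyze -v; q"]

def parse_analyze(output):
    """Collect the first occurrence of each triage field from !analyze -v text."""
    found = {}
    for key, value in re.findall(r"^([A-Z_]+):\s+(.+?)\s*$", output, re.M):
        if key in FIELDS and key not in found:
            found[key] = value
    return found

def triage(dump=DUMP_PATH, symbol_path=SYMBOL_PATH):
    """Run kd.exe on the dump and return the parsed fields ({} if kd.exe is missing)."""
    if shutil.which("kd.exe") is None:
        return {}
    proc = subprocess.run(build_kd_command(dump, symbol_path),
                          capture_output=True, text=True, timeout=600)
    return parse_analyze(proc.stdout)

# Constructed sample of the relevant "!analyze -v" lines (placeholder driver name).
SAMPLE_OUTPUT = """\
*******************************************************************************
*                        Bugcheck Analysis                                    *
*******************************************************************************

BUGCHECK_CODE:  d1

PROCESS_NAME:  System

MODULE_NAME: example_drv

IMAGE_NAME:  example_drv.sys

SYMBOL_NAME:  example_drv+1234

FAILURE_BUCKET_ID:  AV_example_drv!unknown_function
"""

if __name__ == "__main__":
    for key, value in parse_analyze(SAMPLE_OUTPUT).items():
        print(f"{key:20} {value}")
```

On a machine with the SDK installed, call triage() instead of parsing the sample; IMAGE_NAME and FAILURE_BUCKET_ID are usually enough to decide which driver to look at first.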