Windows debugging - Analyzing a BSOD crash dump

We have all seen a blue screen of death (BSOD) on Windows at least once. But what exactly is happening? Where is the crash information stored? How do we analyze it?

When a critical error (also known as a "stop error" or bug check) occurs in Windows, the kernel reaches a state in which it can no longer continue safely. This can be caused by faulty hardware, a buggy or corrupt driver, or a damaged system file, among other reasons. To protect the system from further damage (for example, writing corrupted data to disk), Windows halts all operations and displays the blue screen with error information. This is commonly referred to as the "Blue Screen of Death" or BSOD.

The BSOD contains important information about the error that caused the crash: the stop code name, its hexadecimal value, and in some cases up to four additional parameters listed in parentheses, whose meaning depends on the stop code. These details are the starting point for diagnosing and troubleshooting the problem.

In addition to displaying the BSOD, Windows also writes a crash dump file. This file contains an image of memory at the time of the crash (kernel memory only, or all of physical memory, depending on the dump type configured under System Properties > Advanced > Startup and Recovery), which can be used for further analysis. The crash dump file is typically located in C:\Windows\MEMORY.DMP. Because it is a raw copy of memory, it can contain credentials, keys and other secrets that were in RAM when the crash happened, so treat it as sensitive data before copying it to an analysis machine or sharing it.
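Before opening a debugger it is worth checking how the machine is actually configured to write dumps, and whether the file named MEMORY.DMP really is a kernel dump. The following PowerShell script is an added example and is not part of the original article; it assumes an elevated PowerShell session (MEMORY.DMP is only readable by administrators) and the documented CrashControl registry layout. The 8-byte signatures it checks ("PAGEDU64" for 64-bit Windows, "PAGEDUMP" for 32-bit) are the ones found at the start of kernel and complete memory dumps.

```powershell
# Added example, not from the original article: inspect the crash-dump
# configuration of this machine and locate the dump written at the last crash.
# Assumptions: elevated PowerShell; documented CrashControl registry values.

function Expand-RegPath {
    param([string]$Value)
    # DumpFile and MinidumpDir are REG_EXPAND_SZ; expand %SystemRoot% in case
    # the registry provider did not already do so. Missing values become ''.
    if ($Value) { [Environment]::ExpandEnvironmentVariables($Value) } else { '' }
}

function Get-CrashDumpConfig {
    $cc = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'

    # Documented CrashDumpEnabled values. An "Active memory dump" is stored as
    # type 1 (complete) together with FilterPages = 1.
    $types = @{
        0 = 'None (no dump written)'
        1 = 'Complete memory dump'
        2 = 'Kernel memory dump'
        3 = 'Small memory dump (minidump)'
        7 = 'Automatic memory dump (default since Windows 8)'
    }
    $enabled = [int]$cc.CrashDumpEnabled
    $type = $types[$enabled]
    if ($enabled -eq 1 -and $cc.FilterPages -eq 1) { $type = 'Active memory dump' }

    $dumpFile    = Expand-RegPath $cc.DumpFile
    $minidumpDir = Expand-RegPath $cc.MinidumpDir

    [pscustomobject]@{
        DumpType       = $type
        DumpFile       = $dumpFile
        DumpExists     = ($dumpFile -ne '') -and (Test-Path -LiteralPath $dumpFile)
        MinidumpDir    = $minidumpDir
        LatestMinidump = Get-ChildItem -LiteralPath $minidumpDir -Filter '*.dmp' -ErrorAction SilentlyContinue |
                         Sort-Object LastWriteTime -Descending |
                         Select-Object -First 1 -ExpandProperty FullName
    }
}

function Test-IsKernelDump {
    param([Parameter(Mandatory)][string]$Path)
    # Kernel and complete dumps start with an 8-byte signature: "PAGEDU64" on
    # 64-bit Windows, "PAGEDUMP" on 32-bit. A MEMORY.DMP without it is truncated
    # or not a crash dump at all, and WinDbg will not open it as one.
    $bytes = New-Object byte[] 8
    $fs = [System.IO.File]::OpenRead($Path)
    try { $null = $fs.Read($bytes, 0, 8) } finally { $fs.Dispose() }
    $sig = [System.Text.Encoding]::ASCII.GetString($bytes)
    ($sig -eq 'PAGEDU64') -or ($sig -eq 'PAGEDUMP')
}

$cfg = Get-CrashDumpConfig
$cfg | Format-List
if ($cfg.DumpExists) {
    "Valid kernel dump signature in $($cfg.DumpFile): $(Test-IsKernelDump -Path $cfg.DumpFile)"
}
```

If `DumpType` reports a small memory dump, the file to analyze is the newest entry in `MinidumpDir` rather than MEMORY.DMP, and the analysis in the next sections will have far less memory to work with (no full kernel stacks or driver data), which is why a kernel or automatic dump is preferable when you can choose.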

Installing the Windows SDK

To work with Windows kernel crash dumps, we need WinDbg, which ships as part of the Debugging Tools for Windows component of the Windows Software Development Kit (SDK):

Installation of tools

First, we install the Debugging Tools for Windows from the SDK installer (the other SDK components are not required):

At the end of the installation, WinDbg is installed on the machine for all architectures supported by Windows 10 (x86, x64, ARM and ARM64), under the Windows Kits\10\Debuggers folder.

Configuring WinDbg

Now that WinDbg is installed, we need to configure it before loading a crash dump. The first thing to configure is the symbol source: without symbols for the kernel and drivers, stack traces show raw addresses instead of function names. Go to File > Symbol File Path and paste the value below, which adds a local symbol cache (in C:\Windows\PDBcache) and the Microsoft online symbol server (from http:/ /


The dialog then looks like this:

Click OK and the symbol source is configured. The same path can also be set outside the GUI through the _NT_SYMBOL_PATH environment variable, which every debugger from the Debugging Tools (WinDbg, kd, cdb) reads at startup.

Loading the dump in WinDbg

First, we need to run WinDbg as Administrator, because MEMORY.DMP is only readable by administrators; it contains everything captured at the time of the crash and the Blue Screen of Death (BSOD).

Then we open the memory dump via File > Open Crash Dump (here C:\Windows\MEMORY.DMP):

Crash analysis

Now that the memory dump is loaded in WinDbg, we can start the crash analysis:

Once the dump is loaded, we launch an automatic analysis of the crash with !analyze -v (verbose). These first results give an idea of what caused the crash (the stop code and its parameters, the faulting process) and in which module / function it occurred:
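The same analysis can be run headlessly with kd.exe, the command-line kernel debugger installed alongside WinDbg, which is convenient when dumps are collected from several machines or need to be triaged on a schedule. The PowerShell script below is an added example, not the article's or Microsoft's own code; it assumes the Debugging Tools are installed under the default SDK path, that the dump is C:\Windows\MEMORY.DMP, and that the session is elevated. It also configures the symbol path described in the "Configuring WinDbg" section, via the _NT_SYMBOL_PATH environment variable instead of the GUI. The field labels it extracts (BUGCHECK_CODE, PROCESS_NAME, IMAGE_NAME, FAILURE_BUCKET_ID, ...) are those printed by current versions of !analyze -v; older debuggers print slightly different labels, in which case the full log is still available for manual reading.

```powershell
# Added example, not from the original article: run !analyze -v on a crash dump
# without the WinDbg GUI and extract the fields a triage usually starts from.
# Assumptions: default SDK install path, dump at C:\Windows\MEMORY.DMP,
# elevated session, network access to the Microsoft symbol server.

function Invoke-DumpAnalysis {
    param(
        [string]$DumpPath = 'C:\Windows\MEMORY.DMP',
        [string]$KdPath   = 'C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\kd.exe',
        [string]$LogPath  = (Join-Path $env:TEMP 'bsod-analysis.log')
    )
    if (-not (Test-Path -LiteralPath $KdPath))   { throw "kd.exe not found at $KdPath" }
    if (-not (Test-Path -LiteralPath $DumpPath)) { throw "Dump not found at $DumpPath (is the session elevated?)" }

    # Same symbol path the article sets in File > Symbol File Path: local cache
    # first (C:\Windows\PDBcache), Microsoft public symbol server second.
    $env:_NT_SYMBOL_PATH = 'srv*C:\Windows\PDBcache*https://msdl.microsoft.com/download/symbols'

    # -z loads the dump, -logo starts a fresh log file, -c runs the given
    # commands once the dump is open; the trailing q quits the debugger.
    & $KdPath -z $DumpPath -logo $LogPath -c '!analyze -v; q' | Out-Null

    # Pick out the summary fields from the log. STACK_TEXT and the rest of the
    # verbose output stay in $LogPath for manual review.
    $wanted = 'BUGCHECK_CODE', 'BUGCHECK_P1', 'BUGCHECK_P2', 'BUGCHECK_P3', 'BUGCHECK_P4',
              'PROCESS_NAME', 'MODULE_NAME', 'IMAGE_NAME', 'SYMBOL_NAME', 'FAILURE_BUCKET_ID'
    $result = [ordered]@{ LogPath = $LogPath }
    foreach ($line in Get-Content -LiteralPath $LogPath) {
        # Lines look like "BUGCHECK_CODE:  d1" or "IMAGE_NAME:  somedriver.sys"
        if ($line -match '^\s*([A-Z0-9_]+):\s+(.*\S)\s*$' -and $wanted -contains $Matches[1]) {
            $result[$Matches[1]] = $Matches[2]
        }
    }
    [pscustomobject]$result
}

Invoke-DumpAnalysis | Format-List
```

The first run is slow because the kernel and driver symbols are downloaded into C:\Windows\PDBcache; later runs against dumps from the same build reuse the cache. `IMAGE_NAME` is the usual first pivot: if it names a third-party driver, the crash is most likely in that driver, while `ntoskrnl.exe` or a memory-related stop code with nothing obvious in the stack points more towards hardware or a driver corrupting memory owned by someone else, which is where the full `!analyze -v` log and a manual stack walk come in.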