Windows debugging - Analyzing a BSOD crash dump

Apr 20, 2023   

Introduction

Everyone has seen a Windows blue screen of death (BSOD) at least once. But what exactly is happening? Where is the crash information stored? And how do we analyze it?

When a blue screen of death (BSOD) occurs, Windows writes a crash dump file, by default C:\Windows\MEMORY.DMP, containing the state of the system at the moment of the crash: the bug check code and its parameters, the loaded modules, and (depending on the dump type configured under System Properties > Advanced > Startup and Recovery) part or all of kernel memory. If the machine is set to "Small memory dump", the data goes instead to one file per crash under C:\Windows\Minidump, so check that setting before looking for the file.
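Before hunting for the file, it is worth checking how the machine is actually configured. The following PowerShell script is an added example and is not part of the original post: it reads the CrashControl registry key that backs the Startup and Recovery dialog, prints the dump type and configured paths, and reports whether a dump is present. The value meanings are the documented CrashControl settings; the paths are the Windows defaults.

```powershell
# Added example (not from the original post): show the crash dump configuration of this
# machine and whether a dump file already exists. Values are read from the CrashControl
# key, which is what System Properties > Startup and Recovery writes to.
$cc = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'

# Documented CrashDumpEnabled values (an "Active memory dump" is 1 with FilterPages set).
$dumpTypes = @{
    0 = 'None'
    1 = 'Complete memory dump'
    2 = 'Kernel memory dump'
    3 = 'Small memory dump (one file per crash in the Minidump folder)'
    7 = 'Automatic memory dump'
}

$type = [int]$cc.CrashDumpEnabled
"Dump type         : $type ($($dumpTypes[$type]))"
"Dump file         : $($cc.DumpFile)"
"Minidump folder   : $($cc.MinidumpDir)"
"Overwrite existing: $($cc.Overwrite)"

# The registry stores these paths with %SystemRoot%; expand them before testing, in case
# the value comes back unexpanded.
$dumpPath = [Environment]::ExpandEnvironmentVariables([string]$cc.DumpFile)
if ($dumpPath -and (Test-Path $dumpPath)) {
    $f = Get-Item $dumpPath
    "Found $($f.FullName): $([math]::Round($f.Length / 1MB)) MB, written $($f.LastWriteTime)"
} else {
    "No full/kernel dump at '$dumpPath'"
}

# Small dumps land in the Minidump folder, newest first.
$miniDir = [Environment]::ExpandEnvironmentVariables([string]$cc.MinidumpDir)
if ($miniDir -and (Test-Path $miniDir)) {
    Get-ChildItem $miniDir -Filter *.dmp |
        Sort-Object LastWriteTime -Descending |
        Select-Object Name, Length, LastWriteTime
}
```

Run it from an elevated PowerShell: reading the registry key works as a normal user, but C:\Windows\MEMORY.DMP itself is only readable by Administrators and SYSTEM by default, so Test-Path can report "no dump" from a non-elevated session even when the file is there.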

Installing the Windows SDK

To work with Windows kernel crash dumps, we need WinDbg, which ships as part of the Debugging Tools for Windows in the Windows Software Development Kit (SDK):

Installation of tools

First, we will install the Debugging Tools for Windows from the SDK:

At the end of the installation, we have WinDbg installed on the machine for all architectures supported by Windows 10.

Configuring WinDbg

Now that WinDbg is installed, it needs to be configured before loading a crash dump. The first thing to configure is the symbol source: without symbols, stack traces show raw addresses instead of function names and !analyze cannot do much. Go to the File > Symbol File Path menu and paste the value below, which uses a local cache (C:\Windows\PDBcache) in front of the Microsoft public symbol server (http://msdl.microsoft.com/download/symbols). The same value can also be set from the debugger command line with .sympath, or placed in the _NT_SYMBOL_PATH environment variable so that every debugger on the machine picks it up:

SRV*C:\Windows\PDBcache*http://msdl.microsoft.com/download/symbols

And we have:

Then click on OK and the symbol source is configured.

Loading the dump in WinDbg

First, WinDbg has to run as Administrator: by default C:\Windows\MEMORY.DMP is only readable by Administrators and SYSTEM, so a non-elevated WinDbg will fail to open it. (Copying the dump to another folder, or analyzing a dump taken from another machine, works without elevation.)

Then open the dump through File > Open Crash Dump (Ctrl+D) and select C:\Windows\MEMORY.DMP:

Crash analysis

Now that we have the memory dump loaded in WinDbg, we can start a crash analysis:

On loading, WinDbg already prints the bug check code and its four arguments. We can then start an automatic analysis with !analyze -v. Its output (BUGCHECK_CODE, the BUGCHECK_P1..P4 arguments, PROCESS_NAME, MODULE_NAME / IMAGE_NAME, the crashing thread's stack and a FAILURE_BUCKET_ID) gives a first idea of what caused the crash and in which module / function it occurred. Treat the named module as a lead rather than a verdict: a third-party driver that corrupted memory earlier often gets the kernel itself (nt) blamed, so confirm with the stack (kv) and the loaded module list (lm) before concluding:
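The same analysis can be run without the GUI, which is handy when triaging dumps from several machines. The PowerShell script below is an added example, not code from the original post: it drives kd.exe from the Debugging Tools with the symbol path configured above, logs the !analyze -v, kv and lm output, and extracts the fields worth looking at first. Assumptions: the SDK's default install path for kd.exe, a dump at C:\Windows\MEMORY.DMP, and an elevated PowerShell session. The field names are those printed by !analyze -v; the regex and the nt sanity check are this example's own.

```powershell
# Added example (not from the original post): headless crash triage with kd.exe.
# Assumed paths: default Debugging Tools location and the default dump file.
$kd      = 'C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\kd.exe'
$dump    = 'C:\Windows\MEMORY.DMP'
# Same symbol path as configured in the GUI; the symbol server also answers over https.
$symPath = 'SRV*C:\Windows\PDBcache*https://msdl.microsoft.com/download/symbols'
$log     = Join-Path $env:TEMP 'bsod-analysis.log'

if (-not (Test-Path $kd))   { throw "kd.exe not found at $kd; adjust the path" }
if (-not (Test-Path $dump)) { throw "no dump at $dump (is the session elevated?)" }

# -z opens a crash dump, -y sets the symbol path, -logo overwrites the log file,
# -c runs the commands at startup; 'q' quits once they are done.
#   !analyze -v : automatic analysis (bug check, faulting module, probable cause)
#   kv          : stack of the crashing thread with frame data
#   lm          : loaded modules, to spot third-party drivers
& $kd -z $dump -y $symPath -logo $log -c '!analyze -v; kv; lm; q' | Out-Null

if (-not (Test-Path $log)) { throw "kd.exe produced no log; check the paths above" }
$text = Get-Content $log -Raw

# Fields as they appear in !analyze -v output, e.g. "BUGCHECK_CODE:  d1".
$fields = 'BUGCHECK_CODE', 'BUGCHECK_P1', 'BUGCHECK_P2', 'BUGCHECK_P3', 'BUGCHECK_P4',
          'PROCESS_NAME', 'MODULE_NAME', 'IMAGE_NAME', 'FAILURE_BUCKET_ID'
$summary = [ordered]@{}
foreach ($f in $fields) {
    $pattern = '(?m)^' + [regex]::Escape($f) + '\s*:\s*(.+?)\s*$'
    if ($text -match $pattern) { $summary[$f] = $Matches[1] }
}
$summary

# Sanity check (this example's own heuristic): when the kernel itself is blamed, the
# real culprit is frequently a driver that corrupted memory earlier. Point the reader
# at the stack and module list rather than stopping at MODULE_NAME.
if ($summary['MODULE_NAME'] -eq 'nt') {
    "nt is blamed; review the kv stack and lm module list in $log for non-Microsoft drivers"
}
"Full debugger output: $log"
```

The first run is slow because the symbol cache is empty and every module's PDB is fetched from the symbol server; later runs against the same build are fast. Keep the log: when the summary alone is inconclusive, the kv and lm sections are what you will read next.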
