====== Windows Bluescreen Analysis ======
Bluescreens can have very different triggers. Defective memory, faulty drivers and many other factors can have an influence here.
At first bluescreens seem annoying, but they are a protection against serious damage to the system.
===== 1. Download and install the debugger =====
The debugging tools are part of the Windows SDK. They can be downloaded from Microsoft. It is usually sufficient to install only the debugging tools and deselect the rest of the SDK during the installation process.
===== 2. Open the debugger and load the crash dump =====
After the installation, we open the debugger and first go to **File / Symbol File Paths**.
Here we enter the following:
<code>
SRV*c:\symbols*https://msdl.microsoft.com/download/symbols
</code>
Then we press OK. This path makes the debugger download missing symbols from the Microsoft symbol server and cache them under c:\symbols. This way we avoid unnecessary error messages.
Now we can open the crash dump via **File / Open Crash dump** to load the error report. This is normally located under //"C:\Windows\Minidump"//.
===== 3. First insight =====
The first look sometimes already shows a clue to the problem.
<code>
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck 9F, {3, fffffa800cf757f0, fffff800e9d0b770, fffffa800cf07c60}
*** WARNING: Unable to verify timestamp for amd_sata.sys
*** ERROR: Module load completed but symbols could not be loaded for amd_sata.sys
Probably caused by : amd_sata.sys
Followup: MachineOwner
---------
</code>
Here we can already see that the driver **amd_sata.sys** could be the culprit.
===== 4. Further analysis =====
Now we enter the following command:
<code>
!analyze -v
</code>
This shows us extended analysis information.
<code>
0: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************
DRIVER_POWER_STATE_FAILURE (9f)
A driver has failed to complete a power IRP within a specific time.
Arguments:
Arg1: 0000000000000003, A device object has been blocking an Irp for too long a time
Arg2: fffffa800cf757f0, Physical Device Object of the stack
Arg3: fffff800e9d0b770, nt!TRIAGE_9F_POWER on Win7 and higher, otherwise the Functional Device Object of the stack
Arg4: fffffa800cf07c60, The blocked IRP
Debugging Details:
------------------
DRVPOWERSTATE_SUBCODE: 3
IMAGE_NAME: amd_sata.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 5056e207
MODULE_NAME: amd_sata
FAULTING_MODULE: fffff88001494000 amd_sata
CUSTOMER_CRASH_COUNT: 1
DEFAULT_BUCKET_ID: WIN8_DRIVER_FAULT
BUGCHECK_STR: 0x9F
PROCESS_NAME: System
CURRENT_IRQL: 2
ANALYSIS_VERSION: 6.3.9600.16384 (debuggers(dbg).130821-1623) amd64fre
DPC_STACK_BASE: FFFFF800E9D12FB0
</code>
Again, the driver just mentioned comes to light: **amd_sata.sys**. Now we can strongly assume that this driver caused the problem. In our example, the cause is an undefined state after the PC wakes from standby. Another important piece of information can be seen here:
<code>
Arg4: fffffa800cf07c60, The blocked IRP
</code>
This is the blocked IRP (I/O request packet). It can be analysed further with the command:
<code>
!irp fffffa800cf07c60
</code>
This output could now look like the following:
<code>
\Driver\amd_sata CLASSPNP!ClasspPowerUpCompletion
Args: 00000000 00000000 00000000 00000002
>[ 16, 2] 0 e1 fffffa800e1f4060 00000000 fffff88000f6fe30-00000000 Success Error Cancel pending
\Driver\disk partmgr!PmPowerCompletion
Args: 00041100 00000001 00000001 00000002
[ 16, 2] 0 e1 fffffa800e1f4b10 00000000 fffff800e87a6830-fffffa800e113b30 Success Error Cancel pending
\Driver\partmgr nt!PopRequestCompletion
Args: 00041100 00000001 00000001 000000
</code>
Again, we find clear indications that the SATA driver is working incorrectly when it wakes up from sleep mode.
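When many dumps have to be triaged, the fields read by eye above can be pulled out of saved ''!analyze -v'' logs automatically. The following parser is an added example, not part of the original article or of the debugger; the function names ''parse_analyze'' and ''follow_up'' are assumptions, and the sample text is copied from the output shown above.

```python
import re

# Sample input: lines copied from the debugger output shown above.
SAMPLE = """\
BugCheck 9F, {3, fffffa800cf757f0, fffff800e9d0b770, fffffa800cf07c60}
*** WARNING: Unable to verify timestamp for amd_sata.sys
*** ERROR: Module load completed but symbols could not be loaded for amd_sata.sys
Probably caused by : amd_sata.sys
DRIVER_POWER_STATE_FAILURE (9f)
Arg1: 0000000000000003, A device object has been blocking an Irp for too long a time
Arg4: fffffa800cf07c60, The blocked IRP
IMAGE_NAME: amd_sata.sys
DEFAULT_BUCKET_ID: WIN8_DRIVER_FAULT
PROCESS_NAME: System
"""

BUGCHECK = re.compile(r"^BugCheck\s+([0-9A-Fa-f]+),\s*\{([^}]*)\}", re.M)
NAME = re.compile(r"^([A-Z][A-Z0-9_]+) \(([0-9A-Fa-f]+)\)[ \t]*$", re.M)
FIELD = re.compile(r"^([A-Z][A-Z0-9_]+):[ \t]+(\S.*?)[ \t]*$", re.M)
CAUSE = re.compile(r"^Probably caused by\s*:\s*(\S+)", re.M)
UNVERIFIED = re.compile(r"^\*\*\* (?:WARNING|ERROR): .* for (\S+)[ \t]*$", re.M)

def parse_analyze(text):
    """Return the triage-relevant parts of one !analyze -v log as a dict."""
    report = {"code": None, "args": [], "name": None, "culprit": None}
    m = BUGCHECK.search(text)
    if m:
        report["code"] = int(m.group(1), 16)
        report["args"] = [int(a, 16) for a in m.group(2).split(",") if a.strip()]
    m = NAME.search(text)
    # Accept the symbolic name only if it agrees with the numeric bugcheck code.
    if m and report["code"] in (None, int(m.group(2), 16)):
        report["name"] = m.group(1)
    m = CAUSE.search(text)
    if m:
        report["culprit"] = m.group(1)
    report["fields"] = dict(FIELD.findall(text))
    # Modules whose timestamp or symbols the debugger could not verify.
    report["unverified"] = sorted(set(UNVERIFIED.findall(text)))
    return report

def follow_up(report):
    """Next debugger command; covers only the 0x9F case this page walks through."""
    args = report["args"]
    # Bugcheck 0x9F with Arg1 == 3: Arg4 is the blocked IRP, inspected with !irp.
    if report["code"] == 0x9F and len(args) == 4 and args[0] == 3:
        return ["!irp %016x" % args[3]]
    return []
```

A log without a ''BugCheck'' line (for example a truncated one) yields ''code'' as ''None'' and no follow-up command instead of an exception.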
===== 5. Troubleshooting =====
We have now found out that the driver is not working correctly. Here it usually helps to simply install the latest driver. If no newer driver is available yet, contact the hardware manufacturer so that they can take care of the problem.
===== 6. Epilogue =====
This is only an example of a specific error message and is only intended to illustrate the general procedure. There is no universal remedy for a blue screen. Nevertheless, you can usually find a remedy with the debugger. Knowing the problem is already 50% of the solution.
On Mike's Technology and Finance Blog((http://mikemstech.blogspot.de/2011/11/windows-crash-dump-analysis.html)) there is an overview of all bluescreen messages. There are also debugger logs for some of them.