
Windows Bluescreen Analysis

Draft | Approver: psycore


Bluescreens can have very different triggers. Defective memory, faulty drivers and many other factors can have an influence here.

At first bluescreens seem annoying, but they are a protection against serious damage to the system.

1. Download and install the debugger

The debugging tools are part of the Windows SDK. They can be downloaded from Microsoft. It is usually sufficient to install only the debugging tools and deselect the rest of the SDK during the installation process.

2. Open the debugger and load the crash dump

After the installation, we open the debugger and first go to File / Symbol File Paths.

Here we enter the following:

SRV*c:\symbols*http://msdl.microsoft.com/download/symbols

Then we press Ok. This entry tells the debugger to fetch missing symbols from Microsoft's symbol server and cache them locally, which avoids unnecessary error messages. Now we can open the crash dump via File / Open Crash Dump to load the error report. It is normally located under “C:\Windows\Minidump”.

3. First insight

The first look sometimes already shows a clue to the problem.

*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************
 
Use !analyze -v to get detailed debugging information.
 
BugCheck 9F, {3, fffffa800cf757f0, fffff800e9d0b770, fffffa800cf07c60}
 
*** WARNING: Unable to verify timestamp for amd_sata.sys
*** ERROR: Module load completed but symbols could not be loaded for amd_sata.sys
Probably caused by : amd_sata.sys
 
Followup: MachineOwner
---------

Here we can already see that the driver amd_sata.sys could be the culprit.

4. Further analysis

Now we enter the following command:

!analyze -v

This shows us extended analysis information.

0: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************
 
DRIVER_POWER_STATE_FAILURE (9f)
A driver has failed to complete a power IRP within a specific time.
Arguments:
Arg1: 0000000000000003, A device object has been blocking an Irp for too long a time
Arg2: fffffa800cf757f0, Physical Device Object of the stack
Arg3: fffff800e9d0b770, nt!TRIAGE_9F_POWER on Win7 and higher, otherwise the Functional Device Object of the stack
Arg4: fffffa800cf07c60, The blocked IRP
 
Debugging Details:
------------------
 
 
DRVPOWERSTATE_SUBCODE:  3
 
IMAGE_NAME:  amd_sata.sys
 
DEBUG_FLR_IMAGE_TIMESTAMP:  5056e207
 
MODULE_NAME: amd_sata
 
FAULTING_MODULE: fffff88001494000 amd_sata
 
CUSTOMER_CRASH_COUNT:  1
 
DEFAULT_BUCKET_ID:  WIN8_DRIVER_FAULT
 
BUGCHECK_STR:  0x9F
 
PROCESS_NAME:  System
 
CURRENT_IRQL:  2
 
ANALYSIS_VERSION: 6.3.9600.16384 (debuggers(dbg).130821-1623) amd64fre
 
DPC_STACK_BASE:  FFFFF800E9D12FB0

Again, the driver just mentioned comes to light: amd_sata.sys. We can now be fairly confident that this driver caused the problem. In our example, it is an undefined state after the PC returns from standby. Another important piece of information can be seen here:

Arg4: fffffa800cf07c60, The blocked IRP

This argument is the address of the blocked IRP. It can be analysed further with the command:

!irp fffffa800cf07c60

This output could now look like the following:

	       \Driver\amd_sata	CLASSPNP!ClasspPowerUpCompletion
			Args: 00000000 00000000 00000000 00000002
>[ 16, 2]   0 e1 fffffa800e1f4060 00000000 fffff88000f6fe30-00000000 Success Error Cancel pending
	       \Driver\disk	partmgr!PmPowerCompletion
			Args: 00041100 00000001 00000001 00000002
 [ 16, 2]   0 e1 fffffa800e1f4b10 00000000 fffff800e87a6830-fffffa800e113b30 Success Error Cancel pending
	       \Driver\partmgr	nt!PopRequestCompletion
			Args: 00041100 00000001 00000001 000000

Again, we find clear indications that the SATA driver is working incorrectly when it wakes up from sleep mode.
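As an added example (not part of the original page), a small Python parser for the head of the `!analyze -v` listing shown above: it extracts the bugcheck name and code, the four arguments and the KEY: value fields, and derives the `!irp` follow-up for a 0x9F crash the way this walkthrough does. The sample text is constructed from the values in this page; `lmvm` is a standard WinDbg command for module details.

```python
import re

# Constructed sample: the head of a "!analyze -v" listing in the shape WinDbg
# prints for DRIVER_POWER_STATE_FAILURE (values taken from the walkthrough above)
SAMPLE_ANALYZE = """\
DRIVER_POWER_STATE_FAILURE (9f)
A driver has failed to complete a power IRP within a specific time.
Arguments:
Arg1: 0000000000000003, A device object has been blocking an Irp for too long a time
Arg2: fffffa800cf757f0, Physical Device Object of the stack
Arg3: fffff800e9d0b770, nt!TRIAGE_9F_POWER on Win7 and higher, otherwise the Functional Device Object of the stack
Arg4: fffffa800cf07c60, The blocked IRP

IMAGE_NAME:  amd_sata.sys
MODULE_NAME: amd_sata
BUGCHECK_STR:  0x9F
PROCESS_NAME:  System
"""

HEADER_RE = re.compile(r"^([A-Z_]+) \(([0-9a-fA-F]+)\)\s*$", re.M)   # NAME (code)
ARG_RE = re.compile(r"^Arg(\d): ([0-9a-fA-F]+), (.*)$", re.M)        # ArgN: value, text
FIELD_RE = re.compile(r"^([A-Z_]+):\s+(.*)$", re.M)                 # KEY:  value


def parse_analyze(text):
    """Return bugcheck name/code, the numbered arguments and the KEY: value fields."""
    m = HEADER_RE.search(text)
    if not m:
        raise ValueError("no bugcheck header found in the listing")
    args = {int(n): (int(v, 16), desc.strip()) for n, v, desc in ARG_RE.findall(text)}
    fields = {k: v.strip() for k, v in FIELD_RE.findall(text)}
    return {"name": m.group(1), "code": int(m.group(2), 16), "args": args, "fields": fields}


def next_steps(report):
    """Suggest the follow-up debugger commands, as the walkthrough does for 0x9F."""
    cmds = []
    # Subcode 3 means Arg4 holds the blocked IRP; dump its stack to see the driver on it
    if report["code"] == 0x9F and 4 in report["args"] and report["args"][1][0] == 3:
        cmds.append("!irp %x" % report["args"][4][0])
    image = report["fields"].get("IMAGE_NAME")
    if image:
        cmds.append("lmvm %s" % image.rsplit(".", 1)[0])  # module path and timestamp
    return cmds


if __name__ == "__main__":
    for cmd in next_steps(parse_analyze(SAMPLE_ANALYZE)):
        print(cmd)
```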

5. Troubleshooting

We have now found out that the driver is not working correctly. Here it usually helps to simply install the latest driver. If no newer driver is available yet, contact the hardware manufacturer so that they can take care of the problem.

6. Epilogue

This is only an example of a specific error message and is only intended to illustrate the general procedure. There is no universal remedy for a blue screen. Nevertheless, you can usually find a remedy with the debugger. Knowing the problem is already 50% of the solution.

On Mike's Technology and Finance Blog there is an overview of all bluescreen messages. There are also debugger logs for some of them.

en/windows/bluescreen_analyse.txt · Last modified: 2023/10/18 22:31
CC Attribution-Noncommercial-Share Alike 4.0 International