WordType Designs
Driven To Distractions©
The Sound of One Hand Clapping©

A rchive Date
[ 25-04-2001 ]
Category
[ Information Technologies ]
sub-Categoy
[ Microsoft ]
      [Gathering Blue Screen Information After Memory Dump
      ID: Q192463
                                                                                            
       The information in this article applies to:  
                                               
          Microsoft Windows NT Server version 4.0                                            
          Microsoft Windows NT Workstation version 4.0                                       
          Microsoft Windows 2000 Professional                                                
          Microsoft Windows 2000 Server                                                      
          Microsoft Windows 2000 Advanced Server                                             
                                                                                             
      SUMMARY                                                       
                                                                                             
      The information below covers some steps you can take to gather more information about a blue screen error message. These steps will not always provide conclusive answers and may only be a symptom of another problem.
      Event Log Messages
      Set up your system to write an event log message with bugcheck information. 
      Windows NT Server 4.0 is set to write event log messages by default. Windows NT Workstation is not set by default. To set your system to write an event log message, click to select the "Write an event to the system log" check box located in the Recovery section of the Startup/Shutdown tab in System Properties. This will cause an event log message to be written to the system log.
      Data contained in the event log message.
      The description and format of the event log differs from the format displayed when the computer is writing the Memory.dmp file, but the majority of the information is the same. Below is an example of the event log.                   
                                                                                             
                  Event ID: 1001                                                             
                  Source: Save Dump                                                          
                  Description:                                                               
                    The computer has rebooted from a bugcheck. The bugcheck was :            
                    0xc000021a (0xe1270188, 0x00000001, 0x00000000, 0x00000000).             
                    Microsoft Windows NT (v15.1381). A dump was saved in:                    
                    C:\WINNT\MEMORY.DMP.                                                     
                                                                                             
      This information contains the stop code 0xc000021a and the four parameters. These can be very useful when troubleshooting certain types of stop codes. The parameters will mean different things depending on what type of stop code it is. For information on what the parameters represent, search the Knowledge Base for the specific STOP code. Not all STOP code parameters are covered in the Knowledge Base.
      Using Dumpchk.exe to Determine Memory Dump Information
      If you use Dumpchk.exe from the Service Pack 3 CD, you can determine all of the above information as well as the address of the driver that generated the stop message. This information can often give you a direction to begin troubleshooting. Before you run Dumpchk.exe, be sure to adjust the properties of the command prompt so that the screen buffer size height is set to 999. This height will allow you to scroll back to see the output. Run Dumpchk.exe from the command prompt with the following syntax:                                        
                                                                                             
                  dumpchk.exe Memory.dmp                                                           
                                                                                             
      The following is an example of the portions of the output that are most useful.  
                                                                                             
           MachineImageType   i386                                                       
            NumberProcessors   1                                                          
               BugCheckCode      0xc000021a                                                  
               BugCheckParameter1   0xe1270188                                               
               BugCheckParameter2   0x00000001                                               
               BugCheckParameter3   0x00000000                                               
               BugCheckParameter4   0x00000000                                               
                                                                                             
               ExceptionCode      0x80000003                                                 
               ExceptionFlags      0x00000001                                                
               ExceptionAddress   0x8014fb84                                                 
                                                                                             
      As previously mentioned, not all sections will give the same information. This will depend on the type of STOP code. The information above tells us the STOP code (0xc000021a) and the parameters (0xe1270188, 0x00000001, 0x00000000, 0x00000000), as well as the address of the driver that called the exception (0x8014fb84). This address can be used to identify the driver name using the output from running Pstat.exe, which can be found on the resource kit.           
                                                                                             
      Dumpchk.exe will also verify that the dump is valid
      Using Pstat.exe to Identify Driver Information Pstat.exe, a resource kit utility, will give you a picture of the processes and drivers currently running on your system. For these purposes, the most useful information will be the list of loaded drivers that appears at the end of the output. All you need to do is run Pstat.exe from the command line. The information given by Pstat.exe can be piped to a file using the following sytax: 
                                                                                             
                  pstat.exe > filename                                                             
                                                                                             
      The following is an example of the driver list at the end of the output.

      ModuleName
      Load Addr 
      Code 
        Data
      Paged
      Link
      Link
      ntoskrnl.exe 80100000  270272   40064  434816 Sun May 11 00:10:39 1997        
      hal.dll 80010000   20384    2720    9344 Mon Mar 10 16:39:20 1997        
      aic78xx.sys 80001000   20512    2272       0 Sat Apr 05 21:16:21 1997        
      SCSIPORT.SYS 801d7000    9824      32   15552 Mon Mar 10 16:42:27 1997        
      Disk.sys 80008000    3328       0    7072 Thu Apr 24 22:27:46 1997        
      CLASS2.SYS 8000c000    7040       0    1632 Thu Apr 24 22:23:43 1997        
      INO_FLPY.SYS 801df000    9152    1472    2080 Tue May 26 18:21:40 1998        
      Ntfs.sys 801e3000   68160    5408  269632 Thu Apr 17 22:02:31 1997        
      Floppy.SYS f7290000    1088     672    7968 Wed Jul 17 00:31:09 1996        
      Cdrom.SYS f72a0000   12608      32    3072 Wed Jul 17 00:31:29 1996
      Cdaudio.SYS f72b8000     960       0   14912 Mon Mar 17 18:21:15 1997        
      Null.SYS f75c9000       0       0     288 Wed Jul 17 00:31:21 1996        
      KSecDD.SYS f7464000    1280     224    3456 Wed Jul 17 20:34:19 1996        
      Beep.SYS f75ca000    1184       0       0 Wed Apr 23 15:19:43 1997        
      cs32ba11.SYS fcd1a000   52384   45344   14592 Wed Mar 12 17:22:33 1997        
      msi8042.SYS f7000000   20192    1536       0 Mon Mar 23 22:46:22 1998        
      mouclass.sys f7470000    1984       0       0 Mon Mar 10 16:43:11 1997        
      kbdclass.sys f7478000    1952       0       0 Wed Jul 17 00:31:16 1996        
      VIDEOPRT.SYS f72d8000    2080     128   11296 Mon Mar 10 16:41:37 1997        
      ati.sys f7010000     960    9824   48768 Fri Dec 12 15:20:37 1997        
      vga.sys f7488000     128      32   10784 Wed Jul 17 00:30:37 1996        
      Msfs.SYS f7308000     864      32   15328 Mon Mar 10 16:45:01 1997        
      Npfs.SYS f7020000    6560     192   22624 Mon Mar 10 16:44:48 1997        
      NDIS.SYS fccda000   11744     704   96768 Thu Apr 17 22:19:45 1997        
      win32k.sys a0000000 1162624   40064       0 Fri Apr 25 21:17:32 1997        
      ati.dll fccba000  106176   17024       0 Fri Dec 12 15:20:08 1997        
      Cdfs.SYS f7050000    5088     608   45984 Mon Mar 10 16:57:04 1997        
      INO_FLTR.SYS fc42f000   29120   38176    1888 Tue Jun 02 16:33:05 1998        
      TDI.SYS fc4a2000    4480      96     288 Wed Jul 17 00:39:08 1996        
      tcpip.sys fc40b000  108128    7008   10176 Fri May 09 17:02:39 1997        
      netbt.sys fc3ee000   79808    1216   23872 Sat Apr 26 21:00:42 1997        
      el90x.sys f7320000   24576    1536       0 Wed Jun 26 20:04:31 1996        
      afd.sys f70d0000    1696     928   48672 Thu Apr 10 15:09:17 1997        
      netbios.sys f7280000   13280     224   10720 Mon Mar 10 16:56:01 1997        
      Parport.SYS f7460000    3424      32       0 Wed Jul 17 00:31:23 1996        
      Parallel.SYS f746c000    7904      32       0 Wed Jul 17 00:31:23 1996        
      ParVdm.SYS f7552000    1312      32       0 Wed Jul 17 00:31:25 1996        
      Serial.SYS f7120000    2560       0   18784 Mon Mar 10 16:44:11 1997        
      rdr.sys fc385000   13472    1984  219104 Wed Mar 26 14:22:36 1997        
      mup.sys fc374000    2208    6752   48864 Mon Mar 10 16:57:09 1997        
      srv.sys fc24a000   42848    7488  163680 Fri Apr 25 13:59:31 1997        
      PSCRIPT.DLL f9ec3000       0       0       0                                 
      Fastfat.SYS f9e00000    6720     672  114368 Mon Apr 21 16:50:22 1997        
      NTDLL.DLL 77f60000  237568   20480       0 Fri Apr 11 16:38:50 1997 
      Total          2377632  255040  1696384
      By using the starting address shown above under the "load addr" column, you can match the exception address to the driver name. Using 8014fb84 as an example, you can determine that Ntoskrnl.exe has the nearest load address below the exception address and is most likely the driver that called the exception. With this information, you can go to the Knowledge Base to look for known issues that match your situation. 

      MORE INFORMATION

      For additional information, please see the following article in the Microsoft Knowledge Base:    
                                                                    
      Q129845 Blue Screen Preparation Before Contacting Microsoft
      Q103059 Descriptions of Bug Codes for Windows NT 

      Additional query words: how to                                                          
      Keywords : 

      Version : WINDOWS:2000; winnt:4.0                                                
      Platform : WINDOWS winnt                                                         
      Issue type : kbinfo                                                              
      Technology : kbvcSearch   

      Last Reviewed: July 20, 2000 
                               
                    © 2000 Microsoft Corporation. All rights reserved. Terms of Use.  
      Send feedback to MSDN. (Embedded image moved to file: pic05771.pcx)Look here for 
            MSDN Online resources.       ]


Some pages may require Adobe Acrobat Reader


Copyright and Fair Use Information: The contents of this web site is protected by international copyright laws and may not be reproduced in any form or manner whatsoever, if for the purpose of resale or solicitation of a donation. The essays included here, may be reproduced only if: 1)They are not altered in any way; 2) reproductions must be accompanied by this copyright page ; and 3) it is given freely and without charge.
Fair use: The fair use of copyrighted work, including such use by reproduction in copies or phonorecords or by any other means specified in above sections, for purposes such as criticism, comment, news reporting, teaching (including multiple copies for classroom use), scholarship, or research, is not an infringement of copyright. In determining whether the use made of a work in any particular case is fair use the factors to be considered include : (1) the purpose and character of the use, including whether the use is of a commercial nature or is for nonprofit educational purposes; (2) the nature of the copyrighted work; (3) the amount and substantiality of the portion used in relation to the copyrighted work as a whole, and; (4) the effect of the use upon the potential market value of the copyrighted work.
Home | About Narrative? |Contact
Copyright © 2025. All Rights Reserved
HAG122125 (1998 -2026)