Microsoft KB Archive/192463

= Gathering Blue Screen Information After Memory Dump in Windows 2000 or Windows NT =

Article ID: 192463

Article Last Modified on 2/27/2007

-

APPLIES TO


 * Microsoft Windows 2000 Server
 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows 2000 Professional Edition
 * Microsoft Windows 2000 Datacenter Server
 * Microsoft Windows NT Server 4.0 Standard Edition
 * Microsoft Windows NT Workstation 4.0 Developer Edition

-



This article was previously published under Q192463



For a Microsoft Windows XP version of this article, see 314084.



SUMMARY
This article describes how to gather more information about a blue-screen error message. Note that these steps may not always provide conclusive answers and may only be a symptom of another problem.



Event Log Messages
 Configure Windows to write an event log message with bugcheck information. Windows NT Server 4.0 is set to write event log messages by default. Windows NT Workstation is not set by default. To set your system to write an event log message, click to select the Write an event to the system log" check box that is located in the Recovery section of the Startup/Shutdown tab in System properties. This will cause an event log message to be written to the system log. The description and format of the event log differs from the format that is displayed when the computer is writing the Memory.dmp file, but the majority of the information is the same. Below is an example of the event log:

Event ID: 1001

Source: Save Dump

Description:

The computer has rebooted from a bugcheck. The bugcheck was : 0xc000021a (0xe1270188, 0x00000001, 0x00000000, 0x00000000). Microsoft Windows NT (v15.1381). A dump was saved in: C:\WINNT\MEMORY.DMP.

This information contains the stop code 0xc000021a and the four parameters. These can be very useful when troubleshooting certain types of stop codes. The parameters will mean different things depending on what type of stop code it is. For information about what the parameters represent, search the Microsoft Knowledge Base for the specific stop code. Not all stop code parameters are covered in the Microsoft Knowledge Base.

To query the Microsoft Knowledge Base, visit the following Microsoft Web page:

http://support.microsoft.com/support



Using Dumpchk.exe to Determine Memory Dump Information
If you use Dumpchk.exe from the Service Pack 3 CD, you can determine all of the information that is mentioned earlier and the address of the driver that generated the stop message. This information can often give you a direction to begin troubleshooting. Before you run Dumpchk.exe, be sure to adjust the properties of the command prompt so that the screen buffer size height is set to 999. This height will allow you to scroll back to see the output. Run Dumpchk.exe from the command prompt with the following syntax:

dumpchk.exe Memory.dmp

This is an example of the portions of the output that are most useful:

MachineImageType i386

NumberProcessors 1

BugCheckCode 0xc000021a

BugCheckParameter1 0xe1270188

BugCheckParameter2 0x00000001

BugCheckParameter3 0x00000000

BugCheckParameter4 0x00000000

ExceptionCode 0x80000003

ExceptionFlags 0x00000001

ExceptionAddress 0x8014fb84

Note that not all sections will give the same information. This will depend on the type of stop code. The information above tells you the stop code (0xc000021a) and the parameters (0xe1270188, 0x00000001, 0x00000000, 0x00000000), as well as the address of the driver that called the exception (0x8014fb84). This address can be used to identify the driver name by using the output from running Pstat.exe, which can be found in the Resource Kit.

Dumpchk.exe will also verify that the dump is valid.

Using Pstat.exe to Identify Driver Information
Pstat.exe, a Resource Kit utility, will give you a picture of the processes and drivers currently running on your system. For these purposes, the most useful information will be the list of loaded drivers that appears at the end of the output. All you need to do is run Pstat.exe from the command line. The information given by Pstat.exe can be piped to a file by using the following syntax:

pstat.exe >

This is an example of the driver list at the end of the output:   MODULENAME    Load Addr  Code    Data  Paged  LinkDate --  Ntoskrnl.exe 80100000   270272  40064 434816 Sun May 11 00:10:39 1997 Hal.dll 80010000   20384   2720  9344   Mon Mar 10 16:39:20 1997 Aic78xx.sys 80001000   20512   2272  0  Sat Apr 05 21:16:21 1997 Scsiport.sys 801d7000  9824    32    15552  Mon Mar 10 16:42:27 1997 Disk.sys 80008000  3328    0     7072   Thu Apr 24 22:27:46 1997 Class2.sys  8000c000   7040    0     1632   Thu Apr 24 22:23:43 1997 Ino_flpy.sys 801df000  9152    1472  2080   Tue May 26 18:21:40 1998 Ntfs.sys 801e3000  68160   5408  269632 Thu Apr 17 22:02:31 1997 Floppy.sys  f7290000   1088    672   7968   Wed Jul 17 00:31:09 1996 Cdrom.sys   f72a0000   12608   32    3072   Wed Jul 17 00:31:29 1996 Cdaudio.sys f72b8000   960     0     14912  Mon Mar 17 18:21:15 1997 Null.sys f75c9000  0       0     288    Wed Jul 17 00:31:21 1996 Ksecdd.sys  f7464000   1280    224   3456   Wed Jul 17 20:34:19 1996 Beep.sys f75ca000  1184    0     0  Wed Apr 23 15:19:43 1997 Cs32ba11.sys fcd1a000  52384   45344 14592  Wed Mar 12 17:22:33 1997 Msi8042.sys f7000000   20192   1536  0  Mon Mar 23 22:46:22 1998 Mouclass.sys f7470000  1984    0     0  Mon Mar 10 16:43:11 1997 Kbdclass.sys f7478000  1952    0     0  Wed Jul 17 00:31:16 1996 Videoprt.sys f72d8000  2080    128   11296  Mon Mar 10 16:41:37 1997 Ati.sys f7010000   960     9824  48768  Fri Dec 12 15:20:37 1997 Vga.sys f7488000   128     32    10784  Wed Jul 17 00:30:37 1996 Msfs.sys f7308000  864     32    15328  Mon Mar 10 16:45:01 1997 Npfs.sys f7020000  6560    192   22624  Mon Mar 10 16:44:48 1997 Ndis.sys fccda000  11744   704   96768  Thu Apr 17 22:19:45 1997 Win32k.sys  a0000000   1162624 40064 0  Fri Apr 25 21:17:32 1997 Ati.dll fccba000   106176  17024 0  Fri Dec 12 15:20:08 1997 Cdfs.sys f7050000  5088    608   45984  Mon Mar 10 16:57:04 1997 Ino_fltr.sys fc42f000  29120   38176 1888   Tue Jun 02 16:33:05 1998 Tdi.sys fc4a2000   4480    96    288    Wed Jul 17 00:39:08 1996 Tcpip.sys   fc40b000   108128  7008  10176  Fri May 09 17:02:39 1997 Netbt.sys   fc3ee000   79808   1216  23872  Sat Apr 26 21:00:42 1997 El90x.sys   f7320000   24576   1536  0  Wed Jun 26 20:04:31 1996 Afd.sys f70d0000   1696    928   48672  Thu Apr 10 15:09:17 1997 Netbios.sys f7280000   13280   224   10720  Mon Mar 10 16:56:01 1997 Parport.sys f7460000   3424    32    0  Wed Jul 17 00:31:23 1996 Parallel.sys f746c000  7904    32    0  Wed Jul 17 00:31:23 1996 Parvdm.sys  f7552000   1312    32    0  Wed Jul 17 00:31:25 1996 Serial.sys  f7120000   2560    0     18784  Mon Mar 10 16:44:11 1997 Rdr.sys fc385000   13472   1984  219104 Wed Mar 26 14:22:36 1997 Mup.sys fc374000   2208    6752  48864  Mon Mar 10 16:57:09 1997 Srv.sys fc24a000   42848   7488  163680 Fri Apr 25 13:59:31 1997 Pscript.dll f9ec3000   0       0     0 Fastfat.sys f9e00000   6720    672   114368 Mon Apr 21 16:50:22 1997 Ntdll.dll   77f60000   237568  20480 0  Fri Apr 11 16:38:50 1997 -  Total    2377632    255040  1696384 By using the starting address shown under the "Load Addr" column, you can match the exception address to the driver name. Using 8014fb84 as an example, you can determine that Ntoskrnl.exe has the nearest load address below the exception address and is most likely the driver that called the exception. With this information, you can visit the Microsoft Knowledge Base to look for known issues that match your situation.

For additional information, click the article number below to view the article in the Microsoft Knowledge Base:

129845 Blue Screen Preparation Before Contacting Microsoft

Keywords: kbinfo KB192463

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.