Gathering Blue Screen Information After Memory Dump in Windows 2000 or Windows NT
This article was previously published under Q192463

SUMMARY

This article describes how to gather more information about a blue-screen error message. Note that these steps may not always provide conclusive answers and may only be a symptom of another problem.

MORE INFORMATION

Event Log Messages

Using Dumpchk.exe to Determine Memory Dump Information

If you use Dumpchk.exe from the Service Pack 3 CD, you can determine all of the information that is mentioned earlier and the address of the driver that generated the stop message. This information can often give you a direction to begin troubleshooting. Before you run Dumpchk.exe, be sure to adjust the properties of the command prompt so that the screen buffer size height is set to 999. This height will allow you to scroll back to see the output. Run Dumpchk.exe from the command prompt with the following syntax:

    dumpchk.exe Memory.dmp

This is an example of the portions of the output that are most useful:

    MachineImageType i386
    NumberProcessors 1
    BugCheckCode 0xc000021a
    BugCheckParameter1 0xe1270188
    BugCheckParameter2 0x00000001
    BugCheckParameter3 0x00000000
    BugCheckParameter4 0x00000000
    ExceptionCode 0x80000003
    ExceptionFlags 0x00000001
    ExceptionAddress 0x8014fb84

Note that not all sections will give the same information. This will depend on the type of stop code. The information above tells you the stop code (0xc000021a) and the parameters (0xe1270188, 0x00000001, 0x00000000, 0x00000000), as well as the address of the driver that called the exception (0x8014fb84). This address can be used to identify the driver name by using the output from running Pstat.exe, which can be found in the Resource Kit.

Dumpchk.exe will also verify that the dump is valid.

Using Pstat.exe to Identify Driver Information

Pstat.exe, a Resource Kit utility, will give you a picture of the processes and drivers currently running on your system. For these purposes, the most useful information will be the list of loaded drivers that appears at the end of the output. All you need to do is run Pstat.exe from the command line. The information given by Pstat.exe can be piped to a file by using the following syntax:

    pstat.exe > filename

This is an example of the driver list at the end of the output:

    MODULENAME    Load Addr    Code   Data   Paged  LinkDate
    ----------------------------------------------------------------------
    Ntoskrnl.exe  80100000   270272  40064  434816  Sun May 11 00:10:39 1997
    Hal.dll       80010000    20384   2720    9344  Mon Mar 10 16:39:20 1997
    Aic78xx.sys   80001000    20512   2272       0  Sat Apr 05 21:16:21 1997
    Scsiport.sys  801d7000     9824     32   15552  Mon Mar 10 16:42:27 1997
    Disk.sys      80008000     3328      0    7072  Thu Apr 24 22:27:46 1997
    Class2.sys    8000c000     7040      0    1632  Thu Apr 24 22:23:43 1997
    Ino_flpy.sys  801df000     9152   1472    2080  Tue May 26 18:21:40 1998
    Ntfs.sys      801e3000    68160   5408  269632  Thu Apr 17 22:02:31 1997
    Floppy.sys    f7290000     1088    672    7968  Wed Jul 17 00:31:09 1996
    Cdrom.sys     f72a0000    12608     32    3072  Wed Jul 17 00:31:29 1996
    Cdaudio.sys   f72b8000      960      0   14912  Mon Mar 17 18:21:15 1997
    Null.sys      f75c9000        0      0     288  Wed Jul 17 00:31:21 1996
    Ksecdd.sys    f7464000     1280    224    3456  Wed Jul 17 20:34:19 1996
    Beep.sys      f75ca000     1184      0       0  Wed Apr 23 15:19:43 1997
    Cs32ba11.sys  fcd1a000    52384  45344   14592  Wed Mar 12 17:22:33 1997
    Msi8042.sys   f7000000    20192   1536       0  Mon Mar 23 22:46:22 1998
    Mouclass.sys  f7470000     1984      0       0  Mon Mar 10 16:43:11 1997
    Kbdclass.sys  f7478000     1952      0       0  Wed Jul 17 00:31:16 1996
    Videoprt.sys  f72d8000     2080    128   11296  Mon Mar 10 16:41:37 1997
    Ati.sys       f7010000      960   9824   48768  Fri Dec 12 15:20:37 1997
    Vga.sys       f7488000      128     32   10784  Wed Jul 17 00:30:37 1996
    Msfs.sys      f7308000      864     32   15328  Mon Mar 10 16:45:01 1997
    Npfs.sys      f7020000     6560    192   22624  Mon Mar 10 16:44:48 1997
    Ndis.sys      fccda000    11744    704   96768  Thu Apr 17 22:19:45 1997
    Win32k.sys    a0000000  1162624  40064       0  Fri Apr 25 21:17:32 1997
    Ati.dll       fccba000   106176  17024       0  Fri Dec 12 15:20:08 1997
    Cdfs.sys      f7050000     5088    608   45984  Mon Mar 10 16:57:04 1997
    Ino_fltr.sys  fc42f000    29120  38176    1888  Tue Jun 02 16:33:05 1998
    Tdi.sys       fc4a2000     4480     96     288  Wed Jul 17 00:39:08 1996
    Tcpip.sys     fc40b000   108128   7008   10176  Fri May 09 17:02:39 1997
    Netbt.sys     fc3ee000    79808   1216   23872  Sat Apr 26 21:00:42 1997
    El90x.sys     f7320000    24576   1536       0  Wed Jun 26 20:04:31 1996
    Afd.sys       f70d0000     1696    928   48672  Thu Apr 10 15:09:17 1997
    Netbios.sys   f7280000    13280    224   10720  Mon Mar 10 16:56:01 1997
    Parport.sys   f7460000     3424     32       0  Wed Jul 17 00:31:23 1996
    Parallel.sys  f746c000     7904     32       0  Wed Jul 17 00:31:23 1996
    Parvdm.sys    f7552000     1312     32       0  Wed Jul 17 00:31:25 1996
    Serial.sys    f7120000     2560      0   18784  Mon Mar 10 16:44:11 1997
    Rdr.sys       fc385000    13472   1984  219104  Wed Mar 26 14:22:36 1997
    Mup.sys       fc374000     2208   6752   48864  Mon Mar 10 16:57:09 1997
    Srv.sys       fc24a000    42848   7488  163680  Fri Apr 25 13:59:31 1997
    Pscript.dll   f9ec3000        0      0       0
    Fastfat.sys   f9e00000     6720    672  114368  Mon Apr 21 16:50:22 1997
    Ntdll.dll     77f60000   237568  20480       0  Fri Apr 11 16:38:50 1997
    ----------------------------------------------------------------------
    Total                   2377632 255040 1696384

By using the starting address shown under the "Load Addr" column, you can match the exception address to the driver name. Using 8014fb84 as an example, you can determine that Ntoskrnl.exe has the nearest load address below the exception address and is most likely the driver that called the exception. With this information, you can visit the Microsoft Knowledge Base to look for known issues that match your situation.

For additional information, click the article number below to view the article in the Microsoft Knowledge Base:

129845 (http://support.microsoft.com/kb/129845/EN-US/) Blue Screen Preparation Before Contacting Microsoft
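
The address-to-driver matching described above can be scripted. The following is an added example, not part of the original article or of any Microsoft tool: it assumes the Dumpchk.exe and Pstat.exe output has been saved as text, uses a constructed excerpt of the listings shown in this article, and all function names are hypothetical.

```python
import bisect
import re

# Constructed sample input: excerpts of the Dumpchk.exe and Pstat.exe
# output shown in this article, as they would look saved to text files.
DUMPCHK_TEXT = """\
MachineImageType i386
BugCheckCode 0xc000021a
BugCheckParameter1 0xe1270188
ExceptionCode 0x80000003
ExceptionAddress 0x8014fb84
"""
PSTAT_TEXT = """\
MODULENAME    Load Addr    Code   Data   Paged  LinkDate
Ntoskrnl.exe  80100000   270272  40064  434816  Sun May 11 00:10:39 1997
Hal.dll       80010000    20384   2720    9344  Mon Mar 10 16:39:20 1997
Scsiport.sys  801d7000     9824     32   15552  Mon Mar 10 16:42:27 1997
Win32k.sys    a0000000  1162624  40064       0  Fri Apr 25 21:17:32 1997
Tcpip.sys     fc40b000   108128   7008   10176  Fri May 09 17:02:39 1997
Pscript.dll   f9ec3000        0      0       0
Ntdll.dll     77f60000   237568  20480       0  Fri Apr 11 16:38:50 1997
Total                   2377632 255040 1696384
"""

def parse_dumpchk(text):
    """Map each 'Name 0x...' field of the Dumpchk output to its integer value."""
    pairs = re.findall(r"^\s*(\w+)\s+0x([0-9a-fA-F]+)\s*$", text, re.M)
    return {name: int(value, 16) for name, value in pairs}

def parse_pstat_modules(text):
    """Return (load_addr, name) for every driver row, sorted by load address.
    The header and Total rows do not match because they lack an 8-digit address."""
    row = re.compile(r"^\s*(\S+)\s+([0-9a-fA-F]{8})\s+\d+\s+\d+\s+\d+", re.M)
    return sorted((int(addr, 16), name) for name, addr in row.findall(text))

def owning_module(address, modules):
    """Module with the nearest load address at or below `address`, plus the
    offset into it; None when the address is below every listed module."""
    idx = bisect.bisect_right([base for base, _ in modules], address) - 1
    if idx < 0:
        return None
    base, name = modules[idx]
    return name, address - base

def triage(dumpchk_text, pstat_text):
    """Return (stop code, (driver name, offset)) for the saved outputs."""
    fields = parse_dumpchk(dumpchk_text)
    modules = parse_pstat_modules(pstat_text)
    return fields["BugCheckCode"], owning_module(fields["ExceptionAddress"], modules)
```

Because Pstat.exe lists the drivers of the currently running system, the result is only as reliable as the assumption that the drivers were loaded at the same addresses in the session that crashed.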
