The debugging information can be written to different file formats (also known as memory dump files) when your computer stops unexpectedly because of a Stop error (also known as a "blue screen," system crash, or bug check). We can also configure Windows not to write debugging information to a memory dump file.
Windows can generate any one of the following memory dump file types:
• Complete memory dump
• Kernel memory dump
• Small memory dump (64 KB)
1. Install the debugging tools (WinDbg)
Select the Typical installation. By default, the installer installs the debugging tools in the following folder:
C:\Program Files\Debugging Tools for Windows
Note: You must have symbol information when you debug applications with various Microsoft tools. Symbol files provide a footprint of the functions that are contained in executable files and dynamic-link libraries (DLLs). Additionally, symbol files can present a roadmap of the function calls that lead to the point of failure. For example, you must have the symbols when you dump call stacks inside a debugger.
You can use the following symbol path:
SRV*c:\symbols*http://msdl.microsoft.com/download/symbols
Alternatively, you can download the symbols to your system and set the local path in WinDbg.
To learn more about symbols, see http://support.microsoft.com/kb/311503
Steps to read the dump file:
1. Open WinDbg from Start -> All Programs -> Debugging Tools for Windows -> windbg.exe
2. Set the symbol path in WinDbg:
Press Ctrl+S, then enter SRV*c:\symbols*http://msdl.microsoft.com/download/symbols
3. Open the memory dump file by pressing Ctrl+D, then select the dump file from the location where you saved it.
Now that the dump is open, it is time to diagnose the root cause of the blue screen.
Type !analyze -v, or click the !analyze -v link.
The command produces output like the following (this output is from my dump file).
1: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: 00000004, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000000, value 0 = read operation, 1 = write operation
Arg4: 888c3b02, address which referenced memory
Debugging Details:
------------------
READ_ADDRESS: 00000004
CURRENT_IRQL: 2
FAULTING_IP:
ndis!NdisFreeTimerObject+18
888c3b02 8b4b04 mov ecx,dword ptr [ebx+4]
DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT
BUGCHECK_STR: 0xD1
PROCESS_NAME: System
TRAP_FRAME: 8a77fbac -- (.trap 0xffffffff8a77fbac)
ErrCode = 00000000
eax=00000000 ebx=00000000 ecx=888cf970 edx=878ecd60 esi=85fc1028 edi=888cf970
eip=888c3b02 esp=8a77fc20 ebp=8a77fc2c iopl=0 nv up ei ng nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010286
ndis!NdisFreeTimerObject+0x18:
888c3b02 8b4b04 mov ecx,dword ptr [ebx+4] ds:0023:00000004=????????
Resetting default scope
LAST_CONTROL_TRANSFER: from 888c3b02 to 82c5e7eb
STACK_TEXT:
8a77fbac 888c3b02 badb0d00 878ecd60 8a77fbc8 nt!KiTrap0E+0x2cf
8a77fc2c 8ec535c1 00000000 8a77fc44 8ec3863f ndis!NdisFreeTimerObject+0x18
8a77fc38 8ec3863f 878ecf30 8a77fc50 8ec3dcac athr!ieee80211_scan_detach+0xa1
8a77fc44 8ec3dcac 878ecd60 8a77fc68 8ec3dc5f athr!StaFreeScanContext+0x5f
8a77fc50 8ec3dc5f 878ecd60 c000009a 878ecd60 athr!Sta11FreeStation+0x2c
8a77fc68 8ec3013e 85bd2778 8a77fc7c 00000001 athr!Sta11AllocateStation+0xef
8a77fc88 8ec2969c 85bd2778 00000001 8a77fca0 athr!Port11AllocatePort+0x4e
8a77fcc4 8ec29598 85bd2778 8a78738c 85bd2778 athr!MpCreateMacHandler+0x9c
8a77fcdc 8888e30a 85bd2778 85dcf0b0 8a77fd00 athr!MpOidRequestWorkItem+0x38
8a77fcec 82e387b5 85fc1028 85dcf0b0 84bd76d0 ndis!ndisDispatchIoWorkItem+0xf
8a77fd00 82c85f2b 860c9a88 00000000 84bd76d0 nt!IopProcessWorkItem+0x23
8a77fd50 82e2666d 00000000 abfd662f 00000000 nt!ExpWorkerThread+0x10d
8a77fd90 82cd80d9 82c85e1e 00000000 00000000 nt!PspSystemThreadStartup+0x9e
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x19
STACK_COMMAND: kb
FOLLOWUP_IP:
athr!ieee80211_scan_detach+a1
8ec535c1 5d pop ebp
SYMBOL_STACK_INDEX: 2
SYMBOL_NAME: athr!ieee80211_scan_detach+a1
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: athr
IMAGE_NAME: athr.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 4a2ea444
FAILURE_BUCKET_ID: 0xD1_athr!ieee80211_scan_detach+a1
BUCKET_ID: 0xD1_athr!ieee80211_scan_detach+a1
Followup: MachineOwner
---------
athr is the culprit file, marked in blue. How you resolve the problem is up to you. I checked that athr is related to the wireless network card driver, so I uninstalled the driver, and now the problem has been resolved.
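When many dumps have to be triaged, the reading done by eye above can be scripted. The following Python sketch is an added example, not part of the original post: it parses saved !analyze -v text and reports the access type, the IRQL, and the first stack frame outside the operating system's own modules. The names parse_analyze, summarize and OS_MODULES and the 0x1000 null-page threshold are assumptions of this example, and the frame pattern covers the 32-bit layout shown above only.

```python
import re

# Constructed sample: lines copied from the !analyze -v output above, trimmed.
SAMPLE = """\
DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
Arg1: 00000004, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000000, value 0 = read operation, 1 = write operation
Arg4: 888c3b02, address which referenced memory
STACK_TEXT:
8a77fbac 888c3b02 badb0d00 878ecd60 8a77fbc8 nt!KiTrap0E+0x2cf
8a77fc2c 8ec535c1 00000000 8a77fc44 8ec3863f ndis!NdisFreeTimerObject+0x18
8a77fc38 8ec3863f 878ecf30 8a77fc50 8ec3dcac athr!ieee80211_scan_detach+0xa1
STACK_COMMAND: kb
MODULE_NAME: athr
IMAGE_NAME: athr.sys
"""

# Assumption: modules treated as operating-system code when looking for a suspect.
OS_MODULES = {"nt", "hal", "ndis"}
# 32-bit STACK_TEXT row: ChildEBP, RetAddr, three args, then module!symbol+offset.
FRAME = re.compile(r"^(?:[0-9a-f]{8} ){5}(\w+)!(\w+)(?:\+0x[0-9a-f]+)?$")
FIELD = re.compile(r"^(MODULE_NAME|IMAGE_NAME|FAILURE_BUCKET_ID):\s+(\S+)$")

def parse_analyze(text):
    """Extract bug check name/code, arguments, stack frames and blamed image."""
    info, in_stack = {"args": [], "stack": []}, False
    for line in map(str.strip, text.splitlines()):
        if m := re.match(r"^([A-Z0-9_]+) \(([0-9a-f]+)\)$", line):
            info["name"], info["code"] = m.group(1), int(m.group(2), 16)
        elif m := re.match(r"^Arg[1-4]: ([0-9a-f]+),", line):
            info["args"].append(int(m.group(1), 16))
        elif line == "STACK_TEXT:":
            in_stack = True
        elif in_stack and (m := FRAME.match(line)):
            info["stack"].append(m.groups())
        else:
            in_stack = False  # any non-frame line ends the stack section
            if m := FIELD.match(line):
                info[m.group(1)] = m.group(2)
    return info

def summarize(info):
    """Interpret the 0xD1 arguments as labelled in the output; pick a suspect frame."""
    addr, irql, op, _ip = info["args"]
    suspect = next((f for f in info["stack"] if f[0] not in OS_MODULES), None)
    return {"access": "write" if op else "read", "irql": irql,
            "near_null": addr < 0x1000,  # assumption: first page means NULL + offset
            "suspect": suspect}
```

On the sample, the suspect frame agrees with the MODULE_NAME and IMAGE_NAME fields that !analyze reports, and near_null flags the read of address 00000004 as a null pointer plus a small offset.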
Configure the dump type
To configure startup and recovery options (including the dump type), follow these steps:
- Click Start, and then click Control Panel.
- Click Performance and Maintenance, and then click System.
- On the Advanced tab, click Settings under Startup and Recovery.