1. W INDOWS BLUE SCREEN OF DEATH AFTER CRASH DEBUGGING Alex Mclean Amy Valley Derek Visch

2. What is a BSOD? Blue Screen of Death

3. What is a BSOD? Blue Screen Of Death The function that is called to generate the BSOD is KeBugCheckEx. Occurs in windows when the operating system encounters a critical error that it cannot recover from.

4. Why generate a BSOD? Why not just ignore the exception Is likely that driver that caused the first exception will continue to do so Therefore high risk of data to be corrupted

5. Most Common BSOD Causes By Stop Code Category Source: Russinovich, Mark E., David A. Solomon, and Alex Ionescu. Windows Internals: Part 2. 6th ed. Redmond, WA: Microsoft, 2012. Print.

6. Memory Dump Types Kernel Memory Dumps Complete Memory Dumps Small Memory Dumps

7. Only information about the current process and thread context, the bug check stop code, and the kernel portion of the stack trace that caused the crash. Basic windbg commands like !process will not have the information they need

8. Kernel Memory Dumps Collected on kernel crashes Contains the kernel-mode memory pages at the time of the crash Does not show user-mode pages

9. Complete Memory Dumps A dump of the entire physical memory (RAM) Does show user-mode pages at the time of the crash Not always available on computers with 2 GB or more of RAM due to size

10. Sample Complete Memory Dump

11. Sample Kernel Memory Dump

12. Getting memory dumps

13. Choose Type of Memory Dump

14. Cause the crash

15. Reading the Crash Run WinDbg as administrator File Open Crash Dump C:\Windows\MEMORY.DMP Run the following commands: kd>.symfix kd>.reload kd> !process -1 0 kd> !analyze -v kd> lm kv m myfault