A new low…
http://praetorianprefect.com/archives/2010/01/scareware-purveyors-spammers-and-crooks-take-advantage-of-haiti-earthquake/
Windows Mobile PDA Emulator on a iPhone using Citrix Receiver…
A colleague of mine just emailed me this picture today:
It's an iPhone running Windows Mobile with a little help from Citrix… Crazy
Read more about Citrix Receiver here:
http://www.citrix.com/English/ps2/products/feature.asp?contentID=1860579
Blue screen of death (BSOD) on Windows 7…
Today I experienced yet another BSOD on my Windows 7 x64 box. The fourth one in the 20 days I've been running Windows 7, to be exact. Then I thought about something I learned last week, when I attended a session about crash dump analysis with Daniel Pearson at TechEd Europe. It occurred to me that I now had a fine opportunity to try out my newly acquired skills.
In short, crash dump analysis is about looking at the memory dump files Windows generates on a BSOD.
In order to analyze these files, one needs to install the Debugging Tools for Windows. These can be found in their latest version here: http://www.microsoft.com/whdc/DevTools/Debugging/default.mspx. (Remember to install the x64 version if you are running an x64 version of Windows.)
Besides an installation of the debugging tools, one needs the symbol package matching the Windows version that generated the crash dump. In my case this is a retail version of Windows 7 x64 Enterprise. Unfortunately none of the packages available from the Microsoft site matched my Windows version, which the debugger also informed me about.
So I had to do a bit of digging about… and found this knowledge base article: http://support.microsoft.com/kb/311503
It describes how to use the Microsoft Symbol Server to obtain debug symbol files. In short, the easiest way to set up the debugger with the right symbols is to set the environment variable: _NT_SYMBOL_PATH = symsrv*symsrv.dll*f:\localsymbols*http://msdl.microsoft.com/download/symbols (here f:\localsymbols is the local folder where symbols downloaded from the symbol server are cached).
This is done by right-clicking [My Computer], then clicking [Properties] and then selecting the [Advanced] tab, and clicking [Environment Variables].
Alternatively one can create a local symbol repository by running the SymChk.exe utility from the Debugging Tools installation folder, e.g. with these options:
- /r c:\windows\system32 finds all symbols for files in the System32 folder and any subfolders.
- /s SRV*c:\symbols*http://msdl.microsoft.com/download/symbols specifies the symbol path to use for symbol resolution. In this case, c:\symbols is the local folder where the symbols will be copied to from the symbol server.
Now that I had my debugger set up correctly, I could analyze the crash dump.
So first I fired up the debugger by executing WinDbg.exe and opened the crash dump (File -> Open Crash Dump… or ‘Ctrl + D’).
After the dump was loaded, I typed “!analyze -v” to get detailed debugging information.
This generated the following result:
Loading Dump File [C:\Windows\Minidump\111909-29374-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available
DbsSplayTreeRangeMap::Add: ignoring zero-sized range at ?fffff800`00b9c500?
Symbol search path is: C:\symbols;symsrv*symsrv.dll*f:\localsymbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows 7 Kernel Version 7600 MP (2 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 7600.16385.amd64fre.win7_rtm.090713-1255
Machine Name:
Kernel base = 0xfffff800`02a52000 PsLoadedModuleList = 0xfffff800`02c8fe50
Debug session time: Thu Nov 19 09:47:58.150 2009 (GMT+1)
System Uptime: 0 days 0:52:55.418
Loading Kernel Symbols
………………………………………………………
……………………………………………………….
………………………………………………….
Loading User Symbols
Loading unloaded module list
…..
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck 9F, {3, fffffa8002e67a20, fffff80000b9c518, fffffa8006ef9420}
*** WARNING: Unable to verify timestamp for e1e6032e.sys
*** ERROR: Module load completed but symbols could not be loaded for e1e6032e.sys
Probably caused by : e1e6032e.sys
Followup: MachineOwner
———
0: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
DRIVER_POWER_STATE_FAILURE (9f)
A driver is causing an inconsistent power state.
Arguments:
Arg1: 0000000000000003, A device object has been blocking an Irp for too long a time
Arg2: fffffa8002e67a20, Physical Device Object of the stack
Arg3: fffff80000b9c518, Functional Device Object of the stack
Arg4: fffffa8006ef9420, The blocked IRP
Debugging Details:
——————
DRVPOWERSTATE_SUBCODE: 3
IRP_ADDRESS: fffffa8006ef9420
DEVICE_OBJECT: fffffa8004305050
DRIVER_OBJECT: fffffa8004324d80
IMAGE_NAME: e1e6032e.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 49c923b3
MODULE_NAME: e1e6032e
FAULTING_MODULE: fffff88003d9c000 e1e6032e
CUSTOMER_CRASH_COUNT: 1
DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT
BUGCHECK_STR: 0x9F
PROCESS_NAME: System
CURRENT_IRQL: 2
LAST_CONTROL_TRANSFER: from fffff80002b32e23 to fffff80002ac3f00
STACK_TEXT:
fffff800`00b9c4c8 fffff800`02b32e23 : 00000000`0000009f 00000000`00000003 fffffa80`02e67a20 fffff800`00b9c518 : nt!KeBugCheckEx
fffff800`00b9c4d0 fffff800`02acffa6 : fffff800`00b9c600 fffff800`00b9c600 00000000`00000002 00000000`00000000 : nt! ?? ::FNODOBFM::`string'+0x29330
fffff800`00b9c570 fffff800`02acf326 : fffffa80`063c8010 fffffa80`063c8010 00000000`00000000 00000000`00000000 : nt!KiProcessTimerDpcTable+0x66
fffff800`00b9c5e0 fffff800`02acfe7e : 00000007`64b26ff5 fffff800`00b9cc58 00000000`00031b1f fffff800`02c3f668 : nt!KiProcessExpiredTimerList+0xc6
fffff800`00b9cc30 fffff800`02acf697 : 00000001`8fa148c6 00000001`00031b1f 00000001`8fa14807 00000000`0000001f : nt!KiTimerExpiration+0x1be
fffff800`00b9ccd0 fffff800`02acc6fa : fffff800`02c3ce80 fffff800`02c4ac40 00000000`00000002 fffff880`00000000 : nt!KiRetireDpcList+0x277
fffff800`00b9cd80 00000000`00000000 : fffff800`00b9d000 fffff800`00b97000 fffff800`00b9cd40 00000000`00000000 : nt!KiIdleLoop+0x5a
STACK_COMMAND: kb
FOLLOWUP_NAME: MachineOwner
FAILURE_BUCKET_ID: X64_0x9F_IMAGE_e1e6032e.sys
BUCKET_ID: X64_0x9F_IMAGE_e1e6032e.sys
Followup: MachineOwner
———
We can see that the debugger had already named a culprit before the detailed analysis, namely “e1e6032e.sys”.
Next, I ran the “lmvm” command with “e1e6032e” as argument to investigate the module. This gave me the following:
start end module name
fffff880`03d9c000 fffff880`03de4000 e1e6032e T (no symbols)
Loaded symbol image file: e1e6032e.sys
Image path: \SystemRoot\system32\DRIVERS\e1e6032e.sys
Image name: e1e6032e.sys
Timestamp: Tue Mar 24 19:17:23 2009 (49C923B3)
CheckSum: 00047749
ImageSize: 00048000
Translations: 0000.04b0 0000.04e4 0409.04b0 0409.04e4
Again it's the driver. So I went to \system32\DRIVERS\ and located e1e6032e.sys. It turns out to be the driver for the Ethernet card.
70% of all BSODs on Windows Vista were caused by faulty third-party device drivers (source: Microsoft). So this seems to be correct.
Fortunately a search for an updated driver version was fruitless, so instead I decided to email our tech support at Lenovo to see if they can provide me with a new driver.
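The triage done by hand above (read the bugcheck code and its arguments, note the "Probably caused by" module, confirm it with lmvm, decode the image timestamp, and notice that the faulting module has no symbols on the Microsoft server, which is what you expect of a third-party driver) can be scripted for a batch of minidumps. The Python below is an added example, not code from this post or from the Debugging Tools: it parses constructed excerpts of the !analyze -v and lmvm output shown above and cross-checks the two views. The cdb command-line builder assumes cdb.exe from the Debugging Tools is on PATH, and the bugcheck-name table is a hand-picked subset of well-known codes.

```python
import re
from datetime import datetime, timezone

# Constructed samples: the lines of the post's "!analyze -v" and "lmvm e1e6032e"
# output that the parser needs (the complete output is reproduced in the post).
SAMPLE_ANALYZE = r"""
BugCheck 9F, {3, fffffa8002e67a20, fffff80000b9c518, fffffa8006ef9420}
*** WARNING: Unable to verify timestamp for e1e6032e.sys
*** ERROR: Module load completed but symbols could not be loaded for e1e6032e.sys
Probably caused by : e1e6032e.sys
DRIVER_POWER_STATE_FAILURE (9f)
Arg1: 0000000000000003, A device object has been blocking an Irp for too long a time
IMAGE_NAME: e1e6032e.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 49c923b3
MODULE_NAME: e1e6032e
FAULTING_MODULE: fffff88003d9c000 e1e6032e
PROCESS_NAME: System
CURRENT_IRQL: 2
FAILURE_BUCKET_ID: X64_0x9F_IMAGE_e1e6032e.sys
"""

SAMPLE_LMVM = r"""
start end module name
fffff880`03d9c000 fffff880`03de4000 e1e6032e T (no symbols)
Loaded symbol image file: e1e6032e.sys
Image path: \SystemRoot\system32\DRIVERS\e1e6032e.sys
Image name: e1e6032e.sys
Timestamp: Tue Mar 24 19:17:23 2009 (49C923B3)
CheckSum: 00047749
ImageSize: 00048000
"""

# A few well-known bugcheck codes (hand-picked subset); 0x9F is the one in the post.
BUGCHECK_NAMES = {
    0x0A: "IRQL_NOT_LESS_OR_EQUAL",
    0x50: "PAGE_FAULT_IN_NONPAGED_AREA",
    0x7E: "SYSTEM_THREAD_EXCEPTION_NOT_HANDLED",
    0x9F: "DRIVER_POWER_STATE_FAILURE",
    0xD1: "DRIVER_IRQL_NOT_LESS_OR_EQUAL",
}


def pe_timestamp(hex_ts):
    """A PE TimeDateStamp is seconds since the Unix epoch; 49C923B3 is 2009-03-24 18:17:23 UTC."""
    return datetime.fromtimestamp(int(hex_ts, 16), tz=timezone.utc)


def _field(text, key):
    """Value of a 'KEY: value' line, or None if the line is absent."""
    m = re.search(r"^" + re.escape(key) + r":\s*(\S+)", text, re.M)
    return m.group(1) if m else None


def parse_analyze(text):
    """Pull the triage fields out of '!analyze -v' output."""
    out = {}
    m = re.search(r"^BugCheck\s+([0-9A-Fa-f]+),\s*\{([^}]*)\}", text, re.M)
    if m:
        out["bugcheck"] = int(m.group(1), 16)
        out["bugcheck_name"] = BUGCHECK_NAMES.get(out["bugcheck"], "UNKNOWN")
        out["args"] = [int(a.strip(), 16) for a in m.group(2).split(",")]
    m = re.search(r"^Probably caused by\s*:\s*(\S+)", text, re.M)
    out["probably_caused_by"] = m.group(1) if m else None
    for key in ("IMAGE_NAME", "MODULE_NAME", "PROCESS_NAME", "FAILURE_BUCKET_ID"):
        out[key.lower()] = _field(text, key)
    m = re.search(r"^FAULTING_MODULE:\s*([0-9A-Fa-f]+)\s+\S+", text, re.M)
    out["faulting_base"] = int(m.group(1), 16) if m else None
    ts = _field(text, "DEBUG_FLR_IMAGE_TIMESTAMP")
    out["image_built_utc"] = pe_timestamp(ts) if ts else None
    # Symbol warnings are a signal in themselves: no symbols on the Microsoft
    # server usually means a third-party module, so keep them in the record.
    out["warnings"] = re.findall(r"^\*\*\* (?:WARNING|ERROR): (.*)$", text, re.M)
    return out


def parse_lmvm(text):
    """Pull module details out of 'lmvm <module>' output."""
    out = {}
    # The data row looks like: fffff880`03d9c000 fffff880`03de4000 e1e6032e T (no symbols)
    m = re.search(r"^([0-9a-f`]{17})\s+([0-9a-f`]{17})\s+(\S+)\s*(.*)$", text, re.M)
    if m:
        out["start"] = int(m.group(1).replace("`", ""), 16)
        out["end"] = int(m.group(2).replace("`", ""), 16)
        out["module"] = m.group(3)
        out["no_symbols"] = "(no symbols)" in m.group(4)
    out["image_path"] = _field(text, "Image path")
    out["image_name"] = _field(text, "Image name")
    out["checksum"] = _field(text, "CheckSum")
    size = _field(text, "ImageSize")
    out["image_size"] = int(size, 16) if size else None
    m = re.search(r"^Timestamp:.*\(([0-9A-Fa-f]{8})\)", text, re.M)
    out["image_built_utc"] = pe_timestamp(m.group(1)) if m else None
    return out


def cross_check(analysis, module):
    """Findings from comparing the two views; an empty list means they fully agree."""
    findings = []
    if analysis["image_name"] != module["image_name"]:
        findings.append("IMAGE_NAME differs from lmvm image name")
    if analysis["faulting_base"] != module["start"]:
        findings.append("FAULTING_MODULE base differs from lmvm start address")
    if analysis["image_built_utc"] != module["image_built_utc"]:
        findings.append("DEBUG_FLR_IMAGE_TIMESTAMP differs from lmvm timestamp")
    if module["image_size"] != module["end"] - module["start"]:
        findings.append("ImageSize disagrees with the loaded address range")
    if module["no_symbols"]:
        findings.append("no symbols for faulting module (third-party driver; ask the vendor)")
    return findings


def triage(analyze_text, lmvm_text):
    """One-line summary plus cross-check findings for a dump."""
    a, m = parse_analyze(analyze_text), parse_lmvm(lmvm_text)
    return {
        "bugcheck": f"0x{a['bugcheck']:X} {a['bugcheck_name']}",
        "culprit": a["probably_caused_by"],
        "driver_path": m["image_path"],
        "driver_built_utc": a["image_built_utc"].isoformat() if a["image_built_utc"] else None,
        "findings": cross_check(a, m),
    }


def cdb_command(dump_path, module, symbol_path):
    """Argument list to run the same two commands non-interactively with cdb.exe
    (the console debugger shipped with the Debugging Tools; assumed to be on PATH)."""
    return ["cdb", "-z", dump_path, "-y", symbol_path,
            "-c", f"!analyze -v; lmvm {module}; q"]


if __name__ == "__main__":
    print(triage(SAMPLE_ANALYZE, SAMPLE_LMVM))
```

Run the cdb command over each file in C:\Windows\Minidump, feed the captured text to triage(), and a series of crashes that all bucket to the same third-party image with the same build timestamp is the pattern this post found by hand.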
I will let you know how it goes…
I just discovered a new plugin for FireFox…
While reading a post on praetorianprefect.com about using Facebook status messages as an alibi, I stumbled across a plugin for Firefox called CoScripter. It can be used to record and replay a sequence of user actions. I think the plugin is pretty neat. I'm thinking that CoScripter can be used for quick testing purposes in web development.
Check out the video demo here.