Gathering Blue Screen Information After Memory Dump in Windows 2000 or Windows NT (192463)


The information in this article applies to:

  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Professional
  • Microsoft Windows 2000 Datacenter Server
  • Microsoft Windows NT Server 4.0
  • Microsoft Windows NT Workstation 4.0
This article was previously published under Q192463
For a Microsoft Windows XP version of this article, see 314084.

SUMMARY

This article describes how to gather more information about a blue-screen error message. Note that these steps may not always provide conclusive answers and may only be a symptom of another problem.

MORE INFORMATION

Event Log Messages

  • Configure Windows to write an event log message with bugcheck information. Windows NT Server 4.0 is set to write event log messages by default. Windows NT Workstation is not set by default. To set your system to write an event log message, click to select the Write an event to the system log" check box that is located in the Recovery section of the Startup/Shutdown tab in System properties. This will cause an event log message to be written to the system log.
  • The description and format of the event log differs from the format that is displayed when the computer is writing the Memory.dmp file, but the majority of the information is the same. Below is an example of the event log:
    Event ID: 1001
    Source: Save Dump
    Description:
    The computer has rebooted from a bugcheck. The bugcheck was : 0xc000021a (0xe1270188, 0x00000001, 0x00000000, 0x00000000). Microsoft Windows NT (v15.1381). A dump was saved in: C:\WINNT\MEMORY.DMP.
    This information contains the stop code 0xc000021a and the four parameters. These can be very useful when troubleshooting certain types of stop codes. The parameters will mean different things depending on what type of stop code it is. For information about what the parameters represent, search the Microsoft Knowledge Base for the specific stop code. Not all stop code parameters are covered in the Microsoft Knowledge Base.

    To query the Microsoft Knowledge Base, visit the following Microsoft Web page:

    http://support.microsoft.com/support

Using Dumpchk.exe to Determine Memory Dump Information

If you use Dumpchk.exe from the Service Pack 3 CD, you can determine all of the information that is mentioned earlier and the address of the driver that generated the stop message. This information can often give you a direction to begin troubleshooting. Before you run Dumpchk.exe, be sure to adjust the properties of the command prompt so that the screen buffer size height is set to 999. This height will allow you to scroll back to see the output. Run Dumpchk.exe from the command prompt with the following syntax:

dumpchk.exe Memory.dmp

This is an example of the portions of the output that are most useful:

MachineImageType i386
NumberProcessors 1
BugCheckCode 0xc000021a
BugCheckParameter1 0xe1270188
BugCheckParameter2 0x00000001
BugCheckParameter3 0x00000000
BugCheckParameter4 0x00000000

ExceptionCode 0x80000003
ExceptionFlags 0x00000001
ExceptionAddress 0x8014fb84

Note that not all sections will give the same information. This will depend on the type of stop code. The information above tells you the stop code (0xc000021a) and the parameters (0xe1270188, 0x00000001, 0x00000000, 0x00000000), as well as the address of the driver that called the exception (0x8014fb84). This address can be used to identify the driver name by using the output from running Pstat.exe, which can be found in the Resource Kit.

Dumpchk.exe will also verify that the dump is valid.

Using Pstat.exe to Identify Driver Information

Pstat.exe, a Resource Kit utility, will give you a picture of the processes and drivers currently running on your system. For these purposes, the most useful information will be the list of loaded drivers that appears at the end of the output. All you need to do is run Pstat.exe from the command line. The information given by Pstat.exe can be piped to a file by using the following syntax:

pstat.exe > filename

This is an example of the driver list at the end of the output: 
   MODULENAME	Load Addr  Code	   Data	 Paged  LinkDate
   ----------------------------------------------------------------------
   Ntoskrnl.exe	80100000   270272  40064 434816	Sun May 11 00:10:39 1997
   Hal.dll 	80010000   20384   2720	 9344	Mon Mar 10 16:39:20 1997
   Aic78xx.sys	80001000   20512   2272	 0	Sat Apr 05 21:16:21 1997
   Scsiport.sys	801d7000   9824	   32	 15552	Mon Mar 10 16:42:27 1997
   Disk.sys	80008000   3328	   0	 7072	Thu Apr 24 22:27:46 1997
   Class2.sys	8000c000   7040	   0	 1632	Thu Apr 24 22:23:43 1997
   Ino_flpy.sys	801df000   9152	   1472	 2080	Tue May 26 18:21:40 1998
   Ntfs.sys	801e3000   68160   5408	 269632	Thu Apr 17 22:02:31 1997
   Floppy.sys	f7290000   1088	   672	 7968	Wed Jul 17 00:31:09 1996
   Cdrom.sys	f72a0000   12608   32	 3072	Wed Jul 17 00:31:29 1996
   Cdaudio.sys	f72b8000   960	   0	 14912	Mon Mar 17 18:21:15 1997
   Null.sys	f75c9000   0	   0	 288	Wed Jul 17 00:31:21 1996
   Ksecdd.sys	f7464000   1280	   224	 3456	Wed Jul 17 20:34:19 1996
   Beep.sys	f75ca000   1184	   0	 0	Wed Apr 23 15:19:43 1997
   Cs32ba11.sys	fcd1a000   52384   45344 14592	Wed Mar 12 17:22:33 1997
   Msi8042.sys	f7000000   20192   1536	 0	Mon Mar 23 22:46:22 1998
   Mouclass.sys	f7470000   1984	   0	 0	Mon Mar 10 16:43:11 1997
   Kbdclass.sys	f7478000   1952	   0	 0	Wed Jul 17 00:31:16 1996
   Videoprt.sys	f72d8000   2080	   128	 11296	Mon Mar 10 16:41:37 1997
   Ati.sys 	f7010000   960	   9824	 48768	Fri Dec 12 15:20:37 1997
   Vga.sys 	f7488000   128	   32	 10784	Wed Jul 17 00:30:37 1996
   Msfs.sys	f7308000   864	   32	 15328	Mon Mar 10 16:45:01 1997
   Npfs.sys	f7020000   6560	   192	 22624	Mon Mar 10 16:44:48 1997
   Ndis.sys	fccda000   11744   704	 96768	Thu Apr 17 22:19:45 1997
   Win32k.sys	a0000000   1162624 40064 0	Fri Apr 25 21:17:32 1997
   Ati.dll 	fccba000   106176  17024 0	Fri Dec 12 15:20:08 1997
   Cdfs.sys	f7050000   5088	   608   45984	Mon Mar 10 16:57:04 1997
   Ino_fltr.sys	fc42f000   29120   38176 1888	Tue Jun 02 16:33:05 1998
   Tdi.sys 	fc4a2000   4480    96	 288	Wed Jul 17 00:39:08 1996
   Tcpip.sys	fc40b000   108128  7008	 10176	Fri May 09 17:02:39 1997
   Netbt.sys	fc3ee000   79808   1216	 23872	Sat Apr 26 21:00:42 1997
   El90x.sys	f7320000   24576   1536	 0	Wed Jun 26 20:04:31 1996
   Afd.sys 	f70d0000   1696    928	 48672	Thu Apr 10 15:09:17 1997
   Netbios.sys	f7280000   13280   224	 10720	Mon Mar 10 16:56:01 1997
   Parport.sys	f7460000   3424    32	 0	Wed Jul 17 00:31:23 1996
   Parallel.sys	f746c000   7904    32	 0	Wed Jul 17 00:31:23 1996
   Parvdm.sys	f7552000   1312    32	 0	Wed Jul 17 00:31:25 1996
   Serial.sys	f7120000   2560    0	 18784	Mon Mar 10 16:44:11 1997
   Rdr.sys 	fc385000   13472   1984	 219104	Wed Mar 26 14:22:36 1997
   Mup.sys 	fc374000   2208    6752	 48864	Mon Mar 10 16:57:09 1997
   Srv.sys 	fc24a000   42848   7488	 163680	Fri Apr 25 13:59:31 1997
   Pscript.dll	f9ec3000   0       0	 0
   Fastfat.sys	f9e00000   6720    672	 114368	Mon Apr 21 16:50:22 1997
   Ntdll.dll	77f60000   237568  20480 0	Fri Apr 11 16:38:50 1997
   ---------------------------------------------------------------------
   Total   	2377632    255040  1696384
By using the starting address shown under the "Load Addr" column, you can match the exception address to the driver name. Using 8014fb84 as an example, you can determine that Ntoskrnl.exe has the nearest load address below the exception address and is most likely the driver that called the exception. With this information, you can visit the Microsoft Knowledge Base to look for known issues that match your situation.

For additional information, click the article number below to view the article in the Microsoft Knowledge Base:

129845 Blue Screen Preparation Before Contacting Microsoft

Modification Type:MajorLast Reviewed:6/3/2003
Keywords:kbinfo KB192463
©2002 Microsoft Corporation. All rights reserved.