Hardcore Windows: How to solve Windows 10 crashes in less than a minute
When I began to work with Windows 10, I was able to shut the laptop down without Googling to find the power button icon, a great improvement over Windows 8. My next interest was determining what to do when the OS falls over, generating a Blue Screen of Death. This article describes how to set your system up so that, when it does, you'll be able to find the cause of most crashes in less than a minute at no cost.
In Windows 10, the Blue Screen looks the same as in Windows 8/8.1: the screen with the frown emoticon and the message "Your PC ran into a problem . . ." It looks friendlier than the original Blue Screens, but a truly friendly screen would tell you what caused the problem and how to fix it. That would not be difficult, since most BSODs are caused by misbehaving third-party drivers that the Windows debugger can usually identify.
For earlier versions of the OS, refer to the following:
- Windows 8: (Article) How to solve Windows 8 crashes in less than a minute; (Slide show) How to solve Windows 8 crashes
- Windows 7: Solve Windows 7 crashes in minutes
- Windows XP/2000: How to solve Windows crashes in minutes
Just to be clear, this article deals with system crashes, not application crashes or system hangs. In a full system crash, the operating system has concluded that something has gone so wrong (such as memory corruption) that continued operation could cause serious or catastrophic results. Therefore, the OS attempts to shut down as cleanly as possible, saving system state information in the process, then restarts (if set to do so) as a refreshed environment with debug information ready to be analyzed.
Why Windows 10 crashes
To be sure, Windows has grown in features and size since its introduction in 1985 and has become more stable along the way. Nevertheless, and in spite of the protection mechanisms built into the OS, crashes still occur.
Windows 10 uses the processor's ring protection scheme and operates in two modes: User Mode (Ring 3) and Kernel Mode (Ring 0). The idea is simple: run core OS code and device drivers in Kernel Mode, and applications and user-mode drivers in User Mode. For applications to access the services of the OS and the hardware, they must call Windows services that act as proxies. By blocking User Mode code from direct access to Kernel Mode memory, OS operations are generally well protected.
The problem is when Kernel Mode code goes awry. In most cases it is third-party drivers living in Kernel Mode that make erroneous calls, such as referencing non-existent memory or overwriting OS code, that result in system failures. And, yes, it is true that Windows itself is seldom at fault.
Where to get help with Windows 10 crashes
There are plenty of places to turn to for help with BSODs, a few of which are listed below. For example, ConfigSafe tells you what drivers have changed and AutorunCheck tells you what Windows Autorun settings have changed. Both help pinpoint the culprit in a system failure. And everyone should have the book Windows Internals; it is the bible that every network admin and CIO should turn to, especially Chapter 14, "Crash Dump Analysis," which is in Part 2 of the book.
When I asked Mark Russinovich, one of the authors, why a network admin or CIO – as opposed to a programmer – should read it, he said, "If you're managing Windows systems and don't know the difference between a process and a thread, how Windows manages virtual and physical memory, or how kernel-mode drivers can crash a system, you're handicapping yourself. Understanding these concepts is critical to fully understanding crash dumps and being able to decipher their clues."
So, while WinDbg provides the data about the state of a system when it fell over, Windows Internals turns that esoteric data into actionable information that helps you determine the cause.
WHERE TO FIND BSOD HELP
Name | Type | Location |
---|---|---|
About.com | Guide | http://pcsupport.about.com/od/fixtheproblem/ht/stoperrors.htm |
AutorunCheck | Tool | http://imaginelan.net/autoruncheck-home/ |
CNET | Forum | http://www.cnet.com/forums/windows-10/ |
ConfigSafe | Tool | http://imaginelan.net/configsafe-home/ |
Experts-Exchange | Help Site | http://www.experts-exchange.com/topics/windows-10/ |
FiretowerGuard | Tool | http://sampansecurity.com/firetowerguard.html |
Windows 10 Forums | Forum | http://www.windows10forums.com/ |
Microsoft Autoruns | Tool | https://technet.microsoft.com/en-us/sysinternals/bb963902 |
Microsoft DaRT | Tool | http://www.microsoft.com/en-us/windows/enterprise/products-and-technologies/mdop/dart.aspx |
TechNet | Forum | https://social.technet.microsoft.com/Forums/en-US/home?category=Windows10ITPro |
TenForums | Forum | http://www.tenforums.com/ |
WhoCrashed | Tool | http://www.resplendence.com/whocrashed |
WinDbg | Tool | http://msdn.microsoft.com/en-us/windows/hardware/gg463009.aspx |
Windows Internals | Book | http://technet.microsoft.com/en-us/sysinternals/bb963901.aspx |
WindowsSecrets | Forum | http://windowssecrets.com/forums/forumdisplay.php/68-Windows-10-Forum |
What is a memory dump?
A memory dump is a copy, or snapshot, of the contents of a system's memory at the point of a system crash. Dump files are important because they can show who was doing what at the point the system fell over. By the nature of their contents, they are difficult to decipher unless you know what to look for.
Windows 10 can produce five types of memory dump files, each of which is described below.
1. Automatic Memory Dump
Location: %SystemRoot%\Memory.dmp Size: Size of OS kernel
The Automatic memory dump is the default option selected when you set up Windows 10. It was created to support the "System Managed" page file configuration, which has been updated to reduce the page file size on disk, primarily for small SSDs, but will also benefit servers with large amounts of RAM. The Automatic memory dump option produces a Kernel memory dump; the difference is that selecting Automatic allows the SMSS process to reduce the page file to smaller than the size of RAM.
To check or edit the system paging file size, go to the following:
Windows 10 button | Control Panel | System and Security | System | Advanced system settings | Performance | Settings | Advanced | Change
2. Active Memory Dump
Location: %SystemRoot%\Memory.dmp Size: Triple the size of a kernel or automatic dump file
The Active memory dump is a recent feature from Microsoft. While much smaller than a complete memory dump, it is roughly three times the size of a kernel dump, because it includes both the kernel and the user-mode memory that was in use. On my test system with 4GB RAM running Windows 10 on an Intel Core i7 64-bit CPU the Active dump was around 1.5GB. Since dump files sometimes have to be transported, I compressed it, which brought it down to about 500MB.
3. Complete Memory Dump
Location: %SystemRoot%\Memory.dmp Size: Installed RAM plus 1MB
A complete (or full) memory dump is the largest dump file because it includes all of the physical memory used by the Windows OS. You can assume that the file will be about equal to the installed RAM. With many systems having multiple GBs, this can quickly become a storage issue, especially if you are having more than the occasional crash. Generally speaking, stick to the automatic dump file.
4. Kernel Memory Dump
Location: %SystemRoot%\Memory.dmp Size: ≈ size of physical memory "owned" by kernel-mode components
Kernel dumps are roughly equal in size to the RAM occupied by the Windows 10 kernel, about 700MB on my test system. Compression brought it down nearly 80% to 150MB. One advantage of a kernel dump is that it contains the binaries which are needed for analysis. The Automatic dump setting creates a kernel dump file by default, saving only the most recent, as well as a minidump for each event.
5. Small Memory Dump (a.k.a. a minidump)
Location: %SystemRoot%\Minidump Size: At least 64K on x86 and 128K on x64 (279K on my Windows 10 test PC)
Minidumps include the memory pages pointed to by the registers, given their values at the point of the fault, as well as the stack of the faulting thread. What makes them small is that they do not contain any of the binary or executable files that were in memory at the time of the failure. However, those files are critically important for subsequent analysis by the debugger.
As long as you are debugging on the machine that created the dump file, WinDbg can find them in the System Root folders (unless the binaries were changed by a system update after the dump file was created). Alternatively, the debugger should be able to locate them automatically through SymServ, Microsoft's online store of symbol files. Unless changed by a user, Windows 10 is normally set to create the automatic dump file for the most recent event and a minidump for every crash event, providing a historical record of all system crash events for the life of the system.
Configuring Windows 10 to generate the right memory dump
Open Control Panel and go to the Startup and Recovery window:
Windows 10 button | Control Panel | System and Security | System | Advanced system settings | Startup and Recovery | Settings | Automatic memory dump
In the final window, Startup and Recovery, select the "Automatic memory dump" option and check the "Automatically restart" box (both of which are typically set by default in Windows 10).
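The Startup and Recovery dialog writes these choices to the registry, so the same configuration can be audited and set from a script, which is useful on a fleet or on a machine you are checking after a crash. The following PowerShell is an added example, not code from the original article. The value meanings (CrashDumpEnabled 0 = none, 1 = complete, 2 = kernel, 3 = small, 7 = automatic; CrashDumpEnabled 1 plus FilterPages 1 = active; AutoReboot) are Microsoft's documented CrashControl values and map onto the five dump types described above; the script must run from an elevated prompt, and a changed setting takes effect after the next reboot.

```powershell
# Added example (not from the original article): read and set the crash-dump
# configuration behind the Startup and Recovery dialog via the CrashControl key.
# Documented value meanings:
#   CrashDumpEnabled 0 = none, 1 = complete, 2 = kernel, 3 = small (minidump),
#   7 = automatic; an Active memory dump is CrashDumpEnabled 1 plus FilterPages 1.
# Run from an elevated PowerShell; changes take effect after a reboot.

$CrashControl = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'

function Get-CrashDumpConfig {
    $p = Get-ItemProperty -Path $CrashControl
    $type = switch ($p.CrashDumpEnabled) {
        0 { 'None' }
        1 { if ($p.FilterPages -eq 1) { 'Active memory dump' } else { 'Complete memory dump' } }
        2 { 'Kernel memory dump' }
        3 { 'Small memory dump (minidump)' }
        7 { 'Automatic memory dump' }
        default { "Unknown ($($p.CrashDumpEnabled))" }
    }
    [pscustomobject]@{
        DumpType    = $type
        # DumpFile / MinidumpDir are REG_EXPAND_SZ; Get-ItemProperty expands them.
        DumpFile    = if ($p.DumpFile)    { $p.DumpFile }    else { '%SystemRoot%\MEMORY.DMP' }
        MinidumpDir = if ($p.MinidumpDir) { $p.MinidumpDir } else { '%SystemRoot%\Minidump' }
        AutoReboot  = [bool]$p.AutoReboot
    }
}

function Set-AutomaticMemoryDump {
    # The configuration the article recommends: Automatic memory dump + automatic restart.
    Set-ItemProperty -Path $CrashControl -Name CrashDumpEnabled -Value 7 -Type DWord
    Set-ItemProperty -Path $CrashControl -Name AutoReboot       -Value 1 -Type DWord
    # FilterPages only has meaning together with CrashDumpEnabled=1 (Active dump);
    # clear a stale value so the setting reads unambiguously afterwards.
    Remove-ItemProperty -Path $CrashControl -Name FilterPages -ErrorAction SilentlyContinue
}

# Usage: show the current setting; uncomment the second line to apply the article's recommendation.
Get-CrashDumpConfig
# Set-AutomaticMemoryDump; Get-CrashDumpConfig
```

Run Get-CrashDumpConfig first on a machine that has already crashed: if it reports "None" or a minidump directory on a volume with no free space, that explains why MEMORY.DMP was never written, and no amount of debugger configuration will help.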
Install WinDbg (you may not want it but you need it)
System requirements. To set up a PC for WinDbg-supported crash analysis, you will need the following:
- 32-bit or 64-bit Windows 10. Depending on the processor you are running the debugger on, you can use either the 32- or 64-bit debugging tools. Note that it is not important whether the dump file was made on an x86-based or an x64-based platform.
- WinDbg. The Debugging Tools for Windows component of the Windows SDK for Windows 10, which you can download for free from Microsoft.
- Hard drive space. About 250MB of hard disk space (not including storage space for dump files or for symbol files).
- Internet. A live Internet connection.
Download WinDbg. Download sdksetup.exe from Microsoft (about 1.2MB); it launches the installation program from which you select what components to install. Either go to the Hardware Dev Center page at Microsoft, scroll down to "Get debugging tools" and select "Debugging Tools for Windows 10 (WinDbg)" (item "A" below), or start the immediate download (item "B" below).
A) Microsoft Hardware Dev Center
B) Automatic download
Space required. Disregard the "Estimated disk space required" until you deselect the unwanted tools. Be sure to deselect all except "Debugging Tools for Windows," which includes kernel and user-mode debuggers, plus help and tips for using the tools. Unless you will be coding, you won't need the other modules and you will save a lot of disk space. On this test machine the install went from 2.5GB to about 250MB.
Run sdksetup.exe. Install the Software Development Kit (SDK) on the system that you will use to analyze memory dump files, and remember that it can be a 32- or 64-bit machine running another version of Windows (it does not need to be running Windows 10).
1. Launch sdksetup.exe
2. Specify the location: the default installation path is C:\Program Files (x86)\Windows Kits\10. Either accept the default or take the second option and define the path as you need.
3. Accept or reject the Windows Privacy question.
4. Accept the License Agreement.
5. Deselect all except "Debugging Tools for Windows".
What are symbols and why you need them
With WinDbg installed, but before calling up a dump file, you need symbol files. Symbol files for software are like exit signs on the highway; they tell you what is located there if you stop. They are a byproduct of compiling source code into an executable file (from a high-level language into machine code). During this process, the compiler creates symbol files with a list of identifiers, their locations in the program and their attributes.
However, programs do not need this information to execute, so symbols are typically stored in a separate file. This reduces the size of the executable, resulting in less disk space and quicker load and operating speeds. Further, those symbol files are not usually shipped with the OS or the application they come from. The problem, then, is that when a program causes a system failure, the OS only knows the hex address at which the problem occurred, but not who was there and what he was doing. Fortunately, Microsoft provides access to SymServ, which resolves the problem.
When opening a memory dump, WinDbg looks at the executable files (.exe, .dll, etc.) and extracts version information. It then creates a request to SymServ at Microsoft that includes the version information and locates the correct symbol tables to draw information from. As mentioned earlier, it will not download all symbols for the specific operating system you are troubleshooting; it will download only what it needs.
In this case, for this Windows 10 PC, the symbol file folder ended up being 22MB in size. After running numerous crash tests, the folder was about 35MB. On another system on which I ran numerous tests from several different PCs, the folder was still under 100MB. Just remember that if you open files from additional machines (with variants of the operating system) your folder can continue to grow in size.
Alternatively, you can choose to download and store the complete symbol package from Microsoft. Before you do, note that, for each symbol package, you should have at least 1GB of disk space free. This is because, in addition to the space required to store the files, you also need space for the required temporary files. Even with the low cost of hard drives these days, the space used is worth noting.
- Each x86 symbol package may require 750 MB or more of hard disk space.
- Each x64 symbol package may require 640 MB or more.
Symbol packages are non-cumulative unless otherwise noted, so if you are using an SP2 Windows release, you will need to install the symbols for the original RTM version and for SP1 before you install the symbols for SP2.
If you want to download the symbol files and save them locally, be sure to read the system requirements before downloading.
SymServ (aka SymSrv/Symbol Server) is a critically important service provided, at no cost, by Microsoft to ensure accurate memory dump analysis. To use it, simply configure WinDbg to locate it and SymServ will automatically retrieve symbols specific to the exact version of Windows that the dump came from. And, after analyzing a dump file from one machine, if you call up a dump file from another, WinDbg and SymServ will automatically retrieve the symbols for that version of the OS as well.
Configuring WinDbg
From the Windows 10 UI, select the Windows 10 button, then WinDbg | More | Run as administrator
You will then see a window with a few menu options and a blank main window area. Before you open a dump file, you must tell WinDbg where to find the symbol files.
Correlating a Windows dump file with the appropriate symbol files is not simply a matter of knowing which version number of the OS was running. There are myriad variants of the OS, a fact that is not obvious. The only way to be sure which file is correct is to let SymServ find it for you.
Setting the symbol file path. There are a huge number of symbol files for Windows because every build, every update, every patch and the myriad one-off variants each result in a new file. And using the wrong symbols to evaluate a dump file would be like using a map of Boston to navigate San Francisco.
Select File | Symbol File Path and enter the following path: srv*c:\cache*http://msdl.microsoft.com/download/symbols
In place of c:\cache, insert the location where you want to store symbols. In this case, c:\symbols was used. Then select OK. (Current releases of the debugger use the HTTPS form of the server URL, https://msdl.microsoft.com/download/symbols.)
Note: be sure that your firewall allows access to msdl.microsoft.com, not just www.microsoft.com.
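Rather than typing the path into the dialog on every machine, the path can be made persistent through the _NT_SYMBOL_PATH environment variable, which WinDbg and the command-line debuggers read, and the firewall condition in the note above can be checked before the first dump is opened. The following PowerShell is an added example, not from the original article; it assumes the c:\symbols cache directory used above and the HTTPS symbol-server URL that current debugger releases expect.

```powershell
# Added example (not from the original article): persist the symbol path and verify
# that msdl.microsoft.com is reachable before opening a dump in WinDbg.
# Assumptions: cache directory C:\symbols (as in the article) and the HTTPS server URL.

$SymbolCache  = 'C:\symbols'
$SymbolServer = 'https://msdl.microsoft.com/download/symbols'
$SymbolPath   = "srv*$SymbolCache*$SymbolServer"

# 1. Create the local cache and set _NT_SYMBOL_PATH for this user. WinDbg, kd and cdb
#    read it, so File | Symbol File Path is pre-populated and the setting survives
#    reinstalling the debugger.
New-Item -ItemType Directory -Path $SymbolCache -Force | Out-Null
[Environment]::SetEnvironmentVariable('_NT_SYMBOL_PATH', $SymbolPath, 'User')
$env:_NT_SYMBOL_PATH = $SymbolPath   # also apply to the current session

# 2. The article's firewall note: allowing www.microsoft.com is not enough.
#    First check that TCP 443 to the symbol server host is open at all.
$tcp = Test-NetConnection -ComputerName 'msdl.microsoft.com' -Port 443 -WarningAction SilentlyContinue
if (-not $tcp.TcpTestSucceeded) {
    Write-Warning 'TCP 443 to msdl.microsoft.com is blocked; WinDbg will report "Kernel symbols are WRONG".'
}

# 3. Then make one HTTPS request through whatever proxy/TLS inspection is in the path.
#    Any HTTP status in reply (even 404 for the bare store root) proves the path works;
#    only a transport-level failure means symbol downloads will not succeed.
try {
    $r = Invoke-WebRequest -Uri $SymbolServer -UseBasicParsing -Method Head
    "Symbol server reachable: HTTP $($r.StatusCode)"
} catch {
    if ($_.Exception.Response) {
        "Symbol server reachable: HTTP $([int]$_.Exception.Response.StatusCode)"
    } else {
        Write-Warning "Cannot reach the symbol server: $($_.Exception.Message)"
    }
}

"_NT_SYMBOL_PATH = $([Environment]::GetEnvironmentVariable('_NT_SYMBOL_PATH', 'User'))"
```

If step 2 succeeds but step 3 fails, the block is usually an HTTPS proxy or TLS-inspecting gateway rather than a port filter; a partial download through such a device is exactly the "corrupted symbol file" case discussed later, and the cure is the same: delete the cache directory and let the debugger re-fetch.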
What if you don't have a memory dump to analyze? No worries. You can generate one yourself. Yes, you can cause your system to crash, and do so safely. There are different ways to do it, but the best way is to use a cool tool called NotMyFault created by Russinovich.
Download NotMyFault. To get NotMyFault, go to the Windows Internals Book page at Sysinternals and scroll down to the Book Tools section, where you will see a link to download it. The tool includes a selection of options that load a misbehaving driver (which requires administrative privileges). After downloading, I created a shortcut on the desktop to simplify access.
Note that Chapter 14 (Part Two of the book) thoroughly covers the use of NotMyFault and, more importantly, crash dump analysis.
WARNING: Using NotMyFault will create a system crash and, while I've never seen a problem using the tool, there are no guarantees in life, especially in computers. So, prepare your system and have anyone who needs access to it log off for a few minutes. Save any files that contain information that you might otherwise lose and close all applications. Properly prepared, the machine should go down, reboot, and both a minidump and a kernel (or whatever size you select) dump should be created.
Opening a dump file
Locating a dump file. Dump files in Windows systems are placed in two places, depending upon which type you open:
- All dump files except minidumps: C:\Windows\MEMORY.DMP
- Minidumps: C:\Windows\Minidump\[minidump names vary]
Note that, unlike the other dump files, which are named MEMORY.DMP, minidumps are automatically given individual names so that previous files are not overwritten, which is fine since they are so small.
Open a dump file. To open the file you've located, go to
File | Open Crash Dump
If you see the following, STOP:
*** WARNING: Unable to verify timestamp for ntoskrnl.exe
*** ERROR: Module load completed but symbols could not be loaded for ntoskrnl.exe
This is important. When you see these two messages near the start of the output from WinDbg, it means that you will not get the analysis that you need. This is confirmed after the "Bugcheck Analysis" is automatically run, and the message below is displayed.
When you see the following message:
"*** ERROR: Symbol file could not be found. Defaulted to export symbols for ntkrnlmp.exe . . ."
it means that WinDbg did not locate the proper symbols for ntkrnlmp.exe, the Windows OS kernel itself, and that proper analysis cannot be done.
***** Kernel symbols are WRONG. Please fix symbols to do analysis.
Likely causes follow:
- No path/wrong path: a path to the symbol files has not been set or the path is incorrect (look for typos such as a stray blank space). Check the Symbol Path (see Setting the symbol file path above).
- Failed connection: check your internet connection to make sure it is working properly.
- Access blocked: a firewall blocked access to the symbol files or the files were damaged during retrieval. Check that no firewall is blocking access to msdl.microsoft.com (it may only be allowing access to www.microsoft.com).
Note that if a firewall initially blocks WinDbg from downloading a symbol file, it can result in a corrupted file. If unblocking the firewall and attempting to download the symbol file again does not work, the file remains broken. The quickest fix is to close WinDbg, delete the symbols folder (which you most likely set at c:\symbols), and unblock the firewall. Next, reopen WinDbg and a dump file. The debugger will recreate the folder and re-download the symbols. Do not go further with your analysis until this is corrected.
If you see the following error, no worries:
*** WARNING: Unable to verify timestamp for myfault.sys
*** ERROR: Module load completed but symbols could not be loaded for myfault.sys
This means that the debugger was looking for information on myfault.sys. However, since it is a third-party driver there are no symbols for it, because Microsoft does not store symbols for third-party drivers (OK, myfault.sys is made by Sysinternals, which is owned by Microsoft, but it is certainly not a mainstream Microsoft product and, for our purposes, it represents a third-party driver). The point is that you can ignore this error message. Vendors do not typically ship drivers with symbol files and they aren't necessary to your work; you can pinpoint the problem driver without them.
Learn why Windows 10 crashed
Assuming all went well, just opening the dump file caused WinDbg to identify the OS and binaries, locate the correct symbol files, download the needed files and run a basic analysis. If this is the first time WinDbg has been run on this system, or if you are looking at a dump file from another system whose files you have not loaded before, this may take a moment. In subsequent sessions, the analysis will likely be faster because most or all of the symbols needed will already be on the hard drive.
The information presented ranges from things such as the version of WinDbg, the location and name of the dump file opened, the symbol search path being used and even a brief analysis.
The line "Probably caused by : myfault.sys" we know to be true in this case, since it is the name of the driver for NotMyFault.
Often, when diagnosing the cause of a Windows crash, more information is needed. For example, you might recognize the driver but not be certain that it is the latest release; you might not recognize the driver or know who made it; or in other cases, the driver might actually be from Microsoft and be related to the OS kernel, which makes it a very unlikely suspect. To learn more, all you will typically need are two commands:
!analyze -v and lmvm
NOTE: The first command is pronounced "bang analyze dash vee".
Commands
WinDbg Commands | Description | Detail |
---|---|---|
!analyze -v | Analyze the crash event in verbose mode | Describe the state of the system when it crashed and the fault encountered, and identify the probable culprit |
lmvm [module name] | List loaded module information in verbose mode | Reveal metadata for the module named after the command |
Over the years, Microsoft has continued to grow and refine WinDbg. For example, while the two commands listed above would normally be entered in the command window at the bottom of the WinDbg screen that displays a "kd>" prompt (which stands for kernel debugger), both commands can now be initiated by selecting a hot link in the WinDbg interface.
!analyze -v. The output from !analyze -v provides more detail about the system crash event. In this case, the analysis accurately describes the actions of the test driver (myfault.sys), which was instructed by the test program to access an address at an interrupt request level that was too high.
Output from !analyze -v:
DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or completely invalid) address at an interrupt request level (IRQL) that is too high. This is usually caused by drivers using improper addresses.
The BUCKET_ID_FUNC_OFFSET is the distance from the base address of the suspect module to where the problematic code resides.
The important points are that the suspect module named by WinDbg is myfault and that, since we know this is a third-party driver, it is very probably guilty.
To get a better picture of what was happening when the OS fell over, look at the stack.
Reading the stack. It is always important to look at the stack output displayed by the debugger because it shows who was active and what it was doing leading up to the crash. When looking at the stack, always look at the far right end of each frame for any third-party drivers, and always remember that the stack is displayed in reverse chronological order. Thus, the sequence of events goes from the bottom to the top; as each new task is performed by the system it shows up at the top, pushing the previous actions down. In that stack you can see that NotMyFault/myfault was active. Following the last activity by the driver, Windows 10 declared a PageFault and then a BugCheck, which stopped the system (Blue Screened).
The metaphor that I have often used in technical sessions is to compare a stack walk with stepping into the room where a murder just took place and finding a body on the floor and someone standing over it with a smoking gun in his hand; it does not mean that he is guilty, but it certainly makes him suspect number one.
NotMyFault/myfault was active.
Assuming that we need more information about the suspect module, run lmvm.
lmvm [module name]. Now that we have a suspect module to consider, it is critical to learn more about it. The two key reasons for this are simply to confirm that it is indeed a third-party module and to determine whether it is an out-of-date module. lmvm tells both and more, as shown in the display. For instance, we can see that the maker of the module is Sysinternals and that it has a timestamp of April 2012.
Granted, we know that Sysinternals has been absorbed into Microsoft. However, the module is hardly a kernel OS driver, so it serves our demonstration purpose of playing the role of a third-party driver. Also, it is unlikely that a 4-year-old driver is up to date. If this were a real situation and the driver named was, for example, a video driver, there would almost certainly be a newer driver with fixes incorporated. From lmvm you would know which vendor to turn to for updated information on the driver and, hopefully, an updated version to install.
While most BSOD causes are easily attributed to third-party drivers, many are not so clear. In these cases, the cause can be anything from an overheated system resulting from a failed case fan to faulty memory modules.
Recurring crashes that deliver no clear or consistent cause will often be from memory issues. Two good ways to check memory are the Windows 10 Memory Diagnostic and Memtest86.
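The whole procedure above (open the dump, check that kernel symbols loaded, run !analyze -v, then lmvm on the suspect module) can be driven without the WinDbg GUI, using kd.exe, the command-line kernel debugger installed alongside WinDbg by the Debugging Tools for Windows. That lets you triage every minidump a machine has collected in one pass. The following PowerShell is an added example, not from the original article; it assumes the SDK's default install path and the c:\symbols cache from earlier, and it matches the "Kernel symbols are WRONG", MODULE_NAME, IMAGE_NAME, BUGCHECK_STR, "Probably caused by", CompanyName and Timestamp lines as WinDbg prints them.

```powershell
# Added example (not from the original article): batch triage of every minidump with
# kd.exe, running the two commands the article relies on, !analyze -v and lmvm.
# Assumptions: default SDK install path, C:\symbols cache, HTTPS symbol server URL.

$Kd         = 'C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\kd.exe'
$SymbolPath = 'srv*C:\symbols*https://msdl.microsoft.com/download/symbols'
$DumpDir    = Join-Path $env:SystemRoot 'Minidump'

if (-not (Test-Path $Kd)) { throw "kd.exe not found at $Kd; adjust for your SDK install path" }

function Invoke-KdCommand {
    param([string]$Dump, [string]$Commands)
    # -z opens a crash dump, -y sets the symbol path, -c runs commands at startup;
    # the trailing 'q' quits so the debugger never waits for input.
    & $Kd -z $Dump -y $SymbolPath -c "$Commands; q" 2>&1 | Out-String
}

function Get-CrashSummary {
    param([string]$Dump)
    $out = Invoke-KdCommand -Dump $Dump -Commands '!analyze -v'

    # The failure mode the article says to STOP on: kernel symbols did not load.
    if ($out -match 'Kernel symbols are WRONG') {
        return [pscustomobject]@{ Dump = (Split-Path $Dump -Leaf); Error = 'Kernel symbols not loaded: fix symbol path / firewall, then retry' }
    }

    $bugcheck = if ($out -match 'BUGCHECK_STR:\s+(\S+)')              { $Matches[1] }        else { '' }
    $module   = if ($out -match 'MODULE_NAME:\s+(\S+)')               { $Matches[1] }        else { '' }
    $image    = if ($out -match 'IMAGE_NAME:\s+(\S+)')                { $Matches[1] }        else { '' }
    $cause    = if ($out -match 'Probably caused by\s*:\s*([^\r\n]+)') { $Matches[1].Trim() } else { '' }

    # Second pass: lmvm on the suspect module for vendor and build timestamp, the two
    # facts the article uses to decide "third party?" and "out of date?".
    $vendor = ''; $stamp = ''
    if ($module) {
        $lm = Invoke-KdCommand -Dump $Dump -Commands "lmvm $module"
        if ($lm -match 'CompanyName:\s+([^\r\n]+)') { $vendor = $Matches[1].Trim() }
        if ($lm -match 'Timestamp:\s+([^\r\n]+)')   { $stamp  = $Matches[1].Trim() }
    }

    [pscustomobject]@{
        Dump      = Split-Path $Dump -Leaf
        Bugcheck  = $bugcheck
        Module    = $module
        Image     = $image
        Cause     = $cause
        Vendor    = $vendor
        Timestamp = $stamp
    }
}

# Usage: newest minidump first, one row per crash.
Get-ChildItem -Path $DumpDir -Filter '*.dmp' -ErrorAction SilentlyContinue |
    Sort-Object LastWriteTime -Descending |
    ForEach-Object { Get-CrashSummary -Dump $_.FullName } |
    Format-Table -AutoSize
```

Because minidumps carry no binaries, the first run needs network access to the symbol server for every distinct OS build represented in the folder; later runs are served from the cache. A table in which the same third-party image and an old timestamp recur across many rows is the "update the driver" case; rows that name ntoskrnl.exe or a Microsoft-signed core driver with no consistent module are the ones to treat as hardware or memory suspects, as the article discusses next.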
Is Windows guilty?
Probably not. For many years, many people have been quick to blame the Windows OS for system crashes when, in fact, it seldom is. Often, when Windows code is named as the culprit, it is because some other driver made a request for a Windows component to perform an operation and passed a bad instruction, such as telling it to write to non-existent memory. In cases like this, the OS is often seen as the guy holding the smoking gun, but he did what he was told to do, making identification of the initiator of the request often a difficult task.
What about antivirus, backup and other utilities? It is common to see drivers like those used for antivirus or backup utilities named as the culprit. However, they might not be the bad guy. Such utilities must be active because they have to keep an eye on file change activities, meaning that, regardless of what else is going on, they will often be found on the stack.
Regardless of whether you find a probable culprit named, use Google; whatever problem you are experiencing has probably been experienced by others and there are myriad places on the Internet with helpful information.
The time it takes you to read this article and to set up WinDbg will be well repaid when you find that you'll be able to resolve most BSODs in less than a minute without help and for free. And remember that a careful study of Windows Internals will extend your new-found skills dramatically.
Dirk Smith is a freelance writer. He can be reached at dirk@landfallresearch.com.
Source: https://www.pcworld.com/article/415904/how-to-solve-windows-10-crashes-in-less-than-a-minute.html
Posted by: flanaganligine.blogspot.com