Opening .dmp files for BSOD? (Windows 7)

[LegacyStijncat]

Hello, and thanks for reading this already!

 

A friend of mine somehow got her PC running Windows 7 so f***** up that she gets BSOD's almost daily after running her pc for too long.

Before, coloured lines fill the screen and audio distortion happens. Then, BSOD with System_Service_Exception

Her temps seemed fine at most times, and after some research, I'm guessing it's drivers.

 

Normally you can find exactly what drivers in the .dmp file that gets created after a BSOD, so I tried opening them.

 

Things I've tried:

• Event Viewer: With event viewer, you can apparently see things like that (Thanks for the tip @JerkyMcDilerino ), but her Windows 7 is in a foreign language, so I can't properly dig trough it.
• Windbg: This seemed to almost succeed in opening .dmp files, but it keeps giving symbol errors.

 

If anyone has any suggestions how to find the thing that causes this, or just to open the .dmp, please give me a hand!

 

Thanks in advance!

[2FA]

Perhaps try this: http://www.nirsoft.net/utils/blue_screen_view.html

[2FA]

Windbg will give you the best information though, usually I'll get those symbol errors as well but I can still see what the cause of the BSOD was.

[LegacyStijncat]

Perhaps try this: http://www.nirsoft.net/utils/blue_screen_view.html

Thanks for the suggestion, but it seems fishy... or is it just me being paranoid?

 

 

 

Windbg will give you the best information though, usually I'll get those symbol errors as well but I can still see what the cause of the BSOD was.

Really? Where could you find it?

[2FA]

Thanks for the suggestion, but it seems fishy... or is it just me being paranoid?

I got that from Microsoft Technet, although I have seen people vouch for it.

[2FA]

Oh I recognize this error now, it's caused by the IEEE 1394, or firewire, driver stack. Microsoft has a page specifically about it here: https://support.microsoft.com/en-us/kb/980932

[2FA]

Really? Where could you find it?

 

They are usually caused by a driver which is usually listed towards the bottom.

[LegacyStijncat]

They are usually caused by a driver which is usually listed towards the bottom.

Got the symbol to work by placing them on the same HDD partition as the program was installed.

Probably caused by : memory_corruption ( nt!MiIdentifyPfn+317 )

Does that refer to the RAM?

 

EDIT:

*******************************************************************************

*                                                                             *

*                        Bugcheck Analysis                                    *

*                                                                             *

*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck A, {fffffa80e920ec28, 2, 0, fffff8000313f207}

Probably caused by : memory_corruption ( nt!MiIdentifyPfn+317 )

Followup: MachineOwner

---------

2: kd> !analyze -v

*******************************************************************************

*                                                                             *

*                        Bugcheck Analysis                                    *

*                                                                             *

*******************************************************************************

IRQL_NOT_LESS_OR_EQUAL (a)

An attempt was made to access a pageable (or completely invalid) address at an

interrupt request level (IRQL) that is too high.  This is usually

caused by drivers using improper addresses.

If a kernel debugger is available get the stack backtrace.

Arguments:

Arg1: fffffa80e920ec28, memory referenced

Arg2: 0000000000000002, IRQL

Arg3: 0000000000000000, bitfield :

    bit 0 : value 0 = read operation, 1 = write operation

    bit 3 : value 0 = not an execute operation, 1 = execute operation (only on chips which support this level of status)

Arg4: fffff8000313f207, address which referenced memory

Debugging Details:

------------------

READ_ADDRESS: GetPointerFromAddress: unable to read from fffff800032c8100

GetUlongFromAddress: unable to read from fffff800032c81c0

 fffffa80e920ec28 Nonpaged pool

CURRENT_IRQL:  2

FAULTING_IP:

nt!MiIdentifyPfn+317

fffff800`0313f207 488b4118        mov     rax,qword ptr [rcx+18h]

CUSTOMER_CRASH_COUNT:  1

DEFAULT_BUCKET_ID:  WIN7_DRIVER_FAULT

BUGCHECK_STR:  0xA

PROCESS_NAME:  svchost.exe

TRAP_FRAME:  fffff880089024e0 -- (.trap 0xfffff880089024e0)

NOTE: The trap frame does not contain all registers.

Some register values may be zeroed or incorrect.

rax=0000000000000001 rbx=0000000000000000 rcx=fffffa80e920ec10

rdx=0000000000094f37 rsi=0000000000000000 rdi=0000000000000000

rip=fffff8000313f207 rsp=fffff88008902670 rbp=fffffa8005be2bc0

 r8=0000000000094f39  r9=0000000000000001 r10=0000000000000042

r11=0000058000000000 r12=0000000000000000 r13=0000000000000000

r14=0000000000000000 r15=0000000000000000

iopl=0         nv up ei ng nz na pe nc

nt!MiIdentifyPfn+0x317:

fffff800`0313f207 488b4118        mov     rax,qword ptr [rcx+18h] ds:fffffa80`e920ec28=????????????????

Resetting default scope

LAST_CONTROL_TRANSFER:  from fffff8000308ae69 to fffff8000308b8c0

STACK_TEXT:  

fffff880`08902398 fffff800`0308ae69 : 00000000`0000000a fffffa80`e920ec28 00000000`00000002 00000000`00000000 : nt!KeBugCheckEx

fffff880`089023a0 fffff800`03089ae0 : 00000000`42506650 00000000`00000000 00000000`00000000 02800000`00095a32 : nt!KiBugCheckDispatch+0x69

fffff880`089024e0 fffff800`0313f207 : 00000000`00000000 02000000`000b0d43 00000000`42506600 fffff800`0337626f : nt!KiPageFault+0x260

fffff880`08902670 fffff800`0313fe0b : 00000000`00000000 00000000`00000004 fffffa80`04feb4b0 fffffa80`04fea000 : nt!MiIdentifyPfn+0x317

fffff880`08902710 fffff800`034a40e5 : fffffa80`04fea000 fffff880`08902ca0 fffff880`089027e8 00000000`00000000 : nt!MmQueryPfnList+0xbb

fffff880`08902750 fffff800`033e9568 : 00000000`00000006 00000000`00000000 fffffa80`04fea000 00000000`00000001 : nt!PfpPfnPrioRequest+0x115

fffff880`089027a0 fffff800`03395163 : 00000000`00000000 00000000`00000000 00000000`00000000 fffffa80`06767701 : nt! ?? ::NNGAKEGL::`string'+0x3d88d

fffff880`08902830 fffff800`033959d9 : 00000000`02bfb688 fffff800`03097b38 00000000`02bfb6e0 00000000`00000801 : nt!ExpQuerySystemInformation+0x1193

fffff880`08902be0 fffff800`0308ab53 : 00000000`03954068 fffff880`08902ca0 00000000`0938d130 00000000`043ca870 : nt!NtQuerySystemInformation+0x4d

fffff880`08902c20 00000000`77badf1a : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13

00000000`02bfb5b8 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x77badf1a

STACK_COMMAND:  kb

FOLLOWUP_IP:

nt!MiIdentifyPfn+317

fffff800`0313f207 488b4118        mov     rax,qword ptr [rcx+18h]

SYMBOL_STACK_INDEX:  3

SYMBOL_NAME:  nt!MiIdentifyPfn+317

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: nt

DEBUG_FLR_IMAGE_TIMESTAMP:  556356e8

IMAGE_NAME:  memory_corruption

FAILURE_BUCKET_ID:  X64_0xA_nt!MiIdentifyPfn+317

BUCKET_ID:  X64_0xA_nt!MiIdentifyPfn+317

Followup: MachineOwner

[2FA]

Try testing your RAM with MemTest86 to see if it's bad then.

 

http://www.memtest86.com/

[LegacyStijncat]

Perhaps try this: http://www.nirsoft.net/utils/blue_screen_view.html

Going to mark as solved with this answer.

I've used BlueScreenViewer and checked a couple of the .dmp files. 3 unique crash codes, so I recommended reinstalling Windows 7 completely.