How to gather information after a memory dump in Windows XP (314084)



The information in this article applies to:

  • Microsoft Windows XP Home Edition
  • Microsoft Windows XP Professional

This article was previously published under Q314084
For a Microsoft Windows 2000 version of this article, see 192463.

INTRODUCTION

This article describes how to gather more information about a Stop error message. These steps do not always give conclusive answers and may only point you to another problem.

MORE INFORMATION

Handling event log messages

Configure Windows to write an event log message with bugcheck information:
  1. Click Start, and then click Control Panel.
  2. Double-click System, and then click the Advanced tab.
  3. In the Startup and Recovery section, click Settings, and then select the Write an event to the system log check box.

    An event log message is written to the system log.
The description and format of the event log message differ from the Memory.dmp file format, but most of the information is the same. The following is an example of the event log message:

   Event ID: 1001
   Source: Save Dump
   Description: The computer has rebooted from a bugcheck.
   The bugcheck was: 0xc000021a (0xe1270188, 0x00000001, 0x00000000, 0x00000000). Microsoft Windows NT (v15.1381).
   A dump was saved in: C:\WINNT\MEMORY.DMP.

This information contains the Stop code 0xc000021a and the four parameters. These can be very useful when you are troubleshooting certain types of Stop codes. The meaning of the parameters varies, depending on the type of Stop code.

For information about what the parameters mean, search the Microsoft Knowledge Base for the specific Stop code. (Not all Stop code parameters are covered in the Microsoft Knowledge Base.) To query the Microsoft Knowledge Base, visit the following Microsoft Web site:

Using Dumpchk.exe to determine memory dump file information

If you use Dumpchk.exe, you can determine all of this information and the address of the driver that generated the Stop message. This information can frequently give you a direction to start troubleshooting. Before you run Dumpchk.exe, make sure that you adjust the properties of the command prompt so that the screen buffer size height is set to 999. With this height, you can scroll back to see the output. Run Dumpchk.exe from the command prompt with the following syntax:

dumpchk.exe Memory.dmp

This is an example of the parts of the output that are most useful.
   MachineImageType     i386
   NumberProcessors     1
   BugCheckCode         0xc000021a
   BugCheckParameter1   0xe1270188
   BugCheckParameter2   0x00000001
   BugCheckParameter3   0x00000000
   BugCheckParameter4   0x00000000

   ExceptionCode        0x80000003
   ExceptionFlags       0x00000001
   ExceptionAddress     0x8014fb84
				
Not all sections give the same information. The information depends on the kind of Stop code. The information in the example tells you the Stop code (0xc000021a), the parameters (0xe1270188, 0x00000001, 0x00000000, 0x00000000), and the address of the driver that called the exception (0x8014fb84). You can use this address to identify the driver name by using the output from Pstat.exe. Pstat.exe is in the Resource Kit.

Dumpchk.exe will also verify that the dump file is valid.

For additional information about how to use Dumpchk.exe, click the following article number to view the article in the Microsoft Knowledge Base:

315271 How to Use Dumpchk.exe to check a memory dump file

Using Pstat.exe to identify a driver

Pstat.exe is a Resource Kit utility that gives you information about the processes and drivers that are currently running on your computer. For diagnostic purposes, the most useful information is the list of loaded drivers at the end of the output.

Run Pstat.exe at a command prompt. To pipe the information that you receive from Pstat.exe into a file, use the following command syntax:

pstat.exe > filename

The following list is an example of the driver list that appears at the end of the output:
   ModuleName   LoadAddr  Code    Data    Paged  LinkDate
   ----------------------------------------------------------------------
   Ntoskrnl.exe 80100000  270272   40064  434816 Sun May 11 00:10:39 1997
   Hal.dll      80010000   20384    2720    9344 Mon Mar 10 16:39:20 1997
   Aic78xx.sys  80001000   20512    2272       0 Sat Apr 05 21:16:21 1997
   Scsiport.sys 801d7000    9824      32   15552 Mon Mar 10 16:42:27 1997
   Disk.sys     80008000    3328       0    7072 Thu Apr 24 22:27:46 1997
   Class2.sys   8000c000    7040       0    1632 Thu Apr 24 22:23:43 1997
   Ino_flpy.sys 801df000    9152    1472    2080 Tue May 26 18:21:40 1998
   Ntfs.sys     801e3000   68160    5408  269632 Thu Apr 17 22:02:31 1997
   Floppy.sys   f7290000    1088     672    7968 Wed Jul 17 00:31:09 1996
   Cdrom.sys    f72a0000   12608      32    3072 Wed Jul 17 00:31:29 1996
   Cdaudio.sys  f72b8000     960       0   14912 Mon Mar 17 18:21:15 1997
   Null.sys     f75c9000       0       0     288 Wed Jul 17 00:31:21 1996
   KSecDD.sys   f7464000    1280     224    3456 Wed Jul 17 20:34:19 1996
   Beep.sys     f75ca000    1184       0       0 Wed Apr 23 15:19:43 1997
   Cs32ba11.sys fcd1a000   52384   45344   14592 Wed Mar 12 17:22:33 1997
   Msi8042.sys  f7000000   20192    1536       0 Mon Mar 23 22:46:22 1998
   Mouclass.sys f7470000    1984       0       0 Mon Mar 10 16:43:11 1997
   Kbdclass.sys f7478000    1952       0       0 Wed Jul 17 00:31:16 1996
   Videoprt.sys f72d8000    2080     128   11296 Mon Mar 10 16:41:37 1997
   Ati.sys      f7010000     960    9824   48768 Fri Dec 12 15:20:37 1997
   Vga.sys      f7488000     128      32   10784 Wed Jul 17 00:30:37 1996
   Msfs.sys     f7308000     864      32   15328 Mon Mar 10 16:45:01 1997
   Npfs.sys     f7020000    6560     192   22624 Mon Mar 10 16:44:48 1997
   Ndis.sys     fccda000   11744     704   96768 Thu Apr 17 22:19:45 1997
   Win32k.sys   a0000000 1162624   40064       0 Fri Apr 25 21:17:32 1997
   Ati.dll      fccba000  106176   17024       0 Fri Dec 12 15:20:08 1997
   Cdfs.sys     f7050000    5088     608   45984 Mon Mar 10 16:57:04 1997
   Ino_fltr.sys fc42f000   29120   38176    1888 Tue Jun 02 16:33:05 1998
   Tdi.sys      fc4a2000    4480      96     288 Wed Jul 17 00:39:08 1996
   Tcpip.sys    fc40b000  108128    7008   10176 Fri May 09 17:02:39 1997
   Netbt.sys    fc3ee000   79808    1216   23872 Sat Apr 26 21:00:42 1997
   El90x.sys    f7320000   24576    1536       0 Wed Jun 26 20:04:31 1996
   Afd.sys      f70d0000    1696     928   48672 Thu Apr 10 15:09:17 1997
   Netbios.sys  f7280000   13280     224   10720 Mon Mar 10 16:56:01 1997
   Parport.sys  f7460000    3424      32       0 Wed Jul 17 00:31:23 1996
   Parallel.sys f746c000    7904      32       0 Wed Jul 17 00:31:23 1996
   ParVdm.sys   f7552000    1312      32       0 Wed Jul 17 00:31:25 1996
   Serial.sys   f7120000    2560       0   18784 Mon Mar 10 16:44:11 1997
   Rdr.sys      fc385000   13472    1984  219104 Wed Mar 26 14:22:36 1997
   Mup.sys      fc374000    2208    6752   48864 Mon Mar 10 16:57:09 1997
   Srv.sys      fc24a000   42848    7488  163680 Fri Apr 25 13:59:31 1997
   Pscript.dll  f9ec3000       0       0       0
   Fastfat.sys  f9e00000    6720     672  114368 Mon Apr 21 16:50:22 1997
   NTdll.dll    77f60000  237568   20480       0 Fri Apr 11 16:38:50 1997
   ----------------------------------------------------------------------
          Total          2377632  255040 1696384
				
By using the starting address in the LoadAddr column, you can match the exception address to the driver name. For example, if you received 8014fb84 as the exception address, the list shows that Ntoskrnl.exe has the nearest load address below the exception address. Therefore, Ntoskrnl.exe is most likely to be the driver that called the exception. With this information, you can search the Microsoft Knowledge Base for known issues that match your situation.
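
The lookup described above, as an added example in Python (not part of the original article or of any Microsoft tool): it reads ExceptionAddress from Dumpchk.exe output and picks the Pstat.exe module with the nearest load address at or below it. The inline sample text is constructed from the excerpts in this article; the function names and the `within_listed` check, which compares the offset with the row's Code + Data + Paged total as a rough plausibility test, are assumptions of this example.

```python
import re
from bisect import bisect_right

# Constructed sample input: excerpts of the Dumpchk.exe and Pstat.exe output
# shown in this article (a few driver rows only).
DUMPCHK = """\
BugCheckCode         0xc000021a
ExceptionCode        0x80000003
ExceptionAddress     0x8014fb84
"""
PSTAT = """\
ModuleName   LoadAddr  Code    Data    Paged  LinkDate
Ntoskrnl.exe 80100000  270272   40064  434816 Sun May 11 00:10:39 1997
Hal.dll      80010000   20384    2720    9344 Mon Mar 10 16:39:20 1997
Scsiport.sys 801d7000    9824      32   15552 Mon Mar 10 16:42:27 1997
Pscript.dll  f9ec3000       0       0       0
Win32k.sys   a0000000 1162624   40064       0 Fri Apr 25 21:17:32 1997
"""
ROW = re.compile(r"^\s*(\S+)\s+([0-9a-fA-F]{8})\s+(\d+)\s+(\d+)\s+(\d+)")

def dumpchk_field(text, name):
    """Return a numeric Dumpchk.exe field such as ExceptionAddress, or None."""
    m = re.search(rf"^\s*{re.escape(name)}\s+0x([0-9a-fA-F]+)", text, re.M)
    return int(m.group(1), 16) if m else None

def parse_pstat(text):
    """Return (load_addr, name, listed_bytes) tuples sorted by load address."""
    mods = []
    for line in text.splitlines():
        m = ROW.match(line)  # the column header line does not match
        if m:
            listed = sum(int(m.group(i)) for i in (3, 4, 5))
            mods.append((int(m.group(2), 16), m.group(1), listed))
    return sorted(mods)

def resolve(addr, mods):
    """Module with the nearest load address at or below addr, or None."""
    if addr is None:
        return None
    i = bisect_right([base for base, _, _ in mods], addr) - 1
    if i < 0:
        return None  # address lies below every listed module
    base, name, listed = mods[i]
    offset = addr - base
    # Assumption: an offset past Code + Data + Paged makes the match doubtful.
    return {"module": name, "offset": offset, "within_listed": offset < listed}

if __name__ == "__main__":
    mods = parse_pstat(PSTAT)
    print(resolve(dumpchk_field(DUMPCHK, "ExceptionAddress"), mods))
```

A result with `within_listed` set to False means the address is far from the start of the nearest module, so the match should be treated as a weak lead.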

Additional information

The following questions are used to gather additional information that may be requested by any Microsoft support engineer. The support engineer must have this information to analyze the Stop error message that you are receiving.

Please answer as many questions as you can before you call a Microsoft support engineer.

Questions about your software configuration

  • What version of Microsoft Windows is installed on the computer?
  • Is this a localized version of Windows? If yes, what language?
  • Are any service packs installed? If yes, which service packs?
  • Are any post-service pack hotfixes installed? If yes, which post-SP hotfixes?
  • If this is a Compaq server, what is the version of Support Software Diskettes (SSDs) installed?
  • Is Windows installed on an NTFS file system partition?
  • How are the hard disks partitioned?
  • What programs are installed?

Questions about your network

  • What protocols are installed? (For example, TCP/IP or NetBEUI)
  • Are there any routers on your network?

Questions about your hardware

  • What is the brand and model of your computer?
  • Is the computer listed in the Windows Hardware Compatibility List (HCL)?
  • What are the brands, types, and sizes of the hard disks?
  • What types of controllers are in the computer?
  • How many and what types of processors are in the computer?
  • How much memory (RAM) is in the computer?
  • What size is the paging file? On what partition is the paging file located?
  • What types and models of tape drives are in the computer?
  • What is the type and model of the CD-ROM drive?
  • What types and models of network adapters are installed in the computer?
  • Is this the first occurrence of the problem?

Modification Type: Major
Last Reviewed: 2/22/2006
Keywords: kbhowto kbenv kberrmsg kbinfo KB314084