Important forensics to solve computer glitches
If your Windows PC suffers a Blue Screen of Death (BSOD) error, several things will happen. The most obvious is that your PC is forced to restart, as a BSOD is a result of Windows completely crashing. One less obvious result of a BSOD error, however, is the error log that is created that allows you to troubleshoot the issue afterward.
This is called a memory dump file, saved in the DMP file format. These files contain various information on the problem, including your current Windows version, any running apps and drivers at the time of the BSOD, and the error code itself. To help you analyze memory dump files, here’s what you’ll need to do.
What are Memory Dump Files on Windows 10?
A Blue Screen of Death is a critical and unrecoverable error on a Windows PC, but the cause of these errors can vary. For example, an unexpected kernel mode trap BSOD is usually caused by incompatible or overclocked hardware, while a critical process died BSOD can have various causes, including corrupt system files.
To help you troubleshoot the problem, Windows automatically generates a memory dump file. This usually contains the stop code name and value (e.g. a system service exception stop code), a list of any running drivers at the time of the crash, and some additional technical information that you can use to identify the cause.
These dump files (using the DMP file format) are saved automatically in either the root C:\, C:\minidump, or C:\Windows\minidump folders. To help you analyze them, you can install Microsoft’s debugging app WinDbg from the Microsoft Store. This helps you analyze the memory dump files and locate the stop code information.
You can also use older tools like NirSoft BlueScreenView to quickly analyze the dump files created on your PC. This will also help you identify the stop code value and the possible cause (such as a specific driver file).
Once you know the stop code value, you can then search for additional information online about the issue. For instance, if you discovered from your dump file that you suffered a memory management BSOD, you can check out our BSOD error guide for additional advice on how to resolve the issue.
Because a BSOD error can stop your PC from working, you may need to try and restart Windows in Safe Mode. Running Windows in Safe Mode reduces the number of active system processes and drivers to the bare minimum, allowing you to investigate things further.
If you can’t boot into Windows at all, however, your options are limited. Currently, there are no standalone tools that you can run if Windows itself isn’t working properly to analyze BSOD dump files. If this happens, you’ll need to recover the dump files using a Linux live CD using a DVD or a portable USB flash memory stick.
You can then analyze the file using WinDbg or NirSoft BlueScreenView on a working Windows PC or laptop by following the steps below.
Changing Memory Dump File Settings in Windows Settings
Memory dump files are created automatically, but you can set the level of detail included in a memory dump file in Windows Settings. This will only work for BSODs that occur after changing this setting, but if your PC is having problems, you can follow these steps to add additional information to the dump files.
- To start, right-click the Start menu and select Settings.
- In the Settings menu, select System > About. In the Related settings panel, in the System > About menu, select the Advanced system settings option.
- In the System Properties menu, select the Settings option listed in the Startup and Recovery section at the bottom.
- To change the level of detail recorded by memory dump files when a BSOD occurs, select one of the available options using the Write debugging information drop-down menu in the Startup and Recovery window. Full information on what is included in each memory dump is available at the Microsoft documentation website. Select OK > OK to save your choice.
You may need to restart your PC after making this change to ensure the setting is applied. Any future BSOD errors that occur will generate a memory dump file containing the level of information you selected above.
How to Analyze Windows Memory Dump Files Using WinDbg
If you suffer a BSOD error, you can use WinDbg to analyze the memory dump file. This Microsoft-created development tool is the best way to analyze your memory files, but you can also use the older NirSoft BlueScreenView as an alternative, following the steps below.
These steps assume your PC is working well enough to install and use WinDbg. If it isn’t, you’ll need to retrieve the dump files from your hard drive using a Linux live CD or USB to analyze them elsewhere. Live CD environments can be booted using the installation media of most Linux distributions, including Ubuntu and Debian.
- To begin, you’ll need to install WinDbg Preview from the Microsoft Store. On the WinDbg store page, select Get to begin the installation.
- Once WinDbg is installed, launch it by selecting Launch on the store page or by launching it from the Start menu. If you can’t access your dump files, you’ll need to locate WinDbg in the Start menu, then right-click and select More > Run as administrator to grant it the necessary access.
- In the WinDbg window, select File > Start debugging > Open dump file. Use the built-in File Explorer menu to open your latest dump file, which is typically saved in the root C:\ folder, C:\minidump, or C:\Windows\minidump folder.
- Opening the DMP file will cause the WinDbg debugger to run and load the file. This could take some time, depending on the size of the file and the level of detail saved. Once this is done, type !analyze -v into the command box at the bottom of the Command tab, then press Enter to run the command.
- The !analyze -v command will take some time to load and analyze the log file created by the BSOD error—wait for this process to complete. Once it’s done, you can analyze the full output in the Command tab. In particular, search for the stop code name and value (e.g. DRIVER_IRQL_NOT_LESS_OR_EQUAL and d1) listed under the Bugcheck Analysis section. Along with the stop code, a brief description offering a cause (such as driver issues) will be listed, allowing you to troubleshoot further.
- You can also look at other relevant information listed in the WinDbg analysis (such as the MODULE_NAME value) to identify the cause. In this example instance, the BSOD code was caused by running the NotMyFault system testing tool.
Once you’ve identified the stop code and possible cause of the BSOD error, you can research the issue further to determine a possible fix.
How to Analyze Windows Memory Dump Files Using NirSoft BlueScreenView
While WinDbg isn’t included with Windows, it’s produced by Microsoft to troubleshoot BSOD errors. If you’d prefer, however, you can analyze memory dump files from your PC (or from another PC if you have a copy of the relevant dump files) using the older NirSoft BlueScreenView tool.
BlueScreenView may look dated, but it continues to offer all of the relevant information about your BSOD dump files. This includes the stop code name and value (such as DRIVER_IRQL_NOT_LESS_OR_EQUAL) that you can then use to identify the cause.
- To start, download and install the NirSoft BlueScreenView tool on your Windows PC. Once the tool is installed, launch it from the Start menu.
- BlueScreenView will automatically locate any memory dump files from known sources such as C:/ and C:/Windows/minidump. If you want to load a file manually, however, select Options > Advanced Options.
- In the Advanced Options menu, switch to the folder containing your dump files by selecting the Browse button positioned next to the Load from the following MiniDump folder box. To return this to the default location, select Default. Select OK to save your choice and load your files.
- In the main BlueScreenView window, a list of your saved memory dump files will appear. Select one of the files listed to view more information about it. The stop code name will appear in the Bug Check String column, allowing you to research the issue further.
- With the memory dump file selected, a full list of active files and drivers will be listed underneath. Files that are highlighted red will have a direct link to the cause of the BSOD error. For instance, myfault.sys is related to the NotMyFault system testing tool, while ntoskrnl.exe is the Windows system kernel process.
While BlueScreenView is a useful tool for quickly identifying the BSOD error name, it isn’t a full debugging tool like WinDbg. If you can’t troubleshoot the problem using this tool, you’ll need to try WinDbg for a more detailed analysis.
Troubleshooting BSOD Errors Using Memory Dump Files
Using the memory dump file information you recover, you can troubleshoot the BSOD errors by searching for the stop codes or related BSOD error files. The error stop codes, in particular, can help you find the cause behind a BSOD, from a bad system config info BSOD to an unexpected store exception error BSOD.
BSOD errors are caused by everything from faulty hardware to corrupt system files. To help stop them, you should check your PC for malware regularly and use tools like SFC to repair your Windows installation if it becomes corrupted. If all else fails, you can always reset or reinstall Windows 10 to restore your PC to full working order.