Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Generic User Avatar

BSOD - Using WinDbg (Windows Debugger) and !analyze -v


  • This topic is locked This topic is locked
5 replies to this topic

#1 xBlueRobot

xBlueRobot

  •  Avatar image
  • BSOD Kernel Dump Expert
  • 426 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:08 PM

Posted 20 November 2021 - 12:58 PM

This is a short and concise beginner's guide to configuring WinDbg (Windows Debugger) and using the default !anaylze -v command to debug a crash dump file. WinDbg is the only suitable debugging tool for analysing a crash dump file, programs such as WhoCrashed and BlueScreenView only provide very rudimentary information which usually isn't particularly useful in isolation.

 

WinDbg is part of the Windows SDK and is available to download from here. Please do not use WinDbg Preview from the Microsoft Store, this program is still in beta and is prone to bugs.

 

Installing and Configuring WinDbg

 

  1. Download and open the winsdksetup.exe using the download link provided above.
  2. Please click Next and/or Accept until you reach the screen asking you to select which components you wish to install.
  3. Please only select Debugging Tools for Windows and the Windows Performance Toolkit.
  4. Select Install and wait for the installer to complete.
  5. Open WinDbg, you can find this by searching for windbg on your Start menu. Please select the version which matches your architecture e.g. x64
  6. The newer versions of WinDbg should automatically configure and download the debugging symbols (.pdb) for you, however, if you have any warnings about missing symbols, then please configure the symbol search path (CTRL+S) to SRV*c:\symbols*https://msdl.microsoft.com/download/symbols
  7. It is recommended that you associate the crash dump file extension (.dmp) to the Windows Debugger. Otherwise, you can open the dump file in WinDbg by using CTRL+D and then selecting the dump file.

Using !analyze -v

 

Once you opened the dump file in WinDbg, you should see a hyperlink for the !analyze -v command. If you click it, then WinDbg's debugger engine will analyse the dump file for you and provide some basic information such as the call stack and the bugcheck parameters. You may also see the last saved context and/or exception record depending on the bugcheck code.

 

The two most important parts are the bugcheck parameters and the call stack. Let's examine these two key pieces of information.

DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high.  This is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: 0000000000000000, memory referenced
Arg2: 0000000000000002, IRQL
Arg3: 0000000000000000, value 0 = read operation, 1 = write operation
Arg4: fffff80223c56b5e, address which referenced memory

As we can see, the bugcheck code is Stop 0xD1 and the four parameters are shown below it. We can look up this bugcheck code on the MSDN support page for some basic troubleshooting tips. In our particular example, the first and last parameters are the most important, these indicate what address was being referenced and who was referencing it.

 

It would seem that we were referencing an address through a null pointer. Let's examine which function was dereferencing the null pointer using the ln command and the value of the fourth parameter. You can enter commands in the input box at the bottom of WinDbg.

2: kd> ln fffff80223c56b5e
Browse module
Set bu breakpoint

(fffff802`23bf2ca0)   tcpip!FlpReturnNetBufferListChain+0x63ebe   |  (fffff802`23bf2db0)   tcpip!RscLibExUncoalesceNBL

We can clearly see it is for a tcpip.sys function, which is FlpReturnNetBufferListChain. This is unlikely to be the direct cause of the crash and just happens to be where the exception was thrown. If we examine the call stack (alternatively just use knL) then we can see a third-party driver. These are typically easy to recognise since they will have no function name associated to them. The reason being is because we do not have the appropriate symbols for that driver.

2: kd> knL
  *** Stack trace for last set context - .thread/.cxr resets it
 # Child-SP          RetAddr           Call Site
00 fffff20b`ba7fdfb0 fffff802`23ae5e07 tcpip!FlpReturnNetBufferListChain+0x63ebe
01 fffff20b`ba7fe010 fffff802`23ae5c28 NETIO!NetioDereferenceNetBufferList+0x87
02 fffff20b`ba7fe060 fffff802`23bb8156 NETIO!NetioDereferenceNetBufferListChain+0x1c8
03 fffff20b`ba7fe0e0 fffff802`23bb763f tcpip!IppReceiveHeaderBatch+0x2b6
04 fffff20b`ba7fe1e0 fffff802`23cdf7b2 tcpip!IppFlcReceivePacketsCore+0x32f
05 fffff20b`ba7fe300 fffff802`23cdf634 tcpip!IppInspectInjectReceiveEx+0x172
06 fffff20b`ba7fe350 fffff802`23e887b5 tcpip!IppInspectInjectReceive+0x24
07 fffff20b`ba7fe3b0 fffff802`1ecf8458 fwpkclnt!FwppInjectionStackCallout+0x115
08 fffff20b`ba7fe440 fffff802`1ecf83cd nt!KeExpandKernelStackAndCalloutInternal+0x78
09 fffff20b`ba7fe4b0 fffff802`23e8a2b4 nt!KeExpandKernelStackAndCalloutEx+0x1d
0a fffff20b`ba7fe4f0 fffff802`23e89ea4 fwpkclnt!NetioExpandKernelStackAndCallout+0x58
0b fffff20b`ba7fe530 fffff802`2d2ba363 fwpkclnt!FwpsInjectTransportReceiveAsync0+0x304
0c fffff20b`ba7fe670 ffffd90a`0ea8ef30 klwtp+0xa363
0d fffff20b`ba7fe678 00000000`00000000 0xffffd90a`0ea8ef30

The third-party driver is klwtp.sys and if we look this up in the Driver Reference Table (DRT), then we'll notice that it is for Kaspersky Security and therefore it is recommended that the user either update the program or remove it completely using Kaspersky's official removal tool. That's it!

I appreciate that this is a very short and informal tutorial, however, it is very difficult to cover beyond the very basics in a single post. As a result of this, if you are interested in learning more and becoming proficient in learning how to debug BSODs, then I would thoroughly recommend signing up to the Sysnative BSOD Academy. There is no obligation to finish the academy within a set time frame - you work at your pace - and there is no failure. The instructors will walk you through each assignment step by step, happily answering any questions which you may have. Upon the completion of the academy, you should have a solid foundation to progress from, since BSOD analysis is an ever continual journey of learning.

 

If you have any questions, then please leave them below or send me a PM.
 


Edited by xBlueRobot, 20 November 2021 - 01:03 PM.


BC AdBot (Login to Remove)

 


#2 axe0

axe0

  •  Avatar image
  • Malware Response Team
  • 2,018 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Netherlands
  • Local time:02:08 PM

Posted 22 November 2021 - 03:17 AM

Also interesting about the !analyze -v.
https://www.sysnative.com/forums/threads/bsod-understanding-the-analyze-v-command-output.28087/
Kind regards,
Axe0

#3 markwilliams87667

markwilliams87667

  •  Avatar image
  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:06:08 PM

Posted 13 May 2022 - 01:39 AM

OK this is amazing research this will help us a lot you can also contact to help desk for further assistance 



#4 DanielBrooks

DanielBrooks

  •  Avatar image
  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:04:08 PM

Posted 30 August 2022 - 07:03 AM

Hello!



#5 xBlueRobot

xBlueRobot
  • Topic Starter

  •  Avatar image
  • BSOD Kernel Dump Expert
  • 426 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:08 PM

Posted 07 September 2022 - 07:45 AM

Can we please lock this thread to prevent any spam?



#6 boopme

boopme

    To Insanity and Beyond


  •  Avatar image
  • Helper Emeritus
  • 85,296 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:09:08 AM

Posted 07 September 2022 - 11:11 AM

 Locked


How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook




1 user(s) are reading this topic

0 members, 1 guests, 0 anonymous users