The Blue Screen

Regardless of the reason for a system crash, the function that actually performs the crash is KeBugCheckEx, documented in the Windows Driver Kit (WDK). This function takes a stop code (sometimes called a bugcheck code) and four parameters that are interpreted on a per–stop code basis. After KeBugCheckEx masks out all interrupts on all processors of the system, it switches the display into a low-resolution VGA graphics mode (one implemented by all Windows-supported video cards), paints a blue background, and then displays the stop code, followed by some text suggesting what the user can do. Finally, KeBugCheckEx calls any registered device driver bugcheck callbacks (registered by calling the KeRegisterBugCheckCallback function), allowing drivers an opportunity to stop their devices. It then calls registered reason callbacks (registered with KeRegisterBugCheckReasonCallback), which allow drivers to append data to the crash dump or write crash dump information to alternate devices.

KeBugCheckEx displays the textual representation of the stop code near the top of the blue screen and the numeric stop code and four parameters at the bottom of the blue screen.

The first line in the Technical information section lists the stop code and the four additional parameters passed to KeBugCheckEx. A text line near the top of the screen provides the text equivalent of the stop code’s numeric identifier. For example, stop code 0x000000D1 is a DRIVER_IRQL_NOT_LESS_OR_EQUAL crash. When a parameter contains an address of a piece of operating system or device driver code, Windows displays the base address of the module the address falls in, the date stamp, and the file name of the device driver. This information alone might help you pinpoint the faulty component.

Although there are more than 300 unique stop codes, most are rarely, if ever, seen on production systems. Instead, just a few common stop codes represent the majority of Windows system crashes. Also, the meaning of the four additional parameters depends on the stop code (and not all stop codes have extended parameter information). Nevertheless, looking up the stop code and the meaning of the parameters (if applicable) might at least assist you in diagnosing the component that is failing (or the hardware device that is causing the crash).

You can find stop code information in the section “Bug Checks (Blue Screens)” in the Debugging Tools for Windows help file. (For information on the Debugging Tools for Windows.) You can also search Microsoft’s Knowledge Base (http://support.microsoft.com) for the stop code and the name of the suspect hardware or application. You might find information about a workaround, an update, or a service pack that fixes the problem you’re having. The Bugcodes.h file in the WDK contains a complete list of the 300 or so stop codes, with some additional details on the reasons for some of them.

Based on data collected from the release of Windows Vista through the release of Windows Vista SP1, the top 30 stop codes account for 96 percent of crashes and can be grouped into a dozen categories:
• Page fault. A page fault on memory backed by data in a paging file or a memory-mapped file occurs at an IRQL of DPC/dispatch level or above, which would require the memory manager to wait for an I/O operation to occur. The kernel cannot wait or reschedule threads at an IRQL of DPC/dispatch level or higher. This category also includes page faults in nonpaged areas. The common stop codes are:
- 0xA - IRQL_NOT_LESS_OR_EQUAL
- 0xD1 - DRIVER_IRQL_NOT_LESS_OR_EQUAL


• Power management. A device driver or an operating system function running in kernel mode is in an inconsistent or invalid power state. Most frequently, some component has failed to complete a power management I/O request operation within 10 minutes. This crash category is new in Windows Vista. In previous versions of the Windows operating system, these failures generally resulted in a system hang with no crash. The stop codes are:
- 0x9F - DRIVER_POWER_STATE_FAILURE
- 0xA0 - INTERNAL_POWER_ERROR


• Exceptions and traps. A device driver or an operating system function running in kernel mode incurs an unexpected exception or trap. The common stop codes are:
- 0x1E - KMODE_EXCEPTION_NOT_HANDLED
- 0x3B - SYSTEM_SERVICE_EXCEPTION
- 0x7E - SYSTEM_THREAD_EXCEPTION_NOT_HANDLED
- 0x7F - UNEXPECTED_KERNEL_MODE_TRAP
- 0x8E - KERNEL_MODE_EXCEPTION_NOT_HANDLED with P1 != 0xC0000005 (STATUS_ACCESS_VIOLATION)


• Access violations. A device driver or an operating system function running in kernel mode incurs a memory access violation, which is caused either by attempting to write to a read-only page or by attempting to read an address that isn’t currently mapped and therefore is not a valid memory location. The common stop codes are:
- 0x50 - PAGE_FAULT_IN_NONPAGED_AREA
- 0x8E - KERNEL_MODE_EXCEPTION_NOT_HANDLED with P1 = 0xC0000005 (STATUS_ACCESS_VIOLATION)


• Display. The display device driver detects that it can no longer control the graphics processing unit or detects an inconsistency in video memory management. The common stop codes are:
- 0xEA - THREAD_STUCK_IN_DEVICE_DRIVER
- 0x10E - VIDEO_MEMORY_MANAGEMENT_INTERNAL
- 0x116 - VIDEO_TDR_FAILURE


• Pool. The kernel pool manager detects an improper pool reference. The common stop codes are:
- 0xC2 - BAD_POOL_CALLER
- 0xC5 - DRIVER_CORRUPTED_EXPOOL


• Memory management. The kernel memory manager detects a corruption of memory management data structures or an improper memory management request. The common stop codes are:
- 0x1A - MEMORY_MANAGEMENT
- 0x4E - PFN_LIST_CORRUPT


• Consistency check. This is a catch-all category for various other consistency checks performed by the kernel or device drivers. The common stop codes are:
- 0x18 - REFERENCE_BY_POINTER
- 0x35 - NO_MORE_IRP_STACK_LOCATIONS
- 0x44 - MULTIPLE_IRP_COMPLETE_REQUESTS
- 0xCE - DRIVER_UNLOADED_WITHOUT_CANCELLING_PENDING_OPERATIONS
- 0x8086 - This is a stop code used by the Intel storage driver iastor.sys


• Hardware. A hardware error, such as a machine check or a nonmaskable interrupt (NMI), occurs. This category also includes disk failures when the memory manager is attempting to read data to satisfy page faults. The common stop codes are:
- 0x77 - KERNEL_STACK_INPAGE_ERROR
- 0x7A - KERNEL_DATA_INPAGE_ERROR
- 0x124 - WHEA_UNCORRECTABLE_ERROR
- 0x101 - CLOCK_WATCHDOG_TIMEOUT (Software bugs can cause these errors too, but they are most common on over-clocked hardware systems.)


• USB. An unrecoverable error occurs in a universal serial bus operation. The common stop code is:
- 0xFE - BUGCODE_USB_DRIVER


• Critical object. A fatal error occurs in a critical object without which Windows cannot continue to run. The common stop code is:
- 0xF4 - CRITICAL_OBJECT_TERMINATION


• NTFS file system. A fatal error is detected by the NTFS file system. The common stop code is:
- 0x24 - NTFS_FILE_SYSTEM
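
The categories above can be applied mechanically when triaging a batch of crash records. The following is an added example, not code from Windows Internals or Microsoft: a Python helper that parses the blue screen's stop line, extracts the four parameters, and assigns the category, including the P1 check that splits 0x8E. The `*** STOP: ...` line shape, the function names, and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter
STATUS_ACCESS_VIOLATION = 0xC0000005
# category -> {stop code: symbolic name}, transcribed from the list above
CATEGORIES = {
    "Page fault": {0x0A: "IRQL_NOT_LESS_OR_EQUAL", 0xD1: "DRIVER_IRQL_NOT_LESS_OR_EQUAL"},
    "Power management": {0x9F: "DRIVER_POWER_STATE_FAILURE", 0xA0: "INTERNAL_POWER_ERROR"},
    "Exceptions and traps": {0x1E: "KMODE_EXCEPTION_NOT_HANDLED", 0x3B: "SYSTEM_SERVICE_EXCEPTION",
        0x7E: "SYSTEM_THREAD_EXCEPTION_NOT_HANDLED", 0x7F: "UNEXPECTED_KERNEL_MODE_TRAP"},
    "Access violations": {0x50: "PAGE_FAULT_IN_NONPAGED_AREA"},
    "Display": {0xEA: "THREAD_STUCK_IN_DEVICE_DRIVER", 0x116: "VIDEO_TDR_FAILURE",
        0x10E: "VIDEO_MEMORY_MANAGEMENT_INTERNAL"},
    "Pool": {0xC2: "BAD_POOL_CALLER", 0xC5: "DRIVER_CORRUPTED_EXPOOL"},
    "Memory management": {0x1A: "MEMORY_MANAGEMENT", 0x4E: "PFN_LIST_CORRUPT"},
    "Consistency check": {0x18: "REFERENCE_BY_POINTER", 0x35: "NO_MORE_IRP_STACK_LOCATIONS",
        0x44: "MULTIPLE_IRP_COMPLETE_REQUESTS", 0x8086: "(used by iastor.sys)",
        0xCE: "DRIVER_UNLOADED_WITHOUT_CANCELLING_PENDING_OPERATIONS"},
    "Hardware": {0x77: "KERNEL_STACK_INPAGE_ERROR", 0x7A: "KERNEL_DATA_INPAGE_ERROR",
        0x124: "WHEA_UNCORRECTABLE_ERROR", 0x101: "CLOCK_WATCHDOG_TIMEOUT"},
    "USB": {0xFE: "BUGCODE_USB_DRIVER"},
    "Critical object": {0xF4: "CRITICAL_OBJECT_TERMINATION"},
    "NTFS file system": {0x24: "NTFS_FILE_SYSTEM"},
}
BY_CODE = {c: (n, cat) for cat, codes in CATEGORIES.items() for c, n in codes.items()}

# Assumed line shape: *** STOP: 0x000000D1 (0x...,0x...,0x...,0x...)
HEX = r"0x[0-9A-Fa-f]+"
STOP_RE = re.compile(rf"STOP:\s*({HEX})\s*\(((?:\s*{HEX}\s*,){{3}}\s*{HEX})\s*\)")

def classify(line):
    """Return (code, name, category, [P1..P4]), or None if line has no stop record."""
    m = STOP_RE.search(line)
    if not m:
        return None
    code = int(m.group(1), 16)
    params = [int(p, 16) for p in m.group(2).split(",")]
    name, cat = BY_CODE.get(code, ("UNKNOWN", "Not in top-30 list"))
    if code == 0x8E:  # 0x8E lands in one of two categories depending on P1
        name = "KERNEL_MODE_EXCEPTION_NOT_HANDLED"
        cat = "Access violations" if params[0] == STATUS_ACCESS_VIOLATION else "Exceptions and traps"
    return code, name, cat, params

def summarize(text):
    """Count crashes per category over every stop line found in text."""
    return Counter(r[2] for r in map(classify, text.splitlines()) if r)
# Constructed sample lines, not taken from real crashes.
SAMPLE = """*** STOP: 0x000000D1 (0x00000000,0x00000002,0x00000000,0xF8A01234)
*** STOP: 0x0000008E (0xC0000005,0x8052A1B0,0xF7A3C9D0,0x00000000)
*** STOP: 0x0000008E (0x80000003,0x8052A1B0,0xF7A3C9D0,0x00000000)
*** STOP: 0x000000C4 (0x00000000,0x00000000,0x00000000,0x00000000)"""
```

Calling `summarize(SAMPLE)` returns one crash in each of four buckets; the two 0x8E lines land in different categories because their first parameters differ.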


Source of Information : Microsoft Press Windows Internals 5th Edition
