Entering the Land of BSOD Investigation

Every day upon booting my Vista workstation at work I was getting a message that the system recovered from an unexpected shutdown. I figured that someone was just powering my PC off at night, but I decided to check the logs. It appeared that Windows was crashing right after I left work. I went off to search for any files ending in .DMP. These .DMP files are snapshots of memory when the PC crashes. If you can’t find any, you may have to turn memory dumping on (Under Vista, that’s Control Panel>System>Advanced System Settings>Startup and Recovery>Settings, uncheck “Automatically Restart” and make sure “Write Debugging Information” is set to “Complete” or “Kernel”).

Once again, UAC rears its ugly head. Searching from the start menu or the command prompt yielded no results; then I remembered that I wasn’t running from an elevated prompt. The location? C:\windows\minidump:

I guess Microsoft thinks that regular users shouldn’t be looking at memory dumps as the permissions on minidump are SYSTEM and Administrators only.

Now we will download the Microsoft Debugging Tools. This will allow us to analyze the .DMP file.

After installing the program, the first thing we want to do is set the symbol path. This gives us more information from the crash dump. We will set the path to SRV*c:\symbols*http://msdl.microsoft.com/download/symbols by going to File>Symbol File Path:

Now go to File>Open Crash Dump and open the .DMP file (I’ve provided my crash dump here in case you want to practice with these instructions).

Right away it identifies a possible culprit:

Running “!analyze -v” provides further (geeker) analysis:

Also note the DEFAULT_BUCKET_ID is VISTA_DRIVER_FAULT which gives further clues. WinDBG identifies ECACHE.SYS as being the problem. Doing a Google search brings up that ECACHE.SYS is related to ReadyBoost. Since I don’t use ReadyBoost I just disabled the service (called ReadyBoost, imagine that!) and bingo: the problem goes away.
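To repeat the steps above over a whole folder of dumps instead of clicking through WinDbg, here is an added Python script (not from the original post) that drives cdb, the console twin of WinDbg, with the same symbol path and "!analyze -v", then pulls out the summary fields such as DEFAULT_BUCKET_ID and IMAGE_NAME. It assumes cdb.exe from the Debugging Tools is on PATH; the sample output embedded at the bottom is constructed to resemble this post's crash, not captured from a real dump.

```python
"""Batch-triage Windows minidumps with cdb (console version of WinDbg)."""
import re
import subprocess
from pathlib import Path

# Same symbol path the post sets in File > Symbol File Path.
SYMBOL_PATH = r"SRV*c:\symbols*http://msdl.microsoft.com/download/symbols"

# Summary lines that "!analyze -v" prints as "KEY:  value" at line start.
FIELDS = ("BUGCHECK_STR", "DEFAULT_BUCKET_ID", "PROCESS_NAME",
          "MODULE_NAME", "IMAGE_NAME", "FAILURE_BUCKET_ID")
_FIELD_RE = re.compile(r"^(%s):\s+(.*?)\s*$" % "|".join(FIELDS), re.M)


def parse_analyze(text):
    """Extract the summary fields from !analyze -v output; missing keys -> None."""
    found = dict(_FIELD_RE.findall(text))
    return {key: found.get(key) for key in FIELDS}


def analyze_dump(dump, symbol_path=SYMBOL_PATH):
    """Run cdb non-interactively on one .DMP file and return the parsed fields.

    -z opens a dump, -y sets the symbol path, -c runs commands then quits.
    Assumes cdb.exe is on PATH (the Debugging Tools install directory).
    """
    cmd = ["cdb", "-z", str(dump), "-y", symbol_path, "-c", "!analyze -v; q"]
    out = subprocess.run(cmd, capture_output=True, text=True, errors="replace")
    return parse_analyze(out.stdout)


def triage_directory(minidump_dir=r"C:\Windows\Minidump"):
    """Summarise every minidump; run elevated, the folder is SYSTEM/Administrators only."""
    dumps = [p for p in Path(minidump_dir).iterdir() if p.suffix.lower() == ".dmp"]
    return {p.name: analyze_dump(p) for p in sorted(dumps)}


# Constructed excerpt shaped like the ReadyBoost crash in the post (not a real dump).
SAMPLE_OUTPUT = """\
DEFAULT_BUCKET_ID:  VISTA_DRIVER_FAULT
PROCESS_NAME:  System
MODULE_NAME: ecache
IMAGE_NAME:  ecache.sys
"""

if __name__ == "__main__":
    for name, fields in triage_directory().items():
        print(name, fields["DEFAULT_BUCKET_ID"], fields["IMAGE_NAME"])
```

Running the script elevated prints one line per dump with its bucket and faulting image, so a driver that keeps showing up (here ECACHE.SYS) stands out immediately.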

Now the cause of this: I can only guess it is my external USB hard drive. During the work day, I connect an external USB drive to my PC. I pull this drive without doing the safe disconnect and then log out. Vista is likely using the drive as a ReadyBoost drive and then I pull the rug out from under it by removing the drive.

-Soli Deo Gloria
