Wednesday, July 25, 2007

BSOD (Blue Screen of Death)

Windows NT

In Windows NT, Windows 2000, Windows XP, Windows Server 2003, and Windows Vista, the blue screen of death occurs when the kernel or a driver running in kernel mode encounters an error from which it cannot recover. This is usually caused by an illegal operation being performed. The only safe action the operating system can take in this situation is to restart the computer. As a result, data may be lost, as users are not given an opportunity to save data that has not yet been saved to the hard drive.

Blue screens are known as "Stop errors" in the Windows Resource Kit documentation. They are referred to as "bug checks" in the Windows Software development kit and Driver development kit documentation.

Windows 2000 (can also be configured to display debug info like the Windows NT example)

The text on the error screen contains the code of the error as well as its symbolic name (e.g. 0x0000001E, KMODE_EXCEPTION_NOT_HANDLED) along with four error-dependent values in parentheses that are there to help software engineers with fixing the problem that occurred. Depending on the error code, it may display the address where the problem occurred, along with the driver which is loaded at that address. Under Windows NT and 2000, the second and third sections of the screen may contain information on all loaded drivers and a stack dump, respectively. The driver information is in three columns; the first lists the base address of the driver, the second lists the driver's creation date (as a Unix timestamp), and the third lists the name of the driver.
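An added example, not part of the original post: a small triage parser for the fields described above. The one-line `STOP:` layout and the `base timestamp - name` row layout are assumed renderings of those fields, and the sample text, addresses and `example.sys` are constructed.

```python
import re
from datetime import datetime, timezone

# Bug check names mentioned on this page; other codes are reported as UNKNOWN.
STOP_NAMES = {0x1E: "KMODE_EXCEPTION_NOT_HANDLED", 0x7B: "INACCESSIBLE_BOOT_DEVICE"}

# Assumed layout: STOP: <code> (<p1>,<p2>,<p3>,<p4>) [SYMBOLIC_NAME]
STOP_RE = re.compile(
    r"STOP:\s*(0x[0-9A-Fa-f]{8})\s*\(\s*((?:0x[0-9A-Fa-f]{8}\s*,\s*){3}"
    r"0x[0-9A-Fa-f]{8})\s*\)(?:\s+([A-Z0-9_]+))?"
)
# Assumed layout of one driver row: <base hex> <timestamp hex> - <name>
DRIVER_RE = re.compile(r"^\s*([0-9A-Fa-f]{8})\s+([0-9A-Fa-f]{8})\s+-\s+(\S+)\s*$")

# Constructed sample screen text (not taken from a real crash).
SAMPLE = """*** STOP: 0x0000001E (0xC0000005,0xF8A41234,0x00000000,0x00000000) KMODE_EXCEPTION_NOT_HANDLED
80100000 3B7D82E0 - ntoskrnl.exe
F8A40000 3B7D8400 - example.sys
"""


def parse_stop_line(line):
    """Return the stop code, symbolic name and four parameters, or None."""
    m = STOP_RE.search(line)
    if m is None:
        return None
    code = int(m.group(1), 16)
    params = [int(p.strip(), 16) for p in m.group(2).split(",")]
    name = m.group(3) or STOP_NAMES.get(code, "UNKNOWN")
    return {"code": code, "name": name, "params": params}


def parse_driver_rows(text):
    """Return (base, build time in UTC, name) for every driver row in text."""
    rows = []
    for line in text.splitlines():
        m = DRIVER_RE.match(line)
        if m:
            built = datetime.fromtimestamp(int(m.group(2), 16), tz=timezone.utc)
            rows.append((int(m.group(1), 16), built, m.group(3)))
    return rows


def owning_driver(address, drivers):
    """Best guess: the driver with the highest base at or below address.
    Image sizes are not on the screen, so this cannot rule out a gap."""
    below = [d for d in drivers if d[0] <= address]
    return max(below, key=lambda d: d[0])[2] if below else None
```

For stop code 0x1E the second parameter is the address at which the exception occurred, so `owning_driver(stop["params"][1], drivers)` names the module to look at first; a kernel debugger and the dump file are still needed to confirm it.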

By default, Windows will create a memory dump file when a blue screen error occurs. Depending on the OS version, there may be several formats this can be saved in, ranging from a 64 KB "mini dump" to a "complete dump" which is effectively a copy of the entire contents of physical RAM. The resulting memory dump file may be debugged later, using a kernel debugger. A debugger is necessary to obtain a stack trace, and may be required to ascertain the true cause of the problem; as the information onscreen is limited and thus possibly misleading, it may hide the true source of the error.

Windows NT 3.5

Microsoft Windows can also be configured to send live debugging information to a kernel debugger running on a separate computer. (Windows XP also allows for kernel debugging from the machine that is running the OS.) If a blue screen error is encountered while a live kernel debugger is attached to the system, Windows will halt execution and cause the debugger to "break in", rather than displaying the BSOD. The debugger can then be used to examine the contents of memory and determine the source of the problem.

The Windows debugger is available as a free download from Microsoft.

Windows includes a feature that can be used to cause a blue screen manually. To enable it, the user must add a value to the Windows registry. After that, a BSOD will appear when the user presses the SCROLL LOCK key twice while holding the right CTRL key.[3] This feature is primarily useful for obtaining a memory dump of the computer while it is in a given state. As such, it is generally used to aid in troubleshooting system hangs.

By default, Windows XP is configured to save only a 64K minidump when it encounters a blue screen, and then to automatically reboot the computer. Because this process happens very quickly, the blue screen may be seen only for an instant or not at all. Users have sometimes noted this as a random reboot rather than a traditional stop error, and are only aware of an issue after Windows reboots and displays a notification that it has recovered from a serious error.

A BSOD can also be caused by a critical boot loader error, where the operating system is unable to access the boot partition due to incorrect storage drivers or similar problems. The error code in this situation is STOP 0x0000007B (INACCESSIBLE_BOOT_DEVICE). In such cases, there is no memory dump saved. Since the system is unable to boot from the hard drive in this situation, correction of the problem often requires booting from the Microsoft Windows CD. After booting to the CD, it may be possible to correct the problem by performing a repair install or by using the Recovery Console (with CHKDSK).

The color blue was chosen because there was a version of Windows NT for the DEC Alpha platform and there the console colors could not be changed in an easy way. For consistency reasons blue became the color for Stop errors on all platforms (alpha/i386/mips/ppc).

ReactOS

ReactOS, an attempt at creating a free software/open source implementation of a Windows NT-compatible operating system, also features its own BSOD similar to the Windows NT/XP one.

Windows 9x

Windows 9x/Me

The blue screen of death also occurs in Microsoft's home desktop operating systems Windows 95, 98, and Me. Here it is less serious, but more common. In these operating systems, the BSOD is the main way for virtual device drivers to report errors to the user. It is internally referred to by the name of "_VWIN32_FaultPopup". A Windows 9x/Me BSOD gives the user the option either to restart or continue. However, VxDs do not display BSODs frivolously — they usually indicate a problem which cannot be fixed without restarting the computer, and hence after a BSOD is displayed the system is usually unstable or unresponsive.

Two of the most common reasons for BSODs are:

  • Problems that occur with incompatible versions of DLLs. This cause is sometimes referred to as DLL hell. Windows loads these DLLs into memory when they are needed by application programs; if versions are changed, the next time an application loads the DLL it may be different from what the application expects. These incompatibilities increase over time as more new software is installed, and are one of the main reasons why a freshly-installed copy of Windows is more stable than an "old" one.
  • Faulty or poorly written device drivers, hardware incompatibilities, or damaged hardware may also cause a BSOD. If you have just installed a new piece of hardware, updated a driver, or installed an Operating System update shortly before you see the BSOD, be sure to investigate these causes also.

In Windows 95 and 98, a BSOD occurred when the system attempted to access the file "c:\con\con" on the hard drive. This was often inserted on websites to crash users' machines. Microsoft has released a patch for this.

The BSOD can appear if a user ejects a removable medium while it is being read on 9x/ME. This is particularly common while using Microsoft Office: if a user simply wants to view a document, he might eject a floppy disk before exiting the program. Since Microsoft Office always creates a temporary file in the same directory, it will trigger a BSOD upon exiting because it will attempt to delete the file on the disk that is no longer in the drive.

This type of blue screen is no longer seen in Windows NT, 2000, and XP. In the case of these less serious software errors, the program may still crash, but it will not take down the entire operating system with it due to better memory management and decreased legacy support. In these systems, the "true" BSOD is seen only in cases where the entire operating system crashes.

Windows CE 5.0

Windows CE

The simplest version of the blue screen occurs in Windows CE except the versions for Pocket PC. The blue screen in Windows CE 3.0 is similar to the one in Windows 95 and 98.

Windows for Workgroups 3.11

Windows for Workgroups

Windows for Workgroups' Blue Screen of Death is very similar to the Windows 9x BSoD.

Xbox Error Message

Xbox

Although the Microsoft Xbox usually shows a Green Screen of Death when a critical error occurs, this model was seen showing a BSOD during the presentation of Forza Motorsport at the CeBIT computer fair in Hannover in March 2005.
