HOWTO Memory Dump

You get two different types of "Blue Screen of Death", a STOP error message and a Memory Dump. The information below covers some steps you can take to gather more information about a blue screen error message. These steps will not always provide conclusive answers and may only be a symptom of another problem.

Event Log Messages

Set up your system to write an event log message with bugcheck information.
Windows NT Server 4.0 is set to write event log messages by default. Windows NT Workstation is not set by default. To set your system to write an event log message, open the Control Panel, doubleclick on System, select the Startup/Shutdown tab and tick the box next to "Write an event to the system log". This will cause an event log message to be written to the system log.
Data contained in the event log message.
The description and format of the event log differs from the format displayed when the computer is writing the Memory.dmp file, but the majority of the information is the same. Below is an example of the event log.

Event ID: 1001
Source: Save Dump
Description:
The computer has rebooted from a bugcheck. The bugcheck was :
0xc000021a (0xe1270188, 0x00000001, 0x00000000, 0x00000000).
Microsoft Windows NT (v15.1381). A dump was saved in:
C:\WINNT\MEMORY.DMP.

This information contains the stop code 0xc000021a and the four parameters. These can be very useful when troubleshooting certain types of stop codes. The parameters will mean different things depending on what type of stop code it is.

Using Dumpchk.exe to Determine Memory Dump Information
If you use Dumpchk.exe from the Service Pack 3 CD, you can determine all of the above information as well as the address of the driver that generated the stop message. This information can often give you a direction to begin troubleshooting. Strange enough this file is on the SP3 CD and will be unpacked when NTSP3*.exe is executed, but it is not going to be copied to your system. Just copy the file manually to your SystemRoot directory before you finish the installation of SP3.
Before you run Dumpchk.exe, be sure to adjust the properties of the command prompt so that the screen buffer size height is set to 999. This height will allow you to scroll back to see the output. Run Dumpchk.exe from the command prompt with the following syntax:

dumpchk.exe Memory.dmp

The following is an example of the portions of the output that are most useful.

MachineImageType i386
NumberProcessors 1
BugCheckCode 0xc000021a
BugCheckParameter1 0xe1270188
BugCheckParameter2 0x00000001
BugCheckParameter3 0x00000000
BugCheckParameter4 0x00000000

ExceptionCode 0x80000003
ExceptionFlags 0x00000001
ExceptionAddress 0x8014fb84

As previously mentioned, not all sections will give the same information. This will depend on the type of STOP code. The information above tells us the STOP code (0xc000021a) and the parameters (0xe1270188, 0x00000001, 0x00000000, 0x00000000), as well as the address of the driver that called the exception (0x8014fb84). This address can be used to identify the driver name using the output from running Pstat.exe, which can be found on the resource kit.

Dumpchk.exe will also verify that the dump is valid.

Using Pstat.exe to Identify Driver Information

Pstat.exe, a resource kit utility, will give you a picture of the processes and drivers currently running on your system. For these purposes, the most useful information will be the list of loaded drivers that appears at the end of the output. All you need to do is run Pstat.exe from the command line. The information given by Pstat.exe can be piped to a file using the following sytax:

pstat.exe > filename

The following is an example of the driver list at the end of the output.

ModuleName Load Addr Code Data Paged LinkDate

----------------------------------------------------------------------------------------------------

ntoskrnl.exe 80100000 270272 40064 434816 Sun May 11 00:10:39 1997

hal.dll 80010000 20384 2720 9344 Mon Mar 10 16:39:20 1997

aic78xx.sys 80001000 20512 2272 0 Sat Apr 05 21:16:21 1997

SCSIPORT.SYS 801d7000 9824 32 15552 Mon Mar 10 16:42:27 1997

Disk.sys 80008000 3328 0 7072 Thu Apr 24 22:27:46 1997

CLASS2.SYS 8000c000 7040 0 1632 Thu Apr 24 22:23:43 1997

INO_FLPY.SYS 801df000 9152 1472 2080 Tue May 26 18:21:40 1998

Ntfs.sys 801e3000 68160 5408 269632 Thu Apr 17 22:02:31 1997

Floppy.SYS f7290000 1088 672 7968 Wed Jul 17 00:31:09 1996

Cdrom.SYS f72a0000 12608 32 3072 Wed Jul 17 00:31:29 1996

Cdaudio.SYS f72b8000 960 0 14912 Mon Mar 17 18:21:15 1997

Null.SYS f75c9000 0 0 288 Wed Jul 17 00:31:21 1996

KSecDD.SYS f7464000 1280 224 3456 Wed Jul 17 20:34:19 1996

Beep.SYS f75ca000 1184 0 0 Wed Apr 23 15:19:43 1997

cs32ba11.SYS fcd1a000 52384 45344 14592 Wed Mar 12 17:22:33 1997

msi8042.SYS f7000000 20192 1536 0 Mon Mar 23 22:46:22 1998

mouclass.sys f7470000 1984 0 0 Mon Mar 10 16:43:11 1997

kbdclass.sys f7478000 1952 0 0 Wed Jul 17 00:31:16 1996

VIDEOPRT.SYS f72d8000 2080 128 11296 Mon Mar 10 16:41:37 1997

ati.sys f7010000 960 9824 48768 Fri Dec 12 15:20:37 1997

vga.sys f7488000 128 32 10784 Wed Jul 17 00:30:37 1996

Msfs.SYS f7308000 864 32 15328 Mon Mar 10 16:45:01 1997

Npfs.SYS f7020000 6560 192 22624 Mon Mar 10 16:44:48 1997

NDIS.SYS fccda000 11744 704 96768 Thu Apr 17 22:19:45 1997

win32k.sys a0000000 1162624 40064 0 Fri Apr 25 21:17:32 1997

ati.dll fccba000 106176 17024 0 Fri Dec 12 15:20:08 1997

Cdfs.SYS f7050000 5088 608 45984 Mon Mar 10 16:57:04 1997

INO_FLTR.SYS fc42f000 29120 38176 1888 Tue Jun 02 16:33:05 1998

TDI.SYS fc4a2000 4480 96 288 Wed Jul 17 00:39:08 1996

tcpip.sys fc40b000 108128 7008 10176 Fri May 09 17:02:39 1997

netbt.sys fc3ee000 79808 1216 23872 Sat Apr 26 21:00:42 1997

el90x.sys f7320000 24576 1536 0 Wed Jun 26 20:04:31 1996

afd.sys f70d0000 1696 928 48672 Thu Apr 10 15:09:17 1997

netbios.sys f7280000 13280 224 10720 Mon Mar 10 16:56:01 1997

Parport.SYS f7460000 3424 32 0 Wed Jul 17 00:31:23 1996

Parallel.SYS f746c000 7904 32 0 Wed Jul 17 00:31:23 1996

ParVdm.SYS f7552000 1312 32 0 Wed Jul 17 00:31:25 1996

Serial.SYS f7120000 2560 0 18784 Mon Mar 10 16:44:11 1997

rdr.sys fc385000 13472 1984 219104 Wed Mar 26 14:22:36 1997

mup.sys fc374000 2208 6752 48864 Mon Mar 10 16:57:09 1997

srv.sys fc24a000 42848 7488 163680 Fri Apr 25 13:59:31 1997

PSCRIPT.DLL f9ec3000 0 0 0

Fastfat.SYS f9e00000 6720 672 114368 Mon Apr 21 16:50:22 1997

NTDLL.DLL 77f60000 237568 20480 0 Fri Apr 11 16:38:50 1997

----------------------------------------------------------------------------------------------------

Total 2377632 255040 1696384

ModuleName	Load Addr	Code	Data	Paged	LinkDate
----------------------------------------------------------------------------------------------------
ntoskrnl.exe	80100000	270272	40064	434816	Sun May 11 00:10:39 1997
hal.dll	80010000	20384	2720	9344	Mon Mar 10 16:39:20 1997
aic78xx.sys	80001000	20512	2272	0	Sat Apr 05 21:16:21 1997
SCSIPORT.SYS	801d7000	9824	32	15552	Mon Mar 10 16:42:27 1997
Disk.sys	80008000	3328	0	7072	Thu Apr 24 22:27:46 1997
CLASS2.SYS	8000c000	7040	0	1632	Thu Apr 24 22:23:43 1997
INO_FLPY.SYS	801df000	9152	1472	2080	Tue May 26 18:21:40 1998
Ntfs.sys	801e3000	68160	5408	269632	Thu Apr 17 22:02:31 1997
Floppy.SYS	f7290000	1088	672	7968	Wed Jul 17 00:31:09 1996
Cdrom.SYS	f72a0000	12608	32	3072	Wed Jul 17 00:31:29 1996
Cdaudio.SYS	f72b8000	960	0	14912	Mon Mar 17 18:21:15 1997
Null.SYS	f75c9000	0	0	288	Wed Jul 17 00:31:21 1996
KSecDD.SYS	f7464000	1280	224	3456	Wed Jul 17 20:34:19 1996
Beep.SYS	f75ca000	1184	0	0	Wed Apr 23 15:19:43 1997
cs32ba11.SYS	fcd1a000	52384	45344	14592	Wed Mar 12 17:22:33 1997
msi8042.SYS	f7000000	20192	1536	0	Mon Mar 23 22:46:22 1998
mouclass.sys	f7470000	1984	0	0	Mon Mar 10 16:43:11 1997
kbdclass.sys	f7478000	1952	0	0	Wed Jul 17 00:31:16 1996
VIDEOPRT.SYS	f72d8000	2080	128	11296	Mon Mar 10 16:41:37 1997
ati.sys	f7010000	960	9824	48768	Fri Dec 12 15:20:37 1997
vga.sys	f7488000	128	32	10784	Wed Jul 17 00:30:37 1996
Msfs.SYS	f7308000	864	32	15328	Mon Mar 10 16:45:01 1997
Npfs.SYS	f7020000	6560	192	22624	Mon Mar 10 16:44:48 1997
NDIS.SYS	fccda000	11744	704	96768	Thu Apr 17 22:19:45 1997
win32k.sys	a0000000	1162624	40064	0	Fri Apr 25 21:17:32 1997
ati.dll	fccba000	106176	17024	0	Fri Dec 12 15:20:08 1997
Cdfs.SYS	f7050000	5088	608	45984	Mon Mar 10 16:57:04 1997
INO_FLTR.SYS	fc42f000	29120	38176	1888	Tue Jun 02 16:33:05 1998
TDI.SYS	fc4a2000	4480	96	288	Wed Jul 17 00:39:08 1996
tcpip.sys	fc40b000	108128	7008	10176	Fri May 09 17:02:39 1997
netbt.sys	fc3ee000	79808	1216	23872	Sat Apr 26 21:00:42 1997
el90x.sys	f7320000	24576	1536	0	Wed Jun 26 20:04:31 1996
afd.sys	f70d0000	1696	928	48672	Thu Apr 10 15:09:17 1997
netbios.sys	f7280000	13280	224	10720	Mon Mar 10 16:56:01 1997
Parport.SYS	f7460000	3424	32	0	Wed Jul 17 00:31:23 1996
Parallel.SYS	f746c000	7904	32	0	Wed Jul 17 00:31:23 1996
ParVdm.SYS	f7552000	1312	32	0	Wed Jul 17 00:31:25 1996
Serial.SYS	f7120000	2560	0	18784	Mon Mar 10 16:44:11 1997
rdr.sys	fc385000	13472	1984	219104	Wed Mar 26 14:22:36 1997
mup.sys	fc374000	2208	6752	48864	Mon Mar 10 16:57:09 1997
srv.sys	fc24a000	42848	7488	163680	Fri Apr 25 13:59:31 1997
PSCRIPT.DLL	f9ec3000	0	0	0
Fastfat.SYS	f9e00000	6720	672	114368	Mon Apr 21 16:50:22 1997
NTDLL.DLL	77f60000	237568	20480	0	Fri Apr 11 16:38:50 1997
----------------------------------------------------------------------------------------------------
Total	2377632	255040	1696384

By using the starting address shown above under the "load addr" column, you can match the exception address to the driver name. Using 8014fb84 as an example, you can determine that Ntoskrnl.exe has the nearest load address below the exception address and is most likely the driver that called the exception. With this information, you may be able to find out what the cuse of the dump is. You can check the MS Knowledge Base.