Question How to analyze a BSOD?

hack3rcon

Reputable
Aug 12, 2019
Hello,
I used WinDbg to analyze a BSOD dump file. I opened the dump file:

Code:
Loading Kernel Symbols
.

Press ctrl-c (cdb, kd, ntsd) or ctrl-break (windbg) to abort symbol loads that take too long.
Run !sym noisy before .reload to track down problems loading symbols.

..............................................................
................................................................
...............................................................
Loading User Symbols
Loading unloaded module list
...................

************* Symbol Loading Error Summary **************
Module name            Error
ntoskrnl               The system cannot find the file specified

You can troubleshoot most symbol related issues by turning on symbol loading diagnostics (!sym noisy) and repeating the command that caused symbols to be loaded.
You should also verify that your symbol search path (.sympath) is correct.
For analysis of this file, run !analyze -v
*** WARNING: Unable to verify timestamp for watchdog.sys

Then I ran the !analyze -v command and the result is:

Code:
...
LAST_CONTROL_TRANSFER:  from fffff80563e93ad0 to fffff80555dfcd70

STACK_TEXT: 
fffff805`595f3738 fffff805`63e93ad0 : 00000000`00000119 00000000`00000005 ffffc40c`6d90f000 ffffc40c`6df68520 : nt+0x3fcd70
fffff805`595f3740 00000000`00000119 : 00000000`00000005 ffffc40c`6d90f000 ffffc40c`6df68520 00000000`00011668 : watchdog+0x3ad0
fffff805`595f3748 00000000`00000005 : ffffc40c`6d90f000 ffffc40c`6df68520 00000000`00011668 00000000`00000000 : 0x119
fffff805`595f3750 ffffc40c`6d90f000 : ffffc40c`6df68520 00000000`00011668 00000000`00000000 ffffc40c`72f45590 : 0x5
fffff805`595f3758 ffffc40c`6df68520 : 00000000`00011668 00000000`00000000 ffffc40c`72f45590 fffff805`70fe02dd : 0xffffc40c`6d90f000
fffff805`595f3760 00000000`00011668 : 00000000`00000000 ffffc40c`72f45590 fffff805`70fe02dd ffffc40c`72f42000 : 0xffffc40c`6df68520
fffff805`595f3768 00000000`00000000 : ffffc40c`72f45590 fffff805`70fe02dd ffffc40c`72f42000 ffffc40c`6d90f000 : 0x11668


THREAD_SHA1_HASH_MOD_FUNC:  1ffa882a03d0bff665b5475db9543d1550319fa0

THREAD_SHA1_HASH_MOD_FUNC_OFFSET:  a56c5ea5e76595c5742709446528d8159b25ce45

THREAD_SHA1_HASH_MOD:  1ffa882a03d0bff665b5475db9543d1550319fa0

FOLLOWUP_IP:
watchdog+3ad0
fffff805`63e93ad0 cc              int     3

FAULT_INSTR_CODE:  cccccccc

SYMBOL_STACK_INDEX:  1

FOLLOWUP_NAME:  MachineOwner

STACK_COMMAND:  .thread ; .cxr ; kb

BUGCHECK_STR:  CFEE68AF

EXCEPTION_CODE: (NTSTATUS) 0xcfee68af - <Unable to get error code text>

EXCEPTION_CODE_STR:  CFEE68AF

EXCEPTION_STR:  WRONG_SYMBOLS

PROCESS_NAME:  ntoskrnl.wrong.symbols.exe

IMAGE_NAME:  ntoskrnl.wrong.symbols.exe

MODULE_NAME: nt_wrong_symbols

SYMBOL_NAME:  nt_wrong_symbols!CFEE68AF1046000

BUCKET_ID:  WRONG_SYMBOLS_X64_19041.1.amd64fre.vb_release.191206-1406_TIMESTAMP_800718-060119

DEFAULT_BUCKET_ID:  WRONG_SYMBOLS_X64_19041.1.amd64fre.vb_release.191206-1406_TIMESTAMP_800718-060119

PRIMARY_PROBLEM_CLASS:  WRONG_SYMBOLS

FAILURE_BUCKET_ID:  WRONG_SYMBOLS_X64_19041.1.amd64fre.vb_release.191206-1406_TIMESTAMP_800718-060119_CFEE68AF_nt_wrong_symbols!CFEE68AF1046000

TARGET_TIME:  2023-09-18T22:48:43.000Z

OSBUILD:  19041

OSSERVICEPACK:  0

SERVICEPACK_NUMBER: 0

OS_REVISION: 0

SUITE_MASK:  272

PRODUCT_TYPE:  1

OSPLATFORM_TYPE:  x64

OSNAME:  Windows 10

OSEDITION:  Windows 10 WinNt TerminalServer SingleUserTS

OS_LOCALE: 

USER_LCID:  0

OSBUILD_TIMESTAMP:  unknown_date

BUILDDATESTAMP_STR:  191206-1406

BUILDLAB_STR:  vb_release

BUILDOSVER_STR:  10.0.19041.1.amd64fre.vb_release.191206-1406

ANALYSIS_SESSION_ELAPSED_TIME:  853f

ANALYSIS_SOURCE:  KM

FAILURE_ID_HASH_STRING:  km:wrong_symbols_x64_19041.1.amd64fre.vb_release.191206-1406_timestamp_800718-060119_cfee68af_nt_wrong_symbols!cfee68af1046000

FAILURE_ID_HASH:  {38503203-cc04-2f43-4fa0-a35d5ce214c9}

Followup:     MachineOwner
---------

Then, I did:

Code:
0: kd> lmvm nt_wrong_symbols
Browse full module list
start             end                 module name
0: kd>

No result!
What is the next step?

Thank you.
 
And I will add the suggestion to start with Reliability History/Monitor and Event Viewer.

Either one or both tools may be capturing some error code, warning, or even an informational event just before or at the time of the BSODs.

Reliability History is much more end user friendly and the timeline formats may reveal patterns.

Event Viewer requires much more time and effort to learn and understand.

Both tools allow clicking any given error, etc. for more information and details. The details may or may not be helpful.

To help with Event Viewer:

https://forums.tomshardware.com/threads/how-to-use-windows-10-event-viewer.2752289/
 
You need to tell WinDbg where to find the necessary symbol files. You do that by clicking on File > Symbol File Path, and in that box paste this: cache*C:\MySymbols;srv*https://msdl.microsoft.com/download/symbols

There is a lot of knowledge and experience required to debug a BSOD and it takes a long time to learn. An ideal place to start is the Sysnative BSOD Academy, which I strongly recommend.
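As an added example (not code from any poster in this thread), a small Python triage script that recognises the symbol failures visible in the output above (WRONG_SYMBOLS, the ntoskrnl symbol error, the watchdog.sys timestamp warning, stack frames that resolve only to module+offset) and builds a non-interactive kd.exe command line that applies the symbol path from the reply above. The kd.exe switches -z, -y, -logo and -c are standard debugger options; the SAMPLE text is constructed from this thread's output.

```python
"""Triage helper for the '!analyze -v' output shown in this thread: flags the
symbol problems that make the bucket meaningless (WRONG_SYMBOLS, missing module
symbols, unverified timestamps, module+offset frames) and builds a kd.exe command
line that applies the symbol path suggested above. SAMPLE is constructed text
modeled on the thread's output, not a real dump."""
import re
from typing import Dict, List

# Symbol path from the reply above: local cache plus the Microsoft public symbol server.
SYMBOL_PATH = r"cache*C:\MySymbols;srv*https://msdl.microsoft.com/download/symbols"

SAMPLE = """\
************* Symbol Loading Error Summary **************
Module name            Error
ntoskrnl               The system cannot find the file specified
*** WARNING: Unable to verify timestamp for watchdog.sys
STACK_TEXT:
fffff805`595f3738 fffff805`63e93ad0 : 00000000`00000119 00000000`00000005 : nt+0x3fcd70
fffff805`595f3740 00000000`00000119 : 00000000`00000005 ffffc40c`6d90f000 : watchdog+0x3ad0
EXCEPTION_STR:  WRONG_SYMBOLS
IMAGE_NAME:  ntoskrnl.wrong.symbols.exe
"""

def parse_analyze_fields(text: str) -> Dict[str, str]:
    """Collect the 'KEY:  value' lines !analyze -v prints (EXCEPTION_STR, IMAGE_NAME, ...)."""
    return {m.group(1): m.group(2).strip()
            for m in re.finditer(r"^([A-Z][A-Z0-9_]*):[ \t]*(.*)$", text, re.M)}

def unresolved_frames(text: str) -> List[str]:
    """Modules whose STACK_TEXT frames resolved only to module+offset (no function name)."""
    return re.findall(r":\s+([A-Za-z_][\w.]*)\+0x[0-9a-fA-F]+\s*$", text, re.M)

def symbol_problems(text: str) -> List[str]:
    """Findings that mean 'fix symbols before trusting the analysis'; empty means symbols are fine."""
    fields = parse_analyze_fields(text)
    findings = []
    if "WRONG_SYMBOLS" in (fields.get("EXCEPTION_STR"), fields.get("PRIMARY_PROBLEM_CLASS")):
        findings.append("WRONG_SYMBOLS: kernel (nt) symbols did not load; set the symbol path and .reload")
    for m in re.finditer(r"^(\S+)\s{2,}The system cannot find the file specified", text, re.M):
        findings.append(f"no symbols found for module {m.group(1)}")
    for m in re.finditer(r"Unable to verify timestamp for (\S+)", text):
        findings.append(f"timestamp of {m.group(1)} could not be verified (its symbols were not found)")
    frames = unresolved_frames(text)
    if frames:
        findings.append("frames resolved only to module+offset: " + ", ".join(frames))
    return findings

def kd_command(dump_path: str, log_path: str, sympath: str = SYMBOL_PATH) -> List[str]:
    """Non-interactive kd.exe line: open the dump with the symbol path set, run !analyze -v, log, quit."""
    return ["kd.exe", "-z", dump_path, "-y", sympath, "-logo", log_path, "-c", "!analyze -v; q"]
```

symbol_problems(SAMPLE) returns four findings for the constructed text; once kd.exe (Debugging Tools for Windows) is on PATH, run kd_command(...) with subprocess against the real dump and feed the log file to symbol_problems to confirm the WRONG_SYMBOLS bucket is gone.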

Hello,
Thank you so much for your reply.
I have already defined the symbol file path.