• Happy holidays, folks! Thanks to each and every one of you for being part of the Tom's Hardware community!

[SOLVED] How to read DMP files ?

Aug 20, 2021
29
1
35
TLDR; I have random BSODs. They usually occur during mundane tasks, not during gaming or any other intensive tasks. I used WinDbg to analyze DMP files but I do not know what the results mean because it's a lot of technical stuff I do not know. Can anyone help me figure this out? Been having this issue for a while now. I just ran memtest and it passed the 13 tests 4 times with no problem, updated drivers, chkdsk. I can upload the DMP file or show the results of WinDbg. Any feedback is welcomed!
 
Solution
PFN corrupt - pfn = Page Frame Number

A block of RAM, typically 4KB in size, used for virtual memory. A page frame is a physical entity with its own page frame number (PFN), whereas a "page" is content that floats between memory page frames and storage (disk or SSD).

https://www.pcmag.com/encyclopedia/term/page-frame

have you tested the ram? I am surprised I didn't mention it yet

Try running memtest86 on each of your ram sticks, one stick at a time, up to 4 passes. Only error count you want is 0, any higher could be cause of the BSOD. Remove/replace ram sticks with errors. Memtest is created as a bootable USB so that you don’t need windows to run it
if you copy/paste the results from winDbg into here I can see if they mean anything to me

Can you follow option one on the following link - here - and then do this step below: Small memory dumps - Have Windows Create a Small Memory Dump (Minidump) on BSOD - that creates a file in c windows/minidump after the next BSOD

  1. Open Windows File Explore
  2. Navigate to C:\Windows\Minidump
  3. Copy the mini-dump files out onto your Desktop
  4. Do not use Winzip, use the built in facility in Windows
  5. Select those files on your Desktop, right click them and choose 'Send to' - Compressed (zipped) folder
  6. Upload the zip file to the Cloud (OneDrive, DropBox . . . etc.)
  7. Then post a link here to the zip file, so we can take a look for you . . .
 
  • Like
Reactions: aamgr
APC_INDEX_MISMATCH (1)
This is a kernel internal error. The most common reason to see this
BugCheck is when a filesystem or a driver has a mismatched number of
calls to disable and re-enable APCs. The key data item is the
Thread->CombinedApcDisable field. This consists of two separate 16-bit
fields, the SpecialApcDisable and the KernelApcDisable. A negative value
of either indicates that a driver has disabled special or normal APCs
(respectively) without re-enabling them; a positive value indicates that
a driver has enabled special or normal APCs (respectively) too many times.
Arguments:
Arg1: 0000000077821cfc, Address of system call function or worker routine
Arg2: 0000000000000001, Thread->ApcStateIndex
Arg3: 0000000000000000, (Thread->SpecialApcDisable << 16) | Thread->KernelApcDisable
Arg4: fffff68544661b80, Call type (0 - system call, 1 - worker routine)

Debugging Details:
------------------


KEY_VALUES_STRING: 1

Key : Analysis.CPU.mSec
Value: 2671

Key : Analysis.DebugAnalysisManager
Value: Create

Key : Analysis.Elapsed.mSec
Value: 13319

Key : Analysis.Init.CPU.mSec
Value: 327

Key : Analysis.Init.Elapsed.mSec
Value: 8202

Key : Analysis.Memory.CommitPeak.Mb
Value: 74

Key : WER.OS.Branch
Value: vb_release

Key : WER.OS.Timestamp
Value: 2019-12-06T14:06:00Z

Key : WER.OS.Version
Value: 10.0.19041.1


BUGCHECK_CODE: 1

BUGCHECK_P1: 77821cfc

BUGCHECK_P2: 1

BUGCHECK_P3: 0

BUGCHECK_P4: fffff68544661b80

BLACKBOXBSD: 1 (!blackboxbsd)


BLACKBOXNTFS: 1 (!blackboxntfs)


BLACKBOXPNP: 1 (!blackboxpnp)


BLACKBOXWINLOGON: 1

CUSTOMER_CRASH_COUNT: 1

PROCESS_NAME: Zoom.exe

STACK_TEXT:
fffff68544661948 fffff8032aa09169 : 0000000000000001 0000000077821cfc 0000000000000001 0000000000000000 : nt!KeBugCheckEx
fffff68544661950 fffff8032aa09033 : 0000000000000000 fffff68544661b80 fffff68500000000 ffffbf821fd13b60 : nt!KiBugCheckDispatch+0x69
fffff68544661a90 0000000077821cfc : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : nt!KiSystemServiceExitPico+0x1fe
000000000be2f218 0000000000000000 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : 0x77821cfc


SYMBOL_NAME: nt!KiSystemServiceExitPico+1fe

MODULE_NAME: nt

IMAGE_NAME: ntkrnlmp.exe

IMAGE_VERSION: 10.0.19041.1165

STACK_COMMAND: .thread ; .cxr ; kb

BUCKET_ID_FUNC_OFFSET: 1fe

FAILURE_BUCKET_ID: 0x1_SysCallNum_1b0007_nt!KiSystemServiceExitPico

OS_VERSION: 10.0.19041.1

BUILDLAB_STR: vb_release

OSPLATFORM_TYPE: x64

OSNAME: Windows 10

FAILURE_ID_HASH: {1d25e8fe-40eb-1b84-9166-c3af30bbaf7e}

Followup: MachineOwner
---------



This is the latest dmp file. BSODs usually happen when using programs installed in my ssd alongside the OS. Games and other intensive programs are on a HDD. Could this indicate a problem with my ssd?
 
Not a lot of info in that dump.
I am not sure what an APC is, I know what a DPC is but not sure if they are related.

The APC_INDEX_MISMATCH bug check has a value of 0x00000001. This indicates that there has been a mismatch in the asynchronous procedure calls (APC) state index. (link)

seems I was close, I thought it was Procedure Calls.. didn't know what A stood for. A Procedure call is an almost constant action in the CPU, it lets CPU know what to do next.

most common cause is a driver, we just need to figure out which one. above only mentions kernel drivers,
 
  • Like
Reactions: aamgr
If we could figure out which driver it is, how would I update/restore/fix that particular driver?
My pc BSOD again 🙁 heres the WinDbg

IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.
Arguments:
Arg1: 000000000000073a, memory referenced
Arg2: 0000000000000002, IRQL
Arg3: 0000000000000000, bitfield :
bit 0 : value 0 = read operation, 1 = write operation
bit 3 : value 0 = not an execute operation, 1 = execute operation (only on chips which support this level of status)
Arg4: fffff8052d8ed1ad, address which referenced memory

Debugging Details:
------------------


KEY_VALUES_STRING: 1

Key : Analysis.CPU.mSec
Value: 2733

Key : Analysis.DebugAnalysisManager
Value: Create

Key : Analysis.Elapsed.mSec
Value: 49127

Key : Analysis.Init.CPU.mSec
Value: 359

Key : Analysis.Init.Elapsed.mSec
Value: 2222

Key : Analysis.Memory.CommitPeak.Mb
Value: 74

Key : WER.OS.Branch
Value: vb_release

Key : WER.OS.Timestamp
Value: 2019-12-06T14:06:00Z

Key : WER.OS.Version
Value: 10.0.19041.1


BUGCHECK_CODE: a

BUGCHECK_P1: 73a

BUGCHECK_P2: 2

BUGCHECK_P3: 0

BUGCHECK_P4: fffff8052d8ed1ad

READ_ADDRESS: fffff8052e2fa390: Unable to get MiVisibleState
Unable to get NonPagedPoolStart
Unable to get NonPagedPoolEnd
Unable to get PagedPoolStart
Unable to get PagedPoolEnd
unable to get nt!MmSpecialPagesInUse
000000000000073a

BLACKBOXBSD: 1 (!blackboxbsd)


BLACKBOXNTFS: 1 (!blackboxntfs)


BLACKBOXPNP: 1 (!blackboxpnp)


BLACKBOXWINLOGON: 1

CUSTOMER_CRASH_COUNT: 1

PROCESS_NAME: obs64.exe

TRAP_FRAME: ffff848f23310600 -- (.trap 0xffff848f23310600)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=0000000000000000 rbx=0000000000000000 rcx=ffffe28688776288
rdx=ffffe28688776288 rsi=0000000000000000 rdi=0000000000000000
rip=fffff8052d8ed1ad rsp=ffff848f23310790 rbp=ffffe28683875d40
r8=0000000000000012 r9=0000000000000000 r10=0000000000000012
r11=0000000000000000 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei pl zr na po nc
nt!KiTryScheduleNextForegroundBoost+0x15:
fffff8052d8ed1ad 8a803a070000 mov al,byte ptr [rax+73Ah] ds:000000000000073a=??
Resetting default scope

STACK_TEXT:
ffff848f233104b8 fffff8052da09169 : 000000000000000a 000000000000073a 0000000000000002 0000000000000000 : nt!KeBugCheckEx
ffff848f233104c0 fffff8052da05469 : 0000000000000001 00000000ffffffff 0000000000000000 fffff8052db19e00 : nt!KiBugCheckDispatch+0x69
ffff848f23310600 fffff8052d8ed1ad : 0000000000000004 0000000000000000 0000000000000002 ffffa800c4d00180 : nt!KiPageFault+0x469
ffff848f23310790 fffff8052d887a22 : ffffe28688776288 ffffe28683875d40 ffffe28687ce61f0 ffff848f233107fc : nt!KiTryScheduleNextForegroundBoost+0x15
ffff848f233107c0 fffff8052d8871b1 : 0000000000000000 fffff8052dbf5e31 0000000000000000 0000000000000000 : nt!KiDeferredReadySingleThread+0x5b2
ffff848f233109b0 fffff8052d927ea0 : 0000000000080005 0000000000000000 ffffe28688776360 ffffe28687ce61c0 : nt!KiExitDispatcher+0x141
ffff848f23310a20 fffff8052dcd520b : 0000027dc6cb02f0 0000000000000000 ffff848f23310b80 ffffe28688776360 : nt!KeReleaseSemaphore+0x110
ffff848f23310aa0 fffff8052da08bb8 : ffffe28688e80080 0000000000000010 0000000000000000 ffffffffff676901 : nt!NtReleaseSemaphore+0x9b
ffff848f23310b00 00007ffdb88acf64 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : nt!KiSystemServiceCopyEnd+0x28
0000009a4896f618 0000000000000000 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : 0x00007ffd`b88acf64


SYMBOL_NAME: nt!KiTryScheduleNextForegroundBoost+15

MODULE_NAME: nt

IMAGE_NAME: ntkrnlmp.exe

IMAGE_VERSION: 10.0.19041.1165

STACK_COMMAND: .thread ; .cxr ; kb

BUCKET_ID_FUNC_OFFSET: 15

FAILURE_BUCKET_ID: AV_nt!KiTryScheduleNextForegroundBoost

OS_VERSION: 10.0.19041.1

BUILDLAB_STR: vb_release

OSPLATFORM_TYPE: x64

OSNAME: Windows 10

FAILURE_ID_HASH: {a63b8913-ce3e-ddb1-eeed-356132fb9ffa}

Followup: MachineOwner
---------
 
did you set it up to collect minidumps? they will actually show me what drivers were running at the time and I can start to figure out cause

crash is just mentioning victim (OBS) and parts of windows. Crash happened after cpu looked in ram, probably caused by a driver.
 
  • Like
Reactions: aamgr
Hi, I ran the dump files through the debugger and got the following information: https://jsfiddle.net/rjm5d6sq/show This link is for anyone wanting to help. You do not have to view it. It is safe to "run the fiddle" as the page asks.
File information:082021-19140-01.dmp (Aug 20 2021 - 04:29:14)
Bugcheck:APC_INDEX_MISMATCH (1)
Probably caused by:memory_corruption (Process: Zoom.exe)
Uptime:0 Day(s), 1 Hour(s), 17 Min(s), and 41 Sec(s)

File information:082021-18562-01.dmp (Aug 20 2021 - 03:11:04)
Bugcheck:IRQL_NOT_LESS_OR_EQUAL (A)
Probably caused by:memory_corruption (Process: obs64.exe)
Uptime:0 Day(s), 7 Hour(s), 02 Min(s), and 22 Sec(s)

File information:082021-15953-01.dmp (Aug 20 2021 - 06:24:25)
Bugcheck:SYSTEM_SERVICE_EXCEPTION (3B)
Probably caused by:memory_corruption (Process: Zoom.exe)
Uptime:0 Day(s), 1 Hour(s), 54 Min(s), and 39 Sec(s)

File information:081921-19593-01.dmp (Aug 18 2021 - 15:51:43)
Bugcheck:APC_INDEX_MISMATCH (1)
Probably caused by:memory_corruption (Process: dwm.exe)
Uptime:0 Day(s), 11 Hour(s), 09 Min(s), and 25 Sec(s)

File information:081921-18546-01.dmp (Aug 19 2021 - 00:18:34)
Bugcheck:SYSTEM_SERVICE_EXCEPTION (3B)
Probably caused by:memory_corruption (Process: Zoom.exe)
Uptime:0 Day(s), 0 Hour(s), 48 Min(s), and 30 Sec(s)
Comment: The overclocking driver "NTIOLib_X64.sys" was found on your system. (MSI Afterburner or other MSI software)

Possible Motherboard page: https://www.msi.com/Motherboard/b450-tomahawk
You are using the latest BETA BIOS.

This information can be used by others to help you. Someone else will post with more information. Please wait for additional answers. Good luck.
 
  • Like
Reactions: aamgr
How do I set it up to show what drivers were running at that time? There are only 5 DMP files here and it does not include the latest BSOD I had? The last one was the crash a few hours ago but I had more crashes after that.

Edit: Heres the dropbox link for the zipped minidump folder: https://www.dropbox.com/s/7ackvfuv1ay9q02/Minidump.zip?dl=0
Gardenman has written a program that converts the output of WinDBg into a form I can read. The dump has the drivers list in it somewhere so he gets that for each crash as well.

One of the victims gives me a clue, DWM.exe = Windows Desktop Manager. It sits between Applications and GPU drivers.
Zoom probably should have as well...

Are you using MSI Afterburner?

I would run ddu in safe mode and reinstall GPU drivers - https://forums.tomshardware.com/faq...n-install-of-your-video-card-drivers.2402269/
 
  • Like
Reactions: aamgr
You can use the debugger command lmv to get a verbose list of the loaded modules (drivers). Unfortunately it will include all 3rd party drivers + Microsoft drivers all in a single list and many without descriptions. The debugger tool was really written for programmers. I can't give you a tutorial on how to use it here. You can find more info online on other sites if you search.
 
  • Like
Reactions: aamgr
All of this started when I was "overclocking" my GPU using Afterburner while following a YT video LOL. It wouldn't boot so I took it to the store who built it and it worked fine for a couple of months(they just took the CMOS battery in and out and updated drivers) however the problem did present itself again. Now I am only using MSI afterburner to manually control GPU fan speed but other than that, I don't try to overclock it again after what happened. I will try to perform a clean install of video card drivers.

Edit: I will revert to the latest stable version of bios, I did not notice that it was a beta bios.
 
I'm in safe mode and while ddu was running, pc bsod. Is that supposed to happen or do I need to do it again? It did remove geforce experience but I'm not sure if it actually removed the driver.
 
I went into safe mode again, DDU uninstalled the driver successfully and it was able to restart on its own. I installed the driver again w/o GeForce experience, and I also uninstalled MSI afterburner.

The GPU is an RTX 2060 super (Galax)
SSD - Kingston SA400 240GB Sata - Boot drive
HDD - Seagate Barracuda 2TB Sata
CrystalDisk says both drives are good
PSU: Seasonic m12II-620 Evo 80+ modular
Case: Gigabyte C200

That's it, I did not change anything from the original build.
I'm replying after installing the driver again, lets see if it still BSODs.

UPDATE/EDIT: it did BSOD again. Latest minidump: https://www.dropbox.com/s/7ackvfuv1ay9q02/Minidump.zip?dl=0
I ran the code lmv and heres the results: https://www.dropbox.com/s/ojycukywh7v5m13/lmv.txt?dl=0
 
Last edited:
grumble.. should wait and see if gpu cause of this crash, but if it is I would run ddu again but instead of getting drivers from Nvidia, run windows update instead and let windows install older Nvidia drivers. I would have suggested the Galax drivers but they just link to Nvidia.
 
  • Like
Reactions: aamgr
I did run the debugger command lmv to get a verbose list of the loaded modules (drivers). Here are the results: https://www.dropbox.com/s/ojycukywh7v5m13/lmv.txt?dl=0. I just copied it into notepad (it's quite long). Again, it's a lot of technical stuff I do not know how to interpret. Is there's a way of circumventing finding the drivers causing the error? Like reinstall windows maybe on a brand new drive or smtg. idc about the data on this pc anymore I just want it to work.
 
lmv just lists the modules/drivers that were loaded when the system crashed. Sometimes the dumps will point directly to a driver by having a "Warning" in the Analyze Verbose text. Other times you can guess by looking at the stack text to tell what was going on when it crashed. It's complicated, and in most cases, just a guess. Updating drivers, (or using older versions) can sometimes help. A BIOS update can sometimes help. Sometimes it's hardware and the dumps are naming drivers which have nothing to do with why you're crashing.

Otherwise saying, there is no answer for the question: "Why did I crash?" by simply looking at a dump. You have to take the info from that, along with everything else that's going on and try to come to a conclusion.

I ran the dump files through the debugger and got the following information: https://jsfiddle.net/rmkd921L/show This link is for anyone wanting to help. You do not have to view it. It is safe to "run the fiddle" as the page asks.
File information:082221-17390-01.dmp (Aug 22 2021 - 08:16:36)
Bugcheck:PAGE_FAULT_IN_NONPAGED_AREA (50)
Probably caused by:memory_corruption (Process: mfpmp.exe)
Uptime:0 Day(s), 3 Hour(s), 06 Min(s), and 14 Sec(s)

File information:082221-13515-01.dmp (Aug 22 2021 - 10:59:58)
Bugcheck:SYSTEM_SERVICE_EXCEPTION (3B)
Probably caused by:memory_corruption (Process: steam.exe)
Uptime:0 Day(s), 1 Hour(s), 27 Min(s), and 10 Sec(s)

File information:082221-12437-01.dmp (Aug 22 2021 - 09:08:38)
Bugcheck:PAGE_FAULT_IN_NONPAGED_AREA (50)
Probably caused by:memory_corruption (Process: System)
Uptime:0 Day(s), 0 Hour(s), 02 Min(s), and 44 Sec(s)

File information:082021-18968-01.dmp (Aug 20 2021 - 09:48:47)
Bugcheck:KMODE_EXCEPTION_NOT_HANDLED (1E)
Probably caused by:memory_corruption (Process: LEDKeeper.exe)
Uptime:0 Day(s), 0 Hour(s), 23 Min(s), and 54 Sec(s)

File information:082021-15953-01.dmp (Aug 20 2021 - 06:24:25)
Bugcheck:SYSTEM_SERVICE_EXCEPTION (3B)
Probably caused by:memory_corruption (Process: Zoom.exe)
Uptime:0 Day(s), 1 Hour(s), 54 Min(s), and 39 Sec(s)
Comment: The overclocking driver "NTIOLib_X64.sys" was found on your system. (MSI Afterburner or other MSI software)

Comment: Please only upload NEW dump files and place them in a NEW folder each time. I cannot go back and try to figure out which dumps are new and which aren't.

This information can be used by others to help you. Someone else will post with more information. Please wait for additional answers. Good luck.
 
Otherwise saying, there is no answer for the question: "Why did I crash?" by simply looking at a dump. You have to take the info from that, along with everything else that's going on and try to come to a conclusion.
thats where I am now, all 5 BSOD are different, no clear pattern. Hard to figure out what is cause, normally the results are more similar.

I suspect lan drivers might be involved
download Win10 Auto Installation Program from under windows header here - https://www.realtek.com/en/componen...0-1000m-gigabit-ethernet-pci-express-software
 
Both links are to the same file, however it probably includes the latest dumps that have been created. It does have 5 new dumps in it that we've not seen yet.

I ran the dump files through the debugger and got the following information: https://jsfiddle.net/ougsfpcq/show This link is for anyone wanting to help. You do not have to view it. It is safe to "run the fiddle" as the page asks.
File information:082421-14015-01.dmp (Aug 24 2021 - 02:43:50)
Bugcheck:IRQL_NOT_LESS_OR_EQUAL (A)
Probably caused by:memory_corruption (Process: Zoom.exe)
Uptime:0 Day(s), 22 Hour(s), 40 Min(s), and 58 Sec(s)

File information:082421-12828-01.dmp (Aug 24 2021 - 04:19:38)
Bugcheck:DRIVER_IRQL_NOT_LESS_OR_EQUAL (D1)
Probably caused by:memory_corruption (Process: System)
Uptime:0 Day(s), 1 Hour(s), 35 Min(s), and 14 Sec(s)

File information:082321-16562-01.dmp (Aug 23 2021 - 04:02:22)
Bugcheck:KERNEL_AUTO_BOOST_INVALID_LOCK_RELEASE (162)
Probably caused by:memory_corruption (Process: System)
Uptime:0 Day(s), 1 Hour(s), 14 Min(s), and 14 Sec(s)

File information:082321-15125-01.dmp (Aug 23 2021 - 02:15:07)
Bugcheck:UNEXPECTED_KERNEL_MODE_TRAP (7F)
Probably caused by:memory_corruption (Process: WWAHost.exe)
Uptime:0 Day(s), 1 Hour(s), 02 Min(s), and 41 Sec(s)

File information:082321-12546-01.dmp (Aug 23 2021 - 02:47:37)
Bugcheck:SYSTEM_SERVICE_EXCEPTION (3B)
Probably caused by:memory_corruption (Process: LEDKeeper.exe)
Uptime:0 Day(s), 0 Hour(s), 32 Min(s), and 00 Sec(s)
This information can be used by others to help you. Someone else will post with more information. Please wait for additional answers. Good luck.
 
i will have to look through these tomorrow but looking at syst native, i see lots of programs crashing

from dumps:

crash 1. victim Zoom
cause LAN drivers. Mentions afd.sys which is Ancillary Function Driver for Winsock. Windows uses it for networking

crash 2 victim Windows
cause LAN drivers. This time it mentions tcpip.sys. Transmission control protocol/internet protocol. Used by windows to talk to internet

crash 3 victim system
cause: unclear. I am not sure what bam.sys does. Background Activity Moderator Driver http://batcmd.com/windows/10/services/bam/
So I can't really point at anything in particular for that

crash 4 victim WWAHost.exe (??) its the environment all the modern apps (refer Calculator and shop) run in
win 10 was stuck in a loop. it was doing the same commands over and over and clearly one wasn't working right.

crash 5 victim LEDKeeper aka Mysticlight
Not sure exactly. Its not clear.

top 2 are clearly lan drivers but yours aren't that old
May 10 2021rt640x64.sysRealtek NICDRV 8169 PCIe GBE Family Controller driver https://www.realtek.com/en/

though it does explain why defender crashed on 20th, Epic webhelper hasn't been too happy either.

Download the Win10 Auto Installation Program from under the windows header here - https://www.realtek.com/en/componen...0-1000m-gigabit-ethernet-pci-express-software

If you don't use ethernet and use WIFI, its not showing anywhere so I assume not.
 
Before I ran SysnativeBSOD I downloaded and installed Win10 Auto Installation Program from under the windows header from - https://www.realtek.com/en/componen...0-1000m-gigabit-ethernet-pci-express-software And yeah it still BSOD 3 times in one zoom meeting. I also already reinstalled zoom to see if it was the problem but it was not. Is this a motherboard issue? The shop did RMA it when I had a problem with the pc the first time. I also cleaned the pc, reset the CMOS battery, ran DDU, and reinstalled drivers again.