|Debugging Tools for Windows|
When Microsoft Windows encounters a condition that compromises safe system operation, the system halts. This condition is called a bug check. It is also commonly referred to as a system crash, a kernel error, or a Stop error.
If crash dumps are enabled on the system, a crash dump file is created.
If a kernel debugger is attached and active, the system causes a break so the debugger can be used to investigate the crash.
If no debugger is attached, a blue text screen appears with information about the error. This screen is called a blue screen, a bug check screen, or a Stop screen.
The exact appearance of the blue screen depends on the cause of the error. The following is an example of one possible blue screen:
Mismatched kernel and hal image.
Beginning dump of physical memory
Physical memory dump complete. Contact your system administrator or
technical support group.
On the other hand, some blue screens look like this:
The Windows Logon Process system process terminated unexpectedly with
a status of 0x00000001 (0x00000000 0x00000000).
The system has been shut down.
The hexadecimal number following the word "STOP" is called the bug check code or Stop code. This is the most important item on the screen.
Each bug check code has four associated parameters. In the first blue screen shown here, all four parameters are displayed after the bug check code. However, in the second kind of blue screen, these parameters have been rearranged within the explanatory text. Regardless of the amount of rearrangement, they will always appear sequentially. If fewer than four parameters appear, the remaining parameters can be assumed to be zero.
The remainder of the text on the blue screen gives additional information. For some bug checks, this may be an explanation of what happened or suggestions for how you can deal with the problem. If a kernel-mode dump file has been written, this will usually be indicated as well.
Under some conditions, Windows will display only the first line of the blue screen. This can occur if the vital services needed for the display have been affected by the error.
Each bug check code also has an associated symbolic name. These names usually do not appear on the blue screen. In these examples, the first screen shows bug check 0x79 (MISMATCHED_HAL), while the second shows bug check 0xC000021A (STATUS_SYSTEM_PROCESS_TERMINATED).
To deliberately cause a bug check from a kernel-mode driver, you need to pass the bug check's symbolic name to the KeBugCheck or KeBugCheckEx function. This should only be done in circumstances where no other option is available. For more details on these functions, see the Windows Driver Kit.
If a debugger is attached, a bug check will cause the target computer to break into the debugger. In this case, the blue screen might not appear, or might appear with less text; the full details on this crash will be sent to the debugger and appear in the debugger window. To see this information a second time, use the .bugcheck (Display Bug Check Data) command.
The debugger will also display additional information regarding the current problem. To see this information a second time, use the !analyze extension command.