Jun 24

Find out what caused a Blue Screen of Death in Windows.

If you’ve used a computer with any flavor of the Windows operating system, you’ve certainly experienced the infamous Blue Screen of Death (BSOD). These BSODs, or Stop errors as Microsoft calls them, occur when the operating system detects a problem with either hardware or software and “stops” to prevent damage to the system. Depending on the computer’s configuration, it may restart or simply wait for your input. It also writes a file to the hard drive. This file is called a memory dump file, small memory dump file, or minidump file, and it contains information that may help you identify why your computer stopped responding. Your computer has to be configured to write this memory dump, and it also needs a paging file of at least 2 MB on the boot drive.

To verify that your computer is set to write the minidump file, and that the paging file is the correct size and in the right location, follow these steps:

  1. Click the Start Menu, right-click “Computer” or “My Computer” and click “Properties…”. Alternatively, you can press the Windows key and the Break key at the same time. This will open the System Properties.
  2. Click the “Advanced Tab” if you are using Windows 2000, Windows XP, or Windows Server 2003, or click “Advanced System Settings…” if you are using Windows Vista, Windows 7 or Windows Server 2008.
  3. Click the Settings button under the performance section.
  4. Click the Advanced tab and click the Change button under the Virtual Memory section.
  5. Make sure the boot drive is selected and that the size of the paging file (virtual memory) is 2 MB or more. I like to set it to 1.5 times the size of your RAM or 4096 MB, whichever is less. It is also safe to let Windows manage the paging file for you.
  6. Click Set and then OK to set the paging file size.
  7. Click the Settings button under Startup and Recovery.
  8. Select “Small Memory Dump” under debugging information and click OK.

Microsoft offers tools to read and debug this memory dump file (Dumpchk.exe, WinDbg, and KD.exe), but other tools are available that are a lot easier to use. One of the tools I like to use is called Blue Screen View. This utility is lightweight and easy to use: you run it and it detects and debugs the memory dump files for you. The information in these dump files is really useful when troubleshooting this kind of error. Most of the time you will be able to find out which driver caused the problem; the next step would be to remove or update that driver. Sometimes the cause of the problem may not be clear even when looking at the contents of the minidump file. In these cases more tests will be required, but that is a conversation for another day. These simple steps should help you pinpoint the cause of the issue if it is caused by a bad or corrupt driver, as most stop errors are. When the errors are caused by a hardware malfunction, running a hardware diagnostic utility (Memtest to test the memory modules, for instance) will usually help you pinpoint the problem.
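As an added example (not from the original post, and not the code of Blue Screen View or any Microsoft tool), here is a small Python parser that pulls the headline facts such a tool shows, the bug check (stop) code and its four parameters, out of the header of a kernel crash dump. The field offsets follow the public DUMP_HEADER32/DUMP_HEADER64 layouts, the sample header is constructed for the demonstration, and user-mode crash dumps (which start with "MDMP" and use a different format) are rejected rather than parsed.

```python
import struct

# Names for a few common bug check (stop) codes, from the public
# Windows bug check reference; anything else is reported as UNKNOWN.
BUGCHECK_NAMES = {
    0x0000000A: "IRQL_NOT_LESS_OR_EQUAL",
    0x0000001E: "KMODE_EXCEPTION_NOT_HANDLED",
    0x00000050: "PAGE_FAULT_IN_NONPAGED_AREA",
    0x0000007B: "INACCESSIBLE_BOOT_DEVICE",
    0x0000007E: "SYSTEM_THREAD_EXCEPTION_NOT_HANDLED",
    0x000000D1: "DRIVER_IRQL_NOT_LESS_OR_EQUAL",
}

# Header layouts keyed by the ValidDump tag: (bug check code offset, parameter
# offset, struct format for the four parameters, header size, architecture).
_LAYOUTS = {
    b"DUMP": (0x28, 0x2C, "<4I", 0x1000, "x86"),   # DUMP_HEADER32
    b"DU64": (0x38, 0x40, "<4Q", 0x2000, "x64"),   # DUMP_HEADER64
}

def parse_dump_header(data: bytes) -> dict:
    """Extract the bug check code and its four parameters from the header of a
    kernel crash dump (the .dmp files written to the Minidump folder)."""
    if data[:4] != b"PAGE":
        # User-mode dumps start with "MDMP" and use a different format entirely.
        raise ValueError("not a Windows kernel dump (missing PAGE signature)")
    try:
        code_off, param_off, fmt, _size, arch = _LAYOUTS[data[4:8]]
    except KeyError:
        raise ValueError(f"unknown ValidDump tag {data[4:8]!r}") from None
    (code,) = struct.unpack_from("<I", data, code_off)
    params = struct.unpack_from(fmt, data, param_off)
    width = 8 if arch == "x86" else 16          # hex digits per parameter
    return {
        "arch": arch,
        "bugcheck_code": code,
        "bugcheck_name": BUGCHECK_NAMES.get(code, "UNKNOWN"),
        "parameters": [f"0x{p:0{width}X}" for p in params],
    }

def make_sample_dump(code: int, params, bits: int = 64) -> bytes:
    """Build a constructed header (not a real crash) so the parser runs offline."""
    tag = b"DU64" if bits == 64 else b"DUMP"
    code_off, param_off, fmt, size, _arch = _LAYOUTS[tag]
    hdr = bytearray(size)                       # real headers are zero-padded pages
    hdr[0:8] = b"PAGE" + tag
    struct.pack_into("<I", hdr, code_off, code)
    struct.pack_into(fmt, hdr, param_off, *params)
    return bytes(hdr)
```

To try it against a real file, pass the first 0x2000 bytes of a dump from the Minidump folder to parse_dump_header; the code and parameters it returns are the same values shown at the top of a BSOD and in WinDbg's !analyze output.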

You can get the Blue Screen View utility from the www.nirsoft.net website.

Mar 06

Blue Screen of Death after installing Microsoft update.

This past February, before I put this blog online, I had an issue with some of my customers’ computers. Some of my customers called me asking for help because their computers wouldn’t load. They said their computers kept rebooting. I know it’s been almost a month now, but I think this issue deserves a post in this blog.

After troubleshooting the issue, I traced the source of the problem to a Microsoft update, more specifically update KB977165/MS10-015. As soon as I removed this update the computer was able to load Windows perfectly fine.

This was odd, though. Other computers with the same update installed didn’t have this issue, which indicated that the problem was caused by something else, not the Microsoft update. I scanned the computer for viruses and found nothing. I re-installed the update and the computer entered the boot loop once again. After some more troubleshooting I traced the cause of the stop error to the file %System32\drivers\atapi.sys. There was a problem with this file. It had to be infected. I uploaded the file to virustotal.com, and the results came back clean in all but one of the scans. That one only said the file was probably infected with a rootkit, but it wouldn’t give me more information.

This made sense. Rootkits are designed to hide themselves or other malware from antivirus applications. This is probably why the anti-virus scan I ran didn’t catch anything.

I decided to take a different approach and took the hard drive out of the computer. I connected the hard drive to another computer and scanned it using an up-to-date anti-virus (Kaspersky). The scan found several items and cleaned them successfully. One of the infected files was atapi.sys. After this, I installed the update and the computer didn’t reboot again.

So there you have it. The problem was caused by an infection on the PC.

My suspicions were later confirmed by Microsoft. They apparently took some customers’ computers with them to check and found the source of the problem. They state on their security response blog that the problem was caused by the Alureon rootkit.

They state on their blog:

the presence of Alureon does not allow for a successful boot of the compromised system. The Windows Engineering team continued testing different configurations, as well as retesting several third party applications, leading to our firm conclusion that the blue screen issue is the result of the Alureon rootkit.

So there you have it. They later released a version of the update that does not install if it detects the system is in a state that will cause it to enter this reboot loop.

If you are a victim of this problem, make sure your computer is free from infection. Microsoft recommends re-installing your operating system if you cannot get rid of the infection.

I don’t think this is necessary. If you are in the Phoenix Arizona area and need assistance with this issue, you can contact us and we will gladly help you.