Allion Labs / Joseph Lin

The Blue Screen of Death, often abbreviated as BSOD, is an error screen displayed on a Windows computer when its operating system (OS) cannot recover from a critical system error. The BSOD indicates a system crash, meaning that the operating system has reached a condition where it cannot operate normally. Many problems can trigger a BSOD, for example, hardware failures, driver issues, or a crucial process terminating unexpectedly.

BSOD Error on Windows 10

Although the BSOD is a common error in Windows, it is difficult to identify its root cause from the message on the blue screen alone. However, if we select the “Complete memory dump” option under “Write debugging information,” Windows writes a complete memory dump when the BSOD occurs. With the help of that dump, we can find out why the device shut down and had to restart.

A complete memory dump can be obtained by changing the option to “Complete memory dump”.

Windows BSOD Memory Dump Analysis

After obtaining the memory dump files, we can analyze them to help identify the cause of BSOD by using Windows debuggers, such as WinDbg.

WinDbg is a multipurpose debugger for Microsoft Windows OS. Debugging is the process of finding and resolving errors in a system. WinDbg can be used to debug user mode applications, device drivers, and the OS itself in kernel mode.

WinDbg performing debugging tasks

Allion and leading PC manufacturers have been working closely over the past few years. Based on our rich experience of analyzing WinDbg BSOD memory dumps, we divide the possible BSOD errors into 4 groups:

  • Device driver issues
  • Application issues
  • Hardware device issues
  • Windows OS issues
Real-world BSOD Memory Dump Analysis

「Root Cause」: Windows was waiting for the Intel Wireless Bluetooth Driver to transition to the next power state. Based on the analysis, the device driver never made that transition, so the BSOD happened after the IRP was left pending.

「Detailed」: By checking the dump files, we confirmed that all of the BSODs were caused by the Intel Wireless Bluetooth Driver failing to transition to the next power state. In each case the BSOD happened after the IRP was left pending.

[IRP_MJ_POWER(16), IRP_MN_SET_POWER(2)] 0 e1 ffff8508e793ee10 00000000 00000000-00000000    pending

\Driver\ACPI

Args: 00000000 00000001 00000001 00000000

————————————————————————————————–

Windows was waiting for the device to transition to the next power state.

Based on the log above, the device did not transition to the next power state.

As a result, the BSOD happened after the IRP was left pending.

————————————————————————————————–

2: kd> !devstack ffff8508e6f2db90

!DevObj           !DrvObj            !DevExt           ObjectName

ffff8508e6f30d50  \Driver\BTHUSB   ffff8508e7991eb0

ffff8508e6f318d0  \Driver\ibtusb   ffff8508e71da310

ffff8508e793ee10  \Driver\ACPI     ffff8508d32e7010

> ffff8508e6f2db90  \Driver\USBHUB3  ffff8508e715e310  USBPDO-4

!DevNode ffff8508e79516b0 :

DeviceInst is “USB\VID_8087&PID_0026\5&c5fc33b&0&10”

ServiceName is “BTHUSB”

————————————————————————————————–

USB\VID_8087&PID_0026\5&c5fc33b&0&10

=>Intel Wireless Bluetooth Driver

————————————————————————————————–

REG_DWORD           UBR                           184

————————————————————————————————–

Windows 10 Pro 2004 (19041.388). The UBR value above is shown in hexadecimal: 0x184 = 388.

————————————————————————————————–

2: kd> lmvm UsbHub3

Browse full module list

start             end                 module name

fffff800`332d0000 fffff800`33373000   UsbHub3    (pdb symbols)          d:\symbol\usbhub3.pdb\FEB0212F8C4FD77DDEEBF0678FB00EA21\usbhub3.pdb

Loaded symbol image file: UsbHub3.sys

Image path: \SystemRoot\System32\drivers\UsbHub3.sys

Image name: UsbHub3.sys

Browse all global symbols  functions  data

Image was built with /Brepro flag.

Timestamp:        FDA30E83 (This is a reproducible build file hash, not a timestamp)

CheckSum:         000AC346

ImageSize:        000A3000

File version:     10.0.19041.264

Product version:  10.0.19041.264

————————————————————————————————–

UsbHub3.sys version is 10.0.19041.264.

This is the same version that is included in the latest MSFT QFE, 2020.08B.

————————————————————————————————–

2: kd> lmvm bthusb

Browse full module list

start             end                 module name

fffff800`38b70000 fffff800`38b91000   BTHUSB     (pdb symbols)          d:\symbol\bthusb.pdb\BE8B332932B8B19471111557BE5095DA1\bthusb.pdb

Loaded symbol image file: BTHUSB.sys

Image path: \SystemRoot\System32\drivers\BTHUSB.sys

Image name: BTHUSB.sys

Browse all global symbols  functions  data

Image was built with /Brepro flag.

Timestamp:        4B55908C (This is a reproducible build file hash, not a timestamp)

CheckSum:         000279B2

ImageSize:        00021000

Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4

Information from resource tables:

————————————————————————————————–

[Allion] The dump does not show the file version of BTHUSB.sys.

However, we can see that the Windows version on the BSOD machine is Windows 10 2004 (19041.388).

The latest version of BTHUSB.sys in MSFT QFE 2020.08B is 10.0.19041.423.

————————————————————————————————–

2: kd> !reg querykey \REGISTRY\MACHINE\SYSTEM\CONTROLSET001\SERVICES\ibtusb

Sorry <\REGISTRY\MACHINE\SYSTEM\CONTROLSET001\SERVICES\ibtusb> is not cached

=============================================================

Falling back to traversing the tree of nodes.

Hive         ffffe70f12c72000

KeyNode      ffffe70f176db5dc

[SubKeyAddr]         [SubKeyName]

ffffe70f176db8f4     Parameters

[SubKeyAddr]         [VolatileSubKeyName]

ffffe70f17efe664     Enum

Use ‘!reg keyinfo ffffe70f12c72000 <SubKeyAddr>’ to dump the subkey details

[ValueType]         [ValueName]                   [ValueData]

REG_DWORD           Type                          1

REG_DWORD           Start                         3

REG_DWORD           ErrorControl                  1

REG_DWORD           Tag                           a

REG_EXPAND_SZ       ImagePath                     \SystemRoot\System32\DriverStore\FileRepository\ibtusb.inf_amd64_b9506ba89bf1aa17\ibtusb.sys

REG_SZ              DisplayName                   @oem55.inf,%ibtusb.SVCDESC_IBT%;インテル(R) ワイヤレス Bluetooth(R)

REG_SZ              Group                         PNP Filter

REG_MULTI_SZ        Owners                        oem55.inf
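The correlation made in the analysis above, between the pending power IRP and the rows of the device stack, can be scripted when many dumps have to be triaged. The following Python is an added example, not Allion's tooling: the function names are hypothetical, the input is copied from the debugger output above with path separators restored, and the decoding of the `Args` line assumes the WDK layout of `Parameters.Power` for `IRP_MN_SET_POWER` (second argument is the power state type, third is the requested state).

```python
import re

# Excerpts of the debugger output shown above (path separators restored).
IRP_TEXT = r"""
[IRP_MJ_POWER(16), IRP_MN_SET_POWER(2)] 0 e1 ffff8508e793ee10 00000000 00000000-00000000    pending
\Driver\ACPI
Args: 00000000 00000001 00000001 00000000
"""
DEVSTACK_TEXT = r"""
  ffff8508e6f30d50  \Driver\BTHUSB   ffff8508e7991eb0
  ffff8508e6f318d0  \Driver\ibtusb   ffff8508e71da310
  ffff8508e793ee10  \Driver\ACPI     ffff8508d32e7010
> ffff8508e6f2db90  \Driver\USBHUB3  ffff8508e715e310  USBPDO-4
"""

# Assumed WDK enum values: POWER_STATE_TYPE, DEVICE_POWER_STATE, SYSTEM_POWER_STATE.
POWER_TYPE = {0: "SystemPowerState", 1: "DevicePowerState"}
DEVICE_STATE = {1: "D0", 2: "D1", 3: "D2", 4: "D3"}
SYSTEM_STATE = {1: "S0", 2: "S1", 3: "S2", 4: "S3", 5: "S4", 6: "S5"}

def parse_pending_power_irp(text):
    """Return the stack location that still holds a pending power IRP, or None."""
    loc = re.search(r"\[(IRP_MJ_POWER)\(\w+\), (IRP_MN_\w+)\(\w+\)\]\s+\w+\s+\w+\s+"
                    r"([0-9a-f]{16})\s.*pending", text)
    args = re.search(r"Args:\s+(\w+)\s+(\w+)\s+(\w+)\s+(\w+)", text)
    if not loc or not args:
        return None
    kind, state = int(args.group(2), 16), int(args.group(3), 16)
    states = DEVICE_STATE if kind == 1 else SYSTEM_STATE
    return {"minor": loc.group(2), "device": loc.group(3),
            "type": POWER_TYPE.get(kind, hex(kind)),
            "target": states.get(state, hex(state))}

def parse_devstack(text):
    """Rows of !devstack, top of the stack first: (device object, driver name)."""
    return re.findall(r"^>?\s*([0-9a-f]{16})\s+(\\Driver\\\S+)", text, re.M)

def triage(irp_text, devstack_text):
    """Match the pending IRP's device object to a stack row; list the drivers above it."""
    irp = parse_pending_power_irp(irp_text)
    stack = parse_devstack(devstack_text)
    idx = next((i for i, (dev, _) in enumerate(stack) if irp and dev == irp["device"]), None)
    if idx is None:
        return None  # no pending power IRP, or it belongs to a different stack
    return {**irp, "holder": stack[idx][1], "above": [drv for _, drv in stack[:idx]]}

if __name__ == "__main__":
    print(triage(IRP_TEXT, DEVSTACK_TEXT))
```

For this dump the result places the pending IRP at the `\Driver\ACPI` device object with `\Driver\BTHUSB` and `\Driver\ibtusb` layered above it, which are the two drivers the analysis goes on to inspect with `lmvm` and `!reg querykey`.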

「Recommendation」:

Replace the Intel Wireless Bluetooth driver, or report the issue to Intel.

Allion can help vendors identify causes of Windows BSOD. Also, we provide consulting and advisory services to resolve the problems. If you are interested in knowing more details about Allion’s BSOD analysis, please contact us at service@allion.com.