Is there a utility that can help me troubleshoot crash issues?

Ray November 11, 2011

My computer and my friend’s computer are having crash issues. Is there a system utility that you can run and use to take snapshots of what is going on? My computer is Windows 7, and I do use Perfmon and Sysmon for it, but I don’t know what to use for XP. And even for Windows 7, I’m not provided with information (like hardware interrupts) that I’d like to have handy.

    November 20, 2011 at 8:36 pm

    Hello, I have the same card you have in a crossfire configuration.  Is your overdrive turned on in catalyst manager?  Is that how you are getting your temperatures?  In that system, temperatures never pass 28 degrees and the fan never passes from running at 40%.  Do you still have warranty on the card?  If you do, you could try returning it.  Did you try running your computer with the incorporated card for long?  I would give it a shot for a few days to check if it does the same.  If for some reason it does the same with the incorporated card, I am afraid you will have to start checking your motherboard.  The only way to do it by yourself though is by changing the motherboard with a known motherboard that works.

    • Ray
      November 22, 2011 at 12:52 am

      Answering your Questions:  

      Overdrive is not turned on.
      Warranty is long gone.
      If the ATI is out, this does not happen. (ie not mother board)
      When it does happen it only happens once.  Then computer automatically restarts and will run for days.

  2. Ray
    November 20, 2011 at 7:23 pm

    I checked it before the crash, and just now.  It says it is at 46c.  I did quite a bit of reading on this subject, and people run at much higher temps.

    Is 46 out of line?  

    • Jeff
      November 20, 2011 at 7:31 pm

      No, 46 degrees Celsius (114 degrees Fahrenheit) is not excessive. However, if you just booted, this temperature is likely to get higher. Keep checking, perhaps you can monitor the temperature just before the crash.

      In your device manager, are any drivers listed as corrupt or faulty? As a last ditch effort, see if your system performs nominally in a Linux environment.

      • Ray
        November 20, 2011 at 8:00 pm

        I am going to keep using it.  Since I have been out of work so long, I do not have ability to get new card.

        I will just restart 30-60 minutes after power up.   That avoids the issue (I don't know why).

        My system disk contains nominal data beyond windows and program files, so restoring if there ever is a loss of disk info will not be hard.

        The performance difference is significant even just viewing 1080 videos, so I am going to try to keep it going as long as I can.

        If I find anything that works, I will post...

        Thanks again...

  3. Ray
    November 20, 2011 at 7:11 pm

    So here I am again.   Friday I put the video card back in after installing an update to the driver.
    No crashes Friday or Saturday

    I felt it starting this morning after being on for several hours.   Turned on PSR, checked heat levels which were all in low range of what's normal.

    After 10 minutes BSOD'd.  Nothing left from PSR.  Did get this information from WhoCrashed.

    I am quite sure it's the video card, but have no idea what to do to resolve it.

    On Sun 11/20/2011 6:44:04 PM GMT your computer crashed
    crash dump file: C:\Windows\Minidump\112011-26254-01.dmp
    This was probably caused by the following module: ntoskrnl.exe (nt+0x7CC40)
    Bugcheck code: 0x124 (0x0, 0xFFFFFA8007150038, 0xF2000040, 0x800)
    Error: WHEA_UNCORRECTABLE_ERROR
    file path: C:\Windows\system32\ntoskrnl.exe
    product: Microsoft® Windows® Operating System
    company: Microsoft Corporation
    description: NT Kernel & System
    Bug check description: This bug check indicates that a fatal hardware error has occurred. This bug check uses the error data that is provided by the Windows Hardware Error Architecture (WHEA). This is likely to be caused by a hardware problem problem. This problem might be caused by a thermal issue.
    The crash took place in the Windows kernel. Possibly this problem is caused by another driver which cannot be identified at this time.

    • Jeff
      November 20, 2011 at 7:15 pm

      Hi Ray,

      If your video card is the problem, consider replacing it. As of now, I would say that the video card is overheating, or at least that's what all of the logs indicate.

      - Jeff

  4. Ray
    November 19, 2011 at 1:01 am

    I wonder if my other comment will show up:

    Anyways, this point was made earlier "Rootkits modify your operating system's kernel and most frequently patch I/O calls and callbacks.".   

    One of the Microsoft tools actually verifies the checksums for all software to be loaded at boottime.   I would have thought that was a pretty good indicator that nothing had changed in them.   

    I really don't think I have any bad influences floating in my computer, but it was disconcerting to think what many others indicate as thorough is not complete answer.

    Might be nice just to start another question to pursue this... (before it is too late)

    • Jeff
      November 19, 2011 at 1:26 am

      Hi Ray,

      I'd be interested in seeing such a tool, however if it's verifying the checksums of the software, that probably doesn't include the kernel. Even if it did, the Windows kernel is loaded into memory and getting a checksum of a memory address is unreliable.

      • Ray
        November 19, 2011 at 1:57 am

        But the file (or files) that are loaded "in the kernel" can be checked, or are they invisible or otherwise forbidden fruit.  

        I had thought many things get loaded into the kernel, that all of them come from files.  

        FYI I did get more info with an updated WhoCrashed indicating the error was in hal.dll hardware abstraction layer.  From what I have read this runs in the Kernel...

        Anyways, assuming my prior status update did not show up.

        I checked again and there was a new driver for my card as of November 15th. I have downloaded installed and am running on it.   Very happily surprised to find the new driver increased performance from 6.9 to 7.5.   

        Now I can type as fast as I want... (joking here)

        • Jeff
          November 19, 2011 at 2:01 am

          That's good to hear, Ray! I assume you pinpointed it down to the graphics card?

  5. Ray
    November 18, 2011 at 7:18 pm

    Hello again.   Yesterday after backing everything up, and shortly after getting the 4th BSOD of the week (1 per day), I turned machine off for 8 hours.

    Pulled the Graphics card and rebooted.     No BSOD

    This morning No BSOD.

    I think that points directly to graphics...   Nasty for me, my graphics performance went from 6.9 to 3.5.    oh well... 

    • Richard Carpenter
      November 18, 2011 at 9:22 pm

      That boils it down pretty good, the driver or the card itself... Hopefully the driver :-)

  6. Ray
    November 17, 2011 at 6:17 am

    Very interesting discussion.  Glad it did not get political.  I am unemployed and have no funding available, are any of the tools mentioned free and trustworthy....

    • Jeff
      November 17, 2011 at 7:40 am

      Ray, see my previous post. 

      Rootkit Revealer, Root Repeal, Sophos Anti-Rootkit or GMER

      • Ray
        November 17, 2011 at 3:28 pm

        I have to let my frustration be tempered with a couple days not thinking about it.   I will post results for sure...

        Thank you for your help.   

        FYI I constantly badger my daughter about her Apple Laptop.   Never seen her have any of these issues.  I know I can do more on MS Windows, but I understand her love...

        • Richard Carpenter
          November 17, 2011 at 9:21 pm

          Again want to apologize for the previous comment.

          Apple is actually very vulnerable to attacks, just does not have a big enough market share. They did get hit pretty hard a few months ago. That said, I still use them and have several, go figure.

          This kind of troubleshooting can be hard to do, always makes me mad when it turns out to be something simple and have spent days or weeks troubleshooting.

          Hopefully between all of us, we can help you get it figured out. Definitively keep us posted :-) 

  7. Ray
    November 16, 2011 at 8:14 pm

    Thanks for all the comments.   Lots of stuff in them to try.   So tired of it all, if you can understand that.    Step by step I will work thru it.   I always have multiple level backups ..

    I am going to do the klite first because that had been updated in the interim...Simple question:  Won't things like Malwarebytes, Microsoft Security Scanner and the Microsoft Malicious Software Removal tool catch RootKits?   Or are they beyond ....

    • Jeff
      November 16, 2011 at 8:57 pm

      Hi Ray,

      Your traditional anti-virus/anti-spyware won't detect rootkits as they typically run at the "application level", rootkits run much lower. Rootkits modify your operating system's kernel and most frequently patch I/O calls and callbacks. The problem with anti-viruses is that they clean your system with the false pretence that you can trust the operating system. A rootkit effectively compromises your system and tells it to lie about what is actually going on.

      As a programmer, I'm sure you're aware of the dangers of the operating system returning false information. Most of the .net libraries RELY on that information. If you query the operating system for which processes are running, you're most likely to use the System.Diagnostics.Process namespace. So essentially, you're asking the attacker to keep you updated. Obviously, it's not in the attacker's best interest to return honest results. So in order to detect the rootkits, we programmers must dig a lot deeper and write our own libraries that don't rely on an altruistic operating system.

      In fact, if you find that you are infected by a rootkit, the only method I recommend to remove it is to do a full reinstall. The tools are there to simply let you know it's there. The logic behind rootkits is convoluted, but very interesting. If you're unlucky enough to have been infected by a rootkit: kneel down and kiss your ass goodbye, because you won't even know it's there ;)

      Sorry for the long reply!
      - Jeff

      • Richard Carpenter
        November 16, 2011 at 9:12 pm

        9 times out of 10 a rootkit can be removed by scanning in safe mode. I usually run CCleaner then a removal tool in safe mode, till all malware is gone. An old IT Guru showed me the way he does it, and it ain't failed me yet :-) If you have ANYTHING sensitive on the computer, then you would not want to take the chance either, like Jeff has said. There are a few rootkit detectors, but most kick back false alarms all day, almost too aggravating to mess with.

        • Jeff
          November 16, 2011 at 9:29 pm

          I think 9 out of 10 is extremely high, I would set the odds at something more like 2-3 out of 10. I encourage you to build a rootkit and install it on a virtual machine, then see how difficult it is to remove ;) The only way it would be 9 of 10, is if it were written by a bunch of skid monkeys using VB implementing public libraries or using prehistoric sources. :)

          However, even if that statistic were true, recognizing the infection is the hardest part. After all, anyone can reinstall...Understand that the need to do so is what aids the success rate of rootkits.

        • Richard Carpenter
          November 16, 2011 at 11:49 pm

          The stat I used comes from experience and certification. I have looked at source code for common modern rootkits and various Malware, even tweaked with them for forensics reason. I have installed rootkits on test machines and VMs for research purposes. A rootkit was once a major boogeyman, but is no longer the major scare it once was, like the early 2000s. A rootkit is a program just like anything else. The reason I mentioned safe mode is because only a small portion of the OS is loaded and makes it easier for the removal tool to remove them.

          Virus removal is what I do on the side, not to mention my full time job is IT. If I could not detect and remove a rootkit I would not be worth a grain of salt. People pay me because I can diagnose the problem, whether it is a virus etc. etc.

          ReInstall is not a magic answer, and can be major waste of time.

          I do not mean to get defensive, but putting in a public forum that I inflated a stat, only experimented with outdated and useless malware, and last but not least do understand the process involved is rather insulting.

        • Jeff
          November 17, 2011 at 12:52 am

          I did not mean to be "that guy". I questioned the statistic, not your experience or intellect (: Of course if you're scrutinizing the rootkit in a controlled environment, using various RE techniques you'll be able to patch it. A rootkit could remain a zero day for years, ya? Until a formal signature has been established for it, rootkit removers simply won't help (unless you have an extremely intelligent heuristics engine). And let's face it, the majority of users don't know what behaviour is considered "abnormal" when analysing network calls, file I/O and logs (or lack thereof) for a rootkit.

          I don't typically see rootkits getting detected, unless the author did something stupid like installing a pseudo-driver or queried another [protected] node on the network. The ones that are detected, are most likely a direct result of the developer sharing the source or stub on an underground network or otherwise attacked a high level firm, where the source of the attack is critical.

          Then you must worry about patching the vulnerability that allowed the rootkit's entrance and any others that it created, doubling down on surveillance, cleanup from any by-product infections, such as trojan downloaders. To me, it seems significantly more secure and logical to backup your non-executable files and wipe it down. Very rarely do I think that a reinstall is the best answer, here I do.

          All this discussion and Ray may not even have a rootkit, hehe. If you want to continue this discussion, email me at electricnetworks[at]gmail[dot]com

        • Richard Carpenter
          November 17, 2011 at 9:11 pm

          I flew off the wagon with my previous comment, so no need to finish the discussion elsewhere. I am a "Security" guy and almost live and breathe the stuff. My opinion has not changed, but I could have presented it better. That said, you made valid argument to it. I have had great luck removing rootkits, and my technique is sound, but that does not mean I have removed every malware that has come my way by any means.

          Sorry to Ray and everyone else, that is not what this forum is for. 

    November 16, 2011 at 6:00 am

    Hello, one of the reasons this error could happen is overheating.  Disconnect cpu cooler and remove the cpu.  Reset the cpu in socket.  Apply new thermal paste.  Recommend to use Arctic Silver 5.  Make sure that all connections are set properly inside case and free of dust.  Also recommend to do the following after:

    -- install updates and device drivers for your computer from Windows Update
    -- full scan with antivirus
    -- check harddrive for errors

    Is your graphics card overclocked?  If it is, make sure to set it back to defaults.  Also to make sure your hardware is ok, try stress testing it.  You could use the following:

    For testing temperature, use the following:

    For GPU, you can use the following:

  9. Ray
    November 16, 2011 at 12:49 am

    When I happen to be on the computer, it just gets very jerky in its actions.  When you move the cursor it is not smooth, it sort of takes lots of tiny steps.  Moving a window same only steps seem bigger.  Task manager and perfmon show no indication of this symptom.

    Once it crashes once it will run for days with no issues.   

    I don't think it has to do with any software.

    I have gone so far as restarting once after 15 minutes in which case the issue does not arise. 

    I actually could think it has to do with warming up of Graphics card, but I have no way to check that.

    As information it is a Radeon HD5770 with 1024mb memory.  The Driver version is 8.850 and was installed around 4-19-2011 when it was released.  GPU is running at core temp right now (after 8 hours online) of 116F (this seems like it might be high)  It says the CPU is running at 93F (min=91F,max=100F).  It is important to note I have not been doing anything on that system today.  It has been on with the thought I would be using it, but I have been distracted all day.  

    I am on a different computer at the moment..  I might just take out the GPU and see what happens.  I am leery because being unemployed if anything goes wrong I am SOL...  U know that old law by Mr Murphy always haunts us....

    I have done this before but here is information I can get to...

    It did crash after about an hour, but restarted, 
    Who Crash reports:
        On Tue 11/15/2011 6:28:28 PM your computer crashed
        This was likely caused by the following module: hardware
        Bugcheck code: 0x124 (0x0, 0xFFFFFA8007195038, 0xB2000040, 0x800)
        Dump file: C:\Windows\Minidump\111511-33259-01.dmp
    AppCrash View Reports

        DynamicSig[1].Name=OS Version
        DynamicSig[2].Name=Locale ID
        UI[3]=Windows has recovered from an unexpected shutdown
        UI[4]=Windows can check online for a solution to the problem.
        UI[5]=&Check for solution
        UI[6]=&Check later
        UI[8]=Windows has recovered from an unexpected shutdown
        UI[9]=A problem caused Windows to stop working correctly.  Windows will notify you         if a solution is available.
        Sec[5].Key=OS Version
        Sec[6].Key=Service Pack
    State[2].Value=CHKSUM=5855F179CFEA1893919100F567FAC80F;BID=OCATAG;ID=1eb41b07-39a3-4b74-99cb-5d5cccf55f9c;SUB=11//15//2011 10:50:18 AM
        FriendlyEventName=Shut down unexpectedly

    • Jeff
      November 16, 2011 at 2:36 am

      Hi Ray,

      After sorting through your log I believe there may be two issues rendering your system unusable. First is either your Intel processor or your graphics card, second is a system fault (looks like a service pack, though it could really be anything dealing with Windows). You should backup your data while you still can, just in case. Though, worst case scenario is you just use your hard drive on another system and backup your data there (assuming your hard drive isn't on the verge of death).

      The most important part of this log is your stop error. 0x124 is definitely indicative of a hardware fault, but its specific cause of the stop is still unknown. Research on this error suggests that it's most likely caused by overclocking for extended periods of time or poor cooling. I suggest you open up your computer (after grounding yourself) and clean out any dust, especially by your fans. 

      Check for driver updates using Slim Drivers, Ma-config or Device Doctor for all drivers for which updates are available on (do a backup first!). You may have to use this software in normal mode, so do it very quickly. If any Windows Updates are available, please install them as well.

      Next, restart to make sure you get those drivers & updates installed before the next inevitable crash. Once your PC loads up again, run the SFC /SCANNOW command to check your system's file integrity. If any issues are found, you'll need your installation disk to repair the file. 

      If the crashes persist, reboot into Safe Mode and leave it running. Does it still crash? Based on these results, we can eliminate a few things. If it does, put a fan (yes, you read it correctly - an actual box fan) facing the natural airflow direction in the computer to help cooling. It sounds primitive but this helped on my last POS computer. Though this method is too elementary to be considered a primary solution, it will certainly perpetuate the up-time to help you resolve other issues and perform analysis (prolonging its death :) Try this also in normal mode. If you find that this fixes it, you can bet it's a cooling issue, in which case reply back and we'll set our sights on fixing that.

      Lastly, most modern BIOS's ship with a utility to perform hardware diagnostics. When you reboot, at your BIOS splash screen see if there is a hotkey to launch into this utility. It may also be located inside your BIOS settings, under "boot order/priority" you may need to choose the utility.

      Keep us updated!
      - Jeff
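Added example, not part of the original thread and not any poster's code: a decoder for the four 0x124 parameters that WhoCrashed printed for the three crashes in this thread. It assumes Microsoft's documented meaning of the parameters when the first one is 0x0 (machine check exception, address of the WHEA error record, high and low 32 bits of the MCi_STATUS register) and the Intel MCi_STATUS layout; the function names are illustrative.

```python
import re

# Flag bits of the 64-bit IA32_MCi_STATUS register (Intel layout is an assumption).
STATUS_FLAGS = [(63, "VAL"), (62, "OVER"), (61, "UC"), (60, "EN"),
                (59, "MISCV"), (58, "ADDRV"), (57, "PCC")]

# Fields of a bus/interconnect compound error code: 000F 1PPT RRRR IILL
PP = ["SRC", "RES", "OBS", "GEN"]      # role of this processor in the transaction
RRRR = ["ERR", "RD", "WR", "DRD", "DWR", "IRD", "PREFETCH", "EVICT", "SNOOP"]
II = ["M", "RESERVED", "IO", "OTHER"]  # memory, I/O or other transaction
LL = ["L0", "L1", "L2", "LG"]          # level at which the error was seen

BUGCHECK = re.compile(r"Bugcheck code:\s*0x124\s*\(([^)]*)\)", re.I)

# The three WhoCrashed bugcheck lines quoted in this thread, oldest first.
THREAD_REPORTS = """
On Wed 11/9/2011 6:01:02 PM your computer crashed
Bugcheck code: 0x124 (0x0,
0xFFFFFA80071FF038, 0xF2000040, 0x800)
On Tue 11/15/2011 6:28:28 PM your computer crashed
Bugcheck code: 0x124 (0x0, 0xFFFFFA8007195038, 0xB2000040, 0x800)
On Sun 11/20/2011 6:44:04 PM GMT your computer crashed
Bugcheck code: 0x124 (0x0, 0xFFFFFA8007150038, 0xF2000040, 0x800)
"""


def classify(code):
    """Return (family, mnemonic) for a 16-bit MCA error code."""
    code &= 0xEFFF                     # bit 12 is a filtering flag, not part of the code
    if code & 0x0800:                  # bus and interconnect errors
        r = (code >> 4) & 0xF
        req = RRRR[r] if r < len(RRRR) else "RSVD"
        timeout = "TIMEOUT" if code & 0x0100 else "NOTIMEOUT"
        name = "BUS%s_%s_%s_%s_%s" % (LL[code & 3], PP[(code >> 9) & 3],
                                      req, II[(code >> 2) & 3], timeout)
        return "bus/interconnect", name
    if code & 0x0400:
        return "internal", None
    if (code & 0xFF00) == 0x0100:
        return "cache hierarchy", None
    if (code & 0xFF80) == 0x0080:
        return "memory controller", None
    if (code & 0xFFF0) == 0x0010:
        return "TLB", None
    if (code & 0xFFFC) == 0x000C:
        return "generic cache hierarchy", None
    return "simple/other", None


def decode_0x124(p1, p2, p3, p4):
    """Decode one set of bug check 0x124 parameters."""
    if p1 != 0:                        # only the machine-check case is decoded here
        return {"source": "not a machine check (parameter 1 = %#x)" % p1}
    status = (p3 << 32) | p4           # rebuild the 64-bit MCi_STATUS value
    family, mnemonic = classify(status & 0xFFFF)
    return {
        "source": "machine check exception",
        "error_record": p2,
        "status": status,
        "flags": [name for bit, name in STATUS_FLAGS if (status >> bit) & 1],
        "mca_code": status & 0xFFFF,
        "model_specific_code": (status >> 16) & 0xFFFF,
        "family": family,
        "mnemonic": mnemonic,
    }


def decode_report(text):
    """Find every 0x124 bugcheck line in WhoCrashed-style text and decode it."""
    results = []
    for match in BUGCHECK.finditer(text):
        params = [int(p.strip(), 16) for p in match.group(1).split(",")]
        if len(params) == 4:
            results.append(decode_0x124(*params))
    return results


if __name__ == "__main__":
    for r in decode_report(THREAD_REPORTS):
        print("%#018x %s %s %s" % (r["status"], r["flags"], r["family"], r["mnemonic"]))
```

All three crashes decode to the same uncorrected bus/interconnect error class with processor context corrupt, which says the fault repeats in the same part of the hardware path but does not by itself name the failing device.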

      • Richard Carpenter
        November 16, 2011 at 4:04 am

        Also if none of what Jeff says does not ease anything, which he has covered just about everything, I would try running without the GPU and going with your integrated onboard for awhile.

        Also, have you tried to overclock that GPU or anything else, I have seen similar on a few gamers PCs. 

    • Jay
      November 16, 2011 at 2:57 am

      such cursor movement was on my pc also, but task manager did show 100% memory usage. and the responsible task was using the explorer.exe.
      termination of the process could set everything to normal.
      I fixed the problem by re-installing the k lite package which was causing this when I open a folder of videos or videos.

      anything similar in your case ?

      • Jeff
        November 16, 2011 at 4:24 am

        The skipping cursor suggests Windows is unable to process messages in the queue, therefore implying that yes - the system is probably processing some resource intensive instructions. 

        It's possible that a rootkit is installed and his computer is a slave, which would explain why Task Manager is not registering the activity. To scan for such activity, use Rootkit Revealer, Root Repeal, Sophos Anti-Rootkit or GMER. Please also post a HiJack This log to Pastebin, then reply with the link.

        • Jay
          November 16, 2011 at 5:09 am

          hey, i just shared my experience , if it can help @c832165898bd1592ebef28a50c45de8e:disqus , if he is in the same situation, I don't have such problem right now, I updated the codec and got rid of it months ago. :)

          so Ray also can find if there is something responsible and get rid of it, it is possible that his friend also uses the same thing which is causing such cursor movement.

          but what you said in your comment can help him, so thank you for that !

  10. Ray
    November 15, 2011 at 11:21 pm

    All I have to do is start the computer after approx 1 hour it happens, even if I have done nothing....

    I have analysed it before in great detail, taking hours of reading and checking.   I am sure it has to do with my Graphics Card.   

    Then again I am not sure...

    oh well...   I am very leery of all the driver verification software advertised out there.  Years ago, tried one and wish I had not.   If it does not come from Trusted Site or Microsoft, I really won't do it.

    I run task manager and performance monitor when the cursor starts being nasty (indicating it's about to happen).   Nothing shows.

    I am not a novice, I am not the Most expert (some people think I am but I know enough to know how much I don't know).    But I can do what needs to be done and thought the question was worth asking.  

    If there is no answer, I understand...

    I am a Microsoft Visual Studio programmer, I wonder where I could get the info to force a Full crash dump (without the crash) and implement analysis (all with a button click)...

    That could be a help...

    Does that make any sense?

    • Richard Carpenter
      November 15, 2011 at 11:48 pm

      A crash dump will not help much if the general cause is unknown. This will lead nowhere quickly and waste a lot of time. I have had to do some of this troubleshooting Unix, in my opinion it is more aggravating than it is worth, but that is just my opinion.

      If it starts to freeze up after an hour and it steadily keeps doing so it sounds like it could possibly be overheating. How old is the machine and is it dust free?

      Also a program in the background could be starting up, causing the problem. 

      There is always an answer, just may drive you crazy trying to figure it out...

  11. Richard Carpenter
    November 12, 2011 at 5:52 pm

    There is not one magic program that will give all the information, Computers are just more complex than that. You have to take several pieces and put them together to get a clear and correct idea of what is happening.

    What are you doing before it is crashing? Running a certain program? The Process and Performance tabs under the Task Manager will work if you feel the computer slowing down and have time to pull them up. Ctrl+Shift+Esc is the quickest way to pull it up, especially in Win 7

    I have two more pieces of advice to start with:

    Remove ALL programs out of the MSConfig startup tab, restart and see if anything changes. Then go back and re-enable just one Antivirus program, nothing else. This also has the added bonus of speeding up your startup times

    Also if you think it is the video card, download and install the latest driver. That will tell you really fast if it is that driver and/or card. If you think the problem may be hardware related, try using a site called MAConfig to update all out of date drivers.

  12. Anonymous
    November 12, 2011 at 9:08 am

    if you give more details, about the software installed in your pc, now if you are using softs like sandboxie, returnil....they can interfere with your antivirus update sessions and they can cause crashes. Now if you have more than one firewall or antivirus, also they can cause crashes.

    November 12, 2011 at 8:16 am

    Hello, you could try the Problems Step recorder tool included with windows 7.  To access it, do the following:

    -- click on start
    -- type the following in search bar

    -- click enter
    -- a small box will open
    -- click on down arrow on the right beside
    -- click on settings
    -- setup folder for capturing
    -- click on start record.  You can stop it at any time.  Try to recreate your problem or just record until it happens. 

  14. Ray
    November 12, 2011 at 6:49 am

    I have who crashed and it provides nothing on Hardware related issues.  It says: 
    On Wed 11/9/2011 6:01:02 PM your computer crashed
    This was likely caused by the following module: hardware
    Bugcheck code: 0x124 (0x0, 0xFFFFFA80071FF038, 0xF2000040, 0x800)
    Error: WHEA_UNCORRECTABLE_ERROR
    Dump file:

    I have been around and around on this.  It has something to do with the Video Card.  

    Here's the point we know it's about to happen, you can feel the system slow down...

    There must be something that could run to get complete picture...  I will check the other  alternatives...  

    Trying to catch it before the crash....

    November 12, 2011 at 5:25 am
  16. Jay
    November 12, 2011 at 3:09 am

    you can use soluto, which helps you find the reasons of crash.
    click :

    (credit goes to fellow members of this site, I didn't know that soluto existed, nor did it work well for me, but you can still try it.)

  17. Jeff Fabish
    November 12, 2011 at 12:16 am

    Hi Ray,

    Yes. Windows Event Viewer is probably the best tool you're going to find. However, if you're looking for a more user friendly application, my favourite of which is WhoCrashed, which is simple to use and free. It provides detailed information about the crash, what event/driver/application initiated the error, how to fix it, etc. 

    - Jeff
