How to get more info out of the uninformative Windows 8 BSOD?

25

5

Windows 8's Blue Screen of Death is different from the previous Windows versions' one:

Windows 8 BSOD

In order to find out what caused the problem you need to write down or remember the search term it presents you with. The two search terms I have seen suggested so far are
SYSTEM_SERVICE_EXCEPTION and HAL_INITIALIZATION_FAILED.

While it’s nice not to have to look at a blue screen full of text, the previous BSOD was more informative than the Windows 8 BSOD, since it contained a detailed error code (information for diagnostic purposes that was collected as the operating system performed a bug check), which could get you closer to tracking down the root of the problem.

How can I get more information about the error Windows 8 has encountered, in order to track down the root of the problem?

amiregelz

Posted 2012-10-24T21:33:12.697

Reputation: 6 965

1On previous versions of windows, the event was logged in the "system" category. HAL_INITIALIZATION_FAILED is an alias (a named constant) to the error code. The old BSOD gave the constant and its value, but they are the same thing. – horatio – 2012-10-24T21:37:14.640

BSOD will make a dump file on the hard drive, either on the root of C: or in C:\Windows\minidump, then see this page to analyse the dump file...http://support.microsoft.com/kb/315263

– Moab – 2012-10-24T21:37:21.867

Check for C:\Windows\MEMORY.DMP or the latest file in C:\Windows\Minidumps\; if its the former see whether it's viable to upload it in a zip / rar / 7z file, if its the latter you can just upload it as it will be pretty small. We're happy to take a look for you... – Tamara Wijsman – 2012-10-24T22:40:55.823

Answers

10

Ignoring the typical BSOD name, these are more formally referred to a as Bug Checks. In order to look up what a certain BSOD code actually means you can look it up in Bug Check Code Reference.

Bug Check 0x3B: SYSTEM_SERVICE_EXCEPTION and 0x5C: HAL_INITIALIZATION_FAILED sound familiar to you, you can read them there but I will detail things that might seem unclear to someone who doesn't do debugging or low-level driver programming.

SYSTEM_SERVICE_EXCEPTION

The description on the page is:

This indicates that an exception happened while executing a routine that transitions from non-privileged code to privileged code.

This happens when some code on your system attempts to execute other code that is of a higher privelege, when this happens without elevation of privileges it means that the non-privileged code would breach security. This is often what a malfunctioning driver does, but could also be a rootkit under the form of a driver that bumps into some form of protection.

That doesn't mean we should exclude other possible errors like memory corruption, which could be seen by investigating the crash dump to see whether the behavior points down to a driver or is more random. Even if the crash dump were random it wouldn't necessary point down to bad memory, but could again be the result of a driver corrupting the memory. Doing a memory test is therefore handy to check whether there is bad memory to get a more clear idea if we're down this road.

HAL_INITIALIZATION_FAILED

The description on the page is:

This indicates that the HAL initialization failed.

Yeah, that's all she said. Studying what the HAL is would be the logical next step to understand what's going on here, in short this part from the "In Operating Systems" section helps:

A hardware abstraction layer (HAL) is an abstraction layer, implemented in software, between the physical hardware of a computer and the software that runs on that computer. Its function is to hide differences in hardware from most of the operating system kernel, so that most of the kernel-mode code does not need to be changed to run on systems with different hardware.

On a PC, HAL can basically be considered to be the driver for the motherboard and allows instructions from higher level computer languages to communicate with lower level components, such as directly with hardware.

Yeah, it's still pretty long. But it points down some more interesting possible causes: Malfunctioning hardware, abstraction code, motherboard / chipset drivers or other drivers. Walking through these possible causes backwards allows us to see level-by-level where the problem might lie; and for this, we once again need to inspect the crash dump.

Inspecting a crash dump?!

As pointed out in the comments, you can visit this URL for some basic instructions although I'd suggest to upload the dump if possible so we can check it for you. I usually use WinDBG from the Debugging Tool for Windows to do this. Alternatively you can use the online Instant Online Crash Dump Analyzer from OSR Online, although that doesn't let you inspect things further than the generic analysis of the crash dump. So, once you have obtained the crash dump, let us know...

Tamara Wijsman

Posted 2012-10-24T21:33:12.697

Reputation: 54 163

6

You can see the same information that was on the old Blue Screen in the Event Viewer. System log, Event-id 1001

http://msdn.microsoft.com/en-us/library/ff559069(v=vs.85).aspx

David Marshall

Posted 2012-10-24T21:33:12.697

Reputation: 6 698

1

You can also get rid of the new message :-( blue screen and restore the old bug check screen like XP and W7 has.

First be sure KB2929742 is already installed.

Then open the registry editor in Windows and edit this key

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\CrashControl

Make a new Dword "DisplayParameters" and set it to 1.

Set "AutoReboot" to 0

Restart the PC for changes to take effect. Next time is BSOD's it will display more information on the blue screen and stay on the bsod screen until you force a shutdown.

Moab

Posted 2012-10-24T21:33:12.697

Reputation: 54 203