Getting last BSOD info

Mauro_Leggieri Member Posts: 107
edited February 17 in NTDEV

Hi community!

Is it possible, from a driver, to get details about the last raised BSOD?

Although one can fill the code with try/catch blocks, there are some types of crashes that cannot be trapped. As a last resort, I would like to skip driver loading if my driver is causing the crashes.

Regards,
Mauro.

Comments

  • Peter_Viscarola_(OSR) Administrator Posts: 8,013

    If you’re concerned about your driver rendering the system unstable, the “typical” thing to do is not load in Safe Mode.

    Peter

    Peter Viscarola
    OSR
    @OSRDrivers

  • Mauro_Leggieri Member Posts: 107

    Hi Peter, yes it does not load in safe mode.

    My intention is the following: Let's assume you install your product in some medium-large company and it fails for any reason. Manual recovery of each computer can be tedious (mainly in a distributed environment), so if the driver can disable itself so the computers boot, we would be able to, e.g., remotely access them and apply a fix.

    I know the info is usually stored in event log but I didn't know how to read it from kernel. If it is on another place, no idea.

    Regards,
    Mauro.

  • Peter_Viscarola_(OSR) Administrator Posts: 8,013

    Yeah... I don’t know any way to do this.

    It doesn’t even strike me as a reasonable thing to do. It’s hard enough to figure out why the system crashed from WinDbg... never mind at startup time, in kernel mode. As you know: It’s not always the driver that crashed that’s responsible for the crash. Suppose you pool scribble, for example? So even if you can figure out the crashing driver, it’s not 100% guaranteed.

    And.., doesn’t Windows already do something like this automatically?

    Peter

    Peter Viscarola
    OSR
    @OSRDrivers

  • Mauro_Leggieri Member Posts: 107

    > It doesn’t even strike me as a reasonable thing to do. It’s hard enough to figure out why the system crashed from WinDbg... never mind at startup time, in kernel mode. As you know: It’s not always the driver that crashed that’s responsible for the crash. Suppose you pool scribble, for example? So even if you can figure out the crashing driver, it’s not 100% guaranteed.

    Sure, but if the customer sees yourdriver.sys caused the BSOD, it complains no matter if it is really your fault. And if the customer sees symantec.sys or microsoft.sys driver caused the BSOD, it complains to you because you are the little and new company.

    > And.., doesn’t Windows already do something like this automatically?

    I thought that, but no. Even if you try asking the user to boot with last known good configuration (although it does not always work), customers say "come here and fix it yourself".

    Shitty customers of course.

  • Peter_Viscarola_(OSR) Administrator Posts: 8,013

    > And if customer sees symantec.sys or microsoft.sys driver caused BSOD, it complains to you because you are the little and new company.

    Yeah, I get it.

    Because this intrigued me, I spent some time this afternoon trying to figure out how to do this. And I came to the conclusion that it's just not possible. SURE, you could write a service that analyzes the dump file on reboot, and then tells the driver if it was the likely cause of the crash. But that's going to be (probably) minutes after the system starts and hence your driver is already loaded.

    I can't figure out any legit way to do this during the crash itself or after the fact.

    Sorry...

    Peter

    Peter Viscarola
    OSR
    @OSRDrivers
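The event-log side of the after-reboot check discussed above, as an added example that is not part of the original thread. The function names are hypothetical, the sample message is constructed, and the parser assumes the English text of event 1001 from the `Microsoft-Windows-WER-SystemErrorReporting` provider:

```powershell
# Added example: read the most recent bugcheck record from the System log.
# Assumption: English message text of the form
#   "... The bugcheck was: 0x... (p1, p2, p3, p4). A dump was saved in: <path>. Report Id: ..."

function ConvertFrom-BugcheckMessage {
    param([Parameter(Mandatory)][string]$Message)

    $pattern = 'bugcheck was:\s*(0x[0-9a-fA-F]+)\s*\(([^)]*)\)\.\s*' +
               'A dump was saved in:\s*(.+?)\.\s*Report Id'
    if ($Message -notmatch $pattern) { return $null }   # not a bugcheck record

    [pscustomobject]@{
        Code       = $Matches[1]                 # stop code, e.g. 0x000000d1
        Parameters = $Matches[2] -split ',\s*'   # the four bugcheck parameters
        DumpPath   = $Matches[3]                 # where the dump was written
    }
}

function Get-LastBugcheck {
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-WER-SystemErrorReporting'
        Id           = 1001
    }
    # Newest matching event first; no event means no recorded bugcheck.
    $evt = Get-WinEvent -FilterHashtable $filter -MaxEvents 1 -ErrorAction SilentlyContinue
    if (-not $evt) { return $null }

    $info = ConvertFrom-BugcheckMessage -Message $evt.Message
    if ($info) {
        $info | Add-Member -NotePropertyName TimeCreated -NotePropertyValue $evt.TimeCreated -PassThru
    }
}

# Constructed sample message (not from a real system), so the parser runs offline.
$sample = 'The computer has rebooted from a bugcheck.  The bugcheck was: 0x000000d1 ' +
          '(0x0000000000000010, 0x0000000000000002, 0x0000000000000000, 0xfffff80312345678). ' +
          'A dump was saved in: C:\Windows\MEMORY.DMP. ' +
          'Report Id: 00000000-0000-0000-0000-000000000000.'
ConvertFrom-BugcheckMessage -Message $sample
```

The event gives the stop code, its parameters and the dump path, but not the faulting module; attributing the crash to a driver still requires analyzing the dump, as the post above says.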

  • Dejan_Maksimovic Member - All Emails Posts: 334
    via Email
    Any particular way to set up a driver not to load during Safe mode?
    Ours always does, by default, and we want it that way, but just checking ;)

  • Peter_Viscarola_(OSR) Administrator Posts: 8,013

    See the link in my first reply above. Check if safe mode and fail DriverEntry.

    Peter

    Peter Viscarola
    OSR
    @OSRDrivers

  • Mauro_Leggieri Member Posts: 107

    @Peter_Viscarola_(OSR) said:
    Because this intrigued me, I spent some time this afternoon trying to figure out how to do this. And I came to the conclusion that it's just not possible. SURE, you could write a service that analyzes the dump file on reboot, and then tells the driver if it was the likely cause of the crash. But that's going to be (probably) minutes after the system starts and hence your driver is already loaded.

    Thanks for the effort. I would like to keep the driver starting before the service because it can still do some tasks (it is some sort of AV app) but I'll take into account your hint.

    @Dejan_Maksimovic said:
    Any particular way to set up a driver not to load during Safe mode?
    Ours always does, by default, and we want it that way, but just checking ;)

    Actually it does not load on safe mode. It is not a problem to recover from a disaster but, as said above, want to minimize problems.

    Regards!

  • Pavel_A Member Posts: 2,726
    edited February 24

    Instead of safe mode, you can boot to WinRE and delete the trouble-making driver.
    There are ways to boot managed servers from alternative device.

  • Dejan_Maksimovic Member - All Emails Posts: 334
    via Email
    Which would yield a "windows cannot boot because the driver is not found".

    Well, it would for FS filters. For device filters, it would simply make the device inaccessible. Not sure about regular hardware drivers?

    On 2/24/20, Pavel_A wrote:
    > OSR https://community.osr.com/
    >
    > Pavel_A commented on Getting last BSOD info
    >
    > Instead of safe mode, you can boot to WinRE and delete the trouble-making
    > driver.