Getting last BSOD info

Hi community!

Is it possible, from a driver, to get details about the last raised BSOD?

Although one can fill the code with try/catch blocks, there are some types of crashes that cannot be trapped. As a last resort, I would like to skip driver loading if my driver is causing the crashes.

Regards,
Mauro.

If you’re concerned about your driver rendering the system unstable, the “typical” thing to do is not load in Safe Mode.

Peter

Hi Peter, yes it does not load in safe mode.

My intention is the following: Let’s assume you install your product in some medium-large company and it fails for any reason. Manual recovery of each computer can be tedious (mainly in a distributed environment), so if the driver can disable itself so the computers boot, we would be able to, e.g., remotely access them and apply a fix.

I know the info is usually stored in the event log but I didn’t know how to read it from the kernel. If it is in another place, no idea.

Regards,
Mauro.

Yeah… I don’t know any way to do this.

It doesn’t even strike me as a reasonable thing to do. It’s hard enough to figure out why the system crashed from WinDbg… never mind at startup time, in kernel mode. As you know: It’s not always the driver that crashed that’s responsible for the crash. Suppose you pool scribble, for example? So even if you can figure out the crashing driver, it’s not 100% guaranteed.

And…, doesn’t Windows already do something like this automatically?

Peter

> It doesn’t even strike me as a reasonable thing to do. It’s hard enough to figure out why the system crashed from WinDbg… never mind at startup time, in kernel mode. As you know: It’s not always the driver that crashed that’s responsible for the crash. Suppose you pool scribble, for example? So even if you can figure out the crashing driver, it’s not 100% guaranteed.

Sure, but if the customer sees yourdriver.sys caused the BSOD, they complain no matter if it is really your fault. And if the customer sees a symantec.sys or microsoft.sys driver caused the BSOD, they complain to you because you are the little and new company.

> And…, doesn’t Windows already do something like this automatically?

I thought that, but no. Even if you can try asking the user to boot with the last known good configuration (although it does not always work), customers say “come here and fix it yourself”.

Shitty customers of course.

> And if the customer sees a symantec.sys or microsoft.sys driver caused the BSOD, they complain to you because you are the little and new company.

Yeah, I get it.

Because this intrigued me, I spent some time this afternoon trying to figure out how to do this. And I came to the conclusion that it’s just not possible. SURE, you could write a service that analyzes the dump file on reboot, and then tells the driver if it was the likely cause of the crash. But that’s going to be (probably) minutes after the system starts and hence your driver is already loaded.

I can’t figure out any legit way to do this during the crash itself or after the fact.

Sorry…

Peter

Any particular way to set up a driver not to load during Safe mode?
Ours always does, by default, and we want it that way, but just checking :wink:

See the link in my first reply above. Check if safe mode and fail DriverEntry.

Peter
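
Peter's suggestion above (check for safe mode and fail DriverEntry), as an added example that is not code from this thread or from OSR. It assumes the documented ntoskrnl export `InitSafeBootMode` and a WDK build that defines `_KERNEL_MODE`; `SafeModeGate`, `REFUSE` and `g_RefuseMask` are hypothetical names, and the `#else` branch holds user-mode stand-ins so the policy can be compiled and tested outside the kernel.

```c
#ifdef _KERNEL_MODE                 /* assumption: WDK build with /kernel */
#include <ntddk.h>
extern PULONG InitSafeBootMode;     /* ntoskrnl export; *ptr == 0 on a normal boot */
#else                               /* user-mode stand-ins, not the WDK headers */
#include <stdio.h>
typedef unsigned long ULONG;
typedef int NTSTATUS;
#define STATUS_SUCCESS              ((NTSTATUS)0)
#define STATUS_NOT_SAFE_MODE_DRIVER ((NTSTATUS)0xC000035F)
#define SAFEBOOT_MINIMAL  1
#define SAFEBOOT_NETWORK  2
#define SAFEBOOT_DSREPAIR 3
#endif

/* Hypothetical policy knob: bit N set means "refuse to load in safe-boot mode N". */
#define REFUSE(mode) (1UL << (mode))
static const ULONG g_RefuseMask =
    REFUSE(SAFEBOOT_MINIMAL) | REFUSE(SAFEBOOT_NETWORK) | REFUSE(SAFEBOOT_DSREPAIR);

/* Hypothetical helper: map the safe-boot value to the status DriverEntry returns. */
NTSTATUS SafeModeGate(ULONG safeBootMode, ULONG refuseMask)
{
    if (safeBootMode == 0)
        return STATUS_SUCCESS;                  /* normal boot: load */
    if (safeBootMode > SAFEBOOT_DSREPAIR)
        return STATUS_NOT_SAFE_MODE_DRIVER;     /* unknown mode: stay out of the way */
    return (refuseMask & REFUSE(safeBootMode)) ? STATUS_NOT_SAFE_MODE_DRIVER : STATUS_SUCCESS;
}

#ifdef _KERNEL_MODE
DRIVER_INITIALIZE DriverEntry;
NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)
{
    /* Gate first: nothing is allocated or registered yet, so failing is clean. */
    NTSTATUS status = SafeModeGate(*InitSafeBootMode, g_RefuseMask);
    UNREFERENCED_PARAMETER(DriverObject);
    UNREFERENCED_PARAMETER(RegistryPath);
    if (!NT_SUCCESS(status)) return status;
    /* ...the driver's normal initialization continues here... */
    return STATUS_SUCCESS;
}
#else
int main(void)
{
    for (ULONG mode = 0; mode <= 4; mode++)     /* constructed inputs */
        printf("safe-boot mode %lu -> 0x%08X\n", mode, (unsigned)SafeModeGate(mode, g_RefuseMask));
    return 0;
}
#endif
```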

@“Peter_Viscarola_(OSR)” said:
> Because this intrigued me, I spent some time this afternoon trying to figure out how to do this. And I came to the conclusion that it’s just not possible. SURE, you could write a service that analyzes the dump file on reboot, and then tells the driver if it was the likely cause of the crash. But that’s going to be (probably) minutes after the system starts and hence your driver is already loaded.

Thanks for the effort. I would like to keep the driver starting before the service because it can still do some tasks (it is some sort of AV app) but I’ll take into account your hint.

@Dejan_Maksimovic said:
> Any particular way to set up a driver not to load during Safe mode?
> Ours always does, by default, and we want it that way, but just checking :wink:

Actually it does not load in safe mode. It is not a problem to recover from a disaster but, as said above, I want to minimize problems.

Regards!

Instead of safe mode, you can boot to WinRE and delete the trouble-making driver.
There are ways to boot managed servers from an alternative device.

Which would yield a “windows cannot boot because the driver is not found”.

Well, it would for FS filters. For device filters, it would simply
make the device inaccessible. Not sure about regular hardware drivers?

On 2/24/20, Pavel_A wrote:
> Instead of safe mode, you can boot to WinRE and delete the trouble-making
> driver.