Catch a BSOD exception and send it through LWF?

Is it possible? If not, is there an alternative way to notify the BSOD exception (just code or stack trace or driver name) to another computer?
(Sending the memory.dmp file on next boot time is not an option…)

No, you can’t do it through an LWF. By the time a BSOD happens you have to assume you do not have an operating system. With the KeRegisterBugCheckReasonCallback you can get called most of the time, and if you have a simple device you can talk to it directly. Most systems that want to do this use a dedicated device, because otherwise you have to worry about the device's state. At the time of the callback you basically have the ability to talk to the device, but no operating system support, for instance no memory allocation.

1 Like

Is it possible?

https://docs.microsoft.com/en-us/windows-hardware/drivers/kernel/writing-a-bug-check-callback-routine

[begin quote]

A bug check callback routine executes at IRQL = HIGH_LEVEL, which imposes strong restrictions on what it can do.

A bug check callback routine cannot:

Allocate memory
Access pageable memory
Use any synchronization mechanisms
Call any routine that must execute at IRQL = DISPATCH_LEVEL or below

[end quote]

Since NDIS routines that actually deal with sending and receiving data run at IRQL == DISPATCH_LEVEL, you are already not in a position to use the network services at the time your bugcheck callback routine gets invoked.

Anton Bassov

2 Likes

If not, is there an alternative way to notify the BSOD exception (just code or stack trace or driver name) to another computer?

Of course, there is a way. If the other computer is connected through a kernel debugger interface, it will see the BSOD and pull all the details.
If the machine runs under a hypervisor, there should be a way to pass some details to the host.
Want more ideas? :wink:

–pa

Pavel, you can definitely do it through a hypervisor. I did it through a smart hardware device for a client almost 20 years ago, so a hypervisor interface should definitely work.

1 Like

Thank you everyone!

If the machine runs under a hypervisor, there should be a way to pass some details to the host.

Assuming that the hypervisor provides the hypercalls that you can invoke in this situation, it definitely seems to be the right way to go…

Anton Bassov

A while ago I worked on a project that pulled the entire dump in real time out of a crashed VM and re-assembled it into a functional dump file. It is entirely doable.

Mark Roddy