BugCheck Information

Is there a way to capture the bugcheck information that is displayed on
the BSOD, preferably without hacking the kernel? I am working on a bladed
headless server, that may not always have a way of reporting the blue
screen or taking a dump in some instances. It does have the way of saving
in permanent storage a small number of bytes of info, so I would like to
save the 20 bytes of data displayed on the blue screen, so that I can
later retrieve them. Any suggestions would be appreciated.

Don Burn
Egenera, Inc

Yes, it’s relatively easy to obtain the bugcheck data, i.e., the bugcheck
number and the four ULONGs of bugcheck data if you have set up a driver
to get called back. To read the bugcheck data declare the following
external declaration:

extern PULONG_PTR KiBugCheckData;

Then access entries 0 - 4 of the bugcheck data, casting
KiBugCheckData[0] to a ULONG.

For example:

ULONG BugCheckCode;
ULONG_PTR BugCheckParameter1;
ULONG_PTR BugCheckParameter2;
ULONG_PTR BugCheckParameter3;
ULONG_PTR BugCheckParameter4;

BugCheckCode = (ULONG)KiBugCheckData[0];
BugCheckParameter1 = KiBugCheckData[1];
BugCheckParameter2 = KiBugCheckData[2];
BugCheckParameter3 = KiBugCheckData[3];
BugCheckParameter4 = KiBugCheckData[4];

To get called back when a bugcheck occurs, you can use the DDK function
KeRegisterBugCheckCallback. This will allow you to get called back when
a bugcheck occurs. At the time of the bugcheck, you can use your private
mechanism to save the bugcheck data to permanent storage.

Note that the time at which the bugcheck callbacks are called varies
from OS version to OS version. On Win2k and WinXP they are called before
the crashdump, whereas on Windows .NET server they are called after the
crashdump. This shouldn’t matter for what you’re doing, but it would
matter for other people using this mechanism.

Finally, the bugcheck callback context (i.e., the context in which you
are running when your bugcheck callback is being called) is very
restrictive. All processors but the one on which your code is executing
have been stopped, the IRQL has been raised to IPI_LEVEL or HIGH_LEVEL
which means you can’t take page faults, acquire spinlocks, etc. This
also means that various driver and system data structures may not be
consistent. Try to make your bugcheck callback very simple and use as
few kernel routines as you can, so that you don’t end up either hanging
or further corrupting the system.

It would be difficult to get any more data than this without doing
something underhanded.

  • Matt

This posting is provided “AS IS” with no warranties, and confers no
rights.

-----Original Message-----
From: xxxxx@acm.org [mailto:xxxxx@acm.org]
Sent: Thursday, July 25, 2002 7:38 AM
To: NT Developers Interest List
Subject: [ntdev] BugCheck Information

Is there a way to capture the bugcheck information that is displayed on
the BSOD, preferably without hacking the kernel? I am working on a bladed
headless server, that may not always have a way of reporting the blue
screen or taking a dump in some instances. It does have the way of saving
in permanent storage a small number of bytes of info, so I would like to
save the 20 bytes of data displayed on the blue screen, so that I can
later retrieve them. Any suggestions would be appreciated.

Don Burn
Egenera, Inc



If you need to write them on disk, you’re in a big mess, and it is not
possible without building your own dump stack, or hacking the existing
one, for a private dump.


I can suggest using KeRegisterBugCheckCallback and saving data to
reserved CMOS space (provided this space will be enough) using
well-known port addresses.

Max
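
Added example, not code from any poster in this thread: one way to lay out the record a bugcheck callback would hand to the small persistent store discussed above, written as straight-line C with no allocation, locks or library calls so it suits the restricted callback context Matt describes. The names bc_pack and bc_unpack and the 22-byte layout (the 20 data bytes plus a flags byte and a checksum byte) are assumptions, and the write to CMOS or other storage is not shown.

```c
#include <stdint.h>

#define BC_RECORD_SIZE 22u   /* 20 data bytes + flags byte + checksum byte */

/* 8-bit complemented sum: erased storage (all 0x00 or all 0xFF) fails it. */
static uint8_t bc_checksum(const uint8_t *rec)
{
    uint8_t sum = 0;
    for (unsigned i = 0; i < BC_RECORD_SIZE - 1; i++)
        sum = (uint8_t)(sum + rec[i]);
    return (uint8_t)~sum;
}

static void bc_put32(uint8_t *p, uint32_t v)      /* little-endian store */
{
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

static uint32_t bc_get32(const uint8_t *p)        /* little-endian load */
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* For use inside the bugcheck callback. Parameters are pointer-sized on the
 * real system, so they are taken as 64-bit and the low 32 bits are stored. */
void bc_pack(uint8_t rec[BC_RECORD_SIZE], uint32_t code, const uint64_t params[4])
{
    uint8_t truncated = 0;
    bc_put32(rec, code);
    for (unsigned i = 0; i < 4; i++) {
        if (params[i] >> 32)
            truncated |= (uint8_t)(1u << i);      /* high half was dropped */
        bc_put32(rec + 4 + 4 * i, (uint32_t)params[i]);
    }
    rec[20] = truncated;
    rec[21] = bc_checksum(rec);
}

/* For use after reboot: returns 1 and fills the outputs only if the record
 * passes its checksum; a stale, erased or corrupted record returns 0. */
int bc_unpack(const uint8_t rec[BC_RECORD_SIZE], uint32_t *code,
              uint32_t params[4], uint8_t *truncated)
{
    if (rec[21] != bc_checksum(rec))
        return 0;
    *code = bc_get32(rec);
    for (unsigned i = 0; i < 4; i++)
        params[i] = bc_get32(rec + 4 + 4 * i);
    *truncated = rec[20];
    return 1;
}
```

The flags byte matters on 64-bit systems, where a pointer-sized parameter no longer fits the 4 bytes per value that the 20-byte figure implies.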
