Anatomy of a Blue Screen
The Error Message
The section circled (with a white box) in Figure A shows the actual error message. This message contains an error code number, the addresses where the error occurred, and a text code indicating the type of error. Below, I've listed some of the more common error codes and their causes.
The section circled (with a white box) in Figure A shows the actual error message. This message contains an error code number, the addresses where the error occurred, and a text code indicating the type of error. Below, I've listed some of the more common error codes and their causes.
DIVIDE_BY_ZERO_ERROR
This error is caused by an application trying to divide by zero. If you receive this error and don't know which application caused it, you might try examining the memory dump.
This error is caused by an application trying to divide by zero. If you receive this error and don't know which application caused it, you might try examining the memory dump.
IRQL_NOT_LESS_OR_EQUAL
The IRQL_NOT_LESS_OR_EQUAL error is caused by a buggy device driver or an actual hardware conflict. If you've recently added new hardware to your system, try removing it and see if the error goes away. Likewise, if you've recently loaded a new device driver, you might try using ERD Commander Professional Edition, by Winternals Software, to temporarily disable the new driver and see if the problem goes away.
KMODE_EXCEPTION_NOT_HANDLED
An incorrectly configured device driver usually causes this type of error. As I'll explain later, you can use another section of the blue screen to figure out which driver is causing the problem.
REGISTRY_ERROR
Such an error indicates a catastrophic failure in the system's registry. However, this error can sometimes be caused by failure to read the registry from the hard disk rather than because the registry itself is corrupt. Most of the time though, if you get this error, you'll have to restore from backup.
INACCESSIBLE_BOOT_DEVICE
Just as the name implies, this error indicates that Windows NT is having trouble reading from the hard disk. This error can be caused by a faulty device driver or a bad small computer systems interface (SCSI) terminator. If you've checked for these problems, but are still receiving the error, check to make sure that a virus hasn't destroyed your boot sector.
UNEXPECTED_KERNEL_MODE_TRAP
This error message is almost always caused by your computer's memory. If you receive this error, check to make sure that all of your single inline memory modules (SIMMs) are the same type and speed. You should also check to make sure that your computer's Complementary Metal Oxide Semiconductor (CMOS) is set for the correct amount of RAM. If all of these suggestions check out, try replacing the memory in the computer.
BAD_POOL_HEADER
This is, perhaps, the most obscure error message. In most cases, if you receive this error, it's related to the most recent change you've made on your system. Try undoing the change to get rid of the error.
NTFS_FILE_SYSTEM
An NTFS_FILE_SYSTEM error indicates hard disk corruption. If your system is bootable, run CHKDSK /F on all of your partitions immediately. If your system isn't bootable, try installing a new copy of Windows NT in a different directory. You can use that copy to run the CHKDSK program. When you're done with the second copy, you can edit your BOOT.INI file to make your computer start your original copy of Windows NT.
KERNEL_DATA_INPAGE_ERROR
This error indicates that Windows NT wasn't able to read a page of kernel data from the page file. Bad memory, a bad processor, incorrectly terminated SCSI devices, or a corrupt PAGEFILE.SYS file may cause this situation. The first step in correcting such an error is to recreate the PAGEFILE.SYS file and see if you can bring your system back online.
NMI_HARDWARE_FAILURE
This is a generic error message in which the hardware abstraction layer can't report on the true cause of the error. In such a situation, Microsoft recommends calling the hardware vendor. This error can sometimes be caused by mixing parity and non-parity SIMMs, or by bad SIMMs.
Modules That Have Loaded
The section that I've circled in Figure B shows the modules that Windows NT has already loaded into memory. You can use this section primarily to look at the modules that are already loaded, and be somewhat confident that none of the modules listed are causing your problem.
The section that I've circled in Figure B shows the modules that Windows NT has already loaded into memory. You can use this section primarily to look at the modules that are already loaded, and be somewhat confident that none of the modules listed are causing your problem.
Modules That Were About to Load
The section that I've circled in Figure C shows which modules were about to load when the error occurred. Many times, this section can give you an idea of which module is causing your problem. This is especially true if you're receiving a KMODE_EXCEPTION_NOT_HANDLED error. For example, suppose that the next module on the stack to load was tcpip.sys. In such a situation, it's likely that an incorrect network card driver may be causing your problem. If you happen to own ERD Commander Professional Edition by Winternals Software you could disable the network card driver, and try booting your system again. If the system boots, you could correct the driver problem.
The section that I've circled in Figure C shows which modules were about to load when the error occurred. Many times, this section can give you an idea of which module is causing your problem. This is especially true if you're receiving a KMODE_EXCEPTION_NOT_HANDLED error. For example, suppose that the next module on the stack to load was tcpip.sys. In such a situation, it's likely that an incorrect network card driver may be causing your problem. If you happen to own ERD Commander Professional Edition by Winternals Software you could disable the network card driver, and try booting your system again. If the system boots, you could correct the driver problem.
Kernel Debugger
The section circled in Figure D indicates the current status of the kernel debugger. The kernel debugger enables you to link two computers running Windows NT via a RAS connection or a null modem cable. When a Blue Screen of Death occurs, the crash dump information is sent to the functional computer for diagnosis.
