Debugging Windows crashes with minidumps? Not at Lenovo
Like many of you, my copies of Windows XP crash with the now-classic "blue screen of death" (BSOD). When this happened a couple times recently to a new ThinkCentre A61 tower, I called Lenovo tech support. As the title of this posting suggests, it did not go well.
When Windows XP crashes, the default behavior is to create a minidump, a small file (only 88K) with a summary of, hopefully, the most important information about the failure. I wrote about minidumps back in November (see Dealing with software crashes, Part 2). If your copy of Windows has crashed (aka "blue-screened") in the past, you may find a minidump describing the problem in the C:\WINDOWS\Minidump folder. The format of the filename is MiniMMDDYY-99.DMP (the last two numbers being a sequence number).
Minidumps are in a binary format, opening them with Notepad is a waste of time. Windows XP doesn't include the necessary software (program Dumpchk.exe) to open a minidump file. The target audience for a minidump is a tech support person.
But, it seems Lenovo didn't get the memo.
When I spoke to a Lenovo technician on the phone, I was told they don't do that. That is, they aren't allowed to accept minidump files from customers. Instead, the debugging session is totally verbal. Been there, done that. Verbal debugging of computer problems over the phone is all but guaranteed to be a waste of time. It was in this case.
Although the minidump can be impenetrable, the Windows event log, specifically the System event log, also has information about Windows crashes. Shown below is the identifying information about the two Windows crashes I experienced.
The bugcheck was: 0x0000001a (0x00041284, 0xd7817001, 0x00003fde, 0xc0e00000)
A dump was saved in: C:\WINDOWS\Minidump\Mini021508-01.dmp
The computer has rebooted from a bugcheck.
The bugcheck was: 0x1000000a (0x00000010, 0x00000002, 0x00000001, 0x8051b0c8)
A dump was saved in: C:\WINDOWS\Minidump\Mini021508-02.dmp
At this point you have more information than the Lenovo tech support person assisting me had. He was only interested in the two error codes, not any of the additional data fields shown above in parentheses, which provide additional information about the problem.
While the System event log doesn't provide much information about the crash itself, taken together, the six event logs can provide a wealth of information about the overall goings-on inside Windows. Like the minidump files, the event logs are not very big; in XP they max out at 512K by default. You can see them below for the computer in question.
Lenovo's technicians are also not allowed to accept event logs from customers.
What's Your Experience?
Lenovo is only one company of many offering technical support for Windows. What has been your experience in trying to get a technician to review either a minidump or an event log?
Do other computer manufacturers also refuse to accept these small files when offered?
Has a support person ever asked for them?
Is there an equivalent situation with Macs?
Either leave a comment below, or e-mail me at minidump at michaelhorowitz dot com.
And, if anyone works for Lenovo, is this, in fact, the normal procedure or did the person I dealt with not follow the rules?
Debugging operating system crashes can be hard to impossible, especially with the small amount of information in a minidump. But not even trying is disgraceful.
See a summary of all my Defensive Computing postings.
Michael Horowitz is an independent computer consultant and the author of several classes on Defensive Computing. He is a member of the CNET Blog Network, and is not an employee of CNET. Disclosure.
Most recently I was talking with Marvin at Dell. My friend has an Inspiron 9200 and it was BSODing on boot. Most specifically on loading the video driver. So being the good little technician that was. I decided to trying boot the system in safe mode. As we all know safe mode will load the generic windows vidoe driver. Guess what, it BSODed there too. Hmm has to be hardware but let me check the web and see what that code means. Sure enough MS support was pretty non-commital, said it could be hardware but that it was probably the driver. (Wrong, I tried the generic VGA driver. Must be hardware.) Since my friend has complete care I call Dell. Marvin answers. His default answer? Reload the OS. "You have got to be kidding", I say. "No it is the driver", he says. I told him what I did an he insists it has to be the driver. He and I argue about this for AN HOUR. Finally in frustration I agree to reload the OS. I back up all my friends data to my laptop, by removing the drive and putting it in a USB chassis, and I reload. Guess what? Yep it still BSOD's. I call Marvin back and basically rip him a new one. I tell him to get someone out here to replace the system board. He still argues with me. Finally in complete frustration, I ask him how long he has been doing this. His answer? "A couple years." I litteraly wnet crazy on him, and said, "Well I have been doing this stuff for a couple decades. Send out the tech with a new systemboard!!!" I think he got the idea. Next day, new system board and no more BSOD. Hmmm Marvin who was right on this one?
Anyway, in my first email I clearly stated the what the drive was, it was out of warranty and that I had already replaced the defective drive. The reply simply restated the information I had already given. I replied that I had already told them that and again asked my question. I received a reply saying that I shouldn't replace the drive as it would void the warranty. Uh, excuse me but I already told you it was out of warranty.
So I fire back a third email requesting that maybe they could have someone read my messages that actually knew something about the HW in question. I really was surprised to get an answer from a senior support technician who actually did understand my question and answered it.
Final resolution was that I purchased a new external case with an actual physical jumper block for configuring how it saw the twin drives in the case. Dual moral here is that when buying external HD's cheap is not the way to go and Tech Support pretty much sucks when it comes to computers.
You just need to EXPECT a problem to occur, and prepare to set up for it. I have set up my new Vista environment (whaddayoucrazy?) to take full dumps. I should activate a performance monitor too. Anyhow, I thank you for allowing me to preach to the choir, already singing the hymn I am thinking of...
There are add-on products to handle first-fault problem resolution, like BMC's AppSight (not for the home gamer however).
It is nice to solve a problem on its first occurrence, isn't it? Even if you don't have a million-dollar business running off it, just your home life, finances, email, investments, games, businesses....
I will do consulting for money (see my website), or as you can plainly see here, just for grins and giggles.... Good luck you crazy folks who don't think do-overs are mandatory....!!!
What I am REALLY looking for is the call from Microsoft to help them design a software 'black-box' (data recorder like mainframe software trace tables)- their event recorder is not sufficiently fine-grained - kind of a weak magnifying glass, you know?!
Determining hardware vs. software as the root cause of a problem is not easy.
In your case, I would have made a disk image backup of Windows before deleting anything. Even if Windows can't boot, there may be a minidump for the crash that can be retrieved by booting with a Linux live CD.
To: RicABlair
My point wasn't that the technician didn't know what a minidump was, but that corporate policy does not allow Lenovo tech support personnel to have files sent to them, files specifically designed by Microsoft to aid in debugging problems. I fully understand your giving up and not even bothering to call, but maybe, just maybe, some company will actually know what a minidump is, accept it from the customer and review it. If such a company exists, I hope someone will let me know. It's not much to expect.
Michael Horowitz
You can use WinDbg to read the dump (free download from MS), but if you don't know what WinDbg is, it won't make you any good.
By the way, bugcheck 1A/41284 is "A PTE or the working set list is corrupted.".
Bugcheck 1000000A is a variant of IRQL_NOT_LESS_OR_EQUAL. Usually a crappy driver
The first one tells that you have some driver that is very intrusive to the system. Uninstall your antiviruses. Yes, I mean it, most are crap, especially Sym***. Change your user account type to "Limited user", so you won't have to be afraid of viruses.
Obviously you didn't read my post that closely. If the manufacture spcific driver fails, and the generic windows driver fails, it is that device. Given that it was the video driver that means there is a system board problem.
What it comes down to, is that these guys are paid to get people off the phone and not deploy the field tech. I am sure my 2 hours on the phone with Marvin cost him dearly on his metrics.
Face it take the guy with 20 years experience word for it and don't argue with them.