From: Riedwaan on 02/27/2002
Please note this is a very intensive reply and I don't suggest that you do it. Rather have some other person with programming skills handle it.
Often times when debugging a crash dump, the stack appears to be corrupt. Other times, we are encountering limitations of our debugging tools. In spite of these obstacles, the procedures presented above will more often than not produce the information we seek. The challenge in developing these debugging methods is assimilating information from disparate locations. For example, the information for this article was gleaned from the Platform SDK, the NT DDK, MSJ, The NT Insider, the Microsoft Knowledge Base, the book Inside Windows NT by Helen Custer, and the experience of looking at countless kernel dumps.
Researching the Bug Code
The very first thing I do when looking at a crashed system or a crash dump is inspect the numbers from the top of the blue screen, and try to divine their meaning. Fortunately, when you are given a crash dump, you do not have to ask the customer what was displayed on the blue screen. When you open a crash dump, WinDbg displays the important information from the blue screen. That output is shown in Figure 1. This is analogous to the top two lines of the blue screen, as shown in Figure 2. "Bugcheck 0000001e" means "KMODE_EXCEPTION_NOT_HANDLED." If you compare the two figures, you will notice WinDbg does not perform this translation for you. Fortunately, if you are analyzing a crash dump, you can determine the alphanumeric equivalent of the Bugcheck number by looking in "\NTDDK\INC\BUGCODES.H." If you search BUGCODES.H, you will find "KMODE_EXCEPTION_NOT_HANDLED" is defined to be "0000001E." Of course this still does not tell us exactly what this bugcheck number means, or the four numbers displayed next to it.
Kernel Debugger connection established for F:\dumps\Memory.dmp
Kernel Version 1381 Free loaded @ 0x80100000
Bugcheck 0000001e : c0000005 80112bf0 00000000 0000001d
Figure 1 -- Windbg Displays Blue Screen Information
*** STOP: 0x0000001E (0xC0000005,0x80112BF0,0x00000000,0x0000001D)
KMODE_EXCEPTION_NOT_HANDLED
*** Address 80112bf0 has base at 80100000 - ntoskrnl.
Figure 2 -- Top of Blue Screen
The five numbers together are the five parameters to the function KeBugCheckEx(), as documented in the DDK. The system or a driver calls KeBugCheckEx() to bring the system down in a controlled fashion when the system or driver detects an unrecoverable error. Ultimately, this results in a blue screen, and a crash dump if you are lucky and you configured the system to create crash dumps. We can seek the meaning of these five numbers by referring to Microsoft Knowledge Base Article "Q103059 - Descriptions of Bug Codes for Windows NT." By searching the article for "KMODE_EXCEPTION_NOT_HANDLED", we expect to find a description of the bugcode, and the meaning of the next four parameters to KeBugC
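An added example, not part of the original post: a Python sketch that parses the WinDbg header of Figure 1 and the blue-screen text of Figure 2 into the same five KeBugCheckEx() values, and computes the offset of the reported address inside its module. The function names and the one-entry name table are assumptions; only 0x1E is taken from the text, and a full table would be built from BUGCODES.H.

```python
import re

# Only 0x1E comes from the post; a full table would be generated from the
# #define lines in \NTDDK\INC\BUGCODES.H (assumption: one entry here).
BUGCODE_NAMES = {0x0000001E: "KMODE_EXCEPTION_NOT_HANDLED"}

HEX8 = r"[0-9a-f]{8}"
# WinDbg header: Bugcheck 0000001e : c0000005 80112bf0 00000000 0000001d
WINDBG_RE = re.compile(rf"Bugcheck\s+({HEX8})\s*:\s*((?:{HEX8}\s*){{4}})", re.I)
# Blue screen:   *** STOP: 0x0000001E (0xC0000005,0x80112BF0,...)
STOP_RE = re.compile(rf"STOP:\s*0x({HEX8})\s*\(((?:0x{HEX8}\s*,?\s*){{4}})\)", re.I)
# Blue screen:   *** Address 80112bf0 has base at 80100000 - ntoskrnl.
ADDR_RE = re.compile(rf"Address\s+({HEX8})\s+has base at\s+({HEX8})\s*-\s*(\S+)", re.I)

# Sample input copied from Figures 1 and 2 of the post.
WINDBG_SAMPLE = "Bugcheck 0000001e : c0000005 80112bf0 00000000 0000001d"
STOP_SAMPLE = ("*** STOP: 0x0000001E (0xC0000005,0x80112BF0,0x00000000,0x0000001D)\n"
               "KMODE_EXCEPTION_NOT_HANDLED\n"
               "*** Address 80112bf0 has base at 80100000 - ntoskrnl.")

def parse_bugcheck(text):
    """Return (code, [p1, p2, p3, p4]) from either format, or None."""
    m = WINDBG_RE.search(text) or STOP_RE.search(text)
    if not m:
        return None
    params = [int(p, 16) for p in re.findall(rf"(?:0x)?({HEX8})", m.group(2), re.I)]
    return int(m.group(1), 16), params

def describe(text):
    """Add the symbolic name and, when an Address line exists, the module offset."""
    parsed = parse_bugcheck(text)
    if parsed is None:
        return None
    code, params = parsed
    info = {"code": code, "name": BUGCODE_NAMES.get(code, "UNKNOWN"), "params": params}
    m = ADDR_RE.search(text)
    if m:
        addr, base = int(m.group(1), 16), int(m.group(2), 16)
        info["module"] = m.group(3).rstrip(".")   # module name as printed
        info["offset"] = addr - base              # offset of address in module
        info["addr_is_param"] = addr in params    # same value as a parameter?
    return info

if __name__ == "__main__":
    print(describe(WINDBG_SAMPLE))
    print(describe(STOP_SAMPLE))
```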