When booting a custom image in VMware I was crashing and restarting so rapidly that I couldn't catch the Blue Screen message. I tried safe mode and last known good configuration to no avail. I used boot logging and noticed the last driver attempted to load was AGP440.sys, the Intel AGP Bus Filter. However, by connecting via a virtual serial port and using the Kernel Debugger I was able to find the correct cause.
1. On the VM you set up a serial port to a named pipe like this. In this case I've added a Serial Port and selected Use Named pipe, which I've called \\.\pipe\com_1, with the settings "This end is the server" and "The other end is an application".
2. You then need to ensure a copy of WinDbg is installed on your host system, which is available from http://www.microsoft.com/whdc/devtools/debugging/default.mspx
Before launching WinDbg you should ensure you have set up a path to the Microsoft Symbol Servers. These symbols provide information about Windows files that will assist in crash analysis. To make this recognised by all programs that support it, I suggest opening a command prompt as administrator and running the command:
setx _NT_SYMBOL_PATH "symsrv*symsrv.dll*c:\localsymbols*http://msdl.microsoft.com/download/symbols" /m
(Replace c:\localsymbols with wherever you want the symbols to be downloaded)
3. Once installed you can launch WinDbg from Start –> All Programs –> Debugging Tools For Windows –> WinDbg or if you are using Windows Vista/7 just type “WinDbg” [ENTER] in Start Menu search bar.
4. In WinDbg hit Ctrl+K or select File –> Kernel Debug. Baud Rate should be 115200, Port should match what you configured in VMWare i.e. \\.\pipe\com_1 and ensure Pipe and Reconnect are selected.
5. You then need to boot your Windows Virtual Machine with the F8 option and choose Debugging Mode. Now when the system crashes you won't get a blue screen; instead you will break into the debugger, where you can run commands to identify the cause of the crash.
6. To do an automated analysis we can just type !analyze -v [enter]. In this case I'm lucky and it's a very simple crash to analyse. Note that many crashes will require more complex analysis methods, but this gets the cause of a good number of crashes. From this command we find the likely culprit to be SynTP.sys. Note: if you find actual Windows files listed here as the cause, e.g. ntoskrnl etc., it is likely that the automated analysis is wrong. This type of crash will require more complex commands to determine the cause, and in some cases would require use of Driver Verifier (verifier.exe).
So now I will boot the Windows 7 DVD in my Virtual Machine to attempt to fix the cause of the crash by disabling the SynTP.sys driver:
1. Selected Time and currency format then clicked Next
2. Clicked Repair Your Computer
3. Selected operating system partition then clicked Next
4. Click View advanced options for system recovery and support
5. Open a command prompt
6. Run command reg load HKLM\Computer_System C:\Windows\system32\config\system (where C:\Windows\ is the location of your Windows partition)
7. Run regedit and browse to HKEY_LOCAL_MACHINE\Computer_System\ControlSet001\services\SynTP and set Start to 4 (disabled)
8. Exit Regedit and run reg unload HKLM\Computer_System
9. Exit command prompt and in Recovery Options click Restart
10. Yay! System boots up now!
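The offline registry steps above (6 to 8) can be done with reg.exe alone instead of regedit. The script below is an added example, not from the original post; it assumes the same C:\Windows partition, hive alias HKLM\Computer_System and service name SynTP as the post, and adds two checks a practitioner would want: which ControlSet the offline install actually boots from, and a backup export of the key before the Start value is changed.

```batch
@echo off
setlocal
REM Added example: disable a driver service in an OFFLINE SYSTEM hive from the
REM Windows 7 recovery command prompt. Assumptions (change to suit):
REM   WINDIR_OFFLINE - the non-booting Windows install
REM   HIVE           - alias under HKLM the offline hive is mounted at (as in the post)
REM   SVC            - service key name of the driver to disable
set "WINDIR_OFFLINE=C:\Windows"
set "HIVE=HKLM\Computer_System"
set "SVC=SynTP"

REM Mount the offline SYSTEM hive under HKLM\Computer_System.
reg load "%HIVE%" "%WINDIR_OFFLINE%\system32\config\system" || goto :fail

REM The post edits ControlSet001. Confirm that is the set the offline install
REM boots from: Select\Current = 1 means ControlSet001, 2 means ControlSet002, etc.
reg query "%HIVE%\Select" /v Current

set "KEY=%HIVE%\ControlSet001\services\%SVC%"

REM Bail out cleanly if the service key is not present in this hive.
reg query "%KEY%" /v Start || (echo Service %SVC% not found in offline hive & goto :unload)

REM Keep a copy of the key so the change can be reverted once the system boots.
reg export "%KEY%" "%WINDIR_OFFLINE%\%SVC%-backup.reg"

REM Start = 4 is SERVICE_DISABLED: the driver is not loaded at boot.
reg add "%KEY%" /v Start /t REG_DWORD /d 4 /f || goto :unload

REM Read the value back before unloading so we know the write landed.
reg query "%KEY%" /v Start

:unload
REM Always unload; a hive left mounted will be left dirty when WinRE restarts.
reg unload "%HIVE%"
endlocal
exit /b 0

:fail
echo Could not load the offline hive; check the path to the Windows partition.
endlocal
exit /b 1
```

If Select\Current is not 1, point KEY at the matching ControlSetNNN before running the reg add line.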
P.S. If you don't like going through the hassle of using RegEdit to disable drivers on an offline system you can also use: