Resolving Windows 7 Startup BSOD in VMWare using WinDBG

When booting a custom image in VMWare the system was crashing and restarting so rapidly that I couldn't catch the blue screen message. I tried Safe Mode and Last Known Good Configuration to no avail. I used boot logging and noticed the last driver that attempted to load was AGP440.sys, the Intel AGP Bus Filter. However, by connecting via a virtual serial port and using the kernel debugger I was able to find the correct cause.

1. On the VM, set the serial port up as a named pipe. In this case I've added a Serial Port, selected "Use named pipe", named it \\.\pipe\com_1, and set "This end is the server" and "The other end is an application".


2. You then need a copy of WinDbg installed on your host system. It is available from http://www.microsoft.com/whdc/devtools/debugging/default.mspx (Debugging Tools for Windows also ships as an optional component of the Windows SDK).

Before launching WinDbg you should make sure you have set up a path to the Microsoft Symbol Server. The symbols describe the Windows binaries and let the debugger resolve raw addresses to module and function names during crash analysis. To make the setting visible to every program that supports it, open a command prompt as administrator and run:

setx _NT_SYMBOL_PATH "symsrv*symsrv.dll*c:\localsymbols*http://msdl.microsoft.com/download/symbols" /m

(Replace C:\localsymbols with wherever you want the symbols to be downloaded. The shorter form srv*c:\localsymbols*https://msdl.microsoft.com/download/symbols is equivalent, and the symbol server is reachable over https.)


3. Once installed, you can launch WinDbg from Start –> All Programs –> Debugging Tools For Windows –> WinDbg, or on Windows Vista/7 just type "WinDbg" [ENTER] in the Start Menu search bar.

4. In WinDbg hit Ctrl+K or select File –> Kernel Debug. Baud Rate should be 115200, Port should match what you configured in VMWare (i.e. \\.\pipe\com_1), and make sure Pipe and Reconnect are ticked.


5. You then need to boot your Windows virtual machine with the F8 option and choose Debugging Mode. Now when the system crashes you won't get a blue screen; instead you will break into the debugger, where you can run commands to identify the cause of the crash.

6. For an automated analysis just type !analyze -v [enter]. In this case I'm lucky and it's a very simple crash to analyse. Many crashes will require more complex analysis, but this gets the cause of a good number of them. From this command we find the likely culprit to be SynTP.sys. Note: if the automated analysis blames core Windows files such as ntoskrnl.exe it is likely wrong; the kernel is usually the victim of memory corrupted earlier by a third-party driver, not the cause. This type of crash requires more complex commands to determine the cause, and in some cases Driver Verifier (verifier.exe), which makes the offending driver fault at the point of misuse rather than later.

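The host-side steps above (symbol path, then Kernel Debug over the named pipe), collected into one PowerShell script as an added example; this is not code from the original post. It assumes the VM's serial port is backed by \\.\pipe\com_1 as configured in step 1, that windbg.exe is on PATH or in one of the install folders probed below (assumed locations), and that it runs from an elevated prompt, because setx /m writes the machine-wide environment.

```powershell
# Added example (not from the original post): host-side setup for kernel-debugging a VMware guest
# over a named pipe. Assumed: pipe name and WinDbg locations below; run elevated (setx /m needs it).
param(
    [string]$PipeName  = '\\.\pipe\com_1',
    [string]$SymbolDir = 'C:\localsymbols'
)

# Same meaning as the post's setx line (srv* is shorthand for symsrv*symsrv.dll*), using the https endpoint.
$symPath = "srv*$SymbolDir*https://msdl.microsoft.com/download/symbols"
if (-not (Test-Path $SymbolDir)) { New-Item -ItemType Directory -Path $SymbolDir | Out-Null }

# Machine-wide so every symsrv-aware tool picks it up; only processes started after this see it.
setx _NT_SYMBOL_PATH $symPath /m | Out-Null

# Locate windbg.exe: PATH first, then the usual SDK / legacy install folders (assumed locations).
$candidates = @(
    (Get-Command windbg.exe -ErrorAction SilentlyContinue | Select-Object -ExpandProperty Source),
    "${env:ProgramFiles(x86)}\Windows Kits\10\Debuggers\x64\windbg.exe",
    "$env:ProgramFiles\Debugging Tools for Windows (x64)\windbg.exe"
) | Where-Object { $_ -and (Test-Path $_) }
if (-not $candidates) { throw 'windbg.exe not found; install Debugging Tools for Windows first.' }
$windbg = @($candidates)[0]   # @() so a single string result is not indexed character by character

# The VM creates the server end of the pipe when it powers on; warn if it is not there yet,
# otherwise WinDbg just sits in "Waiting to reconnect" with nothing to talk to.
$pipes = [System.IO.Directory]::GetFiles('\\.\pipe\')
if ($pipes -notcontains $PipeName) {
    Write-Warning "$PipeName does not exist yet: power on the VM (or check its serial port settings) and re-run."
}

# Equivalent of File -> Kernel Debug -> COM with Pipe and Reconnect ticked (Ctrl+K in the GUI).
# resets=0 stops WinDbg from sending a reset down the pipe while the guest is still booting.
& $windbg -y $symPath -k "com:pipe,port=$PipeName,resets=0,reconnect"
```

Inside the guest, the F8 Debugging Mode choice only applies to that one boot. Once the system can boot again, `bcdedit /debug on` together with `bcdedit /dbgsettings serial debugport:1 baudrate:115200` (elevated prompt; debugport:1 is the VM's first serial port) makes the setting persistent, and `bcdedit /debug off` reverts it. Turn it off when you are done: an attached kernel debugger has unrestricted read and write access to kernel memory, and on x64 the kernel relaxes its code-signing enforcement while a debugger is attached, so a VM left in this state is not a trustworthy image.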

So now I will boot the Windows 7 DVD in my virtual machine to fix the cause of the crash by disabling the SynTP.sys driver (the Synaptics touchpad driver):

1. Selected Time and currency format, then clicked Next

2. Clicked Repair Your Computer

3. Selected the operating system partition, then clicked Next


4. Click View advanced options for system recovery and support


5. Open a command prompt

6. Run the command reg load HKLM\Computer_System C:\Windows\system32\config\system (where C:\Windows is the Windows folder of the installation you are repairing; from the recovery command prompt the drive letter is frequently not C:, so confirm it with dir first)

7. Run regedit and browse to HKEY_LOCAL_MACHINE\Computer_System\ControlSet001\services\SynTP and set Start to 4 (disabled). An offline hive has no CurrentControlSet link, so check the Current value under HKEY_LOCAL_MACHINE\Computer_System\Select first to see which ControlSet00N the system will boot with; here it was ControlSet001.


8. Exit regedit (the unload fails with "access denied" while anything still has the key open) and run reg unload HKLM\Computer_System

9. Exit command prompt and in Recovery Options click Restart

10. Yay! System boots up now!
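The offline registry edit in steps 6 to 8, as an added PowerShell example; these are not the post's own commands, which use regedit. It assumes a recovery environment with PowerShell available: the Windows 7 "Repair Your Computer" command prompt does not ship it, so use a WinPE built with the WinPE-PowerShell component, the recovery environment of Windows 8 or later, or mount the VM's disk in another Windows installation. The Windows folder, service name and hive mount name are parameters; $WinDir defaults to C:\Windows as in the post, but in a recovery environment the offline installation is frequently on another drive letter.

```powershell
# Added example, not from the original post: disable a driver service in an OFFLINE SYSTEM hive.
# Assumed: PowerShell exists in the recovery environment, you are elevated, and the broken
# installation's Windows folder is $WinDir (check the letter first: Get-PSDrive -PSProvider FileSystem).
param(
    [string]$WinDir  = 'C:\Windows',
    [string]$Service = 'SynTP',           # the driver !analyze -v blamed
    [string]$Mount   = 'OfflineSystem'    # arbitrary name for the loaded hive under HKLM (post uses Computer_System)
)

$hive = Join-Path $WinDir 'System32\config\SYSTEM'
if (-not (Test-Path $hive)) { throw "SYSTEM hive not found at $hive (wrong drive letter?)" }
if (Test-Path "HKLM:\$Mount") { throw "HKLM\$Mount is already loaded; run 'reg unload HKLM\$Mount' first" }

# Same reg.exe call as step 6; reg.exe reports failure through its exit code, not an exception.
reg.exe load "HKLM\$Mount" $hive | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg load failed with exit code $LASTEXITCODE" }

try {
    # An offline hive has no CurrentControlSet link. The Select key records which ControlSet00N the
    # next boot uses; hard-coding ControlSet001 is only right when Select\Current happens to be 1.
    $current = (Get-ItemProperty -Path "HKLM:\$Mount\Select" -Name Current).Current
    $csName  = 'ControlSet{0:D3}' -f $current
    $svcKey  = "HKLM:\$Mount\$csName\Services\$Service"
    if (-not (Test-Path $svcKey)) { throw "no service key $svcKey in the offline hive" }

    $svc    = Get-ItemProperty -Path $svcKey
    $before = $svc.Start
    # Start values: 0 boot, 1 system, 2 automatic, 3 demand, 4 disabled.
    # 4 leaves the binary on disk but the kernel never loads it.
    Set-ItemProperty -Path $svcKey -Name Start -Value 4 -Type DWord

    # Report what changed so it can be reverted (same Set-ItemProperty with -Value $before) once the real fix is in.
    '{0}\Services\{1}: ImagePath="{2}" Start {3} -> 4' -f $csName, $Service, $svc.ImagePath, $before
}
finally {
    # Release PowerShell's handles on the hive, otherwise reg unload fails with "Access is denied".
    [GC]::Collect()
    [GC]::WaitForPendingFinalizers()
    reg.exe unload "HKLM\$Mount" | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "reg unload failed ($LASTEXITCODE); close whatever holds the key and unload manually" }
}
```

Saved as, say, Disable-OfflineDriver.ps1 (hypothetical name), a typical run against an installation that the recovery environment exposes as D: would be `.\Disable-OfflineDriver.ps1 -WinDir D:\Windows -Service SynTP`. The script deliberately touches only the Start value of the one service in the control set the machine will actually boot from, and prints the previous value rather than silently altering anything else in the hive.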

P.S. If you don't want the hassle of using regedit to disable drivers on an offline system you can also use:

AutoRuns (http://technet.microsoft.com/en-us/sysinternals/bb963902), whose File –> Analyze Offline System option works against a mounted Windows folder

ServiWin (http://www.nirsoft.net/utils/serviwin.html)

About chentiangemalc

specializes in end-user computing technologies. disclaimer 1) use at your own risk. test any solution in your environment. if you do not understand the impact/consequences of what you're doing please stop, and ask advice from somebody who does. 2) views are my own at the time of posting and do not necessarily represent my current view or the view of my employer and family members/relatives. 3) over the years Microsoft/Citrix/VMWare have given me a few free shirts, pens, paper notebooks/etc. despite these gifts i will try to remain unbiased.
This entry was posted in Debugging, VMWare, Windows PE.
