Recently, a friend of mine had the following problem: his computer crashed exactly 2 hours after booting into Windows. As usual, I opened windbg and ran !analyze -v on the minidumps, but I didn't get any useful information:
Unfortunately, windbg doesn't have any other information from the call stack, so it can only point to the Windows kernel. This is common behaviour when a driver really messes things up. Be aware that when this happens, you might have to do some more advanced digging or some more "trial and error" (like I did). I'm sure the problematic driver could have been found using Driver Verifier or some more advanced techniques, but here I would like to show a quick-and-dirty solution.
Since the problem happened exactly 2 hours after he booted into Windows, this could not be a hardware problem (a hardware problem would occur more randomly). Also, from the bugcheck code it is obvious that a driver is at fault. As a first step, I executed
lm and lm kv m specific_driver*
to list all the drivers loaded on the system and to get detailed information about some "interesting" ones. I saw that no driver was loaded at an address close to 0x865d6668.
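Checking an address against the `lm` module list by hand is error-prone, so here is an added example (not from the original post) that parses `lm`-style output and reports which module, loaded or unloaded, contains a given address, or the nearest one when none does. The `lm` text and the module names other than nt, hal and ndis are constructed placeholders, not the author's real dump.

```python
import re
from dataclasses import dataclass

# Constructed sample of 32-bit `lm` output; exampledrv and olddrv.sys are hypothetical.
LM_OUTPUT = """\
start    end        module name
804d7000 806e4000   nt         (pdb symbols)   c:\\symbols\\ntoskrnl.pdb
806e4000 80704000   hal        (deferred)
86400000 86430000   exampledrv (no symbols)
8a000000 8a100000   ndis       (deferred)
Unloaded modules:
89f00000 89f20000   olddrv.sys
"""

# start address, end address, module name; the rest of the line is ignored
MODULE_LINE = re.compile(r"^([0-9a-fA-F]+)\s+([0-9a-fA-F]+)\s+(\S+)")

@dataclass
class Module:
    name: str
    start: int
    end: int
    unloaded: bool

def parse_lm(text):
    """Turn `lm` text into Module records; lines after 'Unloaded modules:' are tagged unloaded."""
    mods, unloaded = [], False
    for line in text.splitlines():
        if line.startswith("Unloaded modules"):
            unloaded = True
            continue
        m = MODULE_LINE.match(line)
        if m:
            mods.append(Module(m.group(3), int(m.group(1), 16), int(m.group(2), 16), unloaded))
    return mods

def find_module(addr, mods):
    """Return (module, offset) for the module whose [start, end) range holds addr, else None."""
    for mod in mods:
        if mod.start <= addr < mod.end:
            return mod, addr - mod.start
    return None

def nearest_module(addr, mods):
    """When no module holds addr, return the closest module and its distance in bytes."""
    def distance(mod):
        return 0 if mod.start <= addr < mod.end else min(abs(addr - mod.start), abs(addr - mod.end))
    best = min(mods, key=distance)
    return best, distance(best)

if __name__ == "__main__":
    mods = parse_lm(LM_OUTPUT)
    addr = 0x865D6668  # the address from the author's bugcheck
    hit = find_module(addr, mods)
    if hit:
        print(f"{addr:#x} is in {hit[0].name}+{hit[1]:#x}" + (" (unloaded)" if hit[0].unloaded else ""))
    else:
        mod, dist = nearest_module(addr, mods)
        print(f"{addr:#x} is not inside any module; nearest is {mod.name}, {dist:#x} bytes away")
```

An address that lands in an unloaded module's range is worth noting separately, since a driver that was unloaded shortly before the crash is a common culprit that `lm` alone does not flag.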
The next step was to try to isolate drivers that seemed more suspicious than others. I found that an easy way to look at the drivers running on a system is DriverView. This tool shows approximately the same information as windbg (driver name, corresponding filename, description, company name, etc.), but also has a nice GUI. So, after finding some "interesting" cases, the next step was to uninstall some drivers. Of course, before that I tried enabling Driver Verifier on different driver categories, but this took quite some time and I opted for an easier solution :)
The problem here was that by default not all drivers are visible from the Control Panel. In order to show all drivers (even the hidden ones), you need to do the following:
Of course, if you want a tool that lets you remove drivers easily, you can download Driver Manager, which shows the list of running drivers and allows you to disable or remove them.
So, in my case, after removing different sets of suspicious drivers, the culprit was found and removed from the system, and everything is now back to normal :)
Thank goodness I finally found this source.
I have been struggling to learn for a long time.
Showing drivers for nonpresent devices is not THAT hard -- just add this to the registry one time:
That's a DWORD, I think.
Then log off and log on.
Now, for the life of that computer (installation), in the regular device manager, click the option View/Show Hidden Devices. There you go.
I keep a file holding this registry entry on my USB thumb drive, to merge into the registry when I'm trying to debug anyone's computer. Often there are a couple of obsolete monitors and printers that don't need to remain.
That's a good addition, Dvid. Thanks.
When running AVG, it shows that there is a hidden driver in my system. How can I remove it? AVG cannot do it.