Is there always a log when you crash?

Hi ChrisStacy,

Yes it can if either the system is not set to save the error files, such as the minidumps,

or the type of error, usually hardware, prevents the error files being created. Though

rare no error information being recorded is possible. The EventViewer usually has some

sort of information about a crash and/or restart.

Check with these utilities to see if any information can be gathered :

This is an excellent tool for posting Blue Screen Error Information

BlueScreenView - Free - scans all your minidump files created during 'blue screen of death' crashes,

and displays the information about all crashes in one table.

http://www.nirsoft.net/utils/blue\_screen\_view.html

MyEventViewer can be checked at the time of the BlueScreen (BSOD) or other Events to within a

second or so of the time of the BSOD or Event to provide more information as to possible cause -

see TIP.

MyEventViewer - Free - a simple alternative to the standard event viewer of Windows.

TIP - Options - Advanced Filter allows you to see a time frame instead of the whole file -

set it to a bit before and after the time of the BSOD or Event.

http://www.nirsoft.net/utils/my\_event\_viewer.html

AppCrashView - Free - a small utility for Windows Vista and Windows 7 that displays the details

of all application crashes occurred in your system. The crashes information is extracted from the

.wer files created by the Windows Error Reporting (WER) component of the operating system every

time that a crash is occurred. AppCrashView also allows you to easily save the crashes list to

text/csv/html/xml file.

http://www.nirsoft.net/utils/app\_crash\_view.html

WinCrashReport - Free - provides an alternative to the built-in crash reporting program of

Windows operating system. When application crashes in your system and Windows displays

the internal crash window of the operating system, you can run WinCrashReport, and get

extensive report about the crashed application. The crash report of WinCrashReport is displayed

as simple text or in HTML, and includes the following information: Crash memory address,

Exception code, Exception description, Strings found in the stack, call stack, processor registers,

modules list, threads list, and more...

http://www.nirsoft.net/utils/application_crash_report.html

Hope this helps.

Rob Brown - Microsoft MVP <- profile - Windows Expert - Consumer : Bicycle <- Mark Twain said it right.

Here is some chatter about looking for events in the Event Viewer logs:

Look in the Event Viewer for clues around the time of the incident.

To see the Event Viewer logs, click Start, Settings, Control Panel, Administrative Tools, Event Viewer.

A shortcut to Event Viewer is to click Start, Run and in the box enter:

%SystemRoot%\system32\eventvwr.msc /s

Click OK to launch the Event Viewer.

The most interesting logs are usually the Application and System logs.

Some logs such as Security and Internet Explorer may be completely empty or have only a few items.  The default settings for XP is not to log all that activity unless you need to troubleshoot some issue in those areas.  If you enable the logging for them the logs fill up quickly and could negatively effect your system performance with all the extra (usually unnecessary) activity.

If you have Microsoft Office installed, it has its own logs and they may be empty or occasional boring activity or very little activity if there is no problem with your Office applications.  This is normal.

Not every event is a problem, some are informational messages that things are working okay and some are warnings.

However, no event should defy reasonable explanation.

Each event is sorted by Date and Time.  Errors will have red Xs, Warnings will have yellow !s.   Information messages have white is.  Not every Error or Warning event means there is a serious issue.   Some are excusable at startup time when Windows is booting.  Try to find just the events at the date

and time around your problem.

If you double click an event, it will open a Properties window with more information.  On the right are black up and down arrow buttons to scroll through the open events. The third button that looks like two pages on top of each other is used to copy the event details to your Windows clipboard.

When you find an interesting event that occurred around the time of your issue, click the third button under the up and down arrows to copy the details and then you can paste the details (right click, Paste or CTRL-V) the detail text back here for analysis.  Remove any personal information from your information after pasting if you are compelled to do so.

If you paste an Event, it will look something like this boring system startup event:

Event Type:    Information

Event Source:    Service Control Manager

Event Category:    None

Event ID:    7035

Date:        7/14/2010

Time:        5:54:18 PM

User:        Jose

Computer:    Computer

Description:

The Remote Access Connection Manager service was successfully sent a start control.

To get a fresh start on any Event Viewer log, you can choose to clear the log (backing up the log is offered), then reproduce your issue, then look at just the events around the time of your issue and troubleshoot the events that are happening when you have your issue.

You can look up events on the following World Wide Web site and get some ideas.  This is where folks have events they see and then post up their questions, ideas and solutions:

http://www.eventid.net/

If you find your event in the discussion, the first idea or discussion does not necessarily mean it is the "answer" for your situation, so read through all of the ideas to find the one that sounds most like your situation.

Get a new technician.

Sometimes there will be a record of the failure in the Event Viewer logs, sometimes not.  It depends on the severity of the problem.

Maybe you just can't see the BSOD and if you are having a BSOD, you need to tell XP not to reboot (so you can see it) and to save the crash dump file.

Here are some things to check out on your system, it your image allows you to do such things:

XP is set up to automatically reboot on some system failures, so you need to disable that feature so the Blue Screen of Death (BSOD) information will stay on the screen for you to see it.  You should also configure XP to create a small memory dump file for each BSOD so you will have a crash dump file

to look at later if more debugging is needed.

If your system crashes later, the information you need will still be on the screen and then you can use the information in the memory dump files to figure out what the problem is and fix it.

Configure your system to not automatically restart on system failure.

Right click My Computer, Properties, Advanced, Startup and Recovery Settings.

In the System failure section:

Put a check mark in the "Write an event to the system log" box

Put a check mark in the "Send an administrative alert" box

Uncheck the "Automatically restart" box

In the Write debugging information section, choose:

Small memory dump (64 KB)

Set the Small dump directory to:

%SystemRoot%\Minidump

Click OK, OK to save the settings.

Restart your computer and then wait for the next restart/crash.

If you do have a BSOD, here is a BSOD example showing information you need to provide:

http://techrepublic.com.com/i/tr/downloads/images/bsod_a.jpg

Send the information pointed to with the red arrows (3-4 lines total). 

Send the entire *** STOP message line since there are clues in the 4 parameters.

Skip the boring text unless it looks important to you.  We know what a BSOD looks like, we need to know what your BSOD looks like.

Hmmm...

Things like a thermal event when the CPU overheats will not generate an event because the CPU totally quits working, nor will entering Stand By or Hibernation (or coming out of it).

If the CPU gets so hosed it just can't function anymore, it may be so incapacitated that it can't write an event or a crash dump file.

I would go ahead and double check the automatic restart options and if there are crash dumps, you can look for them by date in this folder:

c:\windows\minidump

Of you have some recent ones or accumulate one, we can take a look at them.

Maybe you can find a certain sequence of events to cause the failure and get some more clues/ideas... 

Playing a game, watching videos, downloading some big files, number crunching, anything that might be CPU intensive... or it could be some third party application.

Some BIOS have options to halt on certain errors like thermal or memory errors (or they will just reboot) and they will sometimes display a useful message.

At the moment, I have no good ideas, but somebody else might.

Thanks!  Yes I know all about the Event log.

(I've been administering and developing for Windows machines for about 20 years).  My experience is that the system can fail without leaving any traces in the Event log, and no crash dump (even if it's turned on).   I think this happens in a catastrophic hardware reboot situation.   There is definitely no BSOD in the failure scenario I am having.

But my question really is:   I think the system can crash and leave no trace in the obvious places we know to look.    The tech says there will always be an event.

I imagine this is because the system makes a note on stable storage that is supposed to be guaranteed to be flushed, indicating that the system was booted.   And indeed the system was running normally for a long while.  When it reboots, it always looks for a corresponding Shutdown mark.  If there is none, then the system must have been rebooted unexpectedly because nothing got written about a Shutdown.

And yet I see nothing in the Event logs.   The tech says the correct logging is enabled (it's a standard corporate image; I didn't look to see, myself).  Therefore, in his mind, I am hallucinating.

Maybe it doesn't work the way I imagined above, and if it does, maybe that's slightly buggy under certain circumstances.    I mean -- duh -- I know the machine died out from under me.  Tech thinks I'm crazy and making it up or something.