Filtering event viewer for BSOD data

Question

Requirement:- I need to fetch system crashes(kernel level crash in which your machine restarts or basically just crashes). I found the best way to be filtering through event viewer events. For that I found as of now, the best way to approach is filter using LogName : System,

EventId: 6008, 41, 1001, **Level:**1,2(Error, Critical) Do you suggest anything else?

Also, I found Id’s 1003 and 101 also reporting BSOD causes, but not everytime. Such as they report small issues with DHCP client and clock respectively. Refer the links:-

1. https://answers.microsoft.com/en-us/windows/forum/all/error-id-1003-your-computer-was-not-able-to-renew/d46c1bd4-792b-42a5-b2f9-b166b2ee5025
   2)Redirecting
   3)https://www.sevenforums.com/bsod-help-support/210666-bsod-101-clock-interrupt-not-received-secondary-processor.html

Consider I have to accurately and exhaustively represent these crashes, what shall I do more?

Answer 1

our approach to filtering system crashes using the Event Viewer is solid. The event IDs you've chosen are relevant for capturing critical errors and unexpected shutdowns. Here’s a brief overview of each:

• Event ID 6008: Indicates an unexpected shutdown.
• Event ID 41: Kernel Power event that occurs when the system reboots without a clean shutdown.
• Event ID 1001: Usually associated with BugCheck events, which can indicate system crashes.

Additional Suggestions

Include More Event IDs:

• Event ID 1074: Indicates a clean shutdown initiated by a process or a user.
• Event ID 101: Part of Windows Error Reporting, which can provide additional context about the crash. Check for Specific Error Codes:- Look for specific error codes in the event details that can provide more insight into the nature of the crash. Use Additional Filters:
  • Consider filtering by Source. Common sources include:

    - **Kernel-General**
    
          - **Kernel-Power**
    
                - **BugCheck**
    
                **Monitor for Memory Dumps**:
    
                   - You can also check if memory dump files were created during crashes. These can provide detailed insights for debugging.
    
                   **Power Events**:
    
                      - Monitor **Event ID 6006** (Event Log service stopped) and **6005** (Event Log service started) for additional context around shutdown events.
    

1. Use a Script for Automation:
   • You can automate the retrieval of these events using PowerShell or a similar scripting language. Here’s a simple PowerShell command example:our approach to filtering system crashes using the Event Viewer is solid. The event IDs you've chosen are relevant for capturing critical errors and unexpected shutdowns. Here’s a brief overview of each:
   • Event ID 6008: Indicates an unexpected shutdown.
   • Event ID 41: Kernel Power event that occurs when the system reboots without a clean shutdown.
   • Event ID 1001: Usually associated with BugCheck events, which can indicate system crashes.
   Additional Suggestions
   1. Include More Event IDs:
      • Event ID 1074: Indicates a clean shutdown initiated by a process or a user.
      • Event ID 101: Part of Windows Error Reporting, which can provide additional context about the crash.
   2. Check for Specific Error Codes:
      • Look for specific error codes in the event details that can provide more insight into the nature of the crash.
   3. Use Additional Filters:
      • Consider filtering by Source. Common sources include:
      • Kernel-General
      • Kernel-Power
      • BugCheck
   4. Monitor for Memory Dumps:
      • You can also check if memory dump files were created during crashes. These can provide detailed insights for debugging.
   5. Power Events:
      • Monitor Event ID 6006 (Event Log service stopped) and 6005 (Event Log service started) for additional context around shutdown events.
   6. Use a Script for Automation:
      • You can automate the retrieval of these events using PowerShell or a similar scripting language. Here’s a simple PowerShell command example:

                   Get-WinEvent -LogName System -FilterHashtable @{Id=6008,41,1001} | Where-Object { $_.LevelDisplayName -in @("Error", "Critical") }
                   
        

        Conclusion Your current selection is a strong foundation, but consider adding the suggested event IDs and additional filters for a more comprehensive analysis of system crashes. This will help you gather better insights into the causes of kernel-level crashes.
      • Sam W.

Answer 2

Regarding your additional events id's
Event ID 1074: Indicates a clean shutdown initiated by a process or a user.

Event ID 101: Part of Windows Error Reporting, which can provide additional context about the crash.

How doe event 1074 make sense, when it is created when a cleean shutdown is initiated by the user. Such cases don't happen during BSOD right.

Secondly event 101, I can see that it provides BSOD events at time but generally are not BSOD events and are from source Microsoft-Windows-TaskScheduler/Operational. What filter should I apply to this event to make it more robust for my use case?

Answer 3

Hi Vedang,

Thanks for your post. Basically, for BSOD issue, Kernel debugging is especially useful when other troubleshooting techniques fail, or for a recurring problem. Remember to capture the exact text in the bug check information section of the error message. To isolate a complex problem and develop a viable workaround, it's useful to record the exact actions that lead to the failure.

The !analyze debug extension displays information about the bug check and can be helpful in determining the root cause.

You can also set a breakpoint in the code leading up to this stop code and attempt to single step forward into the faulting code.

For more information, see the following articles:

Crash dump analysis using the Windows debuggers (WinDbg)

Analyzing a kernel-mode dump file with WinDbg

More information: Analyze Bug Check Blue Screen Data - Windows drivers | Microsoft Learn

Best Regards,

Ian Xue

---

If the Answer is helpful, please click "Accept Answer" and upvote it.