Filtering event viewer for BSOD data

Vedang Agarwal 0 Reputation points
2024-09-18T09:17:32.76+00:00

Requirement:- I need to fetch system crashes(kernel level crash in which your machine restarts or basically just crashes). I found the best way to be filtering through event viewer events. For that I found as of now, the best way to approach is filter using LogName : System,

EventId: 6008, 41, 1001, **Level:**1,2(Error, Critical) Do you suggest anything else?

Also, I found Id’s 1003 and 101 also reporting BSOD causes, but not everytime. Such as they report small issues with DHCP client and clock respectively. Refer the links:-

  1. https://answers.microsoft.com/en-us/windows/forum/all/error-id-1003-your-computer-was-not-able-to-renew/d46c1bd4-792b-42a5-b2f9-b166b2ee5025
    2)Redirecting
    3)https://www.sevenforums.com/bsod-help-support/210666-bsod-101-clock-interrupt-not-received-secondary-processor.html

Consider I have to accurately and exhaustively represent these crashes, what shall I do more?

Windows for business Windows Client for IT Pros User experience Other
0 comments No comments
{count} votes

3 answers

Sort by: Most helpful
  1. Samuel wales 0 Reputation points
    2024-09-18T14:06:14.2966667+00:00

    our approach to filtering system crashes using the Event Viewer is solid. The event IDs you've chosen are relevant for capturing critical errors and unexpected shutdowns. Here’s a brief overview of each:

    • Event ID 6008: Indicates an unexpected shutdown.
    • Event ID 41: Kernel Power event that occurs when the system reboots without a clean shutdown.
    • Event ID 1001: Usually associated with BugCheck events, which can indicate system crashes.

    Additional Suggestions

    Include More Event IDs:

    • Event ID 1074: Indicates a clean shutdown initiated by a process or a user.
    • Event ID 101: Part of Windows Error Reporting, which can provide additional context about the crash. Check for Specific Error Codes:- Look for specific error codes in the event details that can provide more insight into the nature of the crash. Use Additional Filters:
      • Consider filtering by Source. Common sources include:
        - **Kernel-General**
        
              - **Kernel-Power**
        
                    - **BugCheck**
        
                    **Monitor for Memory Dumps**:
        
                       - You can also check if memory dump files were created during crashes. These can provide detailed insights for debugging.
        
                       **Power Events**:
        
                          - Monitor **Event ID 6006** (Event Log service stopped) and **6005** (Event Log service started) for additional context around shutdown events.
        
    1. Use a Script for Automation:
      • You can automate the retrieval of these events using PowerShell or a similar scripting language. Here’s a simple PowerShell command example:our approach to filtering system crashes using the Event Viewer is solid. The event IDs you've chosen are relevant for capturing critical errors and unexpected shutdowns. Here’s a brief overview of each:
      • Event ID 6008: Indicates an unexpected shutdown.
      • Event ID 41: Kernel Power event that occurs when the system reboots without a clean shutdown.
      • Event ID 1001: Usually associated with BugCheck events, which can indicate system crashes.
      Additional Suggestions
      1. Include More Event IDs:
        • Event ID 1074: Indicates a clean shutdown initiated by a process or a user.
        • Event ID 101: Part of Windows Error Reporting, which can provide additional context about the crash.
      2. Check for Specific Error Codes:
        • Look for specific error codes in the event details that can provide more insight into the nature of the crash.
      3. Use Additional Filters:
        • Consider filtering by Source. Common sources include:
        • Kernel-General
        • Kernel-Power
        • BugCheck
      4. Monitor for Memory Dumps:
        • You can also check if memory dump files were created during crashes. These can provide detailed insights for debugging.
      5. Power Events:
        • Monitor Event ID 6006 (Event Log service stopped) and 6005 (Event Log service started) for additional context around shutdown events.
      6. Use a Script for Automation:
        • You can automate the retrieval of these events using PowerShell or a similar scripting language. Here’s a simple PowerShell command example:
                     Get-WinEvent -LogName System -FilterHashtable @{Id=6008,41,1001} | Where-Object { $_.LevelDisplayName -in @("Error", "Critical") }
                     
          
          Conclusion Your current selection is a strong foundation, but consider adding the suggested event IDs and additional filters for a more comprehensive analysis of system crashes. This will help you gather better insights into the causes of kernel-level crashes.
        • Sam W.
    0 comments No comments

  2. Vedang Agarwal 0 Reputation points
    2024-09-19T04:57:24.52+00:00

    Regarding your additional events id's
    Event ID 1074: Indicates a clean shutdown initiated by a process or a user.

    Event ID 101: Part of Windows Error Reporting, which can provide additional context about the crash.

    How doe event 1074 make sense, when it is created when a cleean shutdown is initiated by the user. Such cases don't happen during BSOD right.

    Secondly event 101, I can see that it provides BSOD events at time but generally are not BSOD events and are from source Microsoft-Windows-TaskScheduler/Operational. What filter should I apply to this event to make it more robust for my use case?

    0 comments No comments

  3. Anonymous
    2024-09-20T01:40:40.54+00:00

    Hi Vedang,

    Thanks for your post. Basically, for BSOD issue, Kernel debugging is especially useful when other troubleshooting techniques fail, or for a recurring problem. Remember to capture the exact text in the bug check information section of the error message. To isolate a complex problem and develop a viable workaround, it's useful to record the exact actions that lead to the failure.

    The !analyze debug extension displays information about the bug check and can be helpful in determining the root cause.

    You can also set a breakpoint in the code leading up to this stop code and attempt to single step forward into the faulting code.

    For more information, see the following articles:

    Crash dump analysis using the Windows debuggers (WinDbg)

    Analyzing a kernel-mode dump file with WinDbg

    More information: Analyze Bug Check Blue Screen Data - Windows drivers | Microsoft Learn

    Best Regards,

    Ian Xue


    If the Answer is helpful, please click "Accept Answer" and upvote it.

    0 comments No comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.