Debugging MEMORY.DMP with WinDbg

Question

Hi,
a PC in my network is misteriously shutting down every lunch break. Since I don't have any particular reference in event viewer, I downloaded the Minidump file and opened in WinDbg.
After running run !analyze -v, the bugcheck analysis started but I can't understand the results. In particular many pages are missing, for example Page 84058e not present in the dump file. Type ".hh dbgerr004" for details.

the PC shutted down on 5.17 at 13:11, here the link of the file.
Can you help to understand the meaning?

Answer 1

The BSOD bugcheck was EA.

The misbehaving driver was amdkmdag.sys

This bugcheck is commonly seen with a misbehaving display driver or a malfunctioning video card.

The logs reported this bugcheck from 09/2021 to date.

Uninstall and reinstall the GPU card driver.

If there are continued BSOD with various drivers then plan to swap test the video card.

The swap test can be AMD or Nvidia.

Uninstall the video card using Display Driver Uninstaller (DDU).

Reinstall using the AMD website.

Make sure that the clean install box is checked.

https://www.wagnardsoft.com/display-driver-uninstaller-ddu-

https://www.sevenforums.com/tutorials/367109-display-driver-uninstaller-how-use.html

https://www.amd.com/en/support/kb/faq/gpu-131

https://www.amd.com/en/support/kb/faq/gpu-131#faq-Overview

https://www.amd.com/en/support/kb/faq/gpu-131#faq-Download-and-Setup

https://www.amd.com/en/support/kb/faq/gpu-131#faq-Additional-Resources

Download and install:
https://www.intel.com/content/www/us/en/download/18002/intel-driver-support-assistant.html

Report any additional drivers updated using either the AMD or Intel websites / software.

If there are any new BSOD then post a new V2 share link into the newest post.

Name AMD FirePro W5100
PNP Device ID PCI\VEN_1002&DEV_6649&SUBSYS_030C1002&REV_00\4&F5DCEB0&0&0008
Adapter Type AMD FirePro SDI (0x6649), Advanced Micro Devices, Inc. compatible
Adapter Description AMD FirePro W5100
Adapter RAM (1,048,576) bytes
Installed Drivers C:\WINDOWS\System32\DriverStore\FileRepository\u0366334.inf_amd64_f45fcc46e8aaf149\B365859\aticfx64.dll,C:\WINDOWS\System32\DriverStore\FileRepository\u0366334.inf_amd64_f45fcc46e8aaf149\B365859\aticfx64.dll,C:\WINDOWS\System32\DriverStore\FileRepository\u0366334.inf_amd64_f45fcc46e8aaf149\B365859\aticfx64.dll,C:\WINDOWS\System32\DriverStore\FileRepository\u0366334.inf_amd64_f45fcc46e8aaf149\B365859\amdxc64.dll
Driver Version 27.20.14540.4003
INF File oem2.inf (ati2mtag_R505 section)
Driver C:\WINDOWS\SYSTEM32\DRIVERSTORE\FILEREPOSITORY\U0366334.INF_AMD64_F45FCC46E8AAF149\B365859\AMDKMDAG.SYS (27.20.14540.4003, 75.45 MB (79,113,440 bytes), 4/19/2021 5:17 PM)

.
.
.
.
.

Please remember to vote and to mark the replies as answers if they help.

On the bottom of each post there is:

Propose as answer = answered the question

On the left side of each post there is /\ with a number: click = a helpful post
.
.
.
.
.

Answer 2

In the memory dump usually you can see which dll was called last, it's the starting point to find the culprit. If by example you see a disk controller .dll, you can asume you need to upgrade the driver / firmware of the device.

You can post a printscreen of the callstack so we can see it.

Answer 3

Please run the V2 log collector and post a share link into this thread using one drive, drop box, or google drive.

https://www.tenforums.com/bsod-crashes-debugging/2198-bsod-posting-instructions.html

https://www.elevenforum.com/t/bsod-posting-instructions.103/

.
.
.
.
.

Please remember to vote and to mark the replies as answers if they help.

On the bottom of each post there is:

Propose as answer = answered the question

On the left side of each post there is /\ with a number: click = a helpful post
.
.
.
.
.

Answer 4

Hi there,

If you are not familiar with minidump you can try other conventional tools to find the reason for the shutdown. Process Monitor is an advanced monitoring tool for Windows that shows real-time file system, Registry, and process/thread activity. You can get the tool from here https://learn.microsoft.com/en-us/sysinternals/downloads/procmon

System Monitor (Sysmon) is a Windows system service and device driver that, once installed on a system, remains resident across system reboots to monitor and log system activity to the Windows event log. You can get the tool from here https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon

Based on the output from the above tools you can start the troubleshooting process.

--------------------------------------------------------------------------------------------------------------------------------------------

--If the reply is helpful, please Upvote and Accept it as an answer–

Answer 5

The logs were in a foreign language and could not be scanned or read.

Please modify the default language to English during the troubleshooting and post a new V2 so that the logs can be scanned.

https://www.tenforums.com/tutorials/3813-add-remove-change-display-language-windows-10-a.html

https://www.tenforums.com/tutorials/136792-change-display-language-windows-10-a.html

Run:

(bat files by design trigger AV software and require manual overrides)

https://www.tenforums.com/attachments/bsod-crashes-debugging/360137d1645183388-batch-files-use-bsod-debugging-tuneup_plus_log.bat

Post a share link into this thread using one drive, drop box, or google drive.

List any of these installed non-Microsoft software:
a) antivirus
b) firewall
c) drive encryption

Open administrative command prompt and type or copy and paste:

msdt.exe -id WindowsUpdateDiagnostic

For the windows troubleshooter click on view detailed information > post images or share links into this thread using one drive, drop box, or google drive.

.
.
.
.
.

Please remember to vote and to mark the replies as answers if they help.

On the bottom of each post there is:

Propose as answer = answered the question

On the left side of each post there is /\ with a number: click = a helpful post
.
.
.
.
.