How to troubleshoot bluescreen issues

Version 22

    Verified Product Versions

    Endpoint Manager 9.5, Endpoint Manager 9.6, Endpoint Manager 2016.x

    Description

     

    This article is intended to help you understand the common causes of a BSOD (Blue Screen of Death) and perform a basic check of the memory dump file. In-depth analysis requires full knowledge of the Windows kernel.

     

    Example of a blue screen error:

    bluescreen1.gif


     


    Downloading and installing Windows Debugger from the SDK tools

     

    In order to install Windows Debugger to analyze the memory dump, please see the following link.

     

    Windows 10 SDK - Windows app development


    After downloading the Windows SDK, please do the following:

     

      1. Run the downloaded sdksetup.exe
      2. Accept default file paths and click Next
      3. Answer the Windows Kits Privacy participation option and click Next and then click Accept
      4. Deselect all options on the left-hand side except Debugging Tools for Windows and click Install

        WindowsDebugger.jpg

       For more general information about setting up WinDbg: How to Setup WinDBG

     

     

    Setting up the Symbol File download paths in Windows Debugger

     

    Prior to loading a Crash dump into Windows Debugger, make sure that you have the path for Symbol files set.  This will allow Windows Debugger to download the Symbol files for both the LANDESK files and for the Microsoft files.

     

    To set the symbol file path:

     

      1. Open Windows Debugger (WinDbg.exe)
      2. Click the File menu and go to Symbol File Path
      3. Copy and paste the line below:
        srv*C:\Symbols\MSsymbols*http://msdl.microsoft.com/download/symbols
      4. Go to the File menu and select "Save Workspace"

     

    This will cause the Symbol files to be downloaded as needed.  The Microsoft symbol files will be downloaded from the http://msdl.microsoft.com/download/symbols path and stored in C:\Symbols\MSsymbols (the local cache directory named in the symbol path above).

     

    To understand more about the Symbol Path syntax: Symbol path for Windows debuggers

     

    Note: To save your symbol file path for future sessions, be sure to answer "Yes" to "Save Workspace?" when exiting.

     

    Interpreting the memory dump

     

    Blue screens are caused by conflicts or issues with drivers.  Drivers operate at a kernel level with the operating system vs. the user level which the applications on top of the OS run in.

     

    There are only 3 components that use drivers within LANDESK Management Suite.

     

    It is possible WMI calls and other calls that gather information about drivers *could* cause a blue screen, however this is rare.

     

    These 3 components and the driver files will be located in C:\Windows\System32\Drivers and are:

     

    LANDESK Antivirus: kl1.sys, klflt.sys, klif.sys, klim6.sys, kltdi.sys, kneps.sys  (Depending on version these driver names may vary somewhat).  Look in the driver folder and add "Company" to the column set; this will show you all Kaspersky drivers.

    LANDESK Endpoint Security: LDSECDRV.SYS

    LANDESK Remote Control (only when mirror driver is enabled): mirrorflt.sys, mirrorflt64.sys

     

    The number one contributor to blue screens is a conflict with other software.  Typically this will be software that contains a filter-level driver.


    General steps

     

      1. Duplicate the BSOD issue and gather the DUMP file as detailed in article How to troubleshoot LANDESK Device Control
      2. Open the dump file with windbg.  The dump file is typically found in the C:\Windows folder by default.
        (Make sure you can successfully open the dump file. If you open the dump file and see an error message as shown below, this dump file is likely corrupted and will need to be gathered again.)
        Executable search path is:
        *************************************************************************
        THIS DUMP FILE IS PARTIALLY CORRUPT.
        KdDebuggerDataBlock is not present or unreadable.
        *************************************************************************
      3. Click the !analyze -v option or type !analyze -v in the command bar at the bottom of the WinDBG screen.
      4. Click the driver name in blue next to MODULE_NAME: for more specific information about that problematic module.

     

    If troubleshooting LANDESK Endpoint Security, ensure that the client is using the latest EPS driver; you can check LDSecDrv.sys located in the C:\Windows\System32\Drivers directory on the affected machine.  It is quite common for the Core Server to be updated while some clients are not.  This should always be checked before submitting a support ticket.  It is a best practice to always ensure you have the latest component patch.  The latest component patch can be installed on a single computer for testing purposes by doing the following:

     

      1. Extract the EPS component patch (the default directory is C:\landesk_patches).
      2. Go to the landesk_patches directory and then to the directory created for the extracted component patch.
      3. Extract the main.zip file (not the -client.zip file).
      4. Navigate to the Updates -> 1 -> Image folder in the newly created unzipped directory.
      5. Make a backup of the existing files in the LDCLIENT\HIPS folder on the client.  (Endpoint Security will need to be stopped first).
      6. Copy all of the files from the UPDATES\1\IMAGE folder from the patch into the LDCLIENT\HIPS folder on the client.
      7. Run HIPSClientConfig.exe on the client.  Wait 10 seconds and then reboot the computer (This will install the new driver).
      8. Test the issue.

     

    You can also run the “lm n t” command within WinDBG to list all loaded modules at the time of the crash (This stands for "loaded modules name and time"):

    dump.png

    Using "!analyze -v" will give further information on the offending driver.  Once it returns this information, the offending driver name is returned and highlighted in blue.

    Clicking on the driver or system file name returned will give further information about that file.
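As an added example (not part of the original article), the following Python script triages text pasted from WinDbg: it flags the corrupt-dump banner shown in the General steps, pulls the MODULE_NAME, IMAGE_NAME and bugcheck fields out of "!analyze -v" output, and maps the faulting image to the three LANDESK components listed above. The sample output strings are constructed, not real crash data.

```python
import re

# Driver-to-component table as listed in this article (names vary by version).
LANDESK_DRIVERS = {
    "LANDESK Antivirus": {"kl1.sys", "klflt.sys", "klif.sys", "klim6.sys",
                          "kltdi.sys", "kneps.sys"},
    "LANDESK Endpoint Security": {"ldsecdrv.sys"},
    "LANDESK Remote Control (mirror driver)": {"mirrorflt.sys", "mirrorflt64.sys"},
}
# Banner WinDbg prints for a damaged dump (quoted in the General steps above).
CORRUPT_MARKERS = ("THIS DUMP FILE IS PARTIALLY CORRUPT",
                   "KdDebuggerDataBlock is not present or unreadable")
# Key/value lines emitted by !analyze -v; older WinDbg builds print BUGCHECK_STR,
# newer ones print BUGCHECK_CODE, so both are accepted.
FIELD_RE = re.compile(
    r"^(MODULE_NAME|IMAGE_NAME|BUGCHECK_STR|BUGCHECK_CODE|PROCESS_NAME):\s*(\S+)",
    re.MULTILINE)

def triage(windbg_output: str) -> dict:
    """Summarise pasted WinDbg text: is the dump usable, which image faulted,
    and does that image belong to one of the three LANDESK components?"""
    summary = {
        "dump_corrupt": any(m in windbg_output for m in CORRUPT_MARKERS),
        "fields": dict(FIELD_RE.findall(windbg_output)),
        "component": None,
    }
    if summary["dump_corrupt"]:
        return summary  # nothing else in the output is trustworthy; re-gather the dump
    fields = summary["fields"]
    # IMAGE_NAME carries the file name; fall back to MODULE_NAME + ".sys" if it is absent.
    image = fields.get("IMAGE_NAME") or (fields.get("MODULE_NAME", "") + ".sys")
    fields["IMAGE_NAME"] = image
    for component, drivers in LANDESK_DRIVERS.items():
        if image.lower() in drivers:
            summary["component"] = component
    return summary

# Constructed sample of the key lines from a !analyze -v run (not real crash data).
SAMPLE_ANALYZE = """\
SYSTEM_THREAD_EXCEPTION_NOT_HANDLED (7e)
BUGCHECK_CODE:  7e
PROCESS_NAME:  System
MODULE_NAME: klif
IMAGE_NAME:  klif.sys
"""
# Constructed sample of the damaged-dump banner quoted in this article.
SAMPLE_CORRUPT = """\
THIS DUMP FILE IS PARTIALLY CORRUPT.
KdDebuggerDataBlock is not present or unreadable.
"""
```

A result with "component" set to None means the faulting image is not one of the LANDESK drivers, which points at the third-party filter driver conflicts this article describes.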

                      

     

    Common Causes

     

      • Nvidia Drivers
      • Symantec Antivirus being outdated (update of Symantec resolves the issue)
      • Mirror Driver (removing the mirror driver resolves the issue or identifying a graphics card driver that is likely conflicting)