A Windows NT STOP screen contains five major sections, as shown in Figure 38.1. Whenever a STOP error occurs, you should examine at least the BugCheck Information section for analysis when troubleshooting the problem. The next most useful information is the filenames listed on the right side of the stack dump (Section 4).
These indicators provide serial communication information, much like the indicators on a modem. This area shows DSR and CTS. Also, the text "SND" flashes to indicate that data is being sent to the COM port. The COM port being used is detailed in Section 5: Debug Port Information.
This section contains the error code—up to four developer-defined parameters — and an interpretation of the error. In Figure 38.1, the error code is 0x0000000A. The error code can also be called a BugCheck code.
Under some conditions, the Kernel displays only the top line of the STOP message. This can occur if vital services needed for the display have been affected by the trap condition.
This section lists driver information in three columns. The first two columns list the preferred load address (base address in memory) and the link time stamp (dated created) for each loaded driver. The third column displays the names of all drivers loaded on the computer at the time the STOP message occurred. This information is important because many STOP messages contain in their parameter list the address of the instruction that caused the error. The date-stamp (seconds since 1970) can be converted to the common date/time format by using Cvtime.exe.
This is the build number of the kernel, Ntoskrnl.exe (Build 1057 in Figure 38.1). The presence of service packs and third-party device drivers is not indicated because this is the base build number only.
The dump portion is a stack dump. Rather than showing the name of specific functions, it shows the range of addresses that pertain to the module that failed. A true stack trace requires the kernel debugger.
Sometimes, the top few lines can tell what component or driver caused the error. For example:
Section 4: Kernel Build Number and Stack Dump
Address dword dump Build [1057] - Name
8014004c fc873d6c fc873d6c ff05e051 00000000 ff05e04b 0000002f - i8042prt.SYS <-
8014007c 801400c4 801400c4 00000000 00000023 00000023 00000037 - ntoskrnl.exe
80140098 fc87258e fc87258e 801400e8 00000030 ff0d141c ff0d1598 - i8042prt.SYS
8014009c 801400e8 801400e8 00000030 ff0d141c ff0d1598 00000002 - ntoskrnl.exe
The topmost routines on the stack do not always represent the failing code. The code for various kernel trap handlers might execute last as the error information is preserved. This depends on the particular trap error.
This section provides confirmation of the communications parameters (COM port and baud rate) used by the Kernel debugger on the target computer, if enabled. It also confirms whether a dump file was created.