Automatically Reporting BSoD’s

Sooner or later, everyone will encounter the Blue Screen of Death (BSoD) (Figure 1). A BSoD will occur when a system failure happens at the Windows kernel level due to an issue with a Windows driver and/or hardware failure takes place. When these happen, an organization should have procedures and workflows in place to log the incident and to investigate the root cause. 

Often BSoDs never get addressed since a help desk ticket needs to be opened, and files need to be collected and examined so most users simple allow the system to reboot and do not report them. By not being alerted to BSoD’s the help desk can not investigate the reason for that BSoD and see if there is a larger trend with systems BSoD’ing.

In this blog, I will show you how to automate the process of being alerted to BSoD’s using Edge DX.

Figure 1

Collecting Information about the BSoD

When a BSoD happens, Windows will collect information about the machine’s state when it occurred. You have different options about what information to collect, the most popular is to create a small memory dump, or minidump, of this information. Minidumps contain the smallest amount of data about the problem, such as the stop code for the BSoD, a list of all the loaded drivers, and some processor and kernel information. This information is stored in the %SystemRoot%Minidump (C:\Windows\Minidump) folder. 

Configuring a System for Minidumps

By default, systems are NOT configured to create minidumps. However, configuring a system for one is quite simple by completing the following steps:

1. Type sysdm.cpl into the Windows Search box.
2. Click the Advanced tab and select Settings under Startup and Recovery (Figure 2).

Figure 2: Settings

1. Enable the following options: write an event to the system log; automatically restart; automatic memory dump; and overwrite any existing file. Also verify that the dump file location (Figure 3) is %SystemRoot%\MEMORY.DMP. Then, click OK. 

Figure 3: Dump location

Automatically Reporting a BSoD

Edge DX can be configured to recognize when a BSoD occurs and then to send a webhook, run a custom action (script), and/or send an email alert to someone.

The trigger you need to use is stored in the Edge DX win_even_log data index with an event_id of 41, which indicates that the system rebooted without cleanly shutting down first. Although this is not a definitive indicator of a BSoD it does suggest that a BSoD may have occurred and something bad happened on the system that needs to be investigated.

The screenshot below (Figure 4) shows this trigger and that a custom action (Demo_SNOW_BSOD_Ticket)  is enacted and the helpdesk is emailed when this occurs.

Figure 4: Trigger Settings

The script opens a ServiceNow ticket and then sends the contents of the %SystemRoot%\MEMORY.DMP folder to a central repository. The contents of this script are not shown as each company will have its method (SMB, FTS, SCP, etc.) to move the file to a central repository, and the opening of a service now ticket in Edge DX is covered in this blog. 

The key point here is a BSoD can automatically be detected by Edge DX, and a workflow can be initiated automatically by Edge DX rather than relying on the user to initiate the process manually.

To see a video of this in action, click here. For more information on how Edge DX can streamline the notification and collection of devices that have experienced a BSoD, schedule a demo with a ControlUp sales engineer.