
[Recommended] How to Handle Abnormal Restart of Windows System and Blue Screen

Last Updated: Nov 28, 2022

Note

Disclaimer: This topic may contain information about third-party products. The information is for reference only. Alibaba Cloud does not make a guarantee, explicitly or implicitly, with respect to the performance and reliability of the third-party products, and potential impacts of operations on the products.

Issue

On Windows, you may occasionally encounter a blue screen (BSOD, Blue Screen of Death). When the Windows operating system encounters an exception, it deliberately halts with a blue screen to prevent data loss. If memory dump (crash dump) collection is configured, the system automatically writes a blue screen dump to the specified directory. The default file is C:\Windows\memory.dmp.

Cause

An operating system blue screen can have a variety of causes, some of which are listed below.

  • Damage to system files and the registry caused by misoperation or a virus.

  • Abnormal memory access caused by driver compatibility problems with the operating system.

  • A bug in the operating system itself.

  • An abnormal third-party antivirus software driver.

When the operating system shows a blue screen, it displays the corresponding bug check code (see the Bug Check Code Reference) and the modules that may have caused the blue screen. The screen also gives a rough explanation of the cause of the problem.

Solution

Note

Take note of the following items:

  • Before you perform high-risk operations, for example, modify the configurations or data of Alibaba Cloud instances, we recommend that you check the disaster recovery and fault tolerance capabilities of the instances to ensure data security.

  • You can modify the configurations and data of Alibaba Cloud instances, such as Elastic Compute Service (ECS) and ApsaraDB RDS instances. We recommend that you create snapshots or enable RDS log backup before you modify instance configurations or data.

  • If you granted permissions to users or submitted sensitive information such as logon usernames and passwords in Alibaba Cloud Management Console, we recommend that you modify the information at the earliest opportunity.

Microsoft's official Bug Check Code Reference describes how to handle Windows blue screens. For more information, see Practical operations and Follow-up plan.

Practical operations

Based on Microsoft's official suggestions and day-to-day troubleshooting experience, we recommend the following operations to prevent blue screens and possible data loss.

  • Enable Server Guard protection or another commercial antivirus tool on the ECS instance, run virus scans regularly, and keep the antivirus software up to date to prevent blue screens caused by viruses or by compatibility problems between antivirus software drivers and the operating system.

  • Run Windows Update regularly to ensure that the latest security updates from Microsoft are installed.

  • Do not put important data on the system disk. Use the data disk instead.

  • Periodically take snapshots of system disks and data disks so that you can restore data if problems occur.

  • Back up the registry files before modifying the system registry to avoid modifying the system files.

Follow-up plan

If a Windows instance is suddenly disconnected and cannot be connected to remotely, and the logs show an abnormal restart, a blue screen may have occurred. Use the following methods to verify.

  • Method 1: In the Event Viewer, open the System log. If, at the time the problem occurred, you see an event with event ID 46 from the source "volmgr", a blue screen has occurred before. However, dump collection failed because the page file and the memory dump file are not configured, so crash dump initialization was unsuccessful.

  • Method 2: If blue screen dump collection was configured correctly beforehand, the System log contains a critical Kernel-Power error with event ID 41, indicating that the system recovered from an unexpected shutdown, and a log entry with event ID 1001 and BugCheck, indicating that the system crashed.
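Both methods can be checked from PowerShell on the affected instance instead of browsing the Event Viewer. The following is an added example and not part of the original Alibaba Cloud topic; the function name Get-BlueScreenVerdict, the 7-day window, and the provider-name patterns are assumptions made for illustration.

```powershell
# Added example, not Alibaba Cloud's code. Classifies System-log events
# according to Method 1 and Method 2 above.
function Get-BlueScreenVerdict {
    param([object[]]$Events)
    # Provider-name patterns are assumptions: Event Viewer shows event 1001 with
    # source "BugCheck"; its provider name may read WER-SystemErrorReporting.
    $dumpInit = @($Events | Where-Object { $_.Id -eq 46   -and $_.ProviderName -match 'volmgr' })
    $unclean  = @($Events | Where-Object { $_.Id -eq 41   -and $_.ProviderName -match 'Kernel-Power' })
    $bugCheck = @($Events | Where-Object { $_.Id -eq 1001 -and
                  $_.ProviderName -match 'BugCheck|WER-SystemErrorReporting' })

    if ($bugCheck.Count -gt 0 -and $unclean.Count -gt 0) {
        'Method 2 match: Kernel-Power 41 and BugCheck 1001 found, the system crashed'
    } elseif ($dumpInit.Count -gt 0) {
        'Method 1 match: volmgr 46 found, crash dump initialization failed'
    } elseif ($unclean.Count -gt 0) {
        'Kernel-Power 41 only: unexpected shutdown, blue screen not confirmed'
    } else {
        'No abnormal restart events found'
    }
}

# Constructed sample (not real log data) showing the Method 2 pattern.
$sample = @(
    [pscustomobject]@{ Id = 41;   ProviderName = 'Microsoft-Windows-Kernel-Power' }
    [pscustomobject]@{ Id = 1001; ProviderName = 'BugCheck' }
)
Get-BlueScreenVerdict -Events $sample

# Live query of the System log; the 7-day window is an arbitrary choice.
$live = Get-WinEvent -FilterHashtable @{
    LogName = 'System'; Id = 41, 46, 1001; StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue
$live | Sort-Object TimeCreated | Format-Table TimeCreated, Id, ProviderName -AutoSize
Get-BlueScreenVerdict -Events $live

# Settings that Method 1 reports as missing: crash dump type and target file
# (CrashDumpEnabled = 0 means no dump is written), then the page file settings.
Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl' |
    Select-Object CrashDumpEnabled, DumpFile
Get-CimInstance Win32_PageFileSetting | Select-Object Name, InitialSize, MaximumSize
```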

Because the analysis of blue screen logs is very time-consuming, it may take a week or more. To restore service quickly, we strongly recommend that you refer to the best practices above after restarting the machine when you encounter a blue screen. Depending on the cause of the problem, you can use the following methods to avoid potential known problems after the problem occurs.

  • Uninstall all third-party antivirus software from the system and disable the protection function of the antivirus software. Generally, the influence of the kernel driver of the antivirus software will not be eliminated.

  • In safe mode, use the Microsoft MSERT offline antivirus tool or a paid third-party antivirus product to scan for and remove viruses.

  • Run Windows Update to install all updates.

Applicable scope

  • Elastic Compute Service (ECS)