This chapter covers the Blue Screen of Death (BSOD) in Windows, a critical stop error that forces the system to halt to prevent data corruption. For the 220-1102 exam, BSOD troubleshooting appears in roughly 10–15% of questions in Domain 3.0 (Software Troubleshooting), specifically under Objective 3.1. Mastery of BSOD analysis—including stop codes, memory dumps, and common fixes—is essential for passing the exam and for real-world desktop support.
Jump to a section
Imagine your heart suddenly stops beating because of a critical arrhythmia. The heart's electrical system (the operating system) detects that the rhythm is no longer pumping blood (processing data) safely. It immediately triggers a defibrillator (the bugcheck) that halts all activity, records the exact time and electrical pattern (the stop code and parameters), and then displays a flatline on the monitor (the blue screen). Just as doctors analyze the EKG strip to find the cause—like a blocked artery or electrolyte imbalance—technicians analyze the minidump file to identify the faulty driver or hardware. The system does not attempt to restart the heart because the underlying condition could cause immediate reinfarction. Instead, it forces a halt to prevent data corruption. The blue screen is not the problem; it is the symptom of a deeper failure, just as a flatline is the symptom, not the disease.
What is the BSOD?
The Blue Screen of Death (BSOD), officially called a bug check or stop error, is a hardware or software failure so severe that Windows cannot continue safe operation. When the Windows kernel detects an illegal operation or an unrecoverable condition, it calls KeBugCheckEx, which halts the system, saves diagnostic information to a memory dump file, and displays a blue screen with error codes. The BSOD is a protective measure: it stops the system before it can corrupt data or damage hardware.
Why Does the BSOD Exist?
Windows runs in two processor modes: user mode (applications) and kernel mode (operating system core, drivers, hardware abstraction). Kernel-mode code has unrestricted access to system memory and hardware. A bug in kernel-mode code—such as a driver writing to an invalid memory address—can corrupt critical data structures. If Windows ignored the error, it could silently corrupt files, databases, or the registry. Instead, it triggers a BSOD to force a reboot, giving the technician a chance to diagnose and fix the root cause.
How the BSOD Works Internally
When a kernel-mode component (driver, file system, or the kernel itself) invokes a bug check, the following sequence occurs:
Detection: A kernel function like KeBugCheckEx is called with a bug check code (e.g., 0x0000001A for MEMORY_MANAGEMENT) and up to four parameters that provide additional context.
Synchronization: All processors in a multi-core system are halted using inter-processor interrupts (IPIs).
Dump Writing: The kernel writes a memory dump file to the page file. The type of dump (complete, kernel, small, or automatic) is configured in System Properties > Startup and Recovery.
Screen Display: The kernel switches to a low-resolution VGA mode and draws the blue screen with the stop code, module name, and parameters.
Halt: The system enters an infinite loop (Hlt instruction) until the user reboots.
Key Components, Defaults, and Timers
- Stop Code: A hexadecimal number that identifies the error category. Common codes:
- 0x0000001A (MEMORY_MANAGEMENT) – memory corruption.
- 0x00000050 (PAGE_FAULT_IN_NONPAGED_AREA) – access to invalid memory.
- 0x0000007B (INACCESSIBLE_BOOT_DEVICE) – boot drive not found.
- 0x000000D1 (DRIVER_IRQL_NOT_LESS_OR_EQUAL) – driver attempted to access memory at too high an IRQL.
- 0x0000009F (DRIVER_POWER_STATE_FAILURE) – driver power management issue.
- Parameters: Four additional codes that help pinpoint the faulty component. For example, in 0x00000050, parameter 1 is the memory address accessed, parameter 2 is the access type (0=read, 1=write), parameter 3 is the address of the instruction, and parameter 4 is the address of the referenced page table entry.
- Memory Dump Types (default values):
- Automatic memory dump (default since Windows 8): Same as kernel dump but can be smaller if the system can compress it.
- Kernel memory dump: Contains kernel-mode memory (drivers, kernel, HAL). Default location: %SystemRoot%\Memory.dmp.
- Small memory dump (minidump): 64 KB file containing the stop code, parameters, list of loaded drivers, and the processor context (PRCB). Default location: %SystemRoot%\Minidump\*.dmp.
- Complete memory dump: Contains all physical memory. Requires a page file at least as large as RAM + 1 MB.
- Page File Requirement: To capture a dump, the page file must be at least:
Small dump: 2 MB.
Kernel dump: 800 MB on x64 systems (or 1/3 of RAM, whichever is larger).
Complete dump: RAM size + 1 MB.
Automatic Restart: By default, Windows automatically restarts after a BSOD (System Properties > Startup and Recovery > Automatically restart). Disable this during troubleshooting to see the error details.
Configuration and Verification Commands
- Check current dump settings:
wmic RECOVEROS get DebugInfoType, AutoReboot, KernelDumpOnly- Change dump type via command line:
wmic RECOVEROS set DebugInfoType = 2 (1=complete, 2=kernel, 3=small, 7=automatic)- Disable automatic restart:
wmic RECOVEROS set AutoReboot = False- Analyze minidump files with BlueScreenView (third-party) or WinDbg (Microsoft):
- Load minidump in WinDbg: File > Open Crash Dump.
- Run !analyze -v to get detailed analysis.
- Look for MODULE_NAME and IMAGE_NAME to identify the failing driver.
- Check for driver verifier triggers: Driver Verifier (verifier.exe) can force a BSOD if a driver violates rules. Use verifier /query to see current settings.
How BSOD Interacts with Related Technologies
Driver Verifier: A tool that stresses drivers by allocating memory from special pools and checking for illegal operations. When a violation occurs, it triggers a BSOD with a specific stop code like 0x000000C4 (DRIVER_VERIFIER_DETECTED_VIOLATION).
Windows Error Reporting (WER): After a reboot, Windows Error Reporting collects crash data and may send it to Microsoft. The event is logged in Event Viewer under Windows Logs > System with source BugCheck.
Safe Mode: Booting into Safe Mode loads only essential drivers. If the BSOD does not occur in Safe Mode, a third-party driver is the likely cause.
System Restore: Rolling back to a restore point can undo recent driver or registry changes that introduced the fault.
CHKDSK and SFC: File system corruption can cause BSODs. chkdsk /f repairs disk errors; sfc /scannow repairs system files.
Common BSOD Traps on the Exam
Trap: Assuming a BSOD is always hardware. Reality: Many BSODs are caused by drivers or software. The exam will present a scenario where the user installed new software or updated a driver, and the BSOD started. The correct answer is often to roll back the driver or uninstall the software.
Trap: Choosing 'Reinstall Windows' immediately. Reality: Reinstallation is a last resort. The exam expects you to try less destructive steps first: Safe Mode, Last Known Good Configuration, System Restore, driver rollback, or SFC.
Trap: Ignoring the stop code. Reality: The exam will often give a stop code in the question. You must know what it means. For example, 0x00000050 points to memory or driver issues, not a failing CPU.
Trap: Confusing memory dump types. The exam asks which dump type captures kernel-mode memory only. Answer: Kernel memory dump (or Automatic, which is similar). Small dump captures only minimal info; complete dump captures everything.
Trap: Thinking a BSOD always requires hardware replacement. Reality: A single BSOD can be a one-time glitch. The exam expects you to check for recent changes, run diagnostics, and analyze the minidump before replacing parts.
Identify the Stop Code
When a BSOD occurs, the first thing to do is record the stop code (e.g., 0x0000001A) and any parameters displayed on the screen. If the system automatically reboots, disable automatic restart by pressing F8 during boot and selecting 'Disable automatic restart on system failure.' Alternatively, boot into Safe Mode and change the setting in System Properties > Startup and Recovery. The stop code tells you the category of the error. For example, 0x00000050 indicates a memory access violation. Write down all four parameters as they provide clues about the specific fault.
Analyze the Memory Dump
After the system reboots, locate the memory dump file. The default location for minidumps is C:\Windows\Minidump. Use a tool like BlueScreenView (NirSoft) or WinDbg to open the file. In WinDbg, run '!analyze -v' to get a detailed analysis. Look for the MODULE_NAME and IMAGE_NAME fields—they identify the driver or module that caused the crash. For example, if IMAGE_NAME is nvlddmkm.sys, the NVIDIA display driver is at fault. Also check the stack trace to see which function was executing when the crash occurred.
Check for Recent Changes
Ask the user if they installed new hardware, software, or drivers recently. Also check Windows Update history for recent updates. Common culprits: new graphics drivers, antivirus software, or system utilities that install kernel-mode components. If a driver update was installed, roll back the driver in Device Manager (right-click device > Properties > Driver > Roll Back Driver). If a software update is suspected, uninstall it via Programs and Features. Use System Restore to revert the system to a point before the changes.
Boot into Safe Mode
Restart the computer and press F8 (or Shift + Restart in Windows 10/11) to access Advanced Boot Options. Select Safe Mode. Safe Mode loads only essential drivers and services. If the system boots successfully in Safe Mode, the problem is likely caused by a third-party driver or service. Use msconfig to disable non-Microsoft services and startup items, then reboot normally. If the BSOD still occurs, enable services one by one to isolate the culprit.
Run Hardware Diagnostics
If the stop code suggests hardware (e.g., 0x0000001A for memory, 0x0000007A for disk I/O), run diagnostics. For memory: use Windows Memory Diagnostic (mdsched.exe) or MemTest86. For disk: run chkdsk /f /r from an elevated command prompt to check for bad sectors. For overheating: monitor temperatures with HWMonitor. For power supply: test with a known-good PSU. The exam often presents a scenario where a BSOD occurs after adding new RAM—the answer is to reseat or replace the RAM.
Verify System Files and Drivers
Corrupted system files can cause BSODs. Run System File Checker (sfc /scannow) from an elevated command prompt. If it finds issues, follow up with DISM (DISM /Online /Cleanup-Image /RestoreHealth). Also check driver integrity: use Driver Verifier (verifier.exe) to stress-test drivers. Be cautious: Driver Verifier can cause additional BSODs if a driver is faulty. Only enable it for specific drivers or use standard settings. After testing, disable Driver Verifier by running verifier /reset.
Apply Advanced Fixes
If the BSOD persists, consider advanced options. Use Last Known Good Configuration (F8 menu) to revert registry and driver settings. Perform a System Restore to a previous restore point. If the system won't boot, use Windows Recovery Environment (WinRE) from installation media to run Startup Repair, System Restore, or Command Prompt. In extreme cases, reset the PC (Keep my files) or reinstall Windows. The exam expects you to exhaust all other options before reinstallation.
Enterprise Scenario 1: Driver Conflict After Patch Tuesday
A large enterprise with 5000 Windows 10 workstations deploys a monthly security update via SCCM. After the update, 200 machines experience BSODs with stop code 0x000000D1 (DRIVER_IRQL_NOT_LESS_OR_EQUAL). Analysis of minidumps reveals the crash is in rt640x64.sys, a Realtek network driver. The update replaced the driver with a newer version that conflicts with the company's VPN client. The IT team uses Group Policy to roll back the driver to the previous version and creates a driver exclusion list for future updates. They also set up Windows Error Reporting to collect crash dumps centrally. The lesson: always test driver updates in a pilot group before broad deployment.
Enterprise Scenario 2: Memory Leak in Legacy Application
A hospital uses a legacy patient management application that runs on Windows 10. After a few days of uptime, the system crashes with 0x0000001A (MEMORY_MANAGEMENT). Analysis shows a nonpaged pool leak—the application allocates memory but never frees it. The IT team uses PoolMon (part of Windows Driver Kit) to identify the pool tag belonging to the application. They work with the vendor to patch the memory leak. In the meantime, they set up a scheduled task to reboot the machine daily. This scenario highlights that BSODs can be caused by user-mode applications if they trigger kernel-mode callbacks that leak memory.
Enterprise Scenario 3: Faulty SSD Firmware
A cloud hosting provider uses custom-built servers with NVMe SSDs. After a firmware update, 10% of servers crash with 0x0000007A (KERNEL_DATA_INPAGE_ERROR). The minidump shows the crash occurs during paging operations. The storage team discovers that the SSD firmware has a bug that causes data corruption under heavy write loads. They roll back the firmware and contact the vendor for a fix. They also implement monitoring of disk I/O errors using Windows Performance Monitor and set up alerts for Event ID 50 (disk errors). The key takeaway: BSODs can stem from firmware-level issues, not just drivers.
What the 220-1102 Exam Tests
Objective 3.1: 'Given a scenario, troubleshoot common Windows OS problems.' The exam specifically tests your ability to diagnose and resolve BSODs. You must know:
How to identify the stop code and interpret its meaning.
The correct sequence of troubleshooting steps: analyze dump, check recent changes, boot Safe Mode, run diagnostics, repair system files.
The difference between memory dump types and when to use which.
How to use tools like BlueScreenView, Driver Verifier, SFC, and CHKDSK.
Common Wrong Answers and Why
'Replace the RAM immediately.' Wrong because a BSOD with stop code 0x00000050 could also be caused by a faulty driver. The exam expects you to analyze the dump first.
'Reinstall Windows.' Wrong because less destructive methods (System Restore, driver rollback) should be attempted first.
'Run CHKDSK /f.' Wrong if the stop code indicates a driver issue (e.g., 0x000000D1). CHKDSK repairs file system errors, not driver bugs.
'Disable the antivirus.' Wrong as a first step; while antivirus can cause BSODs, you should first check the stop code and dump.
Specific Numbers and Terms on the Exam
Stop codes: 0x00000050, 0x0000007B, 0x000000D1, 0x0000001A, 0x0000009F.
Dump file locations: %SystemRoot%\Memory.dmp and %SystemRoot%\Minidump.
Default dump type: Automatic memory dump (since Windows 8).
Page file size requirements: at least RAM + 1 MB for complete dump.
Tool to analyze minidumps: BlueScreenView (third-party) or WinDbg.
Command to disable automatic restart: System Properties > Startup and Recovery or wmic RECOVEROS set AutoReboot = False.
Edge Cases the Exam Loves
BSOD during boot: Use Safe Mode or Last Known Good Configuration.
BSOD after driver update: Roll back the driver.
BSOD after hardware installation: Check compatibility, reseat hardware, update drivers.
BSOD in Safe Mode: Indicates a problem with core drivers or hardware (e.g., faulty RAM).
Stop code 0x000000ED (UNMOUNTABLE_BOOT_VOLUME): Check for disk corruption, bad cable, or incorrect boot order.
How to Eliminate Wrong Answers
If the question mentions a specific stop code, look for the answer that matches that code's typical cause.
If the scenario says 'after installing new software,' the answer is likely to uninstall the software or use System Restore.
If the scenario says 'after adding RAM,' the answer is to reseat or test the RAM.
If the question asks for the first step, never choose 'reinstall Windows' or 'replace hardware'—always choose diagnostic or analysis steps.
BSOD = bug check that halts the system to prevent data corruption.
Always disable automatic restart to see the stop code.
Analyze the minidump with BlueScreenView or WinDbg to find the faulty driver.
Common stop codes: 0x00000050 (memory), 0x000000D1 (driver IRQL), 0x0000007B (boot device), 0x0000001A (memory management).
First steps: check recent changes, boot Safe Mode, run SFC and CHKDSK.
Default dump type in Windows 10/11 is Automatic memory dump.
Driver Verifier can force a BSOD to test driver stability.
Use System Restore or driver rollback before reinstalling Windows.
BSOD in Safe Mode indicates core driver or hardware issue.
Page file must be at least RAM + 1 MB for a complete dump.
These come up on the exam all the time. Here's how to tell them apart.
Small Memory Dump (Minidump)
Size: 64 KB only.
Contains: stop code, parameters, list of loaded drivers, processor context.
Default location: %SystemRoot%\Minidump.
Fast to write and analyze.
May not contain enough info for complex driver bugs.
Kernel Memory Dump
Size: Approximately 1/3 of RAM (default) or up to 800 MB.
Contains: All kernel-mode memory (drivers, kernel, HAL).
Default location: %SystemRoot%\Memory.dmp (or as Automatic).
Slower to write but provides full kernel context.
Sufficient for most driver and kernel analysis.
Mistake
A single BSOD always means hardware failure.
Correct
A single BSOD can be a one-time glitch due to a transient error (e.g., power fluctuation, driver race condition). The exam expects you to check for recent changes and analyze the dump before replacing hardware.
Mistake
The BSOD stop code alone tells you exactly which component is faulty.
Correct
The stop code narrows down the category, but you need to analyze the parameters and the minidump to identify the specific driver or hardware. For example, 0x00000050 could be RAM or a driver.
Mistake
You should always enable automatic restart to avoid seeing the blue screen.
Correct
Automatic restart prevents you from reading the stop code. Disable it during troubleshooting to capture the error details.
Mistake
A complete memory dump is always the best choice.
Correct
Complete dumps require a large page file and take longer to write. For most troubleshooting, a kernel or automatic dump is sufficient and faster.
Mistake
BSODs only occur in kernel mode.
Correct
While BSODs originate in kernel mode, a user-mode application can trigger a BSOD if it causes a kernel-mode callback to fail (e.g., via a buggy driver that the application calls).
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
Write down the stop code and all four parameters. If the system reboots automatically, press F8 during boot and select 'Disable automatic restart on system failure' to prevent it from rebooting. Then, after the system restarts, locate the minidump file in C:\Windows\Minidump and analyze it with a tool like BlueScreenView. This gives you the specific driver or module that caused the crash.
Use a free tool like BlueScreenView (NirSoft) or Microsoft's WinDbg. In BlueScreenView, simply open the program and it will list all minidumps. Select the dump and it shows the stop code, parameters, and the driver that caused the crash (highlighted in red). In WinDbg, open the dump file and run the command '!analyze -v' to get a detailed analysis including the module name and stack trace.
Stop code 0x00000050 is PAGE_FAULT_IN_NONPAGED_AREA. It means the system tried to access a memory address that does not exist or is invalid. This is often caused by a faulty driver, incompatible software, or defective RAM. Check the minidump to see which driver is referenced. Also run Windows Memory Diagnostic to test RAM. On the exam, if the scenario mentions a new driver, roll it back.
No. A single BSOD can be caused by a software glitch or driver issue. Always analyze the minidump first. If the stop code points to memory (e.g., 0x0000001A) and you have multiple errors, then run a memory test. Only replace hardware after you have ruled out software causes and the diagnostics indicate a hardware failure.
A small dump (minidump) is only 64 KB and contains the stop code, parameters, list of loaded drivers, and processor context. It is quick to write and analyze but lacks full kernel context. A kernel dump contains all kernel-mode memory (drivers, kernel, HAL) and is much larger (typically 800 MB or 1/3 of RAM). It provides more detail for complex driver bugs. The default in Windows 10/11 is Automatic, which is similar to a kernel dump but can be compressed.
Boot into Safe Mode to see if the BSOD occurs there. If not, the new software is likely the cause. Uninstall the software via Programs and Features. If the problem persists, use System Restore to revert the system to a point before the installation. Also check if the software installed a kernel-mode driver—look in Device Manager for any new devices.
Driver Verifier is a Windows tool that stresses drivers by monitoring their behavior for illegal operations. It can force a BSOD if a driver violates rules, which helps identify faulty drivers. Use it when a BSOD is intermittent and you suspect a driver but cannot reproduce it. Be careful: Driver Verifier can cause crashes. Enable it for specific drivers or use standard settings. After testing, disable it with 'verifier /reset'.
You've just covered Troubleshoot: Blue Screen of Death (BSOD) — now see how well it sticks with free 220-1102 practice questions. Full explanations included, no account needed.
Done with this chapter?