This content is from a WindowsForum.com forum thread - Where are dump files (.dmp) saved after crash ?
jcgriff2 said:
Edy said:
When the system crashes, I get a BSOD like this:
[screenshot of the blue screen]
After it crashes, Windows saves the log in C as prefix crash.dmp. Where can I get to that log file?
Hi -
The bugcheck from the screenshot -
- 0x50 (0xfd3094c2,0x1,0xfbfe7617,0x0) = invalid memory referenced; the object in memory address 0xfbfe7617 attempted to write to the memory address 0xfd3094c2
Either someone is playing a joke on you or you on us. Whichever it is, it is a waste of time and valuable resources.
The screenshot from your alleged Windows 7 system BSOD shows:
- bugcheck = 0x00000050 (0xFD3094C2,0x00000001,0xFBFE7617,0x00000000)
- fault info - SPCMDCON.SYS - Address FBFE7617 base at FBFE5000, DateStamp 3d6dd67c
It is identical to the screenshot found at this CMD_TRICKS_101 site --> BSOD(Blue Screen Of Death)
Whoever is responsible is not too smart to think that at some point this would not be discovered as the timestamp on the XP recovery console related driver = 3d6dd67c - which translates to Thu Aug 29 04:08:28 2002
Not only is the driver name and timestamp identical to the Tricks_101 screenshot - so are the memory addresses.
Your screenshot is on the left; the screenshot from CMD_Tricks_101 on the right
The batch script from CMD_Tricks_101 that creates that exact BSOD screen -
Code:
step 5 BSOD (Blue Screen Of Death)
to create the BSOD, make a batch file, then type what's between the stars
*****************************************************
@echo off
cd /
cls
color 17
echo A problem has been detected and Windows has been shut down to prevent damage
echo to your computer.
echo.
echo The problem seems to be caused by the following file: SPCMDCON.SYS
echo.
echo PAGE_FAULT_IN_NONPAGED_AREA
echo.
echo If this is the first time you've seen this stop error screen,
echo restart your computer. If this screen appears again, follow
echo these steps:
echo.
echo Check to make sure any new hardware or software is properly installed.
echo If this is a new installation, ask your hardware or software manufacturer
echo for any Windows updates you might need.
echo.
echo If problems continue, disable or remove any newly installed hardware
echo or software. Disable BIOS memory options such as caching or shadowing.
echo If you need to use Safe Mode to remove or disable components, restart
echo your computer, press F8 to select Advanced Startup Options, and then
echo select Safe Mode.
echo.
echo Technical information:
echo.
echo *** STOP: 0x00000050 (0xFD3094C2,0x00000001,0xFBFE7617,0x00000000)
echo.
echo.
echo *** SPCMDCON.SYS - Address FBFE7617 base at FBFE5000, DateStamp 3d6dd67c
pause >nul
cls
echo Downloading viruses . . .
ping localhost -n 5 >nul
dir /s
pause >nul
shutdown -s -t 120 -c "Your computer has committed suicide, have a nice day."
*****************************************************
note no damage is done, just prints all files to screen, then shuts down.
Regards. . .
jcgriff2
I have come across "fake BSOD threads" dozens of times during my last 12+ years posting in various forums.
What immediately caught my eye on this particular dump at the time I answered the thread was the hex code timestamp - 3d6dd67c for the driver named in the actual blue screen posted by the OP. The beginning number of the hex timestamp was too low for it to be a recently dated driver, so I decided to check out the timestamp.
The OP gave very little information in post #1 + the BSOD screenshot. OP posted in the Windows 7 forum. Windows 7 was released to the public in 2009, so it should not have had a kernel mode driver from 2002 running on it. Yes -- it is remotely possible that the OP was running some very old software, but most software contains user mode drivers and not kernel mode drivers. That is the reason that I Googled the driver name and ultimately found the CMD_Tricks_101 site and the identical blue screen with identical memory addresses. Two different Windows 7 systems experiencing a BSOD naming the same driver as the probable cause is of course possible, but the chance that the memory addresses would be the same on both systems in P1 and P3 is astronomical, if at all possible.
Perhaps it would have been possible in versions of Windows prior to Vista when drivers and EXEs were loaded in the same memory address ranges, but starting in Vista and continuing with every version of Windows since then, a random number is added to the beginning memory address number, thus changing the memory address range for every module making it much more difficult for hackers to know where any module resides in memory.
You can easily find out/convert hex timestamps (or decimal timestamps) by using the Sysnative Timestamp Converter which can be found in the top row of options of the Driver Reference Table (DRT).
Sysnative Timestamp Converter link - Sysnative Timestamp Converter
Simply enter the hex timestamp (or a decimal timestamp number); click "Convert" and the converted date will appear above the 2 boxes.
Hopefully, you will never need to use this for the purpose that I used it for; but you never know what some idiot with too much free time on his hands is likely to do!
Lastly, be sure to take a good look at the batch script. I can just imagine how many computer users must have thought their system (or just the data/files) was totally trashed.
Located about half-way down the batch script is this - which the user would see for 5 seconds
Downloading viruses . . .
That remains on the screen and is then followed by this message (part of the Windows system SHUTDOWN command), which would be displayed for a full agonizing 2 minutes -
"Your computer has committed suicide, have a nice day."
Then the computer turns off due to the Windows SHUTDOWN command.
All of this turns out to be benign; no files are harmed (at least not from this sole batch file); unknown as to what else was placed on the user's system along with this batch script.
I don't know how this batch script would get on to a user's system, nor do I know what triggers its execution.
John
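The two checks described in this post (driver DateStamp against the OS release year, and addresses identical to a published screen), as an added Python example that is not part of the original thread. The function names and the 2009-01-01 cut-off are assumptions made here; the sample strings are the STOP text quoted in the thread.

```python
import re
from datetime import datetime, timezone

# STOP text as transcribed in this thread, and as echoed by the published script.
REPORTED = """bugcheck = 0x00000050 (0xFD3094C2,0x00000001,0xFBFE7617,0x00000000)
fault info - SPCMDCON.SYS - Address FBFE7617 base at FBFE5000, DateStamp 3d6dd67c"""
TEMPLATE = """*** STOP: 0x00000050 (0xFD3094C2,0x00000001,0xFBFE7617,0x00000000)
*** SPCMDCON.SYS - Address FBFE7617 base at FBFE5000, DateStamp 3d6dd67c"""

# Assumption: cut-off is the start of 2009, the Windows 7 release year given in the post.
OS_CUTOFF = datetime(2009, 1, 1, tzinfo=timezone.utc)

STOP_RE = re.compile(r"(?:STOP:|bugcheck\s*=)\s*(0x[0-9A-Fa-f]+)\s*\(([^)]*)\)")
FAULT_RE = re.compile(r"(\S+\.SYS)\s*-\s*Address\s+([0-9A-F]+)\s+base at\s+([0-9A-F]+),"
                      r"\s*DateStamp\s+([0-9A-F]+)", re.IGNORECASE)

def parse_stop_screen(text):
    """Pull the bugcheck, its four parameters and the faulting-driver line out of STOP text."""
    stop, fault = STOP_RE.search(text), FAULT_RE.search(text)
    if not stop or not fault:
        raise ValueError("no STOP code or driver line found")
    return {
        "bugcheck": int(stop.group(1), 16),
        "params": [int(p, 16) for p in stop.group(2).split(",")],
        "driver": fault.group(1).upper(),
        "address": int(fault.group(2), 16),
        "base": int(fault.group(3), 16),
        # DateStamp is seconds since 1970-01-01 UTC, printed in hex.
        "built": datetime.fromtimestamp(int(fault.group(4), 16), tz=timezone.utc),
    }

def triage(screen, os_released, template=None):
    """Return reasons to doubt a reported STOP screen; an empty list means none found."""
    findings = []
    if screen["built"] < os_released:
        findings.append(f"{screen['driver']} built {screen['built']:%Y-%m-%d}, before the OS release")
    same = template and all(screen[k] == template[k] for k in ("params", "address", "base"))
    if same:
        findings.append("parameters and module base identical to a published screen")
    return findings

if __name__ == "__main__":
    for line in triage(parse_stop_screen(REPORTED), OS_CUTOFF, parse_stop_screen(TEMPLATE)):
        print("suspicious:", line)
```

The converted value is in UTC (08:08:28); the 04:08:28 quoted in the thread is the same instant shown in a UTC-4 zone.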