This comprehensive guide provides PowerShell commands and advanced techniques to diagnose Windows crashes (BSODs, random restarts, freezes). Each command includes detailed explanations of what it does and why it's useful.
---
Get-WinEvent -LogName System -MaxEvents 50 | Format-List
What it does: Shows the last 50 system events from the Windows Event Log
Why it's useful: System events contain critical information about crashes, driver failures, and hardware issues. This gives you a quick overview of recent problems.
Get-WinEvent -FilterHashtable @{LogName='System'; Level=1} | Format-List
What it does: Retrieves only critical events (Level 1 = Critical errors)
Why it's useful: Critical events are the most severe - these often indicate system crashes, hardware failures, or major driver problems. Start here for serious issues.
Get-WinEvent -FilterHashtable @{LogName='System'; ProviderName='Microsoft-Windows-WER-SystemErrorReporting'} |
Format-List -Property TimeCreated, Message
What it does: Finds bug check (BSOD) events specifically from Windows Error Reporting
Why it's useful: This pinpoints actual Blue Screen events and can show you the STOP code and driver responsible for crashes.
Get-WinEvent -LogName Application -MaxEvents 100 |
Where-Object {$_.Message -like "*faulting*"} |
Format-Table TimeCreated, Message -AutoSize
What it does: Searches application logs for faulting programs and services
Why it's useful: Application crashes can sometimes trigger system instability. This helps identify problematic software that might be causing system-wide issues.
Get-WinEvent -FilterHashtable @{LogName='System'; ProviderName='Microsoft-Windows-DriverFrameworks-UserMode'} |
Format-Table TimeCreated, Message -AutoSize
What it does: Lists driver-related errors from the Driver Framework
Why it's useful: Driver issues are a leading cause of system crashes. This shows you which drivers are having problems loading or operating.
Get-WinEvent -FilterHashtable @{LogName='System'; ProviderName='Microsoft-Windows-WHEA-Logger'} |
Format-Table TimeCreated, Message -AutoSize
What it does: Shows Windows Hardware Error Architecture (WHEA) logs
Why it's useful: WHEA logs capture hardware-level errors from CPU, memory, PCIe devices. These are often early warning signs of failing hardware.
Get-WmiObject Win32_PnPSignedDriver |
Select DeviceName, DriverVersion, DriverDate |
Sort-Object DriverDate -Descending |
Format-Table -AutoSize
What it does: Lists all installed drivers with versions and dates, sorted by newest first
Why it's useful: Helps identify recently installed or very old drivers that might be causing stability issues. Look for drivers installed around the time crashes started.
mdsched.exe
What it does: Launches Windows Memory Diagnostic tool
Why it's useful: Bad RAM is a common cause of random crashes and BSODs. This schedules a memory test for the next reboot to check for memory errors.
Get-PhysicalDisk | Select-Object FriendlyName, HealthStatus, OperationalStatus
What it does: Checks the health status of all physical drives in the system
Why it's useful: Failing hard drives can cause system crashes, especially during boot or when accessing files. Shows "Healthy" vs "Warning" vs "Unhealthy" status.
sfc /scannow
What it does: Scans all protected system files and repairs corrupted ones
Why it's useful: Corrupted system files can cause crashes and instability. This tool can fix many issues by restoring original system files from Windows backup.
DISM /Online /Cleanup-Image /RestoreHealth
What it does: Repairs the Windows system image using Windows Update
Why it's useful: If SFC finds corruption it can't fix, DISM can repair the Windows image itself. This fixes deeper system corruption issues.
powercfg /energy
What it does: Analyzes power efficiency and identifies power-related problems
Why it's useful: Power management issues can cause random shutdowns, sleep/wake problems, and system instability. Creates a detailed HTML report of power issues.
Get-HotFix | Sort-Object InstalledOn -Descending
What it does: Lists all installed Windows updates sorted by installation date
Why it's useful: Sometimes Windows updates can introduce instability. This helps identify if crashes started after a specific update was installed.
Get-ChildItem "C:\Windows\Minidump\" | Sort-Object LastWriteTime -Descending
What it does: Lists all crash dump files sorted by when they were created
Why it's useful: Each BSOD creates a minidump file. The timestamps help correlate crashes with system events and show crash frequency patterns.
---
Get-WinEvent -FilterHashtable @{LogName='System'; Id=6005,6006,6008} |
Format-Table TimeCreated, Id, Message -AutoSize
What it does: Shows system startup (6005), shutdown (6006), and unexpected shutdown (6008) events
Why it's useful: Event ID 6008 indicates the system shut down unexpectedly (crash or power loss). Helps identify crash patterns and frequency.
Get-EventLog -LogName System -Source "BugCheck" -Newest 5
What it does: Finds the 5 most recent BugCheck events (Blue Screen crashes)
Why it's useful: Gives you specific BSOD events with STOP codes. Get-WinEvent is the newer PowerShell method, but this older Get-EventLog syntax sometimes catches events the newer method misses.
Get-WinEvent -FilterHashtable @{LogName='System'; ProviderName='Microsoft-Windows-UserPnp'} |
Format-Table TimeCreated, Id, Message -AutoSize
What it does: Shows Plug and Play device failures and issues
Why it's useful: USB devices, graphics cards, and other hardware can cause crashes when they fail to initialize properly or malfunction.
Get-WinEvent -LogName System | Where-Object {$_.Message -like "*degraded*"} |
Format-Table TimeCreated, Message -AutoSize
What it does: Searches for any system events mentioning "degraded" performance
Why it's useful: System components can run in degraded mode before failing completely. This provides early warning of developing hardware issues.
Get-WinEvent -LogName Setup | Format-Table TimeCreated, Id, Message -AutoSize
What it does: Shows Windows Update installation events and failures
Why it's useful: Failed Windows updates can leave the system in an unstable state. Helps identify if crashes coincide with update problems.
Get-WinEvent -LogName Application | Where-Object {$_.Message -like "*service terminated unexpectedly*"} |
Format-Table TimeCreated, Message -AutoSize
What it does: Finds Windows services that have crashed or terminated unexpectedly
Why it's useful: Critical services crashing can destabilize the entire system. Shows which services are having problems.
Get-WmiObject Win32_PnPEntity | Where-Object { $_.ConfigManagerErrorCode -ne 0 } |
Select-Object Name, ConfigManagerErrorCode | Format-Table -AutoSize
What it does: Lists devices with configuration manager error codes (non-zero = problem)
Why it's useful: Shows devices that Windows can't configure properly. Error codes indicate specific driver or hardware problems.
Get-WinEvent -LogName Application -MaxEvents 200 |
Group-Object -Property ProviderName | Sort-Object Count -Descending |
Select-Object Count, Name | Format-Table -AutoSize
What it does: Groups application errors by source and counts them
Why it's useful: Helps identify which applications or services are generating the most errors. High error counts indicate problematic software.
Get-WinEvent -FilterHashtable @{LogName='System'; ProviderName='Microsoft-Windows-Kernel-Power'} |
Format-Table TimeCreated, Id, Message -AutoSize
What it does: Shows power management events including thermal shutdowns and battery issues
Why it's useful: Overheating can cause system crashes. This reveals thermal throttling, emergency shutdowns, and power supply problems.
Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl" |
Select-Object CrashDumpEnabled, LastCrashTime
What it does: Shows crash dump settings and when the last crash occurred according to the registry
Why it's useful: Confirms crash dump creation is enabled and provides another timestamp for crash correlation.
Get-WmiObject -Namespace root\wmi -Class MSStorageDriver_FailurePredictStatus |
Select InstanceName, PredictFailure
What it does: Checks SMART status to predict disk failure
Why it's useful: Hard drives report their health through SMART. "PredictFailure = True" means the drive is about to fail and should be replaced immediately.
---
Get-WinEvent -FilterHashtable @{LogName='System'; ProviderName='Microsoft-Windows-Kernel-Processor-Power'} |
Where-Object {$_.Message -like "*thermal*"} | Format-Table TimeCreated, Message -AutoSize
What it does: Searches for thermal-related events from the processor power management system
Why it's useful: CPU overheating is a major cause of system crashes. This shows thermal throttling events and temperature warnings.
Get-WmiObject Win32_PnPEntity | Where-Object {$_.ConfigManagerErrorCode -eq 12} |
Select-Object Name, DeviceID | Format-Table -AutoSize
What it does: Finds devices with error code 12 (insufficient resources available)
Why it's useful: Hardware resource conflicts can cause system instability. Code 12 means Windows can't allocate enough resources (IRQ, memory, I/O) for the device.
Get-WinEvent -FilterHashtable @{LogName='System'; Id=1,41,42,107} |
Format-Table TimeCreated, Id, Message -AutoSize
What it does: Shows specific power-related event IDs (1=system boot, 41=unexpected shutdown, 42=sleep, 107=power button)
Why it's useful: Event ID 41 specifically indicates unexpected shutdowns due to power loss, overheating, or system crashes.
# DirectX Diagnostics
dxdiag /t C:\temp\dxdiag.txt
# System Information
msinfo32 /report C:\temp\sysinfo.txt
What it does: Creates comprehensive hardware and software reports
Why it's useful: DXDiag shows graphics hardware info and DirectX issues. MSInfo32 creates a complete system configuration report for analysis.
---
Get-WinEvent -FilterHashtable @{LogName='System'; ProviderName='Microsoft-Windows-NDIS'} |
Format-Table TimeCreated, Id, Message -AutoSize
What it does: Shows Network Driver Interface Specification (NDIS) errors
Why it's useful: Network adapter drivers can cause system crashes, especially with WiFi cards. NDIS errors indicate network driver problems.
Get-WinEvent -FilterHashtable @{LogName='System'; ProviderName='Tcpip'} |
Where-Object {$_.LevelDisplayName -eq "Error"} | Format-Table TimeCreated, Message -AutoSize
What it does: Shows TCP/IP protocol stack errors
Why it's useful: TCP/IP stack corruption can cause network-related crashes and system instability, especially on servers or heavy network usage systems.
---
Get-WinEvent -FilterHashtable @{LogName='System'; Id=6,13} |
Format-Table TimeCreated, Id, Message -AutoSize
What it does: Shows registry hive corruption events (Event IDs 6 and 13)
Why it's useful: Registry corruption can cause boot failures and system crashes. These events indicate when Windows detects registry problems.
Get-WmiObject Win32_OperatingSystem |
Select-Object @{Name="LastBootUpTime";Expression={$_.ConvertToDateTime($_.LastBootUpTime)}},
@{Name="Uptime";Expression={(Get-Date) - $_.ConvertToDateTime($_.LastBootUpTime)}}
What it does: Shows when the system last booted and current uptime
Why it's useful: Short uptimes suggest frequent crashes. Helps establish crash patterns and system stability trends.
bcdedit /enum all
What it does: Lists all boot configuration entries
Why it's useful: Corrupted or misconfigured boot settings can cause startup crashes and boot loops. Shows boot manager configuration.
---
Get-WmiObject Win32_StartupCommand |
Select-Object Name, Location, Command | Format-Table -AutoSize
What it does: Lists all programs that start automatically with Windows
Why it's useful: Faulty startup programs can cause crashes during boot or shortly after login. Helps identify problematic software.
Get-Process | Sort-Object Handles -Descending |
Select-Object -First 10 Name, Handles, WorkingSet | Format-Table -AutoSize
What it does: Shows processes with the highest number of open handles
Why it's useful: Handle leaks can exhaust system resources and cause crashes. Processes with excessive handles (>10,000) may have memory leaks.
Get-WinEvent -FilterHashtable @{LogName='System'; Id=2019,2020} |
Format-Table TimeCreated, Id, Message -AutoSize
What it does: Shows pool memory allocation warnings and errors
Why it's useful: Pool memory exhaustion can cause system crashes. Event 2019/2020 indicate the system is running low on pool memory.
Get-WmiObject Win32_PageFileUsage |
Select-Object Name, AllocatedBaseSize, CurrentUsage, PeakUsage | Format-Table -AutoSize
What it does: Shows page file (virtual memory) usage statistics
Why it's useful: Insufficient virtual memory can cause application and system crashes. Shows if page file is too small or heavily used.
Get-WinEvent -FilterHashtable @{LogName='System'; Id=6008} |
Format-Table TimeCreated, Message -AutoSize
What it does: Shows unexpected system shutdown events
Why it's useful: Event ID 6008 is logged when Windows starts after an unexpected shutdown (crash, power loss, forced restart).
Get-Counter "\PhysicalDisk(*)\% Disk Time" -SampleInterval 1 -MaxSamples 5 |
ForEach-Object {$_.CounterSamples} |
Where-Object {$_.CookedValue -gt 80} |
Format-Table InstanceName, CookedValue -AutoSize
What it does: Measures disk activity percentage over 5 seconds, showing disks over 80% busy
Why it's useful: Extremely busy disks (>90% constantly) can cause system slowdowns and timeouts that lead to crashes.
---
Get-WinEvent -FilterHashtable @{LogName='Application'; ProviderName='Windows Error Reporting'} |
Where-Object {$_.Message -like "*antivirus*" -or $_.Message -like "*security*"} |
Format-Table TimeCreated, Message -AutoSize
What it does: Searches for error reports mentioning antivirus or security software
Why it's useful: Antivirus software can conflict with system drivers and cause crashes. Multiple security products can also conflict with each other.
Get-WinEvent -LogName Application -MaxEvents 100 |
Where-Object {$_.LevelDisplayName -eq "Error" -and $_.ProviderName -notlike "Microsoft*"} |
Group-Object ProviderName | Sort-Object Count -Descending |
Select-Object Count, Name | Format-Table -AutoSize
What it does: Counts errors from non-Microsoft software, sorted by frequency
Why it's useful: Identifies which third-party applications are generating the most errors. Problematic software can destabilize the entire system.
$verifier = Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" -Name VerifyDriverLevel -ErrorAction SilentlyContinue
if ($verifier) {
    Write-Host "Driver Verifier is ENABLED - Level: $($verifier.VerifyDriverLevel)" -ForegroundColor Red
} else {
    Write-Host "Driver Verifier is disabled" -ForegroundColor Green
}
What it does: Checks if Driver Verifier is enabled and shows the verification level
Why it's useful: Driver Verifier intentionally causes crashes when it detects driver bugs. If enabled, it explains why the system is crashing during testing.
---
Get-ComputerRestorePoint | Sort-Object CreationTime -Descending |
Select-Object CreationTime, Description, RestorePointType | Format-Table -AutoSize
What it does: Lists all available system restore points
Why it's useful: Shows restore points you can use to roll back the system to before crashes started. Helps identify when problems began.
Stop-Service wuauserv, cryptSvc, bits, msiserver -Force
Remove-Item C:\Windows\SoftwareDistribution\* -Recurse -Force -ErrorAction SilentlyContinue
Start-Service wuauserv, cryptSvc, bits, msiserver
What it does: Resets Windows Update components by stopping services, clearing cache, and restarting services
Why it's useful: Corrupt Windows Update files can cause instability. This reset procedure fixes many update-related problems.
---
1. Check for critical errors (Command #2) - Start with the most severe issues
2. Look for recent BSODs (Command #3) - Identify actual crash events
3. Review hardware errors (Command #6) - Hardware problems cause most crashes
4. Check driver failures (Command #5) - Driver issues are the #2 cause of crashes
5. Examine application crashes (Command #4) - Apps can destabilize the system
6. Review minidump files (Command #14) - Get specific crash details
7. Check disk health (Command #9) - Failing drives cause crashes
8. Run memory diagnostics (Command #8) - Bad RAM is a common culprit
9. Analyze thermal events (Command #26) - Overheating causes shutdowns
10. Check power issues (Command #28) - Power problems cause unexpected shutdowns
11. Run system file check (Command #10) - Fix corrupted system files
12. Repair Windows image (Command #11) - Fix deeper corruption
13. Check registry corruption (Command #32) - Registry issues cause boot problems
14. Verify boot configuration (Command #34) - Ensure proper boot setup
15. Correlate timeline events - Use timeline function to find patterns
16. Check resource exhaustion (Commands #36-38) - Memory/handle leaks
17. Analyze third-party conflicts (Commands #41-42) - Software conflicts
18. Review startup programs (Command #35) - Remove problematic startup items
---
$dumpFiles = Get-ChildItem "C:\Windows\Minidump\" -ErrorAction SilentlyContinue
foreach ($dump in $dumpFiles) {
    Write-Host "=== $($dump.Name) ===" -ForegroundColor Yellow
    Write-Host "Created: $($dump.CreationTime)"
    Write-Host "Size: $([math]::Round($dump.Length/1KB,2)) KB"
    $content = Get-Content $dump.FullName -Raw -Encoding Byte -TotalCount 1024 -ErrorAction SilentlyContinue
    if ($content) {
        Write-Host "Dump file exists and is readable"
    }
}
What it does: Lists all minidump files with creation times and validates they're readable
Why it's useful: Shows crash frequency and helps identify the most recent crashes for analysis. File size can indicate crash type.
findstr /i "BugCheck" C:\Windows\Minidump\*.dmp
strings C:\Windows\Minidump\*.dmp | Select-String "BugCheck|Probably caused by"
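What it does: Searches minidump files for crash information using text extraction. The strings command here is the Sysinternals Strings utility, which is not included with Windows and must be installed separately.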
Why it's useful: Can sometimes extract basic crash information without specialized tools, including the driver that caused the crash.
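Text searches over a binary dump are hit-and-miss; the bug check code itself sits at a fixed position in the dump header. The following is an added example, not part of the original guide. It assumes the commonly documented 64-bit kernel dump header layout (signature PAGEDU64, bug check code at offset 0x38, four 64-bit parameters from offset 0x40); the function names and the sample header bytes are constructed for illustration.

```powershell
# Added example, not from the original guide. Offsets assume the 64-bit
# kernel dump header layout (DUMP_HEADER64) as commonly documented.
function Read-DumpHeader {
    param([Parameter(Mandatory)][string]$Path, [int]$Count = 0x60)
    # Use .NET file I/O so this works the same in Windows PowerShell and PowerShell 7.
    $fs = [IO.File]::OpenRead($Path)
    try {
        $buf = New-Object byte[] $Count
        [void]$fs.Read($buf, 0, $Count)   # short files leave trailing zeros
        return ,$buf
    } finally {
        $fs.Dispose()
    }
}

function Get-DumpHeaderInfo {
    param([Parameter(Mandatory)][byte[]]$Header)

    $magic = [Text.Encoding]::ASCII.GetString($Header, 0, [Math]::Min(8, $Header.Length))
    if     ($magic.StartsWith('MDMP')) { $kind = 'User-mode minidump' }
    elseif ($magic -ceq 'PAGEDUMP')    { $kind = '32-bit kernel dump' }
    elseif ($magic -ceq 'PAGEDU64')    { $kind = '64-bit kernel dump' }
    else                               { $kind = 'Unrecognized (truncated or not a dump)' }

    $code = $null
    $parameters = @()
    # Only decode the layout this example knows: 64-bit kernel dumps.
    if ($magic -ceq 'PAGEDU64' -and $Header.Length -ge 0x60) {
        $code = '0x{0:X8}' -f [BitConverter]::ToUInt32($Header, 0x38)
        $parameters = 0..3 | ForEach-Object {
            '0x{0:X16}' -f [BitConverter]::ToUInt64($Header, 0x40 + 8 * $_)
        }
    }

    [pscustomobject]@{
        Kind         = $kind
        BugCheckCode = $code
        Parameters   = $parameters
    }
}

# Constructed sample header (not taken from a real crash): PAGEDU64 signature,
# bug check 0xD1, first parameter 0x28, everything else zero.
$sample = New-Object byte[] 0x60
[Text.Encoding]::ASCII.GetBytes('PAGEDU64').CopyTo($sample, 0)
[BitConverter]::GetBytes([uint32]0xD1).CopyTo($sample, 0x38)
[BitConverter]::GetBytes([uint64]0x28).CopyTo($sample, 0x40)
Get-DumpHeaderInfo -Header $sample | Format-List

# On a live system (elevated prompt), decode every minidump:
# Get-ChildItem C:\Windows\Minidump\*.dmp |
#     ForEach-Object { Get-DumpHeaderInfo (Read-DumpHeader $_.FullName) }
```

A header reported as Unrecognized usually means the dump was truncated or overwritten, which is worth knowing before loading it into a debugger.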
Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl" |
Select-Object AutoReboot, CrashDumpEnabled, DumpFile, MinidumpDir
What it does: Shows how the system is configured to handle crashes
Why it's useful: Ensures crash dumps are being created. If CrashDumpEnabled=0, no dumps are created and you lose crash data.
---
function Get-CrashTimeline {
    param([int]$Hours = 24)
    $start = (Get-Date).AddHours(-$Hours)
    Write-Host "=== CRASH TIMELINE (Last $Hours hours) ===" -ForegroundColor Cyan
    # System crashes
    $crashes = Get-WinEvent -FilterHashtable @{LogName='System'; StartTime=$start; Id=41,1001,1074} -ErrorAction SilentlyContinue
    # Application crashes
    $appCrashes = Get-WinEvent -FilterHashtable @{LogName='Application'; StartTime=$start; Id=1000,1001} -ErrorAction SilentlyContinue
    # Hardware errors
    $hwErrors = Get-WinEvent -FilterHashtable @{LogName='System'; StartTime=$start; ProviderName='Microsoft-Windows-WHEA-Logger'} -ErrorAction SilentlyContinue
    # Drop empty results (a query with no matches returns $null) before sorting
    $allEvents = @($crashes; $appCrashes; $hwErrors) | Where-Object { $_ } | Sort-Object TimeCreated -Descending
    # Loop variable is $evt because $event is a PowerShell automatic variable
    foreach ($evt in $allEvents) {
        Write-Host "$($evt.TimeCreated) - $($evt.LogName) - ID:$($evt.Id) - $($evt.LevelDisplayName)" -ForegroundColor Yellow
    }
}
What it does: Creates a chronological timeline of crashes, application failures, and hardware errors
Why it's useful: Helps identify patterns, crash frequency, and correlations between different types of failures. Usage: Get-CrashTimeline -Hours 48
---
function Invoke-CrashAnalysis {
    Write-Host "Starting comprehensive crash analysis..." -ForegroundColor Green
    # Recent critical events
    Write-Host "`n=== RECENT CRITICAL EVENTS ===" -ForegroundColor Yellow
    Get-WinEvent -FilterHashtable @{LogName='System'; Level=1} -MaxEvents 10 -ErrorAction SilentlyContinue |
        Format-Table TimeCreated, Id, LevelDisplayName, Message -Wrap
    # Hardware errors
    Write-Host "`n=== HARDWARE ERRORS ===" -ForegroundColor Yellow
    Get-WinEvent -FilterHashtable @{LogName='System'; ProviderName='Microsoft-Windows-WHEA-Logger'} -MaxEvents 5 -ErrorAction SilentlyContinue |
        Format-Table TimeCreated, Message -Wrap
    # Recent minidumps
    Write-Host "`n=== RECENT MINIDUMPS ===" -ForegroundColor Yellow
    Get-ChildItem "C:\Windows\Minidump\" -ErrorAction SilentlyContinue |
        Sort-Object LastWriteTime -Descending | Select-Object -First 5 |
        Format-Table Name, LastWriteTime, Length
    # System health
    Write-Host "`n=== SYSTEM HEALTH ===" -ForegroundColor Yellow
    Get-PhysicalDisk | Format-Table FriendlyName, HealthStatus, OperationalStatus -AutoSize
    # Driver issues
    Write-Host "`n=== PROBLEMATIC DRIVERS ===" -ForegroundColor Yellow
    Get-WmiObject Win32_PnPEntity | Where-Object { $_.ConfigManagerErrorCode -ne 0 } |
        Select-Object Name, ConfigManagerErrorCode | Format-Table -AutoSize
    # Recent crashes timeline
    Write-Host "`n=== CRASH TIMELINE (Last 24 hours) ===" -ForegroundColor Yellow
    Get-CrashTimeline -Hours 24
    Write-Host "`nAnalysis complete!" -ForegroundColor Green
}
What it does: Runs a comprehensive automated analysis combining multiple diagnostic checks
Why it's useful: Provides a complete system health overview in one command. Perfect for initial troubleshooting. Usage: Invoke-CrashAnalysis
---
| Code | Meaning | Explanation |
|------------|-------------------------------------|--------------------------------------------------------------|
| 0x00000001 | APC_INDEX_MISMATCH | Asynchronous Procedure Call mismatch. Driver bug. |
| 0x0000000A | IRQL_NOT_LESS_OR_EQUAL | Driver accessed pageable memory at too high IRQL. Common driver error. |
| 0x00000019 | BAD_POOL_HEADER | Pool header corruption in memory. Driver corrupted memory pool. |
| 0x0000001A | MEMORY_MANAGEMENT | Severe memory management issue. Hardware or driver problem. |
| 0x0000001E | KMODE_EXCEPTION_NOT_HANDLED | Kernel mode exception not handled. Driver caused unhandled exception. |
| 0x00000024 | NTFS_FILE_SYSTEM | NTFS file system corruption. Disk or file system driver issue. |
| 0x0000002E | DATA_BUS_ERROR | Hardware memory parity error. Bad RAM or motherboard. |
| 0x00000035 | NO_MORE_IRP_STACK_LOCATIONS | Driver stack exhaustion. Too many drivers in chain. |
| 0x0000003A | SYSTEM_UNWIND_PREVIOUS_USER | Exception during system unwind. Driver or system bug. |
| 0x0000003B | SYSTEM_SERVICE_EXCEPTION | Exception in system service. Driver or kernel bug. |
| 0x0000004E | PFN_LIST_CORRUPT | Physical memory page corruption. Bad RAM or driver bug. |
| 0x00000050 | PAGE_FAULT_IN_NONPAGED_AREA | Invalid system memory access. Bad RAM or driver bug. |
| 0x00000051 | REGISTRY_ERROR | Registry corruption or I/O error. Disk or registry corruption. |
| 0x0000007A | KERNEL_DATA_INPAGE_ERROR | Kernel failed to read data from storage. Disk problem. |
| 0x0000007B | INACCESSIBLE_BOOT_DEVICE | Windows cannot access boot device. Disk or driver problem. |
| 0x0000007E | SYSTEM_THREAD_EXCEPTION_NOT_HANDLED | Driver or system thread caused unhandled exception. |
| 0x0000009F | DRIVER_POWER_STATE_FAILURE | Driver failed during power state change. Power management bug. |
| 0x000000C2 | BAD_POOL_CALLER | Bad memory pool request. Driver made invalid memory request. |
| 0x000000C4 | DRIVER_VERIFIER_DETECTED_VIOLATION | Driver verifier found a violation. Driver has bugs. |
| 0x000000C5 | DRIVER_CORRUPTED_EXPOOL | Driver corrupted system memory pool. Driver bug. |
| 0x000000D1 | DRIVER_IRQL_NOT_LESS_OR_EQUAL | Driver accessed invalid memory at high IRQL. Driver bug. |
| 0x000000D8 | DRIVER_USED_EXCESSIVE_PTES | Driver used too many page table entries. Driver memory leak. |
| 0x000000DA | SYSTEM_PTE_MISUSE | System page table entry misuse. Kernel or driver bug. |
| 0x000000E2 | MANUALLY_INITIATED_CRASH | Manual crash triggered (Ctrl+Scroll+Scroll). Intentional. |
| 0x000000EA | THREAD_STUCK_IN_DEVICE_DRIVER | GPU driver stuck in a loop. Graphics driver hang. |
| 0x000000F4 | CRITICAL_OBJECT_TERMINATION | Critical system process terminated. System corruption. |
| 0x000000FE | BUGCODE_USB_DRIVER | USB driver failure. USB device or driver problem. |
| 0x00000116 | VIDEO_TDR_ERROR | GPU driver crash or timeout detected. Graphics problem. |
| 0x00000124 | WHEA_UNCORRECTABLE_ERROR | Hardware reported unrecoverable error (CPU, RAM, etc.). |
| 0x00000133 | DPC_WATCHDOG_VIOLATION | Driver exceeded time limits (watchdog timeout). |
| 0x00000139 | KERNEL_SECURITY_CHECK_FAILURE | Kernel detected corruption or invalid structure. |
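
To tie the table back to the bug check events queried earlier from Microsoft-Windows-WER-SystemErrorReporting, the sketch below pulls the STOP code, its four parameters and the dump path out of an event message and looks the code up in a subset of the table. It is an added example, not part of the original guide; the function name, the sample message and the assumption that the message uses the English "The bugcheck was: ..." wording are mine.

```powershell
# Added example, not from the original guide.
# Names for a few STOP codes, copied from the table above; extend as needed.
$StopCodeNames = @{
    '0x0000000A' = 'IRQL_NOT_LESS_OR_EQUAL'
    '0x0000001A' = 'MEMORY_MANAGEMENT'
    '0x0000003B' = 'SYSTEM_SERVICE_EXCEPTION'
    '0x00000050' = 'PAGE_FAULT_IN_NONPAGED_AREA'
    '0x0000007E' = 'SYSTEM_THREAD_EXCEPTION_NOT_HANDLED'
    '0x0000009F' = 'DRIVER_POWER_STATE_FAILURE'
    '0x000000D1' = 'DRIVER_IRQL_NOT_LESS_OR_EQUAL'
    '0x00000116' = 'VIDEO_TDR_ERROR'
    '0x00000124' = 'WHEA_UNCORRECTABLE_ERROR'
    '0x00000133' = 'DPC_WATCHDOG_VIOLATION'
    '0x00000139' = 'KERNEL_SECURITY_CHECK_FAILURE'
}

function ConvertFrom-BugCheckMessage {
    param([Parameter(Mandatory)][string]$Message)

    # Assumes the English message text; localized systems word this differently.
    $m = [regex]::Match($Message,
        '(?i)bugcheck was:\s*(?<code>0x[0-9a-f]+)\s*\((?<args>[^)]*)\)')
    if (-not $m.Success) { return $null }

    # Normalize to the 0xXXXXXXXX form used as the table key.
    $code = [Convert]::ToUInt32($m.Groups['code'].Value, 16)
    $key  = '0x{0:X8}' -f $code
    $name = if ($StopCodeNames.ContainsKey($key)) { $StopCodeNames[$key] }
            else { 'UNKNOWN (not in table)' }

    $d = [regex]::Match($Message, '(?i)saved in:\s*(?<path>.+?\.dmp)')

    [pscustomobject]@{
        StopCode   = $key
        Name       = $name
        Parameters = $m.Groups['args'].Value -split '\s*,\s*'
        DumpFile   = if ($d.Success) { $d.Groups['path'].Value } else { $null }
    }
}

# Constructed sample message (not from a real machine).
$sample = 'The computer has rebooted from a bugcheck.  The bugcheck was: 0x000000d1 ' +
    '(0x0000000000000028, 0x0000000000000002, 0x0000000000000000, 0xfffff80000000000). ' +
    'A dump was saved in: C:\Windows\Minidump\010124-00000-01.dmp. ' +
    'Report Id: 00000000-0000-0000-0000-000000000000.'
ConvertFrom-BugCheckMessage $sample | Format-List

# On a live system, feed it the real events:
# Get-WinEvent -FilterHashtable @{LogName='System';
#     ProviderName='Microsoft-Windows-WER-SystemErrorReporting'; Id=1001} |
#     ForEach-Object { ConvertFrom-BugCheckMessage $_.Message } |
#     Group-Object Name | Sort-Object Count -Descending
```

Grouping the parsed events by name, as in the commented pipeline, shows at a glance whether the machine keeps hitting one STOP code or several unrelated ones.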
---
1. Always run PowerShell as Administrator for full access to system logs and diagnostic tools
2. Save command outputs to files for later analysis: | Out-File C:\temp\analysis.txt
3. Use Task Scheduler to automatically run diagnostics after system crashes
4. Correlate timestamps between different log sources to identify patterns
5. Check manufacturer-specific tools for additional hardware diagnostics
1. Start with the comprehensive analysis function (Invoke-CrashAnalysis)
2. Use timeline correlation to identify crash patterns
3. Focus on hardware errors first - they often cause cascading failures
4. Check recent changes (updates, new hardware, software installations)
5. Document findings and track recurring issues
1. Keep drivers updated but avoid beta versions
2. Monitor system temperatures regularly
3. Run memory diagnostics monthly
4. Maintain adequate free disk space (>15% of total capacity)
5. Use reliable power supplies and surge protection
6. Schedule regular system maintenance with built-in tools
1. Boot from Windows Recovery Environment if crashes prevent normal startup
2. Use System Restore to roll back recent changes
3. Run startup repair from advanced boot options
4. Consider safe mode for troubleshooting driver issues
5. Have external backup of critical data and system recovery media
---
# Quick system health check
Get-WinEvent -FilterHashtable @{LogName='System'; Level=1} -MaxEvents 5
Get-PhysicalDisk | Select FriendlyName, HealthStatus
Get-ChildItem "C:\Windows\Minidump\" | Sort LastWriteTime -Desc | Select -First 3
What it does: Rapid assessment of critical errors, disk health, and recent crashes
Why it's useful: Gets you key information in under 30 seconds for emergency situations
$date = Get-Date -Format "yyyy-MM-dd_HH-mm"
Get-WinEvent -LogName System | Export-Csv "C:\temp\SystemLog_$date.csv" -NoTypeInformation
Get-WinEvent -LogName Application | Export-Csv "C:\temp\ApplicationLog_$date.csv" -NoTypeInformation
What it does: Exports complete system and application logs to CSV files with timestamps
Why it's useful: Creates detailed logs for offline analysis or sending to technical support
---
Remember: This guide provides diagnostic tools, but severe hardware failures may require professional repair services. Always backup important data before making system changes, and consider consulting with IT professionals for complex issues affecting business-critical systems.