Complete Windows Laptop Crash Troubleshooting Guide (PowerShell)

Category: System Troubleshooting Tags: Windows crashes, BSOD, PowerShell diagnostics, hardware monitoring, system analysis

This comprehensive guide provides PowerShell commands and advanced techniques to diagnose Windows crashes (BSODs, random restarts, freezes). Each command includes detailed explanations of what it does and why it's useful.

• Essential troubleshooting commands with explanations
• Advanced deep-dive diagnostics
• Hardware monitoring & analysis
• Step-by-step post-crash analysis
• Advanced minidump reading techniques
• Timeline correlation methods
• Comprehensive STOP codes reference
• Automated analysis functions

---

Essential PowerShell Commands for Crash Diagnostics

1. Check Event Logs

Get-WinEvent -LogName System -MaxEvents 50 | Format-List

What it does: Shows the last 50 system events from the Windows Event Log
Why it's useful: System events contain critical information about crashes, driver failures, and hardware issues. This gives you a quick overview of recent problems.

2. Filter for Critical Errors

Get-WinEvent -FilterHashtable @{LogName='System'; Level=1} | Format-List

What it does: Retrieves only critical events (Level 1 = Critical errors)
Why it's useful: Critical events are the most severe - these often indicate system crashes, hardware failures, or major driver problems. Start here for serious issues.

3. Look for BugCheck Events

Get-WinEvent -FilterHashtable @{LogName='System'; ProviderName='Microsoft-Windows-WER-SystemErrorReporting'} |
Format-List -Property TimeCreated, Message

What it does: Finds bug check (BSOD) events specifically from Windows Error Reporting
Why it's useful: This pinpoints actual Blue Screen events and can show you the STOP code and driver responsible for crashes.

4. Analyze Reliability History

Get-WinEvent -LogName Application -MaxEvents 100 |
Where-Object {$_.Message -like "*faulting*"} |
Format-Table TimeCreated, Message -AutoSize

What it does: Searches application logs for faulting programs and services
Why it's useful: Application crashes can sometimes trigger system instability. This helps identify problematic software that might be causing system-wide issues.

5. Driver Failures

Get-WinEvent -FilterHashtable @{LogName='System'; ProviderName='Microsoft-Windows-DriverFrameworks-UserMode'} |
Format-Table TimeCreated, Message -AutoSize

What it does: Lists driver-related errors from the Driver Framework
Why it's useful: Driver issues are a leading cause of system crashes. This shows you which drivers are having problems loading or operating.

6. Hardware Errors (WHEA)

Get-WinEvent -FilterHashtable @{LogName='System'; ProviderName='Microsoft-Windows-WHEA-Logger'} |
Format-Table TimeCreated, Message -AutoSize

What it does: Shows Windows Hardware Error Architecture (WHEA) logs
Why it's useful: WHEA logs capture hardware-level errors from CPU, memory, PCIe devices. These are often early warning signs of failing hardware.

7. Installed Drivers

Get-WmiObject Win32_PnPSignedDriver |
Select DeviceName, DriverVersion, DriverDate |
Sort-Object DriverDate -Descending |
Format-Table -AutoSize

What it does: Lists all installed drivers with versions and dates, sorted by newest first
Why it's useful: Helps identify recently installed or very old drivers that might be causing stability issues. Look for drivers installed around the time crashes started.

8. Memory Diagnostics

mdsched.exe

What it does: Launches Windows Memory Diagnostic tool
Why it's useful: Bad RAM is a common cause of random crashes and BSODs. This schedules a memory test for the next reboot to check for memory errors.

9. Disk Health

Get-PhysicalDisk | Select-Object FriendlyName, HealthStatus, OperationalStatus

What it does: Checks the health status of all physical drives in the system
Why it's useful: Failing hard drives can cause system crashes, especially during boot or when accessing files. Shows "Healthy" vs "Warning" vs "Unhealthy" status.

10. System File Integrity

sfc /scannow

What it does: Scans all protected system files and repairs corrupted ones
Why it's useful: Corrupted system files can cause crashes and instability. This tool can fix many issues by restoring original system files from Windows backup.

11. Repair Windows Image

DISM /Online /Cleanup-Image /RestoreHealth

What it does: Repairs the Windows system image using Windows Update
Why it's useful: If SFC finds corruption it can't fix, DISM can repair the Windows image itself. This fixes deeper system corruption issues.

12. Power Issues

powercfg /energy

What it does: Analyzes power efficiency and identifies power-related problems
Why it's useful: Power management issues can cause random shutdowns, sleep/wake problems, and system instability. Creates a detailed HTML report of power issues.

13. Recent Updates

Get-HotFix | Sort-Object InstalledOn -Descending

What it does: Lists all installed Windows updates sorted by installation date
Why it's useful: Sometimes Windows updates can introduce instability. This helps identify if crashes started after a specific update was installed.

14. Minidump Files

Get-ChildItem "C:\Windows\Minidump\" | Sort-Object LastWriteTime -Descending

What it does: Lists all crash dump files sorted by when they were created
Why it's useful: Each BSOD creates a minidump file. The timestamps help correlate crashes with system events and show crash frequency patterns.

---

Advanced System Diagnostics

15. Startup/Shutdown Logs

Get-WinEvent -FilterHashtable @{LogName='System'; Id=6005,6006,6008} |
Format-Table TimeCreated, Id, Message -AutoSize

What it does: Shows system startup (6005), shutdown (6006), and unexpected shutdown (6008) events
Why it's useful: Event ID 6008 indicates the system shut down unexpectedly (crash or power loss). Helps identify crash patterns and frequency.

16. Last BSOD Occurrence

Get-EventLog -LogName System -Source "BugCheck" -Newest 5

What it does: Finds the 5 most recent BugCheck events (Blue Screen crashes)
Why it's useful: Gives you specific BSOD events with STOP codes. Newer PowerShell method, but this older syntax sometimes catches events the newer method misses.

17. Device Failures

Get-WinEvent -FilterHashtable @{LogName='System'; ProviderName='Microsoft-Windows-UserPnp'} |
Format-Table TimeCreated, Id, Message -AutoSize

What it does: Shows Plug and Play device failures and issues
Why it's useful: USB devices, graphics cards, and other hardware can cause crashes when they fail to initialize properly or malfunction.

18. Performance Degradation

Get-WinEvent -LogName System | Where-Object {$_.Message -like "*degraded*"} |
Format-Table TimeCreated, Message -AutoSize

What it does: Searches for any system events mentioning "degraded" performance
Why it's useful: System components can run in degraded mode before failing completely. This provides early warning of developing hardware issues.

19. Windows Update Failures

Get-WinEvent -LogName Setup | Format-Table TimeCreated, Id, Message -AutoSize

What it does: Shows Windows Update installation events and failures
Why it's useful: Failed Windows updates can leave the system in an unstable state. Helps identify if crashes coincide with update problems.

20. Service Crashes

Get-WinEvent -LogName Application | Where-Object {$_.Message -like "*service terminated unexpectedly*"} |
Format-Table TimeCreated, Message -AutoSize

What it does: Finds Windows services that have crashed or terminated unexpectedly
Why it's useful: Critical services crashing can destabilize the entire system. Shows which services are having problems.

21. Problematic Drivers

Get-WmiObject Win32_PnPEntity | Where-Object { $_.ConfigManagerErrorCode -ne 0 } |
Select-Object Name, ConfigManagerErrorCode | Format-Table -AutoSize

What it does: Lists devices with configuration manager error codes (non-zero = problem)
Why it's useful: Shows devices that Windows can't configure properly. Error codes indicate specific driver or hardware problems.

22. Faulty Processes

Get-WinEvent -LogName Application -MaxEvents 200 |
Group-Object -Property ProviderName | Sort-Object Count -Descending |
Select-Object Count, Name | Format-Table -AutoSize

What it does: Groups application errors by source and counts them
Why it's useful: Helps identify which applications or services are generating the most errors. High error counts indicate problematic software.

23. Thermal and Battery Events

Get-WinEvent -FilterHashtable @{LogName='System'; ProviderName='Microsoft-Windows-Kernel-Power'} |
Format-Table TimeCreated, Id, Message -AutoSize

What it does: Shows power management events including thermal shutdowns and battery issues
Why it's useful: Overheating can cause system crashes. This reveals thermal throttling, emergency shutdowns, and power supply problems.

24. Last Crash Registry Info

Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl" | 
Select-Object CrashDumpEnabled, LastCrashTime

What it does: Shows crash dump settings and when the last crash occurred according to the registry
Why it's useful: Confirms crash dump creation is enabled and provides another timestamp for crash correlation.

25. Advanced Disk SMART

Get-WmiObject -Namespace root\wmi -Class MSStorageDriver_FailurePredictStatus |
Select InstanceName, PredictFailure

What it does: Checks SMART status to predict disk failure
Why it's useful: Hard drives report their health through SMART. "PredictFailure = True" means the drive is about to fail and should be replaced immediately.

---

Temperature & Hardware Monitoring

26. CPU Temperature Events

Get-WinEvent -FilterHashtable @{LogName='System'; ProviderName='Microsoft-Windows-Kernel-Processor-Power'} |
Where-Object {$_.Message -like "*thermal*"} | Format-Table TimeCreated, Message -AutoSize

What it does: Searches for thermal-related events from the processor power management system
Why it's useful: CPU overheating is a major cause of system crashes. This shows thermal throttling events and temperature warnings.

27. Hardware Resource Conflicts

Get-WmiObject Win32_PnPEntity | Where-Object {$_.ConfigManagerErrorCode -eq 12} |
Select-Object Name, DeviceID | Format-Table -AutoSize

What it does: Finds devices with error code 12 (insufficient resources available)
Why it's useful: Hardware resource conflicts can cause system instability. Code 12 means Windows can't allocate enough resources (IRQ, memory, I/O) for the device.

28. Battery/Power Supply Issues

Get-WinEvent -FilterHashtable @{LogName='System'; Id=1,41,42,107} |
Format-Table TimeCreated, Id, Message -AutoSize

What it does: Shows specific power-related event IDs (1=system boot, 41=unexpected shutdown, 42=sleep, 107=power button)
Why it's useful: Event ID 41 specifically indicates unexpected shutdowns due to power loss, overheating, or system crashes.

29. Hardware Diagnostics

# DirectX Diagnostics
dxdiag /t C:\temp\dxdiag.txt

# System Information
msinfo32 /report C:\temp\sysinfo.txt

What it does: Creates comprehensive hardware and software reports
Why it's useful: DXDiag shows graphics hardware info and DirectX issues. MSInfo32 creates a complete system configuration report for analysis.

---

Network-Related Crashes

30. Network Driver Failures

Get-WinEvent -FilterHashtable @{LogName='System'; ProviderName='Microsoft-Windows-NDIS'} |
Format-Table TimeCreated, Id, Message -AutoSize

What it does: Shows Network Driver Interface Specification (NDIS) errors
Why it's useful: Network adapter drivers can cause system crashes, especially with WiFi cards. NDIS errors indicate network driver problems.

31. TCP/IP Stack Issues

Get-WinEvent -FilterHashtable @{LogName='System'; ProviderName='Tcpip'} |
Where-Object {$_.LevelDisplayName -eq "Error"} | Format-Table TimeCreated, Message -AutoSize

What it does: Shows TCP/IP protocol stack errors
Why it's useful: TCP/IP stack corruption can cause network-related crashes and system instability, especially on servers or heavy network usage systems.

---

Registry & System State Analysis

32. Registry Corruption Detection

Get-WinEvent -FilterHashtable @{LogName='System'; Id=6,13} |
Format-Table TimeCreated, Id, Message -AutoSize

What it does: Shows registry hive corruption events (Event IDs 6 and 13)
Why it's useful: Registry corruption can cause boot failures and system crashes. These events indicate when Windows detects registry problems.

33. System State Analysis

Get-WmiObject Win32_OperatingSystem | 
Select-Object @{Name="LastBootUpTime";Expression={$_.ConvertToDateTime($_.LastBootUpTime)}},
@{Name="Uptime";Expression={(Get-Date) - $_.ConvertToDateTime($_.LastBootUpTime)}}

What it does: Shows when the system last booted and current uptime
Why it's useful: Short uptimes suggest frequent crashes. Helps establish crash patterns and system stability trends.

34. Boot Configuration Data (BCD) Check

bcdedit /enum all

What it does: Lists all boot configuration entries
Why it's useful: Corrupted or misconfigured boot settings can cause startup crashes and boot loops. Shows boot manager configuration.

---

Startup & Performance Issues

35. Problematic Startup Programs

Get-WmiObject Win32_StartupCommand | 
Select-Object Name, Location, Command | Format-Table -AutoSize

What it does: Lists all programs that start automatically with Windows
Why it's useful: Faulty startup programs can cause crashes during boot or shortly after login. Helps identify problematic software.

36. Handle Leaks Detection

Get-Process | Sort-Object Handles -Descending | 
Select-Object -First 10 Name, Handles, WorkingSet | Format-Table -AutoSize

What it does: Shows processes with the highest number of open handles
Why it's useful: Handle leaks can exhaust system resources and cause crashes. Processes with excessive handles (>10,000) may have memory leaks.

37. Pool Memory Usage

Get-WinEvent -FilterHashtable @{LogName='System'; Id=2019,2020} |
Format-Table TimeCreated, Id, Message -AutoSize

What it does: Shows pool memory allocation warnings and errors
Why it's useful: Pool memory exhaustion can cause system crashes. Event 2019/2020 indicate the system is running low on pool memory.

38. Virtual Memory Issues

Get-WmiObject Win32_PageFileUsage | 
Select-Object Name, AllocatedBaseSize, CurrentUsage, PeakUsage | Format-Table -AutoSize

What it does: Shows page file (virtual memory) usage statistics
Why it's useful: Insufficient virtual memory can cause application and system crashes. Shows if page file is too small or heavily used.

39. Critical Process Monitoring

Get-WinEvent -FilterHashtable @{LogName='System'; Id=6008} |
Format-Table TimeCreated, Message -AutoSize

What it does: Shows unexpected system shutdown events
Why it's useful: Event ID 6008 is logged when Windows starts after an unexpected shutdown (crash, power loss, forced restart).

40. Disk Performance Analysis

Get-Counter "\PhysicalDisk(*)\% Disk Time" -SampleInterval 1 -MaxSamples 5 |
ForEach-Object {$_.CounterSamples} | 
Where-Object {$_.CookedValue -gt 80} |
Format-Table InstanceName, CookedValue -AutoSize

What it does: Measures disk activity percentage over 5 seconds, showing disks over 80% busy
Why it's useful: Extremely busy disks (>90% constantly) can cause system slowdowns and timeouts that lead to crashes.

---

Security & Software Conflicts

41. Antivirus Conflicts

Get-WinEvent -FilterHashtable @{LogName='Application'; ProviderName='Windows Error Reporting'} |
Where-Object {$_.Message -like "*antivirus*" -or $_.Message -like "*security*"} |
Format-Table TimeCreated, Message -AutoSize

What it does: Searches for error reports mentioning antivirus or security software
Why it's useful: Antivirus software can conflict with system drivers and cause crashes. Multiple security products can also conflict with each other.

42. Third-Party Software Crashes

Get-WinEvent -LogName Application -MaxEvents 100 |
Where-Object {$_.LevelDisplayName -eq "Error" -and $_.ProviderName -notlike "Microsoft*"} |
Group-Object ProviderName | Sort-Object Count -Descending |
Select-Object Count, Name | Format-Table -AutoSize

What it does: Counts errors from non-Microsoft software, sorted by frequency
Why it's useful: Identifies which third-party applications are generating the most errors. Problematic software can destabilize the entire system.

43. Driver Verifier Status

$verifier = Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" -Name VerifyDriverLevel -ErrorAction SilentlyContinue
if ($verifier) {
    Write-Host "Driver Verifier is ENABLED - Level: $($verifier.VerifyDriverLevel)" -ForegroundColor Red
} else {
    Write-Host "Driver Verifier is disabled" -ForegroundColor Green
}

What it does: Checks if Driver Verifier is enabled and shows the verification level
Why it's useful: Driver Verifier intentionally causes crashes when it detects driver bugs. If enabled, it explains why the system is crashing during testing.

---

Recovery & Prevention Commands

44. System Restore Points

Get-ComputerRestorePoint | Sort-Object CreationTime -Descending |
Select-Object CreationTime, Description, RestorePointType | Format-Table -AutoSize

What it does: Lists all available system restore points
Why it's useful: Shows restore points you can use to roll back the system to before crashes started. Helps identify when problems began.

45. Windows Update Troubleshooter

Stop-Service wuauserv, cryptSvc, bits, msiserver -Force
Remove-Item C:\Windows\SoftwareDistribution\* -Recurse -Force -ErrorAction SilentlyContinue
Start-Service wuauserv, cryptSvc, bits, msiserver

What it does: Resets Windows Update components by stopping services, clearing cache, and restarting services
Why it's useful: Corrupt Windows Update files can cause instability. This reset procedure fixes many update-related problems.

---

Step-by-Step Crash Analysis Process

Phase 1: Initial Assessment

1. Check for critical errors (Command #2) - Start with the most severe issues
2. Look for recent BSODs (Command #3) - Identify actual crash events
3. Review hardware errors (Command #6) - Hardware problems cause most crashes
4. Check driver failures (Command #5) - Driver issues are the #2 cause of crashes
5. Examine application crashes (Command #4) - Apps can destabilize the system

Phase 2: Hardware Analysis

1. Review minidump files (Command #14) - Get specific crash details
2. Check disk health (Command #9) - Failing drives cause crashes
3. Run memory diagnostics (Command #8) - Bad RAM is a common culprit
4. Analyze thermal events (Command #26) - Overheating causes shutdowns
5. Check power issues (Command #28) - Power problems cause unexpected shutdowns

Phase 3: System Integrity

1. Run system file check (Command #10) - Fix corrupted system files
2. Repair Windows image (Command #11) - Fix deeper corruption
3. Check registry corruption (Command #32) - Registry issues cause boot problems
4. Verify boot configuration (Command #34) - Ensure proper boot setup

Phase 4: Deep Analysis

1. Correlate timeline events - Use timeline function to find patterns
2. Check resource exhaustion (Commands #36-38) - Memory/handle leaks
3. Analyze third-party conflicts (Commands #41-42) - Software conflicts
4. Review startup programs (Command #35) - Remove problematic startup items

---

Advanced Minidump Analysis

Extract Crash Context

$dumpFiles = Get-ChildItem "C:\Windows\Minidump\" -ErrorAction SilentlyContinue
foreach ($dump in $dumpFiles) {
    Write-Host "=== $($dump.Name) ===" -ForegroundColor Yellow
    Write-Host "Created: $($dump.CreationTime)"
    Write-Host "Size: $([math]::Round($dump.Length/1KB,2)) KB"

    $content = Get-Content $dump.FullName -Raw -Encoding Byte -TotalCount 1024 -ErrorAction SilentlyContinue
    if ($content) {
        Write-Host "Dump file exists and is readable"
    }
}

What it does: Lists all minidump files with creation times and validates they're readable
Why it's useful: Shows crash frequency and helps identify the most recent crashes for analysis. File size can indicate crash type.

Basic Minidump Content Search

findstr /i "BugCheck" C:\Windows\Minidump\*.dmp
strings C:\Windows\Minidump\*.dmp | Select-String "BugCheck|Probably caused by"

What it does: Searches minidump files for crash information using text extraction
Why it's useful: Can sometimes extract basic crash information without specialized tools, including the driver that caused the crash.

Crash Dump Configuration Check

Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl" |
Select-Object AutoReboot, CrashDumpEnabled, DumpFile, MinidumpDir

What it does: Shows how the system is configured to handle crashes
Why it's useful: Ensures crash dumps are being created. If CrashDumpEnabled=0, no dumps are created and you lose crash data.

---

Advanced Correlation & Timeline Analysis

Timeline Correlation Function

function Get-CrashTimeline {
    param([int]$Hours = 24)

    $start = (Get-Date).AddHours(-$Hours)

    Write-Host "=== CRASH TIMELINE (Last $Hours hours) ===" -ForegroundColor Cyan

    # System crashes
    $crashes = Get-WinEvent -FilterHashtable @{LogName='System'; StartTime=$start; Id=41,1001,1074} -ErrorAction SilentlyContinue

    # Application crashes  
    $appCrashes = Get-WinEvent -FilterHashtable @{LogName='Application'; StartTime=$start; Id=1000,1001} -ErrorAction SilentlyContinue

    # Hardware errors
    $hwErrors = Get-WinEvent -FilterHashtable @{LogName='System'; StartTime=$start; ProviderName='Microsoft-Windows-WHEA-Logger'} -ErrorAction SilentlyContinue

    $allEvents = @($crashes; $appCrashes; $hwErrors) | Sort-Object TimeCreated -Descending

    foreach ($event in $allEvents) {
        Write-Host "$($event.TimeCreated) - $($event.LogName) - ID:$($event.Id) - $($event.LevelDisplayName)" -ForegroundColor Yellow
    }
}

What it does: Creates a chronological timeline of crashes, application failures, and hardware errors
Why it's useful: Helps identify patterns, crash frequency, and correlations between different types of failures. Usage: Get-CrashTimeline -Hours 48

---

Comprehensive Analysis Function

All-in-One Crash Analysis

function Invoke-CrashAnalysis {
    Write-Host "Starting comprehensive crash analysis..." -ForegroundColor Green

    # Recent critical events
    Write-Host "`n=== RECENT CRITICAL EVENTS ===" -ForegroundColor Yellow
    Get-WinEvent -FilterHashtable @{LogName='System'; Level=1} -MaxEvents 10 -ErrorAction SilentlyContinue |
    Format-Table TimeCreated, Id, LevelDisplayName, Message -Wrap

    # Hardware errors
    Write-Host "`n=== HARDWARE ERRORS ===" -ForegroundColor Yellow
    Get-WinEvent -FilterHashtable @{LogName='System'; ProviderName='Microsoft-Windows-WHEA-Logger'} -MaxEvents 5 -ErrorAction SilentlyContinue |
    Format-Table TimeCreated, Message -Wrap

    # Recent minidumps
    Write-Host "`n=== RECENT MINIDUMPS ===" -ForegroundColor Yellow
    Get-ChildItem "C:\Windows\Minidump\" -ErrorAction SilentlyContinue |
    Sort-Object LastWriteTime -Descending | Select-Object -First 5 |
    Format-Table Name, LastWriteTime, Length

    # System health
    Write-Host "`n=== SYSTEM HEALTH ===" -ForegroundColor Yellow
    Get-PhysicalDisk | Format-Table FriendlyName, HealthStatus, OperationalStatus -AutoSize

    # Driver issues
    Write-Host "`n=== PROBLEMATIC DRIVERS ===" -ForegroundColor Yellow
    Get-WmiObject Win32_PnPEntity | Where-Object { $_.ConfigManagerErrorCode -ne 0 } |
    Select-Object Name, ConfigManagerErrorCode | Format-Table -AutoSize

    # Recent crashes timeline
    Write-Host "`n=== CRASH TIMELINE (Last 24 hours) ===" -ForegroundColor Yellow
    Get-CrashTimeline -Hours 24

    Write-Host "`nAnalysis complete!" -ForegroundColor Green
}

What it does: Runs a comprehensive automated analysis combining multiple diagnostic checks
Why it's useful: Provides a complete system health overview in one command. Perfect for initial troubleshooting. Usage: Invoke-CrashAnalysis

---

Complete BugCheck STOP Codes Reference

Code	Meaning	Explanation
0x00000001	APC_INDEX_MISMATCH	Asynchronous Procedure Call mismatch. Driver bug.
0x0000000A	IRQL_NOT_LESS_OR_EQUAL	Driver accessed pageable memory at too high IRQL. Common driver error.
0x00000019	BAD_POOL_HEADER	Pool header corruption in memory. Driver corrupted memory pool.
0x0000001A	MEMORY_MANAGEMENT	Severe memory management issue. Hardware or driver problem.
0x0000001E	KMODE_EXCEPTION_NOT_HANDLED	Kernel mode exception not handled. Driver caused unhandled exception.
0x00000024	NTFS_FILE_SYSTEM	NTFS file system corruption. Disk or file system driver issue.
0x0000002E	DATA_BUS_ERROR	Hardware memory parity error. Bad RAM or motherboard.
0x00000035	NO_MORE_IRP_STACK_LOCATIONS	Driver stack exhaustion. Too many drivers in chain.
0x0000003A	SYSTEM_UNWIND_PREVIOUS_USER	Exception during system unwind. Driver or system bug.
0x0000003B	SYSTEM_SERVICE_EXCEPTION	Exception in system service. Driver or kernel bug.
0x0000004E	PFN_LIST_CORRUPT	Physical memory page corruption. Bad RAM or driver bug.
0x00000050	PAGE_FAULT_IN_NONPAGED_AREA	Invalid system memory access. Bad RAM or driver bug.
0x00000051	REGISTRY_ERROR	Registry corruption or I/O error. Disk or registry corruption.
0x0000007A	KERNEL_DATA_INPAGE_ERROR	Kernel failed to read data from storage. Disk problem.
0x0000007B	INACCESSIBLE_BOOT_DEVICE	Windows cannot access boot device. Disk or driver problem.
0x0000007E	SYSTEM_THREAD_EXCEPTION_NOT_HANDLED	Driver or system thread caused unhandled exception.
0x0000009F	DRIVER_POWER_STATE_FAILURE	Driver failed during power state change. Power management bug.
0x000000C2	BAD_POOL_CALLER	Bad memory pool request. Driver made invalid memory request.
0x000000C4	DRIVER_VERIFIER_DETECTED_VIOLATION	Driver verifier found a violation. Driver has bugs.
0x000000C5	DRIVER_CORRUPTED_EXPOOL	Driver corrupted system memory pool. Driver bug.
0x000000D1	DRIVER_IRQL_NOT_LESS_OR_EQUAL	Driver accessed invalid memory at high IRQL. Driver bug.
0x000000D8	DRIVER_USED_EXCESSIVE_PTES	Driver used too many page table entries. Driver memory leak.
0x000000DA	SYSTEM_PTE_MISUSE	System page table entry misuse. Kernel or driver bug.
0x000000E2	MANUALLY_INITIATED_CRASH	Manual crash triggered (Ctrl+Scroll+Scroll). Intentional.
0x000000EA	THREAD_STUCK_IN_DEVICE_DRIVER	GPU driver stuck in a loop. Graphics driver hang.
0x000000F4	CRITICAL_OBJECT_TERMINATION	Critical system process terminated. System corruption.
0x000000FE	BUGCODE_USB_DRIVER	USB driver failure. USB device or driver problem.
0x00000116	VIDEO_TDR_ERROR	GPU driver crash or timeout detected. Graphics problem.
0x00000124	WHEA_UNCORRECTABLE_ERROR	Hardware reported unrecoverable error (CPU, RAM, etc.).
0x00000133	DPC_WATCHDOG_VIOLATION	Driver exceeded time limits (watchdog timeout).
0x00000139	KERNEL_SECURITY_CHECK_FAILURE	Kernel detected corruption or invalid structure.

---

Pro Tips & Best Practices

General Guidelines

1. Always run PowerShell as Administrator for full access to system logs and diagnostic tools
2. Save command outputs to files for later analysis: | Out-File C:\temp\analysis.txt
3. Use Task Scheduler to automatically run diagnostics after system crashes
4. Correlate timestamps between different log sources to identify patterns
5. Check manufacturer-specific tools for additional hardware diagnostics

Analysis Workflow

1. Start with the comprehensive analysis function (Invoke-CrashAnalysis)
2. Use timeline correlation to identify crash patterns
3. Focus on hardware errors first - they often cause cascading failures
4. Check recent changes (updates, new hardware, software installations)
5. Document findings and track recurring issues

Prevention Strategies

1. Keep drivers updated but avoid beta versions
2. Monitor system temperatures regularly
3. Run memory diagnostics monthly
4. Maintain adequate free disk space (>15% of total capacity)
5. Use reliable power supplies and surge protection
6. Schedule regular system maintenance with built-in tools

Emergency Procedures

1. Boot from Windows Recovery Environment if crashes prevent normal startup
2. Use System Restore to roll back recent changes
3. Run startup repair from advanced boot options
4. Consider safe mode for troubleshooting driver issues
5. Have external backup of critical data and system recovery media

---

Quick Reference Commands

Emergency Diagnostics (Run First)

# Quick system health check
Get-WinEvent -FilterHashtable @{LogName='System'; Level=1} -MaxEvents 5
Get-PhysicalDisk | Select FriendlyName, HealthStatus
Get-ChildItem "C:\Windows\Minidump\" | Sort LastWriteTime -Desc | Select -First 3

What it does: Rapid assessment of critical errors, disk health, and recent crashes
Why it's useful: Gets you key information in under 30 seconds for emergency situations

Save Complete Log Export

$date = Get-Date -Format "yyyy-MM-dd_HH-mm"
Get-WinEvent -LogName System | Export-Csv "C:\temp\SystemLog_$date.csv" -NoTypeInformation
Get-WinEvent -LogName Application | Export-Csv "C:\temp\ApplicationLog_$date.csv" -NoTypeInformation

What it does: Exports complete system and application logs to CSV files with timestamps
Why it's useful: Creates detailed logs for offline analysis or sending to technical support

---

Remember: This guide provides diagnostic tools, but severe hardware failures may require professional repair services. Always backup important data before making system changes, and consider consulting with IT professionals for complex issues affecting business-critical systems.