Site search

Analyze crash dumps with WhoCrashed

By , logo. Last updated: 2018-08-21

How to use WhoCrashed for determining crash causes in Windows XP, Vista, 7, 8, 8.1 and 10

Ah, not the Blue Screen of Death (BSOD) again! As you probably know, the dreaded blue screen often consists of hard-to-understand error messages and cryptic error numbers.

Luckily, there is a solution: WhoCrashed (free for home users only) is able to analyze the memory dump files that Windows creates. The program prepares an overview of what caused the crash(es) so that you are able to find out whether you need to update driver software, Windows, some programs or even replace RAM (memory modules) or other hardware components.

In case you want to find out why applications or programs crash or stop responding, use Reliability Monitor instead.

Verifying that crash dumps are enabled in Windows

First, there must be something to analyze. By default, Windows creates kernel memory dumps that contain enough data for troubleshooting. To verify the setting is still correct, use keyboard shortcut Windows Key+Pause/Break to open System Properties.

Alternatively, right-click (My) Computer (or This PC icon in Windows 8.1 and later) icon on Desktop, Start menu/screen or Windows/File Explorer and select Properties.
Windows XP Start Menu, My Computer right-click menu. Click Properties to see general system information.

In Windows Vista, 7, 8, 8.1 and 10, click Advanced system settings on the left.
Windows Vista, Control Panel. To open System Properties, click Advanced system settings.

Next, open the Advanced tab of System Properties window. Then click Settings button in the Startup and Recovery section.
Windows 7, System Properties, Advanced. To verify that crash dumps are enabled, click Settings in the Startup and Recovery section.

In the Startup and Recovery window, make sure all check boxes (Write an event to the system log, Automatically restart, etc) in the System failure section are ticked. Then verify that the Write debugging information combo box says Kernel memory dump. If not, select it from the list.
In Windows 10, the Disable automatic deletion of memory dumps when disk space is low check box should be unticked in most cases.
Windows 7, System Properties, Advanced, Startup and Recovery. Make sure all check boxes in the System failure section are ticked. Then verify that Write debugging information says 'Kernel memory dump'.

Click OK twice to close Startup and Recovery and System Properties windows.

You should also check if Windows paging file meets minimum requirements for creating crash dumps: Set paging file to a fixed size in Windows.

Downloading and installing WhoCrashed

Open WhoCrashed download page at Resplendence Software Projects, scroll down to the Crash Analysis Tools section and click Download free home edition to the right of WhoCrashed.
WhoCrashed download page, click 'Download free home edition'.

After the download is complete, WhoCrashed Home Edition Setup Wizard opens. The process is very simple, just click those Next buttons. After the installation is complete, click Finish to run WhoCrashed right away.

Windows XP users will probably see the Required Windows Debugging package not found dialog upon the first run of WhoCrashed Home. Click Download the required file from Microsoft site now to download and install the missing package automatically. Please stand by until the process is complete.
WhoCrashed: required Windows Debugging package not found. Click 'Download the required file from Microsoft site now'.

Analyzing crash dumps with WhoCrashed Home Edition

After WhoCrashed opens, click Analyze (the leftmost button) on Toolbar.
WhoCrashed Home Edition. Click Analyze to start troubleshooting crashes.

Depending on the number of available memory dumps, the process might take up to a minute. Information dialog appears after the analysis is complete - click OK.
WhoCrashed Home Edition, Please scroll down the information window to read the report. Click OK.

In case there are no memory dumps available, WhoCrashed has nothing to analyze. Please verify that the line above states "Crash dumps are enabled on your computer" - if not, scroll to the beginning of this tutorial and enable Kernel memory dumps.

Please note that Disk Cleanup and CCleaner can also delete stored crash dump files, so do not use these tools until you have located the source of Windows crashes. After you've resolved the problems, you can safely remove memory dumps, since they can occupy quite a chunk of disk space.
WhoCrashed Home Edition, No valid crash dumps have been found on your computer. There is nothing to analyze, verify that crash dumps are enabled.

If one or more memory dumps are available, WhoCrashed sorts these by date and time. Please do check the year of the crashes, since there is absolutely no need to make wrong assumptions on very old crashes!

Each crash analysis contains detailed information, please read the description and suggestions thoroughly.

Here is a bad example of a Blue Screen of Death (BSOD): everything is unknown, except that the crash was probably not caused by hardware. You can still search the Bugcheck code on Google or Bing - you might not be alone with this problem.
Please note that this analysis is based on a minidump, so Kernel memory dump might still reveal the cause.
WhoCrashed Home Edition, crash was probably caused by Unknown module. Nothing much to do except for searching for the Bugcheck code on Google or Bing.

And here's the Kernel memory dump for the problem above - this time it is certain that the crash was caused by a third party driver ntkrpamp.exe. WhoCrashed was not able to determine the manufacturer and type of the driver (this usually means the driver is not digitally signed and should be updated ASAP), but googling "What is ntkrpamp.exe" reveals that this is a part of Realtek ethernet (network) driver - so seek for a driver update; or if you just upgraded the driver, roll it back in Safe Mode.
WhoCrashed Home Edition, crash was probably caused by ntkrpamp.exe. Google the module name and seek for driver update.

Here's another example: Microsoft's own standard module caused a crash. You can either run Windows Update or revert any system configuration changes you might have made lately.
WhoCrashed Home Edition, crash took place in a standard Microsoft module wmiacpi.sys. Run Windows Update or revert latest system configuration changes.

Back to third party drivers - this time BSOD was caused by Intel graphics/video driver. But there is also a suggestion that the problem might have been caused by a thermal issue (read: overheating).
First, look for an updated driver again. Second, verify your computer is not very hot - if it is, check or upgrade cooling.
WhoCrashed Home Edition, a typical software driver bug, problem might be caused by a thermal issue. Update the driver and verify that cooling works.

In the end of each WhoCrashed report there is the Conclusion section that contains links to related Google searches. In case you are not really good at searching, use these links instead.
WhoCrashed Home Edition, Conclusion. Each report offers links to related Google searches.

In case you see problems related to hardware (sorry, no examples at the moment), you need to replace the faulty components. If your computer is still under warranty, you are in luck. If not, you still need to take it to some repair shop unless you are an IT specialist.

Good luck with troubleshooting and updating!


Ctrl+F searches in the contents

Next: Check memory modules with Memtest86+
Previous: Reliability Monitor in Windows