Monday, January 23, 2012

How to Determine Current DirectX Version

To check the DirectX version, the most straightforward way is to use the dxdiag.exe utility from the search box or the "run" prompt in Windows (this is known to work for Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2).




After launching the DirectX Diagnostic utility, the version will be listed.




See Also,
Windows Crash Dump Analysis
Troubleshooting 0x116 VIDEO_TDR_ERROR

Wednesday, January 18, 2012

SOPA and PIPA - A Step Backward for Net Neutrality


We're not saying that we want to pirate copyrighted material; we just think there is a better way of handling copyright infringement.

After reading the Stop Online Piracy Act and the PROTECT Intellectual Property Act in their current forms, I'm fairly convinced that these two pieces of legislation could virtually stop the Internet as we currently know it. Some of the requirements include having Internet Service Providers (ISPs) block any networks that serve content that is suspected of being copyright infringement. Search engines would also be required to wholesale block entire domains from the language included in the drafts. This poses a tremendous risk for cloud computing and multi-tenant systems because an attempt to block one set of content could wind up taking down a content delivery network for everyone else who is hosting legitimate content. This is effectively a government initiated denial of service attack against the companies that may or may not be perpetuating the infringement.

It is clear that the movie and music industries (who have yelled the loudest since piracy took off in the 1990s) lobbied to create these two extremely misguided pieces of legislation, but let's get to the heart of the issue. The music, movie, and cable TV industries are failing to adapt their business models to the changes in the business environment from the late 20th century and early 21st century. Additionally, these industries are feeling too lazy to police their own intellectual property, so they are trying to make it a taxpayer issue to bring criminal charges against infringement on private property. For the rest of the world, this is handled in civil (lawsuit) case law. If you thought the bailout of the banks in 2008 was a waste of taxpayer money, The bills threaten to increase the amount of federal spending on copyright infringement related enforcement..

We've heard a lot of arguments that piracy is hurting jobs and piracy is hurting incomes for different businesses, but this is not the real cause of the issue. The loss of jobs is't from piracy, it is from a natural evolution of these markets as they are revolutionized by technology.

Let's take the music industry for example, in the 1990s there was not an alternative to buying a full CD for $10-$20. What this typically meant was that the average individual would end up paying $10-$20 for a single good song on the CD. An artist gets a hit and the record company (not the artist) sells 100,000 records and makes $2 Million. Now with MP3 services like iTunes and Amazon, the single good song can be purchased for $1, and the other 19$ worth of crap on the CD doesn't need to be bought (because it won't be listened to anyway). Now assume the same hit occurs and now the record company only makes $100,000. Most people would call this progress because the average consumer pays less and is able to get a product/service that is tailored to their wants and needs. From an economic standpoint, this is more economically efficient and serves to motivate intellectual property creators to produce more high-quality content to make the same revenue. Fewer jobs are needed because artists are only producing their best work since they know that people won’t buy the junk any more...

Let's take it a step further, numerous services like Youtube, Grooveshark, and internet radio services like iHeartRadio and Pandora are now used to listen to full songs/albums before a consumer buys them and to discover new music. In most cases the consumer is going to buy the songs that he/she really likes (to put onto their iPod, Zune, or whatever), but this means only a few dollars in revenue for a record company instead of dozens or hundreds. In an economic study on music piracy, researchers from MIT found out that the average person who pirates a song doesn't like the song enough to actually buy it, and the real net effect is that someone has a song that they didn't buy that is taking up space on a hard drive, but not being listened to... Nowadays, people don't even pirate music, they simply look to stream it.

The Cable TV industry is now suffering a similar fate because of the evolution of streaming services like Hulu and Netflix. More and more people are asking the obvious questions, "Why should I watch commercial supported broadcasts when I can have on-demand, commercial free access to my movies and TV shows?" I myself dropped my Comcast Cable TV earlier this week so that I could save 60$ a month on something that I never watch anymore (I watch Netflix mainly now...). The reaction isn't to embrace the times and change with the business environment; instead Comcast implemented a 250 GB cap on monthly data traffic with a stern threat of cancelling service for users that go over the limit. This is an implied attack on net neutrality because it biases customers to use Comcast's cable TV service instead of using bandwidth consuming streaming services. This is especially effective if someone is using their Internet connection for voice, data, and TV-ng services and is using a lot of bandwidth. The bottom line is that the FCC should probably prohibit this policy under network neutrality rules.

It's time for the music, movie, and Cable TV industries to join the 21st century and adapt their business models to the changing times. Write/call your congressional leaders and get involved in stopping this train wreck of new legislation that threatens the continuation and evolution of the Internet...

Thursday, January 12, 2012

Troubleshooting 0xc000000f - Boot Failed, Inaccessible Device

From time to time an error occurs with Windows that does not result in a blue screen, but the system is unable to boot.. One of those cases is when the Windows Boot Manager Displays the following message:

"Windows failed to start. A recent hardware or software change might be the cause. To fix the problem:

1. Insert the Windows installation disk and restart your computer.
2. Choose your language settings, and click 'Next'
3. Click 'Repair your computer'

If you do not have this disc, contact your system administrator or computer manufacturer for assistance.

Status: 0xc000000f

Info: The boot selection failed because a required device is inaccessible"



Error 0xc000000f in this case is STATUS_NO_SUCH_FILE:

# for hex 0xc000000f / decimal -1073741809 :
  STATUS_NO_SUCH_FILE                                  ntstatus.h
# {File Not Found}
# The file %hs does not exist.
  USBD_STATUS_NOT_ACCESSED                             usb.h
# 2 matches found for "c000000f" 

In my testing and research of this issue, this issue occurs when the boot partition becomes corrupted and the Windows boot manager cannot successfully access the volume that Windows is installed on (In my case I mangled the NTFS boot sector with a Linux Live CD). Repair of this issue is fairly straightforward (as long as the volume is still relatively uncorrupted). First, boot off of DVD media or USB media for Windows and access the repair utilities (by clicking on "Repair your computer".



In this case, the system partition (the one containing the boot loader) is still in working order and the recovery tools can identify that there is supposed to be a Windows installation on the second partition (labeled D: in this example). The oddity is that the partition size is reported as 0 MB (when it is actually 39 GB). For most users, using startup repair at the tools screen will allow this issue to be automatically found and resolved. For more advanced users, access the command prompt from the tools selection.



Examine the available volumes with diskpart (using the list volumes command). The system volume is labeled "System Reserved" and there is a 39 GB RAW volume (this should actually be NTFS). Like most filesystem corruption, try a chksdk -r -f on the correct drive letter (in this case, D:).



The chkdsk identified the corruption in the volume and repaired it as well as it could. The main error reported in this case:

"The first NTFS boot sector is unreadable or corrupt."

Other errors involving indexes, the USN journal, and the master file table (MFT) are identified and corrected.



Repairing the filesystem allows the system to boot normally, but it is possible that there is still additional corruption that needs to be identified and corrected before Windows can boot properly (possibly missing/corrupt files, sections of registry, etc...). Performing an offline integrity verification may help with this. In some cases the damage is too extensive and the recovery tools included with Windows may not be sufficient to return the system to a functional state. In this case, the options are restoring from backup (if one is available) and reinstalling Windows. Performing the filesystem repair above may be enough to allow any personal files to be recovered using this rescue procedure.

After the data is rescued/backed up, it is important to identify the cause of the corruption (if possible). This might be anything from a virus to a hardware issue. In the case of a hardware issue, the system memory (RAM) and the hard drive should be checked for issues.

See Also,
Windows Crash Dump Analysis
Perform an Offline System Integrity Verification
Rescuing Files From a Damaged System
Troubleshooting Memory Errors
How to Detect a Failing Hard Drive

Wednesday, January 11, 2012

Troubleshooting 0x4E PFN_LIST_CORRUPT

The Debugging Tools for Windows are required to analyze crash dump files. If you do not have the Debugging Tools for Windows installed or dump files are not being generated on system crash, see this post for installation/configuration instructions:

http://mikemstech.blogspot.com/2011/11/windows-crash-dump-analysis.html

0x0000004E PFN_LIST_CORRUPT is a fairly common bug check (blue screen of death) on the Windows platform (Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, and Windows 8). This indicates that there was corruption with the page frame number list (PFN) or a page table entry (PTE). These are two important lists in the Windows memory manager that help keep track of pages in a process' virtual address space that are placed on disk.

For the vast majority of people, PFN_LIST_CORRUPT occurs in one of two cases: A badly designed/developed driver is corrupting the system state or there are hardware problems with the physical memory (RAM) or hard drive. Analysis of this bug check from a minidump doesn't typically yield results because the specific driver call that corrupted the running system state has long since passed and the error is detected by the kernel when it is encountered by the memory manager in Windows (often leaving the NT Kernel [ntoskrnl.exe, ntkrnlpa.exe, ntkrnlmp.exe, and ntkrnlpamp.exe] as the faulting module in the crash dump). This is typical with parameter 1 equal to 0x01, 0x02, 0x8F, and 0x99, or other unknown/undocumented values for parameter 1. A virus or other malware may also cause this corruption.

On occasion, the faulting driver might be in the stack trace (use !analyze -v, or any of the k commands [kb, kv, etc.]). This is typical when parameter 1 = 0x07 or 0x9E.

For completeness, a dump is illustrated below,

3: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

PFN_LIST_CORRUPT (4e)
Typically caused by drivers passing bad memory descriptor lists (ie: calling
MmUnlockPages twice with the same list, etc).  If a kernel debugger is
available get the stack trace.
Arguments:
Arg1: 0000000000000099, A PTE or PFN is corrupt
Arg2: 0000000000099cdb, page frame number
Arg3: 0000000000000005, current page state
Arg4: 0000000000000000, 0

Debugging Details:
------------------


BUGCHECK_STR:  0x4E_99

CUSTOMER_CRASH_COUNT:  1

DEFAULT_BUCKET_ID:  VISTA_DRIVER_FAULT

PROCESS_NAME:  witcher2.exe

CURRENT_IRQL:  2

LAST_CONTROL_TRANSFER:  from fffff80003117d7c to fffff8000308ec40

STACK_TEXT:  
... : nt!KeBugCheckEx
... : nt!MiBadShareCount+0x4c
... : nt! ?? ::FNODOBFM::`string'+0x333ca
... : nt!MiDeleteAddressesInWorkingSet+0x307
... : nt!MmCleanProcessAddressSpace+0x96
... : nt!PspExitThread+0x56a
... : nt!PsExitSpecialApc+0x1d
... : nt!KiDeliverApc+0x2ca
... : nt!KiInitiateUserApc+0x70
... : nt!KiSystemServiceExit+0x9c
... : 0x74b82e09


STACK_COMMAND:  kb

FOLLOWUP_IP: 
nt!MiBadShareCount+4c
fffff800`03117d7c cc              int     3

SYMBOL_STACK_INDEX:  1

SYMBOL_NAME:  nt!MiBadShareCount+4c

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: nt

DEBUG_FLR_IMAGE_TIMESTAMP:  4e02aaa3

IMAGE_NAME:  memory_corruption

FAILURE_BUCKET_ID:  X64_0x4E_99_nt!MiBadShareCount+4c

BUCKET_ID:  X64_0x4E_99_nt!MiBadShareCount+4c

Followup: MachineOwner
---------
 
 
Troubleshooting this error involves testing the RAM and identifying possible issues with the hard drive using vendor supplied diagnostic utilities or looking at the SMART statistics. If a hardware issue is identified, the failing component should be replaced (in the case of a hard drive, it may be desirable to rescue the data to a flash drive or other external hard drive).  Once a hardware issue is ruled out, the next stage is to try to identify the corrupting driver by enabling driver verifier (and looking at the associated verifier-enabled memory dumps). If any file corruption exists with critical system files, it may be necessary to check the filesystem and repair the damaged files offline.

See Also
Windows Crash Dump Analysis

Sunday, January 8, 2012

Troubleshooting 0x9C MACHINE_CHECK_EXCEPTION

The Debugging Tools for Windows are required to analyze crash dump files. If you do not have the Debugging Tools for Windows installed or dump files are not being generated on system crash, see this post for installation/configuration instructions:

http://mikemstech.blogspot.com/2011/11/windows-crash-dump-analysis.html

0x0000009C MACHINE_CHECK_EXCEPTION is an error that primarily occurs on older versions of the Windows platform (Windows XP, Windows Server 2003, and before). This error has been replaced by 0x00000124 WHEA_UNCORRECTABLE_ERROR on newer versions of the Windows platform (Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, and Windows 8), but still appears in a couple of rare cases (specifically when WHEA is not fully initialized or when a special processor issue on SMP systems occurs that is characterized by a failure with shared memory synchronization. Microsoft phrases this as "All processors that rendezvous have no errors in their registers").

This is typically considered a serious hardware error (typically with the motherboard or the processor) when it appears, but can also be found when the system's BIOS is out of date relative to the rest of the drivers that are running the system.

Debugging a dump with windbg/kd yields some interesting information,

kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

MACHINE_CHECK_EXCEPTION (9c)
A fatal Machine Check Exception has occurred.
KeBugCheckEx parameters;
    x86 Processors
        If the processor has ONLY MCE feature available (For example Intel
        Pentium), the parameters are:
        1 - Low  32 bits of P5_MC_TYPE MSR
        2 - Address of MCA_EXCEPTION structure
        3 - High 32 bits of P5_MC_ADDR MSR
        4 - Low  32 bits of P5_MC_ADDR MSR
        If the processor also has MCA feature available (For example Intel
        Pentium Pro), the parameters are:
        1 - Bank number
        2 - Address of MCA_EXCEPTION structure
        3 - High 32 bits of MCi_STATUS MSR for the MCA bank that had the error
        4 - Low  32 bits of MCi_STATUS MSR for the MCA bank that had the error
    IA64 Processors
        1 - Bugcheck Type
            1 - MCA_ASSERT
            2 - MCA_GET_STATEINFO
                SAL returned an error for SAL_GET_STATEINFO while processing MCA.
            3 - MCA_CLEAR_STATEINFO
                SAL returned an error for SAL_CLEAR_STATEINFO while processing MCA.
            4 - MCA_FATAL
                FW reported a fatal MCA.
            5 - MCA_NONFATAL
                SAL reported a recoverable MCA and we don't support currently
                support recovery or SAL generated an MCA and then couldn't
                produce an error record.
            0xB - INIT_ASSERT
            0xC - INIT_GET_STATEINFO
                  SAL returned an error for SAL_GET_STATEINFO while processing 
                  INIT event.
            0xD - INIT_CLEAR_STATEINFO
                  SAL returned an error for SAL_CLEAR_STATEINFO while processing 
                  INIT event.
            0xE - INIT_FATAL
                  Not used.
        2 - Address of log
        3 - Size of log
        4 - Error code in the case of x_GET_STATEINFO or x_CLEAR_STATEINFO
    AMD64 Processors
        1 - Bank number
        2 - Address of MCA_EXCEPTION structure
        3 - High 32 bits of MCi_STATUS MSR for the MCA bank that had the error
        4 - Low  32 bits of MCi_STATUS MSR for the MCA bank that had the error
Arguments:
Arg1: 00000000
Arg2: 8054e170
Arg3: b2000000
Arg4: 1040080f

Debugging Details:
------------------

   NOTE:  This is a hardware error.  This error was reported by the CPU
   via Interrupt 18.  This analysis will provide more information about
   the specific error.  Please contact the manufacturer for additional
   information about this error and troubleshooting assistance.

   This error is documented in the following publication:

      - IA-32 Intel(r) Architecture Software Developer's Manual 
        Volume 3: System Programming Guide

   Bit Mask:

       MA                           Model Specific       MCA
    O  ID      Other Information      Error Code     Error Code
   VV  SDP ___________|____________ _______|_______ _______|______
   AEUECRC|                        |               |              |
   LRCNVVC|                        |               |              |
   ^^^^^^^|                        |               |              |
      6         5         4         3         2         1
   3210987654321098765432109876543210987654321098765432109876543210
   ----------------------------------------------------------------
   1011001000000000000000000000000000010000010000000000100000001111


VAL   - MCi_STATUS register is valid
        Indicates that the information contained within the IA32_MCi_STATUS
        register is valid.  When this flag is set, the processor follows the
        rules given for the OVER flag in the IA32_MCi_STATUS register when
        overwriting previously valid entries.  The processor sets the VAL 
        flag and software is responsible for clearing it.

UC    - Error Uncorrected
        Indicates that the processor did not or was not able to correct the 
        error condition.  When clear, this flag indicates that the processor
        was able to correct the error condition.

EN    - Error Enabled
        Indicates that the error was enabled by the associated EEj bit of the
        IA32_MCi_CTL register.

PCC   - Processor Context Corrupt
        Indicates that the state of the processor might have been corrupted
        by the error condition detected and that reliable restarting of the
        processor may not be possible.

BUSCONNERR - Bus and Interconnect Error   BUS{LL}_{PP}_{RRRR}_{II}_{T}_err
        These errors match the format 0000 1PPT RRRR IILL



   Concatenated Error Code:
   --------------------------
   _VAL_UC_EN_PCC_BUSCONNERR_F

   This error code can be reported back to the manufacturer.
   They may be able to provide additional information based upon
   this error.  All questions regarding STOP 0x9C should be
   directed to the hardware manufacturer.

BUGCHECK_STR:  0x9C_GenuineIntel

CUSTOMER_CRASH_COUNT:  1

DEFAULT_BUCKET_ID:  DRIVER_FAULT

LAST_CONTROL_TRANSFER:  from 806f48db to 80533846

SYMBOL_ON_RAW_STACK:  1

STACK_ADDR_RAW_STACK_SYMBOL: ffffffff8054e1dc

STACK_COMMAND:  dds FFFFFFFF8054E1DC-0x20 ; kb

STACK_TEXT:  
8054e1bc  00000000
8054e1c0  00000000
8054e1c4  00000000
8054e1c8  00000000
8054e1cc  00000000
8054e1d0  ffdffc50
8054e1d4  00000000
8054e1d8  ba4e9162 intelppm+0x2162
8054e1dc  00000000
8054e1e0  80550f40 nt!KiDoubleFaultStack+0x2cc0
8054e1e4  00000000
8054e1e8  80550f38 nt!KiDoubleFaultStack+0x2cb8
8054e1ec  00000000
8054e1f0  00000046
8054e1f4  00000000
8054e1f8  806efe18 hal!HalpClockInterrupt+0xe4
8054e1fc  00000000
8054e200  00000000
8054e204  00000000
8054e208  00321213
8054e20c  00000000
8054e210  00000000
8054e214  00000000
8054e218  00000000
8054e21c  00000000
8054e220  00000000
8054e224  00000000
8054e228  00000000
8054e22c  00000000
8054e230  00000000
8054e234  00000000
8054e238  00000000


FOLLOWUP_IP: 
intelppm+2162
ba4e9162 ??              ???

SYMBOL_NAME:  intelppm+2162

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: intelppm

IMAGE_NAME:  intelppm.sys

DEBUG_FLR_IMAGE_TIMESTAMP:  48025183

FAILURE_BUCKET_ID:  0x9C_GenuineIntel_intelppm+2162

BUCKET_ID:  0x9C_GenuineIntel_intelppm+2162

Followup: MachineOwner
---------

kd> lmvm intelppm
start    end        module name
ba4e7000 ba4efe00   intelppm T (no symbols)           
    Loaded symbol image file: intelppm.sys
    Image path: \SystemRoot\system32\DRIVERS\intelppm.sys
    Image name: intelppm.sys
    Timestamp:        Sun Apr 13 12:31:31 2008 (48025183)
    CheckSum:         0000C894
    ImageSize:        00008E00
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4 
 
From this particular dump, we can tell that there was an error involving the bus. Analyzing Machine Check Architecture Error Codes involves looking at Volume 3 of the Intel Architecture Software Developer's Manual (or examining the appropriate developer's guide for other vendors, such as the Bios/Kernel Developer's Guides for AMD processors). This is an Intel chip, and in this case, bits 19-24 (the bits that indicate the model specific error) are 001000. This indicates an error of type BQ_DCU_WB_TYPE. Further research indicates that this is a failure of the processor to write a line back to memory. Still we don't know whether the processor or motherboard failed, and to determine this would require running vendor supplied diagnostic tools for the system or examining repeated errors.

Some troubleshooting steps for this error might include:
  • Verify that the CPU is specifically supported for the installed motherboard
  • Verify that the BIOS is up to date for the system
  • Disable any overclocking (or other abnormal timing/voltage modifications)
  • Reseat the processor, memory, and all power connections to the motherboard and connected components
  • Identify and resolve any cooling or power supply related issues (including abnormal voltage from a wall outlet)
  • Engage vendor and replace motherboard/CPU
Further isolation of this error involves looking at repeated crash dumps for a pattern and decoding the MCE error to see if one particular operation repeatedly fails.  Engaging the motherboard vendor to assist with troubleshooting would also be helpful, as the processor/motherboard likely needs to be replaced. The error may be able to be triggered under load using a stress test.

See Also
Windows Crash Dump Analysis
Stress Testing a CPU to Detect Hardware Failure
0x124 WHEA_UNCORRECTABLE_ERROR

Friday, January 6, 2012

Fixing "Bootmgr is missing"



This applies to Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, and Windows 8. This is a common issue that occurs when the system partition (the one that Windows boots from, not where the kernel is located) of a Windows installation gets corrupted or files on the system partition are deleted (specifically bootmgr). Resolution is fairly straightforward after booting from the Windows DVD and entering recovery mode.





Open a command prompt and use diskpart to find the system volume (usually labeled "System Reserved") and identify the installation DVD for windows (Identified for most users as the one with UDF in the Fs column and DVD-ROM in the Type column). From there, the bootmgr file can be copied back into the system partition using the copy command. The bootmgr file is located in the root of the DVD drive.Rebooting the system should allow the system to boot.



See Also
Windows Crash Dump Analysis

Wednesday, January 4, 2012

Troubleshooting 0xc0000135 STATUS_DLL_NOT_FOUND

The Debugging Tools for Windows are required to analyze crash dump files. If you do not have the Debugging Tools for Windows installed or dump files are not being generated on system crash, see this post for installation/configuration instructions:

http://mikemstech.blogspot.com/2011/11/windows-crash-dump-analysis.html

This is a hard error for most users to debug because it requires setting up a live debug session with the system that is experiencing the error. This is a relatively simple process, but it involves 2 systems (one working with the debugging tools for Windows installed, and the broken system) and a serial cable connecting them. The Windows DVD and bcdedit need to be used to enable debug mode for the target system (since it is likely unbootable). I show an example of how this works in Hyper-V, but it should be virtually the same for two physical systems (the difference lies in choosing a serial port in WinDbg instead of a named pipe). The error text states that something is missing: "STOP: c0000135 The program can't start because %hs is missing from your computer. Try reinstalling the program to fix the problem."



This is not a common error on the Windows platform (Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, and Windows 8), but it does occasionally crop up with some antivirus software (AVG is notorious for being connected with this BSOD). What makes this error bad is that the call to the printf like function isn't made (thus %hs isn't substituted for the missing file name) and the blue screen itself does not provide any indication of what is missing. From the error code, we know it is a missing/corrupt dll:
 
# for hex 0xc0000135 / decimal -1073741515 :
  STATUS_DLL_NOT_FOUND                         ntstatus.h
# {Unable To Locate Component}
# This application has failed to start because %hs was not
# found. Re-installing the application may fix this problem.
# 1 matches found for "0xc0000135" 
 
Attaching to a live debugging session, we can get more information about what went wrong, in this case the missing file is identified in the "Probably caused by" line near the start of the debug session. In my case I deleted gdi32.dll on purpose to recreate the error, the missing file on your system will probably be different:


*** Fatal System Error: 0xc0000135
                       (0xFFFFF8A00050ED60,0xFFFFF8A002A54B90,
                        0x0000000000000000,0x0000000000000000)


STOP: c0000135 The program can't start because (null) is missing 
from your computer. Try reinstalling the program to fix this problem.
Break instruction exception - code 80000003 (first chance)

A fatal system error has occurred.
Debugger entered on first try; Bugcheck callbacks have not been invoked.

A fatal system error has occurred.

Connected to Windows 7 7600 x64 target at (Wed Jan  4 08:30:19.860 2012 (UTC - 7:00)), ptr64 TRUE
Loading Kernel Symbols
...............................................................
............................................
Loading User Symbols

Loading unloaded module list
........
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck C0000135, {fffff8a00050ed60, fffff8a002a54b90, 0, 0}

Probably caused by : GDI32.dll

Followup: MachineOwner
---------

nt!DbgBreakPointWithStatus:
fffff800`0266bf60 cc              int     3 

We can gain more information by running a !analyze -v:

kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Unknown bugcheck code (c0000135)
Unknown bugcheck description
Arguments:
Arg1: fffff8a00050ed60
Arg2: fffff8a002a54b90
Arg3: 0000000000000000
Arg4: 0000000000000000

Debugging Details:
------------------


ERROR_CODE: (NTSTATUS) 0xc0000135 - The program can't start because %hs 
                                    is missing from your computer. Try 
                                    reinstalling the program to fix this problem.

EXCEPTION_CODE: (NTSTATUS) 0xc0000135 - The program can't start because %hs is 
                                        missing from your computer. Try 
                                        reinstalling the program to fix 
                                        this problem.

EXCEPTION_PARAMETER1:  fffff8a00050ed60

EXCEPTION_PARAMETER2:  fffff8a002a54b90

EXCEPTION_PARAMETER3:  0000000000000000

EXCEPTION_PARAMETER4: 0

BUGCHECK_STR:  STATUS_DLL_NOT_FOUND

IMAGE_NAME:  GDI32.dll

DEBUG_FLR_IMAGE_TIMESTAMP:  0

MODULE_NAME: GDI32

FAULTING_MODULE: 0000000000000000 

DEFAULT_BUCKET_ID:  VISTA_DRIVER_FAULT

PROCESS_NAME:  System

CURRENT_IRQL:  2

LAST_CONTROL_TRANSFER:  from fffff800027696d2 to fffff8000266bf60

STACK_TEXT:  
... : nt!DbgBreakPointWithStatus
... : nt!KiBugCheckDebugBreak+0x12
... : nt!KeBugCheck2+0x71e
... : nt!KeBugCheckEx+0x104
... : nt!PopGracefulShutdown+0x257
... : nt!NtSetSystemPowerState+0x864
... : nt!KiSystemServiceCopyEnd+0x13
... : nt!KiServiceLinkage
... : nt!PopIssueActionRequest+0x1d9
... : nt!PopPolicyWorkerAction+0x4c
... : nt!PopPolicyWorkerThread+0xfd
... : nt!ExpWorkerThread+0x111
... : nt!PspSystemThreadStartup+0x5a
... : nt!KxStartSystemThread+0x16


STACK_COMMAND:  kb

FOLLOWUP_NAME:  MachineOwner

FAILURE_BUCKET_ID:  X64_STATUS_DLL_NOT_FOUND_VRF_IMAGE_GDI32.dll

BUCKET_ID:  X64_STATUS_DLL_NOT_FOUND_VRF_IMAGE_GDI32.dll

Followup: MachineOwner
--------- 
 
We have an undocumented bugcheck, so we need to make a couple of educated guesses to look at the parameters. I looked at parameter 1 and parameter 2 using the da (Display Memory - ASCII) debugger command. 

kd> da fffff8a00050ed60
fffff8a0`0050ed60  "GDI32.dll"
kd> da fffff8a002a54b90
fffff8a0`02a54b90  "C:\Windows\system32;C:\Windows\s"
fffff8a0`02a54bb0  "ystem32;C:\Windows;C:\Windows\Sy"
fffff8a0`02a54bd0  "stem32\Wbem;C:\Windows\System32\"
fffff8a0`02a54bf0  "WindowsPowerShell\v1.0\" 
 
Parameter 1 is clearly the missing DLL and parameter 2 appears to be the DLL search path that was searched to find the DLL. The resolution is fairly straightforward, the missing file needs to be restored in some way. This may be as easy as an offline integrity check, or as hard as needing to copy the files from a working system to a flash drive and copying them into place with a Linux Live CD (basically reversing this procedure to put files onto the system instead of take them off). Some users may find it simplest to rescue their files and reinstall Windows, or at least perform an in place upgrade.

See Also,
Windows Crash Dump Analysis
Live Debugging a Hyper-V Virtual Machine with WinDbg/KD
Rescuing Files From a Damaged System

Live Debugging a Hyper-V Virtual Machine with WinDbg/KD

Sometimes the need arises to debug a system remotely. This need can be anything from debuging device drivers, errors with critical system services during startup, and specific blue screen errors where no dump is generated. In my case, I was looking for a way to generate a blue screen with error code 0xc0000135 STATUS_DLL_NOT_FOUND to see if I could find a way to debug the issue through a remote debugger (since the error does not produce a memory dump and the blue screen itself is uninformative). Setting up the environment was a two step procedure for me that required enabling kernel debug mode with bcdedit and setting up the conduit for debugging (in this case, a named pipe attached to the COM port on a Hyper-V guest).

Enable Debug Mode Offline with bcdedit

First, boot off of the Windows DVD and navigate to the command prompt through the "repair your computer" link in Windows setup







There are a couple of bcdedit options that we need to combine to enable kernel debugging, /v (to get the full identifier) and /debug.





The debug switch needs to be specified on the boot loader entry (in my case, the identifier for the Windows 7 installation on D:\). If you use an invalid identifier, you get an error: "This command can only modify a Windows Boot Loader entry. The parameter is incorrect." bcdedit can modify the debug settings (COM/USB port, baud rate, etc) with the /dbgsettings flag,



Now that debugging is enabled, we can move on to attaching the debugger through a named pipe.

Use WinDbg/KD to Debug the Guest Operating system

Note: A similar process should be possible for VMWare.

To debug the system, COM1 for the Hyper-V guest needs to be configured to point to a named pipe on the host operating system,



WinDbg can then be launched and a kernel debug session can be started from the file menu (or ctrl+K),



Then the debugger will connect when the system starts,



And the rest is history...

See Also,
Windows Crash Dump Analysis














Tuesday, January 3, 2012

Troubleshooting 0x6B PROCESS1_INITIALIZATION_FAILED

The Debugging Tools for Windows are required to analyze crash dump files. If you do not have the Debugging Tools for Windows installed or dump files are not being generated on system crash, see this post for installation/configuration instructions:

http://mikemstech.blogspot.com/2011/11/windows-crash-dump-analysis.html

I went on a quest to see if I could find a way to reproduce bug check 0xc0000135 STATUS_DLL_NOT_FOUND and I met a couple of interesting bug checks along the way. The first is 0x0000006B PROCESS1_INITIALIZATION_FAILED. This is a pretty rare bug check on the Windows platform (Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, and Windows 8), I've never seen it appear in the forums and the Google keyword tool indicates that it is not searched for very often.



This is a bug check that is caused by missing system file (in my case, I deleted ntdll.dll with a LiveCD). The analysis of the dump yields only 1 piece of information... that a DLL was not loaded on the kernel's call to PsLocateSystemDlls. Parameter 1 lists the exception code (I show it here with more information):
 
# for hex 0xc0000034 / decimal -1073741772 :
  STATUS_OBJECT_NAME_NOT_FOUND                         ntstatus.h
# Object Name not found.
# 1 matches found for "c0000034" 
 
From the minidump it is impossible to tell what was missing,...
 
kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

PROCESS1_INITIALIZATION_FAILED (6b)
Arguments:
Arg1: ffffffffc0000034, Indicates the NT status code that caused the failure.
Arg2: 0000000000000002, (reserved)
Arg3: 0000000000000000
Arg4: 0000000000000000

Debugging Details:
------------------


CUSTOMER_CRASH_COUNT:  1

DEFAULT_BUCKET_ID:  VISTA_DRIVER_FAULT

BUGCHECK_STR:  0x6B

PROCESS_NAME:  System

CURRENT_IRQL:  0

LAST_CONTROL_TRANSFER:  from fffff80002ac231d to fffff8000267df00

STACK_TEXT:  
... : nt!KeBugCheckEx
... : nt!PsLocateSystemDlls+0xbd
... : nt!IoInitSystem+0x85d
... : nt!Phase1InitializationDiscard+0x1290
... : nt!Phase1Initialization+0x9
... : nt!PspSystemThreadStartup+0x5a
... : nt!KxStartSystemThread+0x16


STACK_COMMAND:  kb

FOLLOWUP_IP: 
nt!PsLocateSystemDlls+bd
fffff800`02ac231d cc              int     3

SYMBOL_STACK_INDEX:  1

SYMBOL_NAME:  nt!PsLocateSystemDlls+bd

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: nt

IMAGE_NAME:  ntkrnlmp.exe

DEBUG_FLR_IMAGE_TIMESTAMP:  4a5bc600

FAILURE_BUCKET_ID:  X64_0x6B_nt!PsLocateSystemDlls+bd

BUCKET_ID:  X64_0x6B_nt!PsLocateSystemDlls+bd

Followup: MachineOwner
--------- 
 
The fix was easy, running startup repair fixed the problem fairly immediately:
 
Startup Repair diagnosis and repair log
---------------------------
Last successful boot time: ‎12/‎30/‎2011 9:24:54 PM (GMT)
Number of repair attempts: 1

Session details
---------------------------
System Disk = \Device\Harddisk0
Windows directory = D:\Windows
AutoChk Run = 0
Number of root causes = 1

Test Performed: 
---------------------------
Name: Check for updates
Result: Completed successfully. Error code =  0x0
Time taken = 0 ms

Test Performed: 
---------------------------
Name: System disk test
Result: Completed successfully. Error code =  0x0
Time taken = 0 ms

Test Performed: 
---------------------------
Name: Disk failure diagnosis
Result: Completed successfully. Error code =  0x0
Time taken = 0 ms

Test Performed: 
---------------------------
Name: Disk metadata test
Result: Completed successfully. Error code =  0x0
Time taken = 47 ms

Test Performed: 
---------------------------
Name: Target OS test
Result: Completed successfully. Error code =  0x0
Time taken = 31 ms

Test Performed: 
---------------------------
Name: Volume content check
Result: Completed successfully. Error code =  0x0
Time taken = 188 ms

Test Performed: 
---------------------------
Name: Boot manager diagnosis
Result: Completed successfully. Error code =  0x0
Time taken = 62 ms

Test Performed: 
---------------------------
Name: System boot log diagnosis
Result: Completed successfully. Error code =  0x0
Time taken = 0 ms

Test Performed: 
---------------------------
Name: Event log diagnosis
Result: Completed successfully. Error code =  0x0
Time taken = 94 ms

Test Performed: 
---------------------------
Name: Internal state check
Result: Completed successfully. Error code =  0x0
Time taken = 0 ms

Test Performed: 
---------------------------
Name: Boot status test
Result: Completed successfully. Error code =  0x0
Time taken = 0 ms

Test Performed: 
---------------------------
Name: Setup state check
Result: Completed successfully. Error code =  0x0
Time taken = 453 ms

Test Performed: 
---------------------------
Name: Registry hives test
Result: Completed successfully. Error code =  0x0
Time taken = 3453 ms

Test Performed: 
---------------------------
Name: Windows boot log diagnosis
Result: Completed successfully. Error code =  0x0
Time taken = 16 ms

Test Performed: 
---------------------------
Name: Bugcheck analysis
Result: Completed successfully. Error code =  0x0
Time taken = 828 ms

Root cause found: 
---------------------------
Bugcheck 6b. Parameters = 0xffffffffc0000034, 0x2, 0x0, 0x0.
Boot critical file d:\windows\system32\ntdll.dll is missing.

Repair action: File repair
Result: Completed successfully. Error code =  0x0
Time taken = 6469 ms

---------------------------
---------------------------
  
  
For other cases, it may be necessary to perform further analysis as to why the file disappeared (possibly due to memory or hard drive issues). For most cases, running startup repair or an offline integrity verification should be enough to restore the file and get the system running again.

See Also,
Windows Crash Dump Analysis

Monday, January 2, 2012

Troubleshooting 0x109 CRITICAL_STRUCTURE_CORRUPTION

The Debugging Tools for Windows are required to analyze crash dump files. If you do not have the Debugging Tools for Windows installed or dump files are not being generated on system crash, see this post for installation/configuration instructions:

http://mikemstech.blogspot.com/2011/11/windows-crash-dump-analysis.html

0x00000109 CRITICAL_STRUCTURE_CORRUPTION is a relatively uncommon blue screen error on the Windows Platform (Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, and Windows 8). This error typically indicates that a driver corrupted or attempted to patch the kernel or that there was a RAM issue in the particular DIMM(s) holding the kernel mode code. This is typically not the only blue screen for a system if this is a hardware issue, but may also be accompanied by other blue screens indicating memory issues or driver-related memory corruption (often with a specific exception code of 0xc0000005 STATUS_ACCESS_VIOLATION). If it is solely due to the driver (and not a hardware issue), parameter 4 will be between 0 and 7 indicating what the driver was doing that is not allowed by Microsoft (viruses that attempt to patch the kernel may also cause this error).

Here is an example of a CRITICAL_STRUCTURE_CORRUPTION that is probably due to a memory problem,

 
2: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

CRITICAL_STRUCTURE_CORRUPTION (109)
This bugcheck is generated when the kernel detects that critical kernel code or
data have been corrupted. There are generally three causes for a corruption:
1) A driver has inadvertently or deliberately modified critical kernel code
 or data. See http://www.microsoft.com/whdc/driver/kernel/64bitPatching.mspx
2) A developer attempted to set a normal kernel breakpoint using a kernel
 debugger that was not attached when the system was booted. Normal breakpoints,
 "bp", can only be set if the debugger is attached at boot time. Hardware
 breakpoints, "ba", can be set at any time.
3) A hardware corruption occurred, e.g. failing RAM holding kernel code or data.
Arguments:
Arg1: a3a039d89d42e4f1, Reserved
Arg2: b3b7465eefc0b40f, Reserved
Arg3: fffff80002dcb510, Failure type dependent information
Arg4: 0000000000000000, Type of corrupted region, can be
 0 : A generic data region
 1 : Modification of a function or .pdata
 2 : A processor IDT
 3 : A processor GDT
 4 : Type 1 process list corruption
 5 : Type 2 process list corruption
 6 : Debug routine modification
 7 : Critical MSR modification

Debugging Details:
------------------


BUGCHECK_STR:  0x109

CUSTOMER_CRASH_COUNT:  1

DEFAULT_BUCKET_ID:  VISTA_DRIVER_FAULT

PROCESS_NAME:  System

CURRENT_IRQL:  0

LAST_CONTROL_TRANSFER:  from 0000000000000000 to fffff80002c89c40

STACK_TEXT:  
... : nt!KeBugCheckEx


STACK_COMMAND:  kb

SYMBOL_NAME:  ANALYSIS_INCONCLUSIVE

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: Unknown_Module

IMAGE_NAME:  Unknown_Image

DEBUG_FLR_IMAGE_TIMESTAMP:  0

FAILURE_BUCKET_ID:  X64_0x109_ANALYSIS_INCONCLUSIVE

BUCKET_ID:  X64_0x109_ANALYSIS_INCONCLUSIVE

Followup: MachineOwner
---------
 
 
Further troubleshooting/fixes involve determining the nature of the problem (hardware v. software). If it is a hardware issue, troubleshooting falls along the lines of troubleshooting memory problems. If it is specifically due to a driver engaging in an unsupported practice, this driver should be updated to a current version or disabled.

See Also,
Windows Crash Dump Analysis
Troubleshooting Memory Errors
How To Disable and Enable Windows Device Drivers

Troubleshooting 0x101 CLOCK_WATCHDOG_TIMEOUT

The Debugging Tools for Windows are required to analyze crash dump files. If you do not have the Debugging Tools for Windows installed or dump files are not being generated on system crash, see this post for installation/configuration instructions:
http://mikemstech.blogspot.com/2011/11/windows-crash-dump-analysis.html

0x00000101 CLOCK_WATCHDOG_TIMEOUT belongs to a class of errors that are considered 'hardware' errors on the Windows platform (Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, and Windows 8). These errors typically indicate a hardware failure or an impending hardware failure. In this case, this error indicates that a problem occurred with the interprocessor interrupt handling that is required for symmetric multiprocessing (SMP) systems.

These interrupts occur for a variety of reasons, but one of the most common is translation lookaside buffer (TLB) invalidation, which is used to keep memory caches synchronized between processors when multiple processors are performing options on the same memory segments. If this fails, then the memory becomes inconsistent between processors and corruption is likely. Interprocessor operations involving interrupts like TLB invalidations are considered critical for the correct functioning of the system and are taken very seriously when they are delayed or fail, resulting in an exception or a timeout (timeouts usually result in a CLOCK_WATCHDOG_TIMEOUT bug check). There isn't a lot to tell from a dump as the majority of the time the analysis is inconclusive as to whether hardware or software/firmware (system drivers, BIOS, etc) caused the issue. A sample dump output is below, isolation to a processor can be identified between dumps using the !cpuinfo command and the processor control block (PCRB) can be displayed using the !pcrb <processor_number> debugger command.


0: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

CLOCK_WATCHDOG_TIMEOUT (101)
An expected clock interrupt was not received on a secondary processor in an
MP system within the allocated interval. This indicates that the specified
processor is hung and not processing interrupts.
Arguments:
Arg1: 0000000000000031, Clock interrupt time out interval in nominal clock ticks.
Arg2: 0000000000000000, 0.
Arg3: fffff88003164180, The PRCB address of the hung processor.
Arg4: 0000000000000002, 0.

Debugging Details:
------------------


BUGCHECK_STR:  CLOCK_WATCHDOG_TIMEOUT_4_PROC

CUSTOMER_CRASH_COUNT:  1

DEFAULT_BUCKET_ID:  VISTA_DRIVER_FAULT

PROCESS_NAME:  ccsvchst.exe

CURRENT_IRQL:  d

STACK_TEXT:  
... : nt!KeBugCheckEx
... : nt! ?? ::FNODOBFM::`string'+0x4e2e
... : nt!KeUpdateSystemTime+0x377
... : hal!HalpHpetClockInterrupt+0x8d
... : nt!KiInterruptDispatchNoLock+0x163
... : nt!KeFlushMultipleRangeTb+0x260
... : nt!MiFlushTbAsNeeded+0x1d1
... : nt!MiAllocatePoolPages+0x4de
... : nt!ExpAllocateBigPool+0xb0
... : nt!ExAllocatePoolWithTag+0x82e
... : nt!ExAllocatePoolWithQuotaTag+0x56
... : nt!IopXxxControlFile+0xb1b
... : nt!NtDeviceIoControlFile+0x56
... : nt!KiSystemServiceCopyEnd+0x13
... : 0x73692e09


STACK_COMMAND:  kb

SYMBOL_NAME:  ANALYSIS_INCONCLUSIVE

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: Unknown_Module

IMAGE_NAME:  Unknown_Image

DEBUG_FLR_IMAGE_TIMESTAMP:  0

FAILURE_BUCKET_ID:  X64_CLOCK_WATCHDOG_TIMEOUT_4_PROC_ANALYSIS_INCONCLUSIVE

BUCKET_ID:  X64_CLOCK_WATCHDOG_TIMEOUT_4_PROC_ANALYSIS_INCONCLUSIVE

Followup: MachineOwner
---------

0: kd> !cpuinfo
CP  F/M/S Manufacturer  MHz PRCB Signature    MSR 8B Signature Features
 0 18,1,0 AuthenticAMD 1397 0000000000000000                   203b7dfe
 
0: kd> !prcb 0
PRCB for Processor 0 at fffff780ffff0000:
Current IRQL -- 13
Threads--  Current fffffa8009fa5aa0 Next fffffa8007960a10 Idle fffff80003217cc0
Processor Index 0 Number (0, 0) GroupSetMember 1
Interrupt Count -- 008b247c
Times -- Dpc    0000009d Interrupt 00000047 
         Kernel 0007cb5a User      00005bbf  
 

First, remove any overclocking or nonstandard timing on the system (this almost always causes more problems than any resulting performance gain is worth). Also check the system for thermal issues.

If this error is due to software (typically deadlocked), then the system drivers and BIOS need to be updated to the latest versions (this is likely a first troubleshooting step before assuming hardware).

If this error is due to failing hardware (processor is typically unresponsive), then a stress test may serve to confirm the error or trigger a definitive hardware crash (like 0x124 WHEA_UNCORRECTABLE_ERROR). Diagnostics should be performed to identify whether it is a failure of the processors or motherboard for the system and appropriate corrective/replacement actions should be taken.

See Also
Windows Crash Dump Analysis
Stress Testing a CPU To Detect Hardware Failure
0x124 WHEA_UNCORRECTABLE_ERROR

Sunday, January 1, 2012

How to Create Your Own Free Ringtones

The examples that I show are all under 30 seconds with music that I legitimately purchased a license to (through a CD, MP3 download, etc). I'm not going to get into the legal debate of what is and what isn't fair use under the copyright laws for your country and/or a derivative work, but if you happen to do something illegal and get sued/prosecuted for it, I disclaim any liability for it (and you agree by reading any further in this post). This post is offered "As Is" with no warranties. If you read further, you solely accept liability for anything you might do.

As cell phones and other devices have proliferated in use, many expensive services such as Jamster have popped up to deliver ringtones wirelessly to your mobile phone. In my opinion, these services are for suckers because anybody with a little bit of technical knowledge and a couple of free applications can create ringtones for mobile phones. It is really easy to use existing music in your collection, or you can use other sources like DVDs, Youtube Videos, Streaming media sites (like Playlist.com, Pandora, and Grooveshark) and even video games to create ringtones. All it takes is the ability to play the audio track on your computer in some way.

So, what do you need?

You need an audio editing program that can take your sound card's output as input and record it or has the ability to open native formats such as Windows Media Audio (.wma), MP3, or .wav. I use Audacity because it is a free audio editor (for those who care, it is also open source). You also need a way to download the free ringtone onto your phone, this can sometimes be accomplished with WiFi, Bluetooth, or a specific application for your phone type (BlackBerry Desktop Manager for BlackBerry smartphones, iTunes for the iPhone, Zune for Windows Mobile/Windows Phone, etc). You may even be able to post it somewhere like Skydrive and use your phone's browser to download it (assuming you have a data plan).

After obtaining the audio editing/recording software,  you need the other dependencies for playing whatever you want to record. If you are creating ringtones from movies that are on DVDs or stored on a hard drive, then you need to have the necessary codecs installed on Windows Media Player or need an application such as VLC to play the movie while Audacity records the audio. If you are creating ringtones from Youtube videos, then you simply need Flash Player.

If your phone can't handle an MP3 ringtone (maybe it needs an Ogg Vorbis file (.ogg) or an Apple format [.aac or .m4a]), then you need a way to convert it to the correct format. Some phone applications can handle this functionality, but you may need a different tool like fre:ac.

Onto the examples and ringtone discussion...

What makes a good ringtone?

Ringtones have various purposes, the two most common are to annoy your coworkers (in a passive-agressive way) and annoy the general public at large (especially during movies, live performing arts, sporting events, etc). A secondary use is to know if you have an incoming call, text (SMS/MMS), PIN (BlackBerry), instant message (IM), e-mail, or voicemail.  An effective ringtone also implants part of the song into someone else's head so that they cannot get it out, this is especially effective if the other person's music tastes are radically different from yours. Seriously though, there are other pieces around audio type and quality that determine a 'good' ringtone from a 'bad' ringtone.

Most phones don't have sub-woofers, so an audio clip with louder mid-high range frequencies are best. Additionally, quiet audio clips don't work as well as louder audio clips, but this can be corrected using Audacity's Amplify effect (see the section on fixing quiet audio below).

How to Create a Ringtone From an MP3

Let's start with an easy example, a basic MP3 from a hard drive or network share. I'm going to create an alarm clock ringtone from the Disturbed song "Down With the Sickness." To start out, open the MP3 for the song in Audacity. The song's waveform overview is now visible in the editing window.


From here, select the section of the track that you want to be the ringtone, typically 10-30 seconds of audio is all that is needed. Note that you can zoom in to select the start and end points with greater precision.



From here, you can export the clip as an MP3 from the file menu (assuming LAME is set up correctly),



Verify that the correct output for your mobile device is selected for the format to save,



If your device has any special constraints around bit rate, output format, etc. Be sure to set those before exporting,



Finally, set the metadata (if applicable for the format),



From here, just perform the necessary steps to get the ringtone onto your phone. For me, I have a Windows Phone 7 running the Mango (7.5) release, so I simply imported it into Zune, changed the genre to 'Ringtone' and sync'd it to my phone. From there I could set it for my alarm clock.

Onto some more involved examples...

How to Create a Ringtone From Grooveshark

The procedure is essentially the same as creating the ringtone form an MP3 above, but the main difference lies in that we have to obtain the audio in Audacity before we can select the section to turn into a ringtone. To do this, we will be recording the audio that is sent to the speakers using Audacity. To get this to work, make sure that you can select a mixer/output device in Audacity for the recording device (In Edit -> Preferences -> Devices). For me, the mixer device for my laptop was not listed, so I had to go find it and enable it in the Control Panel -> Sounds applet,





Now, it was finally selectable in Audacity as the recording device,



Now, I can record whatever my computer plays directly in Audacity. To start, I move the song curser to a little before the ringtone should start (this procedure can also be used to record the full song, but you probably wouldn't be doing this if you owned the song in some other manner...).



Then start recording in Audacity using the record button and start playing the song in Grooveshark.



Simply stop recording after the end of the ringtone end and edit the track in the same way as the MP3 above.

Other examples

Youtube and the DVD example follow from the above example, but simply require a different sound source to be playing before audacity starts recording. In the Youtube case, start Audacity recording, then start the youtube video at the correct point. Then stop recording/playback. The same follows in VLC for a DVD.