While I was attending Citrix Synergy 2017 last week, the BlueScreenView tool from NirSoft was mentioned as a tool for troubleshooting desktops in a Citrix VDI environment. Although this tool can be helpful for troubleshooting BSODs on both physical and virtual computers, it also struck me as a good tool for incident response and digital forensics.
BlueScreenView is a free tool provided by NirSoft and is used to view the contents of the dump file generated when a BSOD occurs.
BlueScreenView automatically checks the C:\Windows\MiniDump location on the computer it is running on, but it can easily be pointed to a dump file or folder that has been extracted from a forensic image. BlueScreenView also offers the ability to collect dump files from multiple computers that are specified in a text file. I have not tried the remote collection at the time of this post.
The main screen of BlueScreenView has two panes. The top pane shows the dump (.dmp) files that were found on the computer or within the extracted files / folders. The second pane shows the drivers that were loaded when the crash occurred and highlights the offending driver in red.
The top pane shows columns with information about each crash dump file, including the dump file name, crash time, bug check string, the driver that caused the crash, product name, etc.
Double-clicking a dump file opens a properties window that shows all of the columns for that file in a separate window.
The date and time can be shown in local system time or quickly converted to GMT via the Options menu.
BlueScreenView also allows you to export the displayed information as a CSV file or HTML report, with the option to include all items in the report or only the selected items.
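To show what BlueScreenView is reading when it lists the bug check code, its parameters and the crash time, here is an added Python example (my own, not NirSoft's code) that parses those fields from the fixed-offset DUMP_HEADER at the start of a kernel .dmp file and converts the FILETIME crash time to UTC, the same conversion the GMT option performs; the scan_folder helper walks a Minidump folder extracted from a forensic image. The offsets are those of the DUMP_HEADER (x86) and DUMP_HEADER64 (x64) layouts used by crash-dump tooling; the sample header, the short bug check name table and all values in it are constructed for this example.

```python
import struct
from datetime import datetime, timedelta, timezone
from pathlib import Path

# Field offsets in DUMP_HEADER ("PAGEDUMP", x86) and DUMP_HEADER64 ("PAGEDU64", x64).
LAYOUT = {b"DUMP": dict(word="I", machine=0x20, bugcheck=0x28, params=0x2C, systime=0xFC0, size=0x1000),
          b"DU64": dict(word="Q", machine=0x30, bugcheck=0x38, params=0x40, systime=0xFA8, size=0x2000)}
# A few common bug check codes, as shown in BlueScreenView's "Bug Check String" column.
BUGCHECK_NAMES = {0x0A: "IRQL_NOT_LESS_OR_EQUAL", 0x3B: "SYSTEM_SERVICE_EXCEPTION",
                  0x50: "PAGE_FAULT_IN_NONPAGED_AREA", 0xD1: "DRIVER_IRQL_NOT_LESS_OR_EQUAL"}
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_utc(ft):
    """FILETIME is 100 ns ticks since 1601-01-01 UTC (what BlueScreenView's GMT view shows)."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)

def parse_dump_header(data):
    """Return the crash summary stored at fixed offsets in a kernel dump header."""
    if data[:4] != b"PAGE" or data[4:8] not in LAYOUT:
        raise ValueError("not a Windows kernel crash dump header")
    lay = LAYOUT[data[4:8]]
    if len(data) < lay["size"]:
        raise ValueError("truncated header")          # e.g. a partially carved file
    machine, cpus = struct.unpack_from("<II", data, lay["machine"])
    code = struct.unpack_from("<I", data, lay["bugcheck"])[0]
    params = struct.unpack_from("<4" + lay["word"], data, lay["params"])
    systime = struct.unpack_from("<Q", data, lay["systime"])[0]
    return {"arch": {0x14C: "x86", 0x8664: "x64"}.get(machine, hex(machine)), "processors": cpus,
            "bugcheck_code": code, "bugcheck_string": BUGCHECK_NAMES.get(code, "UNKNOWN"),
            "params": [hex(p) for p in params], "crash_time_utc": filetime_to_utc(systime).isoformat()}

def scan_folder(folder):
    """Summarise every .dmp in an extracted Minidump folder; bad files are reported, not fatal."""
    out = {}
    for path in sorted(Path(folder).glob("*.dmp")):
        try:
            out[path.name] = parse_dump_header(path.read_bytes()[:0x2000])
        except ValueError as exc:
            out[path.name] = {"error": str(exc)}
    return out

def build_sample_header():
    """Constructed x64 header: bug check 0x3B at 2017-05-29 14:30:00 UTC (sample data, not a real dump)."""
    buf = bytearray(0x2000)
    buf[0:8] = b"PAGEDU64"
    struct.pack_into("<III", buf, 0x30, 0x8664, 4, 0x3B)   # MachineImageType, NumberProcessors, BugCheckCode
    struct.pack_into("<4Q", buf, 0x40, 0xC0000005, 0xFFFFF8001234ABCD, 0xFFFFD0012345F000, 0)
    ticks = (datetime(2017, 5, 29, 14, 30, tzinfo=timezone.utc) - EPOCH_1601) // timedelta(microseconds=1) * 10
    struct.pack_into("<Q", buf, 0xFA8, ticks)
    return bytes(buf)
```

Running scan_folder against a folder carved from an image gives the same per-file summary BlueScreenView shows in its top pane, with the crash time already in UTC.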
NirSoft states that BlueScreenView works with the following versions of Microsoft Windows:
- Windows XP
- Windows Server 2003
- Windows Server 2008
- Windows Vista
- Windows 7
- Windows 8
- Windows 10
BlueScreenView is another great tool from NirSoft that may not be used every day but is helpful when needed; it lets an examiner quickly check for dump files and view the information contained in those .dmp files.
BlueScreenView can be downloaded from the NirSoft website.