.claude/skills: add windows-bsod-ssh diagnosis skill

rucoder · claude · rucoder · commit 056c12cbb2b2 · 2026-03-19T15:54:19.000Z
Step-by-step playbook for diagnosing Windows BSOD and device Code 43
errors over SSH without GUI access. Covers: pnputil device enumeration,
WinEvent bugcheck log parsing, WER crash report reading, driver registry
inspection, crash-protection detection, and iGPU-specific BDSM/ASLS notes.

Co-Authored-By: Claude Sonnet 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/.claude/skills/windows-bsod-ssh/SKILL.md b/.claude/skills/windows-bsod-ssh/SKILL.md
@@ -0,0 +1,213 @@
+---
+name: windows-bsod-ssh
+description: Use this skill when diagnosing Windows BSOD (Blue Screen of Death), Code 43 device errors, or driver failures over SSH without a GUI. Applies when the user asks to analyze a Windows crash, investigate a device manager error code, check why a driver failed, or diagnose PCI device failures remotely.
+version: 1.0.0
+---
+
+# Windows BSOD and Device Error 43 Diagnosis Over SSH
+
+Remote diagnosis of Windows driver failures and BSODs via SSH (no RDP, no GUI).
+
+## SSH Connection
+
+All commands run via:
+```bash
+ssh -i <key> -l Administrator <host> -p <port> -o ConnectTimeout=10
+```
+
+**Important:** Always use one of these two invocation styles — bare `cmd.exe` commands
+or PowerShell with explicit flags. Do NOT mix them in the same ssh call.
+
+```bash
+# PowerShell commands:
+ssh ... "powershell -OutputFormat Text -NonInteractive -Command \"<cmdlet>\""
+
+# cmd.exe commands (simpler, for reg/pnputil/dir/type):
+ssh ... "reg query ..."
+ssh ... "pnputil ..."
+```
+
+Prefer `reg query`, `pnputil`, and `dir`/`type` over PowerShell when possible —
+they produce clean text output reliably.
+
+---
+
+## Step 1 — Identify the Failing Device
+
+```bash
+# List all devices with errors (fastest overview)
+ssh ... "pnputil /enum-devices /problem"
+
+# Get details for a specific device (replace instance ID)
+ssh ... "pnputil /enum-devices /instanceid \"PCI\\VEN_8086&DEV_A721&SUBSYS_22128086&REV_04\\3&2411E6FE&0&10\" /drivers"
+```
+
+**Code 43 = CM_PROB_FAILED_POST_START**: driver loaded successfully but called
+`IoStopDevice` at runtime — the device itself reported failure, not Windows PnP.
+
+Other common codes: 10 = cannot start, 28 = no driver, 31 = device not working properly.
+
+```bash
+# Find all Code 43 devices via WMI
+ssh ... "powershell -OutputFormat Text -NonInteractive -Command \"\
+Get-WmiObject Win32_PnPEntity | Where-Object ConfigManagerErrorCode -eq 43 | \
+Select-Object Name, PNPDeviceID | Format-Table\""
+```
+
+---
+
+## Step 2 — Check for BSODs
+
+```bash
+# List recent bugchecks with timestamps and parameters
+ssh ... "powershell -OutputFormat Text -NonInteractive -Command \"\
+\$x = Get-WinEvent -LogName System -MaxEvents 500; \
+\$x | Where-Object Id -eq 1001 | ForEach-Object { \
+  Write-Host \$_.TimeCreated; Write-Host \$_.Message; Write-Host '---' }\""
+```
+
+**Bugcheck code interpretation:**
+
+| Code   | Name                              | Common cause in driver context            |
+|--------|-----------------------------------|-------------------------------------------|
+| 0x7E   | SYSTEM_THREAD_EXCEPTION_NOT_HANDLED | Access violation (0xC0000005) in kernel  |
+| 0xBE   | ATTEMPTED_WRITE_TO_READONLY_MEMORY | Driver wrote to read-only page (e.g. BDSM=0 → PA 0) |
+| 0x1A   | MEMORY_MANAGEMENT                  | Corrupt PTE, bad allocation               |
+| 0x50   | PAGE_FAULT_IN_NONPAGED_AREA        | NULL dereference or bad pointer           |
+| 0xD1   | DRIVER_IRQL_NOT_LESS_OR_EQUAL      | Bad pointer at DISPATCH_LEVEL             |
+| 0x3B   | SYSTEM_SERVICE_EXCEPTION           | Kernel exception during syscall           |
+
+For `0xBE`, Param 2 is the PTE value. If Bit 1 of the PTE is 0 → page is
+not writable. Param 1 is the virtual address that was written.
+
+```bash
+# List minidump files (one per BSOD)
+ssh ... "dir C:\\Windows\\Minidump /B"
+
+# Read WER crash report for a specific bugcheck type
+ssh ... "dir \"C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\""
+ssh ... "type \"C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\<folder>\\Report.wer\""
+```
+
+**WER folder names** encode the bugcheck code: `Kernel_be_...` = 0xBE crash.
+
+---
+
+## Step 3 — Check Driver Failure Events
+
+```bash
+# Boot-start or system-start drivers that failed to load (event 7026)
+ssh ... "powershell -OutputFormat Text -NonInteractive -Command \"\
+(Get-WinEvent -LogName System -MaxEvents 500 | Where-Object Id -eq 7026)[0].Message\""
+
+# Service terminated with error (event 7023)
+ssh ... "powershell -OutputFormat Text -NonInteractive -Command \"\
+(Get-WinEvent -LogName System -MaxEvents 500 | Where-Object Id -eq 7023)[0].Message\""
+
+# All non-trivial system events (excluding Windows Update noise)
+ssh ... "powershell -OutputFormat Text -NonInteractive -Command \"\
+Get-WinEvent -LogName System -MaxEvents 500 | \
+Where-Object { \$_.ProviderName -notmatch 'WindowsUpdate|Kernel-General' } | \
+Select-Object TimeCreated, ProviderName, Id, Message | \
+Select-Object -First 30 | Out-String\""
+```
+
+---
+
+## Step 4 — Read Driver Registry Info
+
+Find the device class slot (display class GUID example):
+```bash
+# Enumerate display driver slots to find the device
+ssh ... "powershell -OutputFormat Text -NonInteractive -Command \"\
+for(\$i=0; \$i -le 6; \$i++) {
+  \$p = Get-ItemProperty ('HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\' + \$i.ToString('0000')) -EA SilentlyContinue
+  if(\$p) { Write-Host 'Slot' \$i ':' \$p.DriverDesc }
+}\""
+```
+
+Read all values from a found slot:
+```bash
+ssh ... "reg query \"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Class\\{4d36e968-e325-11ce-bfc1-08002be10318}\\0005\""
+```
+
+Key values to look for:
+- `DriverDesc` — human-readable name
+- `DriverVersion` — e.g. `32.0.101.7085`
+- `MatchingDeviceId` — e.g. `PCI\VEN_8086&DEV_A721`
+- `HardwareInformation.MemorySize` — VRAM size (little-endian DWORD)
+- `VgaCompatible` — 0 means driver does not register as VGA
+
+---
+
+## Step 5 — Check Crash Protection State
+
+Windows enters crash-protection mode after 3+ BSODs from the same driver: the
+driver is still loaded but `IoStartDevice` is not fully called → Code 43.
+
+Crash protection is **per-boot** — a clean reboot where the driver does NOT crash
+clears it. If the underlying bug is fixed, one reboot is enough to recover.
+
+```bash
+# Check if device is in problem state after reboot
+ssh ... "pnputil /enum-devices /problem /class Display"
+
+# Force driver re-enumeration (non-destructive)
+ssh ... "powershell -OutputFormat Text -NonInteractive -Command \"\
+\$dev = Get-WmiObject Win32_PnPEntity | Where-Object { \$_.PNPDeviceID -like '*A721*' }
+\$dev.Enable()\""
+```
+
+---
+
+## Step 6 — Gather System and BIOS Info
+
+```bash
+# BIOS/UEFI version (useful to verify firmware was updated)
+ssh ... "powershell -OutputFormat Text -NonInteractive -Command \"\
+(Get-WmiObject Win32_BIOS).SMBIOSBIOSVersion; (Get-WmiObject Win32_BIOS).BIOSVersion\""
+
+# System product name (from SMBIOS — QEMU sets "Standard PC (Q35 + ICH9, 2009)")
+ssh ... "powershell -OutputFormat Text -NonInteractive -Command \"\
+(Get-WmiObject Win32_ComputerSystem).Model\""
+
+# All installed drivers for a device
+ssh ... "pnputil /enum-devices /instanceid \"<instance-id>\" /drivers"
+```
+
+---
+
+## Pitfalls and Lessons Learned
+
+**PowerShell output quirks:**
+- Empty output (no error) often means a pipeline silently produced nothing
+  — add `| Out-String` or use `Write-Host` explicitly.
+- `Get-EventLog` is deprecated in Windows 11; use `Get-WinEvent` instead.
+- Unicode text files (WER XML, CSVs) need `Get-Content` not `type` to read
+  properly, or use `Select-String` which handles encoding.
+
+**PCI config space:**
+- No built-in PowerShell cmdlet reads raw PCI config registers (ASLS at 0xFC,
+  BDSM at 0x5C, GMCH at 0x50). Requires a kernel driver or third-party tool.
+- Intel GPU driver does NOT store ASLS/BDSM values in the registry.
+- Workaround: add `error_report()` logging in the QEMU/firmware source and
+  check the hypervisor logs instead.
+
+**Code 43 vs BSOD relationship:**
+- Repeated BSODs (same driver) → Windows disables full init → Code 43
+- Code 43 WITHOUT recent BSODs in event log = driver failing at startup, not crash protection
+- Code 43 WITH ≥3 recent BSODs = likely crash protection; reboot and check again
+
+**WER folder naming:**
+- `Kernel_be_...` = 0xBE (ATTEMPTED_WRITE_TO_READONLY_MEMORY)
+- `Kernel_7e_...` = 0x7E (SYSTEM_THREAD_EXCEPTION_NOT_HANDLED)
+- `Kernel_1a_...` = 0x1A (MEMORY_MANAGEMENT)
+- Report.wer contains Sig[0].Value = hex bugcheck code, Sig[1-4].Value = parameters
+
+**iGPU-specific (Intel passthrough on q35/KVM):**
+- 0xBE from `dxgmms2.sys` = BDSM register is 0 → driver maps physical address 0
+  as stolen GPU memory → write to read-only null page
+- Root cause: OVMF IgdAssignmentDxe not setting BDSM because QEMU did not write
+  `etc/igd-bdsm-size` fw_cfg entry (requires QEMU patch compiled into Xen binary)
+- To verify: add `error_report()` to the QEMU igd.c patch and check hypervisor logs
+  for "IGD bdsm-size:" messages after domain start
