» Article link: http://www.hpiss.com/7496.html
» Subscribe to this site: http://www.hpiss.com/feed

1. Preface

Please use this post together with "Analyzing Windows Dumps: General Software Problems" (《分析Windows Dump-一般软件问题》). The analysis has to take into account what the bugcheck code means, and the way to look up the meaning of a bugcheck code is described in that post. All of these cases are real cases; for a few of them no hardware log was collected and the problem was solved through the dump alone, which shows how important the dump is.

Because the post is fairly long, the layout is somewhat rough and there is no detailed analysis. But the way of thinking used to analyze the dump is the same in every case; once you have summarized the pattern you will understand what each listing means.

CASE 6 is a Tencent dump I fetched early on to practise and look for clues; its case ID can no longer be found, please bear with me, thank you!


2. CASE 1

Symptom: frequent blue screens after Remote Desktop is used

System environment: Win 2003

Bugcheck code: BugCheck 50

Hardware & dump logs:

2.1. Dump information:

Open the dump and run "!analyze -v"

ADDITIONAL_DEBUG_TEXT:

MODULE_NAME: RDPDD

FAULTING_MODULE: 80800000 NT

DEBUG_FLR_IMAGE_TIMESTAMP: 45D71FB9

READ_ADDRESS: GETPOINTERFROMADDRESS: UNABLE TO READ FROM 808A6CB0

GETPOINTERFROMADDRESS: UNABLE TO READ FROM 808A6CA8

...(omitted because too long)

STACK_TEXT:

WARNING: STACK UNWIND INFORMATION NOT AVAILABLE. FOLLOWING FRAMES MAY BE WRONG.

B7045D78 8085ECF1 00000050 BFF69EE0 00000008 NT+0X27C63

B7045DF0 8088C798 00000008 BFF69EE0 00000000 NT+0X5ECF1

B7045E08 BFF69EE0 BADB0D00 00000001 B7045E34 NT+0X8C798

B7045ECC BF8B2461 E3AA6008 00000001 0108000D RDPDD+0X9EE0

B7045F14 BF927DB0 E3AA6008 00000001 00000001 WIN32K!GRECREATECOMPATIBLEBITMAP+0XE5

B7045F4C BF920A1A 03010047 B7045FCC 000001B8 WIN32K!CREATECOMPATIBLEPUBLICDC+0X70

...(omitted because too long)

B7046D6C 0006F834 00000000 00000000 00000000 0XBADB0D00

B7046D70 00000000 00000000 00000000 00000000 0X6F834

STACK_COMMAND: KB

FOLLOWUP_IP:

RDPDD+9EE0

BFF69EE0 ?? ???

SYMBOL_STACK_INDEX: 3

SYMBOL_NAME: RDPDD+9EE0

FOLLOWUP_NAME: MACHINEOWNER

IMAGE_NAME: RDPDD.DLL

BUCKET_ID: WRONG_SYMBOLS

FAILURE_BUCKET_ID: WRONG_SYMBOLS

ANALYSIS_SOURCE: KM

FAILURE_ID_HASH_STRING: KM:WRONG_SYMBOLS

FAILURE_ID_HASH: {70B057E8-2462-896F-28E7-AC72D4D365F8}

FOLLOWUP: MACHINEOWNER

2.2. Analysis:

It can be seen that RDPDD.DLL caused the blue screen. In the end we advised the user to disable the Remote Desktop service and switch to another remote-access tool, which solved the problem; the user's environment could not run Windows Update.


3. CASE 2

Symptom: blue screen after a USB flash drive is removed

System environment: Win 2003

Bugcheck code: BugCheck CE

Hardware & dump logs:

3.1. Dump information:

Open the dump and run "!analyze -v"

STACK_TEXT:

WARNING: Stack unwind information not available. Following frames may be wrong.

bafaf60c 80860295 00000050 ae02a7fc 00000008 nt!KeBugCheckEx+0x1b

bafaf684 8088e680 00000008 ae02a7fc 00000000 nt!NtFreeVirtualMemory+0x7a29

bafaf6b0 80a633d9 00000001 00000000 8d923008 nt!Kei386EoiHelper+0x2728

(...omitted because too long)

bafaf71c 8081e185 8ad74ea0 8d923008 8d687ce8 hal!HalpCheckForSoftwareInterrupt+0x81

bafafd08 f7875d0c bafafd28 8e54e9a0 00000000 fltMgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x20b

bafafd40 8081e185 8e54e9a0 8d0991f8 00011000 fltMgr!FltpDispatch+0x122

bafafd54 8081e996 00000002 906ec438 00000000 nt!IofCallDriver+0x45

bafafd68 80849343 8a29640b 8e54e9a0 906ec440 nt!IoCallDriver+0xea

bafafdac 8094c16a 00000000 00000000 00000000 nt!MmDisableModifiedWriteOfSection+0x14b3

bafafddc 8088fe2e 8084921c 00000000 00000000 nt!PsRemoveCreateThreadNotifyRoutine+0x21e

00000000 00000000 00000000 00000000 00000000 nt!KiDispatchInterrupt+0x57e

STACK_COMMAND: .bugcheck ; kb

FOLLOWUP_IP:

USBSTOR+17fc

ae02a7fc ?? ???

SYMBOL_NAME: USBSTOR+17fc

FOLLOWUP_NAME: MachineOwner

IMAGE_NAME: USBSTOR.SYS

BUCKET_ID: WRONG_SYMBOLS

FAILURE_BUCKET_ID: WRONG_SYMBOLS

ANALYSIS_SOURCE: KM

FAILURE_ID_HASH_STRING: km:wrong_symbols

FAILURE_ID_HASH: {70b057e8-2462-896f-28e7-ac72d4d365f8}

Followup: MachineOwner

3.2. Analysis:

From STACK_TEXT it can be seen that the blue screen occurred during a disk operation and is related to USBSTOR.SYS.

Suspecting a compatibility problem between the user's USB flash drive and USBSTOR.SYS, we had the user replace the drive, which resolved the problem.


4. CASE 3

Symptom: automatic reboot

System environment: Win 2008

Bugcheck code: BugCheck BAD40000

Dump log:

4.1. Dump information:

Open the dump and run "!analyze -v"

STACK_TEXT:

fffff880`029bb328 fffff880`0c259252 : 00000000`bad40000 00000000`00000007 00000000`00000005 00000000`0000000e : nt!KeBugCheckEx

fffff880`029bb330 00000000`bad40000 : 00000000`00000007 00000000`00000005 00000000`0000000e 00000000`00000454 : gab+0x59252

(...omitted because too long)

fffff880`029bb3c0 fffffa80`18f2ded0 : 00000000`00000000 00000000`00000000 00000000`a0000003 fffffa80`18f2de10 : 0x12

fffff880`029bb3c8 00000000`00000000 : 00000000`00000000 00000000`a0000003 fffffa80`18f2de10 fffff800`018dedf3 : 0xfffffa80`18f2ded0

STACK_COMMAND: kb

FOLLOWUP_IP:

gab+59252

fffff880`0c259252 ?? ???

SYMBOL_STACK_INDEX: 1

SYMBOL_NAME: gab+59252

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: gab

IMAGE_NAME: gab.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 4e9c83d5

FAILURE_BUCKET_ID: X64_0xBAD40000_gab+59252

BUCKET_ID: X64_0xBAD40000_gab+59252

ANALYSIS_SOURCE: KM

4.2. Analysis:

From the log the blue screen appears to have been caused by gab.sys. A Google search identified it as a driver-level file of Symantec's backup software, and a related bug can be found on Symantec's site.

Having the user update the Symantec software solved the problem.


5. CASE 4

Symptom: automatic reboot

System environment: Win 2008

Bugcheck code: BugCheck 50

Hardware & dump logs:

5.1. Dump information:

Open the dump and run "!analyze -v"

STACK_TEXT:

fffff880`097d4938 fffff800`0190ebe0 : 00000000`00000050 ffffffff`ffffffd0 00000000`00000001 fffff880`097d4aa0 : nt!KeBugCheckEx

fffff880`097d4940 fffff800`0188ecae : 00000000`00000001 ffffffff`ffffffd0 00000000`00000000 ffffffff`ffffffd0 : nt! ?? ::FNODOBFM::`string’+0x4518f

fffff880`097d4aa0 fffff800`018810dd : fffffa80`1a19a0d0 fffff880`08ae96b4 fffff880`097d4ff0 00000000`0000004c : nt!KiPageFault+0x16e

fffff880`097d4c30 fffff800`01b7d484 : 00000000`00000000 fffff880`08aeb635 fffffa80`17965300 fffffa80`1a19a0d0 : nt!ObReferenceObjectByPointerWithTag+0x31

fffff880`097d4c60 fffff800`01b6ed7c : fffffa80`18c619c0 fffffa80`199be0c0 00000000`00000000 00000000`00000000 : nt!ObOpenObjectByPointerWithTag+0x64

fffff880`097d4e80 fffff880`08af6bd6 : 00000000`00000000 00000000`00000000 00000000`00000000 fffff880`08ae9b8c : nt!ObOpenObjectByPointer+0x30

fffff880`097d4ed0 00000000`00000000 : 00000000`00000000 00000000`00000000 fffff880`08ae9b8c 00000000`00000000 : FSDriver+0xebd6

STACK_COMMAND: kb

FOLLOWUP_IP:

FSDriver+ebd6

fffff880`08af6bd6 ?? ???

SYMBOL_STACK_INDEX: 6

SYMBOL_NAME: FSDriver+ebd6

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: FSDriver

IMAGE_NAME: FSDriver.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 52682e3d

FAILURE_BUCKET_ID: X64_0x50_FSDriver+ebd6

BUCKET_ID: X64_0x50_FSDriver+ebd6

ANALYSIS_SOURCE: KM

FAILURE_ID_HASH_STRING: km:x64_0x50_fsdriver+ebd6

FAILURE_ID_HASH: {f6ca381e-2303-49b3-4d2b-29d045ce7f32}

5.2. Analysis:

It can be seen that FSDriver.sys caused the blue screen. After checking with the user, it turned out to be the driver-level file of an auditing tool. Having the user disable its service solved the problem.


6. CASE 5

Symptom: automatic reboot

System environment: Win 2008

Bugcheck code: BugCheck 1000007E

Dump log:

6.1. Dump information:

Open the dump and run "!analyze -v"

STACK_TEXT:

fffff880`09452a00 fffff880`044ae39a : 00000000`00000004 fffffa80`195ccc10 00000000`00000005 00000000`00000005 : srv2!Smb2LeaseProcessBreak+0x115

fffff880`09452b80 fffff800`01d1fbae : 2d2d07d3`2d2d07d2 fffffa80`3db1d570 00000000`00000080 fffffa80`18e3a9e0 : srv2!SrvProcWorkerThread+0x15a

fffff880`09452c00 fffff800`01a728c6 : fffff880`025c8180 fffffa80`3db1d570 fffff880`025d34c0 2d2d0938`2d2d0937 : nt!PspSystemThreadStartup+0x5a

fffff880`09452c40 00000000`00000000 : fffff880`09453000 fffff880`0944d000 fffff880`09452870 00000000`00000000 : nt!KxStartSystemThread+0x16

SYMBOL_STACK_INDEX: 0

SYMBOL_NAME: srv2!Smb2LeaseProcessBreak+115

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: srv2

IMAGE_NAME: srv2.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 4dba2b0a

IMAGE_VERSION: 6.1.7601.17608

STACK_COMMAND: .cxr 0xfffff88009452020 ; kb

FAILURE_BUCKET_ID: X64_0x7E_srv2!Smb2LeaseProcessBreak+115

BUCKET_ID: X64_0x7E_srv2!Smb2LeaseProcessBreak+115

ANALYSIS_SOURCE: KM

FAILURE_ID_HASH_STRING: km:x64_0x7e_srv2!smb2leaseprocessbreak+115

FAILURE_ID_HASH: {4bfdf1d8-82bf-9afe-fbfc-b663981a6617}

Followup: MachineOwner

6.2. Analysis:

It can be seen that srv2.sys, version 6.1.7601.17608, caused the blue screen. According to Microsoft's site this file is the driver-level file of the SMB service:

http://support.microsoft.com/kb/2536275

This file version is listed at that link.

It may have been caused by a denial-of-service attack or by an underlying vulnerability; the problem was resolved after Windows Update.


7. CASE 6

Symptom: automatic reboot

System environment: Win 2008

Bugcheck code: BugCheck D1

Hardware & dump logs:

7.1. Dump information:

Open the dump and run "!analyze -v"

STACK_TEXT:

fffff800`0151fd28 fffff800`0167e769 : 00000000`0000000a 00000000`00000010 00000000`00000002 00000000`00000000 : nt!KeBugCheckEx

fffff800`0151fd30 fffff800`0167d3e0 : 00000074`7cfcbdbf fffffa80`314098e0 00000000`00000001 00000000`00000000 : nt!KiBugCheckDispatch+0x69

fffff800`0151fe70 fffff880`04343a40 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiPageFault+0x260

fffff800`01520008 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : e1q62x64+0x25a40

STACK_COMMAND: kb

FOLLOWUP_IP:

e1q62x64+25a40

fffff880`04343a40 ?? ???

SYMBOL_STACK_INDEX: 3

SYMBOL_NAME: e1q62x64+25a40

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: e1q62x64

IMAGE_NAME: e1q62x64.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 4f7a1a39

FAILURE_BUCKET_ID: X64_0xD1_e1q62x64+25a40

BUCKET_ID: X64_0xD1_e1q62x64+25a40

ANALYSIS_SOURCE: KM

FAILURE_ID_HASH_STRING: km:x64_0xd1_e1q62x64+25a40

FAILURE_ID_HASH: {99df4494-84f3-4d79-1474-9cefd525f73b}

Followup: MachineOwner

7.2. Analysis:

It can be seen that e1q62x64.sys caused the blue screen. This is an Intel network adapter driver; the server is a DL170e G6 whose onboard NIC, the NC362i, happens to be an Intel adapter. Upgrading the NIC driver resolved the problem.
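Every case above is worked the same way: open the dump, run "!analyze -v", read STACK_TEXT from the top for the first frame that is not in a Windows module, and take IMAGE_NAME and FAILURE_BUCKET_ID as the starting point for the file lookup in the appendix. The script below is an added example written for this post; it is not part of the original article and not a WinDbg tool. It parses a saved "!analyze -v" listing into exactly those facts. The allowlist of Windows modules and the sample listing (built from the CASE 4 output above, with IMAGE_NAME deliberately wrapped onto a second line the way it appears in CASE 5 and CASE 6) are constructed assumptions; the bugcheck names come from the WinDbg bugcheck reference, and 0xBAD40000 from CASE 3 is left unmapped because it is not a standard code.

```python
import re
from typing import Dict, List, Optional

# Bugcheck names for the codes seen in these cases (WinDbg bugcheck reference).
# 0xBAD40000 from CASE 3 is vendor-defined and deliberately not listed.
BUGCHECK_NAMES = {
    0x50: "PAGE_FAULT_IN_NONPAGED_AREA",
    0x7E: "SYSTEM_THREAD_EXCEPTION_NOT_HANDLED",
    0x1000007E: "SYSTEM_THREAD_EXCEPTION_NOT_HANDLED_M",
    0xCE: "DRIVER_UNLOADED_WITHOUT_CANCELLING_PENDING_OPERATIONS",
    0xD1: "DRIVER_IRQL_NOT_LESS_OR_EQUAL",
}
# Windows-supplied modules that routinely sit on a crash stack (assumed allowlist).
MICROSOFT_MODULES = {"nt", "hal", "win32k", "fltmgr", "ntfs", "ndis", "tcpip"}

FIELD_RE = re.compile(r"^([A-Z][A-Z_]*):\s*(.*)$")                    # "IMAGE_NAME: x.sys"
FRAME_RE = re.compile(r"^[0-9a-f`]{8,17}\s+[0-9a-f`]{8,17}\s", re.I)  # child-sp retaddr ...
HEADER_RE = re.compile(r"^BugCheck\s+([0-9A-Fa-f]+)", re.M)           # "BugCheck 50, {..}"

def frame_symbol(line: str) -> str:
    """Symbol column of a STACK_TEXT frame: 'nt!KeBugCheckEx' or 'FSDriver+0xebd6'."""
    if " : " in line:                 # x64 layout: child-sp retaddr : args : symbol
        return line.rsplit(" : ", 1)[1].strip()
    return line.split()[-1]           # x86 layout: child-ebp retaddr arg arg arg symbol

def frame_args(line: str) -> List[int]:
    raw = line.split(" : ")[1].split() if " : " in line else line.split()[2:5]  # x64: 4 args, x86: 3
    return [int(tok.replace("`", ""), 16) for tok in raw]

def module_of(symbol: str) -> Optional[str]:
    """Module part of a symbol, or None for a bare address such as '0xBADB0D00'."""
    name = symbol.split("!")[0] if "!" in symbol else symbol.split("+")[0]
    return None if re.fullmatch(r"0x[0-9a-f`]+", name, re.I) else name

def parse_analyze(text: str) -> Dict[str, object]:
    """Reduce '!analyze -v' output to the facts used to triage the crash."""
    fields: Dict[str, str] = {}
    frames: List[str] = []
    lines, i, in_stack = text.splitlines(), 0, False
    while i < len(lines):
        line = lines[i].strip()
        m = FIELD_RE.match(line)
        if in_stack:
            if FRAME_RE.match(line):
                frames.append(line)
            elif m and m.group(1) != "WARNING":    # the next field ends the listing
                in_stack = False
                continue                           # re-read this line as a field
            i += 1                                 # blank, WARNING, "(omitted)" lines skipped
            continue
        if m:
            key, value = m.group(1), m.group(2).strip()
            if key == "STACK_TEXT":
                in_stack = True
            elif not value and i + 1 < len(lines):
                nxt = lines[i + 1].strip()
                if nxt and not FIELD_RE.match(nxt):  # value wrapped onto the next line
                    value, i = nxt, i + 1
            fields[key] = value
        i += 1
    hdr = HEADER_RE.search(text)
    code: Optional[int] = int(hdr.group(1), 16) if hdr else None
    if code is None:                               # fall back to KeBugCheckEx's first argument
        for f in frames:
            if frame_symbol(f).lower().endswith("!kebugcheckex"):
                code = frame_args(f)[0]
                break
    suspects = []
    for f in frames:
        sym = frame_symbol(f)
        mod = module_of(sym)
        if mod and mod.lower() not in MICROSOFT_MODULES:
            suspects.append(sym)
    return {
        "bugcheck": code,
        "bugcheck_name": None if code is None else BUGCHECK_NAMES.get(code, "vendor-defined/unknown"),
        "module": fields.get("MODULE_NAME"),
        "image": fields.get("IMAGE_NAME"),
        "bucket": fields.get("FAILURE_BUCKET_ID"),
        "suspect_frames": suspects,
    }

# Constructed sample based on the CASE 4 listing, with IMAGE_NAME wrapped as in CASE 5/6.
SAMPLE = """\
STACK_TEXT:
fffff880`097d4938 fffff800`0190ebe0 : 00000000`00000050 ffffffff`ffffffd0 00000000`00000001 fffff880`097d4aa0 : nt!KeBugCheckEx
fffff880`097d4aa0 fffff800`018810dd : fffffa80`1a19a0d0 fffff880`08ae96b4 fffff880`097d4ff0 00000000`0000004c : nt!KiPageFault+0x16e
fffff880`097d4ed0 00000000`00000000 : 00000000`00000000 00000000`00000000 fffff880`08ae9b8c 00000000`00000000 : FSDriver+0xebd6

SYMBOL_NAME: FSDriver+ebd6
MODULE_NAME: FSDriver
IMAGE_NAME:
FSDriver.sys
FAILURE_BUCKET_ID: X64_0x50_FSDriver+ebd6
"""

if __name__ == "__main__":
    for key, value in parse_analyze(SAMPLE).items():
        print(f"{key:>14}: {value}")
```

Save the debugger's output to a text file and pass its contents to parse_analyze. When no symbols are loaded (BUCKET_ID: WRONG_SYMBOLS, as in CASE 1), the bucket tells you nothing, but the frames are still reported as module plus offset, so the suspect list still names the third-party module (RDPDD in CASE 1) while the Windows modules are filtered out.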


8. Appendix

8.1. Looking up what a file is

http://hans01.com/

http://systemexplorer.net/file-database

http://technet.microsoft.com/zh-cn/

https://www.google.com/
