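I'm new to WinDBG; these are a few notes. Experts, please bear with me.
This dump file was produced when a friend's machine blue-screened. After a quick look, it may have been caused by hardware acceleration being enabled.
Error code: KERNEL_MODE_EXCEPTION_NOT_HANDLED_M; faulting function: RtlUnicodeToCustomCPN+2f
Reference on using WinDBG to analyze a dump file from a system crash: http://bbs.pediy.com/showthread.php?threadid=35044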
*******************************************************************************
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************
// Identifies the error
KERNEL_MODE_EXCEPTION_NOT_HANDLED_M (1000008e)
// Explains the cause of the error
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Some common problems are exception code 0x80000003. This means a hard
coded breakpoint or assertion was hit, but this system was booted
/NODEBUG. This is not supposed to happen as developers should never have
hardcoded breakpoints in retail code, but ...
If this happens, make sure a debugger gets connected, and the
system is booted /DEBUG. This will let us see why this breakpoint is
happening.
// Argument information: the second column is the code, the third column is the explanation.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: 846245c9, The address that the exception occurred at
Arg3: a49a7c08, Trap Frame
Arg4: 00000000
// Error details
Debugging Details:
------------------
// Argument 1 [Arg1]
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - "0x%08lx"
// Shows the instruction that was executing when the error occurred
FAULTING_IP:
nt!RtlUnicodeToCustomCPN+2f
846245c9 8b4b04 mov ecx,dword ptr [ebx+4]
// Register contents at the time of the error
TRAP_FRAME: a49a7c08 -- (.trap 0xffffffffa49a7c08)
ErrCode = 00000000
eax=8924639c ebx=ffffffff ecx=8924639c edx=00000000 esi=89246380 edi=8924639c
eip=846245c9 esp=a49a7c7c ebp=a49a7cb8 iopl=0 nv up ei ng nz ac pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010296
nt!RtlUnicodeToCustomCPN+0x2f:
846245c9 8b4b04 mov ecx,dword ptr [ebx+4] ds:0023:00000003=????????
Resetting default scope
CUSTOMER_CRASH_COUNT: 1
DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT
BUGCHECK_STR: 0x8E
PROCESS_NAME: .exe
CURRENT_IRQL: 0
LAST_CONTROL_TRANSFER: from 8468ccfa to 846245c9
// Shows the function calls on the stack before the error
STACK_TEXT:
a49a7cb8 8468ccfa a276ebf8 00000400 a49a7cf4 nt!RtlUnicodeToCustomCPN+0x2f
a49a7d14 8447a21a 00000010 00000000 00000000 nt!NtWaitLowEventPair+0x46
a49a7d34 77ce70b4 badb0d00 02d8ff60 00000000 nt!KiEm87StateToNpxFrame+0xce
WARNING: Frame IP not in any known module. Following frames may be wrong.
a49a7d38 badb0d00 02d8ff60 00000000 00000000 0x77ce70b4
a49a7d3c 02d8ff60 00000000 00000000 00000000 0xbadb0d00
a49a7d40 00000000 00000000 00000000 00000000 0x2d8ff60
STACK_COMMAND: kb
// Disassembly of the instruction where the error occurred
FOLLOWUP_IP:
nt!RtlUnicodeToCustomCPN+2f
846245c9 8b4b04 mov ecx,dword ptr [ebx+4]
SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: nt!RtlUnicodeToCustomCPN+2f
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: nt
IMAGE_NAME: ntkrnlpa.exe
DEBUG_FLR_IMAGE_TIMESTAMP: 4ea76eb4
FAILURE_BUCKET_ID: 0x8E_nt!RtlUnicodeToCustomCPN+2f
BUCKET_ID: 0x8E_nt!RtlUnicodeToCustomCPN+2f
Followup: MachineOwner
---------
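
Added example (not part of the original notes): a short Python script that re-derives the faulting address from the trap frame above. It shows that ebx=ffffffff plus the displacement 4 wraps around in 32 bits to 00000003, the unreadable address WinDBG prints after the instruction. The helper name triage and the 64 KB low-address threshold are assumptions of this example.

```python
import re

# Lines excerpted from the !analyze -v output above (no new data).
SAMPLE = """\
Arg1: c0000005, The exception code that was not handled
Arg2: 846245c9, The address that the exception occurred at
eax=8924639c ebx=ffffffff ecx=8924639c edx=00000000 esi=89246380 edi=8924639c
eip=846245c9 esp=a49a7c7c ebp=a49a7cb8 iopl=0 nv up ei ng nz ac pe nc
846245c9 8b4b04 mov ecx,dword ptr [ebx+4] ds:0023:00000003=????????
"""

NTSTATUS = {0xC0000005: "STATUS_ACCESS_VIOLATION"}
ARG = re.compile(r"^Arg(\d): ([0-9a-f]{8})", re.M)
REG = re.compile(r"\b(e[a-d]x|e[sd]i|e[sb]p|eip)=([0-9a-f]{8})\b")
# [base+disp] operand followed by WinDBG's resolved seg:selector:address=contents
OPERAND = re.compile(
    r"\[(e\w\w)(?:([+-])([0-9a-f]+)h?)?\]\s+\w+:[0-9a-f]{4}:([0-9a-f]{8})=(\S+)")

def triage(text):
    """Hypothetical helper: re-derive the faulting address from a 32-bit trap frame."""
    args = {int(n): int(v, 16) for n, v in ARG.findall(text)}
    regs = {name: int(v, 16) for name, v in REG.findall(text)}
    m = OPERAND.search(text)
    if m is None:
        raise ValueError("no memory operand with a resolved address found")
    base, sign, disp, shown, contents = m.groups()
    offset = int(disp, 16) if disp else 0
    if sign == "-":
        offset = -offset
    # 32-bit address arithmetic wraps: ffffffff + 4 -> 00000003
    ea = (regs[base] + offset) & 0xFFFFFFFF
    return {
        "exception": NTSTATUS.get(args[1], hex(args[1])),
        "faulting_ip": args[2],
        "ip_matches_trap_eip": args[2] == regs["eip"],
        "base_register": base,
        "effective_address": ea,
        "matches_windbg": ea == int(shown, 16),
        "unreadable": set(contents) == {"?"},
        # Assumed heuristic: the lowest 64 KB is normally unmapped on Windows.
        "low_address": ea < 0x10000,
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(key, value)
```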