1查看系统事件发现有 1076 事件id 记录如下
用户 xxx为这台机器上一次意外的关机提供的原因是: 系统故障: 停止错误
原因代码: 0x805000f
错误 ID:
错误检查字符: 0x0000007e (0xc0000005, 0x00000000, 0xf1fac17c, 0xf1fabe78)
注释: 0x0000007e (0xc0000005, 0x00000000, 0xf1fac17c, 0xf1fabe78)
0x0000007e只能大概知道为硬件兼容,驱动及服务问题,软件冲突导致
2遂用windbg工具open crash dump查看memory.dmp文件内容如下
Microsoft (R) Windows Debugger Version 6.12.0002.633 X86
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [C:\WINDOWS\MEMORY.DMP]
Kernel Summary Dump File: Only kernel address space is available
Symbol search path is: *** Invalid ***
****************************************************************************
* Symbol loading may be unreliable without a symbol search path. *
* Use .symfix to have the debugger choose a symbol path. *
* After setting your symbol path, use .reload to refresh symbol locations. *
****************************************************************************
Executable search path is:
*********************************************************************
* Symbols can not be loaded because symbol path is not initialized. *
* *
* The Symbol Path can be set by: *
* using the _NT_SYMBOL_PATH environment variable. *
* using the -y <symbol_path> argument when starting the debugger. *
* using .sympath and .sympath+ *
*********************************************************************
*** ERROR: Symbol file could not be found. Defaulted to export symbols for ntkrpamp.exe -
Windows Server 2003 Kernel Version 3790 (Service Pack 2) MP (8 procs) Free x86 compatible
Product: Server, suite: Enterprise TerminalServer
Built by: 3790.srv03_sp2_gdr.101019-0340
Machine Name:
Kernel base = 0x80800000 PsLoadedModuleList = 0x808a6ea8
Debug session time: Sat Apr 30 12:06:03.781 2011 (UTC + 8:00)
System Uptime: 13 days 0:32:16.166
*********************************************************************
* Symbols can not be loaded because symbol path is not initialized. *
* *
* The Symbol Path can be set by: *
* using the _NT_SYMBOL_PATH environment variable. *
* using the -y <symbol_path> argument when starting the debugger. *
* using .sympath and .sympath+ *
*********************************************************************
*** ERROR: Symbol file could not be found. Defaulted to export symbols for ntkrpamp.exe -
Loading Kernel Symbols
...............................................................
......................................................
Loading User Symbols
PEB is paged out (Peb.Ldr = 7ffdc00c). Type ".hh dbgerr001" for details
Loading unloaded module list
..................................................
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck 7E, {c0000005, 0, f1fac17c, f1fabe78}
*** ERROR: Module load completed but symbols could not be loaded for mssmbios.sys
***** Kernel symbols are WRONG. Please fix symbols to do analysis.
*************************************************************************
*** ***
*** ***
*** Your debugger is not using the correct symbols ***
*** ***
*** In order for this command to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: nt!_KPRCB ***
*** ***
*************************************************************************
*** ERROR: Symbol file could not be found. Defaulted to export symbols for termdd.sys -
*** ERROR: Module load completed but symbols could not be loaded for RDPWD.SYS
*** ERROR: Module load completed but symbols could not be loaded for TDTCP.SYS
*************************************************************************
*** ***
*** ***
*** Your debugger is not using the correct symbols ***
*** ***
*** In order for this command to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: nt!_KPRCB ***
*** ***
*************************************************************************
*************************************************************************
*** ***
*** ***
*** Your debugger is not using the correct symbols ***
*** ***
*** In order for this command to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: nt!_KPRCB ***
*** ***
*************************************************************************
Probably caused by : rdpdr.sys ( rdpdr+10c93 )
Followup: MachineOwner
3 google上查rdpdr.sys与系统重启相关资料 可能正确的解释为rdpdr.sys漏洞导致远程用户重定向本地磁盘驱动后在从重定向本地驱动器复制文件时可能导致系统重启,需更新补丁kb960652更新rdpdr.sys文件
转载于:https://blog.51cto.com/mikehopes/557032
870
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
