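Hello experts, I am still just getting started with analyzing blue screen dump files and hope to get some guidance from everyone. Thank you very much in advance.
Below is the dump file produced by a blue screen on a Windows 2003 system.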
Windows Server 2003 Kernel Version 3790 (Service Pack 2) MP (8 procs) Free x86 compatible
Product: Server, suite: Enterprise TerminalServer SingleUserTS
Built by: 3790.srv03_sp2_gdr.091215-1207
Machine Name:
Kernel base = 0x80800000 PsLoadedModuleList = 0x808a6ea8
Debug session time: Wed Feb 25 20:49:44.353 2015 (GMT+8)
System Uptime: 41 days 2:24:14.703
Loading Kernel Symbols
...............................................................
..........................................................
Loading User Symbols
Loading unloaded module list
.........
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck 7E, {c0000005, 207700c, f7926c48, f7926944}
Probably caused by : ntkrpamp.exe ( nt!WmipGetLogFromHal+4f )
Followup: MachineOwner
---------
3: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
SYSTEM_THREAD_EXCEPTION_NOT_HANDLED (7e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: 0207700c, The address that the exception occurred at
Arg3: f7926c48, Exception Record Address
Arg4: f7926944, Context Record Address
Debugging Details:
------------------
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - 0x%08lx
FAULTING_IP:
+16
0207700c ?? ???
EXCEPTION_RECORD: f7926c48 -- (.exr 0xfffffffff7926c48)
ExceptionAddress: 0207700c
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 0207700c
Attempt to read from address 0207700c
CONTEXT: f7926944 -- (.cxr 0xfffffffff7926944)
eax=f7926d50 ebx=00000100 ecx=001373a0 edx=00000f2b esi=00000048 edi=8b379620
eip=0207700c esp=f7926d10 ebp=f7926d34 iopl=0 nv up ei pl nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010206
0207700c ?? ???
Resetting default scope
DEFAULT_BUCKET_ID: DRIVER_FAULT
PROCESS_NAME: System
CURRENT_IRQL: 0
ERROR_CODE: (NTSTATUS) 0xc0000005 - 0x%08lx
EXCEPTION_PARAMETER1: 00000000
EXCEPTION_PARAMETER2: 0207700c
READ_ADDRESS: 0207700c
FOLLOWUP_IP:
nt!WmipGetLogFromHal+4f
809813a1 8bd8 mov ebx,eax
FAILED_INSTRUCTION_ADDRESS:
+56cc952f029bdcec
0207700c ?? ???
BUGCHECK_STR: 0x7E
LAST_CONTROL_TRANSFER: from 809813a1 to 0207700c
STACK_TEXT:
WARNING: Frame IP not in any known module. Following frames may be wrong.
f7926d0c 809813a1 0000000d 00000100 8b379620 0x207700c
f7926d34 8087b9fe 0000000d 59364117 f7926d6c nt!WmipGetLogFromHal+0x4f
f7926d64 809818a5 8089b300 8d14d8d0 808ae5fc nt!WmipQueryLogAndFireEvent+0x28
f7926d80 80880475 00000000 00000000 8d14d8d0 nt!WmipMceWorkerRoutine+0x41
f7926dac 80949b80 8089b300 00000000 00000000 nt!ExpWorkerThread+0xeb
f7926ddc 8088e0c2 8088038a 00000001 00000000 nt!PspSystemThreadStartup+0x2e
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16
SYMBOL_STACK_INDEX: 1
SYMBOL_NAME: nt!WmipGetLogFromHal+4f
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: nt
IMAGE_NAME: ntkrpamp.exe
DEBUG_FLR_IMAGE_TIMESTAMP: 4b27b13b
STACK_COMMAND: .cxr 0xfffffffff7926944 ; kb
FAILURE_BUCKET_ID: 0x7E_BAD_IP_nt!WmipGetLogFromHal+4f
BUCKET_ID: 0x7E_BAD_IP_nt!WmipGetLogFromHal+4f
Followup: MachineOwner