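Server still reboots due to a bugcheck after ports 445,135,137,138,139;69 have been blocked
Initially the Windows server was hit by an EternalBlue attack, and the event log showed that it rebooted because of a bugcheck. After ports 445,135,137,138,139;69 were blocked on the server, it still reboots because of a bugcheck. I suspect a driver problem; please help analyze the memory.dmp.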
system log:
The computer has rebooted from a bugcheck. The bugcheck was:
0x000000c5 (0x0000ffff, 0x00000002, 0x00000000, 808933b0).
A dump was saved in: F:\MEMORY.DMP.
memory dump debug:
Microsoft (R) Windows Debugger Version 6.12.0002.633 X86
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [C:\123\HBSM25BAP1B_MEMORY.DMP]
Kernel Summary Dump File: Only kernel address space is available
Symbol search path is: SRV*C:\DevLib\SymbolLocal*https://msdl.microsoft.com/download/symbols
Executable search path is:
Windows Server 2003 Kernel Version 3790 (Service Pack 2) MP (4 procs) Free x86 compatible
Product: LanManNt, suite: Enterprise TerminalServer SingleUserTS
Built by: 3790.srv03_sp2_gdr.120821-0338
Machine Name:
Kernel base = 0x80800000 PsLoadedModuleList = 0x808a6ea8
Debug session time: Tue May 16 03:02:50.986 2017 (UTC + 8:00)
System Uptime: 417 days 2:19:55.046
Loading Kernel Symbols
...............................................................
...............................
Loading User Symbols
PEB is paged out (Peb.Ldr = 7ffd700c). Type ".hh dbgerr001" for details
Loading unloaded module list
............
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck C5, {ffff, d0000002, 0, 808933b0}
Probably caused by : ntkrpamp.exe ( nt!ExAllocatePoolWithTag+838 )
Followup: MachineOwner
---------
0: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
DRIVER_CORRUPTED_EXPOOL (c5)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is
caused by drivers that have corrupted the system pool. Run the driver
verifier against any new (or suspect) drivers, and if that doesn't turn up
the culprit, then use gflags to enable special pool.
Arguments:
Arg1: 0000ffff, memory referenced
Arg2: d0000002, IRQL
Arg3: 00000000, value 0 = read operation, 1 = write operation
Arg4: 808933b0, address which referenced memory
Debugging Details:
------------------
BUGCHECK_STR: 0xC5_D0000002
CURRENT_IRQL: 2
FAULTING_IP:
nt!ExAllocatePoolWithTag+838
808933b0 8b07 mov eax,dword ptr [edi]
DEFAULT_BUCKET_ID: DRIVER_FAULT
PROCESS_NAME: svchost.exe
TRAP_FRAME: b8f49a58 -- (.trap 0xffffffffb8f49a58)
ErrCode = 00000000
eax=00000000 ebx=808aeae0 ecx=808b4180 edx=f772f568 esi=808aed90 edi=0000ffff
eip=808933b0 esp=b8f49acc ebp=b8f49b08 iopl=0 nv up ei pl nz na pe cy
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010207
nt!ExAllocatePoolWithTag+0x838:
808933b0 8b07 mov eax,dword ptr [edi] ds:0023:0000ffff=????????
Resetting default scope
LAST_CONTROL_TRANSFER: from 808933b0 to 8088ca3b
STACK_TEXT:
b8f49a58 808933b0 badb0d00 f772f568 e290f500 nt!KiTrap0E+0x2a7
b8f49b08 8093951b 00000000 00000000 e5726854 nt!ExAllocatePoolWithTag+0x838
b8f49b2c 80939c3b 87830468 88d83901 00000000 nt!ObpAllocateObject+0xc9
b8f49b60 80949e9f 88d83901 8b17fad0 00000000 nt!ObCreateObject+0x129
b8f49cc8 8094af23 01e7ef1c 001f03ff 00000000 nt!PspCreateThread+0xb9
b8f49d3c 8088983c 01e7ef1c 001f03ff 00000000 nt!NtCreateThread+0xdd
b8f49d3c 7c82845c 01e7ef1c 001f03ff 00000000 nt!KiFastCallEntry+0xfc
WARNING: Frame IP not in any known module. Following frames may be wrong.
01e7f2c8 00000000 00000000 00000000 00000000 0x7c82845c
STACK_COMMAND: kb
FOLLOWUP_IP:
nt!ExAllocatePoolWithTag+838
808933b0 8b07 mov eax,dword ptr [edi]
SYMBOL_STACK_INDEX: 1
SYMBOL_NAME: nt!ExAllocatePoolWithTag+838
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: nt
IMAGE_NAME: ntkrpamp.exe
DEBUG_FLR_IMAGE_TIMESTAMP: 503382ff
FAILURE_BUCKET_ID: 0xC5_D0000002_nt!ExAllocatePoolWithTag+838
BUCKET_ID: 0xC5_D0000002_nt!ExAllocatePoolWithTag+838
Followup: MachineOwner
---------
Last updated: 2017-05-19 07:20:51