

Win 8.1 frequent blue screens!!! Urgent!!! (My previous post sank, so I'm posting again)

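Dear technical staff, I have a machine running Win 8.1 (downloaded from MSDN). It was fine right after installation, but after some time of use it began to blue-screen frequently. I know this is not a problem with the system itself, so I want to find the culprit that triggers the blue screens. I can read some blue-screen logs myself, but I found that this one is different from the ones I have seen before. For example, with a typical blue-screen log, viewing the thread information with !thread gives the following output (note especially the parts in red):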

1: kd> !thread
GetPointerFromAddress: unable to read from fffff803376511c0
THREAD ffffe0009256d040  Cid 0004.11b0  Teb: 0000000000000000 Win32Thread: 0000000000000000 RUNNING on processor 1
IRP List:
    ffffe0009256d680: (d680,9256) Flags: 00000001  Mdl: ffffe0009256d680
    ffffe0009256d680: (d680,9256) Flags: 00000001  Mdl: ffffe0009256d680
    ffffe0009256d680: (d680,9256) Flags: 00000001  Mdl: ffffe0009256d680
    ffffe0009256d680: (d680,9256) Flags: 00000001  Mdl: ffffe0009256d680
    ffffe0009256d680: (d680,9256) Flags: 00000001  Mdl: ffffe0009256d680
    ffffe0009256d680: (d680,9256) Flags: 00000001  Mdl: ffffe0009256d680
    ffffe0009256d680: (d680,9256) Flags: 00000001  Mdl: ffffe0009256d680
    ffffe0009256d680: (d680,9256) Flags: 00000001  Mdl: ffffe0009256d680
    ffffe0009256d680: (d680,9256) Flags: 00000001  Mdl: ffffe0009256d680
    ffffe0009256d680: (d680,9256) Flags: 00000001  Mdl: ffffe0009256d680
    ffffe0009256d680: (d680,9256) Flags: 00000001  Mdl: ffffe0009256d680
    ffffe0009256d680: (d680,9256) Flags: 00000001  Mdl: ffffe0009256d680
    ffffe0009256d680: (d680,9256) Flags: 00000001  Mdl: ffffe0009256d680
    ffffe0009256d680: (d680,9256) Flags: 00000001  Mdl: ffffe0009256d680
    ffffe0009256d680: (d680,9256) Flags: 00000001  Mdl: ffffe0009256d680
    ffffe0009256d680: (d680,9256) Flags: 00000001  Mdl: ffffe0009256d680
    ffffe0009256d680: (d680,9256) Flags: 00000001  Mdl: ffffe0009256d680
Not impersonating
GetUlongFromAddress: unable to read from fffff8033759ffe8
Owning Process            ffffe00090b55680       Image:         System Process
Attached Process          N/A            Image:         N/A
fffff78000000000: Unable to get shared data
Wait Start TickCount      58186
Context Switch Count      26576
ReadMemory error: Cannot get nt!KeMaximumIncrement value.
UserTime                  00:00:00.000
KernelTime                00:00:00.000
Stack Init ffffd0003bbaac90 Current ffffd0003bbaa850
Base ffffd0003bbab000 Limit ffffd0003bba5000 Call 0
Priority 12 BasePriority 12 UnusualBoost 0 ForegroundBoost 0 IoPriority 2 PagePriority 5
Child-SP          RetAddr           : Args to Child                                                           : Call Site
ffffd000`3bbaa0a8 00000000`00000000 : 00000000`00000109 a3a01f59`237bd618 b3b72bdf`75fbe5ff ffffe000`919e1d80 :nt!KeBugCheckEx

However, this unsolvable log gives output like this (note the parts in red):

0: kd> !thread
GetPointerFromAddress: unable to read from 81c37958
THREAD aa9e5040  Cid 00d8.01ac  Teb: 7f459000 Win32Thread: 8c485460 RUNNING on processor 0
Not impersonating
GetUlongFromAddress: unable to read from 81bf6bbc
Owning Process            aa9986c0       Image:         System Process
Attached Process          f20008       Image:         <Unknown>
ffdf0000: Unable to get shared data
Wait Start TickCount      5150900      
Context Switch Count      221584             
ReadMemory error: Cannot get nt!KeMaximumIncrement value.
UserTime                  00:00:00.000
KernelTime                00:00:00.000
Win32 Start Address 0x76a54a40
Stack Init a9fbcfe0 Current a9fbcbe8 Base a9fbd000 Limit a9fba000 Call 0
Priority 11 BasePriority 9 UnusualBoost 0 ForegroundBoost 0 IoPriority 2 PagePriority 5
ChildEBP RetAddr  Args to Child              
82ea8b90 81b19213 0000000a 00000060 00000002 nt!KiBugCheck2
82ea8b90 8302c90c 0000000a 00000060 00000002 nt!KiTrap0E+0x1cf (FPO: [0,0] TrapFrame @ 82ea8c34)
82ea8ce0 83032c69 00000000 ffffffff b09ce530 Wdf01000!FxRequest::CompleteInternal+0x30 (FPO: [Non-Fpo])
82ea8d00 8b542ea8 00000000 b09ce448 00000000 Wdf01000!imp_WdfRequestComplete+0x75 (FPO: [Non-Fpo])
82ea8d20 8b543a89 ffffffff 00000000 00000000 USBXHCI!Bulk_Transfer_CompleteCancelable+0xde (FPO: [Non-Fpo])
82ea8d58 8b540e27 82ea8de4 8b53aa38 82ea8d94 USBXHCI!Bulk_ProcessTransferEventWithED1+0x287 (FPO: [Non-Fpo])
82ea8d60 8b53aa38 82ea8d94 00000000 b09ce583 USBXHCI!Bulk_EP_TransferEventHandler+0x19 (FPO: [2,0,0])
82ea8d70 8b5351ab 8ae373c0 8ae55e40 751aa1b8 USBXHCI!TR_TransferEventHandler+0x3a (FPO: [0,0,4])
82ea8de4 830a1c10 751aa1b8 751cb1f8 8ae55e9c USBXHCI!Interrupter_WdfEvtInterruptDpc+0x32d (FPO: [2,23,4])
82ea8e04 830a1f6b 00000000 00000000 81c1c300 Wdf01000!FxInterrupt::DpcHandler+0x9c (FPO: [Non-Fpo])
82ea8e18 81a579a6 8ae55e9c 8ae55e40 8ae55e40 Wdf01000!FxInterrupt::_InterruptDpcThunk+0x3c (FPO: [Non-Fpo])
82ea8ed0 81a575c6 82ea8f18 00000000 00000000 nt!KiExecuteAllDpcs+0x216 (FPO: [Non-Fpo])
82ea8ff4 81b19e3e a9fbc988 00000000 00000000 nt!KiRetireDpcList+0xf6 (FPO: [0,65,4])
82ea8ff8 a9fbc988 00000000 00000000 00000000 nt!KiDispatchInterrupt+0x2e (FPO: [Uses EBP] [0,0,1])
WARNING: Frame IP not in any known module. Following frames may be wrong.
81b19e3e 00000000 00000023 011b850f bb830000 0xa9fbc988

0: kd> dd bb830000 0xa9fbc988
                            ^ Range error in 'dd bb830000 0xa9fbc988'
0: kd> dd 0000000a81b19213
81b19213  d9ec3d83 0f0081c0 fffef285 403d83ff
81b19223  0081c0d5 fee5850f ffb8ffff eb000000
81b19233  54a164c1 64000000 005405c7 00000000
81b19243  45890000 d593e968 498dffff 7045f700
81b19253  00020000 45f60a75 840f016c 00000127
81b19263  0fc3210f 210fc921 145d89d7 89184d89
81b19273  210f1c7d f1210fdb 89ff210f 4d89205d
81b19283  89db3324 230f287d 3d8b64fb 00000020
0: kd> ln 0000000a81b19213
(81b19044)   nt!KiTrap0E+0x1cf   |  (81b19250)   nt!Dr_kitf_a
0: kd> !thread
GetPointerFromAddress: unable to read from 81c37958
THREAD aa9e5040  Cid 00d8.01ac  Teb: 7f459000 Win32Thread: 8c485460 RUNNING on processor 0
Not impersonating
GetUlongFromAddress: unable to read from 81bf6bbc
Owning Process            aa9986c0       Image:         System Process
Attached Process          f20008       Image:         <Unknown>
ffdf0000: Unable to get shared data
Wait Start TickCount      5150900      
Context Switch Count      221584             
ReadMemory error: Cannot get nt!KeMaximumIncrement value.
UserTime                  00:00:00.000
KernelTime                00:00:00.000
Win32 Start Address 0x76a54a40
Stack Init a9fbcfe0 Current a9fbcbe8 Base a9fbd000 Limit a9fba000 Call 0
Priority 11 BasePriority 9 UnusualBoost 0 ForegroundBoost 0 IoPriority 2 PagePriority 5
ChildEBP RetAddr  Args to Child              
82ea8b90 81b19213 0000000a 00000060 00000002 nt!KiBugCheck2
82ea8b90 8302c90c 0000000a 00000060 00000002 nt!KiTrap0E+0x1cf (FPO: [0,0] TrapFrame @ 82ea8c34)
82ea8ce0 83032c69 00000000 ffffffff b09ce530 Wdf01000!FxRequest::CompleteInternal+0x30 (FPO: [Non-Fpo])
82ea8d00 8b542ea8 00000000 b09ce448 00000000 Wdf01000!imp_WdfRequestComplete+0x75 (FPO: [Non-Fpo])
82ea8d20 8b543a89 ffffffff 00000000 00000000 USBXHCI!Bulk_Transfer_CompleteCancelable+0xde (FPO: [Non-Fpo])
82ea8d58 8b540e27 82ea8de4 8b53aa38 82ea8d94 USBXHCI!Bulk_ProcessTransferEventWithED1+0x287 (FPO: [Non-Fpo])
82ea8d60 8b53aa38 82ea8d94 00000000 b09ce583 USBXHCI!Bulk_EP_TransferEventHandler+0x19 (FPO: [2,0,0])
82ea8d70 8b5351ab 8ae373c0 8ae55e40 751aa1b8 USBXHCI!TR_TransferEventHandler+0x3a (FPO: [0,0,4])
82ea8de4 830a1c10 751aa1b8 751cb1f8 8ae55e9c USBXHCI!Interrupter_WdfEvtInterruptDpc+0x32d (FPO: [2,23,4])
82ea8e04 830a1f6b 00000000 00000000 81c1c300 Wdf01000!FxInterrupt::DpcHandler+0x9c (FPO: [Non-Fpo])
82ea8e18 81a579a6 8ae55e9c 8ae55e40 8ae55e40 Wdf01000!FxInterrupt::_InterruptDpcThunk+0x3c (FPO: [Non-Fpo])
82ea8ed0 81a575c6 82ea8f18 00000000 00000000 nt!KiExecuteAllDpcs+0x216 (FPO: [Non-Fpo])
82ea8ff4 81b19e3e a9fbc988 00000000 00000000 nt!KiRetireDpcList+0xf6 (FPO: [0,65,4])
82ea8ff8 a9fbc988 00000000 00000000 00000000 nt!KiDispatchInterrupt+0x2e (FPO: [Uses EBP] [0,0,1])
WARNING: Frame IP not in any known module. Following frames may be wrong.
81b19e3e 00000000 00000023 011b850f bb830000 0xa9fbc988

I would like help with two questions: 1. What causes the difference between these two logs? 2. How can I continue troubleshooting with this log?

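PS: I should point out that I have seen that the triggering file described in the log is USBXHCI.sys, but that ships with the system, so I also know that it is generally caused by a peripheral. What I want to know is exactly where the error occurs: in the interaction between the system and the peripheral, at which stage of processing did the error happen? For example, which stack error? Or a pointer error?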



Last updated: 2017-11-01 09:04:14
