閱讀761 返回首頁    go 微軟 go windows

最近windows server 2008 down機頻繁,求助!

用windbg分析最近幾次down機的dmp文件,每次結果都不一樣,請大神幫忙分析一下。

第一次:

Microsoft (R) Windows Debugger Version 6.3.9600.17336 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [E:\問題\MEMORY0928.DMP]
Kernel Summary Dump File: Only kernel address space is available


************* Symbol Path validation summary **************
Response                         Time (ms)     Location
OK                                             C:\symbols
Symbol search path is: C:\symbols
Executable search path is: 
Windows 7 Kernel Version 7601 (Service Pack 1) MP (8 procs) Free x64
Product: Server, suite: Enterprise TerminalServer SingleUserTS
Built by: 7601.17514.amd64fre.win7sp1_rtm.101119-1850
Machine Name:
Kernel base = 0xfffff800`0161c000 PsLoadedModuleList = 0xfffff800`01861e90
Debug session time: Thu Sep 28 06:32:05.387 2017 (UTC + 8:00)
System Uptime: 7 days 17:44:05.012
Loading Kernel Symbols
...............................................................
................................................................
..........
Loading User Symbols

Loading unloaded module list
....
The context is partially valid. Only x86 user-mode context is available.
The wow64exts extension must be loaded to access 32-bit state.
.load wow64exts will do this if you haven't loaded it already.
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck C5, {ffff, 2, 0, fffff800017c66fb}

Probably caused by : Unknown_Image ( nt!ExDeferredFreePool+ca7 )

Followup: MachineOwner
---------

16.0: kd:x86> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

DRIVER_CORRUPTED_EXPOOL (c5)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high.  This is
caused by drivers that have corrupted the system pool.  Run the driver
verifier against any new (or suspect) drivers, and if that doesn't turn up
the culprit, then use gflags to enable special pool.
Arguments:
Arg1: 000000000000ffff, memory referenced
Arg2: 0000000000000002, IRQL
Arg3: 0000000000000000, value 0 = read operation, 1 = write operation
Arg4: fffff800017c66fb, address which referenced memory

Debugging Details:
------------------


BUGCHECK_STR:  0xC5_2

CURRENT_IRQL:  0

FAULTING_IP: 
nt!ExDeferredFreePool+ca7
fffff800`017c66fb 48              dec     eax

DEFAULT_BUCKET_ID:  WIN7_DRIVER_FAULT

ANALYSIS_VERSION: 6.3.9600.17336 (debuggers(dbg).150226-1500) amd64fre

LAST_CONTROL_TRANSFER:  from 0000000000000000 to 0000000000000000

STACK_TEXT:  
00000000 00000000 00000000 00000000 00000000 0x0


STACK_COMMAND:  .bugcheck ; kb

FOLLOWUP_IP: 
nt!ExDeferredFreePool+ca7
fffff800`017c66fb 48              dec     eax

SYMBOL_NAME:  nt!ExDeferredFreePool+ca7

FOLLOWUP_NAME:  MachineOwner

IMAGE_NAME:  Unknown_Image

DEBUG_FLR_IMAGE_TIMESTAMP:  0

IMAGE_VERSION:  6.1.7601.17514

MODULE_NAME: Unknown_Module

BUCKET_ID:  INVALID_KERNEL_CONTEXT

FAILURE_BUCKET_ID:  INVALID_KERNEL_CONTEXT

ANALYSIS_SOURCE:  KM

FAILURE_ID_HASH_STRING:  km:invalid_kernel_context

FAILURE_ID_HASH:  {ef5f68ed-c19c-e34b-48ec-8a37cd6f3937}

Followup: MachineOwner
---------

第二次:


Microsoft (R) Windows Debugger Version 6.3.9600.17336 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [E:\問題\MEMORY1003.DMP]
Kernel Summary Dump File: Only kernel address space is available


************* Symbol Path validation summary **************
Response                         Time (ms)     Location
OK                                             C:\symbols
Symbol search path is: C:\symbols
Executable search path is: 
Windows 7 Kernel Version 7601 (Service Pack 1) MP (8 procs) Free x64
Product: Server, suite: Enterprise TerminalServer SingleUserTS
Built by: 7601.17514.amd64fre.win7sp1_rtm.101119-1850
Machine Name:
Kernel base = 0xfffff800`01656000 PsLoadedModuleList = 0xfffff800`0189be90
Debug session time: Tue Oct  3 10:45:37.970 2017 (UTC + 8:00)
System Uptime: 3 days 23:35:16.737
Loading Kernel Symbols
...............................................................
................................................................
..........
Loading User Symbols

Loading unloaded module list
....
The context is partially valid. Only x86 user-mode context is available.
The wow64exts extension must be loaded to access 32-bit state.
.load wow64exts will do this if you haven't loaded it already.
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 1E, {ffffffffc0000005, fffff880023cb000, 0, 0}

Probably caused by : Unknown_Image ( ANALYSIS_INCONCLUSIVE )

Followup: MachineOwner
---------

16.0: kd:x86> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

KMODE_EXCEPTION_NOT_HANDLED (1e)
This is a very common bugcheck.  Usually the exception address pinpoints
the driver/function that caused the problem.  Always note this address
as well as the link date of the driver/image that contains this address.
Arguments:
Arg1: ffffffffc0000005, The exception code that was not handled
Arg2: fffff880023cb000, The address that the exception occurred at
Arg3: 0000000000000000, Parameter 0 of the exception
Arg4: 0000000000000000, Parameter 1 of the exception

Debugging Details:
------------------


READ_ADDRESS:  0000000000000000 

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - 0x%p

FAULTING_IP: 
+840
fffff880`023cb000 28bf3c0280f8    sub     byte ptr [edi-77FFDC4h],bh

BUGCHECK_STR:  0x1E_c0000005_R

DEFAULT_BUCKET_ID:  WIN7_DRIVER_FAULT

CURRENT_IRQL:  0

ANALYSIS_VERSION: 6.3.9600.17336 (debuggers(dbg).150226-1500) amd64fre

LAST_CONTROL_TRANSFER:  from 0000000000000000 to 0000000000000000

STACK_TEXT:  
00000000 00000000 00000000 00000000 00000000 0x0


STACK_COMMAND:  kb

SYMBOL_NAME:  ANALYSIS_INCONCLUSIVE

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: Unknown_Module

IMAGE_NAME:  Unknown_Image

DEBUG_FLR_IMAGE_TIMESTAMP:  0

IMAGE_VERSION:  

BUCKET_ID:  INVALID_KERNEL_CONTEXT

FAILURE_BUCKET_ID:  INVALID_KERNEL_CONTEXT

ANALYSIS_SOURCE:  KM

FAILURE_ID_HASH_STRING:  km:invalid_kernel_context

FAILURE_ID_HASH:  {ef5f68ed-c19c-e34b-48ec-8a37cd6f3937}

Followup: MachineOwner
---------

第三次:


Microsoft (R) Windows Debugger Version 6.3.9600.17336 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [E:\問題\MEMORY1013.DMP]
Kernel Summary Dump File: Only kernel address space is available


************* Symbol Path validation summary **************
Response                         Time (ms)     Location
OK                                             C:\symbols
Symbol search path is: C:\symbols
Executable search path is: 
Windows 7 Kernel Version 7601 (Service Pack 1) MP (8 procs) Free x64
Product: Server, suite: Enterprise TerminalServer SingleUserTS
Built by: 7601.17514.amd64fre.win7sp1_rtm.101119-1850
Machine Name:
Kernel base = 0xfffff800`0161c000 PsLoadedModuleList = 0xfffff800`01861e90
Debug session time: Fri Oct 13 08:49:31.085 2017 (UTC + 8:00)
System Uptime: 0 days 3:19:32.599
Loading Kernel Symbols
...............................................................
................................................................
........
Loading User Symbols

Loading unloaded module list
....
The context is partially valid. Only x86 user-mode context is available.
The wow64exts extension must be loaded to access 32-bit state.
.load wow64exts will do this if you haven't loaded it already.
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 19, {3, fffff80001824740, ffff, ffff}

Probably caused by : Unknown_Image ( ANALYSIS_INCONCLUSIVE )

Followup: MachineOwner
---------

16.0: kd:x86> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

BAD_POOL_HEADER (19)
The pool is already corrupt at the time of the current request.
This may or may not be due to the caller.
The internal pool links must be walked to figure out a possible cause of
the problem, and then special pool applied to the suspect tags or the driver
verifier to a suspect driver.
Arguments:
Arg1: 0000000000000003, the pool freelist is corrupt.
Arg2: fffff80001824740, the pool entry being checked.
Arg3: 000000000000ffff, the read back flink freelist value (should be the same as 2).
Arg4: 000000000000ffff, the read back blink freelist value (should be the same as 2).

Debugging Details:
------------------


BUGCHECK_STR:  0x19_3

DEFAULT_BUCKET_ID:  WIN7_DRIVER_FAULT

CURRENT_IRQL:  0

ANALYSIS_VERSION: 6.3.9600.17336 (debuggers(dbg).150226-1500) amd64fre

LAST_CONTROL_TRANSFER:  from 0000000000000000 to 0000000000000000

STACK_TEXT:  
00000000 00000000 00000000 00000000 00000000 0x0


STACK_COMMAND:  kb

SYMBOL_NAME:  ANALYSIS_INCONCLUSIVE

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: Unknown_Module

IMAGE_NAME:  Unknown_Image

DEBUG_FLR_IMAGE_TIMESTAMP:  0

IMAGE_VERSION:  

BUCKET_ID:  INVALID_KERNEL_CONTEXT

FAILURE_BUCKET_ID:  INVALID_KERNEL_CONTEXT

ANALYSIS_SOURCE:  KM

FAILURE_ID_HASH_STRING:  km:invalid_kernel_context

FAILURE_ID_HASH:  {ef5f68ed-c19c-e34b-48ec-8a37cd6f3937}

Followup: MachineOwner
---------

最後更新:2017-10-19 16:03:42

  上一篇:go windows任務欄置頂遮擋其他軟件標題欄
  下一篇:go Windows denfender被組策略關閉