How can I analyze a minidump?

Can someone use a command to find the third-party driver that may be the culprit of the BSOD in the attached minidump?

https://1drv.ms/u/s!AqhhsryB84SOjPNG54-xPUQQ5SoouQ

I have already run analyze -v, and it gave no clue about any third-party driver, only Microsoft's drivers.

Analyzing the dump with WinDbg by running !analyze -v does not show enough detail:

*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

SYSTEM_SERVICE_EXCEPTION (3b)
An exception happened while executing a system service routine.
Arguments:
Arg1: 00000000c0000005, Exception code that caused the bugcheck
Arg2: fffff8032ae9ada2, Address of the instruction which caused the bugcheck
Arg3: ffff8c001ea8eda0, Address of the context record for the exception that caused the bugcheck
Arg4: 0000000000000000, zero.

Debugging Details:
------------------

00 nt!KeBugCheckEx
01 nt!KiBugCheckDispatch
02 nt!KiSystemServiceHandler
03 nt!RtlpExecuteHandlerForException
04 nt!RtlDispatchException
05 nt!KiDispatchException
06 nt!KiExceptionDispatch
07 nt!KiGeneralProtectionFault
08 nt!ObDereferenceSecurityDescriptor
09 nt!SeDefaultObjectMethod
0a nt!ObpRemoveObjectRoutine
0b nt!ObfDereferenceObjectWithTag
0c nt!ObCloseHandleTableEntry
0d nt!NtClose
0e nt!KiSystemServiceCopyEnd
0f 0x0

So you get a 00000000c0000005 - access denied error when closing a handle. Next I used Andrew Richards' PDE.dll and dumped all the data with !pde.dpx, and there I saw a McAfee DLL:

0xffff8c001ea8ee08 : 0xfffff8032acd634b : nt!ExFreePoolWithTag+0x34b
0xffff8c001ea8ee98 : 0xfffff8032ae9ada2 : nt!ObDereferenceSecurityDescriptor+0x12
Unable to load image \SystemRoot\system32\drivers\mfehidk.sys, Win32 error 0n2
*** WARNING: Unable to verify timestamp for mfehidk.sys
*** ERROR: Module load completed but symbols could not be loaded for mfehidk.sys
0xffff8c001ea8f058 : 0xfffff8032aafdc5a : nt!ExpReleaseResourceForThreadLite+0x13a
0xffff8c001ea8f068 : 0xfffff8032aafdac4 : nt!ExAcquireResourceSharedLite+0x394
0xffff8c001ea8f0c8 : 0xfffff8032acd634b : nt!ExFreePoolWithTag+0x34b
0xffff8c001ea8f0e8 : 0xfffff8032aab5420 : nt!MiFlushTbList+0x2f0
0xffff8c001ea8f100 : 0xfffff8032adc1100 : nt!NonPagedPoolDescriptor
0xffff8c001ea8f228 : 0xfffff8032ab35ddc : nt!RtlGetExtendedContextLength+0x34
0xffff8c001ea8f248 : 0xfffff8032ae81619 : nt!ObpCallPreOperationCallbacks+0x269
0xffff8c001ea8f2f8 : 0xfffff8032ab51ecb : nt!MiFlushHyperSpace+0x8b
0xffff8c001ea8f348 : 0xfffff8032ac4ae2d : nt!HvlpFastFlushAddressSpaceTb+0x59
0xffff8c001ea8f3b8 : 0xfffff8032ac4abde : nt!HvlFlushAddressSpaceTb+0x5e
0xffff8c001ea8f438 : 0xfffff8032abe7a02 : nt!KiExceptionDispatch+0xc2
0xffff8c001ea8f538 : 0xfffff8032adac040 : nt!MiSystemPartition
0xffff8c001ea8f588 : 0xfffff8032ae9ada2 : nt!ObDereferenceSecurityDescriptor+0x12
0xffff8c001ea8f618 : 0xfffff8032abe5cbd : nt!KiGeneralProtectionFault+0xfd
0xffff8c001ea8f620 : 0xfffff8800001f2f8 :  Trap @ ffff8c001ea8f620
0xffff8c001ea8f628 : 0xfffff8032aaead13 : nt!MiDeleteVirtualAddresses+0xf63
0xffff8c001ea8f6f8 : 0xfffff8032aad3470 : nt!MiGetVadWakeList+0x120
0xffff8c001ea8f718 : 0xfffff8032acd634b : nt!ExFreePoolWithTag+0x34b
0xffff8c001ea8f738 : 0xfffff8032adac040 : nt!MiSystemPartition
0xffff8c001ea8f748 : 0xfffff8032aeaa349 : nt!MiRemoveVadCharges+0x219
0xffff8c001ea8f788 : 0xfffff8032ae9ada2 : nt!ObDereferenceSecurityDescriptor+0x12
0xffff8c001ea8f7b8 : 0xfffff8032aad3307 : nt!MiFinishVadDeletion+0x3d7
0xffff8c001ea8f7c8 : 0xfffff8032acd634b : nt!ExFreePoolWithTag+0x34b
0xffff8c001ea8f7e8 : 0xfffff8032ae9a948 : nt!SeDefaultObjectMethod+0xa8
0xffff8c001ea8f7f8 : 0xfffff8032aea8f4a : nt!MiRemoveSharedCommitNode+0x29a
0xffff8c001ea8f828 : 0xfffff8032af268c9 : nt!ObpLookupDirectoryUsingHash+0x95
0xffff8c001ea8f838 : 0xfffff8032ae96337 : nt!ObpRemoveObjectRoutine+0xc7
0xffff8c001ea8f898 : 0xfffff8032ab00326 : nt!ObfDereferenceObjectWithTag+0xc6
0xffff8c001ea8f8d8 : 0xfffff8032aeb135b : nt!ObCloseHandleTableEntry+0x28b
0xffff8c001ea8fa18 : 0xfffff8032aefb5db : nt!NtClose+0xcb

Image path: \SystemRoot\system32\drivers\mfehidk.sys
Image name: mfehidk.sys
Browse all global symbols  functions  data
Timestamp:        Wed Nov 30 22:56:01 2016 

If no update is available, remove the McAfee software.
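The procedure in the answer above (run !analyze -v, then scan the !pde.dpx output for modules that are not Microsoft's) can be triaged mechanically when the WinDbg output has been saved to a file. The following Python script is an added example, not code from the post or from PDE: it parses the stack-scan lines, records which modules could not be found or had no symbols, and lists everything outside an assumed Microsoft allow-list. The allow-list and the SAMPLE_DPX input are constructed for illustration (the sample reuses lines quoted in the answer).

```python
import re
from typing import Dict, List

# Modules treated as Microsoft-owned for this triage; an assumed allow-list
# used for illustration, extend it to match the systems you analyze.
MICROSOFT_MODULES = {"nt", "hal", "ntoskrnl", "win32kbase", "win32kfull", "fltmgr"}

# Stack-scan line: "0x<addr> : 0x<addr> : module!Symbol+0x<off>"
_SYMBOL_RE = re.compile(r":\s*0x[0-9a-fA-F]+\s*:\s*([A-Za-z0-9_]+)!")
# Image not found on the symbol path (typical for third-party drivers)
_IMAGE_RE = re.compile(r"Unable to load image\s+([^,\s]+)")
# Module loaded but WinDbg has no symbols for it
_NOSYM_RE = re.compile(r"symbols could not be loaded for\s+(\S+)")

def _module_key(filename: str) -> str:
    # "\SystemRoot\system32\drivers\mfehidk.sys" -> "mfehidk"
    base = filename.rsplit("\\", 1)[-1]
    return base.rsplit(".", 1)[0].lower()

def triage_dpx(output: str) -> Dict[str, dict]:
    """Per-module summary of !analyze -v / !pde.dpx output: hits, symbols loaded, image path."""
    modules: Dict[str, dict] = {}
    def entry(name: str) -> dict:
        return modules.setdefault(name, {"hits": 0, "symbols": True, "path": None})
    for line in output.splitlines():
        if m := _SYMBOL_RE.search(line):
            entry(m.group(1).lower())["hits"] += 1
        elif m := _IMAGE_RE.search(line):
            e = entry(_module_key(m.group(1)))
            e["hits"] += 1
            e["path"] = m.group(1)
        elif m := _NOSYM_RE.search(line):
            entry(_module_key(m.group(1)))["symbols"] = False
    return modules

def third_party_modules(modules: Dict[str, dict]) -> List[str]:
    """Modules outside the allow-list: the first candidates to investigate."""
    return sorted(name for name in modules if name not in MICROSOFT_MODULES)

# Constructed sample: a subset of the !pde.dpx lines quoted in the answer above.
SAMPLE_DPX = """\
0xffff8c001ea8ee08 : 0xfffff8032acd634b : nt!ExFreePoolWithTag+0x34b
0xffff8c001ea8ee98 : 0xfffff8032ae9ada2 : nt!ObDereferenceSecurityDescriptor+0x12
Unable to load image \\SystemRoot\\system32\\drivers\\mfehidk.sys, Win32 error 0n2
*** WARNING: Unable to verify timestamp for mfehidk.sys
*** ERROR: Module load completed but symbols could not be loaded for mfehidk.sys
0xffff8c001ea8f058 : 0xfffff8032aafdc5a : nt!ExpReleaseResourceForThreadLite+0x13a
0xffff8c001ea8fa18 : 0xfffff8032aefb5db : nt!NtClose+0xcb
"""
```

Running third_party_modules(triage_dpx(SAMPLE_DPX)) returns ["mfehidk"], with its entry showing the driver path and that no symbols were available, which is the same clue the answer spotted by eye.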