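[Help] Debugging Windows XP blue screen 0x0000008E
Hello everyone,
I'm a newcomer just starting to learn WinDbg. I ran into a blue screen and got nowhere tracing it, so I'm asking the experts here for help.
[Symptoms]
1. About 15 seconds after Windows XP starts, it blue-screens. Bugcheck code: BugCheck 8E, {c0000005, 8057d60c, f798b9cc, 0}
2. In Safe Mode it boots and works normally, with no blue screen.
3. The attachment is the DUMP information from the kernel dump. Please give me some pointers; if you could also tell me the analysis method, I would be very grateful.
4. The DUMP file is in post #2.
[DUMP file contents]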
Kernel Summary Dump File: Only kernel address space is available
Symbol search path is: SRV*D:\Program Files (x86)\Debugging Tools for Windows (x86)\Symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows XP Kernel Version 2600 (Service Pack 3) MP (2 procs) Free x86 compatible
Product: WinNt, suite: TerminalServer EmbeddedNT SingleUserTS
Built by: 2600.xpsp_sp3_qfe.090206-1316
Machine Name:
Kernel base = 0x804dd000 PsLoadedModuleList = 0x805694c0
Debug session time: Sat Dec 31 15:38:51.750 2011 (GMT+8)
System Uptime: 0 days 0:00:48.437
Loading Kernel Symbols
...............................................................
.........................................................
Loading User Symbols
PEB is paged out (Peb.Ldr = 7ffd700c). Type ".hh dbgerr001" for details
Loading unloaded module list
..........
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck 8E, {c0000005, 8057d60c, f798b9cc, 0}
Page bfea not present in the dump file. Type ".hh dbgerr004" for details
PEB is paged out (Peb.Ldr = 7ffd700c). Type ".hh dbgerr001" for details
PEB is paged out (Peb.Ldr = 7ffd700c). Type ".hh dbgerr001" for details
Probably caused by : ntkrnlmp.exe ( nt!HvpGetCellMapped+5f )
Followup: MachineOwner
---------
0: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
KERNEL_MODE_EXCEPTION_NOT_HANDLED (8e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Some common problems are exception code 0x80000003. This means a hard
coded breakpoint or assertion was hit, but this system was booted
/NODEBUG. This is not supposed to happen as developers should never have
hardcoded breakpoints in retail code, but ...
If this happens, make sure a debugger gets connected, and the
system is booted /DEBUG. This will let us see why this breakpoint is
happening.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: 8057d60c, The address that the exception occurred at
Arg3: f798b9cc, Trap Frame
Arg4: 00000000
Debugging Details:
------------------
Page bfea not present in the dump file. Type ".hh dbgerr004" for details
PEB is paged out (Peb.Ldr = 7ffd700c). Type ".hh dbgerr001" for details
PEB is paged out (Peb.Ldr = 7ffd700c). Type ".hh dbgerr001" for details
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - 0x%08lx
FAULTING_IP:
nt!HvpGetCellMapped+5f
8057d60c 8b4304 mov eax,dword ptr [ebx+4]
TRAP_FRAME: f798b9cc -- (.trap 0xfffffffff798b9cc)
ErrCode = 00000000
eax=00000be0 ebx=00000be0 ecx=86fab3d8 edx=0000000e esi=e1037008 edi=00000db8
eip=8057d60c esp=f798ba40 ebp=f798ba88 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010246
nt!HvpGetCellMapped+0x5f:
8057d60c 8b4304 mov eax,dword ptr [ebx+4] ds:0023:00000be4=????????
Resetting default scope
DEFAULT_BUCKET_ID: DRIVER_FAULT
BUGCHECK_STR: 0x8E
PROCESS_NAME: services.exe
LAST_CONTROL_TRANSFER: from 805281f9 to 8053d67a
STACK_TEXT:
f798b594 805281f9 0000008e c0000005 8057d60c nt!KeBugCheckEx+0x1b
f798b95c 804e4403 f798b978 00000000 f798b9cc nt!KiDispatchException+0x3b1
f798b9c4 804e43b4 f798ba88 8057d60c badb0d00 nt!CommonDispatchException+0x4d
f798b9cc 8057d60c badb0d00 0000000e ffffffff nt!KiExceptionExit+0x18a
f798ba88 805da5fc e1037008 01cbedb8 e1037008 nt!HvpGetCellMapped+0x5f
f798baa4 8061f56b e1037008 01cbedb8 e1037008 nt!CmpCopyCell+0x12
f798baec 805db235 e1037008 00672f00 006855d0 nt!CmpCopyKeyPartial+0x89
f798bb2c 805dad1d e2150000 00000400 00000004 nt!CmpCopySyncTree2+0x25a
f798bb5c 805daf22 e1037008 00000178 e1037008 nt!CmpCopySyncTree+0x4f
f798bccc 805afd12 00010002 f798bd64 f798bce8 nt!CmpSaveBootControlSet+0x2b0
f798bcdc 804e399f 00000004 f798bd64 804e99c3 nt!NtInitializeRegistry+0x5e
f798bcdc 804e99c3 00000004 f798bd64 804e99c3 nt!KiFastCallEntry+0xfc
f798bd58 804e399f 00000004 0007fe8c 7c90e514 nt!ZwInitializeRegistry+0x11
f798bd58 7c90e514 00000004 0007fe8c 7c90e514 nt!KiFastCallEntry+0xfc
WARNING: Frame IP not in any known module. Following frames may be wrong.
0007fe8c 00000000 00000000 00000000 00000000 0x7c90e514
STACK_COMMAND: kb
FOLLOWUP_IP:
nt!HvpGetCellMapped+5f
8057d60c 8b4304 mov eax,dword ptr [ebx+4]
SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: nt!HvpGetCellMapped+5f
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: nt
IMAGE_NAME: ntkrnlmp.exe
DEBUG_FLR_IMAGE_TIMESTAMP: 498c1908
FAILURE_BUCKET_ID: 0x8E_nt!HvpGetCellMapped+5f
BUCKET_ID: 0x8E_nt!HvpGetCellMapped+5f
Followup: MachineOwner
---------