-
-
[旧帖] 求助!XP电脑开机进桌面前8E蓝屏,有WINDBG DUMP文件 0.00雪花
-
发表于: 2014-9-29 17:03
-
电脑本来是能用的,被我很平常,日常的优化下,重启后就突然出现8E蓝屏了,是开机后,进度条走完了,出现‘欢迎使用’,鼠标光标都出来了,下一步就该出现桌面了,可是还没出现桌面就蓝屏了代码0000008E,上网搜索了下好像这个8E很难搞!我就搜索了很多东西,什么WINDBG分析DUMP的,于是我就用WINDBG分析DUMP了,看到一个Probably caused by : ntoskrnl.exe ( nt!PiProcessQueryRemoveAndEject+d01 ).ntoskrnl.exe它也不是一个驱动啊,不是说删了就行的,真是把我难住了,以我的水平只能知道是services.exe引起ntoskrnl.exe蓝屏!
求大神看看是怎么回事,
services.exe ntoskrnl.exe这些文件可以修复么?
MINI DUMP文件下载 见底下附件
WINDBG分析:
--------------------------------------------------------------------------------------------------------
Microsoft (R) Windows Debugger Version 6.8.0004.0 X86
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [M:\Minidump\Mini092914-02.dmp]
Mini Kernel Dump File: Only registers and stack trace are available
Symbol search path is: C:\Windows\Symbols
Executable search path is:
Unable to load image ntoskrnl.exe, Win32 error 0n2
*** WARNING: Unable to verify timestamp for ntoskrnl.exe
Windows XP Kernel Version 2600 (Service Pack 3) MP (4 procs) Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Kernel base = 0x804d8000 PsLoadedModuleList = 0x8055e720
Debug session time: Mon Sep 29 12:42:29.640 2014 (GMT+8)
System Uptime: 0 days 0:00:45.281
Unable to load image ntoskrnl.exe, Win32 error 0n2
*** WARNING: Unable to verify timestamp for ntoskrnl.exe
Loading Kernel Symbols
...............................................................................................................................
Loading User Symbols
Loading unloaded module list
........
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck 1000008E, {c0000005, 806390c7, b4ffe99c, 0}
Probably caused by : ntoskrnl.exe ( nt!PiProcessQueryRemoveAndEject+d01 )
Followup: MachineOwner
---------
2: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
KERNEL_MODE_EXCEPTION_NOT_HANDLED_M (1000008e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Some common problems are exception code 0x80000003. This means a hard
coded breakpoint or assertion was hit, but this system was booted
/NODEBUG. This is not supposed to happen as developers should never have
hardcoded breakpoints in retail code, but ...
If this happens, make sure a debugger gets connected, and the
system is booted /DEBUG. This will let us see why this breakpoint is
happening.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: 806390c7, The address that the exception occurred at
Arg3: b4ffe99c, Trap Frame
Arg4: 00000000
Debugging Details:
------------------
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - 0x%08lx
FAULTING_IP:
nt!PiProcessQueryRemoveAndEject+d01
806390c7 8b4304 mov eax,dword ptr [ebx+4]
TRAP_FRAME: b4ffe99c -- (.trap 0xffffffffb4ffe99c)
ErrCode = 00000000
eax=00000600 ebx=00000600 ecx=8ad3a920 edx=00000003 esi=e1036758 edi=00000035
eip=806390c7 esp=b4ffea10 ebp=b4ffea58 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010246
nt!PiProcessQueryRemoveAndEject+0xd01:
806390c7 8b4304 mov eax,dword ptr [ebx+4] ds:0023:00000604=????????
Resetting default scope
CUSTOMER_CRASH_COUNT: 2
DEFAULT_BUCKET_ID: DRIVER_FAULT
BUGCHECK_STR: 0x8E
PROCESS_NAME: services.exe
LOCK_ADDRESS: 805c75c0 -- (!locks 805c75c0)
Resource @ nt!PiEngineLock (0x805c75c0) Available
WARNING: SystemResourcesList->Flink chain invalid. Resource may be corrupted, or already deleted.
WARNING: SystemResourcesList->Blink chain invalid. Resource may be corrupted, or already deleted.
1 total locks
PNP_TRIAGE:
Lock address : 0x805c75c0
Thread Count : 0
Thread address: 0x00000000
Thread wait : 0x0
LAST_CONTROL_TRANSFER: from 8063176c to 806390c7
STACK_TEXT:
b4ffea58 8063176c e1036758 00660035 e1036758 nt!PiProcessQueryRemoveAndEject+0xd01
b4ffea74 8063a92a e1036758 e11f586c e1036758 nt!IopDumpCmResourceList+0x6da
b4ffea90 8063abcf e1036758 001d2a30 e14333ec nt!PpSetBlockedDriverEvent+0x108
b4ffeaac 8063ac6b e1036758 001d2a30 e1213a34 nt!PpSetPowerVetoEvent+0x1c9
b4ffeae8 8063b4aa e1036758 000c9738 e110a73c nt!PpSetPowerVetoEvent+0x265
b4ffeb2c 8063b61d e285a000 00000400 00000001 nt!IopProcessAssignResources+0x1e2
b4ffeb5c 80627b4e e1036758 000001b8 e1036758 nt!IopWriteAllocatedResourcesToRegistry+0x13f
b4ffeccc 8062340a 00010002 b4ffed64 b4ffece8 nt!IopSurpriseRemoveLockedDeviceNode+0x204
b4ffecdc 805427e8 00000004 b4ffed64 805014c9 nt!PipProcessNewDeviceNode+0x514
b4ffece8 805014c9 badb0d00 b4ffed60 000a001f nt!MiMakeOutswappedPageResident+0x2a4
b4ffed64 7c92e514 badb0d00 0007fe50 00000000 nt!IoReleaseRemoveLockEx+0xa3
WARNING: Frame IP not in any known module. Following frames may be wrong.
b4ffed74 00000000 00000000 00000000 00000000 0x7c92e514
STACK_COMMAND: kb
FOLLOWUP_IP:
nt!PiProcessQueryRemoveAndEject+d01
806390c7 8b4304 mov eax,dword ptr [ebx+4]
SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: nt!PiProcessQueryRemoveAndEject+d01
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: nt
IMAGE_NAME: ntoskrnl.exe
DEBUG_FLR_IMAGE_TIMESTAMP: 51d4d90f
FAILURE_BUCKET_ID: 0x8E_nt!PiProcessQueryRemoveAndEject+d01
BUCKET_ID: 0x8E_nt!PiProcessQueryRemoveAndEject+d01
Followup: MachineOwner
---------
2: kd> process
^ No runnable debuggees error in 'process'
2: kd> !process
GetPointerFromAddress: unable to read from 80563134
PROCESS 88bbed78 SessionId: none Cid: 0370 Peb: 7ffdc000 ParentCid: 0344
DirBase: de8800a0 ObjectTable: e1ef5ae8 HandleCount: <Data Not Accessible>
Image: services.exe
VadRoot 88bce518 Vads 101 Clone 0 Private 320. Modified 24. Locked 0.
DeviceMap e1003118
Token e1667d70
ReadMemory error: Cannot get nt!KeMaximumIncrement value.
ffdf0000: Unable to get shared data
ElapsedTime 00:00:00.000
UserTime 00:00:00.000
KernelTime 00:00:00.000
QuotaPoolUsage[PagedPool] 35964
QuotaPoolUsage[NonPagedPool] 6064
Working Set Sizes (now,min,max) (887, 50, 345) (3548KB, 200KB, 1380KB)
PeakWorkingSetSize 887
VirtualSize 20 Mb
PeakVirtualSize 20 Mb
PageFaultCount 1158
MemoryPriority BACKGROUND
BasePriority 9
CommitCharge 470
THREAD 88b9f438 Cid 0370.0374 Teb: 7ffdf000 Win32Thread: e1fd4d38 RUNNING on processor 2
*** Error in reading nt!_ETHREAD @ 88b9e5d0
求大神看看是怎么回事,
services.exe ntoskrnl.exe这些文件可以修复么?
MINI DUMP文件下载 见底下附件
WINDBG分析:
--------------------------------------------------------------------------------------------------------
Microsoft (R) Windows Debugger Version 6.8.0004.0 X86
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [M:\Minidump\Mini092914-02.dmp]
Mini Kernel Dump File: Only registers and stack trace are available
Symbol search path is: C:\Windows\Symbols
Executable search path is:
Unable to load image ntoskrnl.exe, Win32 error 0n2
*** WARNING: Unable to verify timestamp for ntoskrnl.exe
Windows XP Kernel Version 2600 (Service Pack 3) MP (4 procs) Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Kernel base = 0x804d8000 PsLoadedModuleList = 0x8055e720
Debug session time: Mon Sep 29 12:42:29.640 2014 (GMT+8)
System Uptime: 0 days 0:00:45.281
Unable to load image ntoskrnl.exe, Win32 error 0n2
*** WARNING: Unable to verify timestamp for ntoskrnl.exe
Loading Kernel Symbols
...............................................................................................................................
Loading User Symbols
Loading unloaded module list
........
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck 1000008E, {c0000005, 806390c7, b4ffe99c, 0}
Probably caused by : ntoskrnl.exe ( nt!PiProcessQueryRemoveAndEject+d01 )
Followup: MachineOwner
---------
2: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
KERNEL_MODE_EXCEPTION_NOT_HANDLED_M (1000008e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Some common problems are exception code 0x80000003. This means a hard
coded breakpoint or assertion was hit, but this system was booted
/NODEBUG. This is not supposed to happen as developers should never have
hardcoded breakpoints in retail code, but ...
If this happens, make sure a debugger gets connected, and the
system is booted /DEBUG. This will let us see why this breakpoint is
happening.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: 806390c7, The address that the exception occurred at
Arg3: b4ffe99c, Trap Frame
Arg4: 00000000
Debugging Details:
------------------
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - 0x%08lx
FAULTING_IP:
nt!PiProcessQueryRemoveAndEject+d01
806390c7 8b4304 mov eax,dword ptr [ebx+4]
TRAP_FRAME: b4ffe99c -- (.trap 0xffffffffb4ffe99c)
ErrCode = 00000000
eax=00000600 ebx=00000600 ecx=8ad3a920 edx=00000003 esi=e1036758 edi=00000035
eip=806390c7 esp=b4ffea10 ebp=b4ffea58 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010246
nt!PiProcessQueryRemoveAndEject+0xd01:
806390c7 8b4304 mov eax,dword ptr [ebx+4] ds:0023:00000604=????????
Resetting default scope
CUSTOMER_CRASH_COUNT: 2
DEFAULT_BUCKET_ID: DRIVER_FAULT
BUGCHECK_STR: 0x8E
PROCESS_NAME: services.exe
LOCK_ADDRESS: 805c75c0 -- (!locks 805c75c0)
Resource @ nt!PiEngineLock (0x805c75c0) Available
WARNING: SystemResourcesList->Flink chain invalid. Resource may be corrupted, or already deleted.
WARNING: SystemResourcesList->Blink chain invalid. Resource may be corrupted, or already deleted.
1 total locks
PNP_TRIAGE:
Lock address : 0x805c75c0
Thread Count : 0
Thread address: 0x00000000
Thread wait : 0x0
LAST_CONTROL_TRANSFER: from 8063176c to 806390c7
STACK_TEXT:
b4ffea58 8063176c e1036758 00660035 e1036758 nt!PiProcessQueryRemoveAndEject+0xd01
b4ffea74 8063a92a e1036758 e11f586c e1036758 nt!IopDumpCmResourceList+0x6da
b4ffea90 8063abcf e1036758 001d2a30 e14333ec nt!PpSetBlockedDriverEvent+0x108
b4ffeaac 8063ac6b e1036758 001d2a30 e1213a34 nt!PpSetPowerVetoEvent+0x1c9
b4ffeae8 8063b4aa e1036758 000c9738 e110a73c nt!PpSetPowerVetoEvent+0x265
b4ffeb2c 8063b61d e285a000 00000400 00000001 nt!IopProcessAssignResources+0x1e2
b4ffeb5c 80627b4e e1036758 000001b8 e1036758 nt!IopWriteAllocatedResourcesToRegistry+0x13f
b4ffeccc 8062340a 00010002 b4ffed64 b4ffece8 nt!IopSurpriseRemoveLockedDeviceNode+0x204
b4ffecdc 805427e8 00000004 b4ffed64 805014c9 nt!PipProcessNewDeviceNode+0x514
b4ffece8 805014c9 badb0d00 b4ffed60 000a001f nt!MiMakeOutswappedPageResident+0x2a4
b4ffed64 7c92e514 badb0d00 0007fe50 00000000 nt!IoReleaseRemoveLockEx+0xa3
WARNING: Frame IP not in any known module. Following frames may be wrong.
b4ffed74 00000000 00000000 00000000 00000000 0x7c92e514
STACK_COMMAND: kb
FOLLOWUP_IP:
nt!PiProcessQueryRemoveAndEject+d01
806390c7 8b4304 mov eax,dword ptr [ebx+4]
SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: nt!PiProcessQueryRemoveAndEject+d01
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: nt
IMAGE_NAME: ntoskrnl.exe
DEBUG_FLR_IMAGE_TIMESTAMP: 51d4d90f
FAILURE_BUCKET_ID: 0x8E_nt!PiProcessQueryRemoveAndEject+d01
BUCKET_ID: 0x8E_nt!PiProcessQueryRemoveAndEject+d01
Followup: MachineOwner
---------
2: kd> process
^ No runnable debuggees error in 'process'
2: kd> !process
GetPointerFromAddress: unable to read from 80563134
PROCESS 88bbed78 SessionId: none Cid: 0370 Peb: 7ffdc000 ParentCid: 0344
DirBase: de8800a0 ObjectTable: e1ef5ae8 HandleCount: <Data Not Accessible>
Image: services.exe
VadRoot 88bce518 Vads 101 Clone 0 Private 320. Modified 24. Locked 0.
DeviceMap e1003118
Token e1667d70
ReadMemory error: Cannot get nt!KeMaximumIncrement value.
ffdf0000: Unable to get shared data
ElapsedTime 00:00:00.000
UserTime 00:00:00.000
KernelTime 00:00:00.000
QuotaPoolUsage[PagedPool] 35964
QuotaPoolUsage[NonPagedPool] 6064
Working Set Sizes (now,min,max) (887, 50, 345) (3548KB, 200KB, 1380KB)
PeakWorkingSetSize 887
VirtualSize 20 Mb
PeakVirtualSize 20 Mb
PageFaultCount 1158
MemoryPriority BACKGROUND
BasePriority 9
CommitCharge 470
THREAD 88b9f438 Cid 0370.0374 Teb: 7ffdf000 Win32Thread: e1fd4d38 RUNNING on processor 2
*** Error in reading nt!_ETHREAD @ 88b9e5d0
[培训]《安卓高级研修班(网课)》月薪三万计划,掌握调试、分析还原ollvm、vmp的方法,定制art虚拟机自动化脱壳的方法
|
|
|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
