When I got home tonight I had just powered on the PC and it had reached the user-selection screen; before I had even typed my password it blue-screened for no obvious reason and rebooted. Luckily I had configured kernel crash dumps, so the machine saved the DUMP without trouble. After the next reboot I opened WinDbg to find out what had actually caused the blue screen.
When you open a kernel DUMP, WinDbg normally suggests running !analyze -v to get the dump's details. After running that command we get the following:
1: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except,
it must be protected by a Probe. Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: fffff8a002408000, memory referenced.
Arg2: 0000000000000000, value 0 = read operation, 1 = write operation.
Arg3: fffff88001aed3f0, If non-zero, the instruction address which referenced the bad memory
address.
Arg4: 0000000000000000, (reserved)
Debugging Details:
------------------
READ_ADDRESS: fffff8a002408000 Paged pool
FAULTING_IP:
nvpciflt+13f0
fffff880`01aed3f0 6642391c49 cmp word ptr [rcx+r9*2],bx
MM_INTERNAL_CODE: 0
IMAGE_NAME: nvpciflt.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 52314e29
MODULE_NAME: nvpciflt
FAULTING_MODULE: fffff88001aec000 nvpciflt
DEFAULT_BUCKET_ID: WIN7_DRIVER_FAULT
BUGCHECK_STR: 0x50
PROCESS_NAME: svchost.exe
CURRENT_IRQL: 0
TRAP_FRAME: fffff880043bd720 -- (.trap 0xfffff880043bd720)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=fffff8a002407f70 rbx=0000000000000000 rcx=fffff8a002407f80
rdx=fffffa800ab04b50 rsi=0000000000000000 rdi=0000000000000000
rip=fffff88001aed3f0 rsp=fffff880043bd8b0 rbp=fffff880043bdb60
r8=0000000000000000 r9=0000000000000040 r10=fffffa8003f0f148
r11=fffffa800ab04b50 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei pl nz ac pe nc
nvpciflt+0x13f0:
fffff880`01aed3f0 6642391c49 cmp word ptr [rcx+r9*2],bx ds:fffff8a0`02408000=????
Resetting default scope
LAST_CONTROL_TRANSFER: from fffff80004301be0 to fffff80004283b80
STACK_TEXT:
fffff880`043bd5b8 fffff800`04301be0 : 00000000`00000050 fffff8a0`02408000 00000000`00000000 fffff880`043bd720 : nt!KeBugCheckEx
fffff880`043bd5c0 fffff800`04281cae : 00000000`00000000 fffff8a0`02408000 00000000`00000000 00000000`00000000 : nt! ?? ::FNODOBFM::`string'+0x4518f
fffff880`043bd720 fffff880`01aed3f0 : 00000000`00000000 fffff880`043bdb60 fffff880`043bda60 fffff880`043bd8f8 : nt!KiPageFault+0x16e
fffff880`043bd8b0 fffff800`0462f460 : 00000000`00000000 00000000`00000000 00000000`00000000 fffff8a0`02407f70 : nvpciflt+0x13f0
fffff880`043bd910 fffff800`04504b34 : 00000000`00000002 fffff880`043bda60 00000000`00000001 00000000`00000011 : nt!CmpCallCallBacks+0x1c0
fffff880`043bd9e0 fffff800`04282e13 : 00000000`00000624 fffffa80`0ab04b50 00000000`00000000 00000000`00000000 : nt!NtDeleteValueKey+0x2b3
fffff880`043bdae0 00000000`77c91e4a : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13
00000000`01d3e538 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x77c91e4a
STACK_COMMAND: kb
FOLLOWUP_IP:
nvpciflt+13f0
fffff880`01aed3f0 6642391c49 cmp word ptr [rcx+r9*2],bx
SYMBOL_STACK_INDEX: 3
SYMBOL_NAME: nvpciflt+13f0
FOLLOWUP_NAME: MachineOwner
FAILURE_BUCKET_ID: X64_0x50_nvpciflt+13f0
BUCKET_ID: X64_0x50_nvpciflt+13f0
Followup: MachineOwner
---------
1: kd> !pcr 1
KPCR for Processor 1 at fffff88004900000:
Major 1 Minor 1
NtTib.ExceptionList: fffff8800490b540
NtTib.StackBase: fffff88004904f40
NtTib.StackLimit: 0000000001d3e538
NtTib.SubSystemTib: fffff88004900000
NtTib.Version: 0000000004900180
NtTib.UserPointer: fffff880049007f0
NtTib.SelfTib: 000007fffff86000
SelfPcr: 0000000000000000
Prcb: fffff88004900180
Irql: 0000000000000000
IRR: 0000000000000000
IDR: 0000000000000000
InterruptMode: 0000000000000000
IDT: 0000000000000000
GDT: 0000000000000000
TSS: 0000000000000000
CurrentThread: fffffa800ab04b50
NextThread: 0000000000000000
IdleThread: fffff8800490afc0
DpcQueue:
THREAD fffffa800ab04b50 Cid 0364.050c Teb: 000007fffff86000 Win32Thread: 0000000000000000 RUNNING on processor 1
Not impersonating
DeviceMap fffff8a000008aa0
Owning Process fffffa80078b4b30 Image: svchost.exe
Attached Process N/A Image: N/A
Wait Start TickCount 4313 Ticks: 0
Context Switch Count 3239 IdealProcessor: 2
UserTime 00:00:00.046
KernelTime 00:00:00.109
Win32 Start Address 0x0000000077c5fbf0
Stack Init fffff880043bdc70 Current fffff880043bd680
Base fffff880043be000 Limit fffff880043b8000 Call 0
Priority 8 BasePriority 8 UnusualBoost 0 ForegroundBoost 0 IoPriority 2 PagePriority 5
Child-SP RetAddr : Args to Child : Call Site
fffff880`043bd5b8 fffff800`04301be0 : 00000000`00000050 fffff8a0`02408000 00000000`00000000 fffff880`043bd720 : nt!KeBugCheckEx
fffff880`043bd5c0 fffff800`04281cae : 00000000`00000000 fffff8a0`02408000 00000000`00000000 00000000`00000000 : nt! ?? ::FNODOBFM::`string'+0x4518f
fffff880`043bd720 fffff880`01aed3f0 : 00000000`00000000 fffff880`043bdb60 fffff880`043bda60 fffff880`043bd8f8 : nt!KiPageFault+0x16e (TrapFrame @ fffff880`043bd720)
fffff880`043bd8b0 fffff800`0462f460 : 00000000`00000000 00000000`00000000 00000000`00000000 fffff8a0`02407f70 : nvpciflt+0x13f0
fffff880`043bd910 fffff800`04504b34 : 00000000`00000002 fffff880`043bda60 00000000`00000001 00000000`00000011 : nt!CmpCallCallBacks+0x1c0
fffff880`043bd9e0 fffff800`04282e13 : 00000000`00000624 fffffa80`0ab04b50 00000000`00000000 00000000`00000000 : nt!NtDeleteValueKey+0x2b3
fffff880`043bdae0 00000000`77c91e4a : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`043bdae0)
00000000`01d3e538 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x77c91e4a
This call sequence indeed matches the stack that !analyze -v reported. If we still have doubts, we can read the current CPU's CR3 register and check whether the value in CR3 matches this process.
1: kd> r cr3
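To mechanize the checks made by hand above (an added example, not code from the post), the following Python parses the key fields of the !analyze -v output quoted earlier, recomputes the nvpciflt+13f0 offset from Arg3 and FAULTING_MODULE, and picks out the first stack frame outside nt!; the sample text is a constructed trim of that output and the function names are my own.

```python
import re
# Constructed sample: the lines of the "!analyze -v" output above that the
# parser reads (bugcheck line, Arg lines, FAULTING_MODULE, SYMBOL_NAME, stack).
ANALYZE_OUTPUT = """\
PAGE_FAULT_IN_NONPAGED_AREA (50)
Arg1: fffff8a002408000, memory referenced.
Arg2: 0000000000000000, value 0 = read operation, 1 = write operation.
Arg3: fffff88001aed3f0, If non-zero, the instruction address which referenced the bad memory
FAULTING_MODULE: fffff88001aec000 nvpciflt
SYMBOL_NAME: nvpciflt+13f0
STACK_TEXT:
fffff880`043bd5b8 fffff800`04301be0 : 00000000`00000050 fffff8a0`02408000 00000000`00000000 fffff880`043bd720 : nt!KeBugCheckEx
fffff880`043bd720 fffff880`01aed3f0 : 00000000`00000000 fffff880`043bdb60 fffff880`043bda60 fffff880`043bd8f8 : nt!KiPageFault+0x16e
fffff880`043bd8b0 fffff800`0462f460 : 00000000`00000000 00000000`00000000 00000000`00000000 fffff8a0`02407f70 : nvpciflt+0x13f0
STACK_COMMAND: kb
"""

def parse_analyze(text):
    """Extract bugcheck code, Arg values, module base/name, SYMBOL_NAME and stack call sites."""
    info = {"args": {}, "frames": []}
    m = re.search(r"^(\w+) \(([0-9a-fA-F]+)\)$", text, re.M)
    info["bugcheck"], info["code"] = m.group(1), int(m.group(2), 16)
    for n, val in re.findall(r"^Arg(\d): ([0-9a-fA-F]+)", text, re.M):
        info["args"][int(n)] = int(val, 16)
    m = re.search(r"^FAULTING_MODULE: ([0-9a-fA-F]+) (\S+)", text, re.M)
    info["module_base"], info["module"] = int(m.group(1), 16), m.group(2)
    info["symbol"] = re.search(r"^SYMBOL_NAME: (\S+)", text, re.M).group(1)
    in_stack = False
    for line in text.splitlines():
        if line.startswith("STACK_TEXT:"):
            in_stack = True
        elif in_stack and " : " in line:
            info["frames"].append(line.rsplit(" : ", 1)[1].strip())  # Call Site column
        elif in_stack:
            break  # first line that is not a frame ends the stack listing
    return info

def triage(info):
    """Redo the 0x50 checks: Arg2 read/write flag, Arg3 offset into the blamed module, first non-nt! frame."""
    args = info["args"]
    offset = args[3] - info["module_base"]          # for 0x50, Arg3 is the faulting IP
    symbol = f"{info['module']}+{offset:x}"           # should reproduce SYMBOL_NAME
    first_non_nt = next((f for f in info["frames"] if not f.startswith("nt!")), None)
    return {
        "access": "write" if args[2] == 1 else "read",
        "symbol": symbol,
        "symbol_matches": symbol == info["symbol"],
        "first_non_nt_frame": first_non_nt,
    }
```

The same two functions work on the full !analyze -v text pasted from WinDbg, since they only look for the labelled lines and the STACK_TEXT block.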