Fragensteller
BlueScreen bei Anwendung von Office
Frage
-
Guten Tag,
es treten sporadisch BlueScreens auf, wenn der User Word oder Excel aufmacht und was speichern bzw öffnen will. Anbei ein Ausschnitt aus der Dump File:
Microsoft (R) Windows Debugger Version 6.3.9600.16384 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [C:\Users\xxx\Documents\Neuer Ordner\021014-15990-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available
Symbol search path is: *** Invalid ***
****************************************************************************
* Symbol loading may be unreliable without a symbol search path. *
* Use .symfix to have the debugger choose a symbol path. *
* After setting your symbol path, use .reload to refresh symbol locations. *
****************************************************************************
Executable search path is:
*********************************************************************
* Symbols can not be loaded because symbol path is not initialized. *
* *
* The Symbol Path can be set by: *
* using the _NT_SYMBOL_PATH environment variable. *
* using the -y <symbol_path> argument when starting the debugger. *
* using .sympath and .sympath+ *
*********************************************************************
Unable to load image \SystemRoot\system32\ntkrnlpa.exe, Win32 error 0n2
*** WARNING: Unable to verify timestamp for ntkrnlpa.exe
*** ERROR: Module load completed but symbols could not be loaded for ntkrnlpa.exe
Windows 7 Kernel Version 7601 (Service Pack 1) MP (4 procs) Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 7601.22436.x86fre.win7sp1_ldr.130828-1532
Machine Name:
Kernel base = 0x82a14000 PsLoadedModuleList = 0x82b5e4d0
Debug session time: Mon Feb 10 11:28:57.209 2014 (UTC + 1:00)
System Uptime: 0 days 2:41:54.993
*********************************************************************
* Symbols can not be loaded because symbol path is not initialized. *
* *
* The Symbol Path can be set by: *
* using the _NT_SYMBOL_PATH environment variable. *
* using the -y <symbol_path> argument when starting the debugger. *
* using .sympath and .sympath+ *
*********************************************************************
Unable to load image \SystemRoot\system32\ntkrnlpa.exe, Win32 error 0n2
*** WARNING: Unable to verify timestamp for ntkrnlpa.exe
*** ERROR: Module load completed but symbols could not be loaded for ntkrnlpa.exe
Loading Kernel Symbols
...............................................................
................................................................
...............................................
Loading User Symbols
Loading unloaded module list
........
************* Symbol Loading Error Summary **************
Module name Error
ntkrnlpa The system cannot find the file specified
You can troubleshoot most symbol related issues by turning on symbol loading diagnostics (!sym noisy) and repeating the command that caused symbols to be loaded.
You should also verify that your symbol search path (.sympath) is correct.
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck 50, {d1862000, 0, 8ff1a519, 0}
*** WARNING: Unable to verify timestamp for mssmbios.sys
*** ERROR: Module load completed but symbols could not be loaded for mssmbios.sys
*** WARNING: Unable to verify timestamp for rdbss.sys
*** ERROR: Module load completed but symbols could not be loaded for rdbss.sys
*** WARNING: Unable to verify timestamp for mrxsmb.sys
*** ERROR: Module load completed but symbols could not be loaded for mrxsmb.sys
*** WARNING: Unable to verify timestamp for mup.sys
*** ERROR: Module load completed but symbols could not be loaded for mup.sys
*** WARNING: Unable to verify timestamp for fltmgr.sys
*** ERROR: Module load completed but symbols could not be loaded for fltmgr.sys
*** WARNING: Unable to verify timestamp for DLFldEnc.sys
*** ERROR: Module load completed but symbols could not be loaded for DLFldEnc.sys
***** Kernel symbols are WRONG. Please fix symbols to do analysis.
*************************************************************************
*** ***
*** ***
*** Either you specified an unqualified symbol, or your debugger ***
*** doesn't have full symbol information. Unqualified symbol ***
*** resolution is turned off by default. Please either specify a ***
*** fully qualified symbol module!symbolname, or enable resolution ***
*** of unqualified symbols by typing ".symopt- 100". Note that ***
*** enabling unqualified symbol resolution with network symbol ***
*** server shares in the symbol path may cause the debugger to ***
*** appear to hang for long periods of time when an incorrect ***
*** symbol name is typed or the network symbol server is down. ***
*** ***
*** For some commands to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: nt!_KPRCB ***
*** ***
*************************************************************************
*************************************************************************
*** ***
*** ***
*** Either you specified an unqualified symbol, or your debugger ***
*** doesn't have full symbol information. Unqualified symbol ***
*** resolution is turned off by default. Please either specify a ***
*** fully qualified symbol module!symbolname, or enable resolution ***
*** of unqualified symbols by typing ".symopt- 100". Note that ***
*** enabling unqualified symbol resolution with network symbol ***
*** server shares in the symbol path may cause the debugger to ***
*** appear to hang for long periods of time when an incorrect ***
*** symbol name is typed or the network symbol server is down. ***
*** ***
*** For some commands to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: nt!_KPRCB ***
*** ***
*************************************************************************
*************************************************************************
*** ***
*** ***
*** Either you specified an unqualified symbol, or your debugger ***
*** doesn't have full symbol information. Unqualified symbol ***
*** resolution is turned off by default. Please either specify a ***
*** fully qualified symbol module!symbolname, or enable resolution ***
*** of unqualified symbols by typing ".symopt- 100". Note that ***
*** enabling unqualified symbol resolution with network symbol ***
*** server shares in the symbol path may cause the debugger to ***
*** appear to hang for long periods of time when an incorrect ***
*** symbol name is typed or the network symbol server is down. ***
*** ***
*** For some commands to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: nt!_KPRCB ***
*** ***
*************************************************************************
Probably caused by : rdbss.sys ( rdbss+27519 )
Followup: MachineOwner
---------
2: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except,
it must be protected by a Probe. Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: d1862000, memory referenced.
Arg2: 00000000, value 0 = read operation, 1 = write operation.
Arg3: 8ff1a519, If non-zero, the instruction address which referenced the bad memory
address.
Arg4: 00000000, (reserved)
Debugging Details:
------------------
***** Kernel symbols are WRONG. Please fix symbols to do analysis.
*************************************************************************
*** ***
*** ***
*** Either you specified an unqualified symbol, or your debugger ***
*** doesn't have full symbol information. Unqualified symbol ***
*** resolution is turned off by default. Please either specify a ***
*** fully qualified symbol module!symbolname, or enable resolution ***
*** of unqualified symbols by typing ".symopt- 100". Note that ***
*** enabling unqualified symbol resolution with network symbol ***
*** server shares in the symbol path may cause the debugger to ***
*** appear to hang for long periods of time when an incorrect ***
*** symbol name is typed or the network symbol server is down. ***
*** ***
*** For some commands to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: nt!_KPRCB ***
*** ***
*************************************************************************
*************************************************************************
*** ***
*** ***
*** Either you specified an unqualified symbol, or your debugger ***
*** doesn't have full symbol information. Unqualified symbol ***
*** resolution is turned off by default. Please either specify a ***
*** fully qualified symbol module!symbolname, or enable resolution ***
*** of unqualified symbols by typing ".symopt- 100". Note that ***
*** enabling unqualified symbol resolution with network symbol ***
*** server shares in the symbol path may cause the debugger to ***
*** appear to hang for long periods of time when an incorrect ***
*** symbol name is typed or the network symbol server is down. ***
*** ***
*** For some commands to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: nt!_KPRCB ***
*** ***
*************************************************************************
*************************************************************************
*** ***
*** ***
*** Either you specified an unqualified symbol, or your debugger ***
*** doesn't have full symbol information. Unqualified symbol ***
*** resolution is turned off by default. Please either specify a ***
*** fully qualified symbol module!symbolname, or enable resolution ***
*** of unqualified symbols by typing ".symopt- 100". Note that ***
*** enabling unqualified symbol resolution with network symbol ***
*** server shares in the symbol path may cause the debugger to ***
*** appear to hang for long periods of time when an incorrect ***
*** symbol name is typed or the network symbol server is down. ***
*** ***
*** For some commands to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: nt!_KPRCB ***
*** ***
*************************************************************************
ADDITIONAL_DEBUG_TEXT:
You can run '.symfix; .reload' to try to fix the symbol path and load symbols.
MODULE_NAME: rdbss
FAULTING_MODULE: 82a14000 nt
DEBUG_FLR_IMAGE_TIMESTAMP: 51d636ae
READ_ADDRESS: GetPointerFromAddress: unable to read from 00000000
GetPointerFromAddress: unable to read from 00000000
unable to get nt!MmSpecialPoolStart
unable to get nt!MmSpecialPoolEnd
unable to get nt!MmPagedPoolEnd
unable to get nt!MmNonPagedPoolStart
unable to get nt!MmSizeOfNonPagedPoolInBytes
d1862000
FAULTING_IP:
rdbss+27519
8ff1a519 0fb709 movzx ecx,word ptr [ecx]
MM_INTERNAL_CODE: 0
CUSTOMER_CRASH_COUNT: 1
DEFAULT_BUCKET_ID: WIN7_DRIVER_FAULT
BUGCHECK_STR: 0x50
CURRENT_IRQL: 0
ANALYSIS_VERSION: 6.3.9600.16384 (debuggers(dbg).130821-1623) amd64fre
LAST_CONTROL_TRANSFER: from 82a54f28 to 82aa1877
STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
9ae710b0 82a54f28 00000000 d1862000 00000000 nt+0x8d877
9ae710c8 8ff1a519 badb0d00 0000fffe 8fef4700 nt+0x40f28
9ae71150 8ff0bc65 9ae711d0 00000001 00000000 rdbss+0x27519
9ae71210 8ff0ef00 855fb520 8748f008 9ae7123c rdbss+0x18c65
9ae71254 8ff12057 855fb520 8748f008 87435ca0 rdbss+0x1bf00
9ae71290 8fef5f02 855fb520 8748f008 15176507 rdbss+0x1f057
9ae71318 8ff0dd3c 8ff07240 8748f008 87435c70 rdbss+0x2f02
9ae71348 992fe6a2 87204a68 0048f008 8748f0c0 rdbss+0x1ad3c
9ae71364 82a4b09a 87204a68 0148f008 8748f0e4 mrxsmb+0x166a2
9ae7137c 8b1ecbb0 00000103 856bfee8 87435c70 nt+0x3709a
9ae71398 8b1ebb52 856bfee8 c0000016 8748f0c0 mup+0x6bb0
9ae713b0 8b1ebf5b 856bfee8 11f9b286 00000000 mup+0x5b52
9ae713fc 82a4b09a 84f5ca90 8748f008 8748f008 mup+0x5f5b
9ae71414 8ac2d20c 8748f008 00000000 8748f0e4 nt+0x3709a
9ae71438 8ac408c9 9ae71458 84f5c488 00000000 fltmgr+0x620c
9ae71484 82a4b09a 84f5c488 85dd4008 8748f008 fltmgr+0x198c9
9ae7149c 8ac2d20c 8748f008 00000000 8748f108 nt+0x3709a
9ae714c0 8ac408c9 9ae714e0 85f15470 00000000 fltmgr+0x620c
9ae7150c 82a4b09a 85f15470 85edf6a8 873395a0 fltmgr+0x198c9
9ae71524 8b223f56 872560d8 87435c70 87339458 nt+0x3709a
9ae71550 8b21c200 85f15470 87339458 87435c70 DLFldEnc+0xdf56
9ae715b0 82a4b09a 87256020 87339458 87435ccc DLFldEnc+0x6200
9ae715c8 82c5b87d b9e56e07 9ae71770 00000000 nt+0x3709a
9ae716a0 82c3af2e 84f5ca90 84f6d900 86f2e918 nt+0x24787d
9ae7171c 82c4b34c 00000000 9ae71770 00000040 nt+0x226f2e
9ae71778 82c41e35 9ae71924 84f6d900 ffffff00 nt+0x23734c
9ae717f4 82c65748 9ae71950 00100001 9ae71924 nt+0x22de35
9ae71840 82a51d46 9ae71950 00100001 9ae71924 nt+0x251748
9ae71874 82a4f7b9 badb0d00 9ae718ec 00000000 nt+0x3dd46
9ae71954 8b2223f0 85dfe000 85dfe000 00610048 nt+0x3b7b9
9ae71968 8b2224e4 85dfe000 0000000a 85dfe000 DLFldEnc+0xc3f0
9ae7197c 8b21ad68 85dfe000 0000002a 86da7c30 DLFldEnc+0xc4e4
9ae719dc 8b21b5cf 00000001 8b220d01 00000001 DLFldEnc+0x4d68
9ae71a18 8b21c006 87256020 9ae71a44 9ae71a57 DLFldEnc+0x55cf
9ae71a70 82a4b09a 87256020 86620200 86da7c8c DLFldEnc+0x6006
9ae71a88 82c5b87d b9e563c7 9ae71c30 00000000 nt+0x3709a
9ae71b60 82c3af2e 84f5ca90 85f6d900 87544a18 nt+0x24787d
9ae71bdc 82c4b34c 00000000 9ae71c30 00000040 nt+0x226f2e
9ae71c38 82c41e35 007af568 84f6d900 b688c001 nt+0x23734c
9ae71cb4 82c65748 007af634 00100000 007af568 nt+0x22de35
9ae71d00 82a51d46 007af634 00100000 007af568 nt+0x251748
9ae71d34 771d70d4 badb0d00 007af530 00000000 nt+0x3dd46
9ae71d38 badb0d00 007af530 00000000 00000000 0x771d70d4
9ae71d3c 007af530 00000000 00000000 00000000 0xbadb0d00
9ae71d40 00000000 00000000 00000000 00000000 0x7af530
STACK_COMMAND: kb
FOLLOWUP_IP:
rdbss+27519
8ff1a519 0fb709 movzx ecx,word ptr [ecx]
SYMBOL_STACK_INDEX: 2
SYMBOL_NAME: rdbss+27519
FOLLOWUP_NAME: MachineOwner
IMAGE_NAME: rdbss.sys
BUCKET_ID: WRONG_SYMBOLS
FAILURE_BUCKET_ID: WRONG_SYMBOLS
ANALYSIS_SOURCE: KM
FAILURE_ID_HASH_STRING: km:wrong_symbols
FAILURE_ID_HASH: {70b057e8-2462-896f-28e7-ac72d4d365f8}
Followup: MachineOwner
kann hier jemand helfen?
- Bearbeitet Gregor1981 Dienstag, 11. Februar 2014 11:39
Alle Antworten
-
Am 10.02.2014 schrieb Gregor1981:
es treten sporadisch BlueScreens auf, wenn der User Word oder Excel aufmacht und was speichern bzw öffnen will. Anbei ein Ausschnitt aus der Dump File:
Was genau steht auf dem Bluescreen? Wann genau tritt der Bluescreen
auf? Beim öffnen von Word/Excel oder beim Speichern von Dokumenten?
Welches Os hast Du im Einsatz? Welche Sicherheitssoftware ist
installiert?
Servus
Winfried
Gruppenrichtlinien
WSUS Package Publisher
HowTos zum WSUS Package Publisher
NNTP-Bridge für MS-Foren -
Hallo,
gerade eben hatten wir wieder ein BlueScreen, der User meinte das er in Excel gearbeitet hat, hat was gespeichert, konnte noch kurz Excel gehen und dann kam der BlueScreen.
OS haben wir Windows 7 32bit
Domäne: 2008R2
Sicherheitssoftware haben wir Sophos.
Anbei der Screenshot
http://www.directupload.net/file/d/3530/8jfjcwwp_jpg.htm
- Bearbeitet Gregor1981 Dienstag, 11. Februar 2014 14:39
-
Am 11.02.2014 schrieb Gregor1981:
gerade eben hatten wir wieder ein BlueScreen, der User meinte das er in Excel gearbeitet hat, hat was gespeichert, konnte noch kurz Excel gehen und dann kam der BlueScreen.
OS haben wir Windows 7 32bitAlle Treiber aktualisieren, NIC und Grafikkarte könnten schon helfen.
Alternativ mit einem passenden Programm über Nacht den RAM testen.
Servus
Winfried
Gruppenrichtlinien
WSUS Package Publisher
HowTos zum WSUS Package Publisher
NNTP-Bridge für MS-Foren
