Memory Dump Analysis

  • General discussion

  • Hello everyone,

    a Windows 7 PC crashes very frequently with a bluescreen (0xf7), often right after being switched on.

    I have now taken a look at the memory dump file, but I can't really make sense of it. Maybe you can help me:

    I have also made the dump file available here: https://www.dropbox.com/sh/a9qs59sjc7p6kdf/moj4Ix0iF0

    I have already checked the memory modules and the hard disk for errors with the UBCD.

    Thanks in advance for your tips and advice.

    Microsoft (R) Windows Debugger Version 6.3.9600.16384 AMD64
    Copyright (c) Microsoft Corporation. All rights reserved.
    
    
    Loading Dump File [E:\MEMORY.DMP]
    Kernel Summary Dump File: Only kernel address space is available
    
    
    ************* Symbol Path validation summary **************
    Response                         Time (ms)     Location
    OK                                             c:\windows\system32
    
    ************* Symbol Path validation summary **************
    Response                         Time (ms)     Location
    Deferred                                       SRV*c:\symbols*http://msdl.microsoft.com/download/symbols
    Symbol search path is: SRV*c:\symbols*http://msdl.microsoft.com/download/symbols
    Executable search path is: c:\windows\system32
    Windows 7 Kernel Version 7601 (Service Pack 1) MP (4 procs) Free x64
    Product: WinNt, suite: TerminalServer SingleUserTS Personal
    Built by: 7601.18247.amd64fre.win7sp1_gdr.130828-1532
    Machine Name:
    Kernel base = 0xfffff800`02c65000 PsLoadedModuleList = 0xfffff800`02ea86d0
    Debug session time: Sun Nov 17 14:57:19.948 2013 (UTC + 1:00)
    System Uptime: 0 days 0:04:28.509
    Loading Kernel Symbols
    ............................................Missing image name, possible paged-out or corrupt data.
    .*** WARNING: Unable to verify timestamp for Unknown_Module_00000000`00000000
    Unable to add module at 00000000`00000000
    Unable to read KLDR_DATA_TABLE_ENTRY at 00000000`00000000 - NTSTATUS 0xC0000147
    
    WARNING: .reload failed, module list may be incomplete
    *******************************************************************************
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    *******************************************************************************
    
    Use !analyze -v to get detailed debugging information.
    
    BugCheck F7, {fffff880095a5990, 1d3e48f1651b, ffffe2c1b70e9ae4, 0}
    
    Page 12b68c not present in the dump file. Type ".hh dbgerr004" for details
    Probably caused by : memory_corruption
    
    Followup: memory_corruption
    ---------
    
    3: kd> !analyze -v
    *******************************************************************************
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    *******************************************************************************
    
    DRIVER_OVERRAN_STACK_BUFFER (f7)
    A driver has overrun a stack-based buffer.  This overrun could potentially
    allow a malicious user to gain control of this machine.
    DESCRIPTION
    A driver overran a stack-based buffer (or local variable) in a way that would
    have overwritten the function's return address and jumped back to an arbitrary
    address when the function returned.  This is the classic "buffer overrun"
    hacking attack and the system has been brought down to prevent a malicious user
    from gaining complete control of it.
    Do a kb to get a stack backtrace -- the last routine on the stack before the
    buffer overrun handlers and bugcheck call is the one that overran its local
    variable(s).
    Arguments:
    Arg1: fffff880095a5990, Actual security check cookie from the stack
    Arg2: 00001d3e48f1651b, Expected security check cookie
    Arg3: ffffe2c1b70e9ae4, Complement of the expected security check cookie
    Arg4: 0000000000000000, zero
    
    Debugging Details:
    ------------------
    
    Page 12b68c not present in the dump file. Type ".hh dbgerr004" for details
    
    DEFAULT_BUCKET_ID:  CODE_CORRUPTION
    
    SECURITY_COOKIE:  Expected 00001d3e48f1651b found fffff880095a5990
    
    BUGCHECK_STR:  0xF7
    
    CURRENT_IRQL:  0
    
    ANALYSIS_VERSION: 6.3.9600.16384 (debuggers(dbg).130821-1623) amd64fre
    
    EXCEPTION_RECORD:  fffff880095a4ff8 -- (.exr 0xfffff880095a4ff8)
    ExceptionAddress: fffff80002ce6759 (nt!ExAcquireRundownProtectionCacheAwareEx+0x0000000000000009)
       ExceptionCode: c0000005 (Access violation)
      ExceptionFlags: 00000000
    NumberParameters: 2
       Parameter[0]: 0000000000000000
       Parameter[1]: 0000000000000017
    Attempt to read from address 0000000000000017
    
    TRAP_FRAME:  fffff880095a50a0 -- (.trap 0xfffff880095a50a0)
    NOTE: The trap frame does not contain all registers.
    Some register values may be zeroed or incorrect.
    rax=fffff88002fd3180 rbx=0000000000000000 rcx=0000000000000003
    rdx=0000000000000001 rsi=0000000000000000 rdi=0000000000000000
    rip=fffff80002ce6759 rsp=fffff880095a5238 rbp=fffffa8004d900a0
     r8=0000000000000000  r9=0000000000000000 r10=fffff88001055940
    r11=fffff880095a52a0 r12=0000000000000000 r13=0000000000000000
    r14=0000000000000000 r15=0000000000000000
    iopl=0         nv up ei ng nz na po nc
    nt!ExAcquireRundownProtectionCacheAwareEx+0x9:
    fffff800`02ce6759 83791404        cmp     dword ptr [rcx+14h],4 ds:00000000`00000017=????????
    Resetting default scope
    
    LAST_CONTROL_TRANSFER:  from fffff80002d6ead5 to fffff80002cdabc0
    
    STACK_TEXT:  
    fffff880`095a4098 fffff800`02d6ead5 : 00000000`000000f7 fffff880`095a5990 00001d3e`48f1651b ffffe2c1`b70e9ae4 : nt!KeBugCheckEx
    fffff880`095a40a0 fffff800`02cb1c2a : 00000000`00000000 fffff800`02d05c50 fffff800`02efd66c fffff800`02fda43c : nt!_report_gsfailure+0x25
    fffff880`095a40e0 fffff800`02d0575d : fffff800`02e365ac 00000000`00000000 fffff800`02c65000 00000000`00000000 : nt!_GSHandlerCheck_SEH+0x42
    fffff880`095a4110 fffff800`02d04535 : fffff800`02e365ac fffff880`095a4188 fffff880`095a4ff8 fffff800`02c65000 : nt!RtlpExecuteHandlerForException+0xd
    fffff880`095a4140 fffff800`02d154c1 : fffff880`095a4ff8 fffff880`095a4850 fffff880`00000000 fffffa80`03cbd160 : nt!RtlDispatchException+0x415
    fffff880`095a4820 fffff800`02cda242 : fffff880`095a4ff8 fffffa80`03a82180 fffff880`095a50a0 fffffa80`04d90108 : nt!KiDispatchException+0x135
    fffff880`095a4ec0 fffff800`02cd8dba : 00000000`00000000 00000000`00000017 00000000`00000000 fffffa80`03a82180 : nt!KiExceptionDispatch+0xc2
    fffff880`095a50a0 fffff800`02ce6759 : fffff880`01042ba9 00000000`00000000 fffffa80`049a9010 fffffa80`04d900a0 : nt!KiPageFault+0x23a
    fffff880`095a5238 fffff880`01042ba9 : 00000000`00000000 fffffa80`049a9010 fffffa80`04d900a0 fffffa80`03d95320 : nt!ExAcquireRundownProtectionCacheAwareEx+0x9
    fffff880`095a5240 fffff880`01049b44 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000401 : fltmgr! ?? ::FNODOBFM::`string'+0x30a2
    fffff880`095a52c0 fffff880`0108d36b : fffffa80`03cbd160 fffff8a0`07426070 00000000`00000001 fffff880`095a53f0 : fltmgr!FltGetFileNameInformation+0x184
    fffff880`095a5350 fffff880`0108bbdb : fffff140`0039e867 00000000`00000001 00000000`00000000 00000000`00002d39 : fileinfo!FIStreamGetInfo+0x11f
    fffff880`095a53d0 fffff880`0103c288 : 00000000`00000000 fffff8a0`07426070 fffffa80`03db2fb0 00000000`00000000 : fileinfo!FIPostCreateCallback+0x1c7
    fffff880`095a5460 fffff880`0103ad1b : fffffa80`04e2e030 fffffa80`03be4d80 fffffa80`049a9010 fffffa80`049a9230 : fltmgr!FltpPerformPostCallbacks+0x368
    fffff880`095a5530 fffff880`0105a2b9 : fffffa80`03db2c10 fffffa80`04d90010 fffffa80`03db2c00 fffffa80`049a9a30 : fltmgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x39b
    fffff880`095a55c0 fffff800`02fda43c : 00000000`00000045 fffffa80`03ef0cc8 fffffa80`03d95320 00000000`00000000 : fltmgr!FltpCreate+0x2a9
    fffff880`095a5670 fffff800`02fd5db8 : fffffa80`048edbd0 fffff800`00000000 fffffa80`03ef0b10 fffff8a0`00000001 : nt!IopParseDevice+0x14d3
    fffff880`095a57d0 fffff800`02fd6fd6 : 00000000`00000000 fffffa80`03ef0b10 fffff8a0`0749c9f0 fffffa80`03a50660 : nt!ObpLookupObjectName+0x588
    fffff880`095a58c0 fffff800`02fb5066 : 00000000`00000040 00000000`0053ee40 fffff680`00000101 fffff800`02cf74f3 : nt!ObOpenObjectByName+0x306
    fffff880`095a5990 fffff800`02cd9e53 : 00000000`00000001 00000000`00020000 fffffa80`03c47060 00000000`c0000034 : nt!NtQueryAttributesFile+0x145
    fffff880`095a5c20 00000000`76d8168a : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13
    00000000`0053ee08 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x76d8168a
    
    
    STACK_COMMAND:  kb
    
    CHKIMG_EXTENSION: !chkimg -lo 50 -d !nt
        fffff80002e365c0 - nt!_imp_NtOpenSymbolicLinkObject+15088
    	[ 61:41 ]
        fffff80002efd5d0 - nt!BBTBuffer <PERF> (nt+0x2985d0)
    	[ 3b:1b ]
    Page 12b68c not present in the dump file. Type ".hh dbgerr004" for details
        fffff8000324505f-fffff80003245060  2 bytes - nt!_NULL_IMPORT_DESCRIPTOR <PERF> (nt+0x5e005f)
    	[ 0d 0a:00 00 ]
        fffff800032466ab-fffff800032466ac  2 bytes - nt!_NULL_IMPORT_DESCRIPTOR <PERF> (nt+0x5e16ab) (+0x164c)
    	[ 0d 0a:00 00 ]
        fffff8000324677c-fffff8000324677f  4 bytes - nt!_NULL_IMPORT_DESCRIPTOR <PERF> (nt+0x5e177c) (+0xd1)
    	[ 0d 0a 0d 0a:00 00 00 00 ]
        fffff80003246972-fffff80003246973  2 bytes - nt!_NULL_IMPORT_DESCRIPTOR <PERF> (nt+0x5e1972) (+0x1f6)
    	[ 0d 0a:00 00 ]
        fffff80003246992-fffff80003246993  2 bytes - nt!_NULL_IMPORT_DESCRIPTOR <PERF> (nt+0x5e1992) (+0x20)
    	[ 0d 0a:00 00 ]
    14 errors : !nt (fffff80002e365c0-fffff80003246993)
    
    MODULE_NAME: memory_corruption
    
    IMAGE_NAME:  memory_corruption
    
    FOLLOWUP_NAME:  memory_corruption
    
    DEBUG_FLR_IMAGE_TIMESTAMP:  0
    
    MEMORY_CORRUPTOR:  LARGE
    
    FAILURE_BUCKET_ID:  X64_MEMORY_CORRUPTION_LARGE
    
    BUCKET_ID:  X64_MEMORY_CORRUPTION_LARGE
    
    ANALYSIS_SOURCE:  KM
    
    FAILURE_ID_HASH_STRING:  km:x64_memory_corruption_large
    
    FAILURE_ID_HASH:  {6332b0e4-cf0e-2392-6ba8-f96ca91b7f36}
    
    Followup: memory_corruption
    ---------
    
    

    • Type changed by Alex Pitulice, Friday, November 22, 2013 08:40: Waiting for feedback
    Tuesday, November 19, 2013 21:58
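
A triage sketch for the bugcheck output posted above, as an added example that is not part of the original thread: it checks that Arg3 really is the bitwise complement of Arg2 and counts how many bits differ in each `!chkimg` mismatch line. The function names and the kernel-pointer threshold are assumptions of this example; the sample lines are copied from the post with whitespace normalized.

```python
import re

MASK64 = (1 << 64) - 1

# Lines copied from the debugger output in the post above (selection only).
SAMPLE = """\
Arg1: fffff880095a5990, Actual security check cookie from the stack
Arg2: 00001d3e48f1651b, Expected security check cookie
Arg3: ffffe2c1b70e9ae4, Complement of the expected security check cookie
Arg4: 0000000000000000, zero
    [ 61:41 ]
    [ 3b:1b ]
    [ 0d 0a:00 00 ]
    [ 0d 0a 0d 0a:00 00 00 00 ]
"""

def parse_args(text):
    """Return {1: int, 2: int, ...} from the 'ArgN: <hex>,' lines."""
    pairs = re.findall(r"^\s*Arg(\d): ([0-9a-fA-F]{16}),", text, re.M)
    return {int(n): int(v, 16) for n, v in pairs}

def check_cookie(args):
    """Consistency checks on the bugcheck 0xF7 parameters."""
    actual, expected, complement = args[1], args[2], args[3]
    return {
        "complement_consistent": (~expected & MASK64) == complement,
        "cookie_matches": actual == expected,
        # Heuristic (assumption of this example): x64 kernel addresses
        # lie at or above 0xFFFF800000000000.
        "actual_looks_like_kernel_pointer": actual >= 0xFFFF800000000000,
    }

def chkimg_mismatches(text):
    """Return (left_bytes, right_bytes, differing_bits) per '[ aa:bb ]' line."""
    out = []
    for left, right in re.findall(r"\[\s*([0-9a-f ]+?):([0-9a-f ]+?)\s*\]", text):
        a, b = bytes.fromhex(left), bytes.fromhex(right)
        out.append((a, b, sum(bin(x ^ y).count("1") for x, y in zip(a, b))))
    return out

def summarize(text):
    """Combine the cookie checks with a bit-level count of image mismatches."""
    mism = chkimg_mismatches(text)
    return {**check_cookie(parse_args(text)),
            "single_bit_flips": sum(1 for _, _, bits in mism if bits == 1),
            "multi_bit_changes": sum(1 for _, _, bits in mism if bits > 1)}

if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(f"{key}: {value}")
```

Single-bit differences such as 61 versus 41 are commonly read as a hint towards faulty hardware, while longer runs point to something writing over the image; both are heuristics, not a verdict.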

All replies

  • > Unable to read KLDR_DATA_TABLE_ENTRY at 00000000`00000000 - NTSTATUS 0xC0000147
     
    Did you turn off the pagefile? And you won't get anywhere with a
    kernel dump - switch that to "Full Memory Dump".
     

    Martin

    NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
    And if IT bothers me - coke bottle design refreshment :))
    Wednesday, November 20, 2013 08:08
  • Hello Martin,

    Thanks for the hint. The pagefile should not be turned off. I'll try to change that setting in the next few days and will report back here after the next bluescreen.

    Thanks, Michael

    Wednesday, November 20, 2013 08:46
  • Hello everyone,

    it's me again, with the minidump.

    Since 17.11 the PC has continued to crash with a bluescreen.
    I have put 4 minidumps here:

    https://www.dropbox.com/sh/a9qs59sjc7p6kdf/moj4Ix0iF0

    Unfortunately I can't really make sense of them.
    The PC is an AMD system with 4 GB RAM, an AMD Phenom II X4 955 on an Asus M4A785TD-V evo mainboard.

    It would be really great if you could tell me what is rotten in this PC; no, it's not a bitten apple that will rot at some point anyway^^

    Many thanks

    Saturday, November 30, 2013 20:57