Memory dump file

  • Question

  • Good day.

    Yesterday a server running Windows Server 2012 R2 Foundation had an unexpected restart. When I checked the Event Viewer I found event ID 6008 and saw that it had generated a file about what happened, so I downloaded "Debugging Tools for Windows" and the symbol package, but I cannot open the file; it reports a problem with the symbols. I downloaded several symbol packages but none of them worked.

    I am attaching a link to the file the server created. Can you help me find out what it contains, or point me to a guide or something for opening the file on my server?

    https://onedrive.live.com/redir?resid=6B1F0222B1A6AD6E!3923&authkey=!ALNgIJa3LruqXv8&ithint=file%2crar

    Friday, March 13, 2015 23:36

Answers

  • 1: kd> !analyze -v
    *******************************************************************************
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    *******************************************************************************

    SYSTEM_SERVICE_EXCEPTION (3b)
    An exception happened while executing a system service routine.
    Arguments:
    Arg1: 00000000c0000005, Exception code that caused the bugcheck
    Arg2: fffff960001f8fa1, Address of the instruction which caused the bugcheck
    Arg3: ffffd00108654000, Address of the context record for the exception that caused the bugcheck
    Arg4: 0000000000000000, zero.

    Debugging Details:
    ------------------

    EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

    FAULTING_IP:
    win32k!zzzUpdateCursorImage+f1
    fffff960`001f8fa1 48630c81        movsxd  rcx,dword ptr [rcx+rax*4]

    CONTEXT:  ffffd00108654000 -- (.cxr 0xffffd00108654000;r)
    rax=0000000000000020 rbx=fffff9014010b2a0 rcx=000000005a0539d4
    rdx=fffff901449e1e70 rsi=0000000000000001 rdi=fffff9014425f010
    rip=fffff960001f8fa1 rsp=ffffd00108654a30 rbp=ffffd00108654b80
     r8=0000000000000001  r9=0000000000000000 r10=fffff8025900c000
    r11=ffffd001086549c0 r12=000000007e9ac000 r13=000000000025fdb0
    r14=0000000000000000 r15=0000000000000008
    iopl=0         nv up ei pl nz na po nc
    cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00010206
    win32k!zzzUpdateCursorImage+0xf1:
    fffff960`001f8fa1 48630c81        movsxd  rcx,dword ptr [rcx+rax*4] ds:002b:00000000`5a053a54=????????
    Last set context:
    rax=0000000000000020 rbx=fffff9014010b2a0 rcx=000000005a0539d4
    rdx=fffff901449e1e70 rsi=0000000000000001 rdi=fffff9014425f010
    rip=fffff960001f8fa1 rsp=ffffd00108654a30 rbp=ffffd00108654b80
     r8=0000000000000001  r9=0000000000000000 r10=fffff8025900c000
    r11=ffffd001086549c0 r12=000000007e9ac000 r13=000000000025fdb0
    r14=0000000000000000 r15=0000000000000008
    iopl=0         nv up ei pl nz na po nc
    cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00010206
    win32k!zzzUpdateCursorImage+0xf1:
    fffff960`001f8fa1 48630c81        movsxd  rcx,dword ptr [rcx+rax*4] ds:002b:00000000`5a053a54=????????
    Resetting default scope

    DEFAULT_BUCKET_ID:  WIN8_DRIVER_FAULT

    BUGCHECK_STR:  0x3B

    PROCESS_NAME:  OUTLOOK.EXE

    CURRENT_IRQL:  0

    ANALYSIS_VERSION: 6.3.9600.17298 (debuggers(dbg).141024-1500) amd64fre

    LAST_CONTROL_TRANSFER:  from fffff960001cc97c to fffff960001f8fa1

    STACK_TEXT:
    ffffd001`08654a30 fffff960`001cc97c : fffff901`4520d010 ffffd001`08654b80 00000000`2fb55a00 fffff901`404000a8 : win32k!zzzUpdateCursorImage+0xf1
    ffffd001`08654a80 fffff960`0030a863 : 00000000`00000000 ffffd001`08654b80 00000000`2fb55a00 00000000`00010007 : win32k!zzzSetCursor+0x78
    ffffd001`08654ad0 fffff802`5916b7b3 : ffffe000`12152880 ffffd001`08654b80 00000000`00000000 00000000`00000000 : win32k!NtUserSetCursor+0x43
    ffffd001`08654b00 00000000`76ef2772 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13
    00000000`0025e938 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x76ef2772

    FOLLOWUP_IP:
    win32k!zzzUpdateCursorImage+f1
    fffff960`001f8fa1 48630c81        movsxd  rcx,dword ptr [rcx+rax*4]

    SYMBOL_STACK_INDEX:  0

    SYMBOL_NAME:  win32k!zzzUpdateCursorImage+f1

    FOLLOWUP_NAME:  MachineOwner

    MODULE_NAME: win32k

    IMAGE_NAME:  win32k.sys

    DEBUG_FLR_IMAGE_TIMESTAMP:  5308949c

    IMAGE_VERSION:  6.3.9600.17031

    STACK_COMMAND:  .cxr 0xffffd00108654000 ; kb

    BUCKET_ID_FUNC_OFFSET:  f1

    FAILURE_BUCKET_ID:  0x3B_win32k!zzzUpdateCursorImage

    BUCKET_ID:  0x3B_win32k!zzzUpdateCursorImage

    ANALYSIS_SOURCE:  KM

    FAILURE_ID_HASH_STRING:  km:0x3b_win32k!zzzupdatecursorimage

    FAILURE_ID_HASH:  {6485c50f-2bcf-c34e-a3c3-36223f93a9a0}

    Followup: MachineOwner
    ---------

    1: kd> lmvm win32k
    start             end                 module name
    fffff960`001a2000 fffff960`005bc000   win32k     (pdb symbols)          c:\symbols\win32k.pdb\D495C28BADD44E639AE223FBDF9108752\win32k.pdb
        Loaded symbol image file: win32k.sys
        Image path: \SystemRoot\System32\win32k.sys
        Image name: win32k.sys
        Timestamp:        Sat Feb 22 13:14:20 2014 (5308949C)
        CheckSum:         0040E3D4
        ImageSize:        0041A000
        File version:     6.3.9600.17031
        Product version:  6.3.9600.17031
        File flags:       0 (Mask 3F)
        File OS:          40004 NT Win32
        File type:        3.7 Driver
        File date:        00000000.00000000
        Translations:     0409.04b0
        CompanyName:      Microsoft Corporation
        ProductName:      Microsoft® Windows® Operating System
        InternalName:     win32k.sys
        OriginalFilename: win32k.sys
        ProductVersion:   6.3.9600.17031
        FileVersion:      6.3.9600.17031 (winblue_gdr.140221-1952)
        FileDescription:  Multi-User Win32 Driver
        LegalCopyright:   © Microsoft Corporation. All rights reserved.

    1: kd> .cxr 0xffffd00108654000;r
    rax=0000000000000020 rbx=fffff9014010b2a0 rcx=000000005a0539d4
    rdx=fffff901449e1e70 rsi=0000000000000001 rdi=fffff9014425f010
    rip=fffff960001f8fa1 rsp=ffffd00108654a30 rbp=ffffd00108654b80
     r8=0000000000000001  r9=0000000000000000 r10=fffff8025900c000
    r11=ffffd001086549c0 r12=000000007e9ac000 r13=000000000025fdb0
    r14=0000000000000000 r15=0000000000000008
    iopl=0         nv up ei pl nz na po nc
    cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00010206
    win32k!zzzUpdateCursorImage+0xf1:
    fffff960`001f8fa1 48630c81        movsxd  rcx,dword ptr [rcx+rax*4] ds:002b:00000000`5a053a54=????????
    Last set context:
    rax=0000000000000020 rbx=fffff9014010b2a0 rcx=000000005a0539d4
    rdx=fffff901449e1e70 rsi=0000000000000001 rdi=fffff9014425f010
    rip=fffff960001f8fa1 rsp=ffffd00108654a30 rbp=ffffd00108654b80
     r8=0000000000000001  r9=0000000000000000 r10=fffff8025900c000
    r11=ffffd001086549c0 r12=000000007e9ac000 r13=000000000025fdb0
    r14=0000000000000000 r15=0000000000000008
    iopl=0         nv up ei pl nz na po nc
    cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00010206
    win32k!zzzUpdateCursorImage+0xf1:
    fffff960`001f8fa1 48630c81        movsxd  rcx,dword ptr [rcx+rax*4] ds:002b:00000000`5a053a54=????????

    Hello,

    You could update the video card driver and also check the Outlook patches. You can also apply this KB, which resolves a security issue, http://support.microsoft.com/en-us/kb/2975685, and which is related to the win32k.sys driver and to the version that is in the dump.
    Regards!
    • Proposed as answer by Moderador M Monday, March 23, 2015 20:30
    • Marked as answer by Moderador M Friday, March 27, 2015 15:29
    Saturday, March 14, 2015 19:02
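
Added example, not part of the original thread: a small Python helper that pulls the triage fields out of `!analyze -v` text like the output in the answer above and recomputes the faulting address from the register dump. The sample text is a constructed excerpt of lines copied from that output; the function name `triage` and the result key `kernel_code_user_address` are hypothetical.

```python
import re

# Constructed sample: selected lines copied from the !analyze -v output above.
SAMPLE = """\
SYSTEM_SERVICE_EXCEPTION (3b)
Arg1: 00000000c0000005, Exception code that caused the bugcheck
Arg2: fffff960001f8fa1, Address of the instruction which caused the bugcheck
rax=0000000000000020 rbx=fffff9014010b2a0 rcx=000000005a0539d4
fffff960`001f8fa1 48630c81 movsxd rcx,dword ptr [rcx+rax*4]
PROCESS_NAME: OUTLOOK.EXE
MODULE_NAME: win32k
IMAGE_VERSION: 6.3.9600.17031
FAILURE_BUCKET_ID: 0x3B_win32k!zzzUpdateCursorImage
"""

FIELDS = ("PROCESS_NAME", "MODULE_NAME", "IMAGE_VERSION", "FAILURE_BUCKET_ID")
KERNEL_BASE = 0xFFFF800000000000  # start of the upper (kernel) half on x64

def triage(text):
    """Hypothetical helper: pull triage fields out of `!analyze -v` text."""
    out = {}
    m = re.search(r"^\s*([A-Z_0-9]+) \(([0-9a-fA-F]+)\)\s*$", text, re.M)
    if m:  # bug check name and code, e.g. SYSTEM_SERVICE_EXCEPTION (3b)
        out["bugcheck"], out["code"] = m.group(1), int(m.group(2), 16)
    out["args"] = [int(v, 16)
                   for v in re.findall(r"^\s*Arg\d: ([0-9a-f]+)", text, re.M)]
    for key in FIELDS:
        m = re.search(rf"^\s*{key}:\s*(\S+)", text, re.M)
        if m:
            out[key.lower()] = m.group(1)
    # Register dump (rax=..., r8=...); repeated dumps carry the same values.
    regs = {r: int(v, 16)
            for r, v in re.findall(r"\b(r[a-z0-9]{1,2})=([0-9a-f]{16})\b", text)}
    # Memory operand of the faulting instruction in [base+index*scale] form.
    m = re.search(r"\[(r\w+)\+(r\w+)\*([1248])\]", text)
    if m and m.group(1) in regs and m.group(2) in regs:
        ea = regs[m.group(1)] + regs[m.group(2)] * int(m.group(3))
        out["fault_address"] = ea & 0xFFFFFFFFFFFFFFFF
        # For bug check 0x3B, Arg2 is the faulting instruction address.
        if out.get("code") == 0x3B and len(out["args"]) > 1:
            out["kernel_code_user_address"] = (
                out["args"][1] >= KERNEL_BASE
                and out["fault_address"] < KERNEL_BASE)
    return out

if __name__ == "__main__":
    print(triage(SAMPLE))
```

For the sample, the recomputed address equals the `ds:002b:00000000`5a053a54` operand the debugger printed, and the flag records that kernel-mode code in win32k.sys faulted on an address below the kernel range.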