Suspect it's the graphics driver by eye; please analyze the files (D1)

All replies

  • These two dumps are a bit odd.

    You suspect the graphics driver, presumably because in the dump information you saw that the instructions which triggered DRIVER_IRQL_NOT_LESS_OR_EQUAL were
    fffff880104ad198 (nvlddmkm+0x888198)
    and
    fffff880`104891a7 (nvlddmkm+0x8881a7)
    right?
    The call stack can't be seen at all, because the CPU registers weren't saved in the dump; everything, rsp included, is 0...

    0: kd> r
    rax=0000000000000000 rbx=0000000000000000 rcx=0000000000000000
    rdx=0000000000000000 rsi=0000000000000000 rdi=0000000000000000
    rip=0000000000000000 rsp=0000000000000000 rbp=0000000000000000
     r8=0000000000000000  r9=0000000000000000 r10=0000000000000000
    r11=0000000000000000 r12=0000000000000000 r13=0000000000000000
    r14=0000000000000000 r15=0000000000000000
    iopl=0         nv up di pl nz na pe nc
    cs=0000  ss=0000  ds=0000  es=0000  fs=0000  gs=0000             efl=00000000
    00000000`00000000 ??              ???

    But I noticed something very strange: in your two dumps, the code at the very same nvlddmkm+0x888198 is actually different!


    In the July 24 dump:

    0: kd> u nvlddmkm+0x888198
    nvlddmkm+0x888198:
    fffff880`104ad198 40d84883        fmul    dword ptr [rax-7Dh]
    fffff880`104ad19c ec              in      al,dx
    fffff880`104ad19d 20837a608348    and     byte ptr [rbx+4883607Ah],al
    fffff880`104ad1a3 8bda            mov     ebx,edx
    fffff880`104ad1a5 741e            je      nvlddmkm+0x8881c5 (fffff880`104ad1c5)
    fffff880`104ad1a7 4585bb7415837a  test    dword ptr [r11+7A831574h],r15d
    fffff880`104ad1ae 5c              pop     rsp
    fffff880`104ad1af 00486f          add     byte ptr [rax+6Fh],cl

    0: kd> dd nvlddmkm+0x888198
    fffff880`104ad198  8348d840 7a8320ec 8b488360 451e74da
    fffff880`104ad1a8  1574bb85 005c7a83 44026f48 7548428b
    fffff880`104ad1b8  1850d205 50ff03eb 60638308 48c03300
    fffff880`104ad1c8  5b20c483 ccccccc3 245c8948 74894808
    fffff880`104ad1d8  48572024 4820ec83 8d4c028b 48402444
    fffff880`104ad1e8  8b48da8b 3310fff1 607b39ff 7b390a74
    fffff880`104ad1f8  8b05755c 16eb4843 4c0b8b4c 3824448d
    fffff880`104ad208  48d38b48 ff41ce8b 448b1051 44393824

    In the July 25 dump:

    0: kd> u nvlddmkm+0x888198
    nvlddmkm+0x888198:
    fffff880`10489198 409b            wait
    fffff880`1048919a 4883ec20        sub     rsp,20h
    fffff880`1048919e 837a6074        cmp     dword ptr [rdx+60h],74h
    fffff880`104891a2 488bda          mov     rbx,rdx
    fffff880`104891a5 741e            je      nvlddmkm+0x8881c5 (fffff880`104891c5)
    fffff880`104891a7 4585937415837a  test    dword ptr [r11+7A831574h],r10d
    fffff880`104891ae 5c              pop     rsp
    fffff880`104891af 00489f          add     byte ptr [rax-61h],cl
    0: kd> dd nvlddmkm+0x888198
    fffff880`10489198  83489b40 7a8320ec 8b487460 451e74da
    fffff880`104891a8  15749385 005c7a83 44029f48 7548428b
    fffff880`104891b8  18509205 50ff03eb 60638308 48c03300
    fffff880`104891c8  5b20c483 ccccccc3 245c8948 74894808
    fffff880`104891d8  48572024 4820ec83 8d4c028b 48402444
    fffff880`104891e8  8b48da8b 3310fff1 607b39ff 7b390a74
    fffff880`104891f8  8b05755c 16eb4843 4c0b8b4c 3824448d
    fffff880`10489208  48d38b48 ff41ce8b 448b1051 44393824

    Compare them carefully and you'll see that a lot of bytes in this code segment differ between the two! That should not happen!

    I'd say: either your physical RAM sticks are faulty, or some driver earlier corrupted this driver's code section...

    Suggestion 0: set the dump type to kernel dump, so that next time there is more information to look at

    Suggestion 1: replace the RAM

    Suggestion 2: enable Driver Verifier to catch the source of the memory corruption

    • Edited by Finy July 25, 2012 13:18
    July 25, 2012 12:59
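Added example (not code from this thread): a small Python script that turns the two `dd nvlddmkm+0x888198` listings quoted above into byte images and reports exactly which module offsets differ, instead of eyeballing the hex. The listings are copied from the reply; the module offset 0x888198 is the one the `u` command above starts at. Since a loaded driver's code pages are never legitimately rewritten, any difference at the same module offset between two dumps is evidence of in-memory corruption, which is the point the reply makes.

```python
import re
from typing import Dict, List, Tuple

# `dd nvlddmkm+0x888198` output copied from the two dumps quoted in the reply
# above (each line: address, then four little-endian DWORDs).
DD_JUL24 = """
fffff880`104ad198  8348d840 7a8320ec 8b488360 451e74da
fffff880`104ad1a8  1574bb85 005c7a83 44026f48 7548428b
fffff880`104ad1b8  1850d205 50ff03eb 60638308 48c03300
fffff880`104ad1c8  5b20c483 ccccccc3 245c8948 74894808
fffff880`104ad1d8  48572024 4820ec83 8d4c028b 48402444
fffff880`104ad1e8  8b48da8b 3310fff1 607b39ff 7b390a74
fffff880`104ad1f8  8b05755c 16eb4843 4c0b8b4c 3824448d
fffff880`104ad208  48d38b48 ff41ce8b 448b1051 44393824
"""
DD_JUL25 = """
fffff880`10489198  83489b40 7a8320ec 8b487460 451e74da
fffff880`104891a8  15749385 005c7a83 44029f48 7548428b
fffff880`104891b8  18509205 50ff03eb 60638308 48c03300
fffff880`104891c8  5b20c483 ccccccc3 245c8948 74894808
fffff880`104891d8  48572024 4820ec83 8d4c028b 48402444
fffff880`104891e8  8b48da8b 3310fff1 607b39ff 7b390a74
fffff880`104891f8  8b05755c 16eb4843 4c0b8b4c 3824448d
fffff880`10489208  48d38b48 ff41ce8b 448b1051 44393824
"""
MODULE_OFFSET = 0x888198  # nvlddmkm+0x888198: both listings start here

DD_LINE = re.compile(r"^([0-9a-fA-F]{8})`([0-9a-fA-F]{8})\s+((?:[0-9a-fA-F]{8}\s*)+)$")


def parse_dd(listing: str) -> bytes:
    """Rebuild the byte image described by a WinDbg `dd` listing.

    `dd` shows memory as 32-bit little-endian values, so every 8-hex-digit
    group becomes four bytes in reversed order.  Lines must be contiguous;
    this is checked so that a truncated paste is not silently diffed.
    """
    image = bytearray()
    base = None
    for raw in listing.strip().splitlines():
        m = DD_LINE.match(raw.strip())
        if not m:
            raise ValueError(f"not a dd line: {raw!r}")
        addr = int(m.group(1) + m.group(2), 16)
        if base is None:
            base = addr
        elif addr != base + len(image):
            raise ValueError(f"gap in dd output at {addr:#x}")
        for dword in m.group(3).split():
            image += int(dword, 16).to_bytes(4, "little")
    return bytes(image)


def diff_images(a: bytes, b: bytes) -> List[Tuple[int, int, int]]:
    """Return (offset, byte_in_a, byte_in_b) for every position that differs."""
    if len(a) != len(b):
        raise ValueError("listings cover different sizes")
    return [(i, x, y) for i, (x, y) in enumerate(zip(a, b)) if x != y]


def summarize(diffs: List[Tuple[int, int, int]], module_offset: int) -> Dict[str, object]:
    """Describe the differences in terms a dump analyst can act on.

    Each differing byte is reported as a module-relative symbol (nvlddmkm+off)
    so it can be looked up with `u`/`db` in either dump.  A regular stride
    between corrupted bytes is recorded as well: it is a clue worth keeping
    for whoever investigates the RAM or the offending driver.
    """
    offsets = [off for off, _, _ in diffs]
    gaps = {later - earlier for earlier, later in zip(offsets, offsets[1:])}
    return {
        "count": len(diffs),
        "symbols": [f"nvlddmkm+{module_offset + off:#x}" for off in offsets],
        "bytes": [(f"{x:02x}", f"{y:02x}") for _, x, y in diffs],
        "uniform_stride": gaps.pop() if len(gaps) == 1 else None,
    }


if __name__ == "__main__":
    report = summarize(diff_images(parse_dd(DD_JUL24), parse_dd(DD_JUL25)), MODULE_OFFSET)
    for sym, (x, y) in zip(report["symbols"], report["bytes"]):
        print(f"{sym}: {x} (Jul 24) vs {y} (Jul 25)")
    print(f"{report['count']} byte(s) differ; stride {report['uniform_stride']}")
```

Run against the two listings, it reports five differing bytes, one every 8 bytes starting at nvlddmkm+0x888199. That is far fewer than the disassembly suggests, because a single changed byte at the start shifts every instruction boundary after it; the July 25 bytes decode into a plausible prologue (`sub rsp,20h`, `cmp dword ptr [rdx+60h],74h`, `mov rbx,rdx`) while the July 24 bytes decode into nonsense such as `fmul` and `in al,dx`, which is why the earlier dump is the one to distrust.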
  • I've been struggling with this for a long time

    I came here to post for help before too, and tried lots of methods

    After the last reinstall of the system it went 10-odd days without a blue screen, and I thought it was fine

    Then I updated the graphics driver for a game, it blue-screened once, and I went back to the old driver; a few days later came the one from the 24th

    Then I reinstalled the graphics driver again, and it still blue-screened afterwards; that's the one from the 25th

    I've already replaced the RAM once and tested it; tested the disk too; no problems found

    Since it blue-screened after the graphics driver update, that's the prime suspect

    Suggestion 2 is too technical, I don't understand it

    July 25, 2012 13:31
  • Suggestion 2 is too technical, I don't understand it

    Just run the verifier command, go through the wizard once, and put all the non-Microsoft drivers under monitoring. That way, the moment any of them shows the slightest sign of damaging the system, the system crashes immediately, and the dump produced at that point is the most valuable one for analysis.

    In any case, do Suggestion 0 first, so that the next time it crashes there may be more information visible in the dump.
    • Edited by Finy July 25, 2012 13:53
    July 25, 2012 13:52
  • After putting all drivers under monitoring and rebooting, it blue-screened right at boot; D1, 50 and whatnot, all of them

    It almost couldn't get into the system; after finishing in safe mode I got into the system and it blue-screened once more

    Now it has generated a 400-odd MB DMP file; the last one was a D1


    Microsoft (R) Windows Debugger Version 6.12.0002.633 AMD64
    Copyright (c) Microsoft Corporation. All rights reserved.


    Loading Dump File [C:\Windows\MEMORY.DMP]
    Kernel Summary Dump File: Only kernel address space is available

    Symbol search path is: SRV*c:\temp*http://msdl.microsoft.com/download/symbols
    Executable search path is: 
    Windows 7 Kernel Version 7601 (Service Pack 1) MP (4 procs) Free x64
    Product: WinNt, suite: TerminalServer SingleUserTS
    Built by: 7601.17514.amd64fre.win7sp1_rtm.101119-1850
    Machine Name:
    Kernel base = 0xfffff800`0461b000 PsLoadedModuleList = 0xfffff800`04860e90
    Debug session time: Wed Jul 25 22:38:26.957 2012 (UTC + 8:00)
    System Uptime: 0 days 0:04:15.206
    Loading Kernel Symbols
    ...............................................................
    ................................................................
    ..............................
    Loading User Symbols

    Loading unloaded module list
    ......
    The context is partially valid. Only x86 user-mode context is available.
    The wow64exts extension must be loaded to access 32-bit state.
    .load wow64exts will do this if you haven't loaded it already.
    *******************************************************************************
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    *******************************************************************************

    Use !analyze -v to get detailed debugging information.

    BugCheck D1, {1000000, 2, 1, fffff88010426aff}

    *** ERROR: Symbol file could not be found.  Defaulted to export symbols for nvlddmkm.sys - 
    Probably caused by : Unknown_Image ( nvlddmkm+7efaff )

    Followup: MachineOwner
    ---------

    16.0: kd:x86> !analyze -v
    *******************************************************************************
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    *******************************************************************************

    DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
    An attempt was made to access a pageable (or completely invalid) address at an
    interrupt request level (IRQL) that is too high.  This is usually
    caused by drivers using improper addresses.
    If kernel debugger is available get stack backtrace.
    Arguments:
    Arg1: 0000000001000000, memory referenced
    Arg2: 0000000000000002, IRQL
    Arg3: 0000000000000001, value 0 = read operation, 1 = write operation
    Arg4: fffff88010426aff, address which referenced memory

    Debugging Details:
    ------------------


    WRITE_ADDRESS:  0000000001000000 

    CURRENT_IRQL:  0

    FAULTING_IP: 
    nvlddmkm+7efaff
    fffff880`10426aff 41              inc     ecx

    DEFAULT_BUCKET_ID:  VISTA_DRIVER_FAULT

    BUGCHECK_STR:  0xD1

    LAST_CONTROL_TRANSFER:  from 0000000000000000 to 0000000000000000

    STACK_TEXT:  
    00000000 00000000 00000000 00000000 00000000 0x0


    STACK_COMMAND:  .bugcheck ; kb

    FOLLOWUP_IP: 
    nvlddmkm+7efaff
    fffff880`10426aff 41              inc     ecx

    SYMBOL_NAME:  nvlddmkm+7efaff

    FOLLOWUP_NAME:  MachineOwner

    MODULE_NAME: Unknown_Module

    IMAGE_NAME:  Unknown_Image

    DEBUG_FLR_IMAGE_TIMESTAMP:  0

    BUCKET_ID:  INVALID_KERNEL_CONTEXT

    Followup: MachineOwner
    ---------

    July 25, 2012 14:45
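Added example (not code from this thread): a Python triage script for pasted `!analyze -v` output like the one above. It pulls out the bugcheck code and arguments, the "Probably caused by" symbol and the BUCKET_ID, decodes the D1 argument layout the output itself documents (address, IRQL, read/write flag, faulting IP), and, most usefully for this thread, flags when the dump has no usable processor context, which is what INVALID_KERNEL_CONTEXT and a STACK_TEXT consisting of a single all-zero frame mean. The two sample excerpts are trimmed copies of output pasted in this thread; the parser accepts the full output as well.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed excerpts in the shape of the `!analyze -v` output pasted in this
# thread, trimmed to the lines the parser uses (values copied from the thread).
ANALYZE_D1 = """
BugCheck D1, {1000000, 2, 1, fffff88010426aff}
Probably caused by : Unknown_Image ( nvlddmkm+7efaff )
DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
CURRENT_IRQL:  0
STACK_TEXT:
00000000 00000000 00000000 00000000 00000000 0x0

BUCKET_ID:  INVALID_KERNEL_CONTEXT
"""
ANALYZE_CD = """
BugCheck CD, {fffff9800154b008, 0, fffff80004966b1c, 0}
Probably caused by : Unknown_Image ( nt!SeCaptureSecurityDescriptor+13a )
PAGE_FAULT_BEYOND_END_OF_ALLOCATION (cd)
CURRENT_IRQL:  0
STACK_TEXT:
00000000 00000000 00000000 00000000 00000000 0x0

BUCKET_ID:  INVALID_KERNEL_CONTEXT
"""

RE_BUGCHECK = re.compile(r"^BugCheck ([0-9A-Fa-f]+), \{([^}]*)\}")
RE_CAUSE = re.compile(r"^Probably caused by : \S+ \( (.+?) \)")
RE_NAME = re.compile(r"^([A-Z][A-Z0-9_]+) \(([0-9a-f]+)\)$")
RE_IRQL = re.compile(r"^CURRENT_IRQL:\s+([0-9a-f]+)")
RE_BUCKET = re.compile(r"^BUCKET_ID:\s+(\S+)")
RE_EMPTY_FRAME = re.compile(r"(?:0+\s+)+0x0")  # the "00000000 ... 0x0" placeholder frame


@dataclass
class Analysis:
    code: int
    name: str
    args: List[int]
    suspect: Optional[str]
    current_irql: Optional[int]
    bucket_id: Optional[str]
    frames: List[str] = field(default_factory=list)

    def context_usable(self) -> bool:
        """A dump with no saved processor state cannot be walked: WinDbg buckets
        it as INVALID_KERNEL_CONTEXT and the only stack 'frame' is all zeros."""
        if self.bucket_id == "INVALID_KERNEL_CONTEXT":
            return False
        return any(not RE_EMPTY_FRAME.fullmatch(f) for f in self.frames)

    def access(self) -> Optional[str]:
        """Decode the D1 argument layout as printed by !analyze: address, IRQL,
        0 = read / 1 = write, and the instruction that touched the address."""
        if self.code != 0xD1 or len(self.args) != 4:
            return None
        addr, irql, write, ip = self.args
        return (f"{'write' if write else 'read'} of {addr:#x} at IRQL {irql} "
                f"from {ip:#x} ({self.suspect})")


def parse_analyze(text: str) -> Analysis:
    """Pull the fields that matter for triage out of `!analyze -v` output."""
    code, name, args, suspect, irql, bucket, frames = None, None, [], None, None, None, []
    lines = [ln.rstrip() for ln in text.strip().splitlines()]
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        if m := RE_BUGCHECK.match(line):
            code = int(m.group(1), 16)
            args = [int(a, 16) for a in m.group(2).split(",")]
        elif m := RE_CAUSE.match(line):
            suspect = m.group(1)
        elif m := RE_NAME.match(line):
            name = m.group(1)
        elif m := RE_IRQL.match(line):
            irql = int(m.group(1), 16)
        elif m := RE_BUCKET.match(line):
            bucket = m.group(1)
        elif line.startswith("STACK_TEXT:"):
            i += 1  # stack frames follow until the first blank line
            while i < len(lines) and lines[i].strip():
                frames.append(lines[i].strip())
                i += 1
            continue
        i += 1
    if code is None:
        raise ValueError("no 'BugCheck' line found")
    return Analysis(code, name or f"{code:#x}", args, suspect, irql, bucket, frames)


def triage(text: str) -> List[str]:
    """One finding per entry, in the order a reviewer of the thread would raise them."""
    a = parse_analyze(text)
    out = [f"{a.name} ({a.code:#x}), suspect {a.suspect or 'unknown'}"]
    if detail := a.access():
        out.append(detail)
    if not a.context_usable():
        out.append("no usable processor context (INVALID_KERNEL_CONTEXT / zero stack): "
                   "check the registers with 'r' and switch to a kernel dump")
    return out


if __name__ == "__main__":
    for sample in (ANALYZE_D1, ANALYZE_CD):
        print("\n".join(triage(sample)), end="\n\n")
```

The "suspect" symbol is only as good as the context behind it: for a dump bucketed as INVALID_KERNEL_CONTEXT the faulting IP is the one value that survived, so the script reports it but also says why the stack cannot be trusted, which is the same caveat Finy raises about the all-zero registers.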
  • Detected as unsigned:

    vkbms.sys    HID mini driver for USB Fx2 Device


    Microsoft (R) Windows Debugger Version 6.12.0002.633 AMD64
    Copyright (c) Microsoft Corporation. All rights reserved.


    Loading Dump File [C:\Windows\MEMORY.DMP]
    Kernel Summary Dump File: Only kernel address space is available

    Symbol search path is: SRV*c:\temp*http://msdl.microsoft.com/download/symbols
    Executable search path is: 
    Windows 7 Kernel Version 7601 (Service Pack 1) MP (4 procs) Free x64
    Product: WinNt, suite: TerminalServer SingleUserTS
    Built by: 7601.17514.amd64fre.win7sp1_rtm.101119-1850
    Machine Name:
    Kernel base = 0xfffff800`0461e000 PsLoadedModuleList = 0xfffff800`04863e90
    Debug session time: Wed Jul 25 23:19:38.484 2012 (UTC + 8:00)
    System Uptime: 0 days 0:00:10.748
    Loading Kernel Symbols
    ...............................................................
    ................................
    Loading User Symbols

    The context is partially valid. Only x86 user-mode context is available.
    The wow64exts extension must be loaded to access 32-bit state.
    .load wow64exts will do this if you haven't loaded it already.
    *******************************************************************************
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    *******************************************************************************

    Use !analyze -v to get detailed debugging information.

    BugCheck CD, {fffff9800154b008, 0, fffff80004966b1c, 0}

    Probably caused by : Unknown_Image ( nt!SeCaptureSecurityDescriptor+13a )

    Followup: MachineOwner
    ---------

    16.2: kd:x86> !analyze -v
    *******************************************************************************
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    *******************************************************************************

    PAGE_FAULT_BEYOND_END_OF_ALLOCATION (cd)
    N bytes of memory was allocated and more than N bytes are being referenced.
    This cannot be protected by try-except.
    When possible, the guilty driver's name (Unicode string) is printed on
    the bugcheck screen and saved in KiBugCheckDriver.
    Arguments:
    Arg1: fffff9800154b008, memory referenced
    Arg2: 0000000000000000, value 0 = read operation, 1 = write operation
    Arg3: fffff80004966b1c, if non-zero, the address which referenced memory.
    Arg4: 0000000000000000, Mm internal code.

    Debugging Details:
    ------------------


    READ_ADDRESS:  fffff9800154b008 

    FAULTING_IP: 
    nt!SeCaptureSecurityDescriptor+13a
    fffff800`04966b1c 48              dec     eax

    MM_INTERNAL_CODE:  0

    DEFAULT_BUCKET_ID:  VISTA_DRIVER_FAULT

    BUGCHECK_STR:  0xCD

    CURRENT_IRQL:  0

    LAST_CONTROL_TRANSFER:  from 0000000000000000 to 0000000000000000

    STACK_TEXT:  
    00000000 00000000 00000000 00000000 00000000 0x0


    STACK_COMMAND:  .bugcheck ; kb

    FOLLOWUP_IP: 
    nt!SeCaptureSecurityDescriptor+13a
    fffff800`04966b1c 48              dec     eax

    SYMBOL_NAME:  nt!SeCaptureSecurityDescriptor+13a

    FOLLOWUP_NAME:  MachineOwner

    IMAGE_NAME:  Unknown_Image

    DEBUG_FLR_IMAGE_TIMESTAMP:  0

    BUCKET_ID:  INVALID_KERNEL_CONTEXT

    MODULE_NAME: Unknown_Module

    Followup: MachineOwner
    ---------


    July 25, 2012 15:26
  • Ha, your latest dump reflects the problem very directly:

    PAGE_FAULT_BEYOND_END_OF_ALLOCATION (cd)
    N bytes of memory was allocated and more than N bytes are being referenced.

    In this dump you should be able to see which driver did the out-of-bounds memory read/write

    Run lmvm vkbms.sys to see what driver that is. My Win7 machine doesn't have it; it's probably not from Microsoft, otherwise it wouldn't be missing symbols

    • Edited by Finy July 26, 2012 3:23
    July 26, 2012 3:22
  • vkbms.sys: I searched for this for a long time and couldn't find anything; later I discovered it's the driver for a Razer mouse
    July 26, 2012 5:39
  • vkbms.sys: I searched for this for a long time and couldn't find anything; later I discovered it's the driver for a Razer mouse

    Why would it take so long...

    In windbg, an lmvm shows its file path. On the system, the driverquery command or msinfo32 also lists all drivers along with their descriptions.

    Since you've confirmed it's a mouse driver, and we've also confirmed through verifier's strict checking that it does out-of-bounds memory reads/writes, uninstall it first and keep verifier running to see.

    July 26, 2012 6:07
  • After continuing with verifier, blue screen; got into the system and it blue-screened once more; here is the result

    Microsoft (R) Windows Debugger Version 6.12.0002.633 AMD64
    Copyright (c) Microsoft Corporation. All rights reserved.


    Loading Dump File [C:\Windows\MEMORY.DMP]
    Kernel Summary Dump File: Only kernel address space is available

    Symbol search path is: SRV*c:\symbols*http://msdl.microsoft.com/download/symbols
    Executable search path is: 
    Windows 7 Kernel Version 7601 (Service Pack 1) MP (4 procs) Free x64
    Product: WinNt, suite: TerminalServer SingleUserTS
    Built by: 7601.17514.amd64fre.win7sp1_rtm.101119-1850
    Machine Name:
    Kernel base = 0xfffff800`0464d000 PsLoadedModuleList = 0xfffff800`04892e90
    Debug session time: Thu Jul 26 14:23:16.153 2012 (UTC + 8:00)
    System Uptime: 0 days 0:00:53.402
    Loading Kernel Symbols
    ...............................................................
    ................................................................
    ...........................................
    Loading User Symbols

    Loading unloaded module list
    .....
    The context is partially valid. Only x86 user-mode context is available.
    The wow64exts extension must be loaded to access 32-bit state.
    .load wow64exts will do this if you haven't loaded it already.
    *******************************************************************************
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    *******************************************************************************

    Use !analyze -v to get detailed debugging information.

    BugCheck BE, {fffff8801080e809, 20d9d3121, fffff80000b9c1c0, a}

    Probably caused by : Unknown_Image ( ANALYSIS_INCONCLUSIVE )

    Followup: MachineOwner
    ---------

    16.0: kd:x86> !analyze -v
    *******************************************************************************
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    *******************************************************************************

    ATTEMPTED_WRITE_TO_READONLY_MEMORY (be)
    An attempt was made to write to readonly memory.  The guilty driver is on the
    stack trace (and is typically the current instruction pointer).
    When possible, the guilty driver's name (Unicode string) is printed on
    the bugcheck screen and saved in KiBugCheckDriver.
    Arguments:
    Arg1: fffff8801080e809, Virtual address for the attempted write.
    Arg2: 000000020d9d3121, PTE contents.
    Arg3: fffff80000b9c1c0, (reserved)
    Arg4: 000000000000000a, (reserved)

    Debugging Details:
    ------------------


    DEFAULT_BUCKET_ID:  VISTA_DRIVER_FAULT

    BUGCHECK_STR:  0xBE

    CURRENT_IRQL:  0

    LAST_CONTROL_TRANSFER:  from 0000000000000000 to 0000000000000000

    STACK_TEXT:  
    00000000 00000000 00000000 00000000 00000000 0x0


    STACK_COMMAND:  kb

    SYMBOL_NAME:  ANALYSIS_INCONCLUSIVE

    FOLLOWUP_NAME:  MachineOwner

    MODULE_NAME: Unknown_Module

    IMAGE_NAME:  Unknown_Image

    DEBUG_FLR_IMAGE_TIMESTAMP:  0

    BUCKET_ID:  INVALID_KERNEL_CONTEXT

    Followup: MachineOwner
    ---------

    July 26, 2012 6:29
  • One more time
    Microsoft (R) Windows Debugger Version 6.12.0002.633 AMD64
    Copyright (c) Microsoft Corporation. All rights reserved.


    Loading Dump File [C:\Windows\MEMORY.DMP]
    Kernel Summary Dump File: Only kernel address space is available

    Symbol search path is: SRV*c:\symbols*http://msdl.microsoft.com/download/symbols
    Executable search path is: 
    Windows 7 Kernel Version 7601 (Service Pack 1) MP (4 procs) Free x64
    Product: WinNt, suite: TerminalServer SingleUserTS
    Built by: 7601.17514.amd64fre.win7sp1_rtm.101119-1850
    Machine Name:
    Kernel base = 0xfffff800`0464f000 PsLoadedModuleList = 0xfffff800`04894e90
    Debug session time: Thu Jul 26 14:40:17.104 2012 (UTC + 8:00)
    System Uptime: 0 days 0:00:13.369
    Loading Kernel Symbols
    ...............................................................
    ....................................
    Loading User Symbols

    The context is partially valid. Only x86 user-mode context is available.
    The wow64exts extension must be loaded to access 32-bit state.
    .load wow64exts will do this if you haven't loaded it already.
    *******************************************************************************
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    *******************************************************************************

    Use !analyze -v to get detailed debugging information.

    BugCheck CD, {fffff98007109008, 0, fffff80004997b1c, 0}

    Probably caused by : Unknown_Image ( nt!SeCaptureSecurityDescriptor+13a )

    Followup: MachineOwner
    ---------

    16.3: kd:x86> !analyze -v
    *******************************************************************************
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    *******************************************************************************

    PAGE_FAULT_BEYOND_END_OF_ALLOCATION (cd)
    N bytes of memory was allocated and more than N bytes are being referenced.
    This cannot be protected by try-except.
    When possible, the guilty driver's name (Unicode string) is printed on
    the bugcheck screen and saved in KiBugCheckDriver.
    Arguments:
    Arg1: fffff98007109008, memory referenced
    Arg2: 0000000000000000, value 0 = read operation, 1 = write operation
    Arg3: fffff80004997b1c, if non-zero, the address which referenced memory.
    Arg4: 0000000000000000, Mm internal code.

    Debugging Details:
    ------------------


    READ_ADDRESS:  fffff98007109008 

    FAULTING_IP: 
    nt!SeCaptureSecurityDescriptor+13a
    fffff800`04997b1c 48              dec     eax

    MM_INTERNAL_CODE:  0

    DEFAULT_BUCKET_ID:  VISTA_DRIVER_FAULT

    BUGCHECK_STR:  0xCD

    CURRENT_IRQL:  0

    LAST_CONTROL_TRANSFER:  from 0000000000000000 to 0000000000000000

    STACK_TEXT:  
    00000000 00000000 00000000 00000000 00000000 0x0


    STACK_COMMAND:  .bugcheck ; kb

    FOLLOWUP_IP: 
    nt!SeCaptureSecurityDescriptor+13a
    fffff800`04997b1c 48              dec     eax

    SYMBOL_NAME:  nt!SeCaptureSecurityDescriptor+13a

    FOLLOWUP_NAME:  MachineOwner

    IMAGE_NAME:  Unknown_Image

    DEBUG_FLR_IMAGE_TIMESTAMP:  0

    BUCKET_ID:  INVALID_KERNEL_CONTEXT

    MODULE_NAME: Unknown_Module

    Followup: MachineOwner
    ---------
    July 26, 2012 6:47
  • These two dumps are quite clear

    The first one already tells you

    ATTEMPTED_WRITE_TO_READONLY_MEMORY (be)
    An attempt was made to write to readonly memory.  The guilty driver is on the
    stack trace (and is typically the current instruction pointer).

    Go look at the stack (you didn't paste it)...

    And it says:

    When possible, the guilty driver's name (Unicode string) is printed on
    the bugcheck screen and saved in KiBugCheckDriver.

    That is, at the time of the blue screen you should have been able to see the problem driver's filename right on the screen...

    The second one means roughly the same thing

    Where is your dump? It's a kernel dump this time, right?

    July 26, 2012 7:03
  • The first blue screen displayed nvlddmkm

    It's in MEMORY.DMP now

    How do I look at the stack

    July 26, 2012 7:15
  • The first blue screen displayed nvlddmkm

    It's in MEMORY.DMP now

    How do I look at the stack

    Post the kvn output first
    July 26, 2012 7:25
  • Please give the specific steps
    July 26, 2012 7:32
  • Please give the specific steps

    After opening the dmp file in windbg, type kvn in the command bar at the bottom and press Enter
    July 26, 2012 8:09
  • 16.3: kd:x86> kvn
     # ChildEBP          RetAddr           Args to Child                                         
    WARNING: Frame IP not in any known module. Following frames may be wrong.
    00 00000000 00000000 00000000 00000000 00000000 0x0
    July 26, 2012 8:12
  • 16.3: kd:x86> kvn
     # ChildEBP          RetAddr           Args to Child                                         
    WARNING: Frame IP not in any known module. Following frames may be wrong.
    00 00000000 00000000 00000000 00000000 00000000 0x0

    Did this dump again fail to save the CPU registers...?

    Run r and see whether those registers are all 0?

    July 27, 2012 2:52