WIN7 Blue Screen

  • Question

  • The dump output is as follows:

     


    Microsoft (R) Windows Debugger Version 6.11.0001.402 X86
    Copyright (c) Microsoft Corporation. All rights reserved.


    Loading Dump File [D:\新建文件夹 (2)\050810-20264-01.dmp]
    Mini Kernel Dump File: Only registers and stack trace are available

    Symbol search path is: SRV*c:\websymbols*http://msdl.microsoft.com/download/symbols
    Executable search path is:
    Windows 7 Kernel Version 7600 MP (2 procs) Free x86 compatible
    Product: WinNt, suite: TerminalServer SingleUserTS
    Built by: 7600.16481.x86fre.win7_gdr.091207-1941
    Machine Name:
    Kernel base = 0x84242000 PsLoadedModuleList = 0x8438a810
    Debug session time: Sat May  8 15:09:25.134 2010 (GMT+8)
    System Uptime: 0 days 1:39:51.726
    Loading Kernel Symbols
    ...............................................................
    ................................................................
    ......................................
    Loading User Symbols
    Loading unloaded module list
    .........
    *******************************************************************************
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    *******************************************************************************

    Use !analyze -v to get detailed debugging information.

    BugCheck 1000008E, {c0000005, 842f5686, 9130cb24, 0}

    Probably caused by : memory_corruption ( nt!MiRemoveMappedView+4ad )

    Followup: MachineOwner
    ---------

    0: kd> !analyze -v
    *******************************************************************************
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    *******************************************************************************

    KERNEL_MODE_EXCEPTION_NOT_HANDLED_M (1000008e)
    This is a very common bugcheck.  Usually the exception address pinpoints
    the driver/function that caused the problem.  Always note this address
    as well as the link date of the driver/image that contains this address.
    Some common problems are exception code 0x80000003.  This means a hard
    coded breakpoint or assertion was hit, but this system was booted
    /NODEBUG.  This is not supposed to happen as developers should never have
    hardcoded breakpoints in retail code, but ...
    If this happens, make sure a debugger gets connected, and the
    system is booted /DEBUG.  This will let us see why this breakpoint is
    happening.
    Arguments:
    Arg1: c0000005, The exception code that was not handled
    Arg2: 842f5686, The address that the exception occurred at
    Arg3: 9130cb24, Trap Frame
    Arg4: 00000000

    Debugging Details:
    ------------------


    EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - "0x%08lx"

    FAULTING_IP:
    nt!MiRemoveMappedView+4ad
    842f5686 8903            mov     dword ptr [ebx],eax

    TRAP_FRAME:  9130cb24 -- (.trap 0xffffffff9130cb24)
    ErrCode = 00000002
    eax=040e0007 ebx=63664d46 ecx=8e7f1a10 edx=869ea8d8 esi=8438ace4 edi=8e7f1a10
    eip=842f5686 esp=9130cb98 ebp=9130cc58 iopl=0         nv up ei pl nz na pe nc
    cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010206
    nt!MiRemoveMappedView+0x4ad:
    842f5686 8903            mov     dword ptr [ebx],eax  ds:0023:63664d46=????????
    Resetting default scope

    CUSTOMER_CRASH_COUNT:  1

    DEFAULT_BUCKET_ID:  VISTA_DRIVER_FAULT

    BUGCHECK_STR:  0x8E

    PROCESS_NAME:  iexplore.exe

    CURRENT_IRQL:  0

    LAST_CONTROL_TRANSFER:  from 842e72a4 to 842f5686

    STACK_TEXT: 
    9130cc58 842e72a4 869ea6e8 86764b60 869ea6e8 nt!MiRemoveMappedView+0x4ad
    9130cc88 8448ad22 ba666ebe 00000000 8e7f1a10 nt!MmCleanProcessAddressSpace+0x198
    9130ccfc 844a3d37 00000000 ffffffff 001af934 nt!PspExitThread+0x683
    9130cd24 8428547a ffffffff 00000000 001af940 nt!NtTerminateProcess+0x1fa
    9130cd24 774364f4 ffffffff 00000000 001af940 nt!KiFastCallEntry+0x12a
    WARNING: Frame IP not in any known module. Following frames may be wrong.
    001af940 00000000 00000000 00000000 00000000 0x774364f4


    STACK_COMMAND:  kb

    FOLLOWUP_IP:
    nt!MiRemoveMappedView+4ad
    842f5686 8903            mov     dword ptr [ebx],eax

    SYMBOL_STACK_INDEX:  0

    SYMBOL_NAME:  nt!MiRemoveMappedView+4ad

    FOLLOWUP_NAME:  MachineOwner

    MODULE_NAME: nt

    DEBUG_FLR_IMAGE_TIMESTAMP:  4b1e090a

    IMAGE_NAME:  memory_corruption

    FAILURE_BUCKET_ID:  0x8E_nt!MiRemoveMappedView+4ad

    BUCKET_ID:  0x8E_nt!MiRemoveMappedView+4ad

    Followup: MachineOwner
    ---------

    Could anyone who understands this please take a look?

    May 8, 2010, 7:52

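Answer

  • The minidump files mention memory_corruption twice, so I think you need to check whether there is a problem with the memory.

    You can test the memory with a memory checking tool or by running the memory diagnostic tool built into the system.

    However, none of these tools can detect compatibility problems between memory modules or between the memory and the motherboard. If your computer has several memory modules, you can remove them one at a time to test.


    Arthur Li - MSFT
    May 11, 2010, 2:33
    Moderator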

All replies

  • It blue-screened two more times; the dumps are as follows:


    Microsoft (R) Windows Debugger Version 6.11.0001.402 X86
    Copyright (c) Microsoft Corporation. All rights reserved.


    Loading Dump File [D:\新建文件夹 (2)\050810-28095-01.dmp]
    Mini Kernel Dump File: Only registers and stack trace are available

    Symbol search path is: SRV*c:\websymbols*http://msdl.microsoft.com/download/symbols
    Executable search path is:
    Windows 7 Kernel Version 7600 MP (2 procs) Free x86 compatible
    Product: WinNt, suite: TerminalServer SingleUserTS
    Built by: 7600.16539.x86fre.win7_gdr.100226-1909
    Machine Name:
    Kernel base = 0x8420a000 PsLoadedModuleList = 0x84352810
    Debug session time: Sat May 8 18:51:53.705 2010 (GMT+8)
    System Uptime: 0 days 0:06:59.297
    Loading Kernel Symbols
    ...............................................................
    ................................................................
    ...................................
    Loading User Symbols
    Loading unloaded module list
    ......
    *******************************************************************************
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    *******************************************************************************

    Use !analyze -v to get detailed debugging information.

    BugCheck 1000008E, {c0000005, 8444f5d3, c9b1cb44, 0}

    GetPointerFromAddress: unable to read from 84372718
    Unable to read MiSystemVaType memory at 84352160
    GetPointerFromAddress: unable to read from 84372718
    Unable to read MiSystemVaType memory at 84352160
    GetPointerFromAddress: unable to read from 84372718
    Unable to read MiSystemVaType memory at 84352160
    Probably caused by : ntkrpamp.exe ( nt!ObpCloseHandleTableEntry+28 )

    Followup: MachineOwner
    ---------

    1: kd> !analyze -v
    *******************************************************************************
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    *******************************************************************************

    KERNEL_MODE_EXCEPTION_NOT_HANDLED_M (1000008e)
    This is a very common bugcheck. Usually the exception address pinpoints
    the driver/function that caused the problem. Always note this address
    as well as the link date of the driver/image that contains this address.
    Some common problems are exception code 0x80000003. This means a hard
    coded breakpoint or assertion was hit, but this system was booted
    /NODEBUG. This is not supposed to happen as developers should never have
    hardcoded breakpoints in retail code, but ...
    If this happens, make sure a debugger gets connected, and the
    system is booted /DEBUG. This will let us see why this breakpoint is
    happening.
    Arguments:
    Arg1: c0000005, The exception code that was not handled
    Arg2: 8444f5d3, The address that the exception occurred at
    Arg3: c9b1cb44, Trap Frame
    Arg4: 00000000

    Debugging Details:
    ------------------

    GetPointerFromAddress: unable to read from 84372718
    Unable to read MiSystemVaType memory at 84352160
    GetPointerFromAddress: unable to read from 84372718
    Unable to read MiSystemVaType memory at 84352160
    GetPointerFromAddress: unable to read from 84372718
    Unable to read MiSystemVaType memory at 84352160

    EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - "0x%08lx"

    FAULTING_IP:
    nt!ObpCloseHandleTableEntry+28
    8444f5d3 837b7400 cmp dword ptr [ebx+74h],0

    TRAP_FRAME: c9b1cb44 -- (.trap 0xffffffffc9b1cb44)
    ErrCode = 00000000
    eax=c991d100 ebx=00000000 ecx=00000000 edx=8cc71bd0 esi=8cc71bd0 edi=8d7e5660
    eip=8444f5d3 esp=c9b1cbb8 ebp=c9b1cbf0 iopl=0 nv up ei ng nz na po nc
    cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010282
    nt!ObpCloseHandleTableEntry+0x28:
    8444f5d3 837b7400 cmp dword ptr [ebx+74h],0 ds:0023:00000074=????????
    Resetting default scope

    CUSTOMER_CRASH_COUNT: 1

    DEFAULT_BUCKET_ID: VERIFIER_ENABLED_VISTA_MINIDUMP

    BUGCHECK_STR: 0x8E

    PROCESS_NAME: SvcGuiHlpr.exe

    CURRENT_IRQL: 0

    LAST_CONTROL_TRANSFER: from 84481919 to 8444f5d3

    STACK_TEXT:
    c9b1cbf0 84481919 bde190a8 c991d100 8d7a8030 nt!ObpCloseHandleTableEntry+0x28
    c9b1cc20 84487267 bde190a8 c9b1cc34 c9918588 nt!ExSweepHandleTable+0x5f
    c9b1cc40 84452cb8 e41c9028 8d7e5660 00000000 nt!ObKillProcess+0x54
    c9b1ccb4 84487191 00000000 8d6a4878 00000001 nt!PspExitThread+0x5d9
    c9b1cccc 842b2133 8d6a4878 c9b1ccf8 c9b1cd04 nt!PsExitSpecialApc+0x22
    c9b1cd1c 8424d504 00000001 00000000 c9b1cd34 nt!KiDeliverApc+0x28b
    c9b1cd1c 77c964f4 00000001 00000000 c9b1cd34 nt!KiServiceExit+0x64
    WARNING: Frame IP not in any known module. Following frames may be wrong.
    01f4ff88 00000000 00000000 00000000 00000000 0x77c964f4


    STACK_COMMAND: kb

    FOLLOWUP_IP:
    nt!ObpCloseHandleTableEntry+28
    8444f5d3 837b7400 cmp dword ptr [ebx+74h],0

    SYMBOL_STACK_INDEX: 0

    SYMBOL_NAME: nt!ObpCloseHandleTableEntry+28

    FOLLOWUP_NAME: MachineOwner

    MODULE_NAME: nt

    IMAGE_NAME: ntkrpamp.exe

    DEBUG_FLR_IMAGE_TIMESTAMP: 4b88cacf

    FAILURE_BUCKET_ID: 0x8E_VRF_nt!ObpCloseHandleTableEntry+28

    BUCKET_ID: 0x8E_VRF_nt!ObpCloseHandleTableEntry+28

    Followup: MachineOwner
    ---------

    May 8, 2010, 11:02

  • Microsoft (R) Windows Debugger Version 6.11.0001.402 X86
    Copyright (c) Microsoft Corporation. All rights reserved.


    Loading Dump File [D:\新建文件夹 (2)\050810-21231-01.dmp]
    Mini Kernel Dump File: Only registers and stack trace are available

    Symbol search path is: SRV*c:\websymbols*http://msdl.microsoft.com/download/symbols
    Executable search path is:
    Windows 7 Kernel Version 7600 MP (2 procs) Free x86 compatible
    Product: WinNt, suite: TerminalServer SingleUserTS
    Built by: 7600.16539.x86fre.win7_gdr.100226-1909
    Machine Name:
    Kernel base = 0x84240000 PsLoadedModuleList = 0x84388810
    Debug session time: Sat May 8 18:31:00.162 2010 (GMT+8)
    System Uptime: 0 days 0:00:56.614
    Loading Kernel Symbols
    ...............................................................
    ................................................................
    ..................................
    Loading User Symbols
    Loading unloaded module list
    ......
    1: kd> !analyze -v
    *******************************************************************************
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    *******************************************************************************

    PFN_LIST_CORRUPT (4e)
    Typically caused by drivers passing bad memory descriptor lists (ie: calling
    MmUnlockPages twice with the same list, etc). If a kernel debugger is
    available get the stack trace.
    Arguments:
    Arg1: 00000099, A PTE or PFN is corrupt
    Arg2: 00072646, page frame number
    Arg3: 00000001, current page state
    Arg4: 0005a346, 0

    Debugging Details:
    ------------------

    *** WARNING: Unable to verify timestamp for lnsfw1.sys
    *** ERROR: Module load completed but symbols could not be loaded for lnsfw1.sys

    BUGCHECK_STR: 0x4E_99

    CUSTOMER_CRASH_COUNT: 1

    DEFAULT_BUCKET_ID: VERIFIER_ENABLED_VISTA_MINIDUMP

    PROCESS_NAME: wmpnscfg.exe

    CURRENT_IRQL: 2

    LAST_CONTROL_TRANSFER: from 843296dc to 8431cd10

    STACK_TEXT:
    c9271a68 843296dc 0000004e 00000099 00072646 nt!KeBugCheckEx+0x1e
    c9271a80 84326d9a c62ef000 84326c88 c62ee000 nt!MiBadShareCount+0x24
    c9271b64 8435f0db c62eefc8 87f156f8 c62eefc8 nt!MmFreeSpecialPool+0x320
    c9271bc8 84570f90 c62eefc8 00000000 c492e878 nt!ExFreePoolWithTag+0xd6
    c9271bdc 90fb0f91 c62eefc8 00000000 00000001 nt!VerifierExFreePoolWithTag+0x30
    WARNING: Stack unwind information not available. Following frames may be wrong.
    c9271bf0 90fb1c23 0000003b 0000003b c9271c0c lnsfw1+0x9f91
    c9271c00 90fb5af6 00000eb0 c9271c38 844b1bd7 lnsfw1+0xac23
    c9271c0c 844b1bd7 00000944 00000eb0 00000000 lnsfw1+0xeaf6
    c9271c38 84488c77 00000001 0191ead0 e499dae7 nt!PspExitProcess+0xa3
    c9271cb4 844bd191 00000000 9904ad98 00000001 nt!PspExitThread+0x598
    c9271ccc 842e8133 9904ad98 c9271cf8 c9271d04 nt!PsExitSpecialApc+0x22
    c9271d1c 84283504 00000001 00000000 c9271d34 nt!KiDeliverApc+0x28b
    c9271d1c 77b064f4 00000001 00000000 c9271d34 nt!KiServiceExit+0x64
    0142f914 00000000 00000000 00000000 00000000 0x77b064f4


    STACK_COMMAND: kb

    FOLLOWUP_IP:
    nt!MiBadShareCount+24
    843296dc cc int 3

    SYMBOL_STACK_INDEX: 1

    SYMBOL_NAME: nt!MiBadShareCount+24

    FOLLOWUP_NAME: MachineOwner

    MODULE_NAME: nt

    DEBUG_FLR_IMAGE_TIMESTAMP: 4b88cacf

    IMAGE_NAME: memory_corruption

    FAILURE_BUCKET_ID: 0x4E_99_VRF_nt!MiBadShareCount+24

    BUCKET_ID: 0x4E_99_VRF_nt!MiBadShareCount+24

    Followup: MachineOwner
    ---------


    May 8, 2010, 11:03
  • All three dump files are here:

    http://cid-c933bd97a2e73891.skydrive.live.com/browse.aspx/DUMP

    Please help analyze them, everyone.

    May 8, 2010, 11:12
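  • Analysis results:

    • It may be caused by IE. When you cannot close IE normally, the system invokes a routine that protects the process, and the blue screen occurred at that point. Please check whether a malicious BHO is loaded in IE.
    • It may be caused by the SvcGuiHlpr process. This process is the IBM ThinkPad network switching manager; for some reason it also triggered the ntkrpamp process, which led to the blue screen.
    Personally, I think SvcGuiHlpr is less likely to have caused the blue screen and IE is the more likely suspect. I suggest you scan the system with security software to find any malware, or try resetting IE.

    My name is formed by taking one character from the name of each of three ancient heroes:
    "Three Strategies on Heaven and Man pleased the emperor; with one stroke Master Dong became known throughout the land" (Dong Zhongshu);
    "Since ancient times, who has escaped death? Let me leave a loyal heart to shine in the annals of history" (Wen Tianxiang);
    "A loyal heart shines like the sun and moon; a breast full of iron and blood as vast as Kunlun" (Long Ju).
    May 8, 2010, 14:58
    Moderator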
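  • Restore the IE add-ons to their default settings: Internet Options > Advanced > Restore default settings.

    Clean malicious plug-ins from the system.


    王万利 http://hackerjx.blog.51cto.com/
    May 9, 2010, 6:06
    Moderator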
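  • I checked the IE plug-ins with 360 Safeguard (360安全卫士) and also looked in IE's Manage Add-ons; there are only the Flash, Taobao, Xunlei and Bank of China plug-ins. The rest are all Microsoft plug-ins. I did not see any malicious plug-ins.

    May 9, 2010, 15:16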
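
The three `!analyze -v` outputs posted in this thread can be lined up field by field before settling on a cause. The Python sketch below is an added example, not part of the original thread: it pulls the process, image name and bugcheck from each output, flags dumps taken with Driver Verifier active, and lists any stack module other than `nt`. The function names and the abbreviated excerpts are this example's own; the excerpt lines are copied from the posts above.

```python
import re

# Lines excerpted (abbreviated) from the three `!analyze -v` outputs posted
# in this thread; the keys are the dump file names shown in the posts.
DUMPS = {
    "050810-20264-01.dmp": """
PROCESS_NAME:  iexplore.exe
9130cc58 842e72a4 869ea6e8 86764b60 869ea6e8 nt!MiRemoveMappedView+0x4ad
001af940 00000000 00000000 00000000 00000000 0x774364f4
IMAGE_NAME:  memory_corruption
FAILURE_BUCKET_ID:  0x8E_nt!MiRemoveMappedView+4ad
""",
    "050810-28095-01.dmp": """
PROCESS_NAME: SvcGuiHlpr.exe
c9b1cbf0 84481919 bde190a8 c991d100 8d7a8030 nt!ObpCloseHandleTableEntry+0x28
IMAGE_NAME: ntkrpamp.exe
FAILURE_BUCKET_ID: 0x8E_VRF_nt!ObpCloseHandleTableEntry+28
""",
    "050810-21231-01.dmp": """
PROCESS_NAME: wmpnscfg.exe
c9271bdc 90fb0f91 c62eefc8 00000000 00000001 nt!VerifierExFreePoolWithTag+0x30
c9271bf0 90fb1c23 0000003b 0000003b c9271c0c lnsfw1+0x9f91
c9271c38 84488c77 00000001 0191ead0 e499dae7 nt!PspExitProcess+0xa3
IMAGE_NAME: memory_corruption
FAILURE_BUCKET_ID: 0x4E_99_VRF_nt!MiBadShareCount+24
""",
}

FIELD = re.compile(r"^[ \t]*(PROCESS_NAME|IMAGE_NAME|FAILURE_BUCKET_ID):\s*(\S+)", re.M)
# A STACK_TEXT frame: five hex dwords, then module!symbol or module+offset.
FRAME = re.compile(r"^[ \t]*(?:[0-9a-f]{8} ){5}(\w+)[!+]", re.M)

def triage(text):
    """Summarise one !analyze -v output: key fields plus non-kernel stack modules."""
    f = dict(FIELD.findall(text))
    bucket = f.get("FAILURE_BUCKET_ID", "")
    return {
        "process": f.get("PROCESS_NAME"),
        "image": f.get("IMAGE_NAME"),
        "bugcheck": bucket.split("_")[0],
        "verifier": "_VRF_" in bucket,  # bucket tag set when Driver Verifier is on
        "other_modules": sorted(set(FRAME.findall(text)) - {"nt"}),
    }

def summarise(dumps):
    return {name: triage(text) for name, text in dumps.items()}

if __name__ == "__main__":
    for name, row in summarise(DUMPS).items():
        print(name, row)
```

Run against complete `!analyze -v` text, the same patterns also match the indented lines as they appear in the posts.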