WIN7 blue screen

Question
-
The dump output is as follows:
Microsoft (R) Windows Debugger Version 6.11.0001.402 X86
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [D:\新建文件夹 (2)\050810-20264-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available
Symbol search path is: SRV*c:\websymbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows 7 Kernel Version 7600 MP (2 procs) Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 7600.16481.x86fre.win7_gdr.091207-1941
Machine Name:
Kernel base = 0x84242000 PsLoadedModuleList = 0x8438a810
Debug session time: Sat May 8 15:09:25.134 2010 (GMT+8)
System Uptime: 0 days 1:39:51.726
Loading Kernel Symbols
...............................................................
................................................................
......................................
Loading User Symbols
Loading unloaded module list
.........
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck 1000008E, {c0000005, 842f5686, 9130cb24, 0}
Probably caused by : memory_corruption ( nt!MiRemoveMappedView+4ad )
Followup: MachineOwner
---------
0: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
KERNEL_MODE_EXCEPTION_NOT_HANDLED_M (1000008e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Some common problems are exception code 0x80000003. This means a hard
coded breakpoint or assertion was hit, but this system was booted
/NODEBUG. This is not supposed to happen as developers should never have
hardcoded breakpoints in retail code, but ...
If this happens, make sure a debugger gets connected, and the
system is booted /DEBUG. This will let us see why this breakpoint is
happening.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: 842f5686, The address that the exception occurred at
Arg3: 9130cb24, Trap Frame
Arg4: 00000000
Debugging Details:
------------------
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - "0x%08lx"
FAULTING_IP:
nt!MiRemoveMappedView+4ad
842f5686 8903 mov dword ptr [ebx],eax
TRAP_FRAME: 9130cb24 -- (.trap 0xffffffff9130cb24)
ErrCode = 00000002
eax=040e0007 ebx=63664d46 ecx=8e7f1a10 edx=869ea8d8 esi=8438ace4 edi=8e7f1a10
eip=842f5686 esp=9130cb98 ebp=9130cc58 iopl=0 nv up ei pl nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010206
nt!MiRemoveMappedView+0x4ad:
842f5686 8903 mov dword ptr [ebx],eax ds:0023:63664d46=????????
Resetting default scope
CUSTOMER_CRASH_COUNT: 1
DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT
BUGCHECK_STR: 0x8E
PROCESS_NAME: iexplore.exe
CURRENT_IRQL: 0
LAST_CONTROL_TRANSFER: from 842e72a4 to 842f5686
STACK_TEXT:
9130cc58 842e72a4 869ea6e8 86764b60 869ea6e8 nt!MiRemoveMappedView+0x4ad
9130cc88 8448ad22 ba666ebe 00000000 8e7f1a10 nt!MmCleanProcessAddressSpace+0x198
9130ccfc 844a3d37 00000000 ffffffff 001af934 nt!PspExitThread+0x683
9130cd24 8428547a ffffffff 00000000 001af940 nt!NtTerminateProcess+0x1fa
9130cd24 774364f4 ffffffff 00000000 001af940 nt!KiFastCallEntry+0x12a
WARNING: Frame IP not in any known module. Following frames may be wrong.
001af940 00000000 00000000 00000000 00000000 0x774364f4
STACK_COMMAND: kb
FOLLOWUP_IP:
nt!MiRemoveMappedView+4ad
842f5686 8903 mov dword ptr [ebx],eax
SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: nt!MiRemoveMappedView+4ad
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: nt
DEBUG_FLR_IMAGE_TIMESTAMP: 4b1e090a
IMAGE_NAME: memory_corruption
FAILURE_BUCKET_ID: 0x8E_nt!MiRemoveMappedView+4ad
BUCKET_ID: 0x8E_nt!MiRemoveMappedView+4ad
Followup: MachineOwner
---------
Could someone who understands this please take a look?
Answers
All replies
-
It blue-screened two more times; the dumps are as follows:
Microsoft (R) Windows Debugger Version 6.11.0001.402 X86
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [D:\新建文件夹 (2)\050810-28095-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available
Symbol search path is: SRV*c:\websymbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows 7 Kernel Version 7600 MP (2 procs) Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 7600.16539.x86fre.win7_gdr.100226-1909
Machine Name:
Kernel base = 0x8420a000 PsLoadedModuleList = 0x84352810
Debug session time: Sat May 8 18:51:53.705 2010 (GMT+8)
System Uptime: 0 days 0:06:59.297
Loading Kernel Symbols
...............................................................
................................................................
...................................
Loading User Symbols
Loading unloaded module list
......
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck 1000008E, {c0000005, 8444f5d3, c9b1cb44, 0}
GetPointerFromAddress: unable to read from 84372718
Unable to read MiSystemVaType memory at 84352160
GetPointerFromAddress: unable to read from 84372718
Unable to read MiSystemVaType memory at 84352160
GetPointerFromAddress: unable to read from 84372718
Unable to read MiSystemVaType memory at 84352160
Probably caused by : ntkrpamp.exe ( nt!ObpCloseHandleTableEntry+28 )
Followup: MachineOwner
---------
1: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
KERNEL_MODE_EXCEPTION_NOT_HANDLED_M (1000008e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Some common problems are exception code 0x80000003. This means a hard
coded breakpoint or assertion was hit, but this system was booted
/NODEBUG. This is not supposed to happen as developers should never have
hardcoded breakpoints in retail code, but ...
If this happens, make sure a debugger gets connected, and the
system is booted /DEBUG. This will let us see why this breakpoint is
happening.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: 8444f5d3, The address that the exception occurred at
Arg3: c9b1cb44, Trap Frame
Arg4: 00000000
Debugging Details:
------------------
GetPointerFromAddress: unable to read from 84372718
Unable to read MiSystemVaType memory at 84352160
GetPointerFromAddress: unable to read from 84372718
Unable to read MiSystemVaType memory at 84352160
GetPointerFromAddress: unable to read from 84372718
Unable to read MiSystemVaType memory at 84352160
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - "0x%08lx"
FAULTING_IP:
nt!ObpCloseHandleTableEntry+28
8444f5d3 837b7400 cmp dword ptr [ebx+74h],0
TRAP_FRAME: c9b1cb44 -- (.trap 0xffffffffc9b1cb44)
ErrCode = 00000000
eax=c991d100 ebx=00000000 ecx=00000000 edx=8cc71bd0 esi=8cc71bd0 edi=8d7e5660
eip=8444f5d3 esp=c9b1cbb8 ebp=c9b1cbf0 iopl=0 nv up ei ng nz na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010282
nt!ObpCloseHandleTableEntry+0x28:
8444f5d3 837b7400 cmp dword ptr [ebx+74h],0 ds:0023:00000074=????????
Resetting default scope
CUSTOMER_CRASH_COUNT: 1
DEFAULT_BUCKET_ID: VERIFIER_ENABLED_VISTA_MINIDUMP
BUGCHECK_STR: 0x8E
PROCESS_NAME: SvcGuiHlpr.exe
CURRENT_IRQL: 0
LAST_CONTROL_TRANSFER: from 84481919 to 8444f5d3
STACK_TEXT:
c9b1cbf0 84481919 bde190a8 c991d100 8d7a8030 nt!ObpCloseHandleTableEntry+0x28
c9b1cc20 84487267 bde190a8 c9b1cc34 c9918588 nt!ExSweepHandleTable+0x5f
c9b1cc40 84452cb8 e41c9028 8d7e5660 00000000 nt!ObKillProcess+0x54
c9b1ccb4 84487191 00000000 8d6a4878 00000001 nt!PspExitThread+0x5d9
c9b1cccc 842b2133 8d6a4878 c9b1ccf8 c9b1cd04 nt!PsExitSpecialApc+0x22
c9b1cd1c 8424d504 00000001 00000000 c9b1cd34 nt!KiDeliverApc+0x28b
c9b1cd1c 77c964f4 00000001 00000000 c9b1cd34 nt!KiServiceExit+0x64
WARNING: Frame IP not in any known module. Following frames may be wrong.
01f4ff88 00000000 00000000 00000000 00000000 0x77c964f4
STACK_COMMAND: kb
FOLLOWUP_IP:
nt!ObpCloseHandleTableEntry+28
8444f5d3 837b7400 cmp dword ptr [ebx+74h],0
SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: nt!ObpCloseHandleTableEntry+28
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: nt
IMAGE_NAME: ntkrpamp.exe
DEBUG_FLR_IMAGE_TIMESTAMP: 4b88cacf
FAILURE_BUCKET_ID: 0x8E_VRF_nt!ObpCloseHandleTableEntry+28
BUCKET_ID: 0x8E_VRF_nt!ObpCloseHandleTableEntry+28
Followup: MachineOwner
---------
-
Microsoft (R) Windows Debugger Version 6.11.0001.402 X86
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [D:\新建文件夹 (2)\050810-21231-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available
Symbol search path is: SRV*c:\websymbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows 7 Kernel Version 7600 MP (2 procs) Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 7600.16539.x86fre.win7_gdr.100226-1909
Machine Name:
Kernel base = 0x84240000 PsLoadedModuleList = 0x84388810
Debug session time: Sat May 8 18:31:00.162 2010 (GMT+8)
System Uptime: 0 days 0:00:56.614
Loading Kernel Symbols
...............................................................
................................................................
..................................
Loading User Symbols
Loading unloaded module list
......
1: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
PFN_LIST_CORRUPT (4e)
Typically caused by drivers passing bad memory descriptor lists (ie: calling
MmUnlockPages twice with the same list, etc). If a kernel debugger is
available get the stack trace.
Arguments:
Arg1: 00000099, A PTE or PFN is corrupt
Arg2: 00072646, page frame number
Arg3: 00000001, current page state
Arg4: 0005a346, 0
Debugging Details:
------------------
*** WARNING: Unable to verify timestamp for lnsfw1.sys
*** ERROR: Module load completed but symbols could not be loaded for lnsfw1.sys
BUGCHECK_STR: 0x4E_99
CUSTOMER_CRASH_COUNT: 1
DEFAULT_BUCKET_ID: VERIFIER_ENABLED_VISTA_MINIDUMP
PROCESS_NAME: wmpnscfg.exe
CURRENT_IRQL: 2
LAST_CONTROL_TRANSFER: from 843296dc to 8431cd10
STACK_TEXT:
c9271a68 843296dc 0000004e 00000099 00072646 nt!KeBugCheckEx+0x1e
c9271a80 84326d9a c62ef000 84326c88 c62ee000 nt!MiBadShareCount+0x24
c9271b64 8435f0db c62eefc8 87f156f8 c62eefc8 nt!MmFreeSpecialPool+0x320
c9271bc8 84570f90 c62eefc8 00000000 c492e878 nt!ExFreePoolWithTag+0xd6
c9271bdc 90fb0f91 c62eefc8 00000000 00000001 nt!VerifierExFreePoolWithTag+0x30
WARNING: Stack unwind information not available. Following frames may be wrong.
c9271bf0 90fb1c23 0000003b 0000003b c9271c0c lnsfw1+0x9f91
c9271c00 90fb5af6 00000eb0 c9271c38 844b1bd7 lnsfw1+0xac23
c9271c0c 844b1bd7 00000944 00000eb0 00000000 lnsfw1+0xeaf6
c9271c38 84488c77 00000001 0191ead0 e499dae7 nt!PspExitProcess+0xa3
c9271cb4 844bd191 00000000 9904ad98 00000001 nt!PspExitThread+0x598
c9271ccc 842e8133 9904ad98 c9271cf8 c9271d04 nt!PsExitSpecialApc+0x22
c9271d1c 84283504 00000001 00000000 c9271d34 nt!KiDeliverApc+0x28b
c9271d1c 77b064f4 00000001 00000000 c9271d34 nt!KiServiceExit+0x64
0142f914 00000000 00000000 00000000 00000000 0x77b064f4
STACK_COMMAND: kb
FOLLOWUP_IP:
nt!MiBadShareCount+24
843296dc cc int 3
SYMBOL_STACK_INDEX: 1
SYMBOL_NAME: nt!MiBadShareCount+24
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: nt
DEBUG_FLR_IMAGE_TIMESTAMP: 4b88cacf
IMAGE_NAME: memory_corruption
FAILURE_BUCKET_ID: 0x4E_99_VRF_nt!MiBadShareCount+24
BUCKET_ID: 0x4E_99_VRF_nt!MiBadShareCount+24
Followup: MachineOwner
---------
-
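Analysis results:
- It may be caused by IE. When you cannot close IE normally, the system invokes a process-protection routine, and the blue screen appeared at that point. Please check whether a malicious BHO is loaded in IE.
- It may be caused by the SvcGuiHlpr process. This process is the IBM ThinkPad network switching manager; for some reason it likewise triggered the ntkrpamp process, which led to the blue screen.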
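As an added example (not part of the original thread or any poster's code), the following Python script reduces `!analyze -v` transcripts to the fields worth comparing when one machine produces several crashes: the bugcheck string, the process context, whether the dump was taken with Driver Verifier enabled, and any non-`nt` module in the stack. The function names are hypothetical, and the sample input is abridged from the three transcripts quoted above.

```python
import re

# One STACK_TEXT frame: ChildEBP, RetAddr, three args, then the symbol.
FRAME = re.compile(r"^(?:[0-9a-f]{8} ){5}(\S+)$")
FIELD = re.compile(r"^([A-Z_]+):\s*(\S.*)$")

def triage(text):
    """Reduce one `!analyze -v` transcript to the fields worth comparing."""
    fields, modules = {}, []
    for line in map(str.strip, text.splitlines()):
        frame, field = FRAME.match(line), FIELD.match(line)
        if frame and not frame.group(1).startswith("0x"):  # skip raw addresses
            module = re.split(r"[!+]", frame.group(1))[0]
            if module != "nt" and module not in modules:
                modules.append(module)
        elif field:
            fields.setdefault(field.group(1), field.group(2))
    return {"bugcheck": fields.get("BUGCHECK_STR"),
            "process": fields.get("PROCESS_NAME"),
            "verifier": "VERIFIER_ENABLED" in fields.get("DEFAULT_BUCKET_ID", ""),
            "third_party": modules}

def compare(dumps):
    """Cross-dump view: process context, non-nt stack modules, verifier state."""
    rows = {name: triage(text) for name, text in dumps.items()}
    return {"processes": sorted({r["process"] for r in rows.values()}),
            "third_party": sorted({m for r in rows.values() for m in r["third_party"]}),
            "verifier_dumps": sorted(n for n, r in rows.items() if r["verifier"])}

# Sample input: lines abridged from the three transcripts quoted in this thread.
DUMPS = {
    "050810-20264-01.dmp": """BUGCHECK_STR: 0x8E
DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT
PROCESS_NAME: iexplore.exe
9130cc58 842e72a4 869ea6e8 86764b60 869ea6e8 nt!MiRemoveMappedView+0x4ad
001af940 00000000 00000000 00000000 00000000 0x774364f4""",
    "050810-28095-01.dmp": """BUGCHECK_STR: 0x8E
DEFAULT_BUCKET_ID: VERIFIER_ENABLED_VISTA_MINIDUMP
PROCESS_NAME: SvcGuiHlpr.exe
c9b1cbf0 84481919 bde190a8 c991d100 8d7a8030 nt!ObpCloseHandleTableEntry+0x28""",
    "050810-21231-01.dmp": """BUGCHECK_STR: 0x4E_99
DEFAULT_BUCKET_ID: VERIFIER_ENABLED_VISTA_MINIDUMP
PROCESS_NAME: wmpnscfg.exe
c9271bdc 90fb0f91 c62eefc8 00000000 00000001 nt!VerifierExFreePoolWithTag+0x30
c9271bf0 90fb1c23 0000003b 0000003b c9271c0c lnsfw1+0x9f91""",
}

if __name__ == "__main__":
    print({n: triage(t) for n, t in DUMPS.items()}, compare(DUMPS), sep="\n")
```

On the three dumps in this thread it reports three different `PROCESS_NAME` values and a single non-`nt` stack module, `lnsfw1`.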