Can't quite understand the output of analysing a DMP file with WinDbg???

  • Question

  • Hello experts,

    I have a Windows 2000 Server that has been rebooting for no apparent reason this week.

    I then used the WinDbg tool to analyse the MEMORY.DMP file,

    but I'm not sure where the problem in the analysed output lies??

    I'm pasting the analysed output below,

    hoping an experienced expert can point me in the right direction and tell me what the likely cause is. Much appreciated, thanks!

    The file is as follows, please see:

    --------------------------------------------------------------------------------------------------------------------------

    Microsoft (R) Windows Debugger  Version 6.6.0007.5
    Copyright (c) Microsoft Corporation. All rights reserved.


    Loading Dump File [C:\WINNT\MEMORY.DMP]
    Kernel Complete Dump File: Full address space is available

    Symbol search path is: SRV*c:\temp*http://msdl.microsoft.com/download/symbol
    Executable search path is:
    *** ERROR: Symbol file could not be found.  Defaulted to export symbols for ntkrnlmp.exe -
    Windows 2000 Kernel Version 2195 (Service Pack 4) MP (4 procs) Free x86 compatible
    Product: Server, suite: TerminalServer SingleUserTS
    Kernel base = 0x80400000 PsLoadedModuleList = 0x80485b80
    Debug session time: Fri May  9 13:54:20.172 2008 (GMT+8)
    System Uptime: 2 days 21:52:41.174
    WARNING: Process directory table base 231AD000 doesn't match CR3 00030000
    WARNING: Process directory table base 231AD000 doesn't match CR3 00030000
    *** ERROR: Symbol file could not be found.  Defaulted to export symbols for ntkrnlmp.exe -
    Loading Kernel Symbols
    ..........................................................................................................
    Loading User Symbols
    .........
    Loading unloaded module list
    ..........*** ERROR: Symbol file could not be found.  Defaulted to export symbols for ntdll.dll -

    *******************************************************************************
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    *******************************************************************************

    Use !analyze -v to get detailed debugging information.

    BugCheck 7F, {8, 0, 0, 0}

    ***** Kernel symbols are WRONG. Please fix symbols to do analysis.

    ***** Kernel symbols are WRONG. Please fix symbols to do analysis.

    Probably caused by : ntkrnlmp.exe ( nt!Kei386EoiHelper+173f )

    Followup: MachineOwner
    ---------

    3: kd> !analyze -v
    *******************************************************************************
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    *******************************************************************************

    UNEXPECTED_KERNEL_MODE_TRAP (7f)
    This means a trap occurred in kernel mode, and it's a trap of a kind
    that the kernel isn't allowed to have/catch (bound trap) or that
    is always instant death (double fault).  The first number in the
    bugcheck params is the number of the trap (8 = double fault, etc)
    Consult an Intel x86 family manual to learn more about what these
    traps are. Here is a *portion* of those codes:
    If kv shows a taskGate
            use .tss on the part before the colon, then kv.
    Else if kv shows a trapframe
            use .trap on that value
    Else
            .trap on the appropriate frame will show where the trap was taken
            (on x86, this will be the ebp that goes with the procedure KiTrap)
    Endif
    kb will then show the corrected stack.
    Arguments:
    Arg1: 00000008, EXCEPTION_DOUBLE_FAULT
    Arg2: 00000000
    Arg3: 00000000
    Arg4: 00000000

    Debugging Details:
    ------------------

    ***** Kernel symbols are WRONG. Please fix symbols to do analysis.

    ***** Kernel symbols are WRONG. Please fix symbols to do analysis.


    MODULE_NAME: nt

    FAULTING_MODULE: 80400000 nt

    DEBUG_FLR_IMAGE_TIMESTAMP:  45ec3c8f

    BUGCHECK_STR:  0x7f_8

    DEFAULT_BUCKET_ID:  WRONG_SYMBOLS

    LAST_CONTROL_TRANSFER:  from 00000000 to 8046a18f

    STACK_TEXT: 
    00000000 00000000 00000000 00000000 00000000 nt!Kei386EoiHelper+0x173f


    STACK_COMMAND:  kb

    FOLLOWUP_IP:
    nt!Kei386EoiHelper+173f
    8046a18f ebef            jmp     nt!Kei386EoiHelper+0x1730 (8046a180)

    SYMBOL_STACK_INDEX:  0

    SYMBOL_NAME:  nt!Kei386EoiHelper+173f

    FOLLOWUP_NAME:  MachineOwner

    IMAGE_NAME:  ntkrnlmp.exe

    BUCKET_ID:  WRONG_SYMBOLS

    Followup: MachineOwner
    ---------

    3: kd> lmvm nt
    start    end        module name
    80400000 805a2940   nt         (export symbols)       ntkrnlmp.exe
        Loaded symbol image file: ntkrnlmp.exe
        Image path: ntkrnlmp.exe
        Image name: ntkrnlmp.exe
        Timestamp:        Mon Mar 05 23:51:43 2007 (45EC3C8F)
        CheckSum:         001AAA04
        ImageSize:        001A2940
        File version:     5.0.2195.7133
        Product version:  5.0.2195.7133
        File flags:       0 (Mask 3F)
        File OS:          40004 NT Win32
        File type:        1.0 App
        File date:        00000000.00000000
        Translations:     0404.04b0
        CompanyName:      Microsoft Corporation
        ProductName:      Microsoft(R) Windows (R) 2000 Operating System
        InternalName:     ntkrnlmp.exe
        OriginalFilename: ntkrnlmp.exe
        ProductVersion:   5.00.2195.7133
        FileVersion:      5.00.2195.7133
        FileDescription:  NT Kernel & System
        LegalCopyright:   Copyright (C) Microsoft Corp. 1981-1999

    9 May 2008, 08:34 AM

Answers

  • Your symbols are configured incorrectly.

    Please enter the following commands in order and then post the result:

    .sympath c:\symbols

    !symfix

    .reload

    !analyze -v

    14 May 2008, 01:09 PM

All replies

  • Hi! tgri:

    Thank you for your reply. I have followed your advice and am pasting the new error message below.

    It looks like the problem is caused by devicelockdriver, is that right??

    Thank you very much for your answer, much appreciated~~

    *******************************************************************************************************************

    Microsoft (R) Windows Debugger  Version 6.6.0007.5
    Copyright (c) Microsoft Corporation. All rights reserved.


    Loading Dump File [C:\WINNT\MEMORY.DMP]
    Kernel Complete Dump File: Full address space is available

    Symbol search path is: SRV**http://msdl.microsoft.com/download/symbols
    Executable search path is:
    Windows 2000 Kernel Version 2195 (Service Pack 4) MP (4 procs) Free x86 compatible
    Product: Server, suite: TerminalServer SingleUserTS
    Kernel base = 0x80400000 PsLoadedModuleList = 0x80485b80
    Debug session time: Wed May 21 11:58:52.537 2008 (GMT+8)
    System Uptime: 4 days 23:42:18.896
    WARNING: Process directory table base 21936000 doesn't match CR3 00030000
    WARNING: Process directory table base 21936000 doesn't match CR3 00030000
    Loading Kernel Symbols
    ..........................................................................................................
    Loading User Symbols
    .........
    Loading unloaded module list
    ..............
    *******************************************************************************
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    *******************************************************************************

    Use !analyze -v to get detailed debugging information.

    BugCheck 7F, {8, 0, 0, 0}

    *** ERROR: Module load completed but symbols could not be loaded for DeviceLockDriver0.SYS
    *** ERROR: Module load completed but symbols could not be loaded for SymSnap.sys
    *** ERROR: Module load completed but symbols could not be loaded for savrt.sys
    Probably caused by : DeviceLockDriver0.SYS ( DeviceLockDriver0+221a0 )

    Followup: MachineOwner
    ---------

    0: kd> !analyze -v
    *******************************************************************************
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    *******************************************************************************

    UNEXPECTED_KERNEL_MODE_TRAP (7f)
    This means a trap occurred in kernel mode, and it's a trap of a kind
    that the kernel isn't allowed to have/catch (bound trap) or that
    is always instant death (double fault).  The first number in the
    bugcheck params is the number of the trap (8 = double fault, etc)
    Consult an Intel x86 family manual to learn more about what these
    traps are. Here is a *portion* of those codes:
    If kv shows a taskGate
            use .tss on the part before the colon, then kv.
    Else if kv shows a trapframe
            use .trap on that value
    Else
            .trap on the appropriate frame will show where the trap was taken
            (on x86, this will be the ebp that goes with the procedure KiTrap)
    Endif
    kb will then show the corrected stack.
    Arguments:
    Arg1: 00000008, EXCEPTION_DOUBLE_FAULT
    Arg2: 00000000
    Arg3: 00000000
    Arg4: 00000000

    Debugging Details:
    ------------------


    BUGCHECK_STR:  0x7f_8

    TSS:  00000028 -- (.tss 28)
    eax=bcb49048 ebx=874a1898 ecx=00000003 edx=874a1708 esi=874a1708 edi=bcb49064
    eip=bdf701a0 esp=bcb49000 ebp=bcb49090 iopl=3         nv up ei pl zr na pe nc
    cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00013246
    DeviceLockDriver0+0x221a0:
    bdf701a0 ff750c          push    dword ptr [ebp+0Ch]  ss:0010:bcb4909c=874a1708
    Resetting default scope

    DEFAULT_BUCKET_ID:  DRIVER_FAULT

    PROCESS_NAME:  csrss.exe

    TRAP_FRAME:  bcb4929c -- (.trap ffffffffbcb4929c)
    ErrCode = 00000000
    eax=0000000f ebx=bcb49458 ecx=de9f4000 edx=00000000 esi=8737d020 edi=00000000
    eip=804120e3 esp=bcb49310 ebp=bcb49354 iopl=3         nv up ei ng nz ac po cy
    cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00013293
    nt!CcMapData+0xd9:
    804120e3 8a0c11          mov     cl,byte ptr [ecx+edx]      ds:0023:de9f4000=00
    Resetting default scope

    LAST_CONTROL_TRANSFER:  from bdf71026 to bdf701a0

    STACK_TEXT: 
    WARNING: Stack unwind information not available. Following frames may be wrong.
    bcb49090 bdf71026 88c6a020 874a1708 00000021 DeviceLockDriver0+0x221a0
    bcb490a4 8041eecb 88c6a020 874a1708 874a1708 DeviceLockDriver0+0x23026
    bcb490b8 bfe04f4c 874a1708 88c6b0d8 00000000 nt!IopfCallDriver+0x35
    bcb49190 bfe07452 88c6b020 874a1708 88c6b020 SymSnap+0x5f4c
    bcb491d0 8041eecb 88863820 874a1708 88c698f8 SymSnap+0x8452
    bcb491e4 8042028d 00000000 00000000 87545608 nt!IopfCallDriver+0x35
    bcb491f8 80443838 88c698f8 87545640 87545620 nt!IoPageRead+0xb1
    bcb49234 8044c6b8 00000000 de9f4000 c037a7d0 nt!MiDispatchFault+0x24c
    bcb49284 8046b063 00000000 00000000 00000000 nt!MmAccessFault+0x704
    bcb49284 804120e3 00000000 00000000 00000000 nt!KiTrap0E+0xc7
    bcb49354 bfd87661 88c698f8 bcb49388 00000400 nt!CcMapData+0xd9
    bcb49378 bfd87721 874ad768 88c69b88 00274000 Ntfs!NtfsMapStream+0x4d
    bcb493f0 bfd87a5e 874ad768 88c6a0f0 e14f3c30 Ntfs!NtfsReadMftRecord+0xa5
    bcb49424 bfd87cc4 874ad768 88c6a0f0 e14f0001 Ntfs!NtfsReadFileRecord+0x8e
    bcb49460 bfd70220 874ad768 e14f3c28 e14f3c30 Ntfs!NtfsLookupInFileRecord+0x36
    bcb49570 bfd7a05e 874ad768 e14f3cf8 00000000 Ntfs!NtfsLookupAllocation+0xd2
    bcb49740 bfd7087f 874ad768 87a19108 e14f3cf8 Ntfs!NtfsPrepareBuffers+0x25e
    bcb49914 bfd75424 874ad768 87a19108 e14f3cf8 Ntfs!NtfsNonCachedIo+0x121
    bcb49b2c bfd743ba 874ad768 87a19108 00000001 Ntfs!NtfsCommonRead+0xeee
    bcb49bcc bdf70add 88c6a020 87a19108 88c6a020 Ntfs!NtfsFsdRead+0x164
    bcb49c64 bdf71026 88c6a020 87a19108 00000021 DeviceLockDriver0+0x22add
    bcb49c78 8041eecb 88c6a020 87a19108 87a19108 DeviceLockDriver0+0x23026
    bcb49c8c bfe04f4c 87a19108 88c6b0d8 00000000 nt!IopfCallDriver+0x35
    bcb49d64 bfe07452 88c6b020 87a19108 88c6b020 SymSnap+0x5f4c
    bcb49da4 8041eecb 88863820 87a19108 875d04c8 SymSnap+0x8452
    bcb49db8 8042028d 00000000 00000000 86f2af08 nt!IopfCallDriver+0x35
    bcb49dcc 80443838 875d04c8 86f2af40 86f2af20 nt!IoPageRead+0xb1
    bcb49e08 8044c6b8 00000000 e0440000 c0381100 nt!MiDispatchFault+0x24c
    bcb49e58 804494c5 00000000 00000000 00000000 nt!MmAccessFault+0x704
    bcb49e88 8040b4da e0440000 00000000 875d1ce0 nt!MmCheckCachedPageState+0x299
    bcb49f58 bfd7578d 874472e8 bcb4a114 00000100 nt!CcCopyRead+0x65e
    bcb4a16c bfd743ba 87528168 875d1cc8 00000001 Ntfs!NtfsCommonRead+0x1257
    bcb4a20c bdf70add 88c6a020 875d1cc8 88c6a020 Ntfs!NtfsFsdRead+0x164
    bcb4a2a4 bdf71026 88c6a020 875d1cc8 00000021 DeviceLockDriver0+0x22add
    bcb4a2b8 8041eecb 88c6a020 875d1cc8 875d1cc8 DeviceLockDriver0+0x23026
    bcb4a2cc bfe04f4c 875d1cc8 88c6b0d8 00000000 nt!IopfCallDriver+0x35
    bcb4a3a4 bfe07452 88c6b020 875d1cc8 88c6b020 SymSnap+0x5f4c
    bcb4a3e4 8041eecb 88863820 875d1cc8 875d1cc8 SymSnap+0x8452
    bcb4a3f8 804b32d0 875d1e7c 875d1cc8 00000000 nt!IopfCallDriver+0x35
    bcb4a40c 804af7dc 88863820 875d1cc8 874472e8 nt!IopSynchronousServiceTail+0x60
    bcb4a4ec 80468389 80000f00 00000000 00000000 nt!NtReadFile+0x5b0
    bcb4a4ec 80431e97 80000f00 00000000 00000000 nt!KiSystemService+0xc9
    bcb4a588 be87a083 80000f00 00000000 00000000 nt!ZwReadFile+0xb
    bcb4a618 be84bcff e7414eb0 e3cb2010 00000100 savrt+0x46083
    bcb4a63c be862c8c e3cb2010 00000100 be85cc0c savrt+0x17cff
    bcb4a648 be85cc0c e74da5f8 e3cb2010 00000100 savrt+0x2ec8c
    bcb4a670 be85cddd e74da5e8 00000000 00000000 savrt+0x28c0c
    bcb4a6dc be857d3c e3cb2008 e74da5e8 00000002 savrt+0x28ddd
    bcb4a720 be84da59 e74ed010 e1368288 e74da5e8 savrt+0x23d3c
    00000000 00000000 00000000 00000000 00000000 savrt+0x19a59


    STACK_COMMAND:  .tss 0x28 ; kb

    FOLLOWUP_IP:
    DeviceLockDriver0+221a0
    bdf701a0 ff750c          push    dword ptr [ebp+0Ch]

    SYMBOL_STACK_INDEX:  0

    SYMBOL_NAME:  DeviceLockDriver0+221a0

    FOLLOWUP_NAME:  MachineOwner

    MODULE_NAME: DeviceLockDriver0

    IMAGE_NAME:  DeviceLockDriver0.SYS

    DEBUG_FLR_IMAGE_TIMESTAMP:  46e0a5a0

    FAILURE_BUCKET_ID:  0x7f_8_DeviceLockDriver0+221a0

    BUCKET_ID:  0x7f_8_DeviceLockDriver0+221a0

    Followup: MachineOwner
    ---------


    21 May 2008, 06:12 AM
  • Thank you for your reply. I had already found that article,

    and have already replaced the RAM/power supply/motherboard,

    but it still reboots.

    The earlier error message only showed a kernel error,

    with no clear direction, so I had no choice but to replace the RAM/power supply/motherboard first.

    But after reconfiguring the symbols today,

    the error message clearly points to devicelockdriver,

    so it may be related to that.

    I'll observe for a few more days.

    Thank you very much for your guidance, much appreciated~~

    21 May 2008, 06:41 AM
  • Judging from this !analyze -v output of yours... your stack has blown up. You could try removing some of the filter drivers.
    31 December 2010, 09:04 AM
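The two points made in the replies, that the attribution is meaningless until symbols resolve and that the stack was exhausted by a chain of filter drivers re-entering each other, can both be checked mechanically from the text WinDbg prints. The Python script below is an added example, not code from the thread or from any of the products named in it. It parses a constructed sample that is an abridged copy of the second listing above; the set of Microsoft-supplied modules in `MICROSOFT`, the list of stack-writing mnemonics, and the x86 `kb` frame layout it expects are assumptions. Note also that the first listing's search path ends in `/symbol` while the working second one ends in `/symbols`.

```python
"""Triage a WinDbg '!analyze -v' listing the way the replies above do by hand.
Added example, not code from the thread: it never runs WinDbg, it only reads the
text WinDbg printed and reports whether the symbol attribution can be trusted,
which non-Microsoft modules sit on the stack, and whether the crash has the
shape of kernel stack exhaustion (bugcheck 7F with first argument 8)."""
import re
from collections import Counter

# Constructed sample: an abridged copy of the second listing in the thread.
SAMPLE = """\
Symbol search path is: SRV**http://msdl.microsoft.com/download/symbols
BugCheck 7F, {8, 0, 0, 0}
DEFAULT_BUCKET_ID:  DRIVER_FAULT
TSS:  00000028 -- (.tss 28)
eip=bdf701a0 esp=bcb49000 ebp=bcb49090 iopl=3         nv up ei pl zr na pe nc
DeviceLockDriver0+0x221a0:
bdf701a0 ff750c          push    dword ptr [ebp+0Ch]  ss:0010:bcb4909c=874a1708
STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
bcb49090 bdf71026 88c6a020 874a1708 00000021 DeviceLockDriver0+0x221a0
bcb490a4 8041eecb 88c6a020 874a1708 874a1708 DeviceLockDriver0+0x23026
bcb490b8 bfe04f4c 874a1708 88c6b0d8 00000000 nt!IopfCallDriver+0x35
bcb49190 bfe07452 88c6b020 874a1708 88c6b020 SymSnap+0x5f4c
bcb49284 8046b063 00000000 00000000 00000000 nt!MmAccessFault+0x704
bcb49bcc bdf70add 88c6a020 87a19108 88c6a020 Ntfs!NtfsFsdRead+0x164
bcb49c64 bdf71026 88c6a020 87a19108 00000021 DeviceLockDriver0+0x22add
bcb49c8c bfe04f4c 87a19108 88c6b0d8 00000000 nt!IopfCallDriver+0x35
bcb49d64 bfe07452 88c6b020 87a19108 88c6b020 SymSnap+0x5f4c
bcb4a4ec 80468389 80000f00 00000000 00000000 nt!NtReadFile+0x5b0
bcb4a618 be84bcff e7414eb0 e3cb2010 00000100 savrt+0x46083
00000000 00000000 00000000 00000000 00000000 savrt+0x19a59

STACK_COMMAND:  .tss 0x28 ; kb
"""

FRAME_RE = re.compile(r"^([0-9a-f]{8}) ([0-9a-f]{8}) (?:[0-9a-f]{8} ){3}(\S+)$")
DISASM_RE = re.compile(r"^[0-9a-f]{8} [0-9a-f]+\s+(\w+)")
MICROSOFT = {"nt", "hal", "Ntfs", "ntdll"}  # assumed: symbols come from Microsoft's server
STACK_WRITERS = {"push", "pushfd", "pushad", "call"}  # instructions that write below esp

def symbols_trustworthy(text):
    """False when WinDbg itself says it fell back to wrong/export symbols."""
    return "WRONG_SYMBOLS" not in text and "symbols are WRONG" not in text

def bugcheck(text):
    """Return (code, first argument) from the 'BugCheck XX, {a, b, c, d}' line."""
    m = re.search(r"BugCheck ([0-9A-Fa-f]+), \{([0-9A-Fa-f]+),", text)
    return (m.group(1), m.group(2)) if m else None

def parse_stack(text):
    """Frames from STACK_TEXT as dicts: frame pointer, module, symbol."""
    body = text.partition("STACK_TEXT:")[2]
    frames = []
    for line in body.splitlines():
        m = FRAME_RE.match(line.strip())
        if m:
            sym = m.group(3)
            module = sym.split("!")[0] if "!" in sym else sym.split("+")[0]
            frames.append({"ebp": int(m.group(1), 16), "module": module, "symbol": sym})
        elif frames:  # a blank line or the next section ends the stack listing
            break
    return frames

def third_party_reentry(frames, trusted=MICROSOFT):
    """Count separate runs of each non-Microsoft module. A filter driver seen in
    more than one run was entered again while its earlier call was still on the
    stack (here a page fault inside a read issued a second read), which is how a
    chain of filter drivers consumes the kernel stack."""
    runs = []
    for f in frames:
        if not runs or runs[-1] != f["module"]:
            runs.append(f["module"])
    counts = Counter(m for m in runs if m not in trusted)
    return {m: n for m, n in counts.items() if n > 1}

def stack_overflow_signature(text):
    """True when the first register dump shows esp on a page boundary and the
    faulting instruction writes below esp: the push hits the guard page, the
    page fault cannot be delivered on the exhausted stack, and the CPU raises
    a double fault."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = re.search(r"esp=([0-9a-f]{8})", line)
        if not m:
            continue
        found = (DISASM_RE.match(l.strip()) for l in lines[i + 1:i + 6])
        mnemonics = [d.group(1) for d in found if d]
        return int(m.group(1), 16) % 4096 == 0 and bool(mnemonics) and mnemonics[0] in STACK_WRITERS
    return False

def triage(text):
    """Summary a responder can act on before trusting 'Probably caused by'."""
    frames = parse_stack(text)
    return {
        "bugcheck": bugcheck(text),
        "symbols_ok": symbols_trustworthy(text),
        "frames": len(frames),
        "third_party": sorted({f["module"] for f in frames} - MICROSOFT),
        "reentered": third_party_reentry(frames),
        "stack_overflow_signature": stack_overflow_signature(text),
    }

if __name__ == "__main__":
    print(triage(SAMPLE))
```

To use it on a real transcript, replace `SAMPLE` with the saved `!analyze -v` output. If `symbols_ok` is False, stop there and run the `.sympath`, `!symfix`, `.reload`, `!analyze -v` sequence from the accepted answer first, because the module names in the stack (and therefore `reentered`) mean nothing until symbols resolve, as the first listing's `nt!Kei386EoiHelper` attribution shows. On this listing the script reports DeviceLockDriver0 and SymSnap each entered twice on a single I/O path and esp sitting exactly at a page boundary on a `push`, which is the pattern behind the last reply's suggestion to thin out the filter drivers.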