Understanding a Bluescreen minidump from Windows 7

598
Madoc Comadrin

My Windows 7 computer is suffering from a blue screen that occurs shortly after boot.

I used Windbg to analyze the dump file of the event, but I'm not sure I understand what it is telling me.

These lines seem interesting:

DEFAULT_BUCKET_ID:  WIN7_DRIVER_FAULT
PROCESS_NAME:  fsgk32.exe

Does this mean the problem is in the drivers, or in fsgk32.exe (which is part of F-Secure), or in both?

Full output:

2: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

KMODE_EXCEPTION_NOT_HANDLED (1e)
This is a very common bugcheck.  Usually the exception address pinpoints
the driver/function that caused the problem.  Always note this address
as well as the link date of the driver/image that contains this address.
Arguments:
Arg1: ffffffffc0000005, The exception code that was not handled
Arg2: fffff80002ed05ce, The address that the exception occurred at
Arg3: 0000000000000000, Parameter 0 of the exception
Arg4: ffffffffffffffff, Parameter 1 of the exception

Debugging Details:
------------------

READ_ADDRESS: GetPointerFromAddress: unable to read from fffff800030f7100
GetUlongFromAddress: unable to read from fffff800030f71c0
 0000000000000000 Nonpaged pool

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

FAULTING_IP:
nt!MiUnlinkPageFromLockedList+36e
fffff800`02ed05ce 49890cc0        mov     qword ptr [r8+rax*8],rcx

BUGCHECK_STR:  0x1E_c0000005_R

CUSTOMER_CRASH_COUNT:  1

DEFAULT_BUCKET_ID:  WIN7_DRIVER_FAULT

PROCESS_NAME:  fsgk32.exe

CURRENT_IRQL:  2

ANALYSIS_VERSION: 6.3.9600.17237 (debuggers(dbg).140716-0327) amd64fre

LAST_CONTROL_TRANSFER:  from fffff80002f0a738 to fffff80002ebfbc0

STACK_TEXT:
fffff880`060eed48 fffff800`02f0a738 : 00000000`0000001e ffffffff`c0000005 fffff800`02ed05ce 00000000`00000000 : nt!KeBugCheckEx
fffff880`060eed50 fffff800`02ebf242 : fffff880`060ef528 fffffa80`0aeff270 fffff880`060ef5d0 fffffa80`0aeff270 : nt! ?? ::FNODOBFM::`string'+0x487ed
fffff880`060ef3f0 fffff800`02ebdb4a : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiExceptionDispatch+0xc2
fffff880`060ef5d0 fffff800`02ed05ce : fffff700`01080000 fffffa80`0aeff270 fffff800`030fa2c0 fffff680`00394f28 : nt!KiGeneralProtectionFault+0x10a
fffff880`060ef760 fffff800`02ef006b : fffffa80`0aeff270 fffffa80`0efb1578 00000000`00000000 00000000`00000000 : nt!MiUnlinkPageFromLockedList+0x36e
fffff880`060ef7e0 fffff800`02edcc8f : 00000000`00000000 00000000`00000000 fffff680`003b5818 fffffa80`0efb1578 : nt!MiResolveTransitionFault+0x16b
fffff880`060ef870 fffff800`02ecc179 : 00000000`00000000 ffffffff`ffffffff fffffa80`0f946060 00000000`00000000 : nt!MiDispatchFault+0x95f
fffff880`060ef980 fffff800`02ebdcee : 00000000`00000000 00000000`001dedf8 fffff880`060efa01 00000000`00000007 : nt!MmAccessFault+0x359
fffff880`060efae0 00000000`772fe2be : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiPageFault+0x16e
00000000`0328fa18 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x772fe2be


STACK_COMMAND:  kb

FOLLOWUP_IP:
nt!MiUnlinkPageFromLockedList+36e
fffff800`02ed05ce 49890cc0        mov     qword ptr [r8+rax*8],rcx

SYMBOL_STACK_INDEX:  4

SYMBOL_NAME:  nt!MiUnlinkPageFromLockedList+36e

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: nt

DEBUG_FLR_IMAGE_TIMESTAMP:  531590fb

IMAGE_VERSION:  6.1.7601.18409

IMAGE_NAME:  memory_corruption

FAILURE_BUCKET_ID:  X64_0x1E_c0000005_R_nt!MiUnlinkPageFromLockedList+36e

BUCKET_ID:  X64_0x1E_c0000005_R_nt!MiUnlinkPageFromLockedList+36e

ANALYSIS_SOURCE:  KM

FAILURE_ID_HASH_STRING:  km:x64_0x1e_c0000005_r_nt!miunlinkpagefromlockedlist+36e

FAILURE_ID_HASH:

Followup: MachineOwner

1
Uninstall F-Secure; if you still get crashes, test the RAM with memtest86+: http://www.memtest.org/#downiso  magicandre1981, 9 years ago
It turns out F-Secure was the culprit.  Madoc Comadrin, 9 years ago

1 answer

1
Thomas Weller

IMHO there are two important things to know when analyzing a blue screen.

a) As you found out: the PROCESS_NAME: fsgk32.exe

If it cannot directly be associated with a product, a Google search will usually give some hints. You found out F-Secure, which Google also indicates.

b) The type of the problem, which is KMODE_EXCEPTION_NOT_HANDLED in this case.

This becomes a bit tricky, since there are problems which immediately lead to a blue screen, such as an exception in kernel mode (this one) but there are also other problems, e.g. memory leaks, which can go undetected for a while and then crash later.

In your case, it is an immediate blue screen, so the process name is typically correct. You verified this by uninstalling in safe mode, I assume.

In that latter case (memory leak), the listed process name is not correct and other measures need to be taken. There might be different approaches for delayed crashes. I use driver verifier, which comes with Windows (Win+R, verifier.exe). You may want to read about it before using it, since it can be cumbersome to turn it off if it results in crashes during boot time.
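As an added example (not part of the question or of the answer above), here is a small Python parser for `!analyze -v` output that separates the two things the answer says to read: PROCESS_NAME (which process was running when the kernel crashed) and the faulting symbol, image and stack modules (where the fault actually lies). The sample input is an abridged copy of the dump text posted in the question; the WINDOWS_MODULES set and the "memory_corruption with only Windows modules on the stack" heuristic are my own assumptions, not anything WinDbg reports.

```python
"""Parse a WinDbg `!analyze -v` dump and separate 'what process was running'
from 'which module faulted'.  Added example; not from the question or answer."""
import re
from dataclasses import dataclass, field

# Constructed sample: an abridged copy of the `!analyze -v` text posted in the
# question (addresses and symbols as posted, most lines omitted).
SAMPLE = """\
2: kd> !analyze -v
KMODE_EXCEPTION_NOT_HANDLED (1e)
Arguments:
Arg1: ffffffffc0000005, The exception code that was not handled
Arg2: fffff80002ed05ce, The address that the exception occurred at
BUGCHECK_STR:  0x1E_c0000005_R
DEFAULT_BUCKET_ID:  WIN7_DRIVER_FAULT
PROCESS_NAME:  fsgk32.exe
CURRENT_IRQL:  2
STACK_TEXT:
fffff880`060eed48 fffff800`02f0a738 : 00000000`0000001e ffffffff`c0000005 fffff800`02ed05ce 00000000`00000000 : nt!KeBugCheckEx
fffff880`060ef760 fffff800`02ef006b : fffffa80`0aeff270 fffffa80`0efb1578 00000000`00000000 00000000`00000000 : nt!MiUnlinkPageFromLockedList+0x36e
fffff880`060efae0 00000000`772fe2be : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiPageFault+0x16e
00000000`0328fa18 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x772fe2be
SYMBOL_NAME:  nt!MiUnlinkPageFromLockedList+36e
MODULE_NAME: nt
IMAGE_NAME:  memory_corruption
FAILURE_BUCKET_ID:  X64_0x1E_c0000005_R_nt!MiUnlinkPageFromLockedList+36e
"""

BUGCHECK_RE = re.compile(r"^([A-Z][A-Z0-9_]+) \(([0-9a-f]+)\)$")
FIELD_RE = re.compile(r"^([A-Z][A-Z0-9_]+):\s*(.*)$")
ADDR = r"[0-9a-f]{8}`[0-9a-f]{8}"
FRAME_RE = re.compile(rf"^({ADDR}) ({ADDR}) : (?:{ADDR} ){{4}}: (\S.*)$")

# Assumption: modules that belong to Windows itself; anything else on the
# stack is a third-party driver candidate worth a closer look.
WINDOWS_MODULES = {"nt", "hal", "ntoskrnl"}


@dataclass
class Frame:
    child_sp: str
    ret_addr: str
    symbol: str

    @property
    def module(self):
        # "nt!KiPageFault+0x16e" -> "nt"; a bare "0x772fe2be" has no module
        # (in the sample it is a user-mode return address with no symbols).
        return self.symbol.split("!", 1)[0] if "!" in self.symbol else None


@dataclass
class CrashSummary:
    bugcheck: str = ""
    code: str = ""
    fields: dict = field(default_factory=dict)
    frames: list = field(default_factory=list)


def parse_analyze(text):
    """Extract the bugcheck name/code, KEY: value fields and STACK_TEXT frames."""
    summary = CrashSummary()
    for line in text.splitlines():
        line = line.strip()
        m = BUGCHECK_RE.match(line)
        if m and not summary.bugcheck:
            summary.bugcheck, summary.code = m.group(1), m.group(2)
            continue
        m = FRAME_RE.match(line)
        if m:
            summary.frames.append(Frame(m.group(1), m.group(2), m.group(3)))
            continue
        m = FIELD_RE.match(line)
        if m:
            summary.fields[m.group(1)] = m.group(2).strip()
    return summary


def assess(summary):
    """Put the process name next to what the stack and image fields say."""
    modules = [f.module for f in summary.frames if f.module]
    third_party = sorted({m for m in modules if m.lower() not in WINDOWS_MODULES})
    image = summary.fields.get("IMAGE_NAME", "")
    return {
        "bugcheck": summary.bugcheck,
        "process": summary.fields.get("PROCESS_NAME"),
        "faulting_symbol": summary.fields.get("SYMBOL_NAME"),
        "image": image,
        "stack_modules": sorted(set(modules)),
        "third_party_modules": third_party,
        "unresolved_frames": sum(1 for f in summary.frames if f.module is None),
        # Heuristic (assumption): IMAGE_NAME of memory_corruption with only
        # Windows modules on the stack means the debugger could not pin the
        # fault on a driver image.  PROCESS_NAME then says what was running,
        # not necessarily what corrupted memory; a driver or bad RAM is still
        # the thing to check.
        "suspect_memory_corruption": image == "memory_corruption" and not third_party,
    }


if __name__ == "__main__":
    for key, value in assess(parse_analyze(SAMPLE)).items():
        print(f"{key:>26}: {value}")
```

Running it on the sample reports `process: fsgk32.exe` alongside `image: memory_corruption`, an empty `third_party_modules` list and one unresolved user-mode frame, which is the situation the answer describes: the process name is a strong hint for an immediate crash, but the dump itself only proves that kernel memory was corrupted, so confirming the culprit still takes an uninstall test, a RAM test, or driver verifier.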