qingshuizilan
Driver blue screen related to ntkrnlpa.exe; not sure how to analyze the dump file

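Original poster #
Posted: 2010-05-26 16:12
My driver caused a blue screen. Judging from the dump file, ntkrnlpa.exe is the cause. What should I do next? Did my driver misuse memory somewhere? I have not run into this kind of problem before. Could the experts suggest an approach? My dump file is as follows: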

Microsoft (R) Windows Debugger Version 6.10.0003.233 X86
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [C:\Mini051910-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: srv*d:\symbs*http://msdl.microsoft.com/download/symbols;E:\BigLocal\objchk_wxp_x86\i386;srv*C:\symb\Symbols*http://msdl.microsoft.com/download/symbols
Executable search path is: E:\BigLocal\objchk_wxp_x86\i386
Windows XP Kernel Version 2600 (Service Pack 2) UP Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 2600.xpsp_sp2_rtm.040803-2158
Machine Name:
Kernel base = 0x804d8000 PsLoadedModuleList = 0x805541a0
Debug session time: Wed May 19 09:54:51.023 2010 (GMT+8)
System Uptime: 0 days 0:02:23.640
Loading Kernel Symbols
...............................................................
................................................................

Loading User Symbols
Loading unloaded module list
.........
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 1000000A, {4, 2, 0, 804e4518}

Probably caused by : ntkrnlpa.exe ( nt!CcFlushCache+6c )

Followup: MachineOwner
---------

kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high.  This is usually
caused by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.
Arguments:
Arg1: 00000004, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000000, bitfield :
    bit 0 : value 0 = read operation, 1 = write operation
    bit 3 : value 0 = not an execute operation, 1 = execute operation (only on chips which support this level of status)
Arg4: 804e4518, address which referenced memory

Debugging Details:
------------------


READ_ADDRESS:  00000004

CURRENT_IRQL:  2

FAULTING_IP:
nt!CcFlushCache+6c
804e4518 8b7004          mov     esi,dword ptr [eax+4]

CUSTOMER_CRASH_COUNT:  1

DEFAULT_BUCKET_ID:  DRIVER_FAULT

BUGCHECK_STR:  0xA

PROCESS_NAME:  System

LAST_CONTROL_TRANSFER:  from 804e4b40 to 804e4518

STACK_TEXT:  
f7a30ce8 804e4b40 00000000 00000000 00000001 nt!CcFlushCache+0x6c
f7a30d2c 804e716a 865b3218 8055b1c0 865b65b8 nt!CcWriteBehind+0xdc
f7a30d74 80534dd0 865b3218 00000000 865b65b8 nt!CcWorkerThread+0x126
f7a30dac 805c5a28 865b3218 00000000 00000000 nt!ExpWorkerThread+0x100
f7a30ddc 80541fa2 80534cd0 00000000 00000000 nt!PspSystemThreadStartup+0x34
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16


STACK_COMMAND:  kb

FOLLOWUP_IP:
nt!CcFlushCache+6c
804e4518 8b7004          mov     esi,dword ptr [eax+4]

SYMBOL_STACK_INDEX:  0

SYMBOL_NAME:  nt!CcFlushCache+6c

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: nt

IMAGE_NAME:  ntkrnlpa.exe

DEBUG_FLR_IMAGE_TIMESTAMP:  41107b0c

FAILURE_BUCKET_ID:  0xA_nt!CcFlushCache+6c

BUCKET_ID:  0xA_nt!CcFlushCache+6c

Followup: MachineOwner
---------

kd> lmvm nt
start    end        module name
804d8000 806ce100   nt         (pdb symbols)          d:\symbs\ntkrnlpa.pdb\BD8F451F3E754ED8A34B50560CEB08E31\ntkrnlpa.pdb
    Loaded symbol image file: ntkrnlpa.exe
    Mapped memory image file: d:\symbs\ntkrnlpa.exe\41107B0C1f6100\ntkrnlpa.exe
    Image path: ntkrnlpa.exe
    Image name: ntkrnlpa.exe
    Timestamp:        Wed Aug 04 13:58:36 2004 (41107B0C)
    CheckSum:         001F6612
    ImageSize:        001F6100
    File version:     5.1.2600.2180
    Product version:  5.1.2600.2180
    File flags:       0 (Mask 3F)
    File OS:          40004 NT Win32
    File type:        1.0 App
    File date:        00000000.00000000
    Translations:     0804.04b0
    CompanyName:      Microsoft Corporation
    ProductName:      Microsoft(R) Windows(R) Operating System
    InternalName:     ntkrnlpa.exe
    OriginalFilename: ntkrnlpa.exe
    ProductVersion:   5.1.2600.2180
    FileVersion:      5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
    FileDescription:  NT Kernel & System
    LegalCopyright:   (C) Microsoft Corporation. All rights reserved.
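
A small triage script for the `!analyze -v` text above, added here as an example and not part of the original post. It reads the bugcheck 0xA arguments, the faulting instruction and the stack frames; the function names `parse_analyze` and `triage` are hypothetical, and the sample is an excerpt of the output the poster pasted.

```python
import re

# Excerpt of the `!analyze -v` output from the post above, trimmed to the
# fields the parser reads.
SAMPLE = """\
IRQL_NOT_LESS_OR_EQUAL (a)
Arg1: 00000004, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000000, bitfield :
Arg4: 804e4518, address which referenced memory
FAULTING_IP:
nt!CcFlushCache+6c
804e4518 8b7004          mov     esi,dword ptr [eax+4]
STACK_TEXT:
f7a30ce8 804e4b40 00000000 00000000 00000001 nt!CcFlushCache+0x6c
f7a30d2c 804e716a 865b3218 8055b1c0 865b65b8 nt!CcWriteBehind+0xdc
f7a30d74 80534dd0 865b3218 00000000 865b65b8 nt!CcWorkerThread+0x126
"""

def parse_analyze(text):
    """Extract bugcheck code, arguments, faulting instruction and stack frames."""
    name = re.search(r"^(\w+) \(([0-9a-fA-F]+)\)\s*$", text, re.M)
    insn = re.search(r"^FAULTING_IP:\s*\n\S+\n[0-9a-f]{8} [0-9a-f]+\s+(.+)$", text, re.M)
    return {
        "name": name.group(1) if name else None,
        "code": int(name.group(2), 16) if name else None,
        "args": [int(v, 16) for v in re.findall(r"^Arg\d: ([0-9a-fA-F]{8})", text, re.M)],
        "insn": insn.group(1).strip() if insn else "",
        # (module, function) per frame: ChildEBP RetAddr Arg Arg Arg module!func+0xNN
        "frames": re.findall(
            r"^[0-9a-f]{8} [0-9a-f]{8} (?:[0-9a-f]{8} ){3}(\w+)!(\w+)\+0x[0-9a-f]+\s*$",
            text, re.M),
    }

def triage(info):
    """Return plain-text findings for a bugcheck 0xA (IRQL_NOT_LESS_OR_EQUAL)."""
    findings = []
    if info["code"] == 0xA and len(info["args"]) == 4:
        addr, irql, access, _ip = info["args"]
        op = "write" if access & 1 else "read"
        if addr < 0x1000:  # address in the first page: NULL base plus a field offset
            findings.append(f"{op} of 0x{addr:x} at IRQL {irql}: NULL-based structure access")
        mem = re.search(r"\[(\w+)\+([0-9a-f]+)h?\]", info["insn"])
        if mem and int(mem.group(2), 16) == addr:
            findings.append(f"{mem.group(1)} was 0 when '{info['insn']}' ran")
    if info["frames"] and {m for m, _ in info["frames"]} == {"nt"}:
        findings.append("every stack frame is in nt; the stack names no third-party driver")
    return findings
```

Calling `triage(parse_analyze(SAMPLE))` returns three findings for this dump: a read of 0x4 at IRQL 2, `eax` equal to 0 at the faulting instruction, and a stack made up only of `nt` frames.
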
dragonltx
Reply #1
Posted: 2010-05-27 16:29
Please post the code that is failing! Just looking at this, it is not clear where the error is!
qingshuizilan
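Reply #2
Posted: 2010-05-28 08:57
In reply to post #1 (dragonltx)
I am doing file filtering, modified from the sfilter in tooflat. Filtering files on a USB drive works fine, but filtering files on the hard disk causes a blue screen. I don't know where it goes wrong.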
wanghui219
Reply #3
Posted: 2010-05-28 09:02
This user has been banned from posting; this post is automatically hidden!
qingshuizilan
Reply #4
Posted: 2010-05-28 10:58
In reply to post #3 (wanghui219)
It should be a problem with my driver, not a problem with ntkrnlpa.exe.
thinkevd
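Reply #5
Posted: 2010-07-18 08:57
I have the same problem as you. The strange thing is that in both cases it is the ntkrnlpa.exe file under the symbols directory. If anyone has an answer, I would be very grateful!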

[QUOTE]
Microsoft (R) Windows Debugger Version 6.12.0002.633 X86
Copyright (c) Microsoft Corporation. All rights reserved.
 
 
Loading Dump File [C:\Users\Gavin\Desktop\071810-18267-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available
 
Symbol search path is:
SRV*c:\websymbols*////msdl.microsoft.com/download/symbols
Executable search path is:
Windows 7 Kernel Version 7600 MP (2 procs) Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 7600.16539.x86fre.win7_gdr.100226-1909
Machine Name:
Kernel base = 0x84248000 PsLoadedModuleList = 0x84390810
Debug session time: Sun Jul 18 07:50:49.962 2010 (UTC + 8:00)
System Uptime: 0 days 0:53:16.024
Loading Kernel Symbols
...............................................................
................................................................
.....................
Loading User Symbols
Loading unloaded module list
......
0: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************
 
ATTEMPTED_SWITCH_FROM_DPC (b8)
A wait operation, attach process, or yield was attempted from a DPC
routine.
This is an illegal operation and the stack track will lead to the offending
code and original DPC routine.
Arguments:
Arg1: 860be5d8, Original thread which is the cause of the failure
Arg2: 86316030, New thread
Arg3: b0f2dfd0, Stack address of the original thread
Arg4: 00000000
 
Debugging Details:
------------------
 
 
FAULTING_THREAD:  860be5d8
 
CUSTOMER_CRASH_COUNT:  1
 
DEFAULT_BUCKET_ID:  VISTA_DRIVER_FAULT
 
BUGCHECK_STR:  0xB8
 
PROCESS_NAME:  iexplore.exe
 
CURRENT_IRQL:  2
 
LAST_CONTROL_TRANSFER:  from 842afcfd to 84324d10
 
STACK_TEXT:
99d17cc0 842afcfd 000000b8 860be5d8 86316030 nt!KeBugCheckEx+0x1e
99d17cec 84216924 99d17d34 86951284 00200006 nt!SwapContext_XRstorEnd+0x105
99d17d00 84216b29 84371c02 99d17d34 30a972d8 hal!HalpDispatchSoftwareInterrupt+0x5e
99d17d18 84216cc3 86d55008 99d17d34 842874f3 hal!HalpCheckForSoftwareInterrupt+0x83
99d17d24 842874f3 00000000 00000092 067cb728 hal!HalEndSystemInterrupt+0x67
99d17d24 6abea617 00000000 00000092 067cb728 nt!KiChainedDispatch+0x73
WARNING: Frame IP not in any known module. Following frames may be wrong.
067cb728 00000000 00000000 00000000 00000000 0x6abea617
 
 
STACK_COMMAND:  .thread 0xffffffff860be5d8 ; kb
 
FOLLOWUP_IP:
nt!SwapContext_XRstorEnd+105
842afcfd c3              ret
 
SYMBOL_STACK_INDEX:  1
 
SYMBOL_NAME:  nt!SwapContext_XRstorEnd+105
 
FOLLOWUP_NAME:  MachineOwner
 
MODULE_NAME: nt
 
 
 
IMAGE_NAME:  ntkrpamp.exe
 
DEBUG_FLR_IMAGE_TIMESTAMP:  4b88cacf
 
FAILURE_BUCKET_ID:  0xB8_nt!SwapContext_XRstorEnd+105
 
BUCKET_ID:  0xB8_nt!SwapContext_XRstorEnd+105
 
Followup: MachineOwner
---------
 
0: kd> lmvm nt
start    end        module name
84248000 84658000   nt         (pdb symbols)          c:\websymbols\ntkrpamp.pdb\A0D85B412D774C83B08EF4AE749A8B582\ntkrpamp.pdb
      Loaded symbol image file: ntkrpamp.exe
      Mapped memory image file: c:\websymbols\ntkrnlpa.exe\4B88CACF410000\ntkrnlpa.exe
      Image path: ntkrpamp.exe
      Image name: ntkrpamp.exe
      Timestamp:        Sat Feb 27 15:33:35 2010 (4B88CACF)
      CheckSum:         003C7867
      ImageSize:        00410000
      File version:     6.1.7600.16539
      Product version:  6.1.7600.16539
      File flags:       0 (Mask 3F)
      File OS:          40004 NT Win32
      File type:        1.0 App
      File date:        00000000.00000000
      Translations:     0409.04b0
      CompanyName:      Microsoft Corporation
      ProductName:      Microsoft(R) Windows(R) Operating System
      InternalName:     ntkrpamp.exe
      OriginalFilename: ntkrpamp.exe
      ProductVersion:   6.1.7600.16539
      FileVersion:      6.1.7600.16539 (win7_gdr.100226-1909)
      FileDescription:  NT Kernel & System
      LegalCopyright:   (C) Microsoft Corporation. All rights reserved.
[/QUOTE]