H3C CAS cloud platform: Windows 2003 repeated blue screens

Question
-
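The event log shows that the system has restarted unexpectedly (blue screen) many times.
Before April 1, Event Viewer showed a large number of NTFS-related errors, as many as a thousand! After April this error was no longer reported.
As of August 9, the blue screen dump log is as follows:
(1) First, the earlier blue screen errors pointed to the following components or system files:
1 netkvm.sys
2 An NDIS-related component
3 Pool_Corruption component
4 Idle
(2) The content of this dump log is as follows: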
Microsoft (R) Windows Debugger Version 10.0.18206.1001 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.

Loading Dump File [C:\Users\okami\Desktop\办公\杀杀杀\Mini080918-05.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

************* Path validation summary **************
Response                         Time (ms)     Location
Deferred                                       srv*
Symbol search path is: srv*
Executable search path is:
Unable to load image \WINDOWS\system32\ntkrnlpa.exe, Win32 error 0n2
*** WARNING: Unable to verify timestamp for ntkrnlpa.exe
*** ERROR: Module load completed but symbols could not be loaded for ntkrnlpa.exe
Windows Server 2003 Kernel Version 3790 (Service Pack 2) MP (4 procs) Free x86 compatible
Product: Server, suite: Enterprise TerminalServer SingleUserTS
Machine Name:
Kernel base = 0x80800000 PsLoadedModuleList = 0x808a6ea8
Debug session time: Thu Aug 9 13:23:33.734 2018 (UTC + 8:00)
System Uptime: 0 days 1:16:45.757
Unable to load image \WINDOWS\system32\ntkrnlpa.exe, Win32 error 0n2
*** WARNING: Unable to verify timestamp for ntkrnlpa.exe
*** ERROR: Module load completed but symbols could not be loaded for ntkrnlpa.exe
Loading Kernel Symbols
...............................................................
..............................................
Loading User Symbols
Loading unloaded module list
....

************* Symbol Loading Error Summary **************
Module name            Error
ntkrnlpa               The system cannot find the file specified

You can troubleshoot most symbol related issues by turning on symbol loading diagnostics (!sym noisy) and repeating the command that caused symbols to be loaded.
You should also verify that your symbol search path (.sympath) is correct.
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck C5, {0, d0000002, 1, 808921dd}

***** Kernel symbols are WRONG. Please fix symbols to do analysis.

Probably caused by : ntoskrnl.wrong.symbols.exe ( nt_wrong_symbols!45D69710256000 )

Followup: MachineOwner
---------

eax=f772713c ebx=d0000002 ecx=00000001 edx=00000000 esi=f7727120 edi=00000000
eip=8088c963 esp=b8e7e990 ebp=b8e7e9a8 iopl=0 nv up ei ng nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000286
nt+0x8c963:
8088c963 833da0628a8000 cmp dword ptr [nt+0xa62a0 (808a62a0)],0 ds:0023:808a62a0=????????
1: kd> !anaylez
No export anaylez found
1: kd> !anaylez -v
No export anaylez found
1: kd> !analyze
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck C5, {0, d0000002, 1, 808921dd}

***** Kernel symbols are WRONG. Please fix symbols to do analysis.

Probably caused by : ntoskrnl.wrong.symbols.exe ( nt_wrong_symbols!45D69710256000 )

Followup: MachineOwner
---------

1: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

DRIVER_CORRUPTED_EXPOOL (c5)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is
caused by drivers that have corrupted the system pool. Run the driver
verifier against any new (or suspect) drivers, and if that doesn't turn up
the culprit, then use gflags to enable special pool.
Arguments:
Arg1: 00000000, memory referenced
Arg2: d0000002, IRQL
Arg3: 00000001, value 0 = read operation, 1 = write operation
Arg4: 808921dd, address which referenced memory

Debugging Details:
------------------

***** Kernel symbols are WRONG. Please fix symbols to do analysis.

*************************************************************************
***                                                                   ***
***                                                                   ***
***    Either you specified an unqualified symbol, or your debugger   ***
***    doesn't have full symbol information. Unqualified symbol       ***
***    resolution is turned off by default. Please either specify a   ***
***    fully qualified symbol module!symbolname, or enable resolution ***
***    of unqualified symbols by typing ".symopt- 100". Note that     ***
***    enabling unqualified symbol resolution with network symbol     ***
***    server shares in the symbol path may cause the debugger to     ***
***    appear to hang for long periods of time when an incorrect      ***
***    symbol name is typed or the network symbol server is down.     ***
***                                                                   ***
***    For some commands to work properly, your symbol path           ***
***    must point to .pdb files that have full type information.      ***
***                                                                   ***
***    Certain .pdb files (such as the public OS symbols) do not      ***
***    contain the required information. Contact the group that       ***
***    provided you with these symbols if you need this command to    ***
***    work.                                                          ***
***                                                                   ***
***    Type referenced: nt!_KPRCB                                     ***
***                                                                   ***
*************************************************************************

KEY_VALUES_STRING: 1
STACKHASH_ANALYSIS: 1
TIMELINE_ANALYSIS: 1
DUMP_CLASS: 1
DUMP_QUALIFIER: 400
SYSTEM_MANUFACTURER: QEMU
SYSTEM_PRODUCT_NAME: Standard PC (i440FX + PIIX, 1996)
SYSTEM_VERSION: pc-i440fx-2.1
BIOS_VENDOR: SeaBIOS
BIOS_VERSION: rel-1.7.5-0-ge51488c-20140602_164612-nilsson.home.kraxel.org
BIOS_DATE: 04/01/2014
ADDITIONAL_DEBUG_TEXT: You can run '.symfix; .reload' to try to fix the symbol path and load symbols.
WRONG_SYMBOLS_TIMESTAMP: 45d69710
WRONG_SYMBOLS_SIZE: 256000
FAULTING_MODULE: 80800000 nt
DEBUG_FLR_IMAGE_TIMESTAMP: 45d69710
DUMP_TYPE: 2
BUGCHECK_P1: 0
BUGCHECK_P2: ffffffffd0000002
BUGCHECK_P3: 1
BUGCHECK_P4: ffffffff808921dd
BUGCHECK_STR: 45D69710
CURRENT_IRQL: 0
FAULTING_IP:
nt+921dd
808921dd ?? ???
CPU_COUNT: 4
CPU_MHZ: 895
CPU_VENDOR: GenuineIntel
CPU_FAMILY: f
CPU_MODEL: 6
CPU_STEPPING: 3
CPU_MICROCODE: 0,0,0,0 (F,M,S,R) SIG: 1'00000000 (cache) 0'00000000 (init)
CUSTOMER_CRASH_COUNT: 5
ANALYSIS_SESSION_HOST: DESKTOP-GOIBQT8
ANALYSIS_SESSION_TIME: 08-09-2018 15:43:41.0410
ANALYSIS_VERSION: 10.0.18206.1001 amd64fre
LAST_CONTROL_TRANSFER: from 808921dd to 8088c963
STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
b8e7e9a8 808921dd badb0d00 8be51000 8cae9718 nt+0x8c963
b8e7ea54 808928c3 808aeae0 8c32b000 8bed5f00 nt+0x921dd
b8e7eaac f720cf14 8bed5f00 63694d46 00000000 nt+0x928c3
b8e7eac8 f720f03f 8bed5f00 00000000 8c2f16f7 fltMgr+0x1f14
b8e7eae0 f720f4f1 8bed5f5c 8c2f1588 b8e7eb20 fltMgr+0x403f
b8e7eaf0 8081e103 8ca31020 8c2f1588 8bed5f00 fltMgr+0x44f1
b8e7eb20 f7b501dc e2afa6c8 0000000e b8e7eb94 nt+0x1e103
b8e7eb30 f7b9b678 8c9b4ef8 8c2f1588 00000000 Ntfs+0x61dc
b8e7eb94 f7b53fd8 8c9b4ef8 8c2f1588 8caec188 Ntfs+0x51678
b8e7ebfc 8081df65 8cae9718 8c2f1588 8c2f1588 Ntfs+0x9fd8
b8e7ec10 f720fd28 8bed5f00 8cce4638 00000000 nt+0x1df65
b8e7ec3c 8081df65 8caec188 8c2f1588 8c2f1588 fltMgr+0x4d28
b8e7ec50 f720fb25 8ca31020 8c2f1588 8c3cf2c0 nt+0x1df65
b8e7ec74 f720fcf5 b8e7ec94 8ca31020 00000000 fltMgr+0x4b25
b8e7ecac 8081df65 8ca31020 8c2f1588 8c6217a0 fltMgr+0x4cf5
b8e7ecc0 808f1081 b8e7ed64 00f2fac4 808f0ae2 nt+0x1df65
b8e7ed48 8088978c 000006e8 00f2fae8 00f2faf0 nt+0xf1081
b8e7ed64 7c9585ec badb0d00 00f2fab0 00000000 nt+0x8978c
b8e7ed68 badb0d00 00f2fab0 00000000 00000000 0x7c9585ec
b8e7ed6c 00f2fab0 00000000 00000000 00000000 0xbadb0d00
b8e7ed70 00000000 00000000 00000000 00000000 0xf2fab0
THREAD_SHA1_HASH_MOD_FUNC: c705996dbe96129d1410883bbbe62705772023a0
THREAD_SHA1_HASH_MOD_FUNC_OFFSET: ed56162c73778ec7ccfd766145989bd3cf831379
THREAD_SHA1_HASH_MOD: c705996dbe96129d1410883bbbe62705772023a0
FOLLOWUP_IP:
nt+921dd
808921dd ?? ???
SYMBOL_STACK_INDEX: 1
FOLLOWUP_NAME: MachineOwner
STACK_COMMAND: .thread ; .cxr ; kb
EXCEPTION_CODE: (Win32) 0x45d69710 (1171691280) - <Unable to get error code text>
EXCEPTION_CODE_STR: 45D69710
EXCEPTION_STR: WRONG_SYMBOLS
PROCESS_NAME: ntoskrnl.wrong.symbols.exe
IMAGE_NAME: ntoskrnl.wrong.symbols.exe
MODULE_NAME: nt_wrong_symbols
SYMBOL_NAME: nt_wrong_symbols!45D69710256000
BUCKET_ID: WRONG_SYMBOLS_X86_TIMESTAMP_070217-054800
DEFAULT_BUCKET_ID: WRONG_SYMBOLS_X86_TIMESTAMP_070217-054800
PRIMARY_PROBLEM_CLASS: WRONG_SYMBOLS
FAILURE_BUCKET_ID: WRONG_SYMBOLS_X86_TIMESTAMP_070217-054800_45D69710_nt_wrong_symbols!45D69710256000
TARGET_TIME: 2018-08-09T05:23:33.000Z
OSBUILD: 3790
OSSERVICEPACK: 2000
SERVICEPACK_NUMBER: 2
OS_REVISION: 0
SUITE_MASK: 274
PRODUCT_TYPE: 3
OSPLATFORM_TYPE: x86
OSNAME: Windows Server 2003
OSEDITION: Windows Server 2003 Server (Service Pack 2) Enterprise TerminalServer SingleUserTS
OS_LOCALE:
USER_LCID: 0
OSBUILD_TIMESTAMP: 2007-02-17 13:48:00
ANALYSIS_SESSION_ELAPSED_TIME: f2
ANALYSIS_SOURCE: KM
FAILURE_ID_HASH_STRING: km:wrong_symbols_x86_timestamp_070217-054800_45d69710_nt_wrong_symbols!45d69710256000
FAILURE_ID_HASH: {c9bc7d79-7381-ab81-6881-5d3df90751ad}
Followup: MachineOwner
---------
Answers
-
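Your WinDBG analysis tool does not have symbols set up correctly, so it did not produce an accurate analysis result. However, judging from the 0x000000C5 error, this is generally caused by a hardware compatibility problem or an incorrect hardware device driver, including virtual device drivers.
Given the frequent NTFS errors earlier, I suspect it may be a disk problem; check whether the server's hard disk indicator lights show an alarm.
Alexis Zhang
http://mvp.microsoft.com/zh-cn/mvp/Jie%20Zhang-4000545
http://blogs.itecn.net/blogs/alexis
Accessing the forum as a newsgroup through NNTP Bridge is recommended.
This post is a reply; the original poster is <Fan Yang2011> above;
| Before April 1, Event Viewer showed a large number of NTFS-related errors, as many as a thousand! After April this error was no longer reported.
| As of August 9, the blue screen dump log is as follows:
- Marked as answer by Alexis Zhang (MVP, Moderator), Friday, August 24, 2018, 14:51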
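Added example, not part of the original thread and not Microsoft tooling: a small Python triage script for a saved WinDbg log like the one in the question. It reports whether the debugger flagged wrong kernel symbols (in which case the blamed image is only a placeholder), decodes the C5 arguments as the log labels them, and lists the modules seen in STACK_TEXT; the function names `triage` and `stack_modules` and the embedded sample, a shortened excerpt of the posted log, are assumptions of this example.

```python
import re

# Constructed sample: a shortened excerpt of the debugger log in the question.
SAMPLE_LOG = """\
BugCheck C5, {0, d0000002, 1, 808921dd}
***** Kernel symbols are WRONG. Please fix symbols to do analysis.
Probably caused by : ntoskrnl.wrong.symbols.exe ( nt_wrong_symbols!45D69710256000 )
STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
b8e7e9a8 808921dd badb0d00 8be51000 8cae9718 nt+0x8c963
b8e7ea54 808928c3 808aeae0 8c32b000 8bed5f00 nt+0x921dd
b8e7eac8 f720f03f 8bed5f00 00000000 8c2f16f7 fltMgr+0x1f14
b8e7eb20 f7b501dc e2afa6c8 0000000e b8e7eb94 nt+0x1e103
b8e7eb30 f7b9b678 8c9b4ef8 8c2f1588 00000000 Ntfs+0x61dc
b8e7ed68 badb0d00 00f2fab0 00000000 00000000 0x7c9585ec
FOLLOWUP_IP:
"""

BUGCHECK_RE = re.compile(r"BugCheck\s+([0-9A-Fa-f]+),\s*\{([^}]*)\}")
CAUSE_RE = re.compile(r"Probably caused by\s*:\s*(\S+)")
# kb frame layout: ChildEBP, RetAddr, three argument dwords, then the symbol.
FRAME_RE = re.compile(r"^(?:[0-9a-fA-F]{8}\s+){5}(\S+)$")
WRONG_SYMBOL_MARKERS = ("Kernel symbols are WRONG", "WRONG_SYMBOLS")
# Argument meanings for bugcheck C5 as printed by !analyze -v in the log.
C5_ARGS = ("memory_referenced", "irql", "write_operation", "faulting_address")

def stack_modules(log):
    """Modules in STACK_TEXT, top of stack first, consecutive repeats merged."""
    modules, in_stack, frames_seen = [], False, False
    for line in log.splitlines():
        line = line.strip()
        if not in_stack:
            in_stack = line.startswith("STACK_TEXT:")
            continue
        frame = FRAME_RE.match(line)
        if frame is None:
            if frames_seen:
                break          # first non-frame line after the frames ends the stack
            continue           # e.g. the "Stack unwind information" warning
        frames_seen = True
        symbol = frame.group(1)
        if symbol.lower().startswith("0x"):
            continue           # raw address, no owning module resolved
        module = re.split(r"[+!]", symbol, maxsplit=1)[0]
        if not modules or modules[-1] != module:
            modules.append(module)
    return modules

def triage(log):
    """Summarise a saved WinDbg log; returns None if it has no BugCheck line."""
    m = BUGCHECK_RE.search(log)
    if m is None:
        return None
    code = int(m.group(1), 16)
    args = [int(a, 16) for a in m.group(2).split(",")]
    symbols_ok = not any(marker in log for marker in WRONG_SYMBOL_MARKERS)
    cause = CAUSE_RE.search(log)
    return {
        "bugcheck": code,
        "args": dict(zip(C5_ARGS, args)) if code == 0xC5 else args,
        "symbols_ok": symbols_ok,
        # With wrong symbols the blamed image is a placeholder, so drop it.
        "blamed_image": cause.group(1) if cause and symbols_ok else None,
        "stack_modules": stack_modules(log),
        "next_step": None if symbols_ok else ".symfix; .reload; !analyze -v",
    }

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

The `next_step` string repeats the commands the debugger output itself suggests; rerun the analysis with correct symbols before acting on any module attribution.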
All replies
-
-
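Was this problem resolved in the end?
Alexis Zhang
http://mvp.microsoft.com/zh-cn/mvp/Jie%20Zhang-4000545
http://blogs.itecn.net/blogs/alexis
Accessing the forum as a newsgroup through NNTP Bridge is recommended.
This post is a reply; the original poster is <Fan Yang2011> above;
| The event log shows that the system has restarted unexpectedly (blue screen) many times.
| Before April 1, Event Viewer showed a large number of NTFS-related errors, as many as a thousand! After April this error was no longer reported.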