Help! Multiple 2008 R2 servers blue-screened repeatedly within one day.

  • Question

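  • Hi everyone, my company has a dozen or so Sugon (曙光) 640r-g servers running Windows 2008 R2 with Intel(R) Gigabit ET Quad Port Server Adapter NICs. Within one day, several of them blue-screened one after another; even standby servers carrying no business load blue-screened. The Linux machines had no problems. A quick analysis of the dumps shows that the crashes are mostly concentrated in network-related kernel modules. But we do not yet know the specific cause, whether it is an attack or a virus, a vulnerability or a bug, or what we need to do to guard against this problem. We hope to get some help and guidance. Thanks in advance!
    Here are a few dump analysis logs. There are several dozen dumps; for reasons of space I am posting only 3 full-dump analyses and one minidump analysis. I would appreciate your opinions.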

    DUMP1:
    Microsoft (R) Windows Debugger Version 6.12.0002.633 AMD64
    Copyright (c) Microsoft Corporation. All rights reserved.


    Kernel Summary Dump File: Only kernel address space is available

    Symbol search path is: srv*d:\symbols*http://msdl.microsoft.com/download/symbols;cache*d:\symbols;SRV*D:\symbols\*http://msdl.microsoft.com/download/symbols
    Executable search path is: 
    Windows 7 Kernel Version 7600 MP (24 procs) Free x64
    Product: Server, suite: Enterprise TerminalServer SingleUserTS
    Built by: 7600.16385.amd64fre.win7_rtm.090713-1255
    Machine Name:
    Kernel base = 0xfffff800`01861000 PsLoadedModuleList = 0xfffff800`01a9ee50
    Debug session time: Tue Jun  9 09:13:49.980 2015 (UTC + 8:00)
    System Uptime: 418 days 6:21:17.901
    Loading Kernel Symbols
    ...............................................................
    ........................................Page 136daa1 not present in the dump file. Type ".hh dbgerr004" for details
    ..Page 748893 not present in the dump file. Type ".hh dbgerr004" for details
    ......................
    ...
    Loading User Symbols
    PEB is paged out (Peb.Ldr = 000007ff`fffd6018).  Type ".hh dbgerr001" for details
    Loading unloaded module list
    ................................
    *******************************************************************************
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    *******************************************************************************

    Use !analyze -v to get detailed debugging information.

    BugCheck 50, {fffffa8085412000, 1, fffff800018c2631, 0}

    Page 748893 not present in the dump file. Type ".hh dbgerr004" for details
    Page 136daa1 not present in the dump file. Type ".hh dbgerr004" for details
    Probably caused by : HTTP.sys ( HTTP!UlBuildFastRangeCacheMdlChain+3f7 )

    Followup: MachineOwner
    ---------

    6: kd> !analyze -v
    *******************************************************************************
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    *******************************************************************************

    PAGE_FAULT_IN_NONPAGED_AREA (50)
    Invalid system memory was referenced.  This cannot be protected by try-except,
    it must be protected by a Probe.  Typically the address is just plain bad or it
    is pointing at freed memory.
    Arguments:
    Arg1: fffffa8085412000, memory referenced.
    Arg2: 0000000000000001, value 0 = read operation, 1 = write operation.
    Arg3: fffff800018c2631, If non-zero, the instruction address which referenced the bad memory
    address.
    Arg4: 0000000000000000, (reserved)

    Debugging Details:
    ------------------

    Page 748893 not present in the dump file. Type ".hh dbgerr004" for details
    Page 136daa1 not present in the dump file. Type ".hh dbgerr004" for details

    WRITE_ADDRESS:  fffffa8085412000 Nonpaged pool

    FAULTING_IP: 
    nt!IoBuildPartialMdl+101
    fffff800`018c2631 4889440af8      mov     qword ptr [rdx+rcx-8],rax

    MM_INTERNAL_CODE:  0

    DEFAULT_BUCKET_ID:  VISTA_DRIVER_FAULT

    BUGCHECK_STR:  0x50

    PROCESS_NAME:  w3wp.exe

    CURRENT_IRQL:  0

    TRAP_FRAME:  fffff880280bcfa0 -- (.trap 0xfffff880280bcfa0)
    NOTE: The trap frame does not contain all registers.
    Some register values may be zeroed or incorrect.
    rax=0000000000000020 rbx=0000000000000000 rcx=fffffa80849dabb8
    rdx=0000000000a37450 rsi=0000000000000000 rdi=0000000000000000
    rip=fffff800018c2631 rsp=fffff880280bd130 rbp=0000000000000000
     r8=00000000000fcdaf  r9=0000000000000012 r10=fffffa80849c1900
    r11=fffffa80853f8d50 r12=0000000000000000 r13=0000000000000000
    r14=0000000000000000 r15=0000000000000000
    iopl=0         nv up ei pl nz na po cy
    nt!IoBuildPartialMdl+0x101:
    fffff800`018c2631 4889440af8      mov     qword ptr [rdx+rcx-8],rax ds:fffffa80`85412000=????????????????
    Resetting default scope

    LAST_CONTROL_TRANSFER:  from fffff800019521e4 to fffff800018d2f00

    STACK_TEXT:  
    fffff880`280bce38 fffff800`019521e4 : 00000000`00000050 fffffa80`85412000 00000000`00000001 fffff880`280bcfa0 : nt!KeBugCheckEx
    fffff880`280bce40 fffff800`018d0fee : 00000000`00000001 fffffa80`8561f012 fffffa80`8533c700 fffff800`01a5e440 : nt! ?? ::FNODOBFM::`string'+0x42907
    fffff880`280bcfa0 fffff800`018c2631 : 00000000`00000171 fffff880`07b36504 00000000`00000009 fffff880`280bd468 : nt!KiPageFault+0x16e
    fffff880`280bd130 fffff880`07ba94c7 : 00000000`00000000 00000000`0000014e fffffa80`849c1900 fffffa80`0000000a : nt!IoBuildPartialMdl+0x101
    fffff880`280bd170 fffff880`07b8ce82 : fffffa80`853f8bd0 00000000`00000000 fffffa80`853f8bd0 fffff8a0`0f6ab010 : HTTP!UlBuildFastRangeCacheMdlChain+0x3f7
    fffff880`280bd240 fffff880`07b8068f : ffffffff`ffffffff fffffa80`85355010 fffffa80`5232f010 fffff8a0`0f6ab010 : HTTP! ?? ::NNGAKEGL::`string'+0x67b5
    fffff880`280bd330 fffff880`07b80f22 : fffffa80`85355000 fffffa80`00000000 fffff880`00000000 00000000`00000000 : HTTP!UlpCompleteCacheBuildWorker+0x15f
    fffff880`280bd450 fffff880`07b80ca5 : fffffa80`85355010 fffffa80`849b7c80 fffffa80`5713e980 00000000`00000000 : HTTP!UlBuildCacheEntryWorker+0x242
    fffff880`280bd510 fffff880`07b80a0e : fffffa80`84fa2010 fffffa80`5713e980 00000000`00000020 00000000`00000001 : HTTP!UlpBuildCacheEntry+0x255
    fffff880`280bd5c0 fffff880`07b79e67 : fffffa80`84fa2000 fffffa80`84fb00c8 fffffa80`8524f650 00000000`00000001 : HTTP!UlCacheAndSendResponse+0x12e
    fffff880`280bd640 fffff800`01beb3a7 : fffffa80`853849e0 fffffa80`853849e0 fffffa80`853849e0 fffffa80`853849e0 : HTTP!UlSendHttpResponseIoctl+0x17e6
    fffff880`280bda10 fffff800`01bebc06 : fffffa80`7c6d9060 00000000`00000000 00000000`00000000 00000000`0158f558 : nt!IopXxxControlFile+0x607
    fffff880`280bdb40 fffff800`018d2153 : fffffa80`7c6d9060 00000000`00000001 fffffa80`8533c7b0 fffff800`01be6094 : nt!NtDeviceIoControlFile+0x56
    fffff880`280bdbb0 00000000`770dff2a : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13
    00000000`02caf678 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x770dff2a


    STACK_COMMAND:  kb

    FOLLOWUP_IP: 
    HTTP!UlBuildFastRangeCacheMdlChain+3f7
    fffff880`07ba94c7 488b4768        mov     rax,qword ptr [rdi+68h]

    SYMBOL_STACK_INDEX:  4

    SYMBOL_NAME:  HTTP!UlBuildFastRangeCacheMdlChain+3f7

    FOLLOWUP_NAME:  MachineOwner

    MODULE_NAME: HTTP

    IMAGE_NAME:  HTTP.sys

    DEBUG_FLR_IMAGE_TIMESTAMP:  4a5bc1a8

    FAILURE_BUCKET_ID:  X64_0x50_HTTP!UlBuildFastRangeCacheMdlChain+3f7

    BUCKET_ID:  X64_0x50_HTTP!UlBuildFastRangeCacheMdlChain+3f7

    Followup: MachineOwner
    ---------



    DUMP2:
    Symbol search path is: srv*d:\symbols*http://msdl.microsoft.com/download/symbols;cache*d:\symbols;SRV*D:\symbols\*http://msdl.microsoft.com/download/symbols
    Executable search path is: 
    Windows 7 Kernel Version 7600 MP (24 procs) Free x64
    Product: Server, suite: Enterprise TerminalServer SingleUserTS
    Built by: 7600.16385.amd64fre.win7_rtm.090713-1255
    Machine Name:
    Kernel base = 0xfffff800`0180a000 PsLoadedModuleList = 0xfffff800`01a47e50
    Debug session time: Tue Jun  9 09:30:28.397 2015 (UTC + 8:00)
    System Uptime: 0 days 0:07:01.944
    Loading Kernel Symbols
    ...............................................................
    ................................................................
    ..
    Loading User Symbols

    Loading unloaded module list
    .....
    *******************************************************************************
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    *******************************************************************************

    Use !analyze -v to get detailed debugging information.

    BugCheck 7E, {ffffffffc0000005, fffff880084ff472, fffff8800925f898, fffff8800925f0f0}

    Probably caused by : HTTP.sys ( HTTP!UlpRestartSendHttpResponseIoctl+52 )

    Followup: MachineOwner
    ---------

    0: kd> !analyze -v
    *******************************************************************************
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    *******************************************************************************

    SYSTEM_THREAD_EXCEPTION_NOT_HANDLED (7e)
    This is a very common bugcheck.  Usually the exception address pinpoints
    the driver/function that caused the problem.  Always note this address
    as well as the link date of the driver/image that contains this address.
    Arguments:
    Arg1: ffffffffc0000005, The exception code that was not handled
    Arg2: fffff880084ff472, The address that the exception occurred at
    Arg3: fffff8800925f898, Exception Record Address
    Arg4: fffff8800925f0f0, Context Record Address

    Debugging Details:
    ------------------


    EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - 0x%08lx

    FAULTING_IP: 
    HTTP!UlpRestartSendHttpResponseIoctl+52
    fffff880`084ff472 488b91e8000000  mov     rdx,qword ptr [rcx+0E8h]

    EXCEPTION_RECORD:  fffff8800925f898 -- (.exr 0xfffff8800925f898)
    ExceptionAddress: fffff880084ff472 (HTTP!UlpRestartSendHttpResponseIoctl+0x0000000000000052)
       ExceptionCode: c0000005 (Access violation)
      ExceptionFlags: 00000000
    NumberParameters: 2
       Parameter[0]: 0000000000000000
       Parameter[1]: 00000000000000e8
    Attempt to read from address 00000000000000e8

    CONTEXT:  fffff8800925f0f0 -- (.cxr 0xfffff8800925f0f0)
    rax=fffff88008523980 rbx=fffffa80a6f24860 rcx=0000000000000000
    rdx=0000000000000000 rsi=fffffa80a5524010 rdi=fffffa8049a1a120
    rip=fffff880084ff472 rsp=fffff8800925fad0 rbp=0000000000000001
     r8=000000000000014e  r9=0000000000000460 r10=fffff8000180a000
    r11=0000000000000708 r12=0000000000000000 r13=0000000000000000
    r14=0000000000000000 r15=fffff880084ff420
    iopl=0         nv up ei ng nz na pe nc
    cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00010282
    HTTP!UlpRestartSendHttpResponseIoctl+0x52:
    fffff880`084ff472 488b91e8000000  mov     rdx,qword ptr [rcx+0E8h] ds:002b:00000000`000000e8=????????????????
    Resetting default scope

    PROCESS_NAME:  System

    CURRENT_IRQL:  0

    ERROR_CODE: (NTSTATUS) 0xc0000005 - 0x%08lx

    EXCEPTION_PARAMETER1:  0000000000000000

    EXCEPTION_PARAMETER2:  00000000000000e8

    READ_ADDRESS:  00000000000000e8 

    FOLLOWUP_IP: 
    HTTP!UlpRestartSendHttpResponseIoctl+52
    fffff880`084ff472 488b91e8000000  mov     rdx,qword ptr [rcx+0E8h]

    BUGCHECK_STR:  0x7E

    DEFAULT_BUCKET_ID:  NULL_CLASS_PTR_DEREFERENCE

    LAST_CONTROL_TRANSFER:  from fffff8800855d73c to fffff880084ff472

    STACK_TEXT:  
    fffff880`0925fad0 fffff880`0855d73c : fffffa80`a6f24860 00000000`00000001 fffffa80`a6f24400 fffffa80`49a1a120 : HTTP!UlpRestartSendHttpResponseIoctl+0x52
    fffff880`0925fb10 fffff880`08523456 : 00000000`00000000 fffff880`00000000 00000000`00000000 00000000`0000014e : HTTP!UlpCompleteCacheBuildWorker+0x20c
    fffff880`0925fc30 fffff880`0859adf5 : fffffa80`a6f24400 00000000`00000000 00000000`00000000 fffffa80`a692e9f0 : HTTP!UlInvokeCompletionRoutine+0x16
    fffff880`0925fc60 fffff880`08549289 : fffffa80`49a58f80 00000000`00000000 00000000`00000003 fffff880`0853b890 : HTTP!UlpCacheMdlReadCompleteWorker+0x105
    fffff880`0925fca0 fffff800`01b1f166 : fffff880`079d61f0 fffffa80`a6b4a660 00000000`00000080 fffffa80`491dd040 : HTTP!UlpThreadPoolWorker+0x279
    fffff880`0925fd40 fffff800`0185a486 : fffff880`023c4180 fffffa80`a6b4a660 fffffa80`a69cbb60 fffff880`0143da90 : nt!PspSystemThreadStartup+0x5a
    fffff880`0925fd80 00000000`00000000 : fffff880`09260000 fffff880`0925a000 fffff880`100f6c70 00000000`00000000 : nt!KxStartSystemThread+0x16


    SYMBOL_STACK_INDEX:  0

    SYMBOL_NAME:  HTTP!UlpRestartSendHttpResponseIoctl+52

    FOLLOWUP_NAME:  MachineOwner

    MODULE_NAME: HTTP

    IMAGE_NAME:  HTTP.sys

    DEBUG_FLR_IMAGE_TIMESTAMP:  4a5bc1a8

    STACK_COMMAND:  .cxr 0xfffff8800925f0f0 ; kb

    FAILURE_BUCKET_ID:  X64_0x7E_HTTP!UlpRestartSendHttpResponseIoctl+52

    BUCKET_ID:  X64_0x7E_HTTP!UlpRestartSendHttpResponseIoctl+52

    Followup: MachineOwner
    ---------


    DUMP3:
    Symbol search path is: srv*d:\symbols*http://msdl.microsoft.com/download/symbols;cache*d:\symbols;SRV*D:\symbols\*http://msdl.microsoft.com/download/symbols
    Executable search path is: 
    Windows 7 Kernel Version 7600 MP (24 procs) Free x64
    Product: Server, suite: Enterprise TerminalServer SingleUserTS
    Built by: 7600.16385.amd64fre.win7_rtm.090713-1255
    Machine Name:
    Kernel base = 0xfffff800`01819000 PsLoadedModuleList = 0xfffff800`01a56e50
    Debug session time: Tue Jun  9 14:26:12.577 2015 (UTC + 8:00)
    System Uptime: 0 days 2:29:04.436
    Loading Kernel Symbols
    ...............................................................
    ................................................................
    ...
    Loading User Symbols

    Loading unloaded module list
    .......
    *******************************************************************************
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    *******************************************************************************

    Use !analyze -v to get detailed debugging information.

    BugCheck D1, {17ddcda, 2, 1, fffff880034a381b}

    *** ERROR: Module load completed but symbols could not be loaded for e1q62x64.sys
    Probably caused by : e1q62x64.sys ( e1q62x64+2b589 )

    Followup: MachineOwner
    ---------

    4: kd> !analyze -v
    *******************************************************************************
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    *******************************************************************************

    DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
    An attempt was made to access a pageable (or completely invalid) address at an
    interrupt request level (IRQL) that is too high.  This is usually
    caused by drivers using improper addresses.
    If kernel debugger is available get stack backtrace.
    Arguments:
    Arg1: 00000000017ddcda, memory referenced
    Arg2: 0000000000000002, IRQL
    Arg3: 0000000000000001, value 0 = read operation, 1 = write operation
    Arg4: fffff880034a381b, address which referenced memory

    Debugging Details:
    ------------------


    WRITE_ADDRESS:  00000000017ddcda 

    CURRENT_IRQL:  2

    FAULTING_IP: 
    afd!AfdTLBufferedSendComplete+2b
    fffff880`034a381b 895130          mov     dword ptr [rcx+30h],edx

    DEFAULT_BUCKET_ID:  VISTA_DRIVER_FAULT

    BUGCHECK_STR:  0xD1

    PROCESS_NAME:  System

    TRAP_FRAME:  fffff88001f6d8c0 -- (.trap 0xfffff88001f6d8c0)
    NOTE: The trap frame does not contain all registers.
    Some register values may be zeroed or incorrect.
    rax=ffff000002b11f8d rbx=0000000000000000 rcx=00000000017ddcaa
    rdx=0000000000000000 rsi=0000000000000000 rdi=0000000000000000
    rip=fffff880034a381b rsp=fffff88001f6da50 rbp=0000000000000000
     r8=0000000000000534  r9=0000000000000000 r10=fffffa80a6e24020
    r11=fffffa80a6e241a0 r12=0000000000000000 r13=0000000000000000
    r14=0000000000000000 r15=0000000000000000
    iopl=0         nv up ei ng nz na po nc
    afd!AfdTLBufferedSendComplete+0x2b:
    fffff880`034a381b 895130          mov     dword ptr [rcx+30h],edx ds:c2d4:dcda=????????
    Resetting default scope

    LAST_CONTROL_TRANSFER:  from fffff8000188a469 to fffff8000188af00

    STACK_TEXT:  
    fffff880`01f6d778 fffff800`0188a469 : 00000000`0000000a 00000000`017ddcda 00000000`00000002 00000000`00000001 : nt!KeBugCheckEx
    fffff880`01f6d780 fffff800`018890e0 : fffffa80`4baf5010 fffffa80`a6ab3b30 fffffa80`a60375bc fffffa80`a60375c0 : nt!KiBugCheckDispatch+0x69
    fffff880`01f6d8c0 fffff880`034a381b : fffffa80`4baf5010 fffffa80`4a47c470 fffffa80`a6ab3b30 fffffa80`00000004 : nt!KiPageFault+0x260
    fffff880`01f6da50 fffff880`016749f4 : 00000000`00000000 fffffa80`a6ab3b30 00000000`00000000 00000000`00000000 : afd!AfdTLBufferedSendComplete+0x2b
    fffff880`01f6daf0 fffff880`016790ca : fffffa80`49792f00 fffff880`01f6df00 fffffa80`49616a01 00000000`00000000 : tcpip!TcpTcbReceive+0x4f4
    fffff880`01f6dca0 fffff880`01678c17 : fffffa80`4a2679ac 00000000`00000000 00000000`00000000 fffff880`0165c400 : tcpip!TcpMatchReceive+0x1fa
    fffff880`01f6ddf0 fffff880`0165b3c7 : fffffa80`49798000 fffffa80`497b0e30 fffffa80`4979a1b9 00000000`00000000 : tcpip!TcpPreValidatedReceive+0x177
    fffff880`01f6dea0 fffff880`0165b499 : fffff880`01f6e020 fffff880`0176b9a0 fffff880`01f6e030 00000000`00000001 : tcpip!IppDeliverListToProtocol+0x97
    fffff880`01f6df60 fffff880`0165b990 : 00000000`00000000 00000000`00000001 00000000`00000000 fffff880`01f6e020 : tcpip!IppProcessDeliverList+0x59
    fffff880`01f6dfd0 fffff880`0165a821 : 00000000`01765128 fffffa80`49798000 fffff880`0176b9a0 00000000`4a1e8001 : tcpip!IppReceiveHeaderBatch+0x231
    fffff880`01f6e0b0 fffff880`01659272 : fffffa80`4a1eb3b0 00000000`00000000 fffffa80`4a1e8001 00000000`00000001 : tcpip!IpFlcReceivePackets+0x651
    fffff880`01f6e2b0 fffff880`016726ba : fffffa80`4a1e8010 fffff880`01f6e3e0 fffffa80`4a1e8010 00000000`00000000 : tcpip!FlpReceiveNonPreValidatedNetBufferListChain+0x2b2
    fffff880`01f6e390 fffff800`0189a64a : fffffa80`4a1e6030 fffff880`01f69000 00000000`00004800 00000000`00000000 : tcpip!FlReceiveNetBufferListChainCalloutRoutine+0xda
    fffff880`01f6e3e0 fffff880`016720e2 : fffff880`016725e0 fffff880`01f6e4f0 00000000`00000002 fffffa80`497715a0 : nt!KeExpandKernelStackAndCalloutEx+0xda
    fffff880`01f6e4c0 fffff880`00fa70eb : fffffa80`4a1ef010 00000000`00000000 fffffa80`49cbf1a0 00000000`00000003 : tcpip!FlReceiveNetBufferListChain+0xb2
    fffff880`01f6e530 fffff880`00f70fc6 : 00000000`00000004 00000000`00000000 00000000`00000000 00000000`00000000 : NDIS!ndisMIndicateNetBufferListsToOpen+0xdb
    fffff880`01f6e5a0 fffff880`00eeaef1 : fffffa80`49cbf1a0 00000000`00000002 00000000`00000001 00000000`00000004 : NDIS!ndisMDispatchReceiveNetBufferLists+0x1d6
    fffff880`01f6ea20 fffff880`0387e589 : fffffa80`49dd3000 fffffa80`4a1e6030 fffffa80`4a1e5150 00000000`00000001 : NDIS!NdisMIndicateReceiveNetBufferLists+0xc1
    fffff880`01f6ea70 fffff880`0387e740 : 00000000`00000001 fffffa80`4a1e6030 fffffa80`4a1e6030 00000000`00000001 : e1q62x64+0x2b589
    fffff880`01f6eab0 fffff880`0386edc0 : 00000000`00000000 00000000`00000001 fffff880`01f4b400 fffff880`01f6ec70 : e1q62x64+0x2b740
    fffff880`01f6eb30 fffff880`0386eb8f : fffffa80`49c962d0 00000001`00000000 00000001`00000000 fffff880`00f70488 : e1q62x64+0x1bdc0
    fffff880`01f6eb90 fffff880`03870638 : 00000000`00000000 00000001`00000000 fffff880`00000002 00000000`00000000 : e1q62x64+0x1bb8f
    fffff880`01f6ec00 fffff880`00eeada5 : 00000000`00000000 00000000`00000400 00000000`00000000 01d0a27d`2e568092 : e1q62x64+0x1d638
    fffff880`01f6ec40 fffff800`018965dc : fffffa80`4a117998 00000005`00000004 00000000`00000002 fffff880`01f46180 : NDIS!ndisInterruptDpc+0x155
    fffff880`01f6ecd0 fffff800`018936fa : fffff880`01f46180 fffff880`01f514c0 00000000`00000000 fffff880`00eeac50 : nt!KiRetireDpcList+0x1bc
    fffff880`01f6ed80 00000000`00000000 : fffff880`01f6f000 fffff880`01f69000 fffff880`01f6ed40 00000000`00000000 : nt!KiIdleLoop+0x5a


    STACK_COMMAND:  kb

    FOLLOWUP_IP: 
    e1q62x64+2b589
    fffff880`0387e589 40f6c702        test    dil,2

    SYMBOL_STACK_INDEX:  12

    SYMBOL_NAME:  e1q62x64+2b589

    FOLLOWUP_NAME:  MachineOwner

    MODULE_NAME: e1q62x64

    IMAGE_NAME:  e1q62x64.sys

    DEBUG_FLR_IMAGE_TIMESTAMP:  4e00d43d

    FAILURE_BUCKET_ID:  X64_0xD1_e1q62x64+2b589

    BUCKET_ID:  X64_0xD1_e1q62x64+2b589

    Followup: MachineOwner
    ---------


    DUMP4:
    0: kd> !analyze -v
    *******************************************************************************
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    *******************************************************************************

    KMODE_EXCEPTION_NOT_HANDLED (1e)
    This is a very common bugcheck.  Usually the exception address pinpoints
    the driver/function that caused the problem.  Always note this address
    as well as the link date of the driver/image that contains this address.
    Arguments:
    Arg1: ffffffffc0000005, The exception code that was not handled
    Arg2: fffff8800b5dcb70, The address that the exception occurred at
    Arg3: 0000000000000000, Parameter 0 of the exception
    Arg4: 0000000000000000, Parameter 1 of the exception

    Debugging Details:
    ------------------


    EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - 0x%08lx

    FAULTING_IP: 
    +3964346364373838
    fffff880`0b5dcb70 98              cwde

    EXCEPTION_PARAMETER1:  0000000000000000

    EXCEPTION_PARAMETER2:  0000000000000000

    READ_ADDRESS: GetPointerFromAddress: unable to read from fffff80001af30e0
     0000000000000000 

    ERROR_CODE: (NTSTATUS) 0xc0000005 - 0x%08lx

    BUGCHECK_STR:  0x1E_c0000005

    CUSTOMER_CRASH_COUNT:  1

    DEFAULT_BUCKET_ID:  DRIVER_FAULT_SERVER_MINIDUMP

    PROCESS_NAME:  liveChannelAcc

    CURRENT_IRQL:  2

    EXCEPTION_RECORD:  fffff8800b5dda98 -- (.exr 0xfffff8800b5dda98)
    ExceptionAddress: fffff80001898371 (nt!RtlLookupEntryHashTable+0x0000000000000051)
       ExceptionCode: c0000005 (Access violation)
      ExceptionFlags: 00000000
    NumberParameters: 2
       Parameter[0]: 0000000000000000
       Parameter[1]: ffffffffffffffff
    Attempt to read from address ffffffffffffffff

    TRAP_FRAME:  fffff8800b5ddb40 -- (.trap 0xfffff8800b5ddb40)
    NOTE: The trap frame does not contain all registers.
    Some register values may be zeroed or incorrect.
    rax=210147f200001000 rbx=0000000000000000 rcx=90a9a4e61b542bef
    rdx=fffffa80a695f1d0 rsi=0000000000000000 rdi=0000000000000000
    rip=fffff80001898371 rsp=fffff8800b5ddcd0 rbp=0000000000000004
     r8=fffffa80495fcc10  r9=cc11f88221bd0a7e r10=fffff8800b5ddd60
    r11=0000000000000000 r12=0000000000000000 r13=0000000000000000
    r14=0000000000000000 r15=0000000000000000
    iopl=0         nv up ei ng nz na pe cy
    nt!RtlLookupEntryHashTable+0x51:
    fffff800`01898371 488b4110        mov     rax,qword ptr [rcx+10h] ds:ce56:90a9a4e6`1b542bff=????????????????
    Resetting default scope

    LAST_CONTROL_TRANSFER:  from fffff8000194db2b to fffff800018bcf00

    STACK_TEXT:  
    fffff880`0b5dcab8 fffff800`0194db2b : 00000000`0000001e ffffffff`c0000005 fffff880`0b5dcb70 00000000`00000000 : nt!KeBugCheckEx
    fffff880`0b5dcac0 fffff800`01910390 : 00000000`00000000 00001f80`00100200 fffffa80`a6ad2010 fffffa80`49eee708 : nt!KipFatalFilter+0x1b
    fffff880`0b5dcb00 fffff800`018eb4dc : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt! ?? ::FNODOBFM::`string'+0x95d
    fffff880`0b5dcb40 fffff800`018e2bed : fffff800`01a03470 fffff880`0b5de740 00000000`00000000 fffff800`0184b000 : nt!_C_specific_handler+0x8c
    fffff880`0b5dcbb0 fffff800`018ea250 : fffff800`01a03470 fffff880`0b5dcc28 fffff880`0b5dda98 fffff800`0184b000 : nt!RtlpExecuteHandlerForException+0xd
    fffff880`0b5dcbe0 fffff800`018f71b5 : fffff880`0b5dda98 fffff880`0b5dd2f0 fffff880`00000000 00000000`00000000 : nt!RtlDispatchException+0x410
    fffff880`0b5dd2c0 fffff800`018bc542 : fffff880`0b5dda98 fffffa80`4ad57474 fffff880`0b5ddb40 fffffa80`4abd75a0 : nt!KiDispatchException+0x135
    fffff880`0b5dd960 fffff800`018bae4a : fffffa80`49d141a0 fffff880`00eb5a39 00000000`00000046 fffff800`018b8daf : nt!KiExceptionDispatch+0xc2
    fffff880`0b5ddb40 fffff800`01898371 : fffffa80`a6884610 fffffa80`4a09b7c4 ffff0001`00000000 00000000`00000018 : nt!KiGeneralProtectionFault+0x10a
    fffff880`0b5ddcd0 fffff880`0163eb7e : fffffa80`4ad57470 00000000`00000000 00000000`00000004 fffffa80`4abd75a0 : nt!RtlLookupEntryHashTable+0x51
    fffff880`0b5ddd00 fffff880`01633a74 : fffffa80`4abd75a0 fffffa80`a6884610 fffffa80`a6884610 fffffa80`4a09b6e0 : tcpip!WfpAleFastUdpInspection+0x27e
    fffff880`0b5ddfa0 fffff880`0163426d : fffffa80`4ad57380 fffffa80`49a47380 fffff880`0b5de940 00000000`00000000 : tcpip!UdpSendMessagesOnPathCreation+0x404
    fffff880`0b5de320 fffff880`01633ef5 : fffff880`0b5de850 fffff800`ffffd956 fffffa80`00000001 fffffa80`a65c1a70 : tcpip!UdpSendMessages+0x35d
    fffff880`0b5de710 fffff800`018cc64a : 00000000`00000000 fffff6fb`7da00000 fffff6fb`40000040 fffffa80`4b9d1618 : tcpip!UdpTlProviderSendMessagesCalloutRoutine+0x15
    fffff880`0b5de740 fffff880`016344b8 : fffff880`01633ee0 fffff880`0b5de850 00000000`00000000 00000000`00000000 : nt!KeExpandKernelStackAndCalloutEx+0xda
    fffff880`0b5de820 fffff880`0350cfef : fffffa80`4960ce30 00000000`00000598 fffff880`0b5deca0 fffffa80`4b889320 : tcpip!UdpTlProviderSendMessages+0x78
    fffff880`0b5de8a0 fffff800`01bd53a7 : fffffa80`4ba1e5b0 fffffa80`4ba1e758 fffffa80`00000598 fffffa80`0000001c : afd!AfdSendDatagram+0x71f
    fffff880`0b5dea10 fffff800`01bd5c06 : fffff880`0b5debf8 00000000`0000044c 00000000`00000001 00000000`00000000 : nt!IopXxxControlFile+0x607
    fffff880`0b5deb40 fffff800`018bc153 : fffff880`0b5deca0 fffffa80`a65c1a70 fffff880`0b5debf8 00000000`7ef7c001 : nt!NtDeviceIoControlFile+0x56
    fffff880`0b5debb0 00000000`74f82dd9 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13
    00000000`02f9f0f8 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x74f82dd9


    STACK_COMMAND:  kb

    FOLLOWUP_IP: 
    tcpip!WfpAleFastUdpInspection+27e
    fffff880`0163eb7e 4885c0          test    rax,rax

    SYMBOL_STACK_INDEX:  a

    SYMBOL_NAME:  tcpip!WfpAleFastUdpInspection+27e

    FOLLOWUP_NAME:  MachineOwner

    MODULE_NAME: tcpip

    IMAGE_NAME:  tcpip.sys

    DEBUG_FLR_IMAGE_TIMESTAMP:  4a5bc26e

    FAILURE_BUCKET_ID:  X64_0x1E_c0000005_tcpip!WfpAleFastUdpInspection+27e

    BUCKET_ID:  X64_0x1E_c0000005_tcpip!WfpAleFastUdpInspection+27e

    Followup: MachineOwner
    ---------
    June 12, 2015 2:46

Answer

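  • Hello,

    Judging from these error messages, your servers have had multiple memory access violations and abnormal interrupt requests. In general this may be caused by your hardware drivers or antivirus software. Please remove any recently installed new hardware or update its drivers to the latest version, uninstall the antivirus software, and then observe again whether the problem persists. In addition, diagnosing blue-screen problems in the forum is not the best support channel; we recommend that you open a CSS case for further analysis.

    You can contact online support from the following page: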

    Microsoft Professional Support

    http://support.microsoft.com/default.aspx?scid=fh;EN-US;OfferProPhone#faq607

    Thank you.


    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com

    June 18, 2015 3:20
    Moderator
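With several dozen dumps across a fleet, a first triage step is to group the `!analyze -v` results by faulting image and decode each `DEBUG_FLR_IMAGE_TIMESTAMP` into the driver's link date, which the debugger text itself says to note. The script below is an added example, not part of the original thread; the function names are hypothetical and the sample input is abridged from the four dump analyses posted in the question.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Abridged from the !analyze -v output in the question (DUMP1-DUMP4).
SAMPLE = """\
PAGE_FAULT_IN_NONPAGED_AREA (50)
PROCESS_NAME:  w3wp.exe
IMAGE_NAME:  HTTP.sys
DEBUG_FLR_IMAGE_TIMESTAMP:  4a5bc1a8
FAILURE_BUCKET_ID:  X64_0x50_HTTP!UlBuildFastRangeCacheMdlChain+3f7
SYSTEM_THREAD_EXCEPTION_NOT_HANDLED (7e)
PROCESS_NAME:  System
IMAGE_NAME:  HTTP.sys
DEBUG_FLR_IMAGE_TIMESTAMP:  4a5bc1a8
FAILURE_BUCKET_ID:  X64_0x7E_HTTP!UlpRestartSendHttpResponseIoctl+52
DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
PROCESS_NAME:  System
IMAGE_NAME:  e1q62x64.sys
DEBUG_FLR_IMAGE_TIMESTAMP:  4e00d43d
FAILURE_BUCKET_ID:  X64_0xD1_e1q62x64+2b589
KMODE_EXCEPTION_NOT_HANDLED (1e)
PROCESS_NAME:  liveChannelAcc
IMAGE_NAME:  tcpip.sys
DEBUG_FLR_IMAGE_TIMESTAMP:  4a5bc26e
FAILURE_BUCKET_ID:  X64_0x1E_c0000005_tcpip!WfpAleFastUdpInspection+27e
"""

# "BUGCHECK_NAME (hexcode)" on a line of its own starts a new analysis record.
HEADER = re.compile(r"^\s*([A-Z][A-Z0-9_]+) \(([0-9a-fA-F]+)\)\s*$")
FIELD = re.compile(
    r"^\s*(PROCESS_NAME|IMAGE_NAME|DEBUG_FLR_IMAGE_TIMESTAMP|FAILURE_BUCKET_ID)"
    r":\s*(\S.*?)\s*$")


def parse_analyze(text):
    """Split concatenated !analyze -v output into one dict per bugcheck."""
    records, cur = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            cur = {"bugcheck": m.group(1), "code": int(m.group(2), 16)}
            records.append(cur)
            continue
        m = FIELD.match(line)
        if m and cur is not None:
            # Keep the first value seen; minidumps may omit some fields.
            cur.setdefault(m.group(1), m.group(2))
    return records


def link_date(hex_stamp):
    """DEBUG_FLR_IMAGE_TIMESTAMP is the PE TimeDateStamp: hex Unix seconds."""
    return datetime.fromtimestamp(int(hex_stamp, 16), tz=timezone.utc)


def group_by_image(records):
    """Map faulting image -> its link date and the crashes attributed to it."""
    groups = defaultdict(lambda: {"link_date": None, "crashes": []})
    for r in records:
        g = groups[r.get("IMAGE_NAME", "<unknown>")]
        stamp = r.get("DEBUG_FLR_IMAGE_TIMESTAMP")
        if stamp:
            g["link_date"] = link_date(stamp)
        g["crashes"].append((r["bugcheck"], r.get("PROCESS_NAME", "?")))
    return dict(groups)


if __name__ == "__main__":
    for image, g in sorted(group_by_image(parse_analyze(SAMPLE)).items()):
        built = g["link_date"].date() if g["link_date"] else "unknown"
        print(f"{image:14} linked {built}  crashes={len(g['crashes'])}")
        for bugcheck, proc in g["crashes"]:
            print(f"    {bugcheck}  (process: {proc})")
```

The parser also accepts the full, indented debugger output, so the saved analyses of all dumps can be concatenated and passed in as one string.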