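My Windows 7 computer blue-screens shortly after booting.
I used WinDbg to analyze the dump file from the event, but I'm not sure I understand what it is telling me.
These lines look interesting: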
DEFAULT_BUCKET_ID: WIN7_DRIVER_FAULT
PROCESS_NAME: fsgk32.exe
Does this indicate that the problem is in a driver, in fsgk32.exe (part of F-Secure), or both?
Full results:
2: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
KMODE_EXCEPTION_NOT_HANDLED (1e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Arguments:
Arg1: ffffffffc0000005, The exception code that was not handled
Arg2: fffff80002ed05ce, The address that the exception occurred at
Arg3: 0000000000000000, Parameter 0 of the exception
Arg4: ffffffffffffffff, Parameter 1 of the exception
Debugging Details:
------------------
READ_ADDRESS: GetPointerFromAddress: unable to read from fffff800030f7100
GetUlongFromAddress: unable to read from fffff800030f71c0
0000000000000000 Nonpaged pool
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
FAULTING_IP:
nt!MiUnlinkPageFromLockedList+36e
fffff800`02ed05ce 49890cc0 mov qword ptr [r8+rax*8],rcx
BUGCHECK_STR: 0x1E_c0000005_R
CUSTOMER_CRASH_COUNT: 1
DEFAULT_BUCKET_ID: WIN7_DRIVER_FAULT
PROCESS_NAME: fsgk32.exe
CURRENT_IRQL: 2
ANALYSIS_VERSION: 6.3.9600.17237 (debuggers(dbg).140716-0327) amd64fre
LAST_CONTROL_TRANSFER: from fffff80002f0a738 to fffff80002ebfbc0
STACK_TEXT:
fffff880`060eed48 fffff800`02f0a738 : 00000000`0000001e ffffffff`c0000005 fffff800`02ed05ce 00000000`00000000 : nt!KeBugCheckEx
fffff880`060eed50 fffff800`02ebf242 : fffff880`060ef528 fffffa80`0aeff270 fffff880`060ef5d0 fffffa80`0aeff270 : nt! ?? ::FNODOBFM::`string'+0x487ed
fffff880`060ef3f0 fffff800`02ebdb4a : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiExceptionDispatch+0xc2
fffff880`060ef5d0 fffff800`02ed05ce : fffff700`01080000 fffffa80`0aeff270 fffff800`030fa2c0 fffff680`00394f28 : nt!KiGeneralProtectionFault+0x10a
fffff880`060ef760 fffff800`02ef006b : fffffa80`0aeff270 fffffa80`0efb1578 00000000`00000000 00000000`00000000 : nt!MiUnlinkPageFromLockedList+0x36e
fffff880`060ef7e0 fffff800`02edcc8f : 00000000`00000000 00000000`00000000 fffff680`003b5818 fffffa80`0efb1578 : nt!MiResolveTransitionFault+0x16b
fffff880`060ef870 fffff800`02ecc179 : 00000000`00000000 ffffffff`ffffffff fffffa80`0f946060 00000000`00000000 : nt!MiDispatchFault+0x95f
fffff880`060ef980 fffff800`02ebdcee : 00000000`00000000 00000000`001dedf8 fffff880`060efa01 00000000`00000007 : nt!MmAccessFault+0x359
fffff880`060efae0 00000000`772fe2be : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiPageFault+0x16e
00000000`0328fa18 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x772fe2be
STACK_COMMAND: kb
FOLLOWUP_IP:
nt!MiUnlinkPageFromLockedList+36e
fffff800`02ed05ce 49890cc0 mov qword ptr [r8+rax*8],rcx
SYMBOL_STACK_INDEX: 4
SYMBOL_NAME: nt!MiUnlinkPageFromLockedList+36e
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: nt
DEBUG_FLR_IMAGE_TIMESTAMP: 531590fb
IMAGE_VERSION: 6.1.7601.18409
IMAGE_NAME: memory_corruption
FAILURE_BUCKET_ID: X64_0x1E_c0000005_R_nt!MiUnlinkPageFromLockedList+36e
BUCKET_ID: X64_0x1E_c0000005_R_nt!MiUnlinkPageFromLockedList+36e
ANALYSIS_SOURCE: KM
FAILURE_ID_HASH_STRING: km:x64_0x1e_c0000005_r_nt!miunlinkpagefromlockedlist+36e
FAILURE_ID_HASH: {3264b3ba-cf19-fae1-16b7-0f69c15b38b9}
Followup: MachineOwner
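Answer 1
In my opinion, there are two important things to know when analyzing a blue screen.
a) As you have found: PROCESS_NAME: fsgk32.exe
If it can't be associated with a product directly, a Google search will usually give some hints. You found F-Secure, and Google would suggest it too.
b) The type of problem, in this case: KMODE_EXCEPTION_NOT_HANDLED
This gets a bit trickier, because some problems cause a blue screen immediately, such as an exception in kernel mode (this one), but there are other problems, such as memory leaks, that can go undetected for a while and then crash later.
In your case it blue-screened immediately, so the process name is usually correct. I guess you have verified this by uninstalling it in safe mode.
In the latter case (memory leaks), the listed process name is not correct and other measures are needed. There may be different approaches for delayed crashes. I use Driver Verifier, which ships with Windows (Win+R, verifier.exe). You may want to read about it before using it, because it is troublesome to turn off if it causes a crash at boot.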
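An added example, not part of the original question or answer: a short Python script that pulls the two items the answer looks at (the process name and the bugcheck type) out of `!analyze -v` text and also lists which modules appear on the stack. The sample is a constructed excerpt of the output quoted in the question; `triage` and `CORE_MODULES` are names made up for this example, and treating only `nt` and `hal` as core modules is an assumption.

```python
import re

# Constructed sample: an excerpt of the !analyze -v output quoted in the question.
SAMPLE = """\
KMODE_EXCEPTION_NOT_HANDLED (1e)
Arg1: ffffffffc0000005, The exception code that was not handled
Arg2: fffff80002ed05ce, The address that the exception occurred at
PROCESS_NAME: fsgk32.exe
STACK_TEXT:
fffff880`060eed48 fffff800`02f0a738 : 00000000`0000001e ffffffff`c0000005 fffff800`02ed05ce 00000000`00000000 : nt!KeBugCheckEx
fffff880`060ef760 fffff800`02ef006b : fffffa80`0aeff270 fffffa80`0efb1578 00000000`00000000 00000000`00000000 : nt!MiUnlinkPageFromLockedList+0x36e
fffff880`060efae0 00000000`772fe2be : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiPageFault+0x16e
00000000`0328fa18 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x772fe2be
STACK_COMMAND: kb
IMAGE_NAME: memory_corruption
"""

BUGCHECK_RE = re.compile(r"^([A-Z][A-Z0-9_]+) \(([0-9a-fA-F]+)\)[ \t]*$", re.M)
ARG_RE = re.compile(r"^Arg([1-4]): ([0-9a-fA-F]+),", re.M)
FIELD_RE = re.compile(r"^([A-Z_]+):[ \t]+(\S.*?)[ \t]*$", re.M)
FRAME_RE = re.compile(r"^[0-9a-f`]+ [0-9a-f`]+ : [0-9a-f` ]+ : (.+)$", re.M)
CORE_MODULES = {"nt", "hal"}  # assumption: what counts as "Windows core" here

def triage(text):
    """Pull out the two things the answer looks at, plus the stack's modules."""
    name, code = BUGCHECK_RE.search(text).groups()
    args = {int(n): int(v, 16) for n, v in ARG_RE.findall(text)}
    fields = dict(FIELD_RE.findall(text))
    symbols = [s.strip() for s in FRAME_RE.findall(text)]
    # "module!function+offset" resolves to a module; a bare address does not.
    modules = [s.split("!", 1)[0] for s in symbols if "!" in s]
    return {
        "bugcheck": name,
        "code": int(code, 16),
        # For bugcheck 0x1E, Arg1 is the unhandled exception's NTSTATUS.
        "ntstatus": args.get(1, 0) & 0xFFFFFFFF,
        "process": fields.get("PROCESS_NAME"),
        "image": fields.get("IMAGE_NAME"),
        "other_modules": sorted(set(modules) - CORE_MODULES),
        "unresolved_frames": [s for s in symbols if "!" not in s],
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

To run it against a real dump, paste the full debugger output into a string and pass that to `triage` instead of `SAMPLE`.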