Understanding Memory.dmp file driver fault

I have a Windows 7 desktop PC that keeps restarting randomly, so I looked at the event log and found a lot of Critical Kernel-Power events, followed by a bugcheck event.

[Screenshot: event errors in Event Viewer]

The bugcheck event pointed me to the C:\windows\MEMORY.dmp file. Opening that file in WinDbg and running the !analyze -v command on it, I got the following output:

*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high.  This is usually
caused by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.
Arguments:
Arg1: ffffffffffffffd8, memory referenced
Arg2: 0000000000000002, IRQL
Arg3: 0000000000000000, bitfield :
    bit 0 : value 0 = read operation, 1 = write operation
    bit 3 : value 0 = not an execute operation, 1 = execute operation (only on chips which support this level of status)
Arg4: fffff80002c6d25b, address which referenced memory

Debugging Details:
------------------


READ_ADDRESS:  ffffffffffffffd8 

CURRENT_IRQL:  2

FAULTING_IP: 
nt!ExpScanGeneralLookasideList+a0
fffff800`02c6d25b 418b40d8        mov     eax,dword ptr [r8-28h]

DEFAULT_BUCKET_ID:  WIN7_DRIVER_FAULT

BUGCHECK_STR:  0xA

PROCESS_NAME:  System

ANALYSIS_VERSION: 6.3.9600.17298 (debuggers(dbg).141024-1500) amd64fre

TRAP_FRAME:  fffff880035169b0 -- (.trap 0xfffff880035169b0)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=0000000000000000 rbx=0000000000000000 rcx=0000000000000000
rdx=00000000000014ca rsi=0000000000000000 rdi=0000000000000000
rip=fffff80002c6d25b rsp=fffff88003516b40 rbp=0000000000000001
 r8=0000000000000000  r9=0000000000000004 r10=0000000000000000
r11=0000000000000000 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei pl nz na po cy
nt!ExpScanGeneralLookasideList+0xa0:
fffff800`02c6d25b 418b40d8        mov     eax,dword ptr [r8-28h] ds:ffffffff`ffffffd8=????????
Resetting default scope

LAST_CONTROL_TRANSFER:  from fffff80002c78169 to fffff80002c78bc0

STACK_TEXT:  
fffff880`03516868 fffff800`02c78169 : 00000000`0000000a ffffffff`ffffffd8 00000000`00000002 00000000`00000000 : nt!KeBugCheckEx
fffff880`03516870 fffff800`02c76de0 : fffff880`00000000 fffff800`02c7d2e0 00000000`00000000 fffff800`02e1e440 : nt!KiBugCheckDispatch+0x69
fffff880`035169b0 fffff800`02c6d25b : 00000000`00000000 fffff800`02eb0c40 00000000`00000000 00000000`00000003 : nt!KiPageFault+0x260
fffff880`03516b40 fffff800`02c62a60 : 00000000`00000001 00000000`00000008 00000000`00000001 fffff800`02eb0c40 : nt!ExpScanGeneralLookasideList+0xa0
fffff880`03516ba0 fffff800`02c62fae : 00000000`00000008 fffff880`03516c10 00000000`00000001 fffffa80`00000000 : nt!ExAdjustLookasideDepth+0x40
fffff880`03516bd0 fffff800`02f1473a : fffffa80`03579530 00000000`00000080 fffffa80`0355b890 00000000`00000001 : nt!KeBalanceSetManager+0x1be
fffff880`03516d40 fffff800`02c698e6 : fffff880`03100180 fffffa80`03579530 fffff880`0310afc0 00000000`00000000 : nt!PspSystemThreadStartup+0x5a
fffff880`03516d80 00000000`00000000 : fffff880`03517000 fffff880`03511000 fffff880`03516700 00000000`00000000 : nt!KxStartSystemThread+0x16


STACK_COMMAND:  kb

FOLLOWUP_IP: 
nt!ExpScanGeneralLookasideList+a0
fffff800`02c6d25b 418b40d8        mov     eax,dword ptr [r8-28h]

SYMBOL_STACK_INDEX:  3

SYMBOL_NAME:  nt!ExpScanGeneralLookasideList+a0

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: nt

IMAGE_NAME:  ntkrnlmp.exe

DEBUG_FLR_IMAGE_TIMESTAMP:  531590fb

IMAGE_VERSION:  6.1.7601.18409

FAILURE_BUCKET_ID:  X64_0xA_nt!ExpScanGeneralLookasideList+a0

BUCKET_ID:  X64_0xA_nt!ExpScanGeneralLookasideList+a0

ANALYSIS_SOURCE:  KM

FAILURE_ID_HASH_STRING:  km:x64_0xa_nt!expscangenerallookasidelist+a0

FAILURE_ID_HASH:  {2d4aa3ce-d2f6-a1c2-6e10-dc77b60dfba4}

Followup: MachineOwner
---------

As you can see, one of my drivers is at fault (DEFAULT_BUCKET_ID: WIN7_DRIVER_FAULT), but it doesn't tell me which one.

How do I find the faulty driver?

Update

After another blue screen and restart, no Bugcheck event was logged, but an event with ID 219 (212) was logged, which reads as follows:

The driver \Driver\WUDFRd failed to load for the device WpdBusEnumRoot\UMB\2&37c186b&0&STORAGE#VOLUME#_??_USBSTOR#DISK&VEN_GENERIC-&PROD_COMPACT_FLASH&REV_1.01#058F63626420&1#.
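
Added example (not part of the original post): Python that parses the bugcheck 0xA arguments from the !analyze -v text above, decodes the Arg3 bitfield, and recomputes the faulting instruction's memory operand from the trap-frame registers. The sample text is constructed from lines of that output, and the function names are illustrative.

```python
import re

# Constructed sample: lines copied from the !analyze -v output in the post.
SAMPLE = """\
Arg1: ffffffffffffffd8, memory referenced
Arg2: 0000000000000002, IRQL
Arg3: 0000000000000000, bitfield :
Arg4: fffff80002c6d25b, address which referenced memory
rip=fffff80002c6d25b rsp=fffff88003516b40 rbp=0000000000000001
 r8=0000000000000000  r9=0000000000000004 r10=0000000000000000
fffff800`02c6d25b 418b40d8        mov     eax,dword ptr [r8-28h]
"""

MASK64 = (1 << 64) - 1  # x64 addresses wrap modulo 2**64

def parse_args(text):
    """Map bugcheck argument number (1-4) to its integer value."""
    pairs = re.findall(r"^Arg([1-4]):\s*([0-9a-f]+)", text, re.M)
    return {int(n): int(v, 16) for n, v in pairs}

def parse_registers(text):
    """Map register name to value from 'name=<16 hex digits>' pairs."""
    pairs = re.findall(r"\b(r[a-z0-9]{1,2})=([0-9a-f]{16})\b", text)
    return {n: int(v, 16) for n, v in pairs}

def access_type(arg3):
    """Arg3 bitfield for bugcheck 0xA: bit 0 = write, bit 3 = execute."""
    if arg3 & 0x8:
        return "execute"
    return "write" if arg3 & 0x1 else "read"

def effective_address(text, regs):
    """Recompute the [reg+/-disp] operand of the faulting instruction."""
    m = re.search(r"\[(r\w+)([+-])([0-9a-f]+)h\]", text)
    if m is None or m.group(1) not in regs:
        raise ValueError("no [reg+/-disp] operand with a known base register")
    disp = int(m.group(3), 16)
    offset = disp if m.group(2) == "+" else -disp
    return m.group(1), (regs[m.group(1)] + offset) & MASK64

def summarize(text):
    args, regs = parse_args(text), parse_registers(text)
    base, ea = effective_address(text, regs)
    return {"irql": args[2], "access": access_type(args[3]),
            "base": base, "base_value": regs[base],
            "operand_matches_arg1": ea == args[1],
            "rip_matches_arg4": regs.get("rip") == args[4]}

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

For this dump the base register r8 is 0, so [r8-28h] wraps to ffffffffffffffd8, the address in Arg1; that agreement is a useful check because the trap frame warns that some register values may be zeroed or incorrect.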
