我有一台 Windows 7 台式电脑,它不断随机重启,因此我查看了事件日志,发现有很多Critical kernel-power
事件,后面跟着一个bugcheck
事件。
该bugcheck
事件将我指向C:\windows\MEMORY.dmp
文件。打开该文件并在文件上WinDbg
运行命令,我得到了以下输出:!analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.
Arguments:
Arg1: ffffffffffffffd8, memory referenced
Arg2: 0000000000000002, IRQL
Arg3: 0000000000000000, bitfield :
bit 0 : value 0 = read operation, 1 = write operation
bit 3 : value 0 = not an execute operation, 1 = execute operation (only on chips which support this level of status)
Arg4: fffff80002c6d25b, address which referenced memory
Debugging Details:
------------------
READ_ADDRESS: ffffffffffffffd8
CURRENT_IRQL: 2
FAULTING_IP:
nt!ExpScanGeneralLookasideList+a0
fffff800`02c6d25b 418b40d8 mov eax,dword ptr [r8-28h]
DEFAULT_BUCKET_ID: WIN7_DRIVER_FAULT
BUGCHECK_STR: 0xA
PROCESS_NAME: System
ANALYSIS_VERSION: 6.3.9600.17298 (debuggers(dbg).141024-1500) amd64fre
TRAP_FRAME: fffff880035169b0 -- (.trap 0xfffff880035169b0)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=0000000000000000 rbx=0000000000000000 rcx=0000000000000000
rdx=00000000000014ca rsi=0000000000000000 rdi=0000000000000000
rip=fffff80002c6d25b rsp=fffff88003516b40 rbp=0000000000000001
r8=0000000000000000 r9=0000000000000004 r10=0000000000000000
r11=0000000000000000 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei pl nz na po cy
nt!ExpScanGeneralLookasideList+0xa0:
fffff800`02c6d25b 418b40d8 mov eax,dword ptr [r8-28h] ds:ffffffff`ffffffd8=????????
Resetting default scope
LAST_CONTROL_TRANSFER: from fffff80002c78169 to fffff80002c78bc0
STACK_TEXT:
fffff880`03516868 fffff800`02c78169 : 00000000`0000000a ffffffff`ffffffd8 00000000`00000002 00000000`00000000 : nt!KeBugCheckEx
fffff880`03516870 fffff800`02c76de0 : fffff880`00000000 fffff800`02c7d2e0 00000000`00000000 fffff800`02e1e440 : nt!KiBugCheckDispatch+0x69
fffff880`035169b0 fffff800`02c6d25b : 00000000`00000000 fffff800`02eb0c40 00000000`00000000 00000000`00000003 : nt!KiPageFault+0x260
fffff880`03516b40 fffff800`02c62a60 : 00000000`00000001 00000000`00000008 00000000`00000001 fffff800`02eb0c40 : nt!ExpScanGeneralLookasideList+0xa0
fffff880`03516ba0 fffff800`02c62fae : 00000000`00000008 fffff880`03516c10 00000000`00000001 fffffa80`00000000 : nt!ExAdjustLookasideDepth+0x40
fffff880`03516bd0 fffff800`02f1473a : fffffa80`03579530 00000000`00000080 fffffa80`0355b890 00000000`00000001 : nt!KeBalanceSetManager+0x1be
fffff880`03516d40 fffff800`02c698e6 : fffff880`03100180 fffffa80`03579530 fffff880`0310afc0 00000000`00000000 : nt!PspSystemThreadStartup+0x5a
fffff880`03516d80 00000000`00000000 : fffff880`03517000 fffff880`03511000 fffff880`03516700 00000000`00000000 : nt!KxStartSystemThread+0x16
STACK_COMMAND: kb
FOLLOWUP_IP:
nt!ExpScanGeneralLookasideList+a0
fffff800`02c6d25b 418b40d8 mov eax,dword ptr [r8-28h]
SYMBOL_STACK_INDEX: 3
SYMBOL_NAME: nt!ExpScanGeneralLookasideList+a0
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: nt
IMAGE_NAME: ntkrnlmp.exe
DEBUG_FLR_IMAGE_TIMESTAMP: 531590fb
IMAGE_VERSION: 6.1.7601.18409
FAILURE_BUCKET_ID: X64_0xA_nt!ExpScanGeneralLookasideList+a0
BUCKET_ID: X64_0xA_nt!ExpScanGeneralLookasideList+a0
ANALYSIS_SOURCE: KM
FAILURE_ID_HASH_STRING: km:x64_0xa_nt!expscangenerallookasidelist+a0
FAILURE_ID_HASH: {2d4aa3ce-d2f6-a1c2-6e10-dc77b60dfba4}
Followup: MachineOwner
---------
正如您所看到的,我的一个驱动程序()有故障DEFAULT_BUCKET_ID: WIN7_DRIVER_FAULT
,但它没有告诉我哪一个?
我该如何找到有故障的驱动程序?
更新
再次出现蓝屏并重新启动后,没有Bugcheck
记录任何事件,但219 (212)
记录了一个事件 ID:,内容如下:
The driver \Driver\WUDFRd failed to load for the device WpdBusEnumRoot\UMB\2&37c186b&0&STORAGE#VOLUME#_??
_USBSTOR#DISK&VEN_GENERIC-&PROD_COMPACT_FLASH&REV_1.01#058F63626420&1#.