A colleague of mine just ran into the following BSOD (WinDbg dump analysis):
Microsoft (R) Windows Debugger Version 10.0.14321.1024 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [C:\Users\Moser.jun\Desktop\MEMORY.DMP]
Kernel Bitmap Dump File: Kernel address space is available, User address space may not be available.
Symbol search path is: srv*
Executable search path is:
Windows 8.1 Kernel Version 9600 MP (4 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 9600.18821.amd64fre.winblue_ltsb.170914-0600
Machine Name:
Kernel base = 0xfffff801`20085000 PsLoadedModuleList = 0xfffff801`20357650
Debug session time: Wed Jan 3 09:45:46.515 2018 (UTC + 1:00)
System Uptime: 19 days 23:37:19.924
Loading Kernel Symbols
...............................................................
................................................................
........................
Loading User Symbols
Loading unloaded module list
..................................................
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck C5, {8, 2, 0, fffff80120321210}
Probably caused by : Pool_Corruption ( nt!ExDeferredFreePool+210 )
Followup: Pool_corruption
---------
0: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
DRIVER_CORRUPTED_EXPOOL (c5)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is
caused by drivers that have corrupted the system pool. Run the driver
verifier against any new (or suspect) drivers, and if that doesn't turn up
the culprit, then use gflags to enable special pool.
Arguments:
Arg1: 0000000000000008, memory referenced
Arg2: 0000000000000002, IRQL
Arg3: 0000000000000000, value 0 = read operation, 1 = write operation
Arg4: fffff80120321210, address which referenced memory
Debugging Details:
------------------
DUMP_CLASS: 1
DUMP_QUALIFIER: 401
BUILD_VERSION_STRING: 9600.18821.amd64fre.winblue_ltsb.170914-0600
SYSTEM_MANUFACTURER: System manufacturer
SYSTEM_PRODUCT_NAME: System Product Name
SYSTEM_SKU: SKU
SYSTEM_VERSION: System Version
BIOS_VENDOR: American Megatrends Inc.
BIOS_VERSION: 3404
BIOS_DATE: 07/10/2017
BASEBOARD_MANUFACTURER: ASUSTeK COMPUTER INC.
BASEBOARD_PRODUCT: H170M-PLUS
BASEBOARD_VERSION: Rev X.0x
DUMP_TYPE: 1
BUGCHECK_P1: 8
BUGCHECK_P2: 2
BUGCHECK_P3: 0
BUGCHECK_P4: fffff80120321210
BUGCHECK_STR: 0xC5_2
CURRENT_IRQL: 2
FAULTING_IP:
nt!ExDeferredFreePool+210
fffff801`20321210 49394208 cmp qword ptr [r10+8],rax
CPU_COUNT: 4
CPU_MHZ: e70
CPU_VENDOR: GenuineIntel
CPU_FAMILY: 6
CPU_MODEL: 5e
CPU_STEPPING: 3
CPU_MICROCODE: 6,5e,3,0 (F,M,S,R) SIG: BA'00000000 (cache) BA'00000000 (init)
DEFAULT_BUCKET_ID: WIN8_DRIVER_FAULT
PROCESS_NAME: System
ANALYSIS_SESSION_HOST: ENTENHAUSEN
ANALYSIS_SESSION_TIME: 01-03-2018 10:39:38.0787
ANALYSIS_VERSION: 10.0.14321.1024 amd64fre
TRAP_FRAME: ffffd0013b971260 -- (.trap 0xffffd0013b971260)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=ffffe00011451010 rbx=0000000000000000 rcx=ffffe00011451000
rdx=ffffe0000e488cc0 rsi=0000000000000000 rdi=0000000000000000
rip=fffff80120321210 rsp=ffffd0013b9713f0 rbp=0000000000000006
r8=ffffe00011451110 r9=0000000000000000 r10=0000000000000000
r11=0000000000000001 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei ng nz ac po cy
nt!ExDeferredFreePool+0x210:
fffff801`20321210 49394208 cmp qword ptr [r10+8],rax ds:00000000`00000008=????????????????
Resetting default scope
LAST_CONTROL_TRANSFER: from fffff801201de6e9 to fffff801201d2ba0
STACK_TEXT:
ffffd001`3b971118 fffff801`201de6e9 : 00000000`0000000a 00000000`00000008 00000000`00000002 00000000`00000000 : nt!KeBugCheckEx
ffffd001`3b971120 fffff801`201dcf3a : 00000000`00000000 00000000`00000000 ffffd001`3b971300 ffffd001`3b971480 : nt!KiBugCheckDispatch+0x69
ffffd001`3b971260 fffff801`20321210 : ffffe000`0971fe50 00000000`00000000 fffff800`1c8b8010 fffff800`1c8b8010 : nt!KiPageFault+0x23a
ffffd001`3b9713f0 fffff801`20321cde : ffffe000`0f6116b0 ffffe000`0db07ee0 00000000`00000000 00000000`00000002 : nt!ExDeferredFreePool+0x210
ffffd001`3b971470 fffff800`1c899ec7 : 00000000`00000000 00000000`00000705 00000000`00000000 ffffe000`00000012 : nt!ExFreePoolWithTag+0x84e
ffffd001`3b971560 fffff801`204e28ab : 00000000`00000000 fffff801`20171950 00000000`00000001 00000000`00000705 : fltmgr!ExFreeToNPagedLookasideList+0x3f
ffffd001`3b971590 fffff800`1d1b4fc9 : ffffc001`ff6dbc30 ffffe000`0db07ef8 ffffe000`05e6b180 00000000`00000706 : nt!FsRtlTeardownPerStreamContexts+0x53
ffffd001`3b971600 fffff800`1d1aa359 : ffffc001`f95b0705 ffffc001`f95be9b0 00000000`01010000 ffffe000`0af92d00 : Ntfs!NtfsDeleteScb+0x399
ffffd001`3b9716b0 fffff800`1d1047ff : ffffe000`0af92e68 ffffc001`ff6dbc30 ffffe000`06d7cbc0 ffffc001`ff6dbc30 : Ntfs!NtfsRemoveScb+0x99
ffffd001`3b9716f0 fffff800`1d1ad880 : ffffc001`ff6dbb00 ffffd001`3b971940 ffffc001`ff6dbb00 ffffc001`f95bed80 : Ntfs!NtfsPrepareFcbForRemoval+0xd0
ffffd001`3b971730 fffff800`1d10b680 : ffffe000`1141d708 ffffc001`ff6dbb00 ffffc001`ff6dbed0 ffffc001`ff6dbb00 : Ntfs!NtfsTeardownStructures+0x90
ffffd001`3b9717b0 fffff800`1d1cab24 : ffffd001`3b971978 ffffd001`3b971940 ffffc001`ff6dbb00 ffffc001`00000009 : Ntfs!NtfsDecrementCloseCounts+0xd4
ffffd001`3b9717f0 fffff800`1d1b587d : ffffe000`1141d708 ffffc001`ff6dbc30 ffffc001`ff6dbb00 ffffe000`05e6b180 : Ntfs!NtfsCommonClose+0x3a4
ffffd001`3b9718c0 fffff801`200b916f : fffff800`1d0f6d00 fffff800`1d1b5af0 fffff801`20366810 00000000`00000000 : Ntfs!NtfsFspCloseInternal+0x1bd
ffffd001`3b971a50 fffff801`2017f0ec : 00000000`00000000 ffffe000`11a8c880 00000000`00000080 ffffe000`11a8c880 : nt!ExpWorkerThread+0x69f
ffffd001`3b971b00 fffff801`201d91c6 : ffffd001`38bdc180 ffffe000`11a8c880 ffffe000`1042c080 ffffc001`ded34b00 : nt!PspSystemThreadStartup+0x58
ffffd001`3b971b60 00000000`00000000 : ffffd001`3b972000 ffffd001`3b96b000 00000000`00000000 00000000`00000000 : nt!KiStartSystemThread+0x16
STACK_COMMAND: kb
THREAD_SHA1_HASH_MOD_FUNC: 91bc5dcc2f28788287498b51b1431a5b38f43a69
THREAD_SHA1_HASH_MOD_FUNC_OFFSET: e412af08c052f9f9f437c10866c305ce52bc5b31
THREAD_SHA1_HASH_MOD: e60d1a6255db43ff4391f6046183a99a712d0945
FOLLOWUP_IP:
nt!ExDeferredFreePool+210
fffff801`20321210 49394208 cmp qword ptr [r10+8],rax
FAULT_INSTR_CODE: 8423949
SYMBOL_STACK_INDEX: 3
SYMBOL_NAME: nt!ExDeferredFreePool+210
FOLLOWUP_NAME: Pool_corruption
IMAGE_NAME: Pool_Corruption
DEBUG_FLR_IMAGE_TIMESTAMP: 0
MODULE_NAME: Pool_Corruption
BUCKET_ID_FUNC_OFFSET: 210
FAILURE_BUCKET_ID: 0xC5_2_nt!ExDeferredFreePool
BUCKET_ID: 0xC5_2_nt!ExDeferredFreePool
PRIMARY_PROBLEM_CLASS: 0xC5_2_nt!ExDeferredFreePool
TARGET_TIME: 2018-01-03T08:45:46.000Z
OSBUILD: 9600
OSSERVICEPACK: 0
SERVICEPACK_NUMBER: 0
OS_REVISION: 0
SUITE_MASK: 272
PRODUCT_TYPE: 1
OSPLATFORM_TYPE: x64
OSNAME: Windows 8.1
OSEDITION: Windows 8.1 WinNt TerminalServer SingleUserTS
OS_LOCALE:
USER_LCID: 0
OSBUILD_TIMESTAMP: 2017-09-14 15:34:00
BUILDDATESTAMP_STR: 170914-0600
BUILDLAB_STR: winblue_ltsb
BUILDOSVER_STR: 6.3.9600.18821.amd64fre.winblue_ltsb.170914-0600
ANALYSIS_SESSION_ELAPSED_TIME: 53f
ANALYSIS_SOURCE: KM
FAILURE_ID_HASH_STRING: km:0xc5_2_nt!exdeferredfreepool
FAILURE_ID_HASH: {0e971f5b-bd0d-a80e-a2c0-cd331176cf49}
Followup: Pool_corruption
---------
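Normally I would expect the stack trace to contain some third-party driver that points to the source of the problem (a driver, or hardware controlled by a driver). In this case, however, I only see file system routines (repeated here for convenience):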
nt!KeBugCheckEx
nt!KiBugCheckDispatch+0x69
nt!KiPageFault+0x23a
nt!ExDeferredFreePool+0x210
nt!ExFreePoolWithTag+0x84e
fltmgr!ExFreeToNPagedLookasideList+0x3f
nt!FsRtlTeardownPerStreamContexts+0x53
Ntfs!NtfsDeleteScb+0x399
Ntfs!NtfsRemoveScb+0x99
Ntfs!NtfsPrepareFcbForRemoval+0xd0
Ntfs!NtfsTeardownStructures+0x90
Ntfs!NtfsDecrementCloseCounts+0xd4
Ntfs!NtfsCommonClose+0x3a4
Ntfs!NtfsFspCloseInternal+0x1bd
nt!ExpWorkerThread+0x69f
nt!PspSystemThreadStartup+0x58
nt!KiStartSystemThread+0x16
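Can anything about the cause of the problem be inferred from this (for example, that there is a problem with the SSD, since NTFS is involved)?
(To rule out the usual suspects: no hardware, software or driver changes were made recently. Apart from Windows Defender definition updates, no Windows updates were installed in the past two weeks either.)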