Preface & Tool Preparation
My roommate's computer blue-screened today... although that has happened often before.
So let's take a look at what is going on!
To do a good job, one must first sharpen one's tools.
Get WinDbg from the Microsoft Store.
Quick walkthrough
- In WinDbg, choose Settings from the File menu.
- On the Debugging settings tab, enter the following in the Symbol path field:
SRV*c:\temp*http://msdl.microsoft.com/download/symbols
- Then choose Open dump file from the File menu.
- Browse to and open the file in the minidump directory; the path is usually:
C:\Windows\Minidump\XXXXXX-XXXX-XX.dmp
- Wait for the symbols to download and the analysis to finish.
- When
Use !analyze -v to get detailed debugging information
appears, type !analyze -v in the command box below,
or simply click the !analyze -v link.
Output similar to the following will then appear:
```
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except.
Typically the address is just plain bad or it is pointing at freed memory.
Arguments:
Arg1: ffff8289b2e75b90, memory referenced.
Arg2: 0000000000000011, value 0 = read operation, 1 = write operation.
Arg3: ffff8289b2e75b90, If non-zero, the instruction address which referenced the bad memory
address.
Arg4: 0000000000000002, (reserved)
Debugging Details:
------------------
Could not read faulting driver name
KEY_VALUES_STRING: 1
Key : Analysis.CPU.Sec
Value: 2
Key : Analysis.DebugAnalysisProvider.CPP
Value: Create: 8007007e on ELUXWORKSTATION
Key : Analysis.DebugData
Value: CreateObject
Key : Analysis.DebugModel
Value: CreateObject
Key : Analysis.Elapsed.Sec
Value: 2
Key : Analysis.Memory.CommitPeak.Mb
Value: 90
Key : Analysis.System
Value: CreateObject
DUMP_FILE_ATTRIBUTES: 0x8
Kernel Generated Triage Dump
BUGCHECK_CODE: 50
BUGCHECK_P1: ffff8289b2e75b90
BUGCHECK_P2: 11
BUGCHECK_P3: ffff8289b2e75b90
BUGCHECK_P4: 2
WRITE_ADDRESS: fffff8057fd733b8: Unable to get MiVisibleState
Unable to get NonPagedPoolStart
Unable to get NonPagedPoolEnd
Unable to get PagedPoolStart
Unable to get PagedPoolEnd
fffff8057fc2a3c8: Unable to get Flags value from nt!KdVersionBlock
fffff8057fc2a3c8: Unable to get Flags value from nt!KdVersionBlock
unable to get nt!MmSpecialPagesInUse
ffff8289b2e75b90
MM_INTERNAL_CODE: 2
BLACKBOXBSD: 1 (!blackboxbsd)
BLACKBOXNTFS: 1 (!blackboxntfs)
BLACKBOXWINLOGON: 1
CUSTOMER_CRASH_COUNT: 1
PROCESS_NAME: LEDKeeper.exe
TRAP_FRAME: ffffd48056b48300 -- (.trap 0xffffd48056b48300)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=00000000c000000d rbx=0000000000000000 rcx=0000000080000000
rdx=000000000000004e rsi=0000000000000000 rdi=0000000000000000
rip=ffff8289b2e75b90 rsp=ffffd48056b48498 rbp=fffff8057fea711b
r8=0000000000000000 r9=ffffd48056b48438 r10=0000000000000011
r11=0000000000000011 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei ng nz ac po nc
ffff8289`b2e75b90 fe ???
Resetting default scope
STACK_TEXT:
ffffd480`56b48058 fffff805`7f9e35d6 : 00000000`00000050 ffff8289`b2e75b90 00000000`00000011 ffffd480`56b48300 : nt!KeBugCheckEx
ffffd480`56b48060 fffff805`7f872eef : ffffa404`f90f6c50 00000000`00000011 00000000`00000000 ffff8289`b2e75b90 : nt!MiSystemFault+0x1d6866
ffffd480`56b48160 fffff805`7f9cf520 : 00000000`00000001 fffff805`7fe1feb3 00000000`000000cb 00000000`00000001 : nt!MmAccessFault+0x34f
ffffd480`56b48300 ffff8289`b2e75b90 : fffff805`7fdebe01 00000000`00000000 ffff8289`00000000 ffff8289`00000800 : nt!KiPageFault+0x360
ffffd480`56b48498 fffff805`7fdebe01 : 00000000`00000000 ffff8289`00000000 ffff8289`00000800 fffff805`7ff89b00 : 0xffff8289`b2e75b90
ffffd480`56b484a0 00000000`00000000 : 00000000`00000000 ffff8289`00000000 00000000`00000000 00000000`00000000 : nt!ObpIncrementHandleCountEx+0x271
SYMBOL_NAME: nt!MiSystemFault+1d6866
MODULE_NAME: nt
IMAGE_VERSION: 10.0.18362.476
STACK_COMMAND: .thread ; .cxr ; kb
IMAGE_NAME: memory_corruption
BUCKET_ID_FUNC_OFFSET: 1d6866
FAILURE_BUCKET_ID: AV_INVALID_nt!MiSystemFault
OSPLATFORM_TYPE: x64
OSNAME: Windows 10
FAILURE_ID_HASH: {8a33c6b1-a9f1-4efe-025b-a861cc33d6e2}
Followup: MachineOwner
---------
```
Usually we only need to look at the PROCESS_NAME line to get a rough idea of what caused the blue screen.
In this analysis, for example, the crash was caused by LEDKeeper.exe.
A quick search tells us it belongs to MSI Mystic Light,
the RGB lighting control software for MSI motherboards, which is of no use at all. Just uninstall it!
At this point the analysis is basically finished: either fix the problem or decisively give up.
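As an added example (not code from the original post), here is a small Python triage script that parses the !analyze -v output above, using an excerpt of this page's own output as its embedded sample input. Besides the bugcheck arguments and the process context, it checks whether the faulting instruction address (Arg3) is the bad address itself, which frame called into it, and whether any module other than nt appears on the stack.

```python
import re
# Excerpt of the !analyze -v output shown on this page, embedded as the sample
# input for the parser (only the lines the triage reads are kept).
SAMPLE = """\
BUGCHECK_CODE: 50
Arg1: ffff8289b2e75b90, memory referenced.
Arg3: ffff8289b2e75b90, If non-zero, the instruction address which referenced the bad memory
PROCESS_NAME: LEDKeeper.exe
STACK_TEXT:
ffffd480`56b48300 ffff8289`b2e75b90 : fffff805`7fdebe01 00000000`00000000 ffff8289`00000000 ffff8289`00000800 : nt!KiPageFault+0x360
ffffd480`56b48498 fffff805`7fdebe01 : 00000000`00000000 ffff8289`00000000 ffff8289`00000800 fffff805`7ff89b00 : 0xffff8289`b2e75b90
ffffd480`56b484a0 00000000`00000000 : 00000000`00000000 ffff8289`00000000 00000000`00000000 00000000`00000000 : nt!ObpIncrementHandleCountEx+0x271
IMAGE_NAME: memory_corruption
FAILURE_BUCKET_ID: AV_INVALID_nt!MiSystemFault
"""
FIELD_RE = re.compile(r"^([A-Z][A-Z_0-9]*):\s*(.*)$")          # KEY: value lines
ARG_RE = re.compile(r"^Arg([1-4]):\s*([0-9a-fA-F]+),")          # bugcheck arguments
FRAME_RE = re.compile(r"^[0-9a-f`]{17} [0-9a-f`]{17} : .* : (\S+)$")  # STACK_TEXT rows

def parse_analyze(text):
    """Split !analyze -v output into key/value fields, bugcheck args and stack symbols."""
    fields, args, frames = {}, {}, []
    for line in text.splitlines():
        if m := ARG_RE.match(line):
            args[int(m.group(1))] = int(m.group(2), 16)
        elif m := FRAME_RE.match(line):
            frames.append(m.group(1))
        elif m := FIELD_RE.match(line):
            fields[m.group(1)] = m.group(2).strip()
    return fields, args, frames

def triage(text):
    """Pull out what a responder needs from a bugcheck 0x50 analysis."""
    fields, args, frames = parse_analyze(text)
    code = int(fields.get("BUGCHECK_CODE", "0"), 16)
    # For 0x50, Arg3 is the faulting instruction address. When it equals Arg1
    # the CPU was fetching code from the bad address itself: control flow was
    # transferred into invalid memory (typically a stale callback or function
    # pointer), so the frame below the unresolved "0x..." frame is the caller.
    exec_at_bad = code == 0x50 and args.get(3) == args.get(1)
    caller = next((frames[i + 1] for i, s in enumerate(frames[:-1]) if s.startswith("0x")), None)
    # Any module other than nt on the stack would point at a third-party driver.
    third_party = [s for s in frames if not (s.startswith("nt!") or s.startswith("0x"))]
    return {
        "bugcheck": code, "bad_address": args.get(1),
        "exec_at_bad_address": exec_at_bad, "caller_of_bad_address": caller,
        "third_party_frames": third_party,
        # PROCESS_NAME is the process context at crash time, not proof of blame.
        "process_context": fields.get("PROCESS_NAME"),
        "failure_bucket": fields.get("FAILURE_BUCKET_ID"),
    }
```

Run triage(SAMPLE) on the page's excerpt: it reports execution at the bad address with nt!ObpIncrementHandleCountEx+0x271 as the caller and no third-party frame, so the process name alone is a lead to follow up, not the final answer.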
More detailed information can be viewed by entering !process:
```
5: kd> !process
PROCESS ffff8289b44c4080
SessionId: none Cid: 1d10 Peb: 00734000 ParentCid: 0578
DirBase: 130af8000 ObjectTable: ffffa404def9bc00 HandleCount: <Data Not Accessible>
Image: LEDKeeper.exe
VadRoot ffff8289b79cbb70 Vads 325 Clone 0 Private 5560. Modified 5514. Locked 485.
DeviceMap ffffa404da1d3190
Token ffffa404df09a770
ReadMemory error: Cannot get nt!KeMaximumIncrement value.
fffff78000000000: Unable to get shared data
ElapsedTime 00:00:00.000
UserTime 00:00:00.000
KernelTime 00:00:00.000
QuotaPoolUsage[PagedPool] 610016
QuotaPoolUsage[NonPagedPool] 47632
Working Set Sizes (now,min,max) (5089, 50, 345) (20356KB, 200KB, 1380KB)
PeakWorkingSetSize 15214
VirtualSize 429 Mb
PeakVirtualSize 460 Mb
PageFaultCount 33009
MemoryPriority BACKGROUND
BasePriority 6
CommitCharge 12664
Job ffff8289b304f060
*** Error in reading nt!_ETHREAD @ ffff8289b4473080
```