Windows 蓝屏分析简明教程

前言 & 工具准备

今天室友的电脑蓝屏了... 虽然以前就经常发生
所以我们来康康是怎么回事!

工欲善其事,必先利其器

在 Microsoft Store 上获取 windbg

简明操作流程

  1. 在 WinDbg 界面上的 文件 菜单中选择 Settings
  2. Debugging settings 选项卡的 Symbol path 栏中输入SRV*c:\temp*http://msdl.microsoft.com/download/symbols
  3. 接着 文件 菜单中选择 open dump file
  4. 然后浏览并选择打开 minidump 目录下的文件,一般路径为:C:\Windows\Minidump\XXXXXX-XXXX-XX.dmp
  5. 等待系统下载 Symbol 并分析完毕
  6. 当出现 Use !analyze -v to get detailed debugging information 时,在下面输入框:!analyze –v 或直接点击 !analyze –v

此时会出现类似如下的信息:

*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced.  This cannot be protected by try-except.
Typically the address is just plain bad or it is pointing at freed memory.
Arguments:
Arg1: ffff8289b2e75b90, memory referenced.
Arg2: 0000000000000011, value 0 = read operation, 1 = write operation.
Arg3: ffff8289b2e75b90, If non-zero, the instruction address which referenced the bad memory
    address.
Arg4: 0000000000000002, (reserved)

Debugging Details:
------------------


Could not read faulting driver name

KEY_VALUES_STRING: 1

    Key  : Analysis.CPU.Sec
    Value: 2

    Key  : Analysis.DebugAnalysisProvider.CPP
    Value: Create: 8007007e on ELUXWORKSTATION

    Key  : Analysis.DebugData
    Value: CreateObject

    Key  : Analysis.DebugModel
    Value: CreateObject

    Key  : Analysis.Elapsed.Sec
    Value: 2

    Key  : Analysis.Memory.CommitPeak.Mb
    Value: 90

    Key  : Analysis.System
    Value: CreateObject


DUMP_FILE_ATTRIBUTES: 0x8
  Kernel Generated Triage Dump

BUGCHECK_CODE:  50

BUGCHECK_P1: ffff8289b2e75b90

BUGCHECK_P2: 11

BUGCHECK_P3: ffff8289b2e75b90

BUGCHECK_P4: 2

WRITE_ADDRESS: fffff8057fd733b8: Unable to get MiVisibleState
Unable to get NonPagedPoolStart
Unable to get NonPagedPoolEnd
Unable to get PagedPoolStart
Unable to get PagedPoolEnd
fffff8057fc2a3c8: Unable to get Flags value from nt!KdVersionBlock
fffff8057fc2a3c8: Unable to get Flags value from nt!KdVersionBlock
unable to get nt!MmSpecialPagesInUse
 ffff8289b2e75b90 

MM_INTERNAL_CODE:  2

BLACKBOXBSD: 1 (!blackboxbsd)


BLACKBOXNTFS: 1 (!blackboxntfs)


BLACKBOXWINLOGON: 1

CUSTOMER_CRASH_COUNT:  1

PROCESS_NAME:  LEDKeeper.exe

TRAP_FRAME:  ffffd48056b48300 -- (.trap 0xffffd48056b48300)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=00000000c000000d rbx=0000000000000000 rcx=0000000080000000
rdx=000000000000004e rsi=0000000000000000 rdi=0000000000000000
rip=ffff8289b2e75b90 rsp=ffffd48056b48498 rbp=fffff8057fea711b
 r8=0000000000000000  r9=ffffd48056b48438 r10=0000000000000011
r11=0000000000000011 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei ng nz ac po nc
ffff8289`b2e75b90 fe              ???
Resetting default scope

STACK_TEXT:  
ffffd480`56b48058 fffff805`7f9e35d6 : 00000000`00000050 ffff8289`b2e75b90 00000000`00000011 ffffd480`56b48300 : nt!KeBugCheckEx
ffffd480`56b48060 fffff805`7f872eef : ffffa404`f90f6c50 00000000`00000011 00000000`00000000 ffff8289`b2e75b90 : nt!MiSystemFault+0x1d6866
ffffd480`56b48160 fffff805`7f9cf520 : 00000000`00000001 fffff805`7fe1feb3 00000000`000000cb 00000000`00000001 : nt!MmAccessFault+0x34f
ffffd480`56b48300 ffff8289`b2e75b90 : fffff805`7fdebe01 00000000`00000000 ffff8289`00000000 ffff8289`00000800 : nt!KiPageFault+0x360
ffffd480`56b48498 fffff805`7fdebe01 : 00000000`00000000 ffff8289`00000000 ffff8289`00000800 fffff805`7ff89b00 : 0xffff8289`b2e75b90
ffffd480`56b484a0 00000000`00000000 : 00000000`00000000 ffff8289`00000000 00000000`00000000 00000000`00000000 : nt!ObpIncrementHandleCountEx+0x271


SYMBOL_NAME:  nt!MiSystemFault+1d6866

MODULE_NAME: nt

IMAGE_VERSION:  10.0.18362.476

STACK_COMMAND:  .thread ; .cxr ; kb

IMAGE_NAME:  memory_corruption

BUCKET_ID_FUNC_OFFSET:  1d6866

FAILURE_BUCKET_ID:  AV_INVALID_nt!MiSystemFault

OSPLATFORM_TYPE:  x64

OSNAME:  Windows 10

FAILURE_ID_HASH:  {8a33c6b1-a9f1-4efe-025b-a861cc33d6e2}

Followup:     MachineOwner
---------

通常情况下,我们只需要关注

PROCESS_NAME:  XXXXXXX

这一行即可大致确定引起系统蓝屏的原因。
比如本次分析中蓝屏是由 LEDKeeper.exe 所引起。
通过搜索我们可以得知它属于 MSI MysticLight
这是一个微星主板的灯光控制软件,没啥子用。直接卸载!
到这里,基本上已经分析结束了。要么解决问题,要么果断放弃。

更详细的信息可以输入 !process 来查看:

5: kd> !process
PROCESS ffff8289b44c4080
    SessionId: none  Cid: 1d10    Peb: 00734000  ParentCid: 0578
    DirBase: 130af8000  ObjectTable: ffffa404def9bc00  HandleCount: <Data Not Accessible>
    Image: LEDKeeper.exe
    VadRoot ffff8289b79cbb70 Vads 325 Clone 0 Private 5560. Modified 5514. Locked 485.
    DeviceMap ffffa404da1d3190
    Token                             ffffa404df09a770
    ReadMemory error: Cannot get nt!KeMaximumIncrement value.
fffff78000000000: Unable to get shared data
    ElapsedTime                       00:00:00.000
    UserTime                          00:00:00.000
    KernelTime                        00:00:00.000
    QuotaPoolUsage[PagedPool]         610016
    QuotaPoolUsage[NonPagedPool]      47632
    Working Set Sizes (now,min,max)  (5089, 50, 345) (20356KB, 200KB, 1380KB)
    PeakWorkingSetSize                15214
    VirtualSize                       429 Mb
    PeakVirtualSize                   460 Mb
    PageFaultCount                    33009
    MemoryPriority                    BACKGROUND
    BasePriority                      6
    CommitCharge                      12664
    Job                               ffff8289b304f060

        *** Error in reading nt!_ETHREAD @ ffff8289b4473080
本文链接: https://blog.frostmiku.com/archives/12/
1 + 7 =
快来做第一个评论的人吧~