crackback
27-11-2022, 23:12
Hi, I have a couple of dump files in which, according to some people, you can see that the RAM is on its way out and that is why the blue screens of death are happening.
So here is my question: I installed Windows DBG, and when I launch it, it prints the following:
Microsoft (R) Windows Debugger Version 10.0.22621.755 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [C:\Users\vovan\OneDrive\Рабочий стол\111122-7968-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available
************* Path validation summary **************
Response Time (ms) Location
Deferred SRV*%systemdrive%\symbols*http://msdl.microsoft.com/download/symbols
Deferred symsrv*symsrv.dll*c:\symbols* http://msdl.microsoft.com/download/symbols
Symbol search path is: SRV*%systemdrive%\symbols*http://msdl.microsoft.com/download/symbols;symsrv*symsrv.dll*c:\symbols* http://msdl.microsoft.com/download/symbols
Executable search path is:
DBGHELP: %systemdrive%\symbols*http://msdl.microsoft.com/download/symbols is not a valid store
Windows 10 Kernel Version 19041 MP (12 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS Personal
Edition build lab: 19041.1.amd64fre.vb_release.191206-1406
Machine Name:
Kernel base = 0xfffff804`36600000 PsLoadedModuleList = 0xfffff804`3722a290
Debug session time: Fri Nov 11 20:46:26.280 2022 (UTC + 3:00)
System Uptime: 0 days 0:09:13.928
DBGHELP: %systemdrive%\symbols*http://msdl.microsoft.com/download/symbols is not a valid store
Loading Kernel Symbols
.
DBGHELP: %systemdrive%\symbols*http://msdl.microsoft.com/download/symbols is not a valid store
..............................................................
................................................................
................................................................
...............
Loading User Symbols
Loading unloaded module list
.......
For analysis of this file, run !analyze -v
What actually worries me is this line:
DBGHELP: %systemdrive%\symbols*http://msdl.microsoft.com/download/symbols is not a valid store
Does that mean there is no connection to the server, or what is wrong?
If I run the analysis, it is the same there:
6: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
KERNEL_SECURITY_CHECK_FAILURE (139)
A kernel component has corrupted a critical data structure. The corruption
could potentially allow a malicious user to gain control of this machine.
Arguments:
Arg1: 000000000000001d, An RTL_BALANCED_NODE RBTree entry has been corrupted.
Arg2: fffff60971519b00, Address of the trap frame for the exception that caused the BugCheck
Arg3: fffff60971519a58, Address of the exception record for the exception that caused the BugCheck
Arg4: 0000000000000000, Reserved
Debugging Details:
------------------
DBGHELP: %systemdrive%\symbols*http://msdl.microsoft.com/download/symbols is not a valid store
DBGHELP: %systemdrive%\symbols*http://msdl.microsoft.com/download/symbols is not a valid store
DBGHELP: %systemdrive%\symbols*http://msdl.microsoft.com/download/symbols is not a valid store
DBGHELP: %systemdrive%\symbols*http://msdl.microsoft.com/download/symbols is not a valid store
DBGHELP: %systemdrive%\symbols*http://msdl.microsoft.com/download/symbols is not a valid store
DBGHELP: %systemdrive%\symbols*http://msdl.microsoft.com/download/symbols is not a valid store
DBGHELP: %systemdrive%\symbols*http://msdl.microsoft.com/download/symbols is not a valid store
DBGHELP: %systemdrive%\symbols*http://msdl.microsoft.com/download/symbols is not a valid store
DBGHELP: %systemdrive%\symbols*http://msdl.microsoft.com/download/symbols is not a valid store
DBGHELP: %systemdrive%\symbols*http://msdl.microsoft.com/download/symbols is not a valid store
DBGHELP: %systemdrive%\symbols*http://msdl.microsoft.com/download/symbols is not a valid store
DBGHELP: %systemdrive%\symbols*http://msdl.microsoft.com/download/symbols is not a valid store
DBGHELP: %systemdrive%\symbols*http://msdl.microsoft.com/download/symbols is not a valid store
DBGHELP: %systemdrive%\symbols*http://msdl.microsoft.com/download/symbols is not a valid store
DBGHELP: %systemdrive%\symbols*http://msdl.microsoft.com/download/symbols is not a valid store
DBGHELP: %systemdrive%\symbols*http://msdl.microsoft.com/download/symbols is not a valid store
DBGHELP: %systemdrive%\symbols*http://msdl.microsoft.com/download/symbols is not a valid store
DBGHELP: %systemdrive%\symbols*http://msdl.microsoft.com/download/symbols is not a valid store
DBGHELP: %systemdrive%\symbols*http://msdl.microsoft.com/download/symbols is not a valid store
DBGHELP: %systemdrive%\symbols*http://msdl.microsoft.com/download/symbols is not a valid store
KEY_VALUES_STRING: 1
Key : Analysis.CPU.mSec
Value: 4968
Key : Analysis.DebugAnalysisManager
Value: Create
Key : Analysis.Elapsed.mSec
Value: 7439
Key : Analysis.Init.CPU.mSec
Value: 4437
Key : Analysis.Init.Elapsed.mSec
Value: 261712
Key : Analysis.Memory.CommitPeak.Mb
Value: 89
Key : FailFast.Name
Value: INVALID_BALANCED_TREE
Key : FailFast.Type
Value: 29
Key : WER.OS.Branch
Value: vb_release
Key : WER.OS.Timestamp
Value: 2019-12-06T14:06:00Z
Key : WER.OS.Version
Value: 10.0.19041.1
FILE_IN_CAB: 111122-7968-01.dmp
BUGCHECK_CODE: 139
BUGCHECK_P1: 1d
BUGCHECK_P2: fffff60971519b00
BUGCHECK_P3: fffff60971519a58
BUGCHECK_P4: 0
TRAP_FRAME: fffff60971519b00 -- (.trap 0xfffff60971519b00)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=0000000000000000 rbx=0000000000000000 rcx=000000000000001d
rdx=ffff81064b52cfb8 rsi=0000000000000000 rdi=0000000000000000
rip=fffff80436a24d2f rsp=fffff60971519c98 rbp=000000000000009a
r8=ffff8106481ca008 r9=0000000000000000 r10=0000000000000000
r11=ffff81064aa2cfb8 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei pl nz ac po cy
nt!RtlRbRemoveNode+0x1feaff:
fffff804`36a24d2f cd29 int 29h
Resetting default scope
EXCEPTION_RECORD: fffff60971519a58 -- (.exr 0xfffff60971519a58)
ExceptionAddress: fffff80436a24d2f (nt!RtlRbRemoveNode+0x00000000001feaff)
ExceptionCode: c0000409 (Security check failure or stack buffer overrun)
ExceptionFlags: 00000001
NumberParameters: 1
Parameter[0]: 000000000000001d
Subcode: 0x1d FAST_FAIL_INVALID_BALANCED_TREE
BLACKBOXBSD: 1 (!blackboxbsd)
BLACKBOXNTFS: 1 (!blackboxntfs)
BLACKBOXWINLOGON: 1
CUSTOMER_CRASH_COUNT: 1
PROCESS_NAME: msedge.exe
ERROR_CODE: (NTSTATUS) 0xc0000409 - . .
EXCEPTION_CODE_STR: c0000409
EXCEPTION_PARAMETER1: 000000000000001d
EXCEPTION_STR: 0xc0000409
STACK_TEXT:
fffff609`715197d8 fffff804`36a0af69 : 00000000`00000139 00000000`0000001d fffff609`71519b00 fffff609`71519a58 : nt!KeBugCheckEx
fffff609`715197e0 fffff804`36a0b390 : 00000000`00000004 00000000`00000000 00000000`00000000 fffff804`3a3e8e32 : nt!KiBugCheckDispatch+0x69
fffff609`71519920 fffff804`36a09723 : fffff804`3a3d3048 00000000`00000000 00000000`00000004 00000000`00000016 : nt!KiFastFailDispatch+0xd0
fffff609`71519b00 fffff804`36a24d2f : 00000045`00030000 00010003`009a0001 fffff804`36825ff0 00000000`0000009a : nt!KiRaiseSecurityCheckFailure+0x323
fffff609`71519c98 fffff804`36825ff0 : 00000000`0000009a ffff8106`4b52cfe0 00000000`00000000 ffff8106`4b52cfb0 : nt!RtlRbRemoveNode+0x1feaff
fffff609`71519cb0 fffff804`36825a38 : ffff8106`37c02280 ffff8106`4b524000 ffff8106`37c02280 fffff609`71519db8 : nt!RtlpHpVsChunkCoalesce+0xb0
fffff609`71519d10 fffff804`368243c4 : ffff8106`00000000 ffff8106`00000000 00000000`00000000 ffff8106`00000000 : nt!RtlpHpVsContextFree+0x188
fffff609`71519db0 fffff804`36fb2019 : ffff8106`000002d0 00000000`00000238 00000000`00000000 01000000`00100000 : nt!ExFreeHeapPool+0x4d4
fffff609`71519e90 fffff804`50e8220c : 000000c2`1f9fe450 00000000`00000000 000000c2`1f9fe450 00000000`00000000 : nt!ExFreePool+0x9
fffff609`71519ec0 fffff804`50e82738 : 00000000`00000000 ffff8106`4c6f8c90 ffff8106`4c6f8bc0 000000c2`1f9fe450 : nsiproxy!NsippGetAllParameters+0x36c
fffff609`7151a0b0 fffff804`3682a6b5 : 00000000`00000002 00000000`00000000 ffff8106`4cc3c9d0 ffff8106`385c5850 : nsiproxy!NsippDispatch+0xd8
fffff609`7151a100 fffff804`36c14848 : ffff8106`4c6f8bc0 00000000`00000000 00000000`00000000 00000000`00000068 : nt!IofCallDriver+0x55
fffff609`7151a140 fffff804`36c14647 : 00000000`00000000 fffff609`7151a480 00000000`00040800 fffff609`7151a480 : nt!IopSynchronousServiceTail+0x1a8
fffff609`7151a1e0 fffff804`36c139c6 : 00000000`00000001 00000000`000004c0 00000000`00000000 00000000`00000000 : nt!IopXxxControlFile+0xc67
fffff609`7151a320 fffff804`36a0a9b5 : ffff8106`4896f080 000000c2`1f9fe268 fffff609`7151a3a8 00000000`00000000 : nt!NtDeviceIoControlFile+0x56
fffff609`7151a390 00007fff`2ec0d0e4 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x25
000000c2`1f9fe2f8 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x00007fff`2ec0d0e4
SYMBOL_NAME: nsiproxy!NsippGetAllParameters+36c
MODULE_NAME: nsiproxy
IMAGE_NAME: nsiproxy.sys
IMAGE_VERSION: 10.0.19041.546
STACK_COMMAND: .cxr; .ecxr ; kb
BUCKET_ID_FUNC_OFFSET: 36c
FAILURE_BUCKET_ID: 0x139_1d_INVALID_BALANCED_TREE_nsiproxy!NsippGetAllParameters
OS_VERSION: 10.0.19041.1
BUILDLAB_STR: vb_release
OSPLATFORM_TYPE: x64
OSNAME: Windows 10
FAILURE_ID_HASH: {c2bafe47-ad53-38ea-8e04-206ba485bd57}
Followup: MachineOwner
---------
A properly configured WinDBG should show something like:
MODULE_NAME: memory_corruption
In case it matters, my laptop runs Windows 10 Home x64 (licensed).