artem63ru
22-01-2014, 18:32
I first analyzed the dumps with BlueScreenView; in it the two before the last point at ntoskrl.sys and the last one at ntfs.sys, but klif.sys shows up in all of them as a possible culprit. Then I installed WinDbg, and it points at klif.sys right away, but after running kd> !analyze -v there is no trace of Kaspersky at all. Here is the listing
Microsoft (R) Windows Debugger Version 6.12.0002.633 X86
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [C:\WINDOWS\Minidump\Mini011114-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available
Symbol search path is: C:\symbols
Executable search path is:
Windows XP Kernel Version 2600 (Service Pack 3) MP (4 procs) Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 2600.xpsp.080413-2111
Machine Name:
Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055d720
Debug session time: Sat Jan 11 10:17:14.920 2014 (UTC + 4:00)
System Uptime: 24 days 14:43:50.966
Loading Kernel Symbols
...............................................................
........................................................
Loading User Symbols
Loading unloaded module list
..................................................
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck F4, {3, 899083b8, 8990852c, 805d2970}
Unable to load image klif.sys, Win32 error 0n2
*** WARNING: Unable to verify timestamp for klif.sys
*** ERROR: Module load completed but symbols could not be loaded for klif.sys
unable to get nt!KiCurrentEtwBufferOffset
unable to get nt!KiCurrentEtwBufferBase
Probably caused by : hardware_disk
Followup: MachineOwner
---------
3: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************
CRITICAL_OBJECT_TERMINATION (f4)
A process or thread crucial to system operation has unexpectedly exited or been
terminated.
Several processes and threads are necessary for the operation of the
system; when they are terminated (for any reason), the system can no
longer function.
Arguments:
Arg1: 00000003, Process
Arg2: 899083b8, Terminating object
Arg3: 8990852c, Process image file name
Arg4: 805d2970, Explanatory message (ascii)
Debugging Details:
------------------
unable to get nt!KiCurrentEtwBufferOffset
unable to get nt!KiCurrentEtwBufferBase
PROCESS_OBJECT: 899083b8
IMAGE_NAME: hardware_disk
DEBUG_FLR_IMAGE_TIMESTAMP: 0
FAULTING_MODULE: 00000000
PROCESS_NAME: csrss.exe
EXCEPTION_RECORD: b984d9d8 -- (.exr 0xffffffffb984d9d8)
ExceptionAddress: 75b4b3b9
ExceptionCode: c0000006 (In-page I/O error)
ExceptionFlags: 00000000
NumberParameters: 3
Parameter[0]: 00000008
Parameter[1]: 75b4b3b9
Parameter[2]: c000009a
Inpage operation failed at 75b4b3b9, due to I/O error c000009a
EXCEPTION_CODE: (NTSTATUS) 0xc0000006 - <Unable to get error code text>
CUSTOMER_CRASH_COUNT: 1
DEFAULT_BUCKET_ID: DRIVER_FAULT
ERROR_CODE: (NTSTATUS) 0xc0000006 - <Unable to get error code text>
EXCEPTION_PARAMETER1: 00000008
EXCEPTION_PARAMETER2: 75b4b3b9
EXCEPTION_PARAMETER3: c000009a
IO_ERROR: (NTSTATUS) 0xc000009a - <Unable to get error code text>
EXCEPTION_STR: 0xc0000006_c000009a
FAULTING_IP:
+38a2faf00ffdfc0
75b4b3b9 ?? ???
BUGCHECK_STR: 0xF4_IOERR_C000009A
STACK_TEXT:
b984d4fc 805d1ab9 000000f4 00000003 899083b8 nt!KeBugCheckEx+0x1b
b984d520 805d2a1b 805d2970 899083b8 8990852c nt!PspCatchCriticalBreak+0x75
b984d550 a8d37967 89908600 c0000006 b984d604 nt!NtTerminateProcess+0x7d
WARNING: Stack unwind information not available. Following frames may be wrong.
b984d574 8054161c ffffffff c0000006 b984d9b0 klif+0xe967
b984d574 80501151 ffffffff c0000006 b984d9b0 nt!KiFastCallEntry+0xfc
b984d5f4 804fe806 ffffffff c0000006 b984d9f8 nt!ZwTerminateProcess+0x11
b984d9b0 805028bf b984d9d8 00000000 b984dd64 nt!KiDispatchException+0x3a0
b984dd34 80544ee7 006afbe8 006afc08 00000000 nt!KiRaiseException+0x175
b984dd50 8054161c 006afbe8 006afc08 00000000 nt!NtRaiseException+0x33
b984dd50 75b4b3b9 006afbe8 006afc08 00000000 nt!KiFastCallEntry+0xfc
006afff4 00000000 00000000 00000000 00000000 0x75b4b3b9
STACK_COMMAND: kb
FOLLOWUP_IP:
+38a2faf00ffdfc0
75b4b3b9 ?? ???
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: hardware_disk
FAILURE_BUCKET_ID: 0xF4_IOERR_C000009A_IMAGE_hardware_disk
BUCKET_ID: 0xF4_IOERR_C000009A_IMAGE_hardware_disk
Followup: MachineOwner
---------
I forgot to mention: 10-15 minutes before the blue screen appears (the interval is always different), the event log shows
error id 2019, source Srv (unable to allocate memory from the nonpaged pool because it is empty)
and
error id 10000, source DCOM (Unable to start the DCOM server).
So, if it really is Kaspersky, then it has a memory leak: it fills up the nonpaged pool, and everything else is a consequence. Right?
Checking for a leak is hard because the blue screen appears very rarely, but I installed poolmon just in case.
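An added triage script for listings like the one above (example code written for this page, not code from the post, from WinDbg or from any vendor). It pulls the fields that decide the diagnosis out of a pasted `!analyze -v` output, decodes the two NTSTATUS values with names taken from ntstatus.h (0xc0000006 is STATUS_IN_PAGE_ERROR, 0xc000009a is STATUS_INSUFFICIENT_RESOURCES, which is why WinDbg bucketed the crash as IOERR/hardware_disk rather than against a driver), and lists every module in STACK_TEXT so that the single klif frame sitting between nt!NtTerminateProcess and nt!KiFastCallEntry, right after the "Stack unwind information not available" warning, is visible at a glance. The embedded sample is an abbreviated copy of the listing posted above; the NTSTATUS table only covers the codes a practitioner meets in this class of crash.

```python
"""Triage helper for a pasted WinDbg `!analyze -v` listing (added example)."""
import re
from dataclasses import dataclass, field

# NTSTATUS codes relevant to this kind of crash, values as defined in ntstatus.h.
NTSTATUS = {
    0xC0000005: "STATUS_ACCESS_VIOLATION",
    0xC0000006: "STATUS_IN_PAGE_ERROR",
    0xC000009A: "STATUS_INSUFFICIENT_RESOURCES",
    0xC000000E: "STATUS_NO_SUCH_DEVICE",
    0xC0000185: "STATUS_IO_DEVICE_ERROR",
}

FIELD_RE = re.compile(r"^(BUGCHECK_STR|PROCESS_NAME|IMAGE_NAME|EXCEPTION_CODE|IO_ERROR):\s*(\S.*)$")
HEX8_RE = re.compile(r"0x([0-9a-fA-F]{8})")
# x86 `kb` frame layout: ChildEBP RetAddr Args-to-child(3) Symbol
FRAME_RE = re.compile(r"^[0-9a-f]{8}\s+[0-9a-f]{8}(?:\s+[0-9a-f]{8}){3}\s+(\S+)$")


@dataclass
class Triage:
    bugcheck: str = ""
    process: str = ""
    image: str = ""
    exception_code: int = 0
    io_error: int = 0
    frames: list = field(default_factory=list)       # module of each frame, stack order
    third_party: list = field(default_factory=list)  # non-nt modules, deduplicated
    unwind_warning: bool = False                     # frames after the warning may be wrong


def decode_ntstatus(code: int) -> str:
    return NTSTATUS.get(code, f"unknown NTSTATUS 0x{code:08X}")


def module_of(symbol: str) -> str:
    """'nt!KeBugCheckEx+0x1b' -> 'nt'; 'klif+0xe967' -> 'klif'; bare address -> '<no symbol>'."""
    if symbol.startswith("0x"):
        return "<no symbol>"
    return symbol.split("!", 1)[0].split("+", 1)[0]


def parse_analyze(text: str) -> Triage:
    t = Triage()
    in_stack = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = FIELD_RE.match(line)
        if m:
            key, val = m.groups()
            if key == "BUGCHECK_STR":
                t.bugcheck = val
            elif key == "PROCESS_NAME":
                t.process = val
            elif key == "IMAGE_NAME":
                t.image = val
            elif key == "EXCEPTION_CODE":
                t.exception_code = int(HEX8_RE.search(val).group(1), 16)
            elif key == "IO_ERROR":
                t.io_error = int(HEX8_RE.search(val).group(1), 16)
            continue
        if line.startswith("STACK_TEXT:"):
            in_stack = True
            continue
        if not in_stack:
            continue
        if line.startswith("STACK_COMMAND:"):
            in_stack = False
        elif line.startswith("WARNING: Stack unwind"):
            t.unwind_warning = True
        else:
            fm = FRAME_RE.match(line)
            if fm:
                mod = module_of(fm.group(1))
                t.frames.append(mod)
                if mod not in ("nt", "<no symbol>") and mod not in t.third_party:
                    t.third_party.append(mod)
    return t


def summarize(t: Triage) -> list:
    """Verdict lines a human would paste into a ticket."""
    out = [
        f"bugcheck {t.bugcheck}: {t.process} terminated; bucket image {t.image}",
        f"exception {t.exception_code:#010x} = {decode_ntstatus(t.exception_code)}",
        f"I/O status {t.io_error:#010x} = {decode_ntstatus(t.io_error)}",
        f"modules on stack: {' > '.join(t.frames)}",
        f"third-party modules: {', '.join(t.third_party) or 'none'}",
    ]
    if t.unwind_warning:
        out.append("caution: no unwind info for a module on the stack; frames after it may be wrong")
    return out


# Abbreviated copy of the listing posted above (only the lines the parser uses).
SAMPLE = """
BUGCHECK_STR: 0xF4_IOERR_C000009A
PROCESS_NAME: csrss.exe
IMAGE_NAME: hardware_disk
EXCEPTION_CODE: (NTSTATUS) 0xc0000006 - <Unable to get error code text>
IO_ERROR: (NTSTATUS) 0xc000009a - <Unable to get error code text>
STACK_TEXT:
b984d4fc 805d1ab9 000000f4 00000003 899083b8 nt!KeBugCheckEx+0x1b
b984d520 805d2a1b 805d2970 899083b8 8990852c nt!PspCatchCriticalBreak+0x75
b984d550 a8d37967 89908600 c0000006 b984d604 nt!NtTerminateProcess+0x7d
WARNING: Stack unwind information not available. Following frames may be wrong.
b984d574 8054161c ffffffff c0000006 b984d9b0 klif+0xe967
b984d574 80501151 ffffffff c0000006 b984d9b0 nt!KiFastCallEntry+0xfc
b984d5f4 804fe806 ffffffff c0000006 b984d9f8 nt!ZwTerminateProcess+0x11
b984d9b0 805028bf b984d9d8 00000000 b984dd64 nt!KiDispatchException+0x3a0
b984dd34 80544ee7 006afbe8 006afc08 00000000 nt!KiRaiseException+0x175
b984dd50 8054161c 006afbe8 006afc08 00000000 nt!NtRaiseException+0x33
b984dd50 75b4b3b9 006afbe8 006afc08 00000000 nt!KiFastCallEntry+0xfc
006afff4 00000000 00000000 00000000 00000000 0x75b4b3b9
STACK_COMMAND: kb
"""

if __name__ == "__main__":
    for line in summarize(parse_analyze(SAMPLE)):
        print(line)
```

Run it with the full `!analyze -v` text in place of SAMPLE; the decoded I/O status is the detail to compare against the Srv 2019 events, since an in-page read that fails with STATUS_INSUFFICIENT_RESOURCES is a resource failure rather than a bad sector, and a filter driver that appears only on the termination path is not by itself evidence of where the allocation went. That question is what poolmon's per-tag deltas answer.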