Dear ALL:
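My Win7 machine just blue-screened for no apparent reason.
After rebooting I installed WinDbg and found the dump. The analysis shows the process as dwm.exe, followed by an error in the lnsfw.sys driver. lnsfw is the driver of the look n stop firewall. As for how dwm.exe comes into conflict with the LNS firewall, I can't work it out, so I'm asking the experts here to help analyze it. The code is as follows: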
————————————————————————————
Microsoft (R) Windows Debugger Version 6.12.0002.633 X86
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [C:\090712-17019-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available
WARNING: Inaccessible path: 'C:\MyCodesSymbols'
WARNING: Whitespace at start of path element
Symbol search path is: C:\MyCodesSymbols; SRV*C:\MyLocalSymbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows 7 Kernel Version 7600 MP (4 procs) Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 7600.16385.x86fre.win7_rtm.090713-1255
Machine Name:
Kernel base = 0x84400000 PsLoadedModuleList = 0x84548810
Debug session time: Fri Sep 7 10:18:04.617 2012 (UTC + 8:00)
System Uptime: 0 days 18:47:57.944
Loading Kernel Symbols
...............................................................
................................................................
.............................
Loading User Symbols
Loading unloaded module list
...................
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck D1, {8078b17a, 2, 0, 94212dee}
Unable to load image \SystemRoot\system32\DRIVERS\lnsfw.sys, Win32 error 0n2
*** WARNING: Unable to verify timestamp for lnsfw.sys
*** ERROR: Module load completed but symbols could not be loaded for lnsfw.sys
Probably caused by : lnsfw.sys ( lnsfw+5dee )
Followup: MachineOwner
---------
0: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: 8078b17a, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000000, value 0 = read operation, 1 = write operation
Arg4: 94212dee, address which referenced memory
Debugging Details:
------------------
READ_ADDRESS: GetPointerFromAddress: unable to read from 84568718
Unable to read MiSystemVaType memory at 84548160
8078b17a
CURRENT_IRQL: 2
FAULTING_IP:
lnsfw+5dee
94212dee 0fb611 movzx edx,byte ptr [ecx]
CUSTOMER_CRASH_COUNT: 1
DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT
BUGCHECK_STR: 0xD1
PROCESS_NAME: dwm.exe
TRAP_FRAME: 8078a3ac -- (.trap 0xffffffff8078a3ac)
ErrCode = 00000000
eax=00000000 ebx=00000000 ecx=8078b17a edx=888200ec esi=8829821e edi=8078a516
eip=94212dee esp=8078a420 ebp=8078a428 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010246
lnsfw+0x5dee:
94212dee 0fb611 movzx edx,byte ptr [ecx] ds:0023:8078b17a=??
Resetting default scope
LAST_CONTROL_TRANSFER: from 94212dee to 844467eb
STACK_TEXT:
8078a3ac 94212dee badb0d00 888200ec 8078a474 nt!KiTrap0E+0x2cf
WARNING: Stack unwind information not available. Following frames may be wrong.
8078a428 94213457 888200dc 888200ec 8078b17a lnsfw+0x5dee
8078a470 9420ff9f 888200b0 8078a4ec 0000000e lnsfw+0x6457
8078ab14 8d582487 88820000 87d2aca4 00000082 lnsfw+0x2f9f
8078ab40 8d58230a 8078ab60 8078ab60 00000000 ndis!ndisMSendPacketsXToMiniport+0xe4
8078aba8 8d51a474 882420e0 89f75b00 00000000 ndis!ndisMSendNetBufferListsToPackets+0x84
8078abd4 8d57ed8c 882420e0 89f75b00 00000000 ndis!ndisSendNBLToFilter+0xf2
8078ac04 8d9059e9 871fb008 89f75b00 00000000 ndis!NdisSendNetBufferLists+0x162
8078ac4c 8d9055a7 8745c708 00000000 00000806 tcpip!FlpSendPacketsHelper+0x3f6
8078ac88 8d9055d0 89f75b00 887fe034 899050b0 tcpip!Fl48pSendArpPacket+0x116
8078aca8 8d905eb7 8078acbc 89905020 8078ad24 tcpip!Fl48SendNeighborSolicitation+0x1d
8078acd0 8d90530b 00000001 872024a0 874ffc20 tcpip!Ipv4pSendNeighborSolicitation+0x67
8078ad04 8d91c6af 00000001 8d983d98 887fd0a4 tcpip!IppSendNeighborSolicitation+0x5c
8078ada4 8d91f466 8078ad4c 00000000 8d9864ac tcpip!IppNeighborSetTimeout+0x18a
8078adc4 8d91ee91 87de97c0 8452c500 8452c500 tcpip!Ipv4pInterfaceSetTimeout+0xa1
8078adf0 8d91e952 8d983d98 00000000 8078ae4c tcpip!IppCompartmentSetTimeout+0x8a
8078ae00 8d91e928 8d983d98 8446a04d 8d994b00 tcpip!IppProtocolTimeout+0xf
8078ae08 8446a04d 8d994b00 00000000 034545ab tcpip!IppTimeout+0x3c
8078ae4c 84469ff1 84529d20 8078af78 00000001 nt!KiProcessTimerDpcTable+0x50
8078af38 84469eae 84529d20 8078af78 00000000 nt!KiProcessExpiredTimerList+0x101
8078afac 8446820e 0042327d a2c2fd34 00000000 nt!KiTimerExpiration+0x25c
8078aff4 844679dc a2c2fce4 00000000 00000000 nt!KiRetireDpcList+0xcb
8078aff8 a2c2fce4 00000000 00000000 00000000 nt!KiDispatchInterrupt+0x2c
844679dc 00000000 0000001a 00d6850f bb830000 0xa2c2fce4
STACK_COMMAND: kb
FOLLOWUP_IP:
lnsfw+5dee
94212dee 0fb611 movzx edx,byte ptr [ecx]
SYMBOL_STACK_INDEX: 1
SYMBOL_NAME: lnsfw+5dee
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: lnsfw
IMAGE_NAME: lnsfw.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 4ac71763
FAILURE_BUCKET_ID: 0xD1_lnsfw+5dee
BUCKET_ID: 0xD1_lnsfw+5dee
Followup: MachineOwner
---------