蓝屏了，360电脑专家蓝屏修复没分析出原因

显示全部楼层 · 发表于 2013-7-26 22:21:45

蓝屏了，360电脑专家蓝屏修复没分析出原因

求大牛分析

显示全部楼层 · 发表于 2013-7-26 23:50:45

周末了

估计要等等

显示全部楼层 · 发表于 2013-7-27 12:27:56

本帖最后由 xxm2011 于 2013-7-27 12:29 编辑

*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck C2, {7, cd4, 0, 89428e58}
*** WARNING: Unable to verify timestamp for Hookport.sys
*** ERROR: Module load completed but symbols could not be loaded for Hookport.sys
GetUlongFromAddress: unable to read from 80562f50
GetUlongFromAddress: unable to read from 80566d50
Probably caused by : wdmaud.sys ( wdmaud!AudioFreeMemory+5d )
Followup: MachineOwner
---------
1: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
BAD_POOL_CALLER (c2)
The current thread is making a bad pool request. Typically this is at a bad IRQL level or double freeing the same allocation, etc.
Arguments:
Arg1: 00000007, Attempt to free pool which was already freed
Arg2: 00000cd4, (reserved)
Arg3: 00000000, Memory contents of the pool block
Arg4: 89428e58, Address of the block of pool being deallocated
Debugging Details:
------------------
GetUlongFromAddress: unable to read from 80566d50
POOL_ADDRESS: 89428e58
BUGCHECK_STR: 0xc2_7
CUSTOMER_CRASH_COUNT: 1
DEFAULT_BUCKET_ID: DRIVER_FAULT
PROCESS_NAME: QQ.exe
LAST_CONTROL_TRANSFER: from 8054c583 to 804fafa3
STACK_TEXT:
a915ba68 8054c583 000000c2 00000007 00000cd4 nt!KeBugCheckEx+0x1b
a915bab8 a974d4a8 89428e58 00000000 00000000 nt!ExFreePoolWithTag+0x2a3
a915bad0 a9751820 ffffffff a915baf0 00000001 wdmaud!AudioFreeMemory+0x5d
a915baf8 a9750a83 00000092 0000000e 8a9220e8 wdmaud!OpenWavePin+0x3ef
a915bb24 a9750382 8965c1f8 8a9220e8 00000000 wdmaud!Dispatch_OpenPin+0xb7
a915bb4c 804f01f9 00000010 88fc8000 806e8410 wdmaud!SoundDispatch+0x430
a915bb5c 805809a0 8965c28c 8961cac0 8965c1f8 nt!IopfCallDriver+0x31
a915bb70 8058182f 8996cf10 8965c1f8 8961cac0 nt!IopSynchronousServiceTail+0x70
a915bc0c 8057a292 00000d14 00001c64 00000000 nt!IopXxxControlFile+0x5c5
a915bc40 b7ef116d 00000d14 00001c64 00000000 nt!NtDeviceIoControlFile+0x2a
WARNING: Stack unwind information not available. Following frames may be wrong.
a915bd34 805427e8 00000d14 00001c64 00000000 Hookport+0x416d
a915bd34 7c92e514 00000d14 00001c64 00000000 nt!KiSystemServicePostCall
0012d4d0 00000000 00000000 00000000 00000000 0x7c92e514
STACK_COMMAND: kb
FOLLOWUP_IP:
wdmaud!AudioFreeMemory+5d
a974d4a8 5e pop esi
SYMBOL_STACK_INDEX: 2
SYMBOL_NAME: wdmaud!AudioFreeMemory+5d
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: wdmaud
IMAGE_NAME: wdmaud.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 48025c3e
FAILURE_BUCKET_ID: 0xc2_7_wdmaud!AudioFreeMemory+5d
BUCKET_ID: 0xc2_7_wdmaud!AudioFreeMemory+5d
Followup: MachineOwner
---------

复制代码

貌似是声卡驱动。

显示全部楼层 · 发表于 2013-7-27 14:07:51

各位看下我提取的对吗？

Microsoft (R) Windows Debugger Version 6.11.0001.404 X86
Copyright (c) Microsoft Corporation. All rights reserved.

Loading Dump File [C:\Users\Administrator\Desktop\Mini072613-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: *** Invalid ***
****************************************************************************
* Symbol loading may be unreliable without a symbol search path.          *
* Use .symfix to have the debugger choose a symbol path.                *
* After setting your symbol path, use .reload to refresh symbol locations. *
****************************************************************************
Executable search path is:
*********************************************************************
* Symbols can not be loaded because symbol path is not initialized. *
*                                                                *
* The Symbol Path can be set by:                                  *
* using the _NT_SYMBOL_PATH environment variable.                *
* using the -y <symbol_path> argument when starting the debugger. *
* using .sympath and .sympath+                                  *
*********************************************************************
Unable to load image ntoskrnl.exe, Win32 error 0n2
*** WARNING: Unable to verify timestamp for ntoskrnl.exe
*** ERROR: Module load completed but symbols could not be loaded for ntoskrnl.exe
Windows XP Kernel Version 2600 (Service Pack 3) MP (2 procs) Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Machine Name:
Kernel base = 0x804d8000 PsLoadedModuleList = 0x8055e720
Debug session time: Fri Jul 26 22:17:12.140 2013 (GMT+8)
System Uptime: 0 days 3:11:26.836
*********************************************************************
* Symbols can not be loaded because symbol path is not initialized. *
*                                                                *
* The Symbol Path can be set by:                                  *
* using the _NT_SYMBOL_PATH environment variable.                *
* using the -y <symbol_path> argument when starting the debugger. *
* using .sympath and .sympath+                                  *
*********************************************************************
Unable to load image ntoskrnl.exe, Win32 error 0n2
*** WARNING: Unable to verify timestamp for ntoskrnl.exe
*** ERROR: Module load completed but symbols could not be loaded for ntoskrnl.exe
Loading Kernel Symbols
...............................................................
................................................................
....
Loading User Symbols
Loading unloaded module list
........................
*******************************************************************************
*                                                                            *
*                      Bugcheck Analysis                                  *
*                                                                            *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck C2, {7, cd4, 0, 89428e58}

***** Kernel symbols are WRONG. Please fix symbols to do analysis.

*** WARNING: Unable to verify timestamp for wdmaud.sys
*** ERROR: Module load completed but symbols could not be loaded for wdmaud.sys
*** WARNING: Unable to verify timestamp for Hookport.sys
*** ERROR: Module load completed but symbols could not be loaded for Hookport.sys
*************************************************************************
***                                                                ***
***                                                                ***
*** Your debugger is not using the correct symbols                ***
***                                                                ***
*** In order for this command to work properly, your symbol path ***
*** must point to .pdb files that have full type information.    ***
***                                                                ***
*** Certain .pdb files (such as the public OS symbols) do not    ***
*** contain the required information.  Contact the group that    ***
*** provided you with these symbols if you need this command to ***
*** work.                                                       ***
***                                                                ***
*** Type referenced: nt!PVOID                                     ***
***                                                                ***
*************************************************************************
unable to get nt!MmSpecialPoolStart
unable to get nt!MmSpecialPoolEnd
*************************************************************************
***                                                                ***
***                                                                ***
*** Your debugger is not using the correct symbols                ***
***                                                                ***
*** In order for this command to work properly, your symbol path ***
*** must point to .pdb files that have full type information.    ***
***                                                                ***
*** Certain .pdb files (such as the public OS symbols) do not    ***
*** contain the required information.  Contact the group that    ***
*** provided you with these symbols if you need this command to ***
*** work.                                                       ***
***                                                                ***
*** Type referenced: nt!_POOL_HEADER                            ***
***                                                                ***
*************************************************************************
unable to get nt!MmPoolCodeStart
unable to get nt!MmPoolCodeEnd
*************************************************************************
***                                                                ***
***                                                                ***
*** Your debugger is not using the correct symbols                ***
***                                                                ***
*** In order for this command to work properly, your symbol path ***
*** must point to .pdb files that have full type information.    ***
***                                                                ***
*** Certain .pdb files (such as the public OS symbols) do not    ***
*** contain the required information.  Contact the group that    ***
*** provided you with these symbols if you need this command to ***
*** work.                                                       ***
***                                                                ***
*** Type referenced: nt!_POOL_HEADER                            ***
***                                                                ***
*************************************************************************
*************************************************************************
***                                                                ***
***                                                                ***
*** Your debugger is not using the correct symbols                ***
***                                                                ***
*** In order for this command to work properly, your symbol path ***
*** must point to .pdb files that have full type information.    ***
***                                                                ***
*** Certain .pdb files (such as the public OS symbols) do not    ***
*** contain the required information.  Contact the group that    ***
*** provided you with these symbols if you need this command to ***
*** work.                                                       ***
***                                                                ***
*** Type referenced: nt!_POOL_TRACKER_BIG_PAGES                   ***
***                                                                ***
*************************************************************************
Cannot get _POOL_TRACKER_BIG_PAGES type size
*************************************************************************
***                                                                ***
***                                                                ***
*** Your debugger is not using the correct symbols                ***
***                                                                ***
*** In order for this command to work properly, your symbol path ***
*** must point to .pdb files that have full type information.    ***
***                                                                ***
*** Certain .pdb files (such as the public OS symbols) do not    ***
*** contain the required information.  Contact the group that    ***
*** provided you with these symbols if you need this command to ***
*** work.                                                       ***
***                                                                ***
*** Type referenced: nt!_KPRCB                                  ***
***                                                                ***
*************************************************************************
*************************************************************************
***                                                                ***
***                                                                ***
*** Your debugger is not using the correct symbols                ***
***                                                                ***
*** In order for this command to work properly, your symbol path ***
*** must point to .pdb files that have full type information.    ***
***                                                                ***
*** Certain .pdb files (such as the public OS symbols) do not    ***
*** contain the required information.  Contact the group that    ***
*** provided you with these symbols if you need this command to ***
*** work.                                                       ***
***                                                                ***
*** Type referenced: nt!_KPRCB                                  ***
***                                                                ***
*************************************************************************
*********************************************************************
* Symbols can not be loaded because symbol path is not initialized. *
*                                                                *
* The Symbol Path can be set by:                                  *
* using the _NT_SYMBOL_PATH environment variable.                *
* using the -y <symbol_path> argument when starting the debugger. *
* using .sympath and .sympath+                                  *
*********************************************************************
*********************************************************************
* Symbols can not be loaded because symbol path is not initialized. *
*                                                                *
* The Symbol Path can be set by:                                  *
* using the _NT_SYMBOL_PATH environment variable.                *
* using the -y <symbol_path> argument when starting the debugger. *
* using .sympath and .sympath+                                  *
*********************************************************************
Probably caused by : wdmaud.sys ( wdmaud+4a8 )

Followup: MachineOwner
---------

1: kd>
1: kd>
1: kd>
1: kd>

显示全部楼层 · 发表于 2013-7-27 14:47:25

内存破坏，从DUMP 上看不到原因。

如果总是发生的话，可以开一下驱动校验器看看。

显示全部楼层 · 发表于 2013-7-27 14:55:24

本帖最后由 ssama 于 2013-7-28 15:25 编辑

Hookport.sys+f126ed34
0xb7eed000 0xb7efd780 0x00010780 0x51c94b14
ntoskrnl.exe+22fa3
0x804d8000 0x806e6000 0x0020e000 0x518306ed
wdmaud.sys+42e8
0xa974d000 0xa9761480 0x00014480 0x48025c3e

显示全部楼层 · 发表于 2013-7-27 21:26:45

ssama 发表于 2013-7-27 14:55
Hookport.sys+f126ed34
0xb7eed000 0xb7efd780 0x00010780 0x51c94b14
ntoskrnl.exe+22fa3

冤枉360了

显示全部楼层 · 发表于 2013-7-28 00:47:28

ssama 发表于 2013-7-27 14:55
Hookport.sys+f126ed34
0xb7eed000 0xb7efd780 0x00010780 0x51c94b14
ntoskrnl.exe+22fa3

半瓶醋看不懂DUMP，你就别说什么冲突了，就你这样还吐槽？

显示全部楼层 · 发表于 2013-7-28 09:55:22

淡淡玉发表于 2013-7-27 21:26
冤枉360了

玉哥，你看我4楼提取的对吗？怎么和3楼的不一样？提取用的软件不一样吗？还是同样的软件选择的地方不同？

显示全部楼层 · 发表于 2013-7-28 11:23:53

沧桑浪子发表于 2013-7-28 09:55
玉哥，你看我4楼提取的对吗？怎么和3楼的不一样？提取用的软件不一样吗？还是同样的软件选择的地方不同？

因为你没配置符号

[求助] 蓝屏了，360电脑专家蓝屏修复没分析出原因

本帖子中包含更多资源