XP3，蓝屏，附蓝屏文件，求分析，求解决

显示全部楼层 · 发表于 2013-9-27 13:29:46

本帖最后由卡朗于 2013-9-27 15:35 编辑

蓝屏文件：http://pan.baidu.com/s/1HXrh

==================================

这个是用WinDbg分析DMP蓝屏文件的结果。

Microsoft (R) Windows Debugger Version 6.11.0001.402 X86
Copyright (c) Microsoft Corporation. All rights reserved.

Loading Dump File [D:\软件\蓝屏信息查看诊断\MEMORY.DMP]
Kernel Summary Dump File: Only kernel address space is available

Symbol search path is: *** Invalid ***
****************************************************************************
* Symbol loading may be unreliable without a symbol search path.          *
* Use .symfix to have the debugger choose a symbol path.                *
* After setting your symbol path, use .reload to refresh symbol locations. *
****************************************************************************
Executable search path is:
*********************************************************************
* Symbols can not be loaded because symbol path is not initialized. *
*                                                                *
* The Symbol Path can be set by:                                  *
* using the _NT_SYMBOL_PATH environment variable.                *
* using the -y <symbol_path> argument when starting the debugger. *
* using .sympath and .sympath+                                  *
*********************************************************************
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for ntkrpamp.exe -
Windows XP Kernel Version 2600 (Service Pack 3) MP (4 procs) Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 2600.xpsp_sp3_qfe.130704-0421
Machine Name:
Kernel base = 0x804d8000 PsLoadedModuleList = 0x8055e720
Debug session time: Fri Sep 27 12:06:03.234 2013 (GMT+8)
System Uptime: 0 days 0:00:14.765
*********************************************************************
* Symbols can not be loaded because symbol path is not initialized. *
*                                                                *
* The Symbol Path can be set by:                                  *
* using the _NT_SYMBOL_PATH environment variable.                *
* using the -y <symbol_path> argument when starting the debugger. *
* using .sympath and .sympath+                                  *
*********************************************************************
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for ntkrpamp.exe -
Loading Kernel Symbols
...............................................................
.....................................................
Loading User Symbols
PEB is paged out (Peb.Ldr = 7ffd800c).  Type ".hh dbgerr001" for details
Loading unloaded module list
......
*******************************************************************************
*                                                                            *
*                      Bugcheck Analysis                                  *
*                                                                            *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 8E, {c0000005, 8054c96b, b9b27b88, 0}

***** Kernel symbols are WRONG. Please fix symbols to do analysis.

*************************************************************************
***                                                                ***
***                                                                ***
*** Your debugger is not using the correct symbols                ***
***                                                                ***
*** In order for this command to work properly, your symbol path ***
*** must point to .pdb files that have full type information.    ***
***                                                                ***
*** Certain .pdb files (such as the public OS symbols) do not    ***
*** contain the required information.  Contact the group that    ***
*** provided you with these symbols if you need this command to ***
*** work.                                                       ***
***                                                                ***
*** Type referenced: nt!_KPRCB                                  ***
***                                                                ***
*************************************************************************
*************************************************************************
***                                                                ***
***                                                                ***
*** Your debugger is not using the correct symbols                ***
***                                                                ***
*** In order for this command to work properly, your symbol path ***
*** must point to .pdb files that have full type information.    ***
***                                                                ***
*** Certain .pdb files (such as the public OS symbols) do not    ***
*** contain the required information.  Contact the group that    ***
*** provided you with these symbols if you need this command to ***
*** work.                                                       ***
***                                                                ***
*** Type referenced: nt!KPRCB                                     ***
***                                                                ***
*************************************************************************
*************************************************************************
***                                                                ***
***                                                                ***
*** Your debugger is not using the correct symbols                ***
***                                                                ***
*** In order for this command to work properly, your symbol path ***
*** must point to .pdb files that have full type information.    ***
***                                                                ***
*** Certain .pdb files (such as the public OS symbols) do not    ***
*** contain the required information.  Contact the group that    ***
*** provided you with these symbols if you need this command to ***
*** work.                                                       ***
***                                                                ***
*** Type referenced: nt!_KPRCB                                  ***
***                                                                ***
*************************************************************************
*************************************************************************
***                                                                ***
***                                                                ***
*** Your debugger is not using the correct symbols                ***
***                                                                ***
*** In order for this command to work properly, your symbol path ***
*** must point to .pdb files that have full type information.    ***
***                                                                ***
*** Certain .pdb files (such as the public OS symbols) do not    ***
*** contain the required information.  Contact the group that    ***
*** provided you with these symbols if you need this command to ***
*** work.                                                       ***
***                                                                ***
*** Type referenced: nt!KPRCB                                     ***
***                                                                ***
*************************************************************************
*************************************************************************
***                                                                ***
***                                                                ***
*** Your debugger is not using the correct symbols                ***
***                                                                ***
*** In order for this command to work properly, your symbol path ***
*** must point to .pdb files that have full type information.    ***
***                                                                ***
*** Certain .pdb files (such as the public OS symbols) do not    ***
*** contain the required information.  Contact the group that    ***
*** provided you with these symbols if you need this command to ***
*** work.                                                       ***
***                                                                ***
*** Type referenced: nt!_KPRCB                                  ***
***                                                                ***
*************************************************************************
*************************************************************************
***                                                                ***
***                                                                ***
*** Your debugger is not using the correct symbols                ***
***                                                                ***
*** In order for this command to work properly, your symbol path ***
*** must point to .pdb files that have full type information.    ***
***                                                                ***
*** Certain .pdb files (such as the public OS symbols) do not    ***
*** contain the required information.  Contact the group that    ***
*** provided you with these symbols if you need this command to ***
*** work.                                                       ***
***                                                                ***
*** Type referenced: nt!_KPRCB                                  ***
***                                                                ***
*************************************************************************
*************************************************************************
***                                                                ***
***                                                                ***
*** Your debugger is not using the correct symbols                ***
***                                                                ***
*** In order for this command to work properly, your symbol path ***
*** must point to .pdb files that have full type information.    ***
***                                                                ***
*** Certain .pdb files (such as the public OS symbols) do not    ***
*** contain the required information.  Contact the group that    ***
*** provided you with these symbols if you need this command to ***
*** work.                                                       ***
***                                                                ***
*** Type referenced: nt!_KPRCB                                  ***
***                                                                ***
*************************************************************************
*********************************************************************
* Symbols can not be loaded because symbol path is not initialized. *
*                                                                *
* The Symbol Path can be set by:                                  *
* using the _NT_SYMBOL_PATH environment variable.                *
* using the -y <symbol_path> argument when starting the debugger. *
* using .sympath and .sympath+                                  *
*********************************************************************
*********************************************************************
* Symbols can not be loaded because symbol path is not initialized. *
*                                                                *
* The Symbol Path can be set by:                                  *
* using the _NT_SYMBOL_PATH environment variable.                *
* using the -y <symbol_path> argument when starting the debugger. *
* using .sympath and .sympath+                                  *
*********************************************************************
Probably caused by : ntkrpamp.exe ( nt!ExAllocatePoolWithTag+3 )

Followup: MachineOwner
---------

用蓝屏文件查看工具得到的信息：

ntkrnlpa.exe的哈希值

文件: C:\WINDOWS\system32\ntkrnlpa.exe
大小: 2028032 字节
文件版本: 5.1.2600.6419 (xpsp_sp3_qfe.130704-0421)
修改时间: 2013年7月4日, 下午 3:33:55
MD5: 277194E8946C875DFA31C9F8BFF6DB65
SHA1: 148B789E5ECE9DC0251E62EBBC11582322BB2149
CRC32: E44FB6CB

系统信息：

补丁已打全：

昨天晚上关机时有一个现象，就是AsSysCtrlService.exe这个程序在关机时弹出一个对话框，说了一大堆内容，说什么调试、终止的，给出两个按钮，要么“确定”，要么“取消”。然后今天就蓝屏了。刚刚关机时也有出现这个对话框。

显示全部楼层 · 发表于 2013-9-27 13:42:51

我刚安装完系统时，曾安装过360安全卫士进行系统优化，优化完后已经卸载了。

刚刚查看了Program Files文件夹，发现居然有一个360的空文件夹，记得明明当时卸载时已经没了，为什么刚刚发现还有的，现在又把这个空文件夹删了。

显示全部楼层 · 发表于 2013-9-27 14:32:55

只看到一堆驱动对内核的回调然后就中断了……
我更加纳闷是否偶尔一次蓝屏~~你现在都能开机来截图了按道理应该是没什么大问题了

显示全部楼层 · 发表于 2013-9-27 15:11:22

已查看，你的windbg没有加symbol，啥都看不到
我初略分析了下
蓝屏所在进程是MPSVC2.exe 微点主动防御软件的必要进程程序
崩溃点是nt!ExAllocatePoolWithTag+3，应该是微点的bug，升级一下吧或者回复旧版本

显示全部楼层 · 发表于 2013-9-27 15:17:59

本帖最后由卡朗于 2013-9-27 15:19 编辑

virus_kf 发表于 2013-9-27 15:11
已查看，你的windbg没有加symbol，啥都看不到
我初略分析了下
蓝屏所在进程是MPSVC2.exe 微点主动防御软 ...

symbol是什么？加了与不加有什么不同？

XP SP3，微点应该对这个系统兼容得很好才对的吧。

昨天晚上关机时有一个现象，就是AsSysCtrlService.exe这个程序在关机时弹出一个对话框，说了一大堆内容，给出两个按钮，要么“调试”，要么“终止”。然后今天就蓝屏了。刚刚关机时也有出现这个对话框。

显示全部楼层 · 发表于 2013-9-27 15:25:43

symbol是符号文件，包含了系统dll的符号，调试更方便
查了下AsSysCtrlService.exe， http://www.wenjian.cn/xijie/assysctrlservice.exe.html，不知道原因
可否截图看看

很常见的弹框错误时，内存溢出等等，那个连接说这个不是系统文件，可以卸载

显示全部楼层 · 发表于 2013-9-27 15:35:10

virus_kf 发表于 2013-9-27 15:25
symbol是符号文件，包含了系统dll的符号，调试更方便
查了下AsSysCtrlService.exe， http://www.wenjian.c ...

这个截不了图，那个对话框是在点了关机后，XP退出桌面，进入关机程序显示”正在注销“那些界面时才弹出的。

好像那个对话框说是内存不能read，记不清楚了，当时我是点了确定的。

当时安装完系统，我用360安全卫士禁止了一些进程的启动，觉得应该用不着。不知道跟这个有没有关系？那个360安全卫士用来优化系统后就删了。

显示全部楼层 · 发表于 2013-9-27 15:43:49

那就是内存访问违例了
应该没啥关系，360禁用这个还是可以的，一般不出啥问题
你现在能找到AsSysCtrlService.exe，直接卸载试试

显示全部楼层 · 发表于 2013-9-27 15:54:44

virus_kf 发表于 2013-9-27 15:43
那就是内存访问违例了
应该没啥关系，360禁用这个还是可以的，一般不出啥问题
你现在能找到AsSysCtrlServ ...

不是360主动禁用的，是我看到360扫描过后，看到有好像有90%以上的人禁止启动，那就把它禁用了，360提供的这个百分比是不是真的？

内存访问违例的产生是什么原因？属于什么问题？？

显示全部楼层 · 发表于 2013-9-27 16:02:22

是的，我知道禁用那个意思，一般都是真的，你知道360会收集用户数据的

内存访问违例，一般就是程序bug，访问字符串或者数据组之类的越界，访问了不可以用内存

[系统] XP3，蓝屏，附蓝屏文件，求分析，求解决

本帖子中包含更多资源