Win7X64旗舰版蓝屏，求帮忙看看是什么原因

显示全部楼层 · 发表于 2019-7-29 15:52:09

公司同事的电脑win7X64系统，偶尔打开软件时会蓝屏，我虽然用windbg、BlueScreenView看了一下日志，但还是不知道具体问题出在哪里，大佬指导一下吧！！！

蓝屏详细信息：
A problem has been detected and Windows has been shut down to prevent damage
to your computer.

The problem seems to be caused by the following file: ntoskrnl.exe

APC_INDEX_MISMATCH

If this is the first time you've seen this stop error screen,
restart your computer. If this screen appears again, follow
these steps:

Check to make sure any new hardware or software is properly installed.
If this is a new installation, ask your hardware or software manufacturer
for any Windows updates you might need.

If problems continue, disable or remove any newly installed hardware
or software. Disable BIOS memory options such as caching or shadowing.
If you need to use safe mode to remove or disable components, restart
your computer, press F8 to select Advanced Startup Options, and then
select Safe Mode.

Technical Information:

*** STOP: 0x00000001 (0xfffff8000432ed06, 0x0000000000000000, 0x000000000000ffff,
0x0000000000000000)

*** ntoskrnl.exe - Address 0xfffff800040e6ca0 base at 0xfffff80004053000 DateStamp
0x5d010ddc

windbg看的：

Loading Dump File [D:\新建文件夹\072619-7831-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: srv*
Executable search path is:
Unable to load image \SystemRoot\system32\ntoskrnl.exe, Win32 error 0n2
*** WARNING: Unable to verify timestamp for ntoskrnl.exe
*** ERROR: Module load completed but symbols could not be loaded for ntoskrnl.exe
Windows 7 Kernel Version 7601 (Service Pack 1) MP (4 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 7601.24499.amd64fre.win7sp1_ldr.190612-0600
Machine Name:
Kernel base = 0xfffff800`04053000 PsLoadedModuleList = 0xfffff800`0428cc90
Debug session time: Fri Jul 26 16:24:29.053 2019 (UTC + 8:00)
System Uptime: 0 days 8:00:17.286
Unable to load image \SystemRoot\system32\ntoskrnl.exe, Win32 error 0n2
*** WARNING: Unable to verify timestamp for ntoskrnl.exe
*** ERROR: Module load completed but symbols could not be loaded for ntoskrnl.exe
Loading Kernel Symbols
...............................................................
................................................................
....................................
Loading User Symbols
Loading unloaded module list
.......

************* Symbol Loading Error Summary **************
Module name          Error
ntoskrnl             The system cannot find the file specified

You can troubleshoot most symbol related issues by turning on symbol loading diagnostics (!sym noisy) and repeating the command that caused symbols to be loaded.
You should also verify that your symbol search path (.sympath) is correct.
Unable to add extension DLL: kdexts
Unable to add extension DLL: kext
Unable to add extension DLL: exts
The call to LoadLibrary(ext) failed, Win32 error 0n2
"系统找不到指定的文件。"
Please check your debugger configuration and/or network access.
The call to LoadLibrary(ext) failed, Win32 error 0n2
"系统找不到指定的文件。"
Please check your debugger configuration and/or network access.
*******************************************************************************
*                                                                            *
*                      Bugcheck Analysis                                  *
*                                                                            *
*******************************************************************************
Bugcheck code 00000001
Arguments fffff800`0432ed06 00000000`00000000 00000000`0000ffff 00000000`00000000

# RetAddr          : Args to Child                                                          : Call Site
00 fffff800`040e9d5b : 00000000`00000001 fffff800`0432ed06 00000000`00000000 00000000`0000ffff : nt+0x93ca0
01 00000000`00000001 : fffff800`0432ed06 00000000`00000000 00000000`0000ffff 00000000`00000000 : nt+0x96d5b
02 fffff800`0432ed06 : 00000000`00000000 00000000`0000ffff 00000000`00000000 00000000`00001605 : 0x1
03 00000000`00000000 : 00000000`0000ffff 00000000`00000000 00000000`00001605 00000000`00000000 : nt+0x2dbd06

显示全部楼层 · 发表于 2019-7-29 16:14:31

本帖最后由 nmyh 于 2019-7-29 16:22 编辑

我用的最新版windbg，跟你的分析内容有些不一样，部份内容为：

For analysis of this file, run !analyze -v
3: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
APC_INDEX_MISMATCH (1)
This is a kernel internal error. The most common reason to see this
bugcheck is when a filesystem or a driver has a mismatched number of
calls to disable and re-enable APCs. The key data item is the
Thread->CombinedApcDisable field. This consists of two separate 16-bit
fields, the SpecialApcDisable and the KernelApcDisable. A negative value
of either indicates that a driver has disabled special or normal APCs
(respectively) without re-enabling them; a positive value indicates that
a driver has enabled special or normal APCs (respectively) too many times.
Arguments:
Arg1: fffff8000432ed06, Address of system call function or worker routine
Arg2: 0000000000000000, Thread->ApcStateIndex
Arg3: 000000000000ffff, (Thread->SpecialApcDisable << 16) | Thread->KernelApcDisable
Arg4: 0000000000000000, Call type (0 - system call, 1 - worker routine)
Debugging Details:
------------------
*** WARNING: Unable to verify timestamp for 360Box64.sys
GetUlongPtrFromAddress: unable to read from fffff800042f0300
KEY_VALUES_STRING: 1

复制代码

前面的分析内容我也不清楚说的啥，只看到了“360Box64.sys”的警告内容。

官方最新版windbg获取地址：https://developer.microsoft.com/ ... oads/windows-10-sdk
把下载的iso文件解压出来，里面有两个30M左右的“X64 Debuggers And Tools-x64_en-us.msi”、“X86 Debuggers And Tools-x86_en-us.msi”安装包，安装完找到windbg.exe运行就可以了。

显示全部楼层 · 发表于 2019-7-30 18:05:58

大概率跟360Box64有关系，造成蓝屏的调用是nt!KeUserModeCallback+0xe6这个，而触发它的操作是360Box64的。

显示全部楼层 · 发表于 2019-7-30 18:08:45

nmyh 发表于 2019-7-29 16:14
我用的最新版windbg，跟你的分析内容有些不一样，部份内容为：前面的分析内容我也不清楚说的啥，只看到了“ ...

这个Warning：Uable to verify timestamp没有什么特别意义，只是你本地即没有pdb也没有这个驱动文件导致的。

显示全部楼层 · 发表于 2019-7-30 18:52:53

蜀黍冷发表于 2019-7-30 18:08
这个Warning：Uable to verify timestamp没有什么特别意义，只是你本地即没有pdb也没有这个驱动文件导致 ...

你是看的这三行内容？

FAILURE_BUCKET_ID: X64_0x1_SysCallNum_11d4_nt!KeUserModeCallback+e6
BUCKET_ID: X64_0x1_SysCallNum_11d4_nt!KeUserModeCallback+e6
PRIMARY_PROBLEM_CLASS: X64_0x1_SysCallNum_11d4_nt!KeUserModeCallback+e6

复制代码

然后在STACK_TEXT下查询“nt!KeUserModeCallback+0xe6”，在其位置下一行就是“360Box64+0x26bad”，这里的“bad”就说明是“360Box64”的问题了？

显示全部楼层 · 发表于 2019-7-31 08:39:52

nmyh 发表于 2019-7-30 18:52
你是看的这三行内容？
然后在STACK_TEXT下查询“nt!KeUserModeCallback+0xe6”，在其位置下一行就是“36 ...

额，不不不。0x26bad是一个整体，是偏移，16进制的数字而已，纯粹的巧合。就是说这个执行的是360Box64的偏移0x26bad处的指令。但是因为我们也不会有360Box64这个的符号文件，无法显示出具体的指令，只能定位到偏移。

显示全部楼层 · 发表于 2019-7-31 09:37:22

蜀黍冷发表于 2019-7-31 08:39
额，不不不。0x26bad是一个整体，是偏移，16进制的数字而已，纯粹的巧合。就是说这个执行的是360Box64的 ...

哦，虽然完全不懂还是谢谢你了

显示全部楼层 · 发表于 2019-7-31 16:13:17

nmyh 发表于 2019-7-31 09:37
哦，虽然完全不懂还是谢谢你了

现在系统是Win10 1803教育版原版，下载安装了1803、1903的SDK，打开蓝屏日志都提示如图内容是怎么回事呢？

显示全部楼层 · 发表于 2019-7-31 19:03:40

蜀黍冷发表于 2019-7-31 08:39
额，不不不。0x26bad是一个整体，是偏移，16进制的数字而已，纯粹的巧合。就是说这个执行的是360Box64的 ...

如果是ntoskrnl.exe - Address 0xfffff800040e6ca0 base at 0xfffff80004053000 DateStamp
0x5d010ddc 引起的蓝屏，又和什么有关呢？

显示全部楼层 · 发表于 2019-7-31 19:18:09

到俺碗里来发表于 2019-7-31 16:13
现在系统是Win10 1803教育版原版，下载安装了1803、1903的SDK，打开蓝屏日志都提示如图内容是怎么回事呢 ...

只管等待，第一次运行会久一些，另外还需要联网哦
出现“For analysis of this file, run !analyze -v”就直接点击“!analyze -v”链接，会自动进行分析。
当显示了“Followup: MachineOwner ---------”就表示分析完了，可以全选复制到记事本里面。

[系统] Win7X64旗舰版蓝屏，求帮忙看看是什么原因

本帖子中包含更多资源

本帖子中包含更多资源

本帖子中包含更多资源

[系统] Win7X64旗舰版 蓝屏，求帮忙看看是什么原因

本帖子中包含更多资源

本帖子中包含更多资源

本帖子中包含更多资源

[系统] Win7X64旗舰版蓝屏，求帮忙看看是什么原因