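The most recent shutdown did not even produce a memory dump file, so I can only provide the previous MEMORY.DMP.
Below is the WinDbg analysis; please help me see where the problem is: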
Mini Kernel Dump File: Only registers and stack trace are available
Invalid directory table base value 0x0
Symbol search path is: srv*
Executable search path is:
Unable to load image Unknown_Module_00000000`00000000, Win32 error 0n2
*** WARNING: Unable to verify timestamp for Unknown_Module_00000000`00000000
*** ERROR: Module load completed but symbols could not be loaded for Unknown_Module_00000000`00000000
Unable to add module at 00000000`00000000
WARNING: .reload failed, module list may be incomplete
Debugger can not determine kernel base address
Windows 10 Kernel Version 14393 MP (8 procs) Free x64
Product: Server, suite: TerminalServer SingleUserTS
Edition build lab: 14393.6451.amd64fre.rs1_release.231103-1737
Machine Name:
Kernel base = 0xfffff800`bbc11000 PsLoadedModuleList = 0xfffff800`bbf16cb0
Debug session time: Wed Dec 13 09:53:08.728 2023 (UTC + 8:00)
System Uptime: 27 days 15:45:09.661
Unable to load image Unknown_Module_00000000`00000000, Win32 error 0n2
*** WARNING: Unable to verify timestamp for Unknown_Module_00000000`00000000
*** ERROR: Module load completed but symbols could not be loaded for Unknown_Module_00000000`00000000
Unable to add module at 00000000`00000000
WARNING: .reload failed, module list may be incomplete
Debugger can not determine kernel base address
Loading Kernel Symbols
.Unable to load image Unknown_Module_00000000`00000000, Win32 error 0n2
*** WARNING: Unable to verify timestamp for Unknown_Module_00000000`00000000
*** ERROR: Module load completed but symbols could not be loaded for Unknown_Module_00000000`00000000
Unable to add module at 00000000`00000000
Loading User Symbols
For analysis of this file, run !analyze -v
5: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: fffff809508f1318, memory referenced
Arg2: 0000000000000002, IRQL
Arg3: 0000000000000000, value 0 = read operation, 1 = write operation
Arg4: fffff809501fd530, address which referenced memory
Debugging Details:
***** Debugger could not find nt in module list, module list might be corrupt, error 0x80070057.
KEY_VALUES_STRING: 1
Key : Analysis.CPU.mSec
Value: 15
Key : Analysis.DebugAnalysisManager
Value: Create
Key : Analysis.Elapsed.mSec
Value: 20
Key : Analysis.Init.CPU.mSec
Value: 2015
Key : Analysis.Init.Elapsed.mSec
Value: 179665
Key : Analysis.Memory.CommitPeak.Mb
Value: 47
Key : WER.CorruptModuleList
Value: 1
Key : WER.OS.Branch
Value: rs1_release
Key : WER.OS.Timestamp
Value: 2023-11-03T17:37:00Z
Key : WER.OS.Version
Value: 10.0.14393.6451
FILE_IN_CAB: 121323-44796-01.dmp
BUGCHECK_CODE: d1
BUGCHECK_P1: fffff809508f1318
BUGCHECK_P2: 2
BUGCHECK_P3: 0
BUGCHECK_P4: fffff809501fd530
READ_ADDRESS: Unable to get size of nt!_MMPTE - probably bad symbols
fffff809508f1318
CUSTOMER_CRASH_COUNT: 1
STACK_TEXT:
ffffb901`6d8f3ff8 fffff800`bbd808a9 : 00000000`0000000a fffff809`508f1318 00000000`00000002 00000000`00000000 : 0xfffff800`bbd6e650
ffffb901`6d8f4000 00000000`0000000a : fffff809`508f1318 00000000`00000002 00000000`00000000 fffff809`501fd530 : 0xfffff800`bbd808a9
ffffb901`6d8f4008 fffff809`508f1318 : 00000000`00000002 00000000`00000000 fffff809`501fd530 ffffda0d`e6468960 : 0xa
ffffb901`6d8f4010 00000000`00000002 : 00000000`00000000 fffff809`501fd530 ffffda0d`e6468960 00000000`00000000 : 0xfffff809`508f1318
ffffb901`6d8f4018 00000000`00000000 : fffff809`501fd530 ffffda0d`e6468960 00000000`00000000 00000000`00000000 : 0x2
SYMBOL_NAME: ANALYSIS_INCONCLUSIVE
MODULE_NAME: Unknown_Module
IMAGE_NAME: Unknown_Image
STACK_COMMAND: .cxr; .ecxr ; kb
FAILURE_BUCKET_ID: CORRUPT_MODULELIST_AV
OS_VERSION: 10.0.14393.6451
BUILDLAB_STR: rs1_release
OSPLATFORM_TYPE: x64
OSNAME: Windows 10
FAILURE_ID_HASH: {fc259191-ef0c-6215-476f-d32e5dcaf1b7}
Followup: MachineOwner
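Hello,
Thank you for posting on the Microsoft forum!
From the dump information you provided, the bug check code is 0xD1. This code indicates that a kernel-mode driver attempted to access a memory location it should not access at the current IRQL level. For this kind of problem, the driver shown in the stack is usually the main cause. Unfortunately, the dump file you collected shows an unknown module, which may be caused by memory corruption or an outdated BIOS. You can try a hardware check or a BIOS update to troubleshoot.
Best Regards
Zack Lu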
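Thank you for your reply, but this machine is a server deployed on Hyper-V, so I do not know whether this is hardware related. I found that after the KB4589210 update was installed on July 1, 2023, the first automatic shutdown occurred that same day (before that, the server had been running stably for 2 years). Several more automatic shutdowns have occurred since then, and every dump captured shows unknown module. However, the dump captured at the first occurrence on July 1, 2023 is different. Please take a look: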
Loading Dump File [C:\Windows\Minidump\070123-31578-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available
Symbol search path is: srv*
Executable search path is:
Windows 10 Kernel Version 14393 MP (8 procs) Free x64
Product: Server, suite: TerminalServer SingleUserTS
Edition build lab: 14393.2248.amd64fre.rs1_release.180427-1804
Machine Name:
Kernel base = 0xfffff801`d7c0d000 PsLoadedModuleList = 0xfffff801`d7f14160
Debug session time: Sat Jul 1 14:44:16.912 2023 (UTC + 8:00)
System Uptime: 244 days 20:39:25.908
Loading Kernel Symbols
...............................................................
................................................................
.................................
Loading User Symbols
Loading unloaded module list
....................
For analysis of this file, run !analyze -v
4: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: fffff80ed32dbbb0, memory referenced
Arg2: 0000000000000002, IRQL
Arg3: 0000000000000000, value 0 = read operation, 1 = write operation
Arg4: fffff80ed2eccc20, address which referenced memory
Debugging Details:
*** WARNING: Unable to verify timestamp for hrwfpdrv_win10.sys
KEY_VALUES_STRING: 1
Key : Analysis.CPU.mSec
Value: 3139
Key : Analysis.DebugAnalysisManager
Value: Create
Key : Analysis.Elapsed.mSec
Value: 4544
Key : Analysis.Init.CPU.mSec
Value: 1780
Key : Analysis.Init.Elapsed.mSec
Value: 10761
Key : Analysis.Memory.CommitPeak.Mb
Value: 75
Key : Dump.Attributes.InsufficientDumpfileSize
Value: 1
Key : Dump.Attributes.RequiredDumpfileSize
Value: 0x1f779ac0a
Key : WER.OS.Branch
Value: rs1_release
Key : WER.OS.Timestamp
Value: 2018-04-27T18:04:00Z
Key : WER.OS.Version
Value: 10.0.14393.2248
FILE_IN_CAB: 070123-31578-01.dmp
VIRTUAL_MACHINE: HyperV
DUMP_FILE_ATTRIBUTES: 0xc
Insufficient Dumpfile Size
Kernel Generated Triage Dump
BUGCHECK_CODE: d1
BUGCHECK_P1: fffff80ed32dbbb0
BUGCHECK_P2: 2
BUGCHECK_P3: 0
BUGCHECK_P4: fffff80ed2eccc20
READ_ADDRESS: fffff801d7fb6338: Unable to get MiVisibleState
Unable to get NonPagedPoolStart
Unable to get NonPagedPoolEnd
Unable to get PagedPoolStart
Unable to get PagedPoolEnd
fffff80ed32dbbb0
CUSTOMER_CRASH_COUNT: 1
PROCESS_NAME: System
TRAP_FRAME: ffffd48180699250 -- (.trap 0xffffd48180699250)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=00000000000000a7 rbx=0000000000000000 rcx=0000000000008d48
rdx=0000000000008000 rsi=0000000000000000 rdi=0000000000000000
rip=fffff80ed2eccc20 rsp=ffffd481806993e0 rbp=0000000000000000
r8=ffff9f875eb0f909 r9=fffff80ed2ed7560 r10=0000000000000000
r11=fffff80ed32dbbb0 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei ng nz na pe nc
hrwfpdrv_win10+0xcc20:
fffff80e`d2eccc20 66413913 cmp word ptr [r11],dx ds:fffff80e`d32dbbb0=????
Resetting default scope
STACK_TEXT:
ffffd481`80699108 fffff801`d7d7a029 : 00000000`0000000a fffff80e`d32dbbb0 00000000`00000002 00000000`00000000 : nt!KeBugCheckEx
ffffd481`80699110 fffff801`d7d76c8e : ffff9f87`2725c350 49d205ca`128672c0 ffff9f87`6891bda8 ffff9f87`26746120 : nt!KiBugCheckDispatch+0x69
ffffd481`80699250 fffff80e`d2eccc20 : ffff9f87`68910002 ffffd481`80699840 00000000`00000003 ffffd481`80699850 : nt!KiPageFault+0x48e
ffffd481`806993e0 ffff9f87`68910002 : ffffd481`80699840 00000000`00000003 ffffd481`80699850 ff00ff02`ff000004 : hrwfpdrv_win10+0xcc20
ffffd481`806993e8 ffffd481`80699840 : 00000000`00000003 ffffd481`80699850 ff00ff02`ff000004 ffffd481`80699860 : 0xffff9f87`68910002
ffffd481`806993f0 00000000`00000003 : ffffd481`80699850 ff00ff02`ff000004 ffffd481`80699860 00000000`00000174 : 0xffffd481`80699840
ffffd481`806993f8 ffffd481`80699850 : ff00ff02`ff000004 ffffd481`80699860 00000000`00000174 ffff9f87`5eb0fad0 : 0x3
ffffd481`80699400 ff00ff02`ff000004 : ffffd481`80699860 00000000`00000174 ffff9f87`5eb0fad0 ffff9f87`93e17058 : 0xffffd481`80699850
ffffd481`80699408 ffffd481`80699860 : 00000000`00000174 ffff9f87`5eb0fad0 ffff9f87`93e17058 00000000`00000173 : 0xff00ff02`ff000004
ffffd481`80699410 00000000`00000174 : ffff9f87`5eb0fad0 ffff9f87`93e17058 00000000`00000173 ffff9f87`5eb0fa4f : 0xffffd481`80699860
ffffd481`80699418 ffff9f87`5eb0fad0 : ffff9f87`93e17058 00000000`00000173 ffff9f87`5eb0fa4f fffff80e`d2ecd0f0 : 0x174
ffffd481`80699420 ffff9f87`93e17058 : 00000000`00000173 ffff9f87`5eb0fa4f fffff80e`d2ecd0f0 ffff9f87`34ef84f0 : 0xffff9f87`5eb0fad0
ffffd481`80699428 00000000`00000173 : ffff9f87`5eb0fa4f fffff80e`d2ecd0f0 ffff9f87`34ef84f0 0000159c`073a9459 : 0xffff9f87`93e17058
ffffd481`80699430 ffff9f87`5eb0fa4f : fffff80e`d2ecd0f0 ffff9f87`34ef84f0 0000159c`073a9459 ffff9f87`5eb0f689 : 0x173
ffffd481`80699438 fffff80e`d2ecd0f0 : ffff9f87`34ef84f0 0000159c`073a9459 ffff9f87`5eb0f689 00000000`00000173 : 0xffff9f87`5eb0fa4f
ffffd481`80699440 ffff9f87`34ef84f0 : 0000159c`073a9459 ffff9f87`5eb0f689 00000000`00000173 ffffd481`80699488 : hrwfpdrv_win10+0xd0f0
ffffd481`80699448 0000159c`073a9459 : ffff9f87`5eb0f689 00000000`00000173 ffffd481`80699488 ffff9f87`5eb0fa4f : 0xffff9f87`34ef84f0
ffffd481`80699450 ffff9f87`5eb0f689 : 00000000`00000173 ffffd481`80699488 ffff9f87`5eb0fa4f ffff9f87`5eb0f689 : 0x0000159c`073a9459
ffffd481`80699458 00000000`00000173 : ffffd481`80699488 ffff9f87`5eb0fa4f ffff9f87`5eb0f689 fffff80e`d2ece20e : 0xffff9f87`5eb0f689
ffffd481`80699460 ffffd481`80699488 : ffff9f87`5eb0fa4f ffff9f87`5eb0f689 fffff80e`d2ece20e ffff9f87`5eb0f668 : 0x173
ffffd481`80699468 ffff9f87`5eb0fa4f : ffff9f87`5eb0f689 fffff80e`d2ece20e ffff9f87`5eb0f668 00000000`ffffffff : 0xffffd481`80699488
ffffd481`80699470 ffff9f87`5eb0f689 : fffff80e`d2ece20e ffff9f87`5eb0f668 00000000`ffffffff ffff9f87`5eb0fa4f : 0xffff9f87`5eb0fa4f
ffffd481`80699478 fffff80e`d2ece20e : ffff9f87`5eb0f668 00000000`ffffffff ffff9f87`5eb0fa4f 00000000`00000001 : 0xffff9f87`5eb0f689
ffffd481`80699480 ffff9f87`5eb0f668 : 00000000`ffffffff ffff9f87`5eb0fa4f 00000000`00000001 ffff9f87`5eb0fad0 : hrwfpdrv_win10+0xe20e
ffffd481`80699488 00000000`ffffffff : ffff9f87`5eb0fa4f 00000000`00000001 ffff9f87`5eb0fad0 00000000`00000014 : 0xffff9f87`5eb0f668
ffffd481`80699490 ffff9f87`5eb0fa4f : 00000000`00000001 ffff9f87`5eb0fad0 00000000`00000014 00000000`00000000 : 0xffffffff
ffffd481`80699498 00000000`00000001 : ffff9f87`5eb0fad0 00000000`00000014 00000000`00000000 fffff80e`d2ec2484 : 0xffff9f87`5eb0fa4f
ffffd481`806994a0 ffff9f87`5eb0fad0 : 00000000`00000014 00000000`00000000 fffff80e`d2ec2484 ffff9f87`5eb0f7c9 : 0x1
ffffd481`806994a8 00000000`00000014 : 00000000`00000000 fffff80e`d2ec2484 ffff9f87`5eb0f7c9 00000000`00000174 : 0xffff9f87`5eb0fad0
ffffd481`806994b0 00000000`00000000 : fffff80e`d2ec2484 ffff9f87`5eb0f7c9 00000000`00000174 00000000`00000000 : 0x14
SYMBOL_NAME: hrwfpdrv_win10+cc20
MODULE_NAME: hrwfpdrv_win10
IMAGE_NAME: hrwfpdrv_win10.sys
STACK_COMMAND: .cxr; .ecxr ; kb
BUCKET_ID_FUNC_OFFSET: cc20
FAILURE_BUCKET_ID: AV_hrwfpdrv_win10!unknown_function
OS_VERSION: 10.0.14393.2248
BUILDLAB_STR: rs1_release
OSPLATFORM_TYPE: x64
OSNAME: Windows 10
FAILURE_ID_HASH: {fc640dcb-fed1-b2cd-7721-20d6592333e4}
Followup: MachineOwner
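Hello,
Thank you for your reply!
From the dump information you uploaded, the PageFault, i.e. the memory error, was caused by the hrwfpdrv_win10 driver. On checking, this driver is the Huorong (火绒) antivirus driver. You may need to update/uninstall this driver to see whether that resolves the problem.
Best Regards
Zack Lu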
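
An added example, not part of the original thread: a small Python triage of the `!analyze -v` text for the two 0xD1 dumps quoted above. It shows why the December report (CORRUPT_MODULELIST_AV, Unknown_Image) names nothing to act on, while the July report names hrwfpdrv_win10.sys and lets the driver's load address be derived from Arg4. The function name `triage` and its result keys are this example's own; the sample text is excerpted from the two outputs in the thread.

```python
import re

# Excerpts copied from the two `!analyze -v` outputs quoted in the thread.
DUMP_DEC_2023 = """\
Arg1: fffff809508f1318, memory referenced
Arg2: 0000000000000002, IRQL
Arg3: 0000000000000000, value 0 = read operation, 1 = write operation
Arg4: fffff809501fd530, address which referenced memory
BUGCHECK_CODE: d1
IMAGE_NAME: Unknown_Image
FAILURE_BUCKET_ID: CORRUPT_MODULELIST_AV
"""
DUMP_JUL_2023 = """\
Arg1: fffff80ed32dbbb0, memory referenced
Arg2: 0000000000000002, IRQL
Arg3: 0000000000000000, value 0 = read operation, 1 = write operation
Arg4: fffff80ed2eccc20, address which referenced memory
hrwfpdrv_win10+0xcc20:
BUGCHECK_CODE: d1
IMAGE_NAME: hrwfpdrv_win10.sys
FAILURE_BUCKET_ID: AV_hrwfpdrv_win10!unknown_function
"""

FIELD = re.compile(r"^([A-Z_]+):[ \t]+(\S+)", re.M)
ARG = re.compile(r"^Arg([1-4]):[ \t]+([0-9a-f]{16})", re.M)
SITE = re.compile(r"^(\w+)\+0x([0-9a-f]+):$", re.M)  # e.g. "driver+0xcc20:"

def triage(text):
    """Summarise a 0xD1 report and say whether it names a driver to act on."""
    fields = dict(FIELD.findall(text))
    args = {int(n): int(v, 16) for n, v in ARG.findall(text)}
    image = fields.get("IMAGE_NAME", "Unknown_Image")
    bucket = fields.get("FAILURE_BUCKET_ID", "")
    result = {
        "bugcheck": fields.get("BUGCHECK_CODE"),
        "image": image,
        "irql": args.get(2),
        "access": {0: "read", 1: "write"}.get(args.get(3)),
        # An unresolved module list means the dump cannot blame any driver.
        "actionable": image != "Unknown_Image" and "CORRUPT_MODULELIST" not in bucket,
    }
    site = SITE.search(text)
    if site and 4 in args:
        # Arg4 is the faulting instruction; subtracting its offset gives the image base.
        result["module"] = site.group(1)
        result["module_base"] = args[4] - int(site.group(2), 16)
    return result

if __name__ == "__main__":
    print(triage(DUMP_DEC_2023), triage(DUMP_JUL_2023))
```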