Server on Hyper-V shuts down unexpectedly and reboots automatically

Anonymous
2023-12-14T11:05:23+00:00

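The most recent shutdown did not even produce a memory dump file, so I can only provide the MEMORY.DMP from the previous one.

Below is the WinDbg analysis; please help me see where the problem is: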

Mini Kernel Dump File: Only registers and stack trace are available

Invalid directory table base value 0x0

Symbol search path is: srv*

Executable search path is:

Unable to load image Unknown_Module_00000000`00000000, Win32 error 0n2

*** WARNING: Unable to verify timestamp for Unknown_Module_00000000`00000000

*** ERROR: Module load completed but symbols could not be loaded for Unknown_Module_00000000`00000000

Unable to add module at 00000000`00000000

WARNING: .reload failed, module list may be incomplete

Debugger can not determine kernel base address

Windows 10 Kernel Version 14393 MP (8 procs) Free x64

Product: Server, suite: TerminalServer SingleUserTS

Edition build lab: 14393.6451.amd64fre.rs1_release.231103-1737

Machine Name:

Kernel base = 0xfffff800bbc11000 PsLoadedModuleList = 0xfffff800bbf16cb0

Debug session time: Wed Dec 13 09:53:08.728 2023 (UTC + 8:00)

System Uptime: 27 days 15:45:09.661

Unable to load image Unknown_Module_00000000`00000000, Win32 error 0n2

*** WARNING: Unable to verify timestamp for Unknown_Module_00000000`00000000

*** ERROR: Module load completed but symbols could not be loaded for Unknown_Module_00000000`00000000

Unable to add module at 00000000`00000000

WARNING: .reload failed, module list may be incomplete

Debugger can not determine kernel base address

Loading Kernel Symbols

.Unable to load image Unknown_Module_00000000`00000000, Win32 error 0n2

*** WARNING: Unable to verify timestamp for Unknown_Module_00000000`00000000

*** ERROR: Module load completed but symbols could not be loaded for Unknown_Module_00000000`00000000

Unable to add module at 00000000`00000000

Loading User Symbols

For analysis of this file, run !analyze -v

5: kd> !analyze -v

*******************************************************************************

* *

* Bugcheck Analysis *

* *

*******************************************************************************

DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)

An attempt was made to access a pageable (or completely invalid) address at an

interrupt request level (IRQL) that is too high. This is usually

caused by drivers using improper addresses.

If kernel debugger is available get stack backtrace.

Arguments:

Arg1: fffff809508f1318, memory referenced

Arg2: 0000000000000002, IRQL

Arg3: 0000000000000000, value 0 = read operation, 1 = write operation

Arg4: fffff809501fd530, address which referenced memory

Debugging Details:


***** Debugger could not find nt in module list, module list might be corrupt, error 0x80070057.

KEY_VALUES_STRING: 1

Key  : Analysis.CPU.mSec 

Value: 15 

Key  : Analysis.DebugAnalysisManager 

Value: Create 

Key  : Analysis.Elapsed.mSec 

Value: 20 

Key  : Analysis.Init.CPU.mSec 

Value: 2015 

Key  : Analysis.Init.Elapsed.mSec 

Value: 179665 

Key  : Analysis.Memory.CommitPeak.Mb 

Value: 47 

Key  : WER.CorruptModuleList 

Value: 1 

Key  : WER.OS.Branch 

Value: rs1_release 

Key  : WER.OS.Timestamp 

Value: 2023-11-03T17:37:00Z 

Key  : WER.OS.Version 

Value: 10.0.14393.6451 

FILE_IN_CAB: 121323-44796-01.dmp

BUGCHECK_CODE: d1

BUGCHECK_P1: fffff809508f1318

BUGCHECK_P2: 2

BUGCHECK_P3: 0

BUGCHECK_P4: fffff809501fd530

READ_ADDRESS: Unable to get size of nt!_MMPTE - probably bad symbols

fffff809508f1318

CUSTOMER_CRASH_COUNT: 1

STACK_TEXT:

ffffb9016d8f3ff8 fffff800bbd808a9 : 000000000000000a fffff809508f1318 0000000000000002 0000000000000000 : 0xfffff800`bbd6e650

ffffb9016d8f4000 000000000000000a : fffff809508f1318 0000000000000002 0000000000000000 fffff809501fd530 : 0xfffff800`bbd808a9

ffffb9016d8f4008 fffff809508f1318 : 0000000000000002 0000000000000000 fffff809501fd530 ffffda0de6468960 : 0xa

ffffb9016d8f4010 0000000000000002 : 0000000000000000 fffff809501fd530 ffffda0de6468960 0000000000000000 : 0xfffff809`508f1318

ffffb9016d8f4018 0000000000000000 : fffff809501fd530 ffffda0de6468960 0000000000000000 0000000000000000 : 0x2

SYMBOL_NAME: ANALYSIS_INCONCLUSIVE

MODULE_NAME: Unknown_Module

IMAGE_NAME: Unknown_Image

STACK_COMMAND: .cxr; .ecxr ; kb

FAILURE_BUCKET_ID: CORRUPT_MODULELIST_AV

OS_VERSION: 10.0.14393.6451

BUILDLAB_STR: rs1_release

OSPLATFORM_TYPE: x64

OSNAME: Windows 10

FAILURE_ID_HASH: {fc259191-ef0c-6215-476f-d32e5dcaf1b7}

Followup: MachineOwner



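Locked question. This question was migrated from the Microsoft Support Community. You can vote on whether it is helpful, but you cannot add comments or replies, and you cannot follow the question. To protect privacy, user profiles are anonymized for migrated questions.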


3 answers

  1. Anonymous
    2023-12-18T07:19:28+00:00

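    Hello,

    Thank you for posting on the Microsoft forum!

    Judging from the dump information you provided, the bug check code is 0xD1. This code indicates that a kernel-mode driver tried to access a memory location it should not access at the current IRQL level. For this kind of problem, the driver shown in the stack is usually the main cause. Unfortunately, the dump file you collected shows an unknown module; this can be caused by memory corruption or an outdated BIOS. You can try a hardware check or a BIOS update to troubleshoot.

    Best Regards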

    Zack Lu

  2. Anonymous
    2023-12-18T08:26:40+00:00

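    Thank you for your reply, but this machine is a server deployed on Hyper-V, so I am not sure whether it is hardware-related. I found that after KB4589210 was installed on July 1, 2023, the first automatic shutdown happened that same day (before that the server had run stably for 2 years), and several more automatic shutdowns followed; every dump file captured since then shows unknown module. However, the dump captured at the first occurrence on July 1, 2023 is different. Please take a look: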
    Loading Dump File [C:\Windows\Minidump\070123-31578-01.dmp]

    Mini Kernel Dump File: Only registers and stack trace are available

    Symbol search path is: srv*

    Executable search path is:

    Windows 10 Kernel Version 14393 MP (8 procs) Free x64

    Product: Server, suite: TerminalServer SingleUserTS

    Edition build lab: 14393.2248.amd64fre.rs1_release.180427-1804

    Machine Name:

    Kernel base = 0xfffff801d7c0d000 PsLoadedModuleList = 0xfffff801d7f14160

    Debug session time: Sat Jul 1 14:44:16.912 2023 (UTC + 8:00)

    System Uptime: 244 days 20:39:25.908

    Loading Kernel Symbols

    ...............................................................

    ................................................................

    .................................

    Loading User Symbols

    Loading unloaded module list

    ....................

    For analysis of this file, run !analyze -v

    4: kd> !analyze -v

    *******************************************************************************

    * *

    * Bugcheck Analysis *

    * *

    *******************************************************************************

    DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)

    An attempt was made to access a pageable (or completely invalid) address at an

    interrupt request level (IRQL) that is too high. This is usually

    caused by drivers using improper addresses.

    If kernel debugger is available get stack backtrace.

    Arguments:

    Arg1: fffff80ed32dbbb0, memory referenced

    Arg2: 0000000000000002, IRQL

    Arg3: 0000000000000000, value 0 = read operation, 1 = write operation

    Arg4: fffff80ed2eccc20, address which referenced memory

    Debugging Details:


    *** WARNING: Unable to verify timestamp for hrwfpdrv_win10.sys

    KEY_VALUES_STRING: 1

    Key  : Analysis.CPU.mSec 
    
    Value: 3139 
    
    Key  : Analysis.DebugAnalysisManager 
    
    Value: Create 
    
    Key  : Analysis.Elapsed.mSec 
    
    Value: 4544 
    
    Key  : Analysis.Init.CPU.mSec 
    
    Value: 1780 
    
    Key  : Analysis.Init.Elapsed.mSec 
    
    Value: 10761 
    
    Key  : Analysis.Memory.CommitPeak.Mb 
    
    Value: 75 
    
    Key  : Dump.Attributes.InsufficientDumpfileSize 
    
    Value: 1 
    
    Key  : Dump.Attributes.RequiredDumpfileSize 
    
    Value: 0x1f779ac0a 
    
    Key  : WER.OS.Branch 
    
    Value: rs1_release 
    
    Key  : WER.OS.Timestamp 
    
    Value: 2018-04-27T18:04:00Z 
    
    Key  : WER.OS.Version 
    
    Value: 10.0.14393.2248 
    

    FILE_IN_CAB: 070123-31578-01.dmp

    VIRTUAL_MACHINE: HyperV

    DUMP_FILE_ATTRIBUTES: 0xc

    Insufficient Dumpfile Size

    Kernel Generated Triage Dump

    BUGCHECK_CODE: d1

    BUGCHECK_P1: fffff80ed32dbbb0

    BUGCHECK_P2: 2

    BUGCHECK_P3: 0

    BUGCHECK_P4: fffff80ed2eccc20

    READ_ADDRESS: fffff801d7fb6338: Unable to get MiVisibleState

    Unable to get NonPagedPoolStart

    Unable to get NonPagedPoolEnd

    Unable to get PagedPoolStart

    Unable to get PagedPoolEnd

    fffff80ed32dbbb0

    CUSTOMER_CRASH_COUNT: 1

    PROCESS_NAME: System

    TRAP_FRAME: ffffd48180699250 -- (.trap 0xffffd48180699250)

    NOTE: The trap frame does not contain all registers.

    Some register values may be zeroed or incorrect.

    rax=00000000000000a7 rbx=0000000000000000 rcx=0000000000008d48

    rdx=0000000000008000 rsi=0000000000000000 rdi=0000000000000000

    rip=fffff80ed2eccc20 rsp=ffffd481806993e0 rbp=0000000000000000

    r8=ffff9f875eb0f909 r9=fffff80ed2ed7560 r10=0000000000000000

    r11=fffff80ed32dbbb0 r12=0000000000000000 r13=0000000000000000

    r14=0000000000000000 r15=0000000000000000

    iopl=0 nv up ei ng nz na pe nc

    hrwfpdrv_win10+0xcc20:

    fffff80ed2eccc20 66413913 cmp word ptr [r11],dx ds:fffff80ed32dbbb0=????

    Resetting default scope

    STACK_TEXT:

    ffffd48180699108 fffff801d7d7a029 : 000000000000000a fffff80ed32dbbb0 0000000000000002 0000000000000000 : nt!KeBugCheckEx

    ffffd48180699110 fffff801d7d76c8e : ffff9f872725c350 49d205ca128672c0 ffff9f876891bda8 ffff9f8726746120 : nt!KiBugCheckDispatch+0x69

    ffffd48180699250 fffff80ed2eccc20 : ffff9f8768910002 ffffd48180699840 0000000000000003 ffffd48180699850 : nt!KiPageFault+0x48e

    ffffd481806993e0 ffff9f8768910002 : ffffd48180699840 0000000000000003 ffffd48180699850 ff00ff02ff000004 : hrwfpdrv_win10+0xcc20

    ffffd481806993e8 ffffd48180699840 : 0000000000000003 ffffd48180699850 ff00ff02ff000004 ffffd48180699860 : 0xffff9f87`68910002

    ffffd481806993f0 0000000000000003 : ffffd48180699850 ff00ff02ff000004 ffffd48180699860 0000000000000174 : 0xffffd481`80699840

    ffffd481806993f8 ffffd48180699850 : ff00ff02ff000004 ffffd48180699860 0000000000000174 ffff9f875eb0fad0 : 0x3

    ffffd48180699400 ff00ff02ff000004 : ffffd48180699860 0000000000000174 ffff9f875eb0fad0 ffff9f8793e17058 : 0xffffd481`80699850

    ffffd48180699408 ffffd48180699860 : 0000000000000174 ffff9f875eb0fad0 ffff9f8793e17058 0000000000000173 : 0xff00ff02`ff000004

    ffffd48180699410 0000000000000174 : ffff9f875eb0fad0 ffff9f8793e17058 0000000000000173 ffff9f875eb0fa4f : 0xffffd481`80699860

    ffffd48180699418 ffff9f875eb0fad0 : ffff9f8793e17058 0000000000000173 ffff9f875eb0fa4f fffff80ed2ecd0f0 : 0x174

    ffffd48180699420 ffff9f8793e17058 : 0000000000000173 ffff9f875eb0fa4f fffff80ed2ecd0f0 ffff9f8734ef84f0 : 0xffff9f87`5eb0fad0

    ffffd48180699428 0000000000000173 : ffff9f875eb0fa4f fffff80ed2ecd0f0 ffff9f8734ef84f0 0000159c073a9459 : 0xffff9f87`93e17058

    ffffd48180699430 ffff9f875eb0fa4f : fffff80ed2ecd0f0 ffff9f8734ef84f0 0000159c073a9459 ffff9f875eb0f689 : 0x173

    ffffd48180699438 fffff80ed2ecd0f0 : ffff9f8734ef84f0 0000159c073a9459 ffff9f875eb0f689 0000000000000173 : 0xffff9f87`5eb0fa4f

    ffffd48180699440 ffff9f8734ef84f0 : 0000159c073a9459 ffff9f875eb0f689 0000000000000173 ffffd48180699488 : hrwfpdrv_win10+0xd0f0

    ffffd48180699448 0000159c073a9459 : ffff9f875eb0f689 0000000000000173 ffffd48180699488 ffff9f875eb0fa4f : 0xffff9f87`34ef84f0

    ffffd48180699450 ffff9f875eb0f689 : 0000000000000173 ffffd48180699488 ffff9f875eb0fa4f ffff9f875eb0f689 : 0x0000159c`073a9459

    ffffd48180699458 0000000000000173 : ffffd48180699488 ffff9f875eb0fa4f ffff9f875eb0f689 fffff80ed2ece20e : 0xffff9f87`5eb0f689

    ffffd48180699460 ffffd48180699488 : ffff9f875eb0fa4f ffff9f875eb0f689 fffff80ed2ece20e ffff9f875eb0f668 : 0x173

    ffffd48180699468 ffff9f875eb0fa4f : ffff9f875eb0f689 fffff80ed2ece20e ffff9f875eb0f668 00000000ffffffff : 0xffffd481`80699488

    ffffd48180699470 ffff9f875eb0f689 : fffff80ed2ece20e ffff9f875eb0f668 00000000ffffffff ffff9f875eb0fa4f : 0xffff9f87`5eb0fa4f

    ffffd48180699478 fffff80ed2ece20e : ffff9f875eb0f668 00000000ffffffff ffff9f875eb0fa4f 0000000000000001 : 0xffff9f87`5eb0f689

    ffffd48180699480 ffff9f875eb0f668 : 00000000ffffffff ffff9f875eb0fa4f 0000000000000001 ffff9f875eb0fad0 : hrwfpdrv_win10+0xe20e

    ffffd48180699488 00000000ffffffff : ffff9f875eb0fa4f 0000000000000001 ffff9f875eb0fad0 0000000000000014 : 0xffff9f87`5eb0f668

    ffffd48180699490 ffff9f875eb0fa4f : 0000000000000001 ffff9f875eb0fad0 0000000000000014 0000000000000000 : 0xffffffff

    ffffd48180699498 0000000000000001 : ffff9f875eb0fad0 0000000000000014 0000000000000000 fffff80ed2ec2484 : 0xffff9f87`5eb0fa4f

    ffffd481806994a0 ffff9f875eb0fad0 : 0000000000000014 0000000000000000 fffff80ed2ec2484 ffff9f875eb0f7c9 : 0x1

    ffffd481806994a8 0000000000000014 : 0000000000000000 fffff80ed2ec2484 ffff9f875eb0f7c9 0000000000000174 : 0xffff9f87`5eb0fad0

    ffffd481806994b0 0000000000000000 : fffff80ed2ec2484 ffff9f875eb0f7c9 0000000000000174 0000000000000000 : 0x14

    SYMBOL_NAME: hrwfpdrv_win10+cc20

    MODULE_NAME: hrwfpdrv_win10

    IMAGE_NAME: hrwfpdrv_win10.sys

    STACK_COMMAND: .cxr; .ecxr ; kb

    BUCKET_ID_FUNC_OFFSET: cc20

    FAILURE_BUCKET_ID: AV_hrwfpdrv_win10!unknown_function

    OS_VERSION: 10.0.14393.2248

    BUILDLAB_STR: rs1_release

    OSPLATFORM_TYPE: x64

    OSNAME: Windows 10

    FAILURE_ID_HASH: {fc640dcb-fed1-b2cd-7721-20d6592333e4}

    Followup: MachineOwner


  3. Anonymous
    2023-12-21T02:11:46+00:00

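    Hello,

    Thank you for your reply!

    From the dump information you uploaded, the PageFault, that is, the memory error, was caused by the hrwfpdrv_win10 driver. On checking, this driver is a Huorong antivirus driver; you may need to update/uninstall this driver and observe whether that resolves the problem.

    Best Regards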

    Zack Lu

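The reading given in the answers (for 0xD1, trust the named driver unless the module list is corrupt) can be applied mechanically to saved `!analyze -v` text. The Python below is an added example, not part of the original thread; the helper name `triage` and the two excerpt constants are assumptions, with field values copied from the outputs posted above.

```python
import re

# Constructed excerpts: summary fields copied from the two outputs in this thread.
DUMP_DEC_2023 = """\
BUGCHECK_CODE: d1
BUGCHECK_P1: fffff809508f1318
BUGCHECK_P2: 2
BUGCHECK_P3: 0
BUGCHECK_P4: fffff809501fd530
SYMBOL_NAME: ANALYSIS_INCONCLUSIVE
MODULE_NAME: Unknown_Module
IMAGE_NAME: Unknown_Image
FAILURE_BUCKET_ID: CORRUPT_MODULELIST_AV
"""
DUMP_JUL_2023 = """\
BUGCHECK_CODE: d1
BUGCHECK_P1: fffff80ed32dbbb0
BUGCHECK_P2: 2
BUGCHECK_P3: 0
BUGCHECK_P4: fffff80ed2eccc20
SYMBOL_NAME: hrwfpdrv_win10+cc20
MODULE_NAME: hrwfpdrv_win10
IMAGE_NAME: hrwfpdrv_win10.sys
FAILURE_BUCKET_ID: AV_hrwfpdrv_win10!unknown_function
"""

# Upper-case "NAME: value" summary lines only; stack rows and "Key :" lines do not match.
FIELD = re.compile(r"^[ \t]*([A-Z][A-Z0-9_]+):[ \t]*(\S.*?)[ \t]*$", re.M)

def triage(text):
    """Summarise one !analyze -v output as a dict (hypothetical helper)."""
    f = dict(FIELD.findall(text))
    out = {"bugcheck": int(f["BUGCHECK_CODE"], 16),
           "image": f.get("IMAGE_NAME", "Unknown_Image")}
    if out["bugcheck"] == 0xD1:
        # 0xD1 arguments: P1 address referenced, P2 IRQL, P3 0=read/1=write, P4 faulting instruction.
        out["irql"] = int(f["BUGCHECK_P2"], 16)
        out["access"] = "write" if int(f["BUGCHECK_P3"], 16) else "read"
        out["fault_ip"] = int(f["BUGCHECK_P4"], 16)
    m = re.fullmatch(r"(\w+)\+([0-9a-fA-F]+)", f.get("SYMBOL_NAME", ""))
    if m and "fault_ip" in out:
        # Load base recovered from "module+offset" and the faulting instruction address.
        out["module_base"] = out["fault_ip"] - int(m.group(2), 16)
    corrupt = "CORRUPT_MODULELIST" in f.get("FAILURE_BUCKET_ID", "")
    out["conclusive"] = not corrupt and not out["image"].startswith("Unknown")
    return out
```

Run over a folder of saved analyses, the `conclusive` flag separates dumps that name a driver from those, like the December one, that need a larger dump type before any module can be blamed.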