Analyzing a BSOD dump file from Windows 2008 R2 SP1

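I am having a problem with a virtual Windows Server 2008 R2 SP1 server running on VMware. The server is running Citrix and also has Symantec Endpoint Protection installed. It crashes at random and goes to a BSOD.

Investigating the event logs did not provide any useful information about the cause of the crash. I ran Windows debugging and generated the report shown below. Apparently it points to a failing driver. The problem is that I cannot determine what is causing the driver failure. I was wondering if anyone could offer some help.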

```
----------
## Bugcheck Analysis ##

SYSTEM_SERVICE_EXCEPTION (3b)
An exception happened while executing a system service routine.
Arguments:
Arg1: 00000000c0000005, Exception code that caused the bugcheck
Arg2: fffff9600008744d, Address of the instruction which caused the bugcheck
Arg3: fffff88007ba3de0, Address of the context record for the exception that caused the bugcheck
Arg4: 0000000000000000, zero.

Debugging Details:
------------------

Page 125923 not present in the dump file. Type ".hh dbgerr004" for details

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

FAULTING_IP:
win32k!xxxInternalInvalidate+7d
fffff960`0008744d f6473208 test byte ptr [rdi+32h],8

CONTEXT: fffff88007ba3de0 -- (.cxr 0xfffff88007ba3de0)
rax=0000000000000000 rbx=0000000000010485 rcx=0000000000000000
rdx=0000000000000b02 rsi=0000000000000000 rdi=0000000000000000
rip=fffff9600008744d rsp=fffff88007ba47c0 rbp=0000000000000000
 r8=0000000000010485  r9=0000000000000000 r10=fffff900000004c0
r11=fffff900c26eac30 r12=0000000000000000 r13=0000000000000001
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei pl zr na po nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00010246
win32k!xxxInternalInvalidate+0x7d:
fffff960`0008744d f6473208 test byte ptr [rdi+32h],8 ds:002b:00000000`00000032=??
Resetting default scope

DEFAULT_BUCKET_ID: WIN7_DRIVER_FAULT

BUGCHECK_STR: 0x3B

PROCESS_NAME: csrss.exe

CURRENT_IRQL: 0

LAST_CONTROL_TRANSFER: from fffff960001351a2 to fffff9600008744d

STACK_TEXT:
fffff880`07ba47c0 fffff960`001351a2 : 00000000`00000000 00000000`00000040 fffffa80`0678d330 00000000`00000000 : win32k!xxxInternalInvalidate+0x7d
fffff880`07ba4840 fffff960`001352a2 : fffffa80`0678d330 00000000`00000000 fffff880`07ba4ca0 fffffa80`06109ab0 : win32k!xxxInternalUserChangeDisplaySettings+0x486
fffff880`07ba4900 fffff960`001330e3 : 00000000`00000000 00000000`00000000 fffff900`c0f9ead0 fffff900`00000040 : win32k!xxxUserChangeDisplaySettings+0x92
fffff880`07ba49f0 fffff960`00115cba : 00000000`00000001 00000000`00aff960 00000000`00000000 ffffffff`ffffffff : win32k!xxxRemoteReconnect+0x6d7
fffff880`07ba4bf0 fffff800`016d9ed3 : fffffa80`06f66b00 fffff880`07ba4ca0 00000000`00000000 00000000`00000000 : win32k!NtUserCallOneParam+0x4e
fffff880`07ba4c20 000007fe`fd1b2aea : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13
00000000`00aff918 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x000007fe`fd1b2aea

FOLLOWUP_IP:
win32k!xxxInternalInvalidate+7d
fffff960`0008744d f6473208 test byte ptr [rdi+32h],8

SYMBOL_STACK_INDEX: 0

SYMBOL_NAME: win32k!xxxInternalInvalidate+7d

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: win32k

IMAGE_NAME: win32k.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 50e64bda

STACK_COMMAND: .cxr 0xfffff88007ba3de0 ; kb

FAILURE_BUCKET_ID: X64_0x3B_win32k!xxxInternalInvalidate+7d

BUCKET_ID: X64_0x3B_win32k!xxxInternalInvalidate+7d

Followup: MachineOwner
---------
```

This looks like the issue described in the following knowledge base article:

https://support.microsoft.com/en-us/kb/2359223

"0x0000003B" Stop error in Windows Server 2008 R2 and Windows 7 when an application or service performs GUI-related operations

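The reason I think this is the issue described in the hotfix is that it specifically calls out the win32k.sys driver. In addition, the CSRSS.exe process, which also shows up in the dump, is used for inter-process communication between user-mode GUI operations and the kernel, which also points to the issue described in the hotfix (reference: https://en.wikipedia.org/wiki/Client/Server_Runtime_Subsystem).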

I recommend applying the hotfix from the knowledge base article and monitoring whether the stop errors continue.
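The fields the answer reasons from (bugcheck 0x3B, win32k.sys, csrss.exe) can be extracted from analysis text like the report in the question, so that repeated crashes can be compared. This is an added example, not part of the original question or answer. The `triage` helper, the `SAMPLE` excerpt and the rule that a fault below 64 KB counts as a NULL-page access are assumptions made for illustration.

```python
import re

# Constructed excerpt of the debugger analysis text quoted in the question.
SAMPLE = """\
SYSTEM_SERVICE_EXCEPTION (3b)
Arg1: 00000000c0000005, Exception code that caused the bugcheck
FAULTING_IP:
win32k!xxxInternalInvalidate+7d
fffff960`0008744d f6473208 test byte ptr [rdi+32h],8
rax=0000000000000000 rbx=0000000000010485 rcx=0000000000000000
rdx=0000000000000b02 rsi=0000000000000000 rdi=0000000000000000
PROCESS_NAME: csrss.exe
IMAGE_NAME: win32k.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 50e64bda
FAILURE_BUCKET_ID: X64_0x3B_win32k!xxxInternalInvalidate+7d
"""

NULL_PAGE_LIMIT = 0x10000  # assumption: faults below 64 KB are treated as NULL-pointer accesses


def triage(text):
    """Extract the fields used to compare crashes (hypothetical helper, not a debugger API)."""
    def field(name):
        m = re.search(rf"^{name}:[ \t]*(\S+)", text, re.M)
        return m.group(1) if m else None

    out = {k.lower(): field(k) for k in
           ("PROCESS_NAME", "IMAGE_NAME", "DEBUG_FLR_IMAGE_TIMESTAMP", "FAILURE_BUCKET_ID")}
    m = re.search(r"^(\w+) \(([0-9a-fA-F]+)\)", text, re.M)
    out["bugcheck"] = (m.group(1), int(m.group(2), 16)) if m else None
    m = re.search(r"^Arg1:\s*([0-9a-fA-F]+)", text, re.M)
    out["exception_code"] = int(m.group(1), 16) if m else None
    # Register values from the context record, e.g. "rdi=0000000000000000".
    regs = {r: int(v, 16) for r, v in
            re.findall(r"\b(r[a-z0-9]{1,2})=([0-9a-fA-F]{16})\b", text)}
    # Memory operand of the faulting instruction, e.g. "[rdi+32h]".
    m = re.search(r"\[(r[a-z0-9]{1,2})([+-])([0-9a-fA-F]+)h\]", text)
    addr = None
    if m and m.group(1) in regs:
        disp = int(m.group(3), 16)
        addr = (regs[m.group(1)] + (disp if m.group(2) == "+" else -disp)) % 2**64
    out["fault_address"] = addr
    out["null_page_access"] = addr is not None and addr < NULL_PAGE_LIMIT
    return out


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

The computed fault address matches the `ds:002b:00000000`00000032=??` annotation in the report: `rdi` is zero, so the read at `[rdi+32h]` lands in the NULL page.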