利用windbg分析windows xp蓝屏的问题

62 阅读 0 评论 41 点赞

我是靠谱客的博主老迟到冷风，最近开发中收集的这篇文章主要介绍利用windbg分析windows xp蓝屏的问题，觉得挺不错的，现在分享给大家，希望可以做个参考。

概述

首先下载windebug

http://www.microsoft.com/whdc/devtools/debugging/installx86.mspx

说下debug方法
1. 我的电脑，属性->高级->启动，最下面的内存调试选最后一项的全部，确定后重新启动
2. 蓝屏后不要急着重启，系统会保存整个内存内容，然后会自动重启
3. 找到C:/WINDOWS/Minidump/Mini121708-02.dmp
4. 下载安装windwos 的 debug tools, 我这有下载地址，或微软网站
http://public.hshh.org/SysTools/debug/dbg_x86_6.6.07.5.exe
5. 安装后创建一个临时目录，例如 c:/temp
6. 启动 windbg
7. windbg界面: file->symbol file path (ctrl+s) 输入:
SRV*c:/temp*http://msdl.microsoft.com/download/symbols
然后确定
8. windbg界面: file->open crash dump(ctrl+d)，打开C:/WINDOWS/Minidump/Mini121708-02.dmp
9. 打开后，等待提示
当出现 Use !analyze -v to get detailed debugging information. 字样后，在下面输入框
!analyze -v
10. 等待分析完毕，可以知道什么导致的出错
11. windbg使用中需要网上下载调试内容，这个速度嘛，取决于你的网络了。

————————————————————————————————

得到的结果：

Use !analyze -v to get detailed debugging information.

BugCheck 100000D1, {8, 2, 0, f702ec10}

Unable to load image e100b325.sys, Win32 error 0n2
*** WARNING: Unable to verify timestamp for e100b325.sys
*** ERROR: Module load completed but symbols could not be loaded for e100b325.sys
Probably caused by : klim5.sys ( klim5+2a94 )

Followup: MachineOwner
---------

0: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: 00000008, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000000, value 0 = read operation, 1 = write operation
Arg4: f702ec10, address which referenced memory

Debugging Details:
------------------

READ_ADDRESS: 00000008

CURRENT_IRQL: 2

FAULTING_IP:
NDIS!ndisMSendCompleteX+71
f702ec10 8b7808 mov edi,dword ptr [eax+8]

CUSTOMER_CRASH_COUNT: 2

DEFAULT_BUCKET_ID: DRIVER_FAULT

BUGCHECK_STR: 0xD1

PROCESS_NAME: Idle

LAST_CONTROL_TRANSFER: from f7889a94 to f702ec10

STACK_TEXT:
80552348 f7889a94 898e6ad0 88c7f4e0 00000000 NDIS!ndisMSendCompleteX+0x71
WARNING: Stack unwind information not available. Following frames may be wrong.
80552364 f702ec2c 89776b08 88f92f30 00000000 klim5+0x2a94
80552388 f57a26ba 89a0b9d8 88f92f30 00000000 NDIS!ndisMSendCompleteX+0x8d
805523c4 f57a2fdd 01ffc000 01fffb60 00000020 e100b325+0x186ba
805523ec f5794a36 00000000 89a0b9d8 897a53f0 e100b325+0x18fdd
80552410 f7031e99 007a5008 8055d0c0 ffdff9c0 e100b325+0xaa36
80552428 80546e7f 897a5404 897a53f0 00000000 NDIS!ndisMDpcX+0x21
80552450 80546d64 00000000 0000000e 00000000 nt!KiRetireDpcList+0x61
80552454 00000000 0000000e 00000000 00000000 nt!KiIdleLoop+0x28

STACK_COMMAND: kb

FOLLOWUP_IP:
klim5+2a94
f7889a94 ?? ???

SYMBOL_STACK_INDEX: 1

SYMBOL_NAME: klim5+2a94

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: klim5

IMAGE_NAME: klim5.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 461384b8

FAILURE_BUCKET_ID: 0xD1_klim5+2a94

BUCKET_ID: 0xD1_klim5+2a94

Followup: MachineOwner
---------

==》应该是