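Blue screen problem caused by ntkrnlpa.exe
Could the experts here please take a look? Thanks!!!
Recently two servers have been blue-screening frequently, and in both cases it is caused by the ntkrnlpa.exe program. Viewing the minidump files with WinDbg gives the following:
Server A: IBM 3200, Win 2003 SP2
It blue-screens roughly once every 10 days (over the last 2 months)
Minidump file contents from 2012-11-9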
Mini Kernel Dump File: Only registers and stack trace are available
Symbol search path is: C:\WINDOWS\Symbols
Executable search path is:
Unable to load image \WINDOWS\system32\ntkrnlpa.exe, Win32 error 0n2
*** WARNING: Unable to verify timestamp for ntkrnlpa.exe
Windows Server 2003 Kernel Version 3790 (Service Pack 2) MP (4 procs) Free x86 compatible
Product: Server, suite: Enterprise TerminalServer SingleUserTS
Machine Name:
Kernel base = 0x80800000 PsLoadedModuleList = 0x808a6ea8
Debug session time: Fri Nov 9 16:08:57.244 2012 (UTC + 8:00)
System Uptime: 10 days 7:51:23.093
Unable to load image \WINDOWS\system32\ntkrnlpa.exe, Win32 error 0n2
*** WARNING: Unable to verify timestamp for ntkrnlpa.exe
Loading Kernel Symbols
...............................................................
...................................................
Loading User Symbols
Loading unloaded module list
.....
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck 50, {a8c0a704, 0, 80934a5d, 0}
Could not read faulting driver name
Probably caused by : memory_corruption ( nt!MiRemoveWsle+20b )
Followup: MachineOwner
---------
0: kd> !analyz -v
No export analyz found
0: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except,
it must be protected by a Probe. Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: a8c0a704, memory referenced.
Arg2: 00000000, value 0 = read operation, 1 = write operation.
Arg3: 80934a5d, If non-zero, the instruction address which referenced the bad memory
address.
Arg4: 00000000, (reserved)
Debugging Details:
------------------
Could not read faulting driver name
READ_ADDRESS: a8c0a704
FAULTING_IP:
nt!MiRemoveWsle+20b
80934a5d ?? ???
MM_INTERNAL_CODE: 0
CUSTOMER_CRASH_COUNT: 1
DEFAULT_BUCKET_ID: DRIVER_FAULT_SERVER_MINIDUMP
BUGCHECK_STR: 0x50
PROCESS_NAME: dllhost.exe
CURRENT_IRQL: 1
LAST_CONTROL_TRANSFER: from 8085ed87 to 80827cb3
STACK_TEXT:
a9d53bb0 8085ed87 00000050 a8c0a704 00000000 nt!IopFreeIrp+0x19d
a9d53c28 8088c870 00000000 a8c0a704 00000000 nt!MiFreeWsleList+0x861
a9d53c40 80934a5d badb0d00 a9d53ce8 a9d53c60 nt!MiDeletePageTablesForPhysicalRange+0xd60
a9d53cb4 80934c5f 8b5b0830 8a9d2870 a9d53ce8 nt!MiRemoveWsle+0x20b
a9d53cdc 809345ae 8a9d2870 00000000 8bd49ad0 nt!MiRepointWsleHashIndex+0x1e7
a9d53d04 80934648 e3dec358 8b5b0848 00000ab8 nt!MiLocateWsle+0xc
a9d53d48 80934765 00000ab8 00000001 a9d53d64 nt!MiLocateWsle+0xa6
a9d53d58 8088983c 00000ab8 038afeb0 7c95845c nt!MiLocateWsle+0x1c3
a9d53d64 7c95845c badb0d00 038afe4c 00000000 nt!MiRemoveUnusedSegments+0xbd4
WARNING: Frame IP not in any known module. Following frames may be wrong.
a9d53d68 badb0d00 038afe4c 00000000 00000000 0x7c95845c
a9d53d6c 038afe4c 00000000 00000000 00000000 0xbadb0d00
a9d53d70 00000000 00000000 00000000 00000000 0x38afe4c
STACK_COMMAND: kb
FOLLOWUP_IP:
nt!MiRemoveWsle+20b
80934a5d ?? ???
SYMBOL_STACK_INDEX: 3
SYMBOL_NAME: nt!MiRemoveWsle+20b
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: nt
DEBUG_FLR_IMAGE_TIMESTAMP: 503382ff
IMAGE_NAME: memory_corruption
FAILURE_BUCKET_ID: 0x50_nt!MiRemoveWsle+20b
BUCKET_ID: 0x50_nt!MiRemoveWsle+20b
Followup: MachineOwner
---------
Minidump file contents from 2012-10-26:
Microsoft (R) Windows Debugger Version 6.12.0002.633 X86
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [C:\WINDOWS\Minidump\Mini102612-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available
Symbol search path is: C:\WINDOWS\Symbols
Executable search path is:
Unable to load image \WINDOWS\system32\ntkrnlpa.exe, Win32 error 0n2
*** WARNING: Unable to verify timestamp for ntkrnlpa.exe
Windows Server 2003 Kernel Version 3790 (Service Pack 2) MP (4 procs) Free x86 compatible
Product: Server, suite: Enterprise TerminalServer SingleUserTS
Machine Name:
Kernel base = 0x80800000 PsLoadedModuleList = 0x808a6ea8
Debug session time: Fri Oct 26 08:16:21.724 2012 (UTC + 8:00)
System Uptime: 14 days 2:15:38.921
Unable to load image \WINDOWS\system32\ntkrnlpa.exe, Win32 error 0n2
*** WARNING: Unable to verify timestamp for ntkrnlpa.exe
Loading Kernel Symbols
...............................................................
...................................................
Loading User Symbols
Loading unloaded module list
.......
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck 19, {20, 8b370ef0, 8b370f08, a030015}
Probably caused by : memory_corruption ( nt!MiInsertImageSectionObject+b5 )
Followup: MachineOwner
---------
2: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
BAD_POOL_HEADER (19)
The pool is already corrupt at the time of the current request.
This may or may not be due to the caller.
The internal pool links must be walked to figure out a possible cause of
the problem, and then special pool applied to the suspect tags or the driver
verifier to a suspect driver.
Arguments:
Arg1: 00000020, a pool block header size is corrupt.
Arg2: 8b370ef0, The pool entry we were looking for within the page.
Arg3: 8b370f08, The next pool entry.
Arg4: 0a030015, (reserved)
Debugging Details:
------------------
BUGCHECK_STR: 0x19_20
POOL_ADDRESS: 8b370ef0
CUSTOMER_CRASH_COUNT: 1
DEFAULT_BUCKET_ID: DRIVER_FAULT_SERVER_MINIDUMP
PROCESS_NAME: System
CURRENT_IRQL: 0
LAST_CONTROL_TRANSFER: from 808927bb to 80827cb3
STACK_TEXT:
f78d6cc4 808927bb 00000019 00000020 8b370ef0 nt!IopFreeIrp+0x19d
f78d6d2c 80892b6f 8b370ef8 00000000 f78d6d80 nt!MiInsertImageSectionObject+0xb5
f78d6d3c 80812890 8b370ef8 8c765020 808ae5c0 nt!MiRemoveImageSectionObject+0x1a3
f78d6d80 808804eb 8c75f1b0 00000000 8c765020 nt!CcSetDirtyInMask+0x12c
f78d6dac 80949c7e 8c75f1b0 00000000 00000000 nt!MmProbeAndLockSelectedPages+0x24ff
f78d6ddc 8088e132 80880400 00000000 00000000 nt!MiCloneProcessAddressSpace+0x489c
f78d6fb4 00000000 00000000 00000000 00000000 nt!NtAllocateVirtualMemory+0xbc4
STACK_COMMAND: kb
FOLLOWUP_IP:
nt!MiInsertImageSectionObject+b5
808927bb ?? ???
SYMBOL_STACK_INDEX: 1
SYMBOL_NAME: nt!MiInsertImageSectionObject+b5
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: nt
DEBUG_FLR_IMAGE_TIMESTAMP: 503382ff
IMAGE_NAME: memory_corruption
FAILURE_BUCKET_ID: 0x19_20_nt!MiInsertImageSectionObject+b5
BUCKET_ID: 0x19_20_nt!MiInsertImageSectionObject+b5
Followup: MachineOwner
---------
[Solution]
Judging from the results of this dump file, it doesn't look like ntkrnlpa.exe is the cause.
It only reports this:
Probably caused by : memory_corruption ( nt!MiRemoveWsle+20b )
I found a similar thread via Google that may help you. A reply in it mentions using the Driver Verifier tool.
http://social.technet.microsoft.com/Forums/en-US/w7itprogeneral/thread/70294dd8-bd5e-4620-b7aa-46b6c3e786d1/
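An added example, not part of the original thread: a small Python triage script that parses the key lines of the two `!analyze -v` transcripts above and compares them, showing that the bugcheck code and process differ between crashes while the blamed image stays `memory_corruption` and the kernel image timestamp was never verified. The function names and the embedded excerpts are constructed for this illustration.

```python
import re

# Constructed excerpts: key lines copied from the two !analyze -v outputs in this thread.
DUMP_2012_11_09 = """\
*** WARNING: Unable to verify timestamp for ntkrnlpa.exe
BugCheck 50, {a8c0a704, 0, 80934a5d, 0}
Probably caused by : memory_corruption ( nt!MiRemoveWsle+20b )
PROCESS_NAME: dllhost.exe
IMAGE_NAME: memory_corruption
"""
DUMP_2012_10_26 = """\
*** WARNING: Unable to verify timestamp for ntkrnlpa.exe
BugCheck 19, {20, 8b370ef0, 8b370f08, a030015}
Probably caused by : memory_corruption ( nt!MiInsertImageSectionObject+b5 )
PROCESS_NAME: System
IMAGE_NAME: memory_corruption
"""

def parse_dump(text):
    """Extract the triage-relevant fields from one WinDbg analysis transcript."""
    bug = re.search(r"^BugCheck ([0-9A-Fa-f]+), \{([^}]*)\}", text, re.M)
    if bug is None:
        raise ValueError("no BugCheck line found")
    cause = re.search(r"^Probably caused by : (\S+) \( (\S+) \)", text, re.M)

    def field(name):
        hit = re.search(rf"^{name}:\s*(\S.*)$", text, re.M)
        return hit.group(1).strip() if hit else None

    return {
        "code": int(bug.group(1), 16),  # WinDbg prints bugcheck codes in hex
        "args": [int(a.strip(), 16) for a in bug.group(2).split(",")],
        "blamed": cause.group(1) if cause else None,
        "symbol": cause.group(2) if cause else None,
        "process": field("PROCESS_NAME"),
        "image": field("IMAGE_NAME"),
        # False when the debugger could not check ntkrnlpa.exe against its symbols.
        "symbols_verified": "Unable to verify timestamp" not in text,
    }

def summarize(dumps):
    """Compare several crashes: what varies and what stays constant."""
    parsed = [parse_dump(d) for d in dumps]
    return {
        "codes": sorted({p["code"] for p in parsed}),
        "processes": sorted({p["process"] for p in parsed}),
        "blamed": sorted({p["blamed"] for p in parsed}),
        "symbols_verified": all(p["symbols_verified"] for p in parsed),
    }

if __name__ == "__main__":
    print(summarize([DUMP_2012_11_09, DUMP_2012_10_26]))
```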