Analyzing a blue screen (BSOD) with WinDbg.
1. Get the kernel dump file
First: (If you cannot find this value, please create one under this path with the value set to 1)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl
REG_DWORD: AlwaysKeepMemoryDump
Value: 1
Second:
2. Debugging commands
============================================================
3: kd> vertarget
Windows 8 Kernel Version 14393 MP (4 procs) Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS Personal
Built by: 14393.1066.x86fre.rs1_release_sec.170327-1835
Machine Name:
Kernel base = 0x81a7f000 PsLoadedModuleList = 0x81c94178
Debug session time: Fri May 5 18:40:14.550 2017 (UTC + 8:00)
System Uptime: 0 days 4:46:43.085
3: kd> kvnL
 # ChildEBP RetAddr  Args to Child
00 84fdeaf8 81c408b0 0000009f 00000003 8c6835b0 nt!KeBugCheckEx
01 84fdeb3c 81c407b5 00000000 81c91fb8 00000002 nt!PopIrpWatchdogBugcheck+0xf5 (FPO: [Non-Fpo])
02 84fdeb50 81ac8f0a 8c6a4820 8c6a47d8 fac4edc9 nt!PopIrpWatchdog+0x1d (FPO: [Non-Fpo])
03 84fdec10 81ac8ac9 84fdec68 00000000 be9786c0 nt!KiExecuteAllDpcs+0x20a (FPO: [Non-Fpo])
04 84fded44 81bbaa5c 00000000 00000000 00000000 nt!KiRetireDpcList+0xd9 (FPO: [0,69,4])
05 84fded48 00000000 00000000 00000000 00000000 nt!KiIdleLoop+0x38 (FPO: [0,0,0])
3: kd> !irp 8c4aa008
Irp is active with 12 stacks 10 is current (= 0x8c4aa1bc)
No Mdl: No System Buffer: Thread 00000000: Irp stack trace.
cmd flg cl Device File Completion-Context
[ 0,0] 0 0 00000000 00000000 00000000-00000000
Args: 00000000 00000000 00000000 00000000
[ 0,0] 0 0 00000000 00000000 00000000-00000000
Args: 00000000 00000000 00000000 00000000
[ 0,0] 0 0 00000000 00000000 00000000-00000000
Args: 00000000 00000000 00000000 00000000
[ 0,0] 0 0 00000000 00000000 00000000-00000000
Args: 00000000 00000000 00000000 00000000
[ 0,0] 0 0 00000000 00000000 00000000-00000000
Args: 00000000 00000000 00000000 00000000
[ 0,0] 0 0 00000000 00000000 00000000-00000000
Args: 00000000 00000000 00000000 00000000
[ 0, 0] 0 0 00000000 00000000 00000000-00000000
Args: 00000000 00000000 00000000 00000000
[ 0,0] 0 0 00000000 00000000 00000000-00000000
Args: 00000000 00000000 00000000 00000000
[ 0,0] 0 0 00000000 00000000 00000000-00000000
Args: 00000000 00000000 00000000 00000000
>[ 16,2] 0 e1 8c6835b0 00000000 00000000-00000000 pending
\Driver\USBXHCI
Args: 00051100 00000001 00000001 00000002
[ 16,2] 0 e1 8c67cc80 00000000 81b8df3e-8c6a47d8 Success Error Cancel pending
\Driver\USBHUB3 nt!PopRequestCompletion
Args: 00051100 00000001 00000001 00000002
[ 0,0] 0 0 00000000 00000000 00000000-8c6a47d8
Args: 00000000 00000000 00000000 00000000
The bugcheck parameter shows that a device object has been blocking an IRP for too long.
3: kd> !mex.di
Dump Name: MEMORY.DMP
Computer Name: DESKTOP-BRM22GC
Windows 10 Kernel Version 14393 MP (4 procs) Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS Personal
Built by: 14393.0.x86fre.rs1_release.160715-1616
Kernel base = 0x8167e000 PsLoadedModuleList = 0x81896158
Debug session time: Fri May 5 13:44:02.556 2017 (UTC + 8:00)
System Uptime: 0 days 1:00:02.053
SystemManufacturer = Acer
SystemProductName = One S1003
Processor: Intel(R) Atom(TM) x5-Z8350 CPU @ 1.44GHz
Bugcheck: 9F (3, FFFFFFFF84DFF030, FFFFFFFF86E5DB20, FFFFFFFF99AA9008)
Kernel Summary Dump File: Kernel address space is available, User address space may not be available.
BugCheck 9F, {3, 84dff030, 86e5db20, 99aa9008}
Probably caused by : ACPI.sys
DRIVER_POWER_STATE_FAILURE (9f)
A driver has failed to complete a power IRP within a specific time.
Arguments:
Arg1: 00000003, A device object has been blocking an Irp for too long a time
Arg2: 84dff030, Physical Device Object of the stack
Arg3: 86e5db20, nt!TRIAGE_9F_POWER on Win7 and higher, otherwise the Functional Device Object of the stack
Arg4: 99aa9008, The blocked IRP
3: kd> !mirp 99aa9008
Irp Details: 99aa9008 [ verbose | !ddt | !winde.io | !irp ]
Frame Count
===========
7
Irp Stack Frame(s)
# Driver Major Minor Dispatch Routine Flg Ctrl Status Completion Invoker(s) Device File Context Completion Routine Args
=================== ===== ===== ===================== === ==== ============================= ======== ====== =============================================== ===================================
->5 \Driver\ACPI POWER 2 ACPI!ACPIDispatchIrp 0 e1 Pending Cancel, Success, Error 84dff030 (null) 99a59a78(Devi) portcls!PowerIrpCompletionRoutine 00051100 00000001 00000001 00000002
6 \Driver\IntelSST POWER 2 portcls!DispatchPower 0 e1 Pending Cancel, Success, Error 99a599c0 (null) 99a8f208(PFXM) nt!PopRequestCompletion 00051100 00000001 00000001 00000002
3: kd> !usb3kd.usbanalyze -v
USB Bugcheck Analysis
--------------------------------------------
Analyzing BUGCHECK_9F_POWER for Win8-948631
PDO context: ffffffff8d3e8d88 (IntelSST)
Parent Devnode: ffffffff8dd93ad0 (pci)
HubPDO: ffffffff8ddb6a18
Now following AttachedDevice to get the HubFDO
AttachedDevice: ffffffff84dfa710 (DriverName: \Driver\pci)
Analyzing BUGCHECK_9F_POWER for Win8-899634
Current IRP: ffffffff99aa9008 (PowerState: DevicePowerState/PowerDeviceD0)
DeviceNode: IntelSST
Analyzing BUGCHECK_9F_POWER for HubProcessingD0_XHCIAssumingDx
could not retrieve constant name of -1925278752 in enum USBHUB3!_HSM_STATE, hr 0x80004005
Analyzing BUGCHECK_9F_POWER for 9F_POWER_HubSuspend_DeadlockOnPortDetachDevice
could not retrieve constant name of -1925278752 in enum USBHUB3!_HSM_STATE, hr 0x80004005
Analyzing BUGCHECK_9F_POWER for DisplayLinkUsbIo_x64 driver issue
Analyzing BUGCHECK_9F_POWER for client drivers holding the Power IRP
Usb3Kd Detected KNOWN_ISSUE_9F_POWER_Client_Driver_Holding_Power_IRP(ACPI) 14393
3: kd> !mirp e8134008
Irp Details: e8134008 [ verbose | !ddt | !winde.io | !irp ]
Frame Count
===========
19
Irp Stack Frame(s)
# Driver Major Minor Dispatch Routine Flg Ctrl Status Completion Invoker(s) Device File Context Completion Routine Args
==== ==================== ===== ========================= === ==== ======= ============================== ====== ============== ==================================================================
->16 \Driver\usbccgp POWER 2 usbccgp!USBC_Dispatch 0 e1 Pending Cancel, Success, Error e814a1e0 (null) hidusb!HumPowerCompletion 00051100 00000001 00000001 00000002
17 \Driver\HidUsb POWER 2 HIDCLASS!HidpMajorHandler 0 e0 None Cancel, Success, Error e81f3030 (null) e81f30e8(Devi) HIDCLASS!HidpFdoPowerCompletion 00051100 00000001 00000001 00000002
18 \Driver\HidUsb POWER 2 HIDCLASS!HidpMajorHandler 0 e1 Pending Cancel, Success, Error e81f3030 (null) 971730e8(PFXM) nt!PopRequestCompletion 00051100 00000001 00000001 00000002
IOStatus: 0xc00000bb (The request is not supported.)
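Listing the power operations in progress at the time, I found that the system was entering the S3 state.
However, this IRP sets the D0 state for a device.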
3: kd> !poaction
PopAction: 81889a40
State..........: 3 - Set System State
Updates........: 0
Action.........: Sleep
Lightest State.: Hibernate
Flags..........: 8000000c OverrideApps|Critical
Irp minor......: SetPower
System State...: Hibernate
Hiber Context..: 921f2b40
Allocated power irps (PopIrpList - 81889fc0)
IRP: ce756d50 (wait-wake/S-1), PDO: 9b1ad9a0
IRP: a14722d8 (wait-wake/S4), PDO: 9ee8bc98
IRP: 906909e8 (set/D0,), PDO: 9ee8bc98, CURRENT: 9ee8bc98
IRP: 8c7a77a8 (set/D0,), PDO: e81de030, CURRENT: e81de030
IRP: e8134008 (set/D0,), PDO: e814a1e0, CURRENT: e814a1e0
Level 3 (ba3725ec) 72/86 Paged, PnP
WaitSleep:
9c8b7664: 00000000 \Driver\usbccgp \Device\000000d8
With this command I found some threads related to the IRP.
Irp worker threads (PopIrpThreadList - 81889098)
THREAD: 897e2b00 (static)
THREAD: 897f9040 (static)
THREAD: ca172480 (dynamic)
THREAD: 9719d900 (dynamic)
THREAD: 9caf61c0 (dynamic)
THREAD: dc1ff840 (dynamic)
THREAD: d05dd040 (dynamic)
THREAD: 9c84fb40 (dynamic)
THREAD: 97158180 (dynamic)
THREAD: e0d23b40 (dynamic)
THREAD: ce6991c0 (dynamic)
THREAD: 9eebc880 (dynamic)
THREAD: 9c9a2b40 (dynamic)
THREAD: e0c2eb40 (dynamic)
THREAD: 9c816b40 (dynamic)
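The cross-check done by eye in the !poaction step above (find the blocked IRP in the allocated power IRP list, then compare its requested device state with the system power action) can be scripted over a saved debugger log. This is an added example, not part of the original post; the function names and the returned field names are assumptions made for illustration.

```python
import re

# Values are from the !poaction output above; spacing is left irregular,
# as pasted debugger logs often are, to exercise the parser.
SAMPLE = """\
PopAction: 81889a40
State..........: 3 - Set System State
Action.........: Sleep
System State...: Hibernate
Allocated power irps (PopIrpList - 81889fc0)
IRP: ce756d50 (wait-wake/S-1), PDO:9b1ad9a0
IRP: a14722d8 (wait-wake/S4), PDO:9ee8bc98
IRP: 906909e8 (set/D0,), PDO: 9ee8bc98,CURRENT: 9ee8bc98
IRP: 8c7a77a8 (set/D0,), PDO: e81de030,CURRENT: e81de030
IRP: e8134008 (set/D0,),PDO: e814a1e0, CURRENT: e814a1e0
"""

IRP_RE = re.compile(
    r"IRP:\s*([0-9a-f]{8,16})\s*\(([\w-]+)/([\w-]+),?\)\s*,\s*PDO:\s*([0-9a-f]{8,16})",
    re.IGNORECASE)
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?)\.*:\s*(.+?)\s*$")

def parse_poaction(text):
    """Split !poaction text into header fields and allocated power IRPs."""
    fields, irps = {}, []
    for line in text.splitlines():
        m = IRP_RE.search(line)
        if m:
            irps.append({"irp": m.group(1).lower(), "kind": m.group(2).lower(),
                         "state": m.group(3).upper(), "pdo": m.group(4).lower()})
            continue
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1).lower()] = m.group(2)
    return fields, irps

def triage(text, blocked_irp):
    """Describe the blocked IRP (bugcheck 0x9F Arg4); None if not listed."""
    fields, irps = parse_poaction(text)
    hit = next((i for i in irps if i["irp"] == blocked_irp.lower()), None)
    if hit is None:
        return None
    sleeping = fields.get("action", "").lower() in ("sleep", "hibernate")
    return {**hit, "action": fields.get("action"),
            "system_state": fields.get("system state"),
            "d0_request_during_sleep":
                sleeping and hit["kind"] == "set" and hit["state"] == "D0"}

if __name__ == "__main__":
    print(triage(SAMPLE, "e8134008"))
```

The PDO it returns is the address to pass to !devstack and !devobj, as in the commands that follow.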
3: kd> !mex.t 897e2b00
3: kd> !devstack e814a1e0
3: kd> !devobj e814a1e0
3: kd> !drvobj \Driver\usbccgp
3: kd> !devstack 84dff030
3: kd> !poaction
3: kd> !winde.io 99aa9008
3: kd> !amli lc