Antivirus and bluescreen - Demo72 - 02.07.2015 19:21
Dear forum members,
Details:
Laptop: ASUS N71VG Intel Core 2Duo P7450, 4GB RAM, GeForce GT 220M
System: 64-bit Win7 Home Premium with SP1 + recommended patches.
Antivirus: Arcabit Internet Security
Problem description
I don't know what is causing this, which is why I am asking you for advice on what is, or what may be, the cause of the bluescreen that appears with every attempt to run a full computer scan with the Arcabit antivirus program.
I tried to read the dump it wrote with WinDbg (X64), but I am missing symbols.
Info from the dmp file: "Symbol search path is: *** Invalid ***"
I will just add that two days ago I installed a fresh system, hoping that my problem might go away.
Unfortunately, both on the previous system (several years old, installed in 2011) and on this fresh one, every time I try to scan the system I get the same bluescreen.
Following the suggestion from the bluescreen to check the clean, previously formatted partition F, I ran chkdsk /f, but the diagnosis showed no errors (screenshot attached).
1. How do I attach (add) symbols to the system so that I can fully read the dmp file?
2. What causes the conflict and leads to the bluescreen?
I would be grateful for any hints.
Contents of the dmp file as a txt file
https://drive.google.com/file/d/0B3FL-tgGZggubUZHUjBENWF5Wk0/view?usp=sharing
bluescreen (JPG)
https://drive.google.com/file/d/0B3FL-tgGZgguZF9CcnFlYk5zTWc/view?usp=sharing
dmp file
https://drive.google.com/open?id=0B3FL-tgGZgguRFZTcFdqVllUS0U
screenshot of chkdsk /F (JPG)
https://drive.google.com/file/d/0B3FL-tgGZgguWHZxVWRJQl9DNjQ/view?usp=sharing
Gentlemen,
How do I install symbols so that I can fully read the dmp file?
Instead of editing the post I used "add reply" to bump the post.
Demo72
RE: Antivirus and bluescreen - Demo72 - 05.07.2015 16:20
I found the installer for the symbols I was looking for.
https://msdn.microsoft.com/pl-pl/windows/hardware/gg463028
After installing them I will set the symbol path in WinDbg (X64) and see what it generates.
Code:
Microsoft (R) Windows Debugger Version 6.2.9200.20512 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [G:\070215-28267-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available
Symbol search path is: F:\Symbols
Executable search path is:
Unable to load image \SystemRoot\system32\ntoskrnl.exe, Win32 error 0n2
*** WARNING: Unable to verify timestamp for ntoskrnl.exe
*** ERROR: Module load completed but symbols could not be loaded for ntoskrnl.exe
Windows 7 Kernel Version 7601 (Service Pack 1) MP (2 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS Personal
Built by: 7601.17592.amd64fre.win7sp1_gdr.110408-1631
Machine Name:
Kernel base = 0xfffff800`02c09000 PsLoadedModuleList = 0xfffff800`02e4e650
Debug session time: Thu Jul 2 18:45:22.429 2015 (UTC + 2:00)
System Uptime: 0 days 0:19:16.146
Unable to load image \SystemRoot\system32\ntoskrnl.exe, Win32 error 0n2
*** WARNING: Unable to verify timestamp for ntoskrnl.exe
*** ERROR: Module load completed but symbols could not be loaded for ntoskrnl.exe
Loading Kernel Symbols
.
Press ctrl-c (cdb, kd, ntsd) or ctrl-break (windbg) to abort symbol loads that take too long.
Run !sym noisy before .reload to track down problems loading symbols.
..............................................................
................................................................
.......................
Loading User Symbols
Loading unloaded module list
........
*** WARNING: Unable to verify timestamp for Ntfs.sys
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck 24, {1904fb, fffff88006a0e8d8, fffff88006a0e130, fffff80002f9c3fe}
*** WARNING: Unable to verify timestamp for iaStor.sys
*** ERROR: Module load completed but symbols could not be loaded for iaStor.sys
***** Kernel symbols are WRONG. Please fix symbols to do analysis.
*************************************************************************
*** ***
*** ***
*** Either you specified an unqualified symbol, or your debugger ***
*** doesn't have full symbol information. Unqualified symbol ***
*** resolution is turned off by default. Please either specify a ***
*** fully qualified symbol module!symbolname, or enable resolution ***
*** of unqualified symbols by typing ".symopt- 100". Note that ***
*** enabling unqualified symbol resolution with network symbol ***
*** server shares in the symbol path may cause the debugger to ***
*** appear to hang for long periods of time when an incorrect ***
*** symbol name is typed or the network symbol server is down. ***
*** ***
*** For some commands to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: nt!_KPRCB ***
*** ***
*************************************************************************
Probably caused by : iaStor.sys ( iaStor+4be16 )
Followup: MachineOwner
---------
RE: Antivirus and bluescreen - thermalfake - 05.07.2015 23:12
I'm worn out for today, but one thing at a time:
Quote:1. How do I attach (add) symbols to the system so that I can fully read the dmp file?
Symbols are not added or attached. You configure a folder path for symbols, which will be downloaded on the fly from the MS server during debugging. That means that if it finds new ones that don't exist on disk, it downloads them. With each debugging session there will be more and more of these symbols on disk. Every tutorial says to put the symbol path into WinDbg. That's not worth a damn, because you have to do it every time. It's better to set a system environment variable.
Variable name
_NT_SYMBOL_PATH
Value
symsrv*symsrv.dll*c:\symb*http://msdl.microsoft.com/download/symbols
Where
c:\symb is my symbols folder.
Quote:After installing them I will set the symbol path in WinDbg (X64) and see what it generates.
Useless, and besides I see that this is already a different dump, because the contents differ. The one you uploaded pointed to ntfs.sys, as far as I remember. But.... (here we get to question no. 2) this is just a debugger, and the art of debugging is hard and demands a lot of knowledge and experience with system architecture. That's why 99% of the population can't do anything beyond pressing or issuing the !analyze -v command, and on that basis they then write nonsense, such as that the cause is ntoskrnl.exe (the system kernel). So I have to dampen the optimism. Very simple errors that unambiguously reveal the cause are rare; I know, because every dmp here passes through my hands. And the one of yours that I saw is advanced stuff, and I will get to it during the week if time permits. WinDbg is an advanced tool that allows not only the analysis of memory dump files (a slice from before the BSOD appears and after) of the system kernel.
RE: Antivirus and bluescreen - Demo72 - 06.07.2015 16:17
Hello thermalfake,
Thank you very much for your interest in my problem.
Hold off on the analysis, though. I found one more, or actually two more, problems with my laptop, hardware ones.
First I have to replace the memory, then "patch up" the HDD.
Then I'll see what happens.
23:15
The disk seems OK after all. I'm replacing the memory tomorrow.
I replaced the memory. Memtest86, full cycle, everything OK.
I ran SeaTools over the hard drives and they are OK too.
I launched Arcabit and chose a full system scan. BSOD again.
Result of the latest dmp below.
Code:
Microsoft (R) Windows Debugger Version 6.2.9200.20512 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [C:\Windows\Minidump\070915-38017-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available
Symbol search path is: symsrv*symsrv.dll*c:\symb*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows 7 Kernel Version 7601 (Service Pack 1) MP (2 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS Personal
Built by: 7601.18869.amd64fre.win7sp1_gdr.150525-0603
Machine Name:
Kernel base = 0xfffff800`02e5e000 PsLoadedModuleList = 0xfffff800`030a5730
Debug session time: Thu Jul 9 00:47:17.059 2015 (UTC + 2:00)
System Uptime: 0 days 0:02:58.776
Loading Kernel Symbols
............................................................................................................................................................
Loading User Symbols
Loading unloaded module list
...
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck 1000007E, {ffffffffc0000005, fffff80002ec9530, fffff88002fd2368, fffff88002fd1bc0}
Probably caused by : fileinfo.sys ( fileinfo!FIStreamLog+1be )
Followup: MachineOwner
---------
After clicking the !analyze -v link, the following appeared.
Code:
1: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
SYSTEM_THREAD_EXCEPTION_NOT_HANDLED_M (1000007e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Some common problems are exception code 0x80000003. This means a hard
coded breakpoint or assertion was hit, but this system was booted
/NODEBUG. This is not supposed to happen as developers should never have
hardcoded breakpoints in retail code, but ...
If this happens, make sure a debugger gets connected, and the
system is booted /DEBUG. This will let us see why this breakpoint is
happening.
Arguments:
Arg1: ffffffffc0000005, The exception code that was not handled
Arg2: fffff80002ec9530, The address that the exception occurred at
Arg3: fffff88002fd2368, Exception Record Address
Arg4: fffff88002fd1bc0, Context Record Address
Debugging Details:
------------------
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - Instrukcja spod 0x%08lx odwo
FAULTING_IP:
nt!memcpy+250
fffff800`02ec9530 488b440af8 mov rax,qword ptr [rdx+rcx-8]
EXCEPTION_RECORD: fffff88002fd2368 -- (.exr 0xfffff88002fd2368)
ExceptionAddress: fffff80002ec9530 (nt!memcpy+0x0000000000000250)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 0000000000000000
Parameter[1]: ffffffffffffffff
Attempt to read from address ffffffffffffffff
CONTEXT: fffff88002fd1bc0 -- (.cxr 0xfffff88002fd1bc0)
rax=fffffa8004b76ba0 rbx=fffff88002fd2801 rcx=fffffa8004b76c08
rdx=006505edfbb194b9 rsi=0000000000000001 rdi=0000000000000060
rip=fffff80002ec9530 rsp=fffff88002fd25a8 rbp=0000000000000002
r8=0000000000000060 r9=0000000000000003 r10=0000000000401802
r11=fffffa8004b76ba8 r12=fffffa800472f440 r13=fffffa8004b76ba8
r14=fffff80002e5e000 r15=fffff88002fd2698
iopl=0 nv up ei ng nz na po cy
cs=0010 ss=0000 ds=002b es=002b fs=0053 gs=002b efl=00010287
nt!memcpy+0x250:
fffff800`02ec9530 488b440af8 mov rax,qword ptr [rdx+rcx-8] ds:002b:0065006e`006900b9=???
Resetting default scope
CUSTOMER_CRASH_COUNT: 1
DEFAULT_BUCKET_ID: WIN7_DRIVER_FAULT
PROCESS_NAME: System
CURRENT_IRQL: 0
ERROR_CODE: (NTSTATUS) 0xc0000005 - Instrukcja spod 0x%08lx odwo
EXCEPTION_PARAMETER1: 0000000000000000
EXCEPTION_PARAMETER2: ffffffffffffffff
READ_ADDRESS: GetPointerFromAddress: unable to read from fffff8000310f100
GetUlongFromAddress: unable to read from fffff8000310f1c0
ffffffffffffffff
FOLLOWUP_IP:
fileinfo!FIStreamLog+1be
fffff880`0106b692 4c8d9c24c0000000 lea r11,[rsp+0C0h]
BUGCHECK_STR: 0x7E
LAST_CONTROL_TRANSFER: from fffff80002fbdb24 to fffff80002ec9530
STACK_TEXT:
fffff880`02fd25a8 fffff800`02fbdb24 : fffff800`00020000 fffff880`02fd2801 fffff8a0`03424670 fffff880`02fd25e8 : nt!memcpy+0x250
fffff880`02fd25b0 fffff800`02fd067f : fffff880`02fd2800 00000000`00000000 fffffa80`00000002 fffff880`02fd2850 : nt!EtwpLogKernelEvent+0x2a4
fffff880`02fd2650 fffff880`0106b692 : 00000000`00000000 fffffa80`0ab72af0 fffff880`02fd2800 00000000`00000000 : nt!EtwpTraceFileName+0x15f
fffff880`02fd26e0 fffff880`0106c43b : fffff8a0`00000030 fffff8a0`03a8d4b0 00000000`00000002 fffffa80`04e14c00 : fileinfo!FIStreamLog+0x1be
fffff880`02fd27b0 fffff880`01069563 : fffffa80`0ab72af0 fffffa80`0ab72af0 fffffa80`0ab72a0c fffffa80`0ab72af0 : fileinfo!FIEnumerate+0x117
fffff880`02fd2830 fffff880`0106960b : fffff8a0`0e8329d0 fffff880`02fd29c0 00000000`00000000 fffff880`02fd29c0 : fileinfo!FIControlDispatchSystemControl+0x73
fffff880`02fd2870 fffff800`03168e68 : fffffa80`047279c0 fffffa80`0ab72a0c fffffa80`0ab72af0 fffffa80`0ab72a0c : fileinfo!FIControlDispatch+0x4b
fffff880`02fd28b0 fffff800`032a32b6 : 00000000`0000000c 00000000`0000000c 00000000`00000001 fffffa80`0ab72af0 : nt!WmipForwardWmiIrp+0x16c
fffff880`02fd2930 fffff800`032a3ddb : fffff880`02fd2a98 fffffa80`0472f601 00000000`0000000c 00000000`00000000 : nt!WmipSendWmiIrpToTraceDeviceList+0xe6
fffff880`02fd2990 fffff800`032b0c54 : fffffa80`0472f400 00000000`00000001 fffff8a0`0e8329d0 fffffa80`0472f440 : nt!WmiTraceRundownNotify+0x6b
fffff880`02fd29e0 fffff800`03323fac : 00000000`00401802 fffffa80`0472f6e8 fffffa80`0472f440 fffff800`02eed832 : nt!EtwpKernelTraceRundown+0xc4
fffff880`02fd2a10 fffff800`033240af : fffffa80`0472f440 00000000`00000002 fffff8a0`03e398d0 fffffa80`0472f400 : nt!EtwpUpdateLoggerGroupMasks+0x22c
fffff880`02fd2b10 fffff800`0312d3d9 : 00000000`00000000 fffff8a0`03e398d0 00000000`00000000 fffff800`02ee68e6 : nt!EtwpStopLoggerInstance+0x4f
fffff880`02fd2b50 fffff800`03174973 : 00000000`00000000 00000000`00000001 fffffa80`0472f440 ffffffff`88ca6c00 : nt!EtwpStopTrace+0x129
fffff880`02fd2bc0 fffff800`0334c695 : ffffffff`ffffffff 00000000`00000001 ffffffff`000000b4 fffff800`030857c8 : nt!NtTraceControl+0x263
fffff880`02fd2c30 fffff800`02edc4b5 : fffff800`0307c200 fffff800`0334c4d0 fffff800`0307c2d8 fffffa80`03ce5660 : nt!PerfDiagpProxyWorker+0x1c5
fffff880`02fd2c70 fffff800`0316c456 : 00000000`00000000 fffffa80`03ce5660 00000000`00000080 fffffa80`03cd2870 : nt!ExpWorkerThread+0x111
fffff880`02fd2d00 fffff800`02ec42c6 : fffff880`009e7180 fffffa80`03ce5660 fffff880`009f1f40 00000000`00000000 : nt!PspSystemThreadStartup+0x5a
fffff880`02fd2d40 00000000`00000000 : fffff880`02fd3000 fffff880`02fcd000 fffff880`02fd21b0 00000000`00000000 : nt!KxStartSystemThread+0x16
SYMBOL_STACK_INDEX: 3
SYMBOL_NAME: fileinfo!FIStreamLog+1be
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: fileinfo
IMAGE_NAME: fileinfo.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 4a5bc481
STACK_COMMAND: .cxr 0xfffff88002fd1bc0 ; kb
FAILURE_BUCKET_ID: X64_0x7E_fileinfo!FIStreamLog+1be
BUCKET_ID: X64_0x7E_fileinfo!FIStreamLog+1be
Followup: MachineOwner
---------
RE: Antivirus and bluescreen - Demo72 - 10.07.2015 08:34
Today I tried scanning a single folder. It ended in another BSOD.
Code:
Microsoft (R) Windows Debugger Version 6.2.9200.20512 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [C:\Windows\Minidump\071015-34788-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available
Symbol search path is: symsrv*symsrv.dll*c:\symb*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows 7 Kernel Version 7601 (Service Pack 1) MP (2 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS Personal
Built by: 7601.18869.amd64fre.win7sp1_gdr.150525-0603
Machine Name:
Kernel base = 0xfffff800`02e0b000 PsLoadedModuleList = 0xfffff800`03052730
Debug session time: Fri Jul 10 09:23:20.738 2015 (UTC + 2:00)
System Uptime: 0 days 8:53:43.455
Loading Kernel Symbols
...............................................................
Loading User Symbols
Loading unloaded module list
.....................
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck BE, {fffff8a006dfb000, 199e2820, fffff88009fa74b0, e}
*** WARNING: Unable to verify timestamp for AsDsm.sys
*** ERROR: Module load completed but symbols could not be loaded for AsDsm.sys
Probably caused by : AsDsm.sys ( AsDsm+23d2 )
Followup: MachineOwner
---------
1: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
ATTEMPTED_WRITE_TO_READONLY_MEMORY (be)
An attempt was made to write to readonly memory. The guilty driver is on the
stack trace (and is typically the current instruction pointer).
When possible, the guilty driver's name (Unicode string) is printed on
the bugcheck screen and saved in KiBugCheckDriver.
Arguments:
Arg1: fffff8a006dfb000, Virtual address for the attempted write.
Arg2: 00000000199e2820, PTE contents.
Arg3: fffff88009fa74b0, (reserved)
Arg4: 000000000000000e, (reserved)
Debugging Details:
------------------
CUSTOMER_CRASH_COUNT: 1
DEFAULT_BUCKET_ID: WIN7_DRIVER_FAULT
BUGCHECK_STR: 0xBE
PROCESS_NAME: ArcaMainSV.exe
CURRENT_IRQL: 0
TRAP_FRAME: fffff88009fa74b0 -- (.trap 0xfffff88009fa74b0)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=006b00530020002d rbx=0000000000000000 rcx=fffff8a006dfb010
rdx=000001dffd4b58e4 rsi=0000000000000000 rdi=0000000000000000
rip=fffff880011d63d2 rsp=fffff88009fa7648 rbp=fffffa80042af014
r8=000000000000190e r9=0000000000000001 r10=0077006f006e0061
r11=fffff8a006df9730 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei pl nz na pe nc
AsDsm+0x23d2:
fffff880`011d63d2 ??
Resetting default scope
LAST_CONTROL_TRANSFER: from fffff80002e1a689 to fffff80002e7f8c0
STACK_TEXT:
fffff880`09fa7348 fffff800`02e1a689 : 00000000`000000be fffff8a0`06dfb000 00000000`199e2820 fffff880`09fa74b0 : nt!KeBugCheckEx
fffff880`09fa7350 fffff800`02e7d9ee : 00000000`00000001 fffff8a0`06dfb000 00000000`00000000 fffff8a0`1164e1f0 : nt! ?? ::FNODOBFM::`string'+0x4184f
fffff880`09fa74b0 fffff880`011d63d2 : fffff880`011d5724 fffffa80`04c9eea0 fffff8a0`1164e1f0 fffffa80`04fc88c0 : nt!KiPageFault+0x16e
fffff880`09fa7648 fffff880`011d5724 : fffffa80`04c9eea0 fffff8a0`1164e1f0 fffffa80`04fc88c0 fffff8a0`1164e1f0 : AsDsm+0x23d2
fffff880`09fa7650 fffffa80`04c9eea0 : fffff8a0`1164e1f0 fffffa80`04fc88c0 fffff8a0`1164e1f0 fffff880`011d8140 : AsDsm+0x1724
fffff880`09fa7658 fffff8a0`1164e1f0 : fffffa80`04fc88c0 fffff8a0`1164e1f0 fffff880`011d8140 fffff880`09fa76b0 : 0xfffffa80`04c9eea0
fffff880`09fa7660 fffffa80`04fc88c0 : fffff8a0`1164e1f0 fffff880`011d8140 fffff880`09fa76b0 fffff880`011d81c0 : 0xfffff8a0`1164e1f0
fffff880`09fa7668 fffff8a0`1164e1f0 : fffff880`011d8140 fffff880`09fa76b0 fffff880`011d81c0 fffffa80`04c9eea0 : 0xfffffa80`04fc88c0
fffff880`09fa7670 fffff880`011d8140 : fffff880`09fa76b0 fffff880`011d81c0 fffffa80`04c9eea0 fffffa80`045ade60 : 0xfffff8a0`1164e1f0
fffff880`09fa7678 fffff880`09fa76b0 : fffff880`011d81c0 fffffa80`04c9eea0 fffffa80`045ade60 fffffa80`04fc88c0 : AsDsm+0x4140
fffff880`09fa7680 fffff880`011d81c0 : fffffa80`04c9eea0 fffffa80`045ade60 fffffa80`04fc88c0 fffffa80`04fc8a10 : 0xfffff880`09fa76b0
fffff880`09fa7688 fffffa80`04c9eea0 : fffffa80`045ade60 fffffa80`04fc88c0 fffffa80`04fc8a10 fffff880`011db9ff : AsDsm+0x41c0
fffff880`09fa7690 fffffa80`045ade60 : fffffa80`04fc88c0 fffffa80`04fc8a10 fffff880`011db9ff fffff8a0`1164e101 : 0xfffffa80`04c9eea0
fffff880`09fa7698 fffffa80`04fc88c0 : fffffa80`04fc8a10 fffff880`011db9ff fffff8a0`1164e101 fffffa80`06137260 : 0xfffffa80`045ade60
fffff880`09fa76a0 fffffa80`04fc8a10 : fffff880`011db9ff fffff8a0`1164e101 fffffa80`06137260 fffffa80`06137690 : 0xfffffa80`04fc88c0
fffff880`09fa76a8 fffff880`011db9ff : fffff8a0`1164e101 fffffa80`06137260 fffffa80`06137690 fffff8a0`06df9730 : 0xfffffa80`04fc8a10
fffff880`09fa76b0 fffff8a0`1164e101 : fffffa80`06137260 fffffa80`06137690 fffff8a0`06df9730 fffff880`09fa7710 : AsDsm+0x79ff
fffff880`09fa76b8 fffffa80`06137260 : fffffa80`06137690 fffff8a0`06df9730 fffff880`09fa7710 fffff800`02e9667f : 0xfffff8a0`1164e101
fffff880`09fa76c0 fffffa80`06137690 : fffff8a0`06df9730 fffff880`09fa7710 fffff800`02e9667f 00000000`00000000 : 0xfffffa80`06137260
fffff880`09fa76c8 fffff8a0`06df9730 : fffff880`09fa7710 fffff800`02e9667f 00000000`00000000 fffffa80`06137260 : 0xfffffa80`06137690
fffff880`09fa76d0 fffff880`09fa7710 : fffff800`02e9667f 00000000`00000000 fffffa80`06137260 fffffa80`0bd721e0 : 0xfffff8a0`06df9730
fffff880`09fa76d8 fffff800`02e9667f : 00000000`00000000 fffffa80`06137260 fffffa80`0bd721e0 fffffa80`045adef8 : 0xfffff880`09fa7710
fffff880`09fa76e0 fffff800`0317db4b : 00000000`00001568 00000000`00000005 00000000`00000040 fffffa80`045adef8 : nt!RtlCopyUnicodeString+0x3f
fffff880`09fa7710 fffff800`03179b5e : fffffa80`04ca19d0 00000000`00000000 fffffa80`0b23db10 00000000`00000001 : nt!IopParseDevice+0x14e2
fffff880`09fa7870 fffff800`0317a646 : 00000000`00000000 fffff880`09fa79f0 00000000`00000040 fffffa80`03ce08a0 : nt!ObpLookupObjectName+0x784
fffff880`09fa7970 fffff800`0317bf4c : fffffa80`04a81060 00000000`00000000 fffffa80`04a81001 ffffffff`ffffffff : nt!ObOpenObjectByName+0x306
fffff880`09fa7a40 fffff800`03187574 : 00000000`0449db18 fffff8a0`80100080 00000000`0449db68 00000000`0449db28 : nt!IopCreateFile+0x2bc
fffff880`09fa7ae0 fffff800`02e7eb53 : ffffffff`ffffffff 0000007f`ffffffff fffffa80`00000000 00000980`00000000 : nt!NtCreateFile+0x78
fffff880`09fa7b70 00000000`77c3e10a : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13
00000000`0449da98 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x77c3e10a
STACK_COMMAND: kb
FOLLOWUP_IP:
AsDsm+23d2
fffff880`011d63d2 ??
SYMBOL_STACK_INDEX: 3
SYMBOL_NAME: AsDsm+23d2
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: AsDsm
IMAGE_NAME: AsDsm.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 49950fc2
FAILURE_BUCKET_ID: X64_0xBE_AsDsm+23d2
BUCKET_ID: X64_0xBE_AsDsm+23d2
Followup: MachineOwner
---------
BSOD problem solved.
The last dmp file (AsDsm.sys) and the article at
http://support.kaspersky.com/pl/7123 gave me the idea, since I once had Kaspersky and the same problem.
The problem was the installed ASUS Data Security Manager.
After uninstalling it, Arcabit works without problems and no longer causes a BSOD.
Regards,
Demo72
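Added example, not from the thread or from any of the posters: a small Python triage script that pulls the fields a first-pass BSOD review needs out of pasted WinDbg output like the three dumps above, and flags when the "Probably caused by" line cannot be trusted because kernel symbols did not load (the point thermalfake makes about !analyze -v). The three sample excerpts are constructed from lines that appear in this thread, cut down to what the parser reads; BUGCHECK_NAMES holds the documented Windows names for the codes seen here.

```python
"""Triage of WinDbg minidump output like the pastes in this thread (added example).

The excerpts below are constructed from lines in the posts above (dump names,
BugCheck lines, 'Probably caused by' lines) and contain only what the parser needs.
"""
import re
from dataclasses import dataclass, field

# Documented Windows names for the bugcheck codes that appear in this thread.
BUGCHECK_NAMES = {
    0x24: "NTFS_FILE_SYSTEM",
    0x7E: "SYSTEM_THREAD_EXCEPTION_NOT_HANDLED",
    0xBE: "ATTEMPTED_WRITE_TO_READONLY_MEMORY",
}

SAMPLE_NTFS = """Loading Dump File [G:\\070215-28267-01.dmp]
Symbol search path is: F:\\Symbols
*** ERROR: Module load completed but symbols could not be loaded for ntoskrnl.exe
BugCheck 24, {1904fb, fffff88006a0e8d8, fffff88006a0e130, fffff80002f9c3fe}
*** ERROR: Module load completed but symbols could not be loaded for iaStor.sys
***** Kernel symbols are WRONG. Please fix symbols to do analysis.
Probably caused by : iaStor.sys ( iaStor+4be16 )
"""

SAMPLE_FILEINFO = """Loading Dump File [C:\\Windows\\Minidump\\070915-38017-01.dmp]
BugCheck 1000007E, {ffffffffc0000005, fffff80002ec9530, fffff88002fd2368, fffff88002fd1bc0}
Probably caused by : fileinfo.sys ( fileinfo!FIStreamLog+1be )
PROCESS_NAME:  System
IMAGE_NAME:  fileinfo.sys
"""

SAMPLE_ASDSM = """Loading Dump File [C:\\Windows\\Minidump\\071015-34788-01.dmp]
BugCheck BE, {fffff8a006dfb000, 199e2820, fffff88009fa74b0, e}
*** ERROR: Module load completed but symbols could not be loaded for AsDsm.sys
Probably caused by : AsDsm.sys ( AsDsm+23d2 )
PROCESS_NAME:  ArcaMainSV.exe
IMAGE_NAME:  AsDsm.sys
"""


@dataclass
class Triage:
    dump_file: str = ""
    bugcheck: int = 0
    bugcheck_name: str = "UNKNOWN"
    args: list = field(default_factory=list)
    culprit_image: str = ""      # module WinDbg blames in "Probably caused by"
    culprit_symbol: str = ""     # module!function+off, or module+off without symbols
    process_name: str = ""
    kernel_symbols_ok: bool = True
    unsymbolized: list = field(default_factory=list)
    verdict: str = ""


_DUMP = re.compile(r"Loading Dump File \[(.+?)\]")
_BUGCHECK = re.compile(r"^BugCheck\s+([0-9A-Fa-f]+),\s*\{([^}]*)\}", re.M)
_CAUSE = re.compile(r"Probably caused by\s*:\s*(\S+)\s*\(\s*([^)]+?)\s*\)")
_PROCESS = re.compile(r"^PROCESS_NAME:\s*(\S+)", re.M)
_NOSYM = re.compile(r"symbols could not be loaded for (\S+)")


def parse_triage(text: str) -> Triage:
    """Extract the fields a first-pass BSOD triage needs from raw WinDbg output."""
    t = Triage()
    if m := _DUMP.search(text):
        t.dump_file = m.group(1)
    if m := _BUGCHECK.search(text):
        t.bugcheck = int(m.group(1), 16)
        t.args = [a.strip() for a in m.group(2).split(",")]
        # 0x1000007E is the minidump ("_M") form of 0x7E; strip that flag nibble.
        t.bugcheck_name = BUGCHECK_NAMES.get(t.bugcheck & 0x0FFFFFFF, "UNKNOWN")
    if m := _CAUSE.search(text):
        t.culprit_image, t.culprit_symbol = m.group(1), m.group(2)
    if m := _PROCESS.search(text):
        t.process_name = m.group(1)
    t.unsymbolized = sorted(set(_NOSYM.findall(text)))
    # Without kernel symbols every nt! frame is a guess and the bucket is meaningless.
    t.kernel_symbols_ok = ("Kernel symbols are WRONG" not in text
                           and "ntoskrnl.exe" not in t.unsymbolized)
    t.verdict = _verdict(t)
    return t


def _verdict(t: Triage) -> str:
    if not t.kernel_symbols_ok:
        return "unreliable: kernel symbols missing, fix _NT_SYMBOL_PATH and reload"
    if "!" in t.culprit_symbol:
        # A resolved Microsoft frame (fileinfo.sys here) is often the victim; read the stack.
        return f"resolved: {t.culprit_symbol} is on the stack, check who called it"
    if t.culprit_image in t.unsymbolized:
        # Third-party driver without public symbols: module+offset is still a solid lead.
        return f"third-party: {t.culprit_image} has no symbols, identify its vendor and update or remove it"
    return "inconclusive"


def triage_all() -> dict:
    """Run the parser over the three constructed excerpts, keyed by a short label."""
    samples = [("ntfs", SAMPLE_NTFS), ("fileinfo", SAMPLE_FILEINFO), ("asdsm", SAMPLE_ASDSM)]
    return {name: parse_triage(text) for name, text in samples}


if __name__ == "__main__":
    for name, t in triage_all().items():
        print(f"{name}: 0x{t.bugcheck:X} {t.bugcheck_name} proc={t.process_name or '?'} "
              f"-> {t.culprit_image} [{t.verdict}]")
```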