I have been getting frequent blue screens lately. Analyzing the dump file gives the following result:
Microsoft (R) Windows Debugger Version 6.9.0003.113 X86
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [C:\WINDOWS\Minidump\Mini052408-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available
Symbol search path is: C:\WINDOWS\Symbols
Executable search path is:
Unable to load image ntoskrnl.exe, Win32 error 0n2
*** WARNING: Unable to verify timestamp for ntoskrnl.exe
Windows Server 2003 Kernel Version 3790 (Service Pack 2) UP Free x86 compatible
Product: Server, suite: Enterprise TerminalServer SingleUserTS
Kernel base = 0x80800000 PsLoadedModuleList = 0x808a8e48
Debug session time: Sat May 24 18:41:28.146 2008 (GMT+8)
System Uptime: 0 days 1:24:13.756
Unable to load image ntoskrnl.exe, Win32 error 0n2
*** WARNING: Unable to verify timestamp for ntoskrnl.exe
Loading Kernel Symbols
.............................................................................................................................
Loading User Symbols
Loading unloaded module list
............
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck 1000000A, {4, 2, 0, 8083e3cc}
Probably caused by : memory_corruption ( nt!MiRemovePageByColor+7e )
Followup: MachineOwner
---------
kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.
Arguments:
Arg1: 00000004, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000000, bitfield :
bit 0 : value 0 = read operation, 1 = write operation
bit 3 : value 0 = not an execute operation, 1 = execute operation (only on chips which support this level of status)
Arg4: 8083e3cc, address which referenced memory
Debugging Details:
------------------
READ_ADDRESS: 00000004
CURRENT_IRQL: 2
FAULTING_IP:
nt!MiRemovePageByColor+7e
8083e3cc 8b4a04 mov ecx,dword ptr [edx+4]
CUSTOMER_CRASH_COUNT: 1
DEFAULT_BUCKET_ID: DRIVER_FAULT_SERVER_MINIDUMP
BUGCHECK_STR: 0xA
PROCESS_NAME: RavMonD.exe
LAST_CONTROL_TRANSFER: from 80845d3c to 8083e3cc
STACK_TEXT:
f60ebd10 80845d3c 0686a000 06540f78 00000000 nt!MiRemovePageByColor+0x7e
f60ebd4c 808264ca 00000001 0686a000 00000001 nt!MmAccessFault+0xbdb
f60ebd4c 05ddc749 00000001 0686a000 00000001 nt!KiTrap0E+0x118
WARNING: Frame IP not in any known module. Following frames may be wrong.
00000000 00000000 00000000 00000000 00000000 0x5ddc749
STACK_COMMAND: kb
FOLLOWUP_IP:
nt!MiRemovePageByColor+7e
8083e3cc 8b4a04 mov ecx,dword ptr [edx+4]
SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: nt!MiRemovePageByColor+7e
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: nt
DEBUG_FLR_IMAGE_TIMESTAMP: 45ec146a
IMAGE_NAME: memory_corruption
FAILURE_BUCKET_ID: 0xA_nt!MiRemovePageByColor+7e
BUCKET_ID: 0xA_nt!MiRemovePageByColor+7e
Followup: MachineOwner
---------