Every so often a computer 'with problems' ends up on my desk. Today a short case history of a laptop with a recurring BSOD, and since stories of this kind are fairly common, a few words about what can be learned from them.
We start by loading the deceased into WinDbg and running the basic analysis.
0: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
SYSTEM_THREAD_EXCEPTION_NOT_HANDLED (7e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Arguments:
Arg1: ffffffffc0000005, The exception code that was not handled
Arg2: fffff80003083bb6, The address that the exception occurred at
Arg3: fffff88003baef78, Exception Record Address
Arg4: fffff88003bae7d0, Context Record Address
Debugging Details:
------------------
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - Instrukcja spod 0x%08lx odwo
FAULTING_IP:
nt!KeSetEvent+16
fffff800`03083bb6 f6037f test byte ptr [rbx],7Fh
EXCEPTION_RECORD: fffff88003baef78 -- (.exr 0xfffff88003baef78)
ExceptionAddress: fffff80003083bb6 (nt!KeSetEvent+0x0000000000000016)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 0000000000000000
Parameter[1]: 0000000000000038
Attempt to read from address 0000000000000038
CONTEXT: fffff88003bae7d0 -- (.cxr 0xfffff88003bae7d0)
rax=0000000000000000 rbx=0000000000000038 rcx=0000000000000001
rdx=0000000000000000 rsi=fffffa80042df480 rdi=fffffa8003d575b0
rip=fffff80003083bb6 rsp=fffff88003baf1b0 rbp=fffffa8007850960
r8=0000000000000000 r9=000000000000000f r10=fffffa80039dce80
r11=fffffa8003a03040 r12=fffffa800a4ad520 r13=fffffa800686de18
r14=fffffa8003d57460 r15=0000000000000000
iopl=0 nv up ei ng nz na pe nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00010282
nt!KeSetEvent+0x16:
fffff800`03083bb6 f6037f test byte ptr [rbx],7Fh ds:002b:00000000`00000038=??
Resetting default scope
PROCESS_NAME: System
CURRENT_IRQL: 0
ERROR_CODE: (NTSTATUS) 0xc0000005 - Instrukcja spod 0x%08lx odwo
EXCEPTION_PARAMETER1: 0000000000000000
EXCEPTION_PARAMETER2: 0000000000000038
READ_ADDRESS: 0000000000000038
FOLLOWUP_IP:
nusb3hub+74a7
fffff880`04da14a7 e9d2000000 jmp nusb3hub+0x757e (fffff880`04da157e)
BUGCHECK_STR: 0x7E
DEFAULT_BUCKET_ID: NULL_CLASS_PTR_DEREFERENCE
LOCK_ADDRESS: fffff8000327eb80 -- (!locks fffff8000327eb80)
Resource @ nt!PiEngineLock (0xfffff8000327eb80) Exclusively owned
Contention Count = 12
Threads: fffffa8003a03040-01<*>
1 total locks, 1 locks currently held
PNP_TRIAGE:
Lock address : 0xfffff8000327eb80
Thread Count : 1
Thread address: 0xfffffa8003a03040
Thread wait : 0x2ba7
LAST_CONTROL_TRANSFER: from fffff800033ecf44 to fffff8000307fc40
STACK_TEXT:
fffff880`03baf1b0 fffff880`04da14a7 : fffff880`03baf378 00000000`00000000 00000000`00000000 fffffa80`03d57460 : nt!KeSetEvent+0x16
fffff880`03baf220 fffff880`04d9be0b : fffffa80`03d575b0 fffffa80`03d57460 fffffa80`042df480 fffffa80`042df480 : nusb3hub+0x74a7
fffff880`03baf250 fffff880`04d9b1cb : fffffa80`03d575b0 00000000`00000000 fffff8a0`01afcb00 fffffa80`00780078 : nusb3hub+0x1e0b
fffff880`03baf280 fffff880`04d9b137 : 00000000`00000000 fffffa80`03d57460 fffffa80`0686de18 fffffa80`03d57460 : nusb3hub+0x11cb
fffff880`03baf2b0 fffff880`036adf53 : fffffa80`03d57460 fffffa80`03d57460 00000000`00000000 fffff800`032ef328 : nusb3hub+0x1137
fffff880`03baf2e0 fffff880`036ae1ef : fffffa80`03d57460 00000000`004e004c fffff880`03baf3d0 00000000`00180018 : klfltdev+0x7f53
fffff880`03baf370 fffff880`036addb9 : 00000000`00000078 fffff8a0`0c3e0a50 fffff8a0`0c3e0a50 00000000`000007ff : klfltdev+0x81ef
fffff880`03baf460 fffff880`036b34d6 : 00000000`00000000 00000000`00010110 ffff0000`092f49c7 00000000`00000018 : klfltdev+0x7db9
fffff880`03baf520 fffff800`0317be06 : fffffa80`06a12060 fffff880`0a95b6d8 fffffa80`0686dc80 fffffa80`0686ddd0 : klfltdev+0xd4d6
fffff880`03baf5a0 fffff800`03462fe5 : 00000000`00000000 fffffa80`06a12060 00000000`00000004 fffffa80`03c06970 : nt!PpvUtilCallAddDevice+0x36
fffff880`03baf5e0 fffff800`0346a511 : fffffa80`069fba10 fffffa80`03c06970 fffff8a0`01a191c0 fffff8a0`01a191c0 : nt!PnpCallAddDevice+0xd5
fffff880`03baf660 fffff800`0346baa2 : fffffa80`03c06970 fffffa80`03c06970 00000000`00000000 fffffa80`03d57460 : nt!PipCallDriverAddDevice+0x661
fffff880`03baf810 fffff800`0346c018 : fffff800`0327c500 00000000`00000000 00000000`00000001 fffff800`032e9814 : nt!PipProcessDevNodeTree+0x2b2
fffff880`03bafa80 fffff800`0317c8e7 : 00000001`00000003 00000000`00000000 00000000`00000001 00000000`00000000 : nt!PiProcessReenumeration+0x98
fffff880`03bafad0 fffff800`0308a001 : fffff800`0317c5c0 fffff800`03376901 fffffa80`03a03000 fffffa80`03a03040 : nt!PnpDeviceActionWorker+0x327
fffff880`03bafb70 fffff800`0331afee : 00000000`00000000 fffffa80`03a03040 00000000`00000080 fffffa80`03967890 : nt!ExpWorkerThread+0x111
fffff880`03bafc00 fffff800`030715e6 : fffff880`039d7180 fffffa80`03a03040 fffff880`039e1fc0 00000000`00000000 : nt!PspSystemThreadStartup+0x5a
fffff880`03bafc40 00000000`00000000 : fffff880`03bb0000 fffff880`03baa000 fffff880`03bad950 00000000`00000000 : nt!KiStartSystemThread+0x16
SYMBOL_STACK_INDEX: 1
SYMBOL_NAME: nusb3hub+74a7
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: nusb3hub
IMAGE_NAME: nusb3hub.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 4d01b19b
STACK_COMMAND: .cxr 0xfffff88003bae7d0 ; kb
FAILURE_BUCKET_ID: X64_0x7E_nusb3hub+74a7
BUCKET_ID: X64_0x7E_nusb3hub+74a7
Followup: MachineOwner
---------
OK, so it looks like the BSOD happened at the moment some device was being plugged into a USB (USB3) port. Let's try to find that device. First, though, let's explain a few places.
In the dump above, in the fragment containing the call stack, I highlighted the frames from nusb3hub in brown and those from klfltdev in orange. We quickly check that
0: kd> lmvm klfltdev
start end module name
fffff880`036a6000 fffff880`036b9000 klfltdev (no symbols)
Loaded symbol image file: klfltdev.sys
Image path: \SystemRoot\system32\DRIVERS\klfltdev.sys
Image name: klfltdev.sys
Timestamp: Wed Aug 31 16:04:34 2011 (4E5E3F72)
CheckSum: 0001AEBC
ImageSize: 00013000
File version: 8.9.1.17
Product version: 8.9.1.17
File flags: 0 (Mask 3F)
File OS: 40004 NT Win32
File type: 3.7 Driver
File date: 00000000.00000000
Translations: 0409.04b0
CompanyName: Kaspersky Lab
ProductName: Kaspersky™ Anti-Virus ®
InternalName: KLFLTDEV
OriginalFilename: KLFLTDEV
ProductVersion: 8.9.1.17
FileVersion: 8.9.1.17 built by: WinDDK
FileDescription: Klfltdev Pnp device filter [fre_wlh_AMD64]
LegalCopyright: Copyright © Kaspersky Lab 1996-2011.
is a filter driver from the (somewhat dated) Kaspersky antivirus package (if there is interest, I will write something some day about upper and lower driver filters), while nusb3hub is:
0: kd> lmvm nusb3hub
start end module name
fffff880`04d9a000 fffff880`04db3000 nusb3hub (no symbols)
Loaded symbol image file: nusb3hub.sys
Image path: \SystemRoot\system32\DRIVERS\nusb3hub.sys
Image name: nusb3hub.sys
Timestamp: Fri Dec 10 05:50:35 2010 (4D01B19B)
CheckSum: 00021D4F
ImageSize: 00019000
Translations: 0000.04b0 0000.04e4 0409.04b0 0409.04e4
so everything is clear here too :). No? Then we can always dump the module header (!dh) or the whole module (db fffff880`04d9a000 19000) and look for more information in the module itself.
Next, I marked in light green the address of the object representing the device (_DEVICE_OBJECT), and in 'aquamarine' the address of the object representing the device node (_DEVICE_NODE).
We dump the device stack for the device object:
0: kd> !devstack fffffa80`03d57460
!DevObj !DrvObj !DevExt ObjectName
fffffa80069fba10 \Driver\USBSTOR fffffa80069fbb60 00000097
> fffffa8003d57460 \Driver\nusb3hub fffffa8003d575b0 00000096
!DevNode fffffa8003c06970 :
DeviceInst is "USB\VID_19D2&PID_2004\MF60__ZTED010000"
ServiceName is "USBSTOR"
and then for the device itself:
0: kd> !devobj fffffa80`03d57460
Device object (fffffa8003d57460) is for:
00000096 \Driver\nusb3hub DriverObject fffffa80078561b0
Current Irp 00000000 RefCount 0 Type 00000022 Flags 00003040
Dacl fffff9a10009a731 DevExt fffffa8003d575b0 DevObjExt fffffa8003d577a0 DevNode fffffa8003c06970
ExtensionFlags (0x00000810) DOE_START_PENDING, DOE_DEFAULT_SD_PRESENT
Characteristics (0x00000180) FILE_AUTOGENERATED_DEVICE_NAME, FILE_DEVICE_SECURE_OPEN
AttachedDevice (Upper) fffffa80069fba10 \Driver\USBSTOR
Device queue is not busy.
Next we check the associated _DEVICE_NODE (the address marked in 'aquamarine'):
0: kd> !devnode fffffa80`03c06970
DevNode 0xfffffa8003c06970 for PDO 0xfffffa8003d57460
Parent 0xfffffa800784aa60 Sibling 0000000000 Child 0000000000
InstancePath is "USB\VID_19D2&PID_2004\MF60__ZTED010000"
ServiceName is "USBSTOR"
State = DeviceNodeDriversAdded (0x303)
Previous State = DeviceNodeInitialized (0x302)
StateHistory[01] = DeviceNodeInitialized (0x302)
StateHistory[00] = DeviceNodeUninitialized (0x301)
StateHistory[19] = Unknown State (0x0)
StateHistory[18] = Unknown State (0x0)
StateHistory[17] = Unknown State (0x0)
StateHistory[16] = Unknown State (0x0)
StateHistory[15] = Unknown State (0x0)
StateHistory[14] = Unknown State (0x0)
StateHistory[13] = Unknown State (0x0)
StateHistory[12] = Unknown State (0x0)
StateHistory[11] = Unknown State (0x0)
StateHistory[10] = Unknown State (0x0)
StateHistory[09] = Unknown State (0x0)
StateHistory[08] = Unknown State (0x0)
StateHistory[07] = Unknown State (0x0)
StateHistory[06] = Unknown State (0x0)
StateHistory[05] = Unknown State (0x0)
StateHistory[04] = Unknown State (0x0)
StateHistory[03] = Unknown State (0x0)
StateHistory[02] = Unknown State (0x0)
Flags (0x2c000030) DNF_ENUMERATED, DNF_IDS_QUERIED,
DNF_NO_LOWER_DEVICE_FILTERS, DNF_NO_LOWER_CLASS_FILTERS,
DNF_NO_UPPER_DEVICE_FILTERS
CapabilityFlags (0x00001453) DeviceD1, DeviceD2,
Removable, UniqueID,
WakeFromD0, WakeFromD2
and finally we know which device was being pushed into the USB3 port (MF60__ZTED010000): a ZTE MF60 modem (router).
Well, since everything is now clear, I suggested using a USB 2.0 port when connecting this modem, or better yet using it over WiFi, and of course updating the AV :)
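The manual steps above (reading the stack for third-party modules, interpreting the tiny READ_ADDRESS, and splitting the DeviceInst path from !devstack) as a small triage script. This is an added example, not part of the original post; it runs on a constructed sample trimmed from the debugger output shown above rather than on a real dump file.

```python
import re

# Constructed sample: lines of the kind !analyze -v and !devstack print, trimmed from the walkthrough above.
SAMPLE = r"""STACK_TEXT:
fffff880`03baf1b0 fffff880`04da14a7 : fffff880`03baf378 00000000`00000000 00000000`00000000 fffffa80`03d57460 : nt!KeSetEvent+0x16
fffff880`03baf220 fffff880`04d9be0b : fffffa80`03d575b0 fffffa80`03d57460 fffffa80`042df480 fffffa80`042df480 : nusb3hub+0x74a7
fffff880`03baf2e0 fffff880`036ae1ef : fffffa80`03d57460 00000000`004e004c fffff880`03baf3d0 00000000`00180018 : klfltdev+0x7f53
fffff880`03baf5a0 fffff800`03462fe5 : 00000000`00000000 fffffa80`06a12060 00000000`00000004 fffffa80`03c06970 : nt!PpvUtilCallAddDevice+0x36
READ_ADDRESS: 0000000000000038
DeviceInst is "USB\VID_19D2&PID_2004\MF60__ZTED010000"
"""

# One STACK_TEXT frame: child SP, return address, four args, then the symbol column.
FRAME_RE = re.compile(r"^[0-9a-f`]{17}\s+[0-9a-f`]{17}\s*:.*:\s*(\S+)\s*$", re.MULTILINE)
KERNEL_MODULES = {"nt", "hal"}  # frames owned by the OS itself are not suspects

def parse_frames(text):
    """Symbol column of every frame, innermost (faulting) frame first."""
    return FRAME_RE.findall(text)

def module_of(symbol):
    """'nt!KeSetEvent+0x16' -> 'nt'; 'nusb3hub+0x74a7' (no symbols) -> 'nusb3hub'."""
    return re.split(r"[!+]", symbol, maxsplit=1)[0]

def suspect_modules(text):
    """Third-party modules on the stack, innermost first, without repeats; the first
    is the natural followup, since it called into the kernel with the bad argument."""
    seen = []
    for sym in parse_frames(text):
        mod = module_of(sym)
        if mod not in KERNEL_MODULES and mod not in seen:
            seen.append(mod)
    return seen

def read_address_class(text):
    """A READ_ADDRESS inside the first page means a NULL-class pointer dereference:
    a field at that offset of a structure whose pointer was NULL (0x38 in the dump)."""
    addr = int(re.search(r"READ_ADDRESS:\s*([0-9a-f]+)", text).group(1), 16)
    return ("null_class_ptr", addr) if addr < 0x1000 else ("other", addr)

def parse_device_instance(text):
    """Split the DeviceInst path shown by !devstack into vendor id, product id and serial."""
    m = re.search(r'DeviceInst is "USB\\VID_([0-9A-Fa-f]{4})&PID_([0-9A-Fa-f]{4})\\([^"]+)"', text)
    if m is None:
        return None
    return {"vid": m.group(1).upper(), "pid": m.group(2).upper(), "serial": m.group(3)}

if __name__ == "__main__":
    print(suspect_modules(SAMPLE), read_address_class(SAMPLE), parse_device_instance(SAMPLE))
```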