Microsoft (R) Windows Debugger Version 6.11.0001.404 X86
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [C:\Users\morenice\Desktop\Mini010511-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available
Symbol search path is: *** Invalid ***
****************************************************************************
* Symbol loading may be unreliable without a symbol search path. *
* Use .symfix to have the debugger choose a symbol path. *
* After setting your symbol path, use .reload to refresh symbol locations. *
****************************************************************************
Executable search path is:
*********************************************************************
* Symbols can not be loaded because symbol path is not initialized. *
* *
* The Symbol Path can be set by: *
* using the _NT_SYMBOL_PATH environment variable. *
* using the -y <symbol_path> argument when starting the debugger. *
* using .sympath and .sympath+ *
*********************************************************************
Unable to load image \WINDOWS\system32\ntoskrnl.exe, Win32 error 0n2
*** WARNING: Unable to verify timestamp for ntoskrnl.exe
*** ERROR: Module load completed but symbols could not be loaded for ntoskrnl.exe
Windows XP Kernel Version 2600 (Service Pack 3) MP (4 procs) Free x86 compatible
Product: WinNt
Machine Name:
Kernel base = 0x804d9000 PsLoadedModuleList = 0x805654c0
Debug session time: Wed Jan 5 09:09:04.830 2011 (GMT+9)
System Uptime: 0 days 0:28:09.619
*********************************************************************
* Symbols can not be loaded because symbol path is not initialized. *
* *
* The Symbol Path can be set by: *
* using the _NT_SYMBOL_PATH environment variable. *
* using the -y <symbol_path> argument when starting the debugger. *
* using .sympath and .sympath+ *
*********************************************************************
Unable to load image \WINDOWS\system32\ntoskrnl.exe, Win32 error 0n2
*** WARNING: Unable to verify timestamp for ntoskrnl.exe
*** ERROR: Module load completed but symbols could not be loaded for ntoskrnl.exe
Loading Kernel Symbols
...............................................................
................................................................
......
Loading User Symbols
Loading unloaded module list
............
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck 50, {e552f000, 0, 804dc2c0, 1}
*** WARNING: Unable to verify timestamp for mssmbios.sys
*** ERROR: Module load completed but symbols could not be loaded for mssmbios.sys
***** Kernel symbols are WRONG. Please fix symbols to do analysis.
*************************************************************************
*** ***
*** ***
*** Your debugger is not using the correct symbols ***
*** ***
*** In order for this command to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: nt!_KPRCB ***
*** ***
*************************************************************************
*************************************************************************
*** ***
*** ***
*** Your debugger is not using the correct symbols ***
*** ***
*** In order for this command to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: nt!_KPRCB ***
*** ***
*************************************************************************
*********************************************************************
* Symbols can not be loaded because symbol path is not initialized. *
* *
* The Symbol Path can be set by: *
* using the _NT_SYMBOL_PATH environment variable. *
* using the -y <symbol_path> argument when starting the debugger. *
* using .sympath and .sympath+ *
*********************************************************************
*********************************************************************
* Symbols can not be loaded because symbol path is not initialized. *
* *
* The Symbol Path can be set by: *
* using the _NT_SYMBOL_PATH environment variable. *
* using the -y <symbol_path> argument when starting the debugger. *
* using .sympath and .sympath+ *
*********************************************************************
Probably caused by : ntoskrnl.exe ( nt+32c0 )
Followup: MachineOwner
Microsoft (R) Windows Debugger Version 6.11.0001.404 X86
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [C:\Users\morenice\Desktop\Mini010511-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available
Symbol search path is: C:\Windows\symbols
Executable search path is:
Unable to load image \WINDOWS\system32\ntoskrnl.exe, Win32 error 0n2
*** WARNING: Unable to verify timestamp for ntoskrnl.exe
Windows XP Kernel Version 2600 (Service Pack 3) MP (4 procs) Free x86 compatible
Product: WinNt
Machine Name:
Kernel base = 0x804d9000 PsLoadedModuleList = 0x805654c0
Debug session time: Wed Jan 5 09:09:04.830 2011 (GMT+9)
System Uptime: 0 days 0:28:09.619
Unable to load image \WINDOWS\system32\ntoskrnl.exe, Win32 error 0n2
*** WARNING: Unable to verify timestamp for ntoskrnl.exe
Loading Kernel Symbols
...............................................................
................................................................
......
Loading User Symbols
Loading unloaded module list
............
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck 50, {e552f000, 0, 804dc2c0, 1}
*** WARNING: Unable to verify timestamp for mssmbios.sys
Could not read faulting driver name
Probably caused by : ntoskrnl.exe ( nt!strlen+3a )
Followup: MachineOwner
분석을 위한 간단한 명령어는
analyze -v 이다.
2: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except,
it must be protected by a Probe. Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: e552f000, memory referenced.
Arg2: 00000000, value 0 = read operation, 1 = write operation.
Arg3: 804dc2c0, If non-zero, the instruction address which referenced the bad memory
address.
Arg4: 00000001, (reserved)
Debugging Details:
------------------
Could not read faulting driver name
READ_ADDRESS: e552f000
FAULTING_IP:
nt!strlen+3a
804dc2c0 ?? ???
MM_INTERNAL_CODE: 1
CUSTOMER_CRASH_COUNT: 1
DEFAULT_BUCKET_ID: DRIVER_FAULT
BUGCHECK_STR: 0x50
LAST_CONTROL_TRANSFER: from 8052b1b8 to 805396ba
STACK_TEXT:
97310aec 8052b1b8 00000050 e552f000 00000000 nt!MiRemoveUnusedSegments+0x423
97310b3c 804e2956 00000000 e552f000 00000000 nt!GUID_DOCK_INTERFACE+0x2b8
97310b54 804dc2c0 badb0d00 97310bd8 00000000 nt!Dr_kitb_a+0x19
97310b58 badb0d00 97310bd8 00000000 00000000 nt!strlen+0x3a
WARNING: Frame IP not in any known module. Following frames may be wrong.
97310be4 806377bf 884ec7e0 00000de0 97310c24 0xbadb0d00
97310c04 805fedfc 884ec7e0 00000de0 97310c24 nt!RtlpSysVolCheckOwnerAndSecurity+0x25c
97310c48 8058edb4 89ea8bd0 03a40000 97310d18 nt!RtlpAddIntersectingRanges+0xff
97310ca4 8057caa8 00000018 8855bba8 97310d18 nt!CmpMapCmView+0x208
97310d34 804df99f 0000026c ffffffff 0013ca14 nt!IopXxxControlFile+0x1a6
97310d64 7c93e514 badb0d00 0013c9d0 00000000 nt!ZwSetSystemPowerState+0xf
97310d74 00000000 00000000 00000000 00000000 0x7c93e514
STACK_COMMAND: kb
FOLLOWUP_IP:
nt!strlen+3a
804dc2c0 ?? ???
SYMBOL_STACK_INDEX: 3
SYMBOL_NAME: nt!strlen+3a
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: nt
IMAGE_NAME: ntoskrnl.exe
DEBUG_FLR_IMAGE_TIMESTAMP: 4bd6eda6
FAILURE_BUCKET_ID: 0x50_nt!strlen+3a
BUCKET_ID: 0x50_nt!strlen+3a
Followup: MachineOwner
드라이버 모듈에서 잘못된 메모리를 참조해서 생긴 문제를 확인하였다.
어떤 모듈이 왜 이런 결과를 낳았는지는 사용법을 더 숙지해봐야 알수 있을듯 하다.