Allion Labs / Joseph Lin
BSOD (Blue Screen of Death) refers to the screen that Microsoft Windows displays when it cannot recover from a system error. When a blue screen appears, it usually means that Windows has reached a state in which it can no longer operate normally. There are many possible causes, such as a hardware fault, a driver problem, or the abnormal termination of a critical process.
The figure below shows the blue screen commonly seen in Windows 10:
Although the blue screen is a familiar failure screen in Windows, it is very hard to work out the cause of the failure from the blue screen alone. If, however, the setting shown in the figure below is changed to Complete memory dump, a complete memory dump can be retrieved from the system after the BSOD occurs, and that memory dump can then be used to find the cause of the BSOD.
Changing the setting in the figure to Complete memory dump lets you retrieve a complete memory dump file from the system.
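The setting shown in the figure lives in the registry under CrashControl, so it can be checked and set from an elevated PowerShell as well as from the dialog. The script below is an added example, not code from the Allion post or from Microsoft: it reads the current mode (often 7, Automatic, or 3, Small, on a fresh install), switches it to 1, Complete memory dump, keeps the dump from being discarded, and checks the one prerequisite that silently breaks complete dumps, namely a paging file on the boot volume large enough to hold all physical RAM plus a small header (Microsoft documents this as physical memory plus 1 MB). The value meanings are the documented CrashControl values; the dump path is an assumption.

```powershell
# Added example (not from the Allion post): inspect and set the crash-dump mode that the
# post says must be "Complete memory dump". Windows stores it under
# HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl, CrashDumpEnabled:
#   0 = none, 1 = complete, 2 = kernel, 3 = small (minidump), 7 = automatic.
# Run from an elevated PowerShell; the change takes effect after a reboot.

$CrashControl = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'

function Get-CrashDumpConfig {
    $cc = Get-ItemProperty -Path $CrashControl
    $names = @{ 0 = 'None'; 1 = 'Complete'; 2 = 'Kernel'; 3 = 'Small'; 7 = 'Automatic' }
    [pscustomobject]@{
        CrashDumpEnabled     = $cc.CrashDumpEnabled
        Mode                 = $names[[int]$cc.CrashDumpEnabled]
        DumpFile             = $cc.DumpFile
        Overwrite            = $cc.Overwrite
        AlwaysKeepMemoryDump = $cc.AlwaysKeepMemoryDump
    }
}

function Set-CompleteMemoryDump {
    param([string]$DumpFile = '%SystemRoot%\MEMORY.DMP')   # assumed location

    # 1 = Complete memory dump, the setting the post asks for.
    Set-ItemProperty -Path $CrashControl -Name CrashDumpEnabled -Value 1 -Type DWord
    Set-ItemProperty -Path $CrashControl -Name DumpFile -Value $DumpFile -Type ExpandString
    # Keep the dump even when free disk space is low; otherwise Windows may delete it.
    Set-ItemProperty -Path $CrashControl -Name AlwaysKeepMemoryDump -Value 1 -Type DWord
    # Overwrite the previous dump so a long stress run does not fill the boot volume.
    Set-ItemProperty -Path $CrashControl -Name Overwrite -Value 1 -Type DWord
}

function Test-PageFileForCompleteDump {
    # A complete dump is written through the paging file on the boot volume, so that file
    # must be able to hold all physical RAM plus a small header. Check this before a
    # stress test; if it is too small no complete dump is produced at all.
    $ramBytes = (Get-CimInstance Win32_ComputerSystem).TotalPhysicalMemory
    $pf = Get-CimInstance Win32_PageFileUsage |
          Where-Object { $_.Name -like "$env:SystemDrive*" } |
          Select-Object -First 1
    $pfBytes = [int64]$pf.AllocatedBaseSize * 1MB      # AllocatedBaseSize is reported in MB
    [pscustomobject]@{
        RamGB          = [math]::Round($ramBytes / 1GB, 1)
        BootPageFileGB = [math]::Round($pfBytes / 1GB, 1)
        SufficientSize = ($pfBytes -ge $ramBytes + 1MB)
    }
}

Get-CrashDumpConfig            # before: typically Automatic (7) or Small (3)
Set-CompleteMemoryDump
Test-PageFileForCompleteDump   # SufficientSize must be True, otherwise enlarge the page file
Get-CrashDumpConfig            # after: Complete (1)
```

If the page file is system-managed, Windows may still size it below physical RAM on machines with a lot of memory; in that case set a fixed page file of at least RAM + 1 MB on the boot volume before rerunning the stress test.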
Analysing a Windows BSOD memory dump
Once the memory dump file from the BSOD has been obtained, Microsoft's WinDbg tool can be used to help find the cause of the BSOD.
WinDbg is a general-purpose debugging tool for Microsoft Windows that can be downloaded from Microsoft's website and used free of charge. Debugging is the process of finding and resolving errors in a system. WinDbg can debug user-mode applications and drivers as well as the operating system itself in kernel mode. The WinDbg interface after launch is shown in the figure below:
WinDbg after launch
Through many years of long-term, in-depth cooperation with the major PC brands, Allion has accumulated extensive experience in analysing BSOD memory dumps with WinDbg. In summary, the causes of a Windows BSOD fall into the following categories:
- Device driver issues
- Application issues
- Hardware device issues
- Windows OS issues
Allion can help analyse the cause of a Windows BSOD and provide direction and recommendations for resolving the problem.
Case study: BSOD occurs during a shutdown stress test, BSOD code 0x9F
「Root Cause」: Windows was waiting for the Intel Wireless Bluetooth Driver to transition to the next power state. Based on the analysis, the device driver never completed that transition, so the BSOD occurred after the IRP remained pending.
「Detailed」: By checking the dump files, we confirmed that all of the BSODs were caused by the Intel Wireless Bluetooth Driver failing to transition to the next power state, so the BSOD occurred after the IRP remained pending.
>[IRP_MJ_POWER(16), IRP_MN_SET_POWER(2)]
            0 e1 ffff8508e793ee10 00000000 00000000-00000000    pending
               \Driver\ACPI
                        Args: 00000000 00000001 00000001 00000000
————————————————————————————————–
Windows was waiting for the device to transition to the next power state.
From the log above, the device did not transition to the next power state.
So the BSOD occurred after the IRP remained pending.
————————————————————————————————–
2: kd> !devstack ffff8508e6f2db90
  !DevObj           !DrvObj            !DevExt           ObjectName
  ffff8508e6f30d50  \Driver\BTHUSB     ffff8508e7991eb0
  ffff8508e6f318d0  \Driver\ibtusb     ffff8508e71da310
  ffff8508e793ee10  \Driver\ACPI       ffff8508d32e7010
> ffff8508e6f2db90  \Driver\USBHUB3    ffff8508e715e310  USBPDO-4
!DevNode ffff8508e79516b0 :
  DeviceInst is "USB\VID_8087&PID_0026\5&c5fc33b&0&10"
  ServiceName is "BTHUSB"
————————————————————————————————–
USB\VID_8087&PID_0026\5&c5fc33b&0&10
=> Intel Wireless Bluetooth Driver
————————————————————————————————–
REG_DWORD           UBR                          184
————————————————————————————————–
Windows 10 Pro 2004 (19041.388)
————————————————————————————————–
2: kd> lmvm UsbHub3
Browse full module list
start             end                 module name
fffff800`332d0000 fffff800`33373000   UsbHub3    (pdb symbols)          d:\symbol\usbhub3.pdb\FEB0212F8C4FD77DDEEBF0678FB00EA21\usbhub3.pdb
    Loaded symbol image file: UsbHub3.sys
    Image path: \SystemRoot\System32\drivers\UsbHub3.sys
    Image name: UsbHub3.sys
    Browse all global symbols  functions  data
    Image was built with /Brepro flag.
    Timestamp:        FDA30E83 (This is a reproducible build file hash, not a timestamp)
    CheckSum:         000AC346
    ImageSize:        000A3000
    File version:     10.0.19041.264
    Product version:  10.0.19041.264
————————————————————————————————–
UsbHub3.sys version is 10.0.19041.264.
This is the same version as the one shipped in the latest MSFT QFE 2020.08B.
————————————————————————————————–
2: kd> lmvm bthusb
Browse full module list
start             end                 module name
fffff800`38b70000 fffff800`38b91000   BTHUSB     (pdb symbols)          d:\symbol\bthusb.pdb\BE8B332932B8B19471111557BE5095DA1\bthusb.pdb
    Loaded symbol image file: BTHUSB.sys
    Image path: \SystemRoot\System32\drivers\BTHUSB.sys
    Image name: BTHUSB.sys
    Browse all global symbols  functions  data
    Image was built with /Brepro flag.
    Timestamp:        4B55908C (This is a reproducible build file hash, not a timestamp)
    CheckSum:         000279B2
    ImageSize:        00021000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
    Information from resource tables:
————————————————————————————————–
[Allion] The file version of BTHUSB.sys is not shown (the image carries no version resource).
However, the Windows version on the BSOD machine is Windows 10 2004 (19041.388).
The latest version of BTHUSB.sys in MSFT QFE 2020.08B is 10.0.19041.423.
————————————————————————————————–
2: kd> !reg querykey \REGISTRY\MACHINE\SYSTEM\CONTROLSET001\SERVICES\ibtusb
Sorry <\REGISTRY\MACHINE\SYSTEM\CONTROLSET001\SERVICES\ibtusb> is not cached
=============================================================
Falling back to traversing the tree of nodes.
Hive         ffffe70f12c72000
KeyNode      ffffe70f176db5dc
[SubKeyAddr]         [SubKeyName]
ffffe70f176db8f4     Parameters
[SubKeyAddr]         [VolatileSubKeyName]
ffffe70f17efe664     Enum
Use '!reg keyinfo ffffe70f12c72000 <SubKeyAddr>' to dump the subkey details
[ValueType]         [ValueName]                  [ValueData]
REG_DWORD           Type                         1
REG_DWORD           Start                        3
REG_DWORD           ErrorControl                 1
REG_DWORD           Tag                          a
REG_EXPAND_SZ       ImagePath                    \SystemRoot\System32\DriverStore\FileRepository\ibtusb.inf_amd64_b9506ba89bf1aa17\ibtusb.sys
REG_SZ              DisplayName                  @oem55.inf,%ibtusb.SVCDESC_IBT%;インテル(R) ワイヤレス Bluetooth(R)
REG_SZ              Group                        PNP Filter
REG_MULTI_SZ        Owners                       oem55.inf
————————————————————————————————–
[Allion] => Intel Wireless Bluetooth Driver
————————————————————————————————–
「Recommend」:
Replace the Intel Wireless Bluetooth driver, or report the issue to Intel.
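The case above is worked by hand in WinDbg, but the same sequence (!analyze -v, !irp on the blocked IRP, !devstack on the physical device object, lmvm and !reg querykey for each driver in the stack) can be scripted for the first pass over every dump a shutdown stress run produces. The script below is an added example, not code from the Allion post or from Microsoft. It drives kd.exe, the command-line kernel debugger from the Windows Debugging Tools, and relies on the documented meaning of the 0x9F arguments: when Arg1 is 3 (a device object has been blocking an IRP for too long), Arg2 is the physical device object of the stuck stack and Arg4 is the blocked IRP. The kd install path, symbol path and the baseline version table are assumptions; the two baseline versions are the ones the post quotes for MSFT QFE 2020.08B.

```powershell
# Added example, not code from the Allion post or from Microsoft: a scripted first pass
# over a memory dump for a 0x9F (DRIVER_POWER_STATE_FAILURE) crash, following the
# sequence the post walks by hand and collecting what the analyst records.

$KdExe      = 'C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\kd.exe'  # assumed install path
$SymbolPath = 'srv*C:\Symbols*https://msdl.microsoft.com/download/symbols'

function Invoke-Kd {
    # Run kd non-interactively: -z dump file, -y symbol path, -c initial commands
    # (separated by ';'); the appended q makes kd exit once the commands have run.
    param([string]$DumpFile, [string]$Commands)
    & $KdExe -z $DumpFile -y $SymbolPath -c "$Commands; q" 2>&1 | Out-String
}

function Get-BugCheckArguments {
    # !analyze -v prints "Arg1: <hex>, <meaning>" .. "Arg4: ..."; return them as a table.
    param([string]$AnalyzeOutput)
    $bcArgs = @{}
    foreach ($m in [regex]::Matches($AnalyzeOutput, 'Arg([1-4]):\s*([0-9a-fA-F]+)')) {
        $bcArgs["Arg$($m.Groups[1].Value)"] = $m.Groups[2].Value
    }
    $bcArgs
}

function Get-DeviceStackFromOutput {
    # !devstack rows look like "[>] <DevObj> \Driver\<name> <DevExt> [ObjectName]";
    # the '>' marks the object the command was run on (the PDO here).
    param([string]$DevstackOutput)
    $pattern = '(?m)^[ \t]*(>?)[ \t]*([0-9a-f]{16})[ \t]+\\Driver\\(\S+)[ \t]+([0-9a-f]{16})[ \t]*(\S*)'
    $rows = foreach ($m in [regex]::Matches($DevstackOutput, $pattern)) {
        [pscustomobject]@{
            IsPdo      = ($m.Groups[1].Value -eq '>')
            DevObj     = $m.Groups[2].Value
            Driver     = $m.Groups[3].Value   # driver object name; usually, not always, the module/service name
            ObjectName = $m.Groups[5].Value
        }
    }
    [pscustomobject]@{
        Stack          = @($rows)
        ServiceName    = [regex]::Match($DevstackOutput, 'ServiceName is "([^"]+)"').Groups[1].Value
        DeviceInstance = [regex]::Match($DevstackOutput, 'DeviceInst is "([^"]+)"').Groups[1].Value
    }
}

function Get-FileVersionFromOutput {
    # lmvm prints "File version: 10.0.19041.264" only when the image carries a version
    # resource; the post's BTHUSB.sys had none, so return $null instead of guessing.
    param([string]$LmvmOutput)
    $m = [regex]::Match($LmvmOutput, 'File version:\s+([\d.]+)')
    if ($m.Success) { $m.Groups[1].Value } else { $null }
}

function Invoke-Triage9f {
    param(
        [Parameter(Mandatory)][string]$DumpFile,
        # Known-good versions to compare against: the two the post quotes for MSFT QFE
        # 2020.08B. Replace with the baseline for the build under test.
        [hashtable]$Baseline = @{ 'UsbHub3' = '10.0.19041.264'; 'BTHUSB' = '10.0.19041.423' }
    )
    $analyze = Invoke-Kd -DumpFile $DumpFile -Commands '!analyze -v'
    if ($analyze -notmatch 'DRIVER_POWER_STATE_FAILURE \(9f\)') {
        throw 'Not a 0x9F dump; read the !analyze -v output by hand.'
    }
    $bc = Get-BugCheckArguments $analyze
    # Arg2 = PDO of the stuck stack and Arg4 = blocked IRP hold only when Arg1 = 3.
    if ([uint64]"0x$($bc['Arg1'])" -ne 3) {
        throw "0x9F with Arg1 = $($bc['Arg1']): Arg2/Arg4 are not PDO/IRP, inspect manually."
    }
    $stackOut = Invoke-Kd -DumpFile $DumpFile -Commands "!irp $($bc['Arg4']); !devstack $($bc['Arg2'])"
    # In !irp the '>' entry is the current stack location; the driver named under it is
    # the one the pending power IRP sits in (\Driver\ACPI in the post's dump).
    $pendingIn = [regex]::Match($stackOut, '(?s)>\[IRP_MJ_POWER[^\n]*\n[^\n]*pending[^\n]*\n\s*\\Driver\\(\S+)').Groups[1].Value
    $stack     = Get-DeviceStackFromOutput $stackOut

    $drivers = foreach ($row in $stack.Stack) {
        # One kd run per driver: module version plus the service key's DisplayName, which is
        # how the post tied \Driver\ibtusb to the Intel Wireless Bluetooth driver.
        $svcKey = "\REGISTRY\MACHINE\SYSTEM\CONTROLSET001\SERVICES\$($row.Driver)"
        $out    = Invoke-Kd -DumpFile $DumpFile -Commands "lmvm $($row.Driver); !reg querykey $svcKey"
        $ver    = Get-FileVersionFromOutput $out
        $name   = [regex]::Match($out, '(?m)^REG_SZ\s+DisplayName\s+(.+?)\s*$').Groups[1].Value
        $base   = $Baseline[$row.Driver]   # hashtable keys are case-insensitive, so USBHUB3 finds UsbHub3
        $status = if (-not $ver) { 'no version resource' }
                  elseif (-not $base) { 'no baseline' }
                  elseif ([version]$ver -lt [version]$base) { 'older than baseline' }
                  else { 'ok' }
        [pscustomobject]@{ Driver = $row.Driver; DisplayName = $name; FileVersion = $ver; Baseline = $base; Status = $status }
    }
    [pscustomobject]@{
        BlockedIrp     = $bc['Arg4']
        PendingIn      = $pendingIn
        Pdo            = $bc['Arg2']
        ServiceName    = $stack.ServiceName
        DeviceInstance = $stack.DeviceInstance
        Drivers        = $drivers
    }
}

# Usage: Invoke-Triage9f -DumpFile C:\Windows\MEMORY.DMP | Format-List
```

The output answers the questions the post answers by hand: which driver the IRP is pending in, which device instance and service sit at the bottom of the stack, and whether each driver in the stack matches the expected version. A driver with no version resource (as BTHUSB.sys here) still has to be checked against the OS build number, which is why the post falls back to the UBR value and the QFE release notes.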