Main-Debug Consultant, System文章, 技術文庫

藍屏當機 (BSOD) 怎麼辦?談Microsoft Windows dump file解析

百佳泰 Allion Labs > Main-Debug Consultant > 藍屏當機 (BSOD) 怎麼辦?談Microsoft Windows dump file解析

Allion Labs / Joseph Lin

 

造成藍屏當機 (BSOD)的原因為何,如何解決?

BSOD (Blue Screen of Death) 指的是微軟Windows作業系統在無法從一個系統錯誤中恢復過來時所顯示的螢幕圖像。BSOD出現時,通常代表Windows作業系統已經達到無法正常運作的狀態。造成BSOD的原因有許多的可能性,例如硬體故障、驅動程式問題或是關鍵程式異常終止。

下圖為Windows 10中常見的BSOD畫面:

Windows 10中常見的BSOD畫面

 

雖然BSOD是Windows作業系統中,常見的故障畫面,但是要由BSOD發生當下的藍色畫面得出故障的原因,是很困難的。但若能將下圖中的設定值改為Complete memory dump,那於BSOD發生後,就可由系統中取得完整的記憶體傾印檔(Memory dump)。透過這個記憶體傾印檔(Memory dump),便能找尋BSOD發生的原因。

將圖中的設定改為Complete memory dump,就可由系統中取得完整的記憶體傾印檔(Memory dump)。

將圖中的設定改為Complete memory dump,就可由系統中取得完整的記憶體傾印檔(Memory dump)。

 

Windows BSOD memory dump解析

取得BSOD的memory dump檔案後,可使用微軟所提供的WinDbg工具來協助找尋BSOD發生的原因。

WinDbg是微軟Windows上的多用途除錯(Debug)工具,可從微軟網站上免費下載安裝使用。除錯(Debug)是發現和解決系統錯誤的過程。WinDbg可用於除錯使用者模式(user mode)下的應用程式、驅動程式,以及核心模式(kernel mode)的作業系統自身。WinDbg執行後的介面請參考下圖:

WinDbg是微軟Windows上的多用途除錯(Debug)工具,可用於除錯使用者模式(user mode)下的應用程式、驅動程式,以及核心模式(kernel mode)的作業系統自身。

WinDbg 執行畫面

 

百佳泰多年來,與各家PC品牌大廠皆有長期且深入的合作,累積了豐富的WinDbg BSOD memory dump 分析經驗,歸納下來,造成Windows作業系統產生BSOD可分為以下幾類:

  • 設備驅動程式 (Device drivers issue)
  • 應用程式錯誤 (Application issue)
  • 硬體錯誤 (Hardware device issue)
  • Windows作業系統 (Windows OS issue)

 

百佳泰能協助分析Windows BSOD發生的成因,並提供解決問題的方向及建議。

• 百佳泰實際BSOD memory dump解析案例

 

BSoD occurs on shutdown stress test, BSOD code is 0x9f

「Root Cause」: “Windows was waiting for the Intel Wireless Bluetooth® Driver to transfer to next power state. Base on the analysis, we can know the device driver didn’t transfer to next power state.
So that BSOD happened after the IRP pending.

「Detailed」:By checking the dump files, we confirmed all BSOD were caused by Intel Wireless Bluetooth® Driver didn’t transfer to next power state. So that BSOD happened after the IRP pending.

[IRP_MJ_POWER(16), IRP_MN_SET_POWER(2)] 0 e1 ffff8508e793ee10 00000000 00000000-00000000    pending
DriverACPI
Args: 00000000 00000001 00000001 00000000
————————————————————————————————–
Windows was waiting for the device to transfer to next power state.
Base on above log, we can know the device didn’t transfer to next power state.
So that BSOD happened after the pending.
————————————————————————————————–

2: kd> !devstack ffff8508e6f2db90
!DevObj           !DrvObj            !DevExt           ObjectName
ffff8508e6f30d50  DriverBTHUSB     ffff8508e7991eb0
ffff8508e6f318d0  Driveribtusb     ffff8508e71da310
ffff8508e793ee10  DriverACPI       ffff8508d32e7010
> ffff8508e6f2db90  DriverUSBHUB3    ffff8508e715e310  USBPDO-4
!DevNode ffff8508e79516b0 :
DeviceInst is “USBVID_8087&PID_00265&c5fc33b&0&10”
ServiceName is “BTHUSB”

————————————————————————————————–
USBVID_8087&PID_00265&c5fc33b&0&10
=>Intel Wireless Bluetooth® Driver
————————————————————————————————–

REG_DWORD           UBR                           184
————————————————————————————————–
Windows 10 Pro 2004 (19041.388)
————————————————————————————————–

2: kd> lmvm UsbHub3
Browse full module list
start             end                 module name
fffff800`332d0000 fffff800`33373000   UsbHub3    (pdb symbols)          d:symbolusbhub3.pdbFEB0212F8C4FD77DDEEBF0678FB00EA21usbhub3.pdb
Loaded symbol image file: UsbHub3.sys
Image path: SystemRootSystem32driversUsbHub3.sys
Image name: UsbHub3.sys
Browse all global symbols  functions  data
Image was built with /Brepro flag.
Timestamp:        FDA30E83 (This is a reproducible build file hash, not a timestamp)
CheckSum:         000AC346
ImageSize:        000A3000
File version:     10.0.19041.264
Product version:  10.0.19041.264
————————————————————————————————–
UsbHub3.sys version is 10.0.19041.264
This version is the same with the version used in latest MSFT QFE 2020.08B
————————————————————————————————–

2: kd> lmvm bthusb
Browse full module list
start             end                 module name
fffff800`38b70000 fffff800`38b91000   BTHUSB     (pdb symbols)          d:symbolbthusb.pdbBE8B332932B8B19471111557BE5095DA1bthusb.pdb
Loaded symbol image file: BTHUSB.sys
Image path: SystemRootSystem32driversBTHUSB.sys
Image name: BTHUSB.sys
Browse all global symbols  functions  data
Image was built with /Brepro flag.
Timestamp:        4B55908C (This is a reproducible build file hash, not a timestamp)
CheckSum:         000279B2
ImageSize:        00021000
Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
Information from resource tables:

————————————————————————————————–
[Allion] Can’t see the file version of BTHUSB.sys
But we can see the Windows version on BSOD machine is Windows 10 2004 (19041.388)
The latest version of BTHUSB.sys in MSFT QFE 2020.08B is 10.0.19041.423
————————————————————————————————–

2: kd> !reg querykey REGISTRYMACHINESYSTEMCONTROLSET001SERVICESibtusb

Sorry <REGISTRYMACHINESYSTEMCONTROLSET001SERVICESibtusb> is not cached

=============================================================
Falling back to traversing the tree of nodes.

Hive         ffffe70f12c72000
KeyNode      ffffe70f176db5dc

[SubKeyAddr]         [SubKeyName] ffffe70f176db8f4     Parameters

[SubKeyAddr]         [VolatileSubKeyName] ffffe70f17efe664     Enum

Use ‘!reg keyinfo ffffe70f12c72000 <SubKeyAddr>’ to dump the subkey details

[ValueType]         [ValueName]                   [ValueData] REG_DWORD           Type                          1
REG_DWORD           Start                         3
REG_DWORD           ErrorControl                  1
REG_DWORD           Tag                           a
REG_EXPAND_SZ       ImagePath                     SystemRootSystem32DriverStoreFileRepositoryibtusb.inf_amd64_b9506ba89bf1aa17ibtusb.sys
REG_SZ              DisplayName                   @oem55.inf,%ibtusb.SVCDESC_IBT%;インテル(R) ワイヤレス Bluetooth®
REG_SZ              Group                         PNP Filter
REG_MULTI_SZ        Owners                        oem55.inf

「Recommend」:
Suggest to replace the Intel wireless Bluetooth® driver or report issue to Intel.

 

 

Post Views: 25,443