初步看到stack信息来看,可能与tdi接口层的第三方软件有关,但是根据dump如下信息,没有思路找出那个驱动导致的,请张老师提供分析思路,谢谢。
Loading User Symbols******************************************************************************** ** Bugcheck Analysis ** ********************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck D1, {dcff5b9c, 2, 0, 96ecdb52}
Probably caused by : tcpip.sys ( tcpip!TcpCompleteClientReceiveRequest+1c )
Followup: MachineOwner---------
0: kd> !analyze -v******************************************************************************** ** Bugcheck Analysis ** ********************************************************************************
DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)An attempt was made to access a pageable (or completely invalid) address at aninterrupt request level (IRQL) that is too high. This is usuallycaused by drivers using improper addresses.If kernel debugger is available get stack backtrace.Arguments:Arg1: dcff5b9c, memory referencedArg2: 00000002, IRQLArg3: 00000000, value 0 = read operation, 1 = write operationArg4: 96ecdb52, address which referenced memory
Debugging Details:------------------
READ_ADDRESS: GetPointerFromAddress: unable to read from 81976718Unable to read MiSystemVaType memory at 81956160 dcff5b9c
CURRENT_IRQL: 2
FAULTING_IP: +5d262faf02bedb3896ecdb52 ?? ???
CUSTOMER_CRASH_COUNT: 1
DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT
BUGCHECK_STR: 0xD1
TRAP_FRAME: bc5cb2fc -- (.trap 0xffffffffbc5cb2fc)ErrCode = 00000000eax=dce0100c ebx=818b23dc ecx=00000013 edx=00000c10 esi=001f4980 edi=00000212eip=96ecdb52 esp=bc5cb370 ebp=00000013 iopl=0 nv up ei ng nz na po nccs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=0001028296ecdb52 ?? ???Resetting default scope
LAST_CONTROL_TRANSFER: from 96ecdb52 to 8185482b
STACK_TEXT: bc5cb2fc 96ecdb52 badb0d00 00000c10 84ca7030 nt!KiTrap0E+0x2cfWARNING: Frame IP not in any known module. Following frames may be wrong.bc5cb36c 84994158 96ecf65b 00000c10 b26f10e8 0x96ecdb52bc5cb394 81876c73 859b3240 850c1008 e1adec98 0x84994158bc5cb3f4 8c279bfe 020c1048 00000000 00000013 nt!IopfCompleteRequest+0x128bc5cb46c 8c26e76e c76aa4a0 00000000 bc00aa88 tcpip!TcpCompleteClientReceiveRequest+0x1cbc5cb5c0 8c288060 bc00aa88 00000000 bc00ab80 tcpip!TcpSatisfyReceiveRequests+0x59fbc5cb65c 8c2889dd bc00aa88 bc00ab80 bc5cb698 tcpip!TcpDeliverDataToClient+0x79bc5cb6b0 8c28d6e9 bc00aa88 bc00ab80 87335828 tcpip!TcpDeliverReceive+0x96bc5cb700 8c28c926 bc00aa88 bc5cb724 bc5cb75c tcpip!TcpTcbFastDatagram+0x304bc5cb768 8c28cd2c 8550c428 bc00aa88 005cb7dc tcpip!TcpTcbReceive+0x142bc5cb7d0 8c27bebd 851cfd30 85546000 00000000 tcpip!TcpMatchReceive+0x237bc5cb820 8c27bc1f 8550c428 85546000 0000c2f9 tcpip!TcpPreValidatedReceive+0x293bc5cb83c 8c2815ef 8550c428 85546000 bc5cb878 tcpip!TcpReceive+0x2dbc5cb84c 8c2b3914 bc5cb860 c000023e 00000000 tcpip!TcpNlClientReceiveDatagrams+0x12bc5cb878 8c2b36d7 8c313f88 bc5cb8cc c000023e tcpip!IppDeliverListToProtocol+0x49bc5cb898 8c2b33ac 8c313d98 00000006 bc5cb8cc tcpip!IppProcessDeliverList+0x2abc5cb8f0 8c2b0feb 8c313d98 00000006 00000000 tcpip!IppReceiveHeaderBatch+0x1f2bc5cb984 8c2aff7c 85edf938 00000000 00000001 tcpip!IpFlcReceivePackets+0xbe5bc5cba00 8c2b00ed 85ee64c8 87335828 00000000 tcpip!FlpReceiveNonPreValidatedNetBufferListChain+0x746bc5cba34 8189e0ea 87335828 923f776f 85506510 tcpip!FlReceiveNetBufferListChainCalloutRoutine+0x11ebc5cba9c 8c2b0175 8c2affcf bc5cbac4 00000000 nt!KeExpandKernelStackAndCalloutEx+0x132bc5cbad8 8c11018d 85ee6402 87335800 00000000 tcpip!FlReceiveNetBufferListChain+0x7cbc5cbb10 8c0fe670 85dcb4c0 87335828 00000000 ndis!ndisMIndicateNetBufferListsToOpen+0x188bc5cbb38 8c0fe5e7 00000000 85c0b0e0 85c0b0e0 ndis!ndisIndicateSortedNetBufferLists+0x4abc5cbcb4 8c0c6b02 85c0b0e0 00000000 00000000 ndis!ndisMDispatchReceiveNetBufferLists+0x129bc5cbce8 8c0c6c12 00000002 87335828 85c0bd8c ndis!ndisDoPeriodicReceivesIndication+0x125bc5cbd10 8c0c6976 850103e0 00000000 84ca7030 ndis!ndisPeriodicReceivesWorker+0x5bbc5cbd50 81a1cad1 00000000 923f7063 00000000 ndis!ndisReceiveWorkerThread+0xebbc5cbd90 818ce239 8c0c688b 00000000 00000000 nt!PspSystemThreadStartup+0x9e00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x19
STACK_COMMAND: kb
FOLLOWUP_IP: tcpip!TcpCompleteClientReceiveRequest+1c8c279bfe 8b4510 mov eax,dword ptr [ebp+10h]
SYMBOL_STACK_INDEX: 4
SYMBOL_NAME: tcpip!TcpCompleteClientReceiveRequest+1c
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: tcpip
IMAGE_NAME: tcpip.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 4f756aff
FAILURE_BUCKET_ID: 0xD1_tcpip!TcpCompleteClientReceiveRequest+1c
BUCKET_ID: 0xD1_tcpip!TcpCompleteClientReceiveRequest+1c
0: kd> lmstart end module name816a2000 816aa000 kdcom (deferred) 8180e000 81c1e000 nt (pdb symbols) d:\dump\ntkrpamp.pdb\FF3B78F7823245CEB7AA9BF77047B22C2\ntkrpamp.pdb81c1e000 81c55000 hal (deferred) 81e00000 81e0e000 WDFLDR (deferred) 81e11000 81e89000 mcupdate_GenuineIntel (deferred) 81e89000 81e9a000 PSHED (deferred) 81e9a000 81ea2000 BOOTVID (deferred) 81ea2000 81ee4000 CLFS (deferred) 81ee4000 81f8f000 CI (deferred) 81f8f000 82000000 Wdf01000 (deferred) 8bc20000 8bc35000 xenpci (deferred) 8bc35000 8bc7d000 ACPI (deferred) 8bc7d000 8bc86000 WMILIB (deferred) 8bc86000 8bc8e000 msisadrv (deferred) 8bc8e000 8bcb8000 pci (deferred) 8bcb8000 8bcc3000 vdrvroot (deferred) 8bcc3000 8bcd4000 partmgr (deferred) 8bcd4000 8bce4000 volmgr (deferred) 8bce4000 8bd2f000 volmgrx (deferred) 8bd2f000 8bd36000 intelide (deferred) 8bd36000 8bd44000 PCIIDEX (deferred) 8bd44000 8bd4d000 xenvbd (deferred) 8bd4d000 8bd94000 storport (deferred) 8bd94000 8bdaa000 mountmgr (deferred) 8bdaa000 8bdb3000 atapi (deferred) 8bdb3000 8bdd6000 ataport (deferred) 8bdd6000 8bddf000 amdxata (deferred) 8be28000 8be5c000 fltmgr (deferred) 8be5c000 8be6d000 fileinfo (deferred) 8be6d000 8bf9c000 Ntfs (deferred) 8bf9c000 8bfc7000 msrpc (deferred) 8bfc7000 8bfda000 ksecdd (deferred) 8bfda000 8bfff000 CLASSPNP (deferred) 8c000000 8c032000 fvevol (deferred) 8c034000 8c091000 cng (deferred) 8c091000 8c09f000 pcw (deferred) 8c09f000 8c0a8000 Fs_Rec (deferred) 8c0a8000 8c15f000 ndis (pdb symbols) d:\dump\ndis.pdb\A445ECC2161F497081DA301D4F6F13BB2\ndis.pdb8c15f000 8c19d000 NETIO (deferred) 8c19d000 8c1c2000 ksecpkg (deferred) 8c1c2000 8c1ef000 rdyboost (deferred) 8c200000 8c210000 mup (deferred) 8c210000 8c218000 hwpolicy (deferred) 8c218000 8c229000 disk (deferred) 8c229000 8c373000 tcpip (pdb symbols) d:\dump\tcpip.pdb\49DC4FA05F484849B923CEAF2D9D71442\tcpip.pdb8c373000 8c3a4000 fwpkclnt (deferred) 8c3a4000 8c3ac380 vmstorfl (deferred) 8c3ad000 8c3ec000 volsnap (deferred) 8c3ec000 8c3f4000 spldr (deferred)
tcpip在调用某个驱动设置的“完成回调”时出的问题,原因可能有两个,一个是回调函数地址依然完好,但是对应的驱动unload了,另一个可能是记录回调函数的IRP被覆盖了。无论哪一种,都可以启用verifier验证来帮助抓一下。