What to Do About a Blue Screen of Death (BSOD)? Analyzing Microsoft Windows Dump Files

2020-11-13 13:55 | Category: Consumer Electronics

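BSOD (Blue Screen of Death) is the screen that Microsoft Windows displays when it cannot recover from a system error. When a BSOD appears, it usually means the Windows operating system has reached a state in which it can no longer operate normally. There are many possible causes, such as hardware failure, driver problems, or the abnormal termination of a critical process.

The figure below shows a typical BSOD screen in Windows 10:

Although the BSOD is a common failure screen in Windows, it is very difficult to work out the cause of the failure from the blue screen shown at the moment of the crash. However, if the setting shown in the figure below is changed to Complete memory dump, a complete memory dump can be obtained from the system after a BSOD occurs, and the cause of the BSOD can then be sought in that memory dump.

Figure: with the setting changed to Complete memory dump, a complete memory dump file can be obtained from the system.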


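·        Analyzing a Windows BSOD memory dump

Once the BSOD memory dump file has been obtained, Microsoft's WinDbg tool can be used to help find the cause of the BSOD. WinDbg is a multipurpose debugging tool for Microsoft Windows that can be downloaded from the Microsoft website and installed free of charge. Debugging is the process of finding and resolving system errors. WinDbg can be used to debug user-mode applications and drivers as well as the kernel-mode operating system itself. The WinDbg interface after launch is shown in the figure below:

Figure: WinDbg running

Over many years, Allion has worked closely and at length with the major PC brands and has accumulated extensive experience in WinDbg BSOD memory dump analysis. In summary, the causes of a Windows BSOD fall into the following categories:

·        Device driver issues
·        Application issues
·        Hardware device issues
·        Windows OS issues

Allion can help analyze the causes of Windows BSODs and provide directions and recommendations for resolving the problem.


An actual Allion BSOD memory dump analysis case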


BSOD occurs during the shutdown stress test; the BSOD code is 0x9f.

「Root Cause」: Windows was waiting for the Intel Wireless Bluetooth Driver to transfer to the next power state. Based on the analysis, the device driver did not transfer to the next power state, so the BSOD happened after the IRP was left pending.

「Detailed」: By checking the dump files, we confirmed that all BSODs were caused by the Intel Wireless Bluetooth Driver not transferring to the next power state, so the BSOD happened after the IRP was left pending.

>[IRP_MJ_POWER(16), IRP_MN_SET_POWER(2)]
            0 e1 ffff8508e793ee10 00000000 00000000-00000000    pending
               \Driver\ACPI
                        Args: 00000000 00000001 00000001 00000000

————————————————————————————————–

Windows was waiting for the device to transfer to the next power state.
Based on the above log, we can see the device did not transfer to the next power state,
so the BSOD happened after the IRP was left pending.

————————————————————————————————–

 

2: kd> !devstack ffff8508e6f2db90
  !DevObj           !DrvObj            !DevExt           ObjectName
  ffff8508e6f30d50  \Driver\BTHUSB     ffff8508e7991eb0
  ffff8508e6f318d0  \Driver\ibtusb     ffff8508e71da310
  ffff8508e793ee10  \Driver\ACPI       ffff8508d32e7010
> ffff8508e6f2db90  \Driver\USBHUB3    ffff8508e715e310  USBPDO-4
!DevNode ffff8508e79516b0 :
  DeviceInst is "USB\VID_8087&PID_0026\5&c5fc33b&0&10"
  ServiceName is "BTHUSB"

————————————————————————————————–

USB\VID_8087&PID_0026\5&c5fc33b&0&10
=>Intel Wireless Bluetooth Driver

————————————————————————————————–

REG_DWORD          UBR                          184

————————————————————————————————–

Windows 10 Pro 2004 (19041.388)

————————————————————————————————–

2: kd> lmvm UsbHub3
Browse full module list
start             end                 module name
fffff800`332d0000 fffff800`33373000   UsbHub3    (pdb symbols)          d:\symbol\usbhub3.pdb\FEB0212F8C4FD77DDEEBF0678FB00EA21\usbhub3.pdb
    Loaded symbol image file: UsbHub3.sys
    Image path: \SystemRoot\System32\drivers\UsbHub3.sys
    Image name: UsbHub3.sys
    Browse all global symbols  functions  data
    Image was built with /Brepro flag.
    Timestamp:        FDA30E83 (This is a reproducible build file hash, not a timestamp)
    CheckSum:         000AC346
    ImageSize:        000A3000
    File version:     10.0.19041.264
    Product version:  10.0.19041.264

————————————————————————————————–

UsbHub3.sys version is 10.0.19041.264
This version is the same as the version used in the latest MSFT QFE 2020.08B

————————————————————————————————–

 

2: kd> lmvm bthusb
Browse full module list
start             end                 module name
fffff800`38b70000 fffff800`38b91000   BTHUSB     (pdb symbols)          d:\symbol\bthusb.pdb\BE8B332932B8B19471111557BE5095DA1\bthusb.pdb
    Loaded symbol image file: BTHUSB.sys
    Image path: \SystemRoot\System32\drivers\BTHUSB.sys
    Image name: BTHUSB.sys
    Browse all global symbols  functions  data
    Image was built with /Brepro flag.
    Timestamp:        4B55908C (This is a reproducible build file hash, not a timestamp)
    CheckSum:         000279B2
    ImageSize:        00021000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
    Information from resource tables:

————————————————————————————————–

[Allion]

Can’t see the file version of BTHUSB.sys
But we can see that the Windows version on the BSOD machine is Windows 10 2004 (19041.388)
The latest version of BTHUSB.sys in MSFT QFE 2020.08B is 10.0.19041.423

————————————————————————————————–

2: kd> !reg querykey \REGISTRY\MACHINE\SYSTEM\CONTROLSET001\SERVICES\ibtusb
Sorry is not cached
=============================================================
Falling back to traversing the tree of nodes.
Hive        ffffe70f12c72000
KeyNode     ffffe70f176db5dc
[SubKeyAddr]        [SubKeyName]
ffffe70f176db8f4    Parameters
[SubKeyAddr]        [VolatileSubKeyName]
ffffe70f17efe664    Enum
 Use '!reg keyinfo ffffe70f12c72000 ' to dump the subkey details
[ValueType]        [ValueName]                  [ValueData]
REG_DWORD          Type                         1
REG_DWORD          Start                        3
REG_DWORD          ErrorControl                 1
REG_DWORD          Tag                          a
REG_EXPAND_SZ      ImagePath                    \SystemRoot\System32\DriverStore\FileRepository\ibtusb.inf_amd64_b9506ba89bf1aa17\ibtusb.sys
REG_SZ             DisplayName                  @oem55.inf,%ibtusb.SVCDESC_IBT%;インテル(R) ワイヤレスBluetooth(R)
REG_SZ             Group                        PNP Filter
REG_MULTI_SZ       Owners                       oem55.inf

————————————————————————————————–

[Allion]

=>Intel Wireless Bluetooth Driver

————————————————————————————————–

「Recommend」:

We suggest replacing the Intel wireless Bluetooth driver or reporting the issue to Intel.
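The triage steps of this case as an added example (not Allion's tooling and not part of the original article): it parses saved !irp and !devstack text, ties the pending power IRP to its device stack and USB hardware ID, and lists the drivers in the stack that fall outside an assumed in-box set. The function names and the INBOX set are assumptions of this example; the input is the debugger output shown above.

```python
import re

# Debugger output from the case above, with the "\" separators that were
# lost on the page put back; embedded so the example runs offline.
IRP_TEXT = r"""
>[IRP_MJ_POWER(16), IRP_MN_SET_POWER(2)]
            0 e1 ffff8508e793ee10 00000000 00000000-00000000    pending
               \Driver\ACPI
"""
DEVSTACK_TEXT = r"""
  !DevObj           !DrvObj            !DevExt           ObjectName
  ffff8508e6f30d50  \Driver\BTHUSB     ffff8508e7991eb0
  ffff8508e6f318d0  \Driver\ibtusb     ffff8508e71da310
  ffff8508e793ee10  \Driver\ACPI       ffff8508d32e7010
> ffff8508e6f2db90  \Driver\USBHUB3    ffff8508e715e310  USBPDO-4
!DevNode ffff8508e79516b0 :
  DeviceInst is "USB\VID_8087&PID_0026\5&c5fc33b&0&10"
  ServiceName is "BTHUSB"
"""
INBOX = {"bthusb", "acpi", "usbhub3"}  # assumption: treated as Windows in-box

def current_location(irp_text):
    """Parse the IRP's current ('>') stack location from !irp output."""
    m = re.search(r">\s*\[(\w+)\(\w+\),\s*(\w+)\(\w+\)\]\s+\w+\s+\w+\s+"
                  r"([0-9a-f]{16})(.*)", irp_text)
    if not m:
        raise ValueError("no current stack location found")
    return {"major": m[1], "minor": m[2], "devobj": m[3], "pending": "pending" in m[4]}

def device_stack(text):
    """Return [(devobj, driver)] from the top of the stack down to the PDO."""
    return re.findall(r"^\s*>?\s*([0-9a-f]{16})\s+\\Driver\\(\S+)", text, re.M)

def triage(irp_text, devstack_text):
    """Tie the pending power IRP to its device stack and hardware ID."""
    loc, stack = current_location(irp_text), device_stack(devstack_text)
    holder = [drv for dev, drv in stack if dev == loc["devobj"]]
    if not holder:
        raise ValueError("IRP's device object is not in this device stack")
    ids = re.search(r'DeviceInst is "[^"]*VID_([0-9A-F]{4})&PID_([0-9A-F]{4})', devstack_text, re.I)
    return {"irp": (loc["major"], loc["minor"]), "pending": loc["pending"],
            "held_at": holder[0], "stack": [drv for _, drv in stack],
            "vid_pid": (ids[1], ids[2]) if ids else None,
            "non_inbox": [d for _, d in stack if d.lower() not in INBOX]}

if __name__ == "__main__":
    for key, value in triage(IRP_TEXT, DEVSTACK_TEXT).items():
        print(f"{key}: {value}")
```

The non_inbox result is only a pointer to which driver packages to inspect next, as the case does with lmvm and !reg querykey; it does not by itself establish the root cause.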

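Author: 百佳泰测试实验室 (Allion test lab), Source: 面包板社区

Link: https://mbb.eet-china.com/blog/uid-me-400317.html

Copyright notice: this article is the blogger's original work; reproduction without the author's permission is prohibited!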
