Today a production server suddenly went down and rebooted. At first I assumed the hot weather had pushed the server-room temperature too high, but once the machine was back up I checked the timestamps in the event logs and found that it had blue-screened and rebooted. I located the crash dump in the C:\Windows\Minidump folder and opened it in WinDbg for analysis:
Microsoft (R) Windows Debugger Version 6.12.0002.633 X86
Copyright (c) Microsoft Corporation. All rights reserved.

Loading Dump File [C:\Documents and Settings\Administrator\桌面\071819-27019-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: srv*c:\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for ntkrnlmp.exe -
Windows 7 Kernel Version 7601 (Service Pack 1) MP (16 procs) Free x64
Product: Server, suite: Enterprise TerminalServer SingleUserTS
Built by: 7601.23677.amd64fre.win7sp1_ldr.170209-0600
Machine Name:
Kernel base = 0xfffff800`02c02000 PsLoadedModuleList = 0xfffff800`02e44730
Debug session time: Thu Jul 18 11:10:20.372 2019 (UTC + 8:00)
System Uptime: 7 days 22:34:23.934
Loading Kernel Symbols
...............................................................
................................................................
........................
Loading User Symbols
Loading unloaded module list
........
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 1E, {ffffffffc0000005, fffff80002cd0374, 0, 7ffffff0000}

Unable to load image 360Hvm64.sys, Win32 error 0n2
*** WARNING: Unable to verify timestamp for 360Hvm64.sys
*** ERROR: Module load completed but symbols could not be loaded for 360Hvm64.sys
Probably caused by : 360Hvm64.sys ( 360Hvm64+33444 )

Followup: MachineOwner
---------

4: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

KMODE_EXCEPTION_NOT_HANDLED (1e)
This is a very common bugcheck.  Usually the exception address pinpoints
the driver/function that caused the problem.  Always note this address
as well as the link date of the driver/image that contains this address.
Arguments:
Arg1: ffffffffc0000005, The exception code that was not handled
Arg2: fffff80002cd0374, The address that the exception occurred at
Arg3: 0000000000000000, Parameter 0 of the exception
Arg4: 000007ffffff0000, Parameter 1 of the exception

Debugging Details:
------------------

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - "0xlx"

FAULTING_IP:
nt! ?? ::FNODOBFM::`string'+b381
fffff800`02cd0374 8a01            mov     al,byte ptr [rcx]

EXCEPTION_PARAMETER1:  0000000000000000

EXCEPTION_PARAMETER2:  000007ffffff0000

READ_ADDRESS: GetPointerFromAddress: unable to read from fffff80002eae100
 000007ffffff0000

ERROR_CODE: (NTSTATUS) 0xc0000005 - "0xlx"

BUGCHECK_STR:  0x1E_c0000005

CUSTOMER_CRASH_COUNT:  1

DEFAULT_BUCKET_ID:  DRIVER_FAULT_SERVER_MINIDUMP

PROCESS_NAME:  VoipService.ex

CURRENT_IRQL:  1

TRAP_FRAME:  fffff8800b468e10 -- (.trap 0xfffff8800b468e10)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=000007ffffff0000 rbx=0000000000000000 rcx=000007ffffff0000
rdx=0000000000000000 rsi=0000000000000000 rdi=0000000000000000
rip=fffff80002cd0374 rsp=fffff8800b468fa0 rbp=000007fef9647a4c
 r8=0000000000000000  r9=000007fef9f0813c r10=fffff8800b469ae8
r11=000007fef9630000 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei ng nz na po nc
nt! ?? ::FNODOBFM::`string'+0xb381:
fffff800`02cd0374 8a01            mov     al,byte ptr [rcx] ds:000007ff`ffff0000=??
Resetting default scope

LAST_CONTROL_TRANSFER:  from fffff80002cf27b2 to fffff80002c71440

STACK_TEXT:
fffff880`0b468588 fffff800`02cf27b2 : 00000000`0000001e ffffffff`c0000005 fffff800`02cd0374 00000000`00000000 : nt!KeBugCheckEx
fffff880`0b468590 fffff800`02c70ac2 : fffff880`0b468d68 fffff880`0b4690c0 fffff880`0b468e10 00000000`00000007 : nt! ?? ::FNODOBFM::`string'+0x40e5d
fffff880`0b468c30 fffff800`02c6f63a : 00000000`00000000 000007ff`ffff0000 fffffa80`231f7800 fffff880`0b4690c0 : nt!KiExceptionDispatch+0xc2
fffff880`0b468e10 fffff800`02cd0374 : fffff880`0b467004 fffff880`0b4690a8 fffff880`0b4690a0 fffff800`02c07f2a : nt!KiPageFault+0x23a
fffff880`0b468fa0 fffff800`02f690d1 : fffff880`00000000 000007fe`f9630000 fffff880`00000000 fffff880`00000000 : nt! ?? ::FNODOBFM::`string'+0xb381
fffff880`0b469030 fffff800`02c63f21 : 00000000`00000000 fffff880`0d5273b0 00000000`00000004 fffff880`0b46a000 : nt!PspGetSetContextInternal+0x265
fffff880`0b4695d0 fffff800`02c65443 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!PspGetSetContextSpecialApc+0xa1
fffff880`0b4696e0 fffff800`02c7697d : fffffa80`2594f120 00000000`00000000 00000000`00000000 fffffa80`2594f060 : nt!KiDeliverApc+0x1e3
fffff880`0b469760 fffff800`02c78f9f : fffffa80`00000000 00000000`00000004 fffffa80`00000000 fffff800`02f6e506 : nt!KiCommitThreadWait+0x3dd
fffff880`0b4697f0 fffff800`02c647e4 : 00000000`00000000 00000000`00000005 00000000`00000000 00000000`00000000 : nt!KeWaitForSingleObject+0x19f
fffff880`0b469890 fffff800`02c6547d : fffffa80`2594f060 fffff880`0b469950 00000000`00000000 00000000`00000000 : nt!KiSuspendThread+0x54
fffff880`0b4698d0 fffff800`02cbd0a7 : 00000000`2f9ae9f0 00000000`00000000 fffff800`02c64790 00000000`00000000 : nt!KiDeliverApc+0x21d
fffff880`0b469950 fffff880`058b0444 : 000007fe`f9647a4c fffff880`0b469b60 00000000`00000000 000007fe`99eb3c10 : nt!KiApcInterrupt+0xd7
fffff880`0b469ae0 000007fe`f9647a4c : fffff880`0b469b60 00000000`00000000 000007fe`99eb3c10 00000000`00000000 : 360Hvm64+0x33444
fffff880`0b469ae8 fffff880`0b469b60 : 00000000`00000000 000007fe`99eb3c10 00000000`00000000 00001fa0`02010000 : 0x7fe`f9647a4c
fffff880`0b469af0 00000000`00000000 : 000007fe`99eb3c10 00000000`00000000 00001fa0`02010000 000007fe`f9ce39b0 : 0xfffff880`0b469b60


STACK_COMMAND:  kb

FOLLOWUP_IP:
360Hvm64+33444
fffff880`058b0444 ??              ???

SYMBOL_STACK_INDEX:  d

SYMBOL_NAME:  360Hvm64+33444

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: 360Hvm64

IMAGE_NAME:  360Hvm64.sys

DEBUG_FLR_IMAGE_TIMESTAMP:  5cad60c4

FAILURE_BUCKET_ID:  X64_0x1E_c0000005_360Hvm64+33444

BUCKET_ID:  X64_0x1E_c0000005_360Hvm64+33444

Followup: MachineOwner
---------

The crash turned out to be caused by the 360Hvm64.sys driver that ships with 360 Safeguard (360安全卫士), so I uninstalled 360 Safeguard without hesitation and replaced it with Huorong (火绒).
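The triage the post performs by hand (confirm the reboot was a bugcheck, find the minidump, run `!analyze -v`) as a PowerShell script; this is an added example, not code from the original post. The cdb.exe location and the local symbol cache are assumptions to adjust; the symbol server path mirrors the one in the post's WinDbg session.

```powershell
# Added example (not from the original post): batch triage of a bugcheck reboot.
# Assumes Debugging Tools for Windows are installed (adjust $CdbPath), an elevated
# session, and network access to the Microsoft symbol server.
$DumpDir = 'C:\Windows\Minidump'
$CdbPath = 'C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\cdb.exe'  # placeholder
$SymPath = 'srv*c:\symbols*https://msdl.microsoft.com/download/symbols'

# Step 1: was the reboot a crash or a power event? Event ID 1001 from the
# Microsoft-Windows-WER-SystemErrorReporting provider (source "BugCheck") reads
# "The computer has rebooted from a bugcheck. The bugcheck was: 0x0000001e (...)"
# and names the dump file that was written.
Write-Host '== Bugcheck reboot events in the System log =='
Get-WinEvent -FilterHashtable @{
    LogName = 'System'; ProviderName = 'Microsoft-Windows-WER-SystemErrorReporting'; Id = 1001
} -MaxEvents 5 -ErrorAction SilentlyContinue |
    ForEach-Object { '{0}  {1}' -f $_.TimeCreated, ($_.Message -split "`r?`n")[0] }

# Steps 2 and 3: for each minidump (newest first) run !analyze -v non-interactively
# and keep the lines an analyst reads first. "Probably caused by" is the debugger's
# heuristic: in the post's dump the faulting instruction is inside nt, and 360Hvm64
# is named because it is the last third-party frame on the stack, so the matching
# STACK_TEXT frames are pulled out too rather than trusting the one-liner alone.
function Invoke-MinidumpTriage {
    param([Parameter(Mandatory)][string]$Dump)
    if (-not (Test-Path $CdbPath)) { throw "cdb.exe not found at $CdbPath" }
    # -z dump file, -y symbol path, -c commands to execute (then quit)
    $out = & $CdbPath -z $Dump -y $SymPath -c '!analyze -v; q' 2>&1 | ForEach-Object { "$_" }
    [pscustomobject]@{
        Dump           = Split-Path $Dump -Leaf
        BugCheck       = ($out | Select-String '^BugCheck ' | Select-Object -First 1).Line
        Process        = ($out | Select-String '^PROCESS_NAME:' | Select-Object -First 1).Line
        ProbablyCaused = ($out | Select-String '^Probably caused by' | Select-Object -First 1).Line
        Bucket         = ($out | Select-String '^FAILURE_BUCKET_ID:' | Select-Object -First 1).Line
        # STACK_TEXT frames whose symbol is not in nt (e.g. "360Hvm64+0x33444")
        NonKernelFrames = (($out | Select-String '^\S+ \S+ : .* : (?!nt!)\w+[+!]' |
            Select-Object -First 3).Line) -join ' | '
    }
}

Get-ChildItem -Path $DumpDir -Filter *.dmp -ErrorAction SilentlyContinue |
    Sort-Object LastWriteTime -Descending |
    ForEach-Object { Invoke-MinidumpTriage -Dump $_.FullName } |
    Format-List
```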