Bluescreen analysis with WhoCrashed, BlueScreenView and WinDbg - different results

3

We are investigating BSODs on a Windows 2008 R2 terminal server.

We found that the results of WinDbg and BlueScreenView were inconsistent, so we tried WhoCrashed Home and WhoCrashed Pro (always the latest versions).

These are the results:

BlueScreenView

WhoCrashed Home

WhoCrashed Pro

WhoCrashed Pro and WinDbg have the fewest contradictions.

WinDbg usually cannot determine the causing driver, which is why we used BlueScreenView in the past. But it seems that none of the tools can confirm this.

What is the cause of these differences?

Are the tools doing more than just walking the stack and resolving symbols from different sources (such as some kind of heuristic analysis), which might be right but is not always reliable?

Edit
The details

BlueScreenView detail

WhoCrashed Home detail

crash dump file: C:\Windows\Minidump1014-20841-01.dmp
This was probably caused by the following module: ntoskrnl.exe (nt+0x75BC0) 
Bugcheck code: 0xFC (0xFFFFF880009C6FB8, 0x800000000292F963, 0xFFFFF8800D2F8EB0, 0x2)
Error: ATTEMPTED_EXECUTE_OF_NOEXECUTE_MEMORY
file path: C:\Windows\system32\ntoskrnl.exe
product: Microsoft® Windows® Operating System
company: Microsoft Corporation
description: NT Kernel & System

Bug check description: This indicates that an attempt was made to execute non-executable memory. This might be a case of memory corruption. More often memory corruption happens because of software errors in buggy drivers, not because of faulty RAM modules. There is a possibility this problem was caused by a virus or other malware. The crash took place in the Windows kernel. Possibly this problem is caused by another driver that cannot be identified at this time.

WhoCrashed Pro detail

Crash dump file:        C:\ZZAnalyze\BAIL\Minidump1014-20841-01.dmp
Date/time:              10.11.2014 08:45:04 GMT
Uptime:                 9 days, 15:04:22
Machine:                VMW7X64
Bug check name:         ATTEMPTED_EXECUTE_OF_NOEXECUTE_MEMORY
Bug check code:         0xFC
Bug check parm 1:       0xFFFFF880009C6FB8
Bug check parm 2:       0x800000000292F963
Bug check parm 3:       0xFFFFF8800D2F8EB0
Bug check parm 4:       0x2
Probably caused by:     mfehidk.sys
Driver description:     
Driver product:         
Driver company:         
OS build:               Built by: 7601.18409.amd64fre.win7sp1_gdr.140303-2144
Architecture:           x64 (64 bit)
CPU count:              4
Page size:              4096

Bug check description: 
This indicates that an attempt was made to execute non-executable memory.

Comments: This might be a case of memory corruption. More often memory corruption happens because of software errors in buggy drivers, not because of faulty RAM modules. There is a possibility this problem was caused by a virus or other malware. A third party driver was identified as the probable root cause of this system error. It is suggested you look for an update for the following driver: mfehidk.sys.

    
by boboes 08.01.2015 / 20:15
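
Added example, not part of the original question and not code from any of the tools named: it parses constructed excerpts of the two WhoCrashed reports above, separates the fields recorded in the dump (bug check code and parameters) from each tool's "probably caused by" inference, and decodes parameter 2 of bug check 0xFC as an x64 page table entry. The parameter meanings follow Microsoft's bug check 0xFC reference (parameter 1 is the virtual address whose execution was attempted, parameter 2 the PTE contents); the function names are hypothetical.

```python
import re

# Constructed excerpts of the two reports shown on this page.
HOME = """\
This was probably caused by the following module: ntoskrnl.exe (nt+0x75BC0)
Bugcheck code: 0xFC (0xFFFFF880009C6FB8, 0x800000000292F963, 0xFFFFF8800D2F8EB0, 0x2)
"""
PRO = """\
Bug check code:         0xFC
Bug check parm 1:       0xFFFFF880009C6FB8
Bug check parm 2:       0x800000000292F963
Bug check parm 3:       0xFFFFF8800D2F8EB0
Bug check parm 4:       0x2
Probably caused by:     mfehidk.sys
"""

def parse_report(text):
    """Split a report into recorded facts (code, params) and the tool's guess."""
    code = int(re.search(r"Bug\s?check code:\s*(0x[0-9A-Fa-f]+)", text).group(1), 16)
    params = re.findall(r"parm \d:\s*(0x[0-9A-Fa-f]+)", text)
    if not params:  # the Home edition prints the parameters inline in parentheses
        params = re.search(r"code:[^(]*\(([^)]*)\)", text).group(1).split(",")
    blamed = re.search(r"caused by(?: the following module)?:\s*(\S+)", text, re.I).group(1)
    return {"code": code, "params": tuple(int(p.strip(), 16) for p in params),
            "blamed": blamed}

def decode_pte(pte):
    """Decode the architectural bits of an x64 page table entry."""
    return {"present": bool(pte & 1), "writable": bool(pte >> 1 & 1),
            "user": bool(pte >> 2 & 1), "pfn": (pte >> 12) & ((1 << 40) - 1),
            "no_execute": bool(pte >> 63 & 1)}

def compare(a, b):
    """Code and parameters are read from the dump; 'blamed' is each tool's inference."""
    return {"same_facts": (a["code"], a["params"]) == (b["code"], b["params"]),
            "same_blame": a["blamed"].lower() == b["blamed"].lower()}

if __name__ == "__main__":
    home, pro = parse_report(HOME), parse_report(PRO)
    print(compare(home, pro))
    if home["code"] == 0xFC:  # parameter 2 of 0xFC is the PTE contents
        print(hex(home["params"][0]), decode_pte(home["params"][1]))
```

Both reports agree on the recorded bug check data and differ only in the attributed module, and the PTE in parameter 2 has the no-execute bit set for a present, supervisor-only page.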

0 answers
