1. Checking the System event log turned up an Event ID 1076 entry (the Shutdown Event Tracker record written when a user first logs on after an unexpected shutdown), as follows:
The reason supplied by user xxx for the last unexpected shutdown of this computer was: System Failure: Stop error
Reason Code: 0x805000f
Bug ID:
Bugcheck String: 0x0000007e (0xc0000005, 0x00000000, 0xf1fac17c, 0xf1fabe78)
Comment: 0x0000007e (0xc0000005, 0x00000000, 0xf1fac17c, 0xf1fabe78)
On its own, 0x0000007e only says roughly that the cause is a hardware compatibility issue, a faulty driver or service, or a software conflict. The four parameters narrow it down: 0x7E is SYSTEM_THREAD_EXCEPTION_NOT_HANDLED (a kernel-mode thread raised an exception that nothing handled); the first parameter, 0xc0000005, is STATUS_ACCESS_VIOLATION; the second is the address at which the exception occurred, here 0x00000000, meaning execution reached address 0, the usual signature of a call through a null function pointer; the third and fourth (0xf1fac17c and 0xf1fabe78) are the addresses of the exception record and the context record saved in the dump. Which driver made that call can only be read from the dump itself.
2. So I opened the memory.dmp crash dump in WinDbg (File > Open Crash Dump); the output was as follows:
Microsoft (R) Windows Debugger Version 6.12.0002.633 X86
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [C:\WINDOWS\MEMORY.DMP]
Kernel Summary Dump File: Only kernel address space is available
Symbol search path is: *** Invalid ***
****************************************************************************
* Symbol loading may be unreliable without a symbol search path. *
* Use .symfix to have the debugger choose a symbol path. *
* After setting your symbol path, use .reload to refresh symbol locations. *
****************************************************************************
Executable search path is:
*********************************************************************
* Symbols can not be loaded because symbol path is not initialized. *
* *
* The Symbol Path can be set by: *
* using the _NT_SYMBOL_PATH environment variable. *
* using the -y <symbol_path> argument when starting the debugger. *
* using .sympath and .sympath+ *
*********************************************************************
*** ERROR: Symbol file could not be found. Defaulted to export symbols for ntkrpamp.exe -
Windows Server 2003 Kernel Version 3790 (Service Pack 2) MP (8 procs) Free x86 compatible
Product: Server, suite: Enterprise TerminalServer
Built by: 3790.srv03_sp2_gdr.101019-0340
Machine Name:
Kernel base = 0x80800000 PsLoadedModuleList = 0x808a6ea8
Debug session time: Sat Apr 30 12:06:03.781 2011 (UTC + 8:00)
System Uptime: 13 days 0:32:16.166
*********************************************************************
* Symbols can not be loaded because symbol path is not initialized. *
* *
* The Symbol Path can be set by: *
* using the _NT_SYMBOL_PATH environment variable. *
* using the -y <symbol_path> argument when starting the debugger. *
* using .sympath and .sympath+ *
*********************************************************************
*** ERROR: Symbol file could not be found. Defaulted to export symbols for ntkrpamp.exe -
Loading Kernel Symbols
...............................................................
......................................................
Loading User Symbols
PEB is paged out (Peb.Ldr = 7ffdc00c). Type ".hh dbgerr001" for details
Loading unloaded module list
..................................................
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck 7E, {c0000005, 0, f1fac17c, f1fabe78}
*** ERROR: Module load completed but symbols could not be loaded for mssmbios.sys
***** Kernel symbols are WRONG. Please fix symbols to do analysis.
*************************************************************************
*** ***
*** ***
*** Your debugger is not using the correct symbols ***
*** ***
*** In order for this command to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: nt!_KPRCB ***
*** ***
*************************************************************************
*** ERROR: Symbol file could not be found. Defaulted to export symbols for termdd.sys -
*** ERROR: Module load completed but symbols could not be loaded for RDPWD.SYS
*** ERROR: Module load completed but symbols could not be loaded for TDTCP.SYS
*************************************************************************
*** ***
*** ***
*** Your debugger is not using the correct symbols ***
*** ***
*** In order for this command to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: nt!_KPRCB ***
*** ***
*************************************************************************
*************************************************************************
*** ***
*** ***
*** Your debugger is not using the correct symbols ***
*** ***
*** In order for this command to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: nt!_KPRCB ***
*** ***
*************************************************************************
Probably caused by : rdpdr.sys ( rdpdr+10c93 )
Followup: MachineOwner
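The script below is an added example and is not part of the original post or of any Microsoft tool. It parses the bugcheck line in both forms shown above (the Event ID 1076 "Bugcheck String" and WinDbg's "BugCheck 7E, {...}" line), decodes the four 0x7E parameters, flags the exception-at-address-0 pattern, records WinDbg's "Probably caused by" verdict as unverified (it was produced with export symbols only, as the "Kernel symbols are WRONG" banner says), and prints the commands to run once a symbol path is set so that the exception and context records named in parameters 3 and 4 can be inspected directly. The input lines are copied from the text above; the function names and the two small name tables are this example's own, and the tables cover only the codes relevant here.

```python
import re

# Names for the codes that appear in this incident (a small subset of the
# Windows tables; anything else is printed as a raw hex value).
BUGCHECK_NAMES = {0x7E: "SYSTEM_THREAD_EXCEPTION_NOT_HANDLED"}
NTSTATUS_NAMES = {
    0xC0000005: "STATUS_ACCESS_VIOLATION",
    0x80000003: "STATUS_BREAKPOINT",
    0xC000001D: "STATUS_ILLEGAL_INSTRUCTION",
}

HEX = r"0x[0-9a-fA-F]+"
# Event ID 1076 form: 0x0000007e (0xc0000005, 0x00000000, 0xf1fac17c, 0xf1fabe78)
EVENT_RE = re.compile(
    rf"({HEX})\s*\(\s*({HEX})\s*,\s*({HEX})\s*,\s*({HEX})\s*,\s*({HEX})\s*\)"
)
# WinDbg form: BugCheck 7E, {c0000005, 0, f1fac17c, f1fabe78}
WINDBG_RE = re.compile(r"BugCheck\s+([0-9a-fA-F]+)\s*,\s*\{([^}]*)\}")
# WinDbg verdict: Probably caused by : rdpdr.sys ( rdpdr+10c93 )
CULPRIT_RE = re.compile(r"Probably caused by\s*:\s*(\S+)\s*\(\s*([^)]*?)\s*\)")


def parse_bugcheck(line):
    """Return (code, [p1, p2, p3, p4]) from either text form, or None."""
    m = EVENT_RE.search(line)
    if m:
        return int(m.group(1), 16), [int(m.group(i), 16) for i in range(2, 6)]
    m = WINDBG_RE.search(line)
    if m:
        params = [int(p.strip(), 16) for p in m.group(2).split(",")]
        if len(params) == 4:
            return int(m.group(1), 16), params
    return None


def decode_7e(code, params):
    """Interpret bugcheck 0x7E: p1 = exception code, p2 = address at which the
    exception occurred, p3 = exception record address, p4 = context record
    address. STATUS_ACCESS_VIOLATION at address 0 means execution reached
    address 0, the usual signature of a call through a null function pointer,
    so the real caller has to be found on the stack of the saved context."""
    if code != 0x7E:
        raise ValueError(f"not a 0x7E bugcheck: 0x{code:X}")
    exc, addr, exr, cxr = params
    return {
        "bugcheck": BUGCHECK_NAMES.get(code, f"0x{code:08X}"),
        "exception": NTSTATUS_NAMES.get(exc, f"0x{exc:08X}"),
        "fault_address": addr,
        "exception_record": exr,
        "context_record": cxr,
        "null_call": exc == 0xC0000005 and addr == 0,
    }


def parse_culprit(line):
    """Return (module, symbol+offset) from WinDbg's verdict line, or None."""
    m = CULPRIT_RE.search(line)
    return (m.group(1), m.group(2)) if m else None


def windbg_followup(info):
    """Commands to run after fixing the symbol path: re-run the analysis,
    dump the exception record (p3), switch to the context record (p4) and
    walk the stack from there to see who called address 0."""
    return [
        ".symfix",
        ".reload",
        "!analyze -v",
        f".exr 0x{info['exception_record']:08x}",
        f".cxr 0x{info['context_record']:08x}",
        "kb",
    ]


def analyze(bugcheck_line, verdict_line=None):
    """Full pipeline for one dump: decoded parameters plus follow-up commands."""
    parsed = parse_bugcheck(bugcheck_line)
    if parsed is None:
        raise ValueError("no bugcheck parameters found")
    info = decode_7e(*parsed)
    info["culprit"] = parse_culprit(verdict_line) if verdict_line else None
    info["followup"] = windbg_followup(info)
    return info


# Constructed input: the lines copied from the event log and WinDbg output above.
EVENT_LINE = "Bugcheck String: 0x0000007e (0xc0000005, 0x00000000, 0xf1fac17c, 0xf1fabe78)"
WINDBG_LINE = "BugCheck 7E, {c0000005, 0, f1fac17c, f1fabe78}"
VERDICT_LINE = "Probably caused by : rdpdr.sys ( rdpdr+10c93 )"

if __name__ == "__main__":
    for line in (EVENT_LINE, WINDBG_LINE):
        report = analyze(line, VERDICT_LINE)
        print(f"{report['bugcheck']}: {report['exception']} at 0x{report['fault_address']:08x}"
              + (" (call through a null pointer)" if report["null_call"] else ""))
        print("unverified culprit (export symbols only):", report["culprit"])
        print("run in WinDbg:", "; ".join(report["followup"]))
```

The "rdpdr+10c93" offset comes from export symbols, so it should be treated as a hint, not a finding: the `.cxr` plus `kb` pair shows the actual frames that led to the jump to address 0, and a frame inside rdpdr.sys there (with proper symbols loaded) is what confirms the verdict.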
3. Searching Google for rdpdr.sys together with system restarts, the most plausible explanation is a flaw in rdpdr.sys: after a remote user redirects a local disk drive, copying files from the redirected local drive can cause the server to restart. The fix is to install hotfix KB960652, which updates rdpdr.sys. Note that the "Probably caused by : rdpdr.sys" verdict above was produced without a valid symbol path (the debugger reports "Kernel symbols are WRONG"), so before applying the hotfix it is worth setting a symbol path (.symfix, then .reload) and re-running !analyze -v to confirm the attribution, and checking the version of the installed rdpdr.sys against the file list in the hotfix article.