This publicly available IT談話館 article is written for senior Windows engineers with more than ten years of hands-on experience.
IT談話館 has highly advanced expertise and a track record in analysing the deep internals of the Windows kernel and in detecting and analysing "anomalous behaviour" inside a system, crash causes first among them.
Windows system crashes and grasping the system overview
Windows has entered the era of delivery as SaaS, and its internals are updated frequently. For a variety of reasons, the details of most of those updates are hardly ever made public.
This article is written on the assumption that you have read the first part, 「Windowsシステムクラッシュとメモリダンプ解析技術」 (Windows System Crashes and Memory Dump Analysis Techniques).
Most organisations that ask IT談話館 to analyse a crash dump have already consulted their vendor's support desk or completed the basic analysis themselves. When IT談話館 receives a crash dump from a requester, the first step is to grasp the state of the system at the time of the crash and, at the same time, to gauge the requester's skill level and the background to the request. For that purpose we run our own analysis code and collect information such as the following.
Analyze info
DPC_WATCHDOG_VIOLATION (133)
The DPC watchdog detected a prolonged run time at an IRQL of DISPATCH_LEVEL
or above.
Arguments:
Arg1: 0000000000000000, A single DPC or ISR exceeded its time allotment. The offending
component can usually be identified with a stack trace.
Arg2: 0000000000000000, The DPC time count (in ticks).
Arg3: 0000000000000000, The DPC time allotment (in ticks).
Arg4: 0000000000000000, cast to nt!DPC_WATCHDOG_GLOBAL_TRIAGE_BLOCK, which contains
additional information regarding this single DPC timeout
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck 133, {0, 501, 500, 0}
Probably caused by : netr28ux.sys ( netr28ux+8bd3 )
Followup: MachineOwner
---------
Memory
fffff802`50b4e6e0 00000000`00000133
fffff802`50b4e6e8 00000000`00000000
fffff802`50b4e6f0 00000000`00000501
fffff802`50b4e6f8 00000000`00000500
fffff802`50b4e700 00000000`00000000
fffff802`50b4e708 00000000`00000000
fffff802`50b4e710 00000000`00000000
fffff802`50b4e718 00000000`00000000
fffff802`50b4e720 00000000`00000000
fffff802`50b4e728 00000000`00000000
fffff802`50b4e730 ffffe001`91e829f0
fffff802`50b4e738 fffff802`50b27e00 nt!EtwpBugCheckCallback
fffff802`50b4e740 fffff802`50b4e740 nt!KeBugCheckAddPagesCallbackListHead
fffff802`50b4e748 fffff802`50b4e740 nt!KeBugCheckAddPagesCallbackListHead
fffff802`50b4e750 00000000`00000000
fffff802`50b4e758 00000000`00000000
metacommand
Bugcheck code 00000133
Arguments 00000000`00000000 00000000`00000501 00000000`00000500 00000000`00000000
Inter-processor Interrupt
IPI State for Processor 0
TargetCount 0 PacketBarrier 0 IpiFrozen 0 [Running]
IPI State for Processor 1
TargetCount 0 PacketBarrier 0 IpiFrozen 2 [Frozen]
IPI State for Processor 2
TargetCount 0 PacketBarrier 0 IpiFrozen 2 [Frozen]
IPI State for Processor 3
TargetCount 0 PacketBarrier 0 IpiFrozen 2 [Frozen]
eProcesses
Processed 256 entries ffffe00192823be8 ffffe001978e7be8
Processed 512 entries ffffe0019792abe8 ffffe00197929be8
Processed 768 entries ffffe0019274c528 ffffe00197c0c368
Processed 1024 entries ffffe00197fe3368 ffffe00197fa5368
Processed 1280 entries ffffe001978ea368 ffffe00197c11368
Processed 1536 entries ffffe00197e7c368 ffffe00197eca368
Processed 1792 entries ffffe0019879abe8 ffffe00198638be8
Processed 2048 entries ffffe001985bcbe8 ffffe001985ca368
Processed 2304 entries ffffe00198831be8 ffffe0019882abe8
Processed 2560 entries ffffe001988f5368 ffffe00195babbe8
Found list end after 2590 entries
kProcesses
Found list end after 87 entries
Verifier
Verify Flags Level 0x0002092b
STANDARD FLAGS:
[X] (0x00000000) Automatic Checks
[X] (0x00000001) Special pool
[X] (0x00000002) Force IRQL checking
[X] (0x00000008) Pool tracking
[ ] (0x00000010) I/O verification
[X] (0x00000020) Deadlock detection
[ ] (0x00000080) DMA checking
[X] (0x00000100) Security checks
[X] (0x00000800) Miscellaneous checks
[X] (0x00020000) DDI compliance checking
ADDITIONAL FLAGS:
[ ] (0x00000004) Randomized low resources simulation
[ ] (0x00000200) Force pending I/O requests
[ ] (0x00000400) IRP logging
[ ] (0x00002000) Invariant MDL checking for stack
[ ] (0x00004000) Invariant MDL checking for driver
[ ] (0x00008000) Power framework delay fuzzing
[ ] (0x00010000) Port/miniport interface checking
[ ] (0x00040000) Systematic low resources simulation
[ ] (0x00080000) DDI compliance checking (additional)
[ ] (0x00200000) NDIS/WIFI verification
[ ] (0x00800000) Kernel synchronization delay fuzzing
[ ] (0x01000000) VM switch verification
[ ] (0x02000000) Code integrity checks
[X] Indicates flag is enabled
Summary of All Verifier Statistics
RaiseIrqls 0x6308c4
AcquireSpinLocks 0xeaa213
Synch Executions 0x0
Trims 0x565085
Pool Allocations Attempted 0x97cf64
Pool Allocations Succeeded 0x97cf64
Pool Allocations Succeeded SpecialPool 0x97cf64
Pool Allocations With NO TAG 0x24
Pool Allocations Failed 0x0
Current paged pool allocations 0x11a for 0019F2C6 bytes
Peak paged pool allocations 0x12f for 003A098E bytes
Current nonpaged pool allocations 0x5d87 for 01DF534B bytes
Peak nonpaged pool allocations 0x95c3 for 020D6667 bytes
Kernel Logs
(WmiTrace) StrDump Generic
LoggerContext Array @ 0xFFFFF80250B28720 [64 Elements]
Logger Id 0x02 @ 0xFFFFE00196C7BC00 Named 'Circular Kernel Context Logger'
Logger Id 0x03 @ 0xFFFFE001917BF040 Named 'Eventlog-Security'
Logger Id 0x04 @ 0xFFFFE00191758C00 Named 'AITEventLog'
Logger Id 0x05 @ 0xFFFFE0019175AC40 Named 'Audio'
Logger Id 0x06 @ 0xFFFFE0019175DC40 Named 'DiagLog'
Logger Id 0x07 @ 0xFFFFE0019175D840 Named 'EventLog-Application'
Logger Id 0x08 @ 0xFFFFE001917BE040 Named 'EventLog-Microsoft-Windows-WorkFolders-WHC'
Logger Id 0x09 @ 0xFFFFE001917BF440 Named 'EventLog-System'
Logger Id 0x0a @ 0xFFFFE00191A8C780 Named 'FamilySafetyAOT'
Logger Id 0x0b @ 0xFFFFE00191A96040 Named 'LwtNetLog'
Logger Id 0x0c @ 0xFFFFE00191B172C0 Named 'NtfsLog'
Logger Id 0x0d @ 0xFFFFE0019779AC40 Named 'Steam Event Tracing'
Logger Id 0x0e @ 0xFFFFE00191B1B040 Named 'SQMLogger'
Logger Id 0x0f @ 0xFFFFE00191B2D040 Named 'UBPM'
Logger Id 0x10 @ 0xFFFFE00191B30040 Named 'WdiContextLog'
Logger Id 0x12 @ 0xFFFFE00195ABD040 Named 'WFP-IPsec Diagnostics'
Logger Id 0x13 @ 0xFFFFE00195E29680 Named 'MpWppTracing-11062014-002959-00000003-ffffffff'
0*: Current->0xfffff80250bcaa00 Irql->0x0d PreIrql->0 Rip->00000000`00000000 nLevel->2 TF->0x0000000000000000
Process->0xfffff80250bca300 Name->Idle
State->0x2 WaitReason->25
0: Next->0xffffe001946c3880
Process->0xffffe0019161f040 Name->System
State->0x3 WaitReason->32
0: Idle->0xfffff80250bcaa00
Process->0xfffff80250bca300 Name->Idle
State->0x2 WaitReason->25
1: Current->0xffffe001973c3080 Irql->0x00
Process->0xffffe00191ea1080 Name->RustClient.exe
State->0x2 WaitReason->31
1: Next->***
1: Idle->0xffffd000d41d92c0
Process->0xfffff80250bca300 Name->Idle
State->0x2 WaitReason->00
2: Current->0xffffe00193ecf880 Irql->0x00
Process->0xffffe0019161f040 Name->System
State->0x2 WaitReason->00
2: Next->***
2: Idle->0xffffd000d43552c0
Process->0xfffff80250bca300 Name->Idle
State->0x2 WaitReason->00
3: Current->0xffffe00191e44040 Irql->0x00
Process->0xffffe0019161f040 Name->System
State->0x2 WaitReason->00
3: Next->***
3: Idle->0xffffd000d43d32c0
Process->0xfffff80250bca300 Name->Idle
State->0x2 WaitReason->00
Cores:4
At first glance this output looks like over-collection, but information at this level is extremely important for estimating the schedule and cost of the analysis and for gauging the requester's technical level. Analysis work is a business, and there is always a requester. The highlighted data (shown in red on the original page) give a number of hints. The Analyze info block prints the four parameters as zero, but the metacommand and Memory sections carry the real values, {0, 0x501, 0x500, 0}: Arg1 = 0 means a single DPC or ISR, and it ran for 0x501 ticks against an allotment of 0x500. The IPI state shows processor 0 still running while processors 1 to 3 are frozen, and processor 0 is the one at IRQL 0x0d (CLOCK_LEVEL on x64, the level at which the DPC watchdog check runs). The Verifier section shows Driver Verifier already enabled with flags 0x0002092b, meaning special pool, IRQL checking, pool tracking, deadlock detection, security checks, miscellaneous checks and DDI compliance checking were all active when the crash occurred. The process and ETW logger names (RustClient.exe, Steam Event Tracing) tell you what kind of machine this was.
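To show how the raw numbers in such an overview are turned into the first triage facts, here is an added example. It is not the IT談話館 analysis code; it is a small post-processing script that re-reads a few lines copied from the output above (embedded as a constructed sample so it runs offline), decodes the 0x133 parameters, expands the Verifier flag mask using the flag names the output itself lists, and identifies the crashing processor from the IPI state. The 15.625 ms clock tick used to convert the allotment to seconds is an assumption, noted in the code.

```python
"""Triage helper for the system-overview output shown above.

Added example, not the IT談話館 analysis code: a post-processing script that
re-reads a few lines of that output and turns the raw numbers into the facts
an analyst checks first.  Assumptions are marked in the comments.
"""
import re

# Constructed sample: lines copied from the output above, embedded so the
# script runs offline.
SAMPLE = """\
Bugcheck code 00000133
Arguments 00000000`00000000 00000000`00000501 00000000`00000500 00000000`00000000
IPI State for Processor 0
TargetCount 0 PacketBarrier 0 IpiFrozen 0 [Running]
IPI State for Processor 1
TargetCount 0 PacketBarrier 0 IpiFrozen 2 [Frozen]
Verify Flags Level 0x0002092b
0*: Current->0xfffff80250bcaa00 Irql->0x0d PreIrql->0 Rip->00000000`00000000 nLevel->2 TF->0x0000000000000000
1: Current->0xffffe001973c3080 Irql->0x00
"""

# Bit -> name, as the Verifier section of the output lists them.  "Automatic
# Checks" is shown with value 0x0 (always on) and therefore has no bit here.
VERIFIER_FLAGS = {
    0x1: "Special pool", 0x2: "Force IRQL checking",
    0x4: "Randomized low resources simulation", 0x8: "Pool tracking",
    0x10: "I/O verification", 0x20: "Deadlock detection", 0x80: "DMA checking",
    0x100: "Security checks", 0x200: "Force pending I/O requests", 0x400: "IRP logging",
    0x800: "Miscellaneous checks", 0x2000: "Invariant MDL checking for stack",
    0x4000: "Invariant MDL checking for driver", 0x8000: "Power framework delay fuzzing",
    0x10000: "Port/miniport interface checking", 0x20000: "DDI compliance checking",
    0x40000: "Systematic low resources simulation",
    0x80000: "DDI compliance checking (additional)", 0x200000: "NDIS/WIFI verification",
    0x800000: "Kernel synchronization delay fuzzing", 0x1000000: "VM switch verification",
    0x2000000: "Code integrity checks",
}

# Assumption: the DPC watchdog counts clock ticks at the default 15.625 ms
# interval, so the 0x500-tick allotment is the documented 20 s single-DPC limit.
CLOCK_TICK_MS = 15.625
DISPATCH_LEVEL = 2  # IRQL at which DPCs run


def parse_args(text):
    """Return (bugcheck code, [Arg1..Arg4]) from the metacommand lines."""
    code = int(re.search(r"Bugcheck code ([0-9a-fA-F]+)", text).group(1), 16)
    raw = re.search(r"Arguments (.+)", text).group(1).split()
    return code, [int(a.replace("`", ""), 16) for a in raw]


def decode_0x133(args):
    """Explain a DPC_WATCHDOG_VIOLATION (0x133) parameter set."""
    arg1, count, limit, _ = args
    if arg1 == 0:
        kind = "single DPC or ISR exceeded its time allotment"
    elif arg1 == 1:
        kind = "cumulative time at DISPATCH_LEVEL or above exceeded the limit"
    else:
        kind = "unrecognised Arg1"
    return {"kind": kind, "ticks": count, "limit_ticks": limit,
            "limit_s": limit * CLOCK_TICK_MS / 1000.0, "over_limit": count > limit}


def decode_verifier(text):
    """Return (mask, enabled flag names in bit order, bits not in the table)."""
    mask = int(re.search(r"Verify Flags Level 0x([0-9a-fA-F]+)", text).group(1), 16)
    enabled = [name for bit, name in sorted(VERIFIER_FLAGS.items()) if mask & bit]
    return mask, enabled, mask & ~sum(VERIFIER_FLAGS)


def parse_processors(text):
    """Map processor number -> (IPI state, IRQL of the thread current on it)."""
    states = dict(re.findall(r"IPI State for Processor (\d+)\n.*?\[(\w+)\]", text))
    irqls = {m.group(1): int(m.group(2), 16) for m in re.finditer(
        r"^(\d+)\*?: Current->\S+ Irql->0x([0-9a-fA-F]+)", text, re.M)}
    return {int(n): (states.get(n), irqls.get(n)) for n in set(states) | set(irqls)}


def crashing_processor(procs):
    """The bugcheck freezes every other processor by IPI, so the single one
    still [Running] raised it.  Returns (cpu, irql, was_at_or_above_dispatch)."""
    running = [n for n, (state, _) in procs.items() if state == "Running"]
    if len(running) != 1:
        return None
    cpu = running[0]
    irql = procs[cpu][1]
    return cpu, irql, irql is not None and irql >= DISPATCH_LEVEL


if __name__ == "__main__":
    code, args = parse_args(SAMPLE)
    print(f"bugcheck 0x{code:x}: {decode_0x133(args) if code == 0x133 else args}")
    mask, flags, unknown = decode_verifier(SAMPLE)
    print(f"verifier 0x{mask:x}: {', '.join(flags)} (unknown bits 0x{unknown:x})")
    print("crashing processor:", crashing_processor(parse_processors(SAMPLE)))
```

Run against the sample, the script reports a single DPC or ISR that ran 0x501 ticks against a 0x500-tick (20 s) allotment, seven Verifier options enabled with no unrecognised bits, and processor 0 as the crashing processor at IRQL 0x0d. Feeding it the full output instead of the sample only changes the number of processors it sees; the checks are the same ones an analyst performs by eye before estimating the work.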