Guide to the "Windows Memory Dump Analysis Service"




 The publicly available articles of this "IT談話館" are written for senior Windows engineers with more than ten years of hands-on experience.
 The site holds highly advanced expertise and a track record in analyzing the deep layers of the Windows kernel and in detecting and analyzing "abnormal behavior" inside a system, beginning with the causes of crashes.



Windows System Crashes and Grasping the System Overview


 Windows has entered the era of being delivered as SaaS, and its internals are updated frequently. For various reasons, the contents of most of those updates are rarely made public.

 This article is written on the premise of the preceding part, "Windowsシステムクラッシュとメモリダンプ解析技術" (Windows System Crashes and Memory Dump Analysis Techniques).

 Most organizations that request crash dump analysis from this "IT談話館" have already gone through vendor support consultations and basic analysis on their own. When the site receives a crash dump from a requester, it first needs to grasp the overview of the system at the time of the crash and, at the same time, to assess the requester's skill level and the background of the request; to that end it runs its own analysis code and collects information such as the following.
Analyze info
DPC_WATCHDOG_VIOLATION (133)
The DPC watchdog detected a prolonged run time at an IRQL of DISPATCH_LEVEL
or above.
Arguments:
Arg1: 0000000000000000, A single DPC or ISR exceeded its time allotment. The offending
	component can usually be identified with a stack trace.
Arg2: 0000000000000000, The DPC time count (in ticks).
Arg3: 0000000000000000, The DPC time allotment (in ticks).
Arg4: 0000000000000000, cast to nt!DPC_WATCHDOG_GLOBAL_TRIAGE_BLOCK, which contains
	additional information regarding this single DPC timeout
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 133, {0, 501, 500, 0}

Probably caused by : netr28ux.sys ( netr28ux+8bd3 )

Followup:     MachineOwner
---------


Memory
fffff802`50b4e6e0  00000000`00000133
fffff802`50b4e6e8  00000000`00000000
fffff802`50b4e6f0  00000000`00000501
fffff802`50b4e6f8  00000000`00000500
fffff802`50b4e700  00000000`00000000
fffff802`50b4e708  00000000`00000000
fffff802`50b4e710  00000000`00000000
fffff802`50b4e718  00000000`00000000
fffff802`50b4e720  00000000`00000000
fffff802`50b4e728  00000000`00000000
fffff802`50b4e730  ffffe001`91e829f0
fffff802`50b4e738  fffff802`50b27e00 nt!EtwpBugCheckCallback
fffff802`50b4e740  fffff802`50b4e740 nt!KeBugCheckAddPagesCallbackListHead
fffff802`50b4e748  fffff802`50b4e740 nt!KeBugCheckAddPagesCallbackListHead
fffff802`50b4e750  00000000`00000000
fffff802`50b4e758  00000000`00000000

metacommand
Bugcheck code 00000133
Arguments 00000000`00000000 00000000`00000501 00000000`00000500 00000000`00000000

Inter-processor Interrupt
IPI State for Processor 0
    TargetCount          0  PacketBarrier        0  IpiFrozen     0 [Running]


IPI State for Processor 1
    TargetCount          0  PacketBarrier        0  IpiFrozen     2 [Frozen]


IPI State for Processor 2
    TargetCount          0  PacketBarrier        0  IpiFrozen     2 [Frozen]


IPI State for Processor 3
    TargetCount          0  PacketBarrier        0  IpiFrozen     2 [Frozen]



eProcesses
Processed 256 entries ffffe00192823be8 ffffe001978e7be8
Processed 512 entries ffffe0019792abe8 ffffe00197929be8
Processed 768 entries ffffe0019274c528 ffffe00197c0c368
Processed 1024 entries ffffe00197fe3368 ffffe00197fa5368
Processed 1280 entries ffffe001978ea368 ffffe00197c11368
Processed 1536 entries ffffe00197e7c368 ffffe00197eca368
Processed 1792 entries ffffe0019879abe8 ffffe00198638be8
Processed 2048 entries ffffe001985bcbe8 ffffe001985ca368
Processed 2304 entries ffffe00198831be8 ffffe0019882abe8
Processed 2560 entries ffffe001988f5368 ffffe00195babbe8
Found list end after 2590 entries

kProcesses
Found list end after 87 entries

Verifier

Verify Flags Level 0x0002092b

  STANDARD FLAGS:
    [X] (0x00000000) Automatic Checks
    [X] (0x00000001) Special pool
    [X] (0x00000002) Force IRQL checking
    [X] (0x00000008) Pool tracking
    [ ] (0x00000010) I/O verification
    [X] (0x00000020) Deadlock detection
    [ ] (0x00000080) DMA checking
    [X] (0x00000100) Security checks
    [X] (0x00000800) Miscellaneous checks
    [X] (0x00020000) DDI compliance checking

  ADDITIONAL FLAGS:
    [ ] (0x00000004) Randomized low resources simulation
    [ ] (0x00000200) Force pending I/O requests
    [ ] (0x00000400) IRP logging
    [ ] (0x00002000) Invariant MDL checking for stack
    [ ] (0x00004000) Invariant MDL checking for driver
    [ ] (0x00008000) Power framework delay fuzzing
    [ ] (0x00010000) Port/miniport interface checking
    [ ] (0x00040000) Systematic low resources simulation
    [ ] (0x00080000) DDI compliance checking (additional)
    [ ] (0x00200000) NDIS/WIFI verification
    [ ] (0x00800000) Kernel synchronization delay fuzzing
    [ ] (0x01000000) VM switch verification
    [ ] (0x02000000) Code integrity checks

    [X] Indicates flag is enabled


Summary of All Verifier Statistics

  RaiseIrqls           0x6308c4
  AcquireSpinLocks     0xeaa213
  Synch Executions     0x0
  Trims                0x565085

  Pool Allocations Attempted             0x97cf64
  Pool Allocations Succeeded             0x97cf64
  Pool Allocations Succeeded SpecialPool 0x97cf64
  Pool Allocations With NO TAG           0x24
  Pool Allocations Failed                0x0

  Current paged pool allocations         0x11a for 0019F2C6 bytes
  Peak paged pool allocations            0x12f for 003A098E bytes
  Current nonpaged pool allocations      0x5d87 for 01DF534B bytes
  Peak nonpaged pool allocations         0x95c3 for 020D6667 bytes


Kernel Logs
(WmiTrace) StrDump Generic
  LoggerContext Array @ 0xFFFFF80250B28720 [64 Elements]
    Logger Id 0x02 @ 0xFFFFE00196C7BC00 Named 'Circular Kernel Context Logger'
    Logger Id 0x03 @ 0xFFFFE001917BF040 Named 'Eventlog-Security'
    Logger Id 0x04 @ 0xFFFFE00191758C00 Named 'AITEventLog'
    Logger Id 0x05 @ 0xFFFFE0019175AC40 Named 'Audio'
    Logger Id 0x06 @ 0xFFFFE0019175DC40 Named 'DiagLog'
    Logger Id 0x07 @ 0xFFFFE0019175D840 Named 'EventLog-Application'
    Logger Id 0x08 @ 0xFFFFE001917BE040 Named 'EventLog-Microsoft-Windows-WorkFolders-WHC'
    Logger Id 0x09 @ 0xFFFFE001917BF440 Named 'EventLog-System'
    Logger Id 0x0a @ 0xFFFFE00191A8C780 Named 'FamilySafetyAOT'
    Logger Id 0x0b @ 0xFFFFE00191A96040 Named 'LwtNetLog'
    Logger Id 0x0c @ 0xFFFFE00191B172C0 Named 'NtfsLog'
    Logger Id 0x0d @ 0xFFFFE0019779AC40 Named 'Steam Event Tracing'
    Logger Id 0x0e @ 0xFFFFE00191B1B040 Named 'SQMLogger'
    Logger Id 0x0f @ 0xFFFFE00191B2D040 Named 'UBPM'
    Logger Id 0x10 @ 0xFFFFE00191B30040 Named 'WdiContextLog'
    Logger Id 0x12 @ 0xFFFFE00195ABD040 Named 'WFP-IPsec Diagnostics'
    Logger Id 0x13 @ 0xFFFFE00195E29680 Named 'MpWppTracing-11062014-002959-00000003-ffffffff'


0*: Current->0xfffff80250bcaa00	Irql->0x0d	PreIrql->0	Rip->00000000`00000000	nLevel->2	TF->0x0000000000000000
	Process->0xfffff80250bca300	Name->Idle
	State->0x2	WaitReason->25
0: Next->0xffffe001946c3880
	Process->0xffffe0019161f040	Name->System
	State->0x3	WaitReason->32
0: Idle->0xfffff80250bcaa00
	Process->0xfffff80250bca300	Name->Idle
	State->0x2	WaitReason->25

1: Current->0xffffe001973c3080	Irql->0x00
	Process->0xffffe00191ea1080	Name->RustClient.exe
	State->0x2	WaitReason->31
1: Next->***
1: Idle->0xffffd000d41d92c0
	Process->0xfffff80250bca300	Name->Idle
	State->0x2	WaitReason->00

2: Current->0xffffe00193ecf880	Irql->0x00
	Process->0xffffe0019161f040	Name->System
	State->0x2	WaitReason->00
2: Next->***
2: Idle->0xffffd000d43552c0
	Process->0xfffff80250bca300	Name->Idle
	State->0x2	WaitReason->00

3: Current->0xffffe00191e44040	Irql->0x00
	Process->0xffffe0019161f040	Name->System
	State->0x2	WaitReason->00
3: Next->***
3: Idle->0xffffd000d43d32c0
	Process->0xfffff80250bca300	Name->Idle
	State->0x2	WaitReason->00

Cores:4
 At first glance this output looks like an excessive amount of collected data, but information at this level is extremely important for scheduling and estimating the cost of the analysis work and for gauging the requester's technical level. Analysis work is, after all, a business, and there is a client who commissions it. The items shown in red give various hints.
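To show how the output above can be condensed into the facts used for scheduling and estimating, here is an added Python example. It is not the site's own analysis code, and the WinDbg output format it parses is assumed to be exactly as printed on this page; the sample input is constructed from the page's own lines (bugcheck 0x133, netr28ux.sys, the IPI states, and the !verifier flag listing), and every helper name is hypothetical.

```python
import re

# Constructed sample input: lines copied from the triage output shown on this
# page (bugcheck 0x133 with netr28ux.sys implicated), trimmed to what is parsed.
SAMPLE_OUTPUT = """\
DPC_WATCHDOG_VIOLATION (133)
BugCheck 133, {0, 501, 500, 0}
Probably caused by : netr28ux.sys ( netr28ux+8bd3 )
IPI State for Processor 0
    TargetCount          0  PacketBarrier        0  IpiFrozen     0 [Running]
IPI State for Processor 1
    TargetCount          0  PacketBarrier        0  IpiFrozen     2 [Frozen]
IPI State for Processor 2
    TargetCount          0  PacketBarrier        0  IpiFrozen     2 [Frozen]
IPI State for Processor 3
    TargetCount          0  PacketBarrier        0  IpiFrozen     2 [Frozen]
Verify Flags Level 0x0002092b
    [X] (0x00000000) Automatic Checks
    [X] (0x00000001) Special pool
    [X] (0x00000002) Force IRQL checking
    [X] (0x00000008) Pool tracking
    [ ] (0x00000010) I/O verification
    [X] (0x00000020) Deadlock detection
    [ ] (0x00000080) DMA checking
    [X] (0x00000100) Security checks
    [X] (0x00000800) Miscellaneous checks
    [X] (0x00020000) DDI compliance checking
    [ ] (0x00000004) Randomized low resources simulation
    [ ] (0x00000200) Force pending I/O requests
    [ ] (0x00000400) IRP logging
    [ ] (0x00002000) Invariant MDL checking for stack
    [ ] (0x00004000) Invariant MDL checking for driver
    [ ] (0x00008000) Power framework delay fuzzing
    [ ] (0x00010000) Port/miniport interface checking
    [ ] (0x00040000) Systematic low resources simulation
    [ ] (0x00080000) DDI compliance checking (additional)
    [ ] (0x00200000) NDIS/WIFI verification
    [ ] (0x00800000) Kernel synchronization delay fuzzing
    [ ] (0x01000000) VM switch verification
    [ ] (0x02000000) Code integrity checks
Cores:4
"""

DPC_WATCHDOG_VIOLATION = 0x133

def parse_bugcheck(text):
    """Return (code, [Arg1..Arg4]) from the 'BugCheck xxx, {a, b, c, d}' line."""
    m = re.search(r"BugCheck ([0-9A-Fa-f]+), \{([^}]*)\}", text)
    if not m:
        raise ValueError("no BugCheck line in output")
    args = [int(a.strip(), 16) for a in m.group(2).split(",")]
    if len(args) != 4:
        raise ValueError("expected four bugcheck arguments")
    return int(m.group(1), 16), args

def interpret_dpc_watchdog(code, args):
    """0x133 with Arg1 == 0 (the page's case): Arg2 is the DPC time count and
    Arg3 the allotment, both in ticks. Other Arg1 values are not handled here."""
    if code != DPC_WATCHDOG_VIOLATION or args[0] != 0:
        return None
    count, allotment = args[1], args[2]
    return {"count": count, "allotment": allotment, "overrun_ticks": count - allotment}

def parse_ipi_state(text):
    """Map processor number -> (IpiFrozen value, state label)."""
    pat = r"IPI State for Processor (\d+)\n.*?IpiFrozen\s+(\d+) \[(\w+)\]"
    return {int(n): (int(v), st) for n, v, st in re.findall(pat, text)}

def parse_verifier(text):
    """Return (mask, enabled option names, bits where mask and checkboxes disagree)."""
    m = re.search(r"Verify Flags Level 0x([0-9A-Fa-f]+)", text)
    if not m:
        return None, [], 0
    mask, checked, enabled = int(m.group(1), 16), 0, []
    for box, bit, name in re.findall(r"\[( |X)\] \(0x([0-9A-Fa-f]+)\) (.+)", text):
        bit = int(bit, 16)
        if box == "X" and bit:            # 0x0 'Automatic Checks' carries no bit
            checked |= bit
            enabled.append(name.strip())
    return mask, enabled, mask ^ checked   # non-zero means the two views disagree

def triage(text):
    """Condense the triage output into the facts a scheduler or estimator needs."""
    code, args = parse_bugcheck(text)
    cause = re.search(r"Probably caused by : (\S+)", text)
    cores = re.search(r"Cores:(\d+)", text)
    ipi = parse_ipi_state(text)
    mask, enabled, mismatch = parse_verifier(text)
    return {
        "bugcheck": code,
        "args": args,
        "suspect_module": cause.group(1) if cause else None,
        "dpc": interpret_dpc_watchdog(code, args),
        "cores": int(cores.group(1)) if cores else None,
        "running_cpus": sorted(c for c, (_, s) in ipi.items() if s == "Running"),
        "frozen_cpus": sorted(c for c, (_, s) in ipi.items() if s == "Frozen"),
        "verifier_mask": mask,
        "verifier_enabled": enabled,
        "verifier_mismatch_bits": mismatch,
    }
```

On the page's output, `triage(SAMPLE_OUTPUT)` reports that a single DPC ran 0x501 ticks against an allotment of 0x500 (one tick over), that processor 0 took the bugcheck while processors 1 to 3 were frozen by the IPI, that netr28ux.sys is only the "Probably caused by" lead, and that Driver Verifier was active with seven options whose mask 0x2092b agrees with the checkbox listing. Verifier being enabled is worth recording up front, because it adds overhead to the verified drivers and therefore belongs in any estimate of how much of the DPC timing is the driver's own.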

Continue to "Windowsシステムクラッシュ情報とデータ分析" (Windows System Crash Information and Data Analysis)




Copyright © 豊田孝 2004-2024