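OS version: Windows Server 2012 R2 Datacenter
I extracted the blue-screen minidump file and debugged it with WinDbg. Along the way I consulted the official guidance and tried to resolve the problem:
- https://learn.microsoft.com/zh-cn/windows-hardware/drivers/debugger/bug-check-0x133-dpc-watchdog-violation (debugging reference)
The results are as follows: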
Loading Dump File [C:\011821-44687-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available
Symbol search path is: srv*F:\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows 7 Kernel Version 9600 MP (32 procs) Free x64
Product: Server, suite: TerminalServer DataCenter SingleUserTS
Built by: 9600.19913.amd64fre.winblue_ltsb_escrow.201207-1920
Machine Name:
Kernel base = 0xfffff8028f415000 PsLoadedModuleList = 0xfffff8028f6da5d0
Debug session time: Mon Jan 18 15:01:07.114 2021 (UTC + 8:00)
System Uptime: 2 days 11:12:30.254
Loading Kernel Symbols
...............................................................
................................................................
.........
Loading User Symbols
Loading unloaded module list
...................
ERROR: FindPlugIns 8007052e
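*******************************************************************************
*                        Bugcheck Analysis                                    *
*******************************************************************************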
Use !analyze -v to get detailed debugging information.
BugCheck 133, {1, 1e00, 0, 0}
Probably caused by : ntkrnlmp.exe ( nt! ?? ::FNODOBFM::`string'+5690 )
Followup: MachineOwner
---------
16: kd> !analyze -v
ERROR: FindPlugIns 8007052e
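*******************************************************************************
*                        Bugcheck Analysis                                    *
*******************************************************************************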
DPC_WATCHDOG_VIOLATION (133)
The DPC watchdog detected a prolonged run time at an IRQL of DISPATCH_LEVEL
or above.
Arguments:
Arg1: 0000000000000001, The system cumulatively spent an extended period of time at
DISPATCH_LEVEL or above. The offending component can usually be
identified with a stack trace.
Arg2: 0000000000001e00, The watchdog period.
Arg3: 0000000000000000
Arg4: 0000000000000000
Debugging Details:
------------------
CUSTOMER_CRASH_COUNT: 1
DEFAULT_BUCKET_ID: DRIVER_FAULT_SERVER_MINIDUMP
BUGCHECK_STR: 0x133
PROCESS_NAME: System
CURRENT_IRQL: d
LAST_CONTROL_TRANSFER: from fffff8028f56f8c0 to fffff8028f5554c0
STACK_TEXT:
ffffd000710dbc88 fffff8028f56f8c0 : 0000000000000133 0000000000000001 0000000000001e00 0000000000000000 : nt!KeBugCheckEx
ffffd000710dbc90 0000000000000000 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : nt! ?? ::FNODOBFM::`string'+0x5690
STACK_COMMAND: kb
FOLLOWUP_IP:
nt! ?? ::FNODOBFM::`string'+5690
fffff8028f56f8c0 cc int 3
SYMBOL_STACK_INDEX: 1
SYMBOL_NAME: nt! ?? ::FNODOBFM::`string'+5690
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: nt
IMAGE_NAME: ntkrnlmp.exe
DEBUG_FLR_IMAGE_TIMESTAMP: 5fd01caa
FAILURE_BUCKET_ID: X64_0x133_nt!??::FNODOBFM::string+5690
BUCKET_ID: X64_0x133_nt!??::FNODOBFM::string+5690
Followup: MachineOwner
---------
PS: I tried the second step, kd> k
16: kd> k
Child-SP RetAddr Call Site
ffffd000710dbc88 fffff8028f56f8c0 nt!KeBugCheckEx
ffffd000710dbc90 0000000000000000 nt! ?? ::FNODOBFM::`string'+0x5690 // the analysis gets stuck here
I then queried the memory location for further analysis; the result is below (stuck with no outcome, unable to continue the analysis by following the commands)
16: kd> ub fffff8028f56f8c0
nt! ?? ::FNODOBFM::`string'+0x566a:
fffff8028f56f89a 44383dff3d1700 cmp byte ptr [nt!KdDebuggerEnabled (fffff8028f6e36a0)],r15b
fffff8028f56f8a1 751e jne nt! ?? ::FNODOBFM::`string'+0x5691 (fffff8028f56f8c1)
fffff8028f56f8a3 4c638368580000 movsxd r8,dword ptr [rbx+5868h]
fffff8028f56f8aa 4533c9 xor r9d,r9d
fffff8028f56f8ad b933010000 mov ecx,133h
fffff8028f56f8b2 418d5101 lea edx,[r9+1]
fffff8028f56f8b6 4c897c2420 mov qword ptr [rsp+20h],r15
fffff8028f56f8bb e8005cfeff call nt!KeBugCheckEx (fffff8028f5554c0)
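I hope the engineers here can help continue the analysis (was this caused by some hardware or by a network DDoS attack? Recently I have only set up a Wing FTP service, with port 21 opened to the outside). I have uploaded the dump file to OneDrive; please download it and take a look: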
https://1drv.ms/u/s!AqPWKmP0YUlbiyBr3hoRWfI_M8cR?e=AxySsq
- I found a related issue on the official support page:
https://support.microsoft.com/zh-cn/help/3013791/dpc-watchdog-violation-0x133-stop-error-when-there-s-faulty-hardware-i
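I tried to install the patch, but found that the system already had it and no update was needed. The attempt got nowhere.
- I looked up related material and checked the system logs; there were no abnormal signs, so certain software problems can be ruled out, and my guess is that it is most likely hardware or a network attack. The BlueScreenView results are also attached.
Could an engineer please help determine the cause and resolve it? Thank you!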