Windows Server 2012 R2 Datacenter: intermittent blue screen with shutdown and restart, code 0x133: DPC_WATCHDOG_VIOLATION & hal.dll and kernel fault

Bruce hu 1 Reputation point
2021-01-18T12:05:25.24+00:00

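System version: Windows Server 2012 R2 Datacenter

I extracted the blue screen minidump file and debugged it with WinDbg. Along the way I consulted the official solutions and tried to resolve the problem:

  1. Debugging reference: https://learn.microsoft.com/zh-cn/windows-hardware/drivers/debugger/bug-check-0x133-dpc-watchdog-violation

The results are as follows: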

Loading Dump File [C:\011821-44687-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: srv*F:\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows 7 Kernel Version 9600 MP (32 procs) Free x64
Product: Server, suite: TerminalServer DataCenter SingleUserTS
Built by: 9600.19913.amd64fre.winblue_ltsb_escrow.201207-1920
Machine Name:
Kernel base = 0xfffff8028f415000 PsLoadedModuleList = 0xfffff8028f6da5d0
Debug session time: Mon Jan 18 15:01:07.114 2021 (UTC + 8:00)
System Uptime: 2 days 11:12:30.254
Loading Kernel Symbols
...............................................................
................................................................
.........
Loading User Symbols
Loading unloaded module list
...................
ERROR: FindPlugIns 8007052e


**

Bugcheck Analysis

**


Use !analyze -v to get detailed debugging information.

BugCheck 133, {1, 1e00, 0, 0}

Probably caused by : ntkrnlmp.exe ( nt! ?? ::FNODOBFM::`string'+5690 )

Followup: MachineOwner
---------

16: kd> !analyze -v
ERROR: FindPlugIns 8007052e


**

Bugcheck Analysis

**


DPC_WATCHDOG_VIOLATION (133)
The DPC watchdog detected a prolonged run time at an IRQL of DISPATCH_LEVEL
or above.
Arguments:
Arg1: 0000000000000001, The system cumulatively spent an extended period of time at
DISPATCH_LEVEL or above. The offending component can usually be
identified with a stack trace.
Arg2: 0000000000001e00, The watchdog period.
Arg3: 0000000000000000
Arg4: 0000000000000000

Debugging Details:

------------------

CUSTOMER_CRASH_COUNT: 1

DEFAULT_BUCKET_ID: DRIVER_FAULT_SERVER_MINIDUMP

BUGCHECK_STR: 0x133

PROCESS_NAME: System

CURRENT_IRQL: d

LAST_CONTROL_TRANSFER: from fffff8028f56f8c0 to fffff8028f5554c0

STACK_TEXT:
ffffd000710dbc88 fffff8028f56f8c0 : 0000000000000133 0000000000000001 0000000000001e00 0000000000000000 : nt!KeBugCheckEx
ffffd000710dbc90 0000000000000000 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : nt! ?? ::FNODOBFM::`string'+0x5690

STACK_COMMAND: kb

FOLLOWUP_IP:
nt! ?? ::FNODOBFM::string'+5690 fffff8028f56f8c0 cc int 3

SYMBOL_STACK_INDEX: 1

SYMBOL_NAME: nt! ?? ::FNODOBFM::`string'+5690

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: nt

IMAGE_NAME: ntkrnlmp.exe

DEBUG_FLR_IMAGE_TIMESTAMP: 5fd01caa

FAILURE_BUCKET_ID: X64_0x133_nt!??::FNODOBFM::string+5690

BUCKET_ID: X64_0x133_nt!??::FNODOBFM::string+5690

Followup: MachineOwner
---------

PS: I attempted the second step, kd> k

16: kd> k
Child-SP RetAddr Call Site
ffffd000710dbc88 fffff8028f56f8c0 nt!KeBugCheckEx
ffffd000710dbc90 0000000000000000 nt! ?? ::FNODOBFM::`string'+0x5690 // the analysis is stuck here

Next I queried the memory location for analysis. The results are as follows (stuck with no result; I cannot continue the analysis with the commands):

16: kd> ub fffff8028f56f8c0
nt! ?? ::FNODOBFM::string'+0x566a:
fffff8028f56f89a 44383dff3d1700 cmp byte ptr [nt!KdDebuggerEnabled (fffff8028f6e36a0)],r15b
fffff8028f56f8a1 751e jne nt! ?? ::FNODOBFM::string'+0x5691 (fffff8028f56f8c1)
fffff8028f56f8a3 4c638368580000 movsxd r8,dword ptr [rbx+5868h]
fffff8028f56f8aa 4533c9 xor r9d,r9d
fffff8028f56f8ad b933010000 mov ecx,133h
fffff8028f56f8b2 418d5101 lea edx,[r9+1]
fffff8028f56f8b6 4c897c2420 mov qword ptr [rsp+20h],r15
fffff8028f56f8bb e8005cfeff call nt!KeBugCheckEx (fffff8028f5554c0)

I hope the engineers here can help continue the analysis (is this caused by some hardware, or by a network DDoS attack? Recently I have only set up a wingFTP service with port 21 open to the outside). I have uploaded the dump file to OneDrive; please download it and take a look:

https://1drv.ms/u/s!AqPWKmP0YUlbiyBr3hoRWfI_M8cR?e=AxySsq

  2. I found a related issue on the official support page:

https://support.microsoft.com/zh-cn/help/3013791/dpc-watchdog-violation-0x133-stop-error-when-there-s-faulty-hardware-i

I tried to install the patch and found that the system already had it, so no update was needed. The attempt yielded nothing.

57576-e7bfb5604edf8339da3bc520cbe5e86.png

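  3. I consulted related material and checked the system logs. There were no abnormal signs, so certain software problems can be ruled out; my guess is that it is most likely hardware or a network attack. The BlueScreenView result is also attached.

Could the engineers please help determine the cause and resolve it? Thank you!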

57577-%E5%BE%AE%E4%BF%A1%E6%88%AA%E5%9B%BE-20210118195609.png
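
An added example, not part of the original post or of any Microsoft tooling: a Python triage of the debugger text quoted above. It extracts the bug check code, its arguments and the stack frames, then reports whether the captured stack names any module outside the core OS. The `triage` function, the `CORE` module set and the verdict strings are assumptions of this example.

```python
import re

# Sample input: lines taken from the WinDbg output quoted in the post above.
SAMPLE = """\
Mini Kernel Dump File: Only registers and stack trace are available
BugCheck 133, {1, 1e00, 0, 0}
16: kd> k
Child-SP RetAddr Call Site
ffffd000710dbc88 fffff8028f56f8c0 nt!KeBugCheckEx
ffffd000710dbc90 0000000000000000 nt! ?? ::FNODOBFM::`string'+0x5690
"""

BUGCHECK = re.compile(r"^BugCheck ([0-9A-Fa-f]+), \{([^}]*)\}", re.M)
# Child-SP, RetAddr, then the first "module!" token on the same line.
FRAME = re.compile(r"^[0-9a-f`]{16,17}[ \t]+([0-9a-f`]{16,17})[ \t].*?\b(\w+)!", re.M)
# Modules treated as core OS for this heuristic (assumption of the example).
CORE = {"nt", "hal"}

def triage(text):
    """Summarise what a 0x133 debugger log can and cannot tell you."""
    m = BUGCHECK.search(text)
    if not m:
        raise ValueError("no BugCheck line found")
    code = int(m.group(1), 16)
    args = [int(a, 16) for a in m.group(2).split(",")]
    frames = [(int(ret.replace("`", ""), 16), mod.lower())
              for ret, mod in FRAME.findall(text)]
    minidump = "Mini Kernel Dump File" in text
    suspects = sorted({mod for _, mod in frames} - CORE)
    # A zero return address means the stack walk stopped at that frame.
    truncated = bool(frames) and frames[-1][0] == 0
    if code != 0x133:
        verdict = "not DPC_WATCHDOG_VIOLATION"
    elif suspects:
        verdict = "check drivers on stack: " + ", ".join(suspects)
    elif args[0] == 1 and (minidump or truncated):
        verdict = "cumulative DPC time; stack names no driver, minidump is insufficient"
    else:
        verdict = "only core OS frames on stack"
    return {"code": code, "args": args, "minidump": minidump,
            "truncated": truncated, "suspects": suspects, "verdict": verdict}

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```
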


2 answers

  1. SChalakov 10,266 Reputation points MVP
    2021-01-18T13:04:39.893+00:00

    Hi,

    I have just approved your post, but would like to kindly ask you to translate the parts of the post that are not in English. Q&A is an English forum and you will get a much bigger success rate in getting an answer here if your post is in English.

    Thank you for your understanding!

    Regards,
    Stoyan

    1 person found this answer helpful.

  2. AliceYang-MSFT 2,081 Reputation points
    2021-01-19T07:53:55.747+00:00

    Hi,

    Sorry but we don't support log analysis. If you need someone to help you with log analysis, you can call Global Customer Service or ask Microsoft Support for business for help.

    You can try Troubleshoot blue screen errors or follow the solutions in BSOD win 10 with error " Bug Check 0x133 DPC_WATCHDOG_VIOLATION" to troubleshoot.

    The update provided in "DPC_WATCHDOG_VIOLATION (0x133)" Stop error when there's faulty hardware in Windows 8.1 or Windows Server 2012 R2 should work. Have you tried uninstalling the update and reinstalling it?

    Please note

    Prerequisites
    To install this update, you must have April 2014, update rollup for Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2 (2919355) installed in Windows 8.1 or Windows Server 2012 R2.

    ----------

    If the Answer is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
