Reading Windows® Internals, Sixth Edition, Part 2 in full

The other potentially useful information in a verbose analysis is the stack trace of the thread that was executing on the processor that crashed at the time of the crash. Here's what it looks like for the same complete dump:

STACK_TEXT:
93cdbb3c 91df15ab badb0d00 84f3e380 946ad800 nt!KiTrap0E+0x2cf
WARNING: Stack unwind information not available. Following frames may be wrong.
93cdbbb8 91df19db 86d77900 93cdbbfc 91df1b26 myfault+0x5ab
93cdbbc4 91df1b26 85e38488 00000001 00000000 myfault+0x9db
93cdbbfc 8284b593 86c9a510 86d77900 86d77900 myfault+0xb26
93cdbc14 82a3f99f 85e38488 86d77900 86d77970 nt!IofCallDriver+0x63
93cdbc34 82a42b71 86c9a510 85e38488 00000000 nt!IopSynchronousServiceTail+0x1f8
93cdbcd0 82a893f4 86c9a510 86d77900 00000000 nt!IopXxxControlFile+0x6aa
93cdbd04 828521ea 000000c4 00000000 00000000 nt!NtDeviceIoControlFile+0x2a
93cdbd04 77af70b4 000000c4 00000000 00000000 nt!KiFastCallEntry+0x12a
0009f370 77af5864 75cb989d 000000c4 00000000 ntdll!KiFastSystemCallRet
0009f374 75cb989d 000000c4 00000000 00000000 ntdll!NtDeviceIoControlFile+0xc
0009f3d4 77a1a671 000000c4 83360018 00000000 KERNELBASE!DeviceIoControl+0xf6
0009f400 00c421f9 000000c4 83360018 00000000 kernel32!DeviceIoControlImplementation+0x80
0009f4a0 7749c4e7 000201ec 00000111 000003f9 NotMyfault+0x21f9

Frames are listed most recent first, so the trace reads from the bottom up in time. The preceding stack shows that the Notmyfault executable image, shown at the bottom, invoked the DeviceIoControlImplementation function in Kernel32.dll, which in turn invoked DeviceIoControl in Kernelbase.dll, and so on through the system call into the I/O manager (IofCallDriver), until finally the system crashed with the execution of an instruction in the Myfault image. A stack trace like this can be useful because crashes sometimes occur as the result of one driver passing another one data that is improperly formatted, corrupt, or contains illegal parameters. The driver that is passed the invalid data might cause the crash and get the blame in an analysis, when the stack reveals that another driver was higher up the call chain. In this sample trace, no driver other than Myfault is listed. (The module "nt" is Ntoskrnl.) Note also the warning that unwind information is not available: because the debugger has no symbols for Myfault, the offsets reported for the myfault frames, and the frames beneath them, may be inaccurate.

If the driver singled out by an analysis is unfamiliar to you, use the lm (list modules) command to look at the driver's version information. Add the k (kernel modules) and v (verbose) options along with the m (match) option followed by the name of the driver:

0: kd> lm kv m myfault
start    end        module name
91df1000 91df2880   myfault    (no symbols)
    Loaded symbol image file: myfault.sys
    Image path: \??\C:\Windows\system32\drivers\myfault.sys
    Image name: myfault.sys
    Timestamp:        Sat Apr 07 09:34:40 2012 (4F806CA0)
    CheckSum:         00003871
    ImageSize:        00001880
    File version:     4.0.0.0
    Product version:  4.0.0.0
    File flags:       0 (Mask 3F)
    File OS:          40004 NT Win32
    File type:        3.7 Driver
    File date:        00000000.00000000
    Translations:     0409.04b0
    CompanyName:      Sysinternals
    ProductName:      Sysinternals Myfault
    InternalName:     myfault.sys
    OriginalFilename: myfault.sys
    ProductVersion:   4.0
    FileVersion:      4.0 (sysinternals.com)
    FileDescription:  Crash Test Driver
    LegalCopyright:   Copyright © 2002-2012 Mark Russinovich

Before you spend additional time and energy further analyzing crashes, you should ensure that your system’s kernel and drivers are the most recent available by using the services of Windows Update and third-party driver support sites.

In addition to using the description to identify the purpose of a driver, you can also use the file and product version numbers to see whether the version installed is the most up-to-date version available. If version information isn't present (because the version resource might have been paged out of physical memory at the time of the crash), look at the properties of the driver image file, at the image path lm reported, in Windows Explorer on the system that crashed.
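The same fields lm kv prints can be read from the driver file on disk, which is the fallback the text describes when the version resource was paged out of the dump. The following PowerShell is an added example, not code from the book or from Sysinternals: it parses the PE header for the TimeDateStamp, CheckSum and SizeOfImage that lm shows, reads the version resource, checks the Authenticode signature, and compares the on-disk timestamp and checksum against the values copied from the debugger output so you know you are looking at the same image that was loaded when the system crashed. The driver path, the sample name myfault.sys, and the function names are illustrative assumptions.

```powershell
# Added example (not from the book): inspect an on-disk driver image the way
# "lm kv m <name>" does in the debugger. Assumes the script runs on the machine
# that crashed and the driver lives under %SystemRoot%\System32\drivers.
function Get-DriverImageInfo {
    param([Parameter(Mandatory)] [string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) {
        throw "Driver image not found: $Path"
    }
    $bytes = [System.IO.File]::ReadAllBytes($Path)

    # PE header walk: e_lfanew at 0x3C points at the "PE\0\0" signature.
    # The COFF header follows it, with TimeDateStamp at +8. The optional header
    # starts at +24; SizeOfImage is at optional +0x38 and CheckSum at +0x40.
    $peOffset = [BitConverter]::ToInt32($bytes, 0x3C)
    if ($bytes[$peOffset] -ne 0x50 -or $bytes[$peOffset + 1] -ne 0x45) {
        throw "Not a PE image: $Path"
    }
    $timeDateStamp = [BitConverter]::ToUInt32($bytes, $peOffset + 8)
    $optHeader     = $peOffset + 24
    $sizeOfImage   = [BitConverter]::ToUInt32($bytes, $optHeader + 0x38)
    $checkSum      = [BitConverter]::ToUInt32($bytes, $optHeader + 0x40)

    $ver = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $ts  = [DateTimeOffset]::FromUnixTimeSeconds([int64]$timeDateStamp)

    [pscustomobject]@{
        ImagePath       = $Path
        # lm prints the link time in local time with the raw value in parentheses
        TimestampLocal  = $ts.LocalDateTime
        TimestampUtc    = $ts.UtcDateTime
        TimestampHex    = ('{0:X8}' -f $timeDateStamp)
        CheckSum        = ('{0:X8}' -f $checkSum)
        ImageSize       = ('{0:X8}' -f $sizeOfImage)
        CompanyName     = $ver.CompanyName
        FileDescription = $ver.FileDescription
        FileVersion     = $ver.FileVersion
        ProductVersion  = $ver.ProductVersion
        SignatureStatus = $sig.Status          # Valid, NotSigned, HashMismatch, ...
        Signer          = $sig.SignerCertificate.Subject
    }
}

# Compare the file on disk with the Timestamp and CheckSum the debugger printed.
# A mismatch means the file has been replaced since the crash (or the loaded
# image came from a different path), so its version info proves nothing.
function Test-DriverMatchesDump {
    param(
        [Parameter(Mandatory)] $ImageInfo,                   # from Get-DriverImageInfo
        [Parameter(Mandatory)] [string]$DumpTimestampHex,    # value lm shows in parentheses
        [Parameter(Mandatory)] [string]$DumpCheckSum         # value lm shows as CheckSum
    )
    $expectedCheckSum = $DumpCheckSum.PadLeft(8, '0')
    return ($ImageInfo.TimestampHex -eq $DumpTimestampHex) -and
           ($ImageInfo.CheckSum -eq $expectedCheckSum)
}

# Usage: the hex values below are the ones from the lm output above.
$driverPath = Join-Path $env:SystemRoot 'System32\drivers\myfault.sys'
$info = Get-DriverImageInfo -Path $driverPath
$info | Format-List

if (Test-DriverMatchesDump -ImageInfo $info -DumpTimestampHex '4F806CA0' -DumpCheckSum '00003871') {
    'On-disk image matches the one loaded at crash time.'
} else {
    'On-disk image differs from the one in the dump; version info is not authoritative.'
}
```

Reading the file needs no elevation, but keep in mind that a signature check on a driver that is already loaded tells you only who signed it, not whether that build is free of the bug that crashed the system; the version comparison against the vendor's latest release still has to be done by hand.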

To use Windows Update to check for a newer version of a driver, open Device Manager and locate the device that the driver is associated with. Right-click the device, and select Update Driver Software. If Windows Update reports that no newer version of the driver is available for download, it may be worthwhile checking the website of the original equipment manufacturer (OEM) for the system. Finally, because neither Windows Update nor the OEM necessarily carries the latest driver, also check the website of the actual driver author for a newer version.

Using Crash Troubleshooting Tools

