XP无法正常关机和重启

东方蜘蛛

第三次的－－Mini040910-03.dmp

1: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

KERNEL_MODE_EXCEPTION_NOT_HANDLED_M (1000008e)
This is a very common bugcheck.  Usually the exception address pinpoints
the driver/function that caused the problem.  Always note this address
as well as the link date of the driver/image that contains this address.
Some common problems are exception code 0x80000003.  This means a hard
coded breakpoint or assertion was hit, but this system was booted
/NODEBUG.  This is not supposed to happen as developers should never have
hardcoded breakpoints in retail code, but ...
If this happens, make sure a debugger gets connected, and the
system is booted /DEBUG.  This will let us see why this breakpoint is
happening.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: 8053ba1e, The address that the exception occurred at
Arg3: a7a90bf0, Trap Frame
Arg4: 00000000

Debugging Details:
------------------


EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - "0x%08lx"

FAULTING_IP:
nt!memmove+16e
8053ba1e 8807            mov     byte ptr [edi],al

TRAP_FRAME:  a7a90bf0 -- (.trap 0xffffffffa7a90bf0)
ErrCode = 00000002
eax=a7a90c5c ebx=00000000 ecx=00000000 edx=00000002 esi=a7a90cb4 edi=00000000
eip=8053ba1e esp=a7a90c64 ebp=a7a90c6c iopl=0         nv up ei ng nz ac po cy
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010293
nt!memmove+0x16e:
8053ba1e 8807            mov     byte ptr [edi],al          ds:0023:00000000=??
Resetting default scope

CUSTOMER_CRASH_COUNT:  3

DEFAULT_BUCKET_ID:  DRIVER_FAULT

BUGCHECK_STR:  0x8E

PROCESS_NAME:  tvt_reg_monitor

LAST_CONTROL_TRANSFER:  from 8052cb27 to 8053ba1e

STACK_TEXT:  
a7a90c6c 8052cb27 00000000 a7a90cb4 00000002 nt!memmove+0x16e
a7a90c8c ba10bac0 89ebac68 00000002 a7131cb0 nt!RtlAppendUnicodeStringToString+0x45
WARNING: Stack unwind information not available. Following frames may be wrong.
a7a90ce0 ba10bbe4 00000040 86328de0 a7a90d1c PROCMON20+0x3ac0
a7a90cfc ba10c73a 00000001 000000f8 00000000 PROCMON20+0x3be4
a7a90d2c ba10c7c3 00000000 00020019 000000f8 PROCMON20+0x473a
a7a90d50 8054263c 007362bc 00020019 0182fc98 PROCMON20+0x47c3
a7a90d50 7c92e514 007362bc 00020019 0182fc98 nt!KiFastCallEntry+0xfc
0182fcd8 00000000 00000000 00000000 00000000 0x7c92e514


STACK_COMMAND:  kb

FOLLOWUP_IP:
PROCMON20+3ac0
ba10bac0 ??              ???

SYMBOL_STACK_INDEX:  2

SYMBOL_NAME:  PROCMON20+3ac0

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: PROCMON20

IMAGE_NAME:  PROCMON20.SYS

DEBUG_FLR_IMAGE_TIMESTAMP:  4aeb76fe

FAILURE_BUCKET_ID:  0x8E_PROCMON20+3ac0

BUCKET_ID:  0x8E_PROCMON20+3ac0

Followup: MachineOwner
---------

东方蜘蛛

第二次的－－－Mini040910-02.dmp

1: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

KERNEL_MODE_EXCEPTION_NOT_HANDLED_M (1000008e)
This is a very common bugcheck.  Usually the exception address pinpoints
the driver/function that caused the problem.  Always note this address
as well as the link date of the driver/image that contains this address.
Some common problems are exception code 0x80000003.  This means a hard
coded breakpoint or assertion was hit, but this system was booted
/NODEBUG.  This is not supposed to happen as developers should never have
hardcoded breakpoints in retail code, but ...
If this happens, make sure a debugger gets connected, and the
system is booted /DEBUG.  This will let us see why this breakpoint is
happening.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: 8053ba1e, The address that the exception occurred at
Arg3: a7bb4bf0, Trap Frame
Arg4: 00000000

Debugging Details:
------------------


EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - "0x%08lx"

FAULTING_IP:
nt!memmove+16e
8053ba1e 8807            mov     byte ptr [edi],al

TRAP_FRAME:  a7bb4bf0 -- (.trap 0xffffffffa7bb4bf0)
ErrCode = 00000002
eax=a7bb4c5c ebx=00000000 ecx=00000000 edx=00000002 esi=a7bb4cb4 edi=00000000
eip=8053ba1e esp=a7bb4c64 ebp=a7bb4c6c iopl=0         nv up ei ng nz ac po cy
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010293
nt!memmove+0x16e:
8053ba1e 8807            mov     byte ptr [edi],al          ds:0023:00000000=??
Resetting default scope

CUSTOMER_CRASH_COUNT:  2

DEFAULT_BUCKET_ID:  DRIVER_FAULT

BUGCHECK_STR:  0x8E

PROCESS_NAME:  tvt_reg_monitor

LAST_CONTROL_TRANSFER:  from 8052cb27 to 8053ba1e

STACK_TEXT:  
a7bb4c6c 8052cb27 00000000 a7bb4cb4 00000002 nt!memmove+0x16e
a7bb4c8c ba10bac0 88eba228 00000002 a7015cf7 nt!RtlAppendUnicodeStringToString+0x45
WARNING: Stack unwind information not available. Following frames may be wrong.
a7bb4ce0 ba10bbe4 0000002a 88e13780 a7bb4d1c PROCMON20+0x3ac0
a7bb4cfc ba10c73a 00000001 000000f8 00000000 PROCMON20+0x3be4
a7bb4d2c ba10c7c3 00000000 00020019 000000f8 PROCMON20+0x473a
a7bb4d50 8054263c 00736cb4 00020019 0192fc98 PROCMON20+0x47c3
a7bb4d50 7c92e514 00736cb4 00020019 0192fc98 nt!KiFastCallEntry+0xfc
0192fcd8 00000000 00000000 00000000 00000000 0x7c92e514


STACK_COMMAND:  kb

FOLLOWUP_IP:
PROCMON20+3ac0
ba10bac0 ??              ???

SYMBOL_STACK_INDEX:  2

SYMBOL_NAME:  PROCMON20+3ac0

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: PROCMON20

IMAGE_NAME:  PROCMON20.SYS

DEBUG_FLR_IMAGE_TIMESTAMP:  4aeb76fe

FAILURE_BUCKET_ID:  0x8E_PROCMON20+3ac0

BUCKET_ID:  0x8E_PROCMON20+3ac0

Followup: MachineOwner
---------

东方蜘蛛

第一次的－－－Mini040910-01.dmp

1: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

KERNEL_MODE_EXCEPTION_NOT_HANDLED_M (1000008e)
This is a very common bugcheck.  Usually the exception address pinpoints
the driver/function that caused the problem.  Always note this address
as well as the link date of the driver/image that contains this address.
Some common problems are exception code 0x80000003.  This means a hard
coded breakpoint or assertion was hit, but this system was booted
/NODEBUG.  This is not supposed to happen as developers should never have
hardcoded breakpoints in retail code, but ...
If this happens, make sure a debugger gets connected, and the
system is booted /DEBUG.  This will let us see why this breakpoint is
happening.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: 8053ba1e, The address that the exception occurred at
Arg3: a7858bf0, Trap Frame
Arg4: 00000000

Debugging Details:
------------------


EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - "0x%08lx"

FAULTING_IP:
nt!memmove+16e
8053ba1e 8807            mov     byte ptr [edi],al

TRAP_FRAME:  a7858bf0 -- (.trap 0xffffffffa7858bf0)
ErrCode = 00000002
eax=a7858c5c ebx=00000000 ecx=00000000 edx=00000002 esi=a7858cb4 edi=00000000
eip=8053ba1e esp=a7858c64 ebp=a7858c6c iopl=0         nv up ei ng nz ac po cy
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010293
nt!memmove+0x16e:
8053ba1e 8807            mov     byte ptr [edi],al          ds:0023:00000000=??
Resetting default scope

CUSTOMER_CRASH_COUNT:  1

DEFAULT_BUCKET_ID:  DRIVER_FAULT

BUGCHECK_STR:  0x8E

PROCESS_NAME:  tvt_reg_monitor

LAST_CONTROL_TRANSFER:  from 8052cb27 to 8053ba1e

STACK_TEXT:  
a7858c6c 8052cb27 00000000 a7858cb4 00000002 nt!memmove+0x16e
a7858c8c ba10bac0 8a4e9cd8 00000002 a73f9cbf nt!RtlAppendUnicodeStringToString+0x45
WARNING: Stack unwind information not available. Following frames may be wrong.
a7858ce0 ba10bbe4 0000002a 892e30d8 a7858d1c PROCMON20+0x3ac0
a7858cfc ba10c73a 00000001 000000f8 00000000 PROCMON20+0x3be4
a7858d2c ba10c7c3 00000000 00020019 000000f8 PROCMON20+0x473a
a7858d50 8054263c 00736934 00020019 01d2fc98 PROCMON20+0x47c3
a7858d50 7c92e514 00736934 00020019 01d2fc98 nt!KiFastCallEntry+0xfc
01d2fcd8 00000000 00000000 00000000 00000000 0x7c92e514


STACK_COMMAND:  kb

FOLLOWUP_IP:
PROCMON20+3ac0
ba10bac0 ??              ???

SYMBOL_STACK_INDEX:  2

SYMBOL_NAME:  PROCMON20+3ac0

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: PROCMON20

IMAGE_NAME:  PROCMON20.SYS

DEBUG_FLR_IMAGE_TIMESTAMP:  4aeb76fe

FAILURE_BUCKET_ID:  0x8E_PROCMON20+3ac0

BUCKET_ID:  0x8E_PROCMON20+3ac0

Followup: MachineOwner
---------

东方蜘蛛

我好像能看出点端倪了，是不是这个导致的：PROCESS_NAME:  tvt_reg_monitor

名称：tvt_reg_monitor_svc.exe
可信认证：安全
PID：820
路径：c:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
描述：IBM ThinkPad 笔记本电脑注册表监控服务(Registry Monitor Service)相关进程。

难道这个有问题？

东方蜘蛛

我看了启动项里面了，好像没有这个进程的启动项哦？

emperor

procmon导致蓝屏？ 要么你还是直接跑procmon收集点日志看吧，别整boot mode了，就滤32bit的架构。。。。。。。。。。

东方蜘蛛

在服务里面把tvt_reg_monitor_svc.exe停掉了，但是重启还是老样子。。。。怎么用procmon收集日志啊。。。。

emperor

打开procmon，出现过滤界面，我建议你过滤下金山的进程，然后apply再然后点那个save就ok了。。。。。

emperor

这个文档比较短,但基本够用了........

东方蜘蛛

怎么看logfile啊？