winlogon.exe AV at 699027a2 (wnpy_StatusWnd+0x000027a2)

Today a colleague reported that, right after logging into Windows XP, the machine shows "winlogon.exe - Application Error"; as soon as the error box is closed the machine blue-screens.

Logging in with a different user account works fine, so it is not a hardware problem.

I copied the dump files (winlogon.exe.hdmp and friends) over to my own machine and opened them in WinDbg for analysis:

!analyze -v 

 *** ERROR: Symbol file could not be found.  Defaulted to export symbols for faultrep.dll - 

Unable to load image C:\WINDOWS\system32\PCANotify.dll, Win32 error 0n2
*** WARNING: Unable to verify timestamp for PCANotify.dll
*** ERROR: Module load completed but symbols could not be loaded for PCANotify.dll
Unable to load image C:\Program Files\ShiQiang\wnime\dll32\wnupdate.dll, Win32 error 0n2
*** WARNING: Unable to verify timestamp for wnupdate.dll
*** ERROR: Module load completed but symbols could not be loaded for wnupdate.dll
Unable to load image C:\Program Files\ShiQiang\wnime\dll32\wnpy_Query.dll, Win32 error 0n2
*** WARNING: Unable to verify timestamp for wnpy_Query.dll
*** ERROR: Module load completed but symbols could not be loaded for wnpy_Query.dll
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for wlnotify.dll - 
*** WARNING: Unable to verify timestamp for WgaLogon.dll
*** ERROR: Module load completed but symbols could not be loaded for WgaLogon.dll
GetPageUrlData failed, server returned HTTP status 404
URL requested: http://watson.microsoft.com/StageOne/winlogon_exe/5_1_2600_5512/wnpy_StatusWnd_dll/2008_7_11_1/000027a2.htm?Retriage=1
FAULTING_IP: 
wnpy_StatusWnd+27a2
699027a2 ??              ???
EXCEPTION_RECORD:  ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 699027a2 (wnpy_StatusWnd+0x000027a2)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000000
   Parameter[1]: 00000000
Attempt to read from address 00000000
PROCESS_NAME:  winlogon.exe
ADDITIONAL_DEBUG_TEXT:  
Use '!findthebuild' command to search for the target build information.
If the build information is available, run '!findthebuild -s ; .reload' to set symbol path and load symbols.
FAULTING_MODULE: 7c900000 ntdll
DEBUG_FLR_IMAGE_TIMESTAMP:  4a31ce4c
ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".
EXCEPTION_PARAMETER1:  00000000
EXCEPTION_PARAMETER2:  00000000
READ_ADDRESS:  00000000 
FOLLOWUP_IP: 
wnpy_StatusWnd+27a2
699027a2 ??              ???
MOD_LIST: <ANALYSIS/>
FAULTING_THREAD:  0000029c
BUGCHECK_STR:  APPLICATION_FAULT_NULL_POINTER_READ_WRONG_SYMBOLS
PRIMARY_PROBLEM_CLASS:  NULL_POINTER_READ
DEFAULT_BUCKET_ID:  NULL_POINTER_READ
IP_ON_HEAP:  150100d0
FRAME_ONE_INVALID: 1
LAST_CONTROL_TRANSFER:  from 150100d0 to 699027a2
STACK_TEXT:  
WARNING: Stack unwind information not available. Following frames may be wrong.
0006d914 150100d0 69924b00 01010074 00000016 wnpy_StatusWnd+0x27a2
0006d918 69924b00 01010074 00000016 00000005 0x150100d0
0006d91c 01010074 00000016 00000005 00000019 wnpy_StatusWnd+0x24b00
0006d920 00000000 00000005 00000019 00000016 winlogon+0x10074
STACK_COMMAND:  ~0s; .ecxr ; kb
SYMBOL_STACK_INDEX:  0
SYMBOL_NAME:  wnpy_StatusWnd+27a2
FOLLOWUP_NAME:  MachineOwner
MODULE_NAME: wnpy_StatusWnd
IMAGE_NAME:  wnpy_StatusWnd.dll
BUCKET_ID:  WRONG_SYMBOLS
FAILURE_BUCKET_ID:  NULL_POINTER_READ_c0000005_wnpy_StatusWnd.dll!Unknown
WATSON_STAGEONE_URL:  http://watson.microsoft.com/StageOne/winlogon_exe/5_1_2600_5512/48027549/wnpy_StatusWnd_dll/2008_7_11_1 /4a31ce4c/c0000005/000027a2.htm?Retriage=1
Followup: MachineOwner
---------
So the access violation is thrown inside this DLL, wnpy_StatusWnd.dll:

 C:\Program Files\ShiQiang\wnime\Dll32\wnpy_StatusWnd.dll 

After uninstalling it, the problem was gone.
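The triage above (run `!analyze -v`, read off which image the faulting IP and the first stack frame land in, notice that WinDbg itself flags the stack as unreliable, then look at which of the unloadable images belong to the same third-party product) is mechanical enough to script. The following Python script is an added example, not code from the original post: it parses the text of a `!analyze -v` run (a trimmed copy of the output quoted above is embedded as constructed sample input), extracts the process, exception code, blamed image and stack frames, and reports the first frame outside the crashing process's own image. The "unloadable image outside C:\WINDOWS" rule is a heuristic of mine, not something WinDbg reports.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample input: the relevant lines of the `!analyze -v` output quoted
# in the post, embedded so the parser can be run offline without a dump file.
SAMPLE_ANALYZE = r"""
Unable to load image C:\WINDOWS\system32\PCANotify.dll, Win32 error 0n2
*** WARNING: Unable to verify timestamp for PCANotify.dll
Unable to load image C:\Program Files\ShiQiang\wnime\dll32\wnupdate.dll, Win32 error 0n2
Unable to load image C:\Program Files\ShiQiang\wnime\dll32\wnpy_Query.dll, Win32 error 0n2
ExceptionAddress: 699027a2 (wnpy_StatusWnd+0x000027a2)
   ExceptionCode: c0000005 (Access violation)
PROCESS_NAME:  winlogon.exe
BUGCHECK_STR:  APPLICATION_FAULT_NULL_POINTER_READ_WRONG_SYMBOLS
PRIMARY_PROBLEM_CLASS:  NULL_POINTER_READ
FRAME_ONE_INVALID: 1
STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
0006d914 150100d0 69924b00 01010074 00000016 wnpy_StatusWnd+0x27a2
0006d918 69924b00 01010074 00000016 00000005 0x150100d0
0006d91c 01010074 00000016 00000005 00000019 wnpy_StatusWnd+0x24b00
0006d920 00000000 00000005 00000019 00000016 winlogon+0x10074
STACK_COMMAND:  ~0s; .ecxr ; kb
MODULE_NAME: wnpy_StatusWnd
IMAGE_NAME:  wnpy_StatusWnd.dll
FAILURE_BUCKET_ID:  NULL_POINTER_READ_c0000005_wnpy_StatusWnd.dll!Unknown
"""

KEY_RE = re.compile(r"^([A-Z][A-Z0-9_]*):\s*(.*)$")            # PROCESS_NAME:  winlogon.exe
EXC_CODE_RE = re.compile(r"^\s*ExceptionCode:\s+([0-9a-fA-F]{8})")
MISSING_IMAGE_RE = re.compile(r"^Unable to load image (.+?), Win32 error")
# x86 `kb` frame: ChildEBP RetAddr Args-to-Child(x3) Symbol  -> capture the symbol
FRAME_RE = re.compile(r"^[0-9a-f]{8} [0-9a-f]{8} (?:[0-9a-f]{8} ){3}(\S.*)$")


def module_of(symbol: str) -> Optional[str]:
    """'wnpy_StatusWnd+0x27a2' -> 'wnpy_StatusWnd', 'ntdll!Func' -> 'ntdll', '0x150100d0' -> None."""
    if symbol.startswith("0x"):
        return None
    return re.split(r"[+!]", symbol, maxsplit=1)[0]


@dataclass
class CrashReport:
    fields: Dict[str, str] = field(default_factory=dict)   # single-line KEY: value pairs
    exception_code: Optional[str] = None
    missing_images: List[str] = field(default_factory=list)  # images WinDbg could not load
    frames: List[str] = field(default_factory=list)          # STACK_TEXT symbols, top first
    unwind_warning: bool = False


def parse_analyze(text: str) -> CrashReport:
    """Parse the text of a WinDbg `!analyze -v` run into a CrashReport."""
    rep, in_stack = CrashReport(), False
    for line in (ln.rstrip() for ln in text.splitlines()):
        if line.startswith("STACK_TEXT:"):
            in_stack = True
            continue
        if line.startswith("STACK_COMMAND:"):
            in_stack = False                    # the stack section ended on the previous line
        if "Following frames may be wrong" in line:
            rep.unwind_warning = True           # no unwind info: frames below are guesses
            continue
        if in_stack:
            if m := FRAME_RE.match(line):
                rep.frames.append(m.group(1))
            continue
        if m := MISSING_IMAGE_RE.match(line):
            rep.missing_images.append(m.group(1))
        elif m := EXC_CODE_RE.match(line):
            rep.exception_code = m.group(1).lower()
        elif m := KEY_RE.match(line):
            rep.fields[m.group(1)] = m.group(2).strip()
    return rep


def suspect_module(rep: CrashReport) -> Optional[str]:
    """Top-most frame that resolves to a module other than the crashing process's own image."""
    exe = rep.fields.get("PROCESS_NAME", "").rsplit(".", 1)[0].lower()
    for sym in rep.frames:
        mod = module_of(sym)
        if mod and mod.lower() != exe:
            return mod
    return None


def is_low_confidence(rep: CrashReport) -> bool:
    """True when WinDbg itself marked the analysis as unreliable (no symbols / bad unwind)."""
    return (rep.unwind_warning
            or rep.fields.get("FRAME_ONE_INVALID") == "1"
            or "WRONG_SYMBOLS" in rep.fields.get("BUGCHECK_STR", ""))


def non_windows_images(rep: CrashReport) -> List[str]:
    """Heuristic (mine, not WinDbg's): unloadable images outside C:\\WINDOWS are third-party candidates."""
    return [p for p in rep.missing_images if not p.lower().startswith(r"c:\windows")]


if __name__ == "__main__":
    r = parse_analyze(SAMPLE_ANALYZE)
    print(r.fields.get("IMAGE_NAME"), suspect_module(r), is_low_confidence(r), non_windows_images(r))
```

On the quoted output the script blames wnpy_StatusWnd, marks the result low-confidence (WRONG_SYMBOLS, FRAME_ONE_INVALID and the unwind warning all fire, because the vendor ships no symbols), and lists wnupdate.dll and wnpy_Query.dll from the same ShiQiang\wnime directory as the unloadable non-Windows images. That combination is the practical signal here: the blamed DLL and the other symbol-less images all come from one third-party input-method product loaded into winlogon.exe, and because it runs inside the logon process a null-pointer read in it takes the whole session down rather than a single user application, which is exactly why uninstalling that product fixed the machine.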

Original post: https://www.cnblogs.com/huigll/p/1944602.html