18,124
社区成员
发帖
与我相关
我的任务
分享诡异的蓝屏问题求助
小弟新来的,分不多,求大神帮忙,先谢了。
先介绍一下背景,有一台笔记本电脑A,进不了win7系统了,每次开机到window画面就重启,用PE启动也是到window画面重启,无法重装系统。但是把硬盘拆了可以用PE启动。(系统都是win7 x64)
网上搜了半天怀疑是中了病毒硬盘被逻辑锁了,遂将A的硬盘拿下,用转接口连到另一台完好的电脑B上,想要格式化一下。但是A硬盘连上B电脑后,当B电脑的右下角显示USB设备驱动装好后马上就蓝屏了(截图后面附1)。而且我试过好几台电脑,都这样,连上A硬盘就蓝屏。
根据蓝屏信息找到dump文件,用windbg查看信息如附2
实在没碰到过这样妖怪的问题,求大神帮助
附1:
附2,windbg的!analyze -v信息
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck 50, {fffff98014d00000, 0, fffff8800144cc75, 0}
Probably caused by : Ntfs.sys ( Ntfs+ec75 )
Followup: MachineOwner
---------
2: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except,
it must be protected by a Probe. Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: fffff98014d00000, memory referenced.
Arg2: 0000000000000000, value 0 = read operation, 1 = write operation.
Arg3: fffff8800144cc75, If non-zero, the instruction address which referenced the bad memory
address.
Arg4: 0000000000000000, (reserved)
Debugging Details:
ADDITIONAL_DEBUG_TEXT:
Use '!findthebuild' command to search for the target build information.
If the build information is available, run '!findthebuild -s ; .reload' to set symbol path and load symbols.
MODULE_NAME: Ntfs
FAULTING_MODULE: fffff80002062000 nt
DEBUG_FLR_IMAGE_TIMESTAMP: 52e1be8a
READ_ADDRESS: unable to get nt!MmSpecialPoolStart
unable to get nt!MmSpecialPoolEnd
unable to get nt!MmPoolCodeStart
unable to get nt!MmPoolCodeEnd
fffff98014d00000
FAULTING_IP:
Ntfs+ec75
fffff880`0144cc75 488b440af0 mov rax,qword ptr [rdx+rcx-10h]
MM_INTERNAL_CODE: 0
CUSTOMER_CRASH_COUNT: 1
DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT
BUGCHECK_STR: 0x50
CURRENT_IRQL: 0
LAST_CONTROL_TRANSFER: from fffff80002152217 to fffff800020d63c0
STACK_TEXT:
fffff880`02199208 fffff800`02152217 : 00000000`00000050 fffff980`14d00000 00000000`00000000 fffff880`02199370 : nt+0x743c0
fffff880`02199210 00000000`00000050 : fffff980`14d00000 00000000`00000000 fffff880`02199370 00000000`00000000 : nt+0xf0217
fffff880`02199218 fffff980`14d00000 : 00000000`00000000 fffff880`02199370 00000000`00000000 fffff880`02199370 : 0x50
fffff880`02199220 00000000`00000000 : fffff880`02199370 00000000`00000000 fffff880`02199370 00000000`00000000 : 0xfffff980`14d00000
STACK_COMMAND: .bugcheck ; kb
FOLLOWUP_IP:
Ntfs+ec75
fffff880`0144cc75 488b440af0 mov rax,qword ptr [rdx+rcx-10h]
SYMBOL_NAME: Ntfs+ec75
FOLLOWUP_NAME: MachineOwner
IMAGE_NAME: Ntfs.sys
BUCKET_ID: WRONG_SYMBOLS
Followup: MachineOwner
---------
2: kd> lmvm nt
start end module name
fffff800`02062000 fffff800`0264e000 nt T (no symbols)
Loaded symbol image file: ntoskrnl.exe
Image path: ntoskrnl.exe
Image name: ntoskrnl.exe
Timestamp: Fri Jan 22 13:06:31 2016 (56A1B8D7)
CheckSum: 00550B0D
ImageSize: 005EC000
Translations: 0000.04b0 0000.04e4 0409.04b0 0409.04e4
先介绍一下背景,有一台笔记本电脑A,进不了win7系统了,每次开机到window画面就重启,用PE启动也是到window画面重启,无法重装系统。但是把硬盘拆了可以用PE启动。(系统都是win7 x64)
网上搜了半天怀疑是中了病毒硬盘被逻辑锁了,遂将A的硬盘拿下,用转接口连到另一台完好的电脑B上,想要格式化一下。但是A硬盘连上B电脑后,当B电脑的右下角显示USB设备驱动装好后马上就蓝屏了(截图后面附1)。而且我试过好几台电脑,都这样,连上A硬盘就蓝屏。
根据蓝屏信息找到dump文件,用windbg查看信息如附2
实在没碰到过这样妖怪的问题,求大神帮助
附1:
附2,windbg的!analyze -v信息
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck 50, {fffff98014d00000, 0, fffff8800144cc75, 0}
Probably caused by : Ntfs.sys ( Ntfs+ec75 )
Followup: MachineOwner
---------
2: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except,
it must be protected by a Probe. Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: fffff98014d00000, memory referenced.
Arg2: 0000000000000000, value 0 = read operation, 1 = write operation.
Arg3: fffff8800144cc75, If non-zero, the instruction address which referenced the bad memory
address.
Arg4: 0000000000000000, (reserved)
Debugging Details:
ADDITIONAL_DEBUG_TEXT:
Use '!findthebuild' command to search for the target build information.
If the build information is available, run '!findthebuild -s ; .reload' to set symbol path and load symbols.
MODULE_NAME: Ntfs
FAULTING_MODULE: fffff80002062000 nt
DEBUG_FLR_IMAGE_TIMESTAMP: 52e1be8a
READ_ADDRESS: unable to get nt!MmSpecialPoolStart
unable to get nt!MmSpecialPoolEnd
unable to get nt!MmPoolCodeStart
unable to get nt!MmPoolCodeEnd
fffff98014d00000
FAULTING_IP:
Ntfs+ec75
fffff880`0144cc75 488b440af0 mov rax,qword ptr [rdx+rcx-10h]
MM_INTERNAL_CODE: 0
CUSTOMER_CRASH_COUNT: 1
DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT
BUGCHECK_STR: 0x50
CURRENT_IRQL: 0
LAST_CONTROL_TRANSFER: from fffff80002152217 to fffff800020d63c0
STACK_TEXT:
fffff880`02199208 fffff800`02152217 : 00000000`00000050 fffff980`14d00000 00000000`00000000 fffff880`02199370 : nt+0x743c0
fffff880`02199210 00000000`00000050 : fffff980`14d00000 00000000`00000000 fffff880`02199370 00000000`00000000 : nt+0xf0217
fffff880`02199218 fffff980`14d00000 : 00000000`00000000 fffff880`02199370 00000000`00000000 fffff880`02199370 : 0x50
fffff880`02199220 00000000`00000000 : fffff880`02199370 00000000`00000000 fffff880`02199370 00000000`00000000 : 0xfffff980`14d00000
STACK_COMMAND: .bugcheck ; kb
FOLLOWUP_IP:
Ntfs+ec75
fffff880`0144cc75 488b440af0 mov rax,qword ptr [rdx+rcx-10h]
SYMBOL_NAME: Ntfs+ec75
FOLLOWUP_NAME: MachineOwner
IMAGE_NAME: Ntfs.sys
BUCKET_ID: WRONG_SYMBOLS
Followup: MachineOwner
---------
2: kd> lmvm nt
start end module name
fffff800`02062000 fffff800`0264e000 nt T (no symbols)
Loaded symbol image file: ntoskrnl.exe
Image path: ntoskrnl.exe
Image name: ntoskrnl.exe
Timestamp: Fri Jan 22 13:06:31 2016 (56A1B8D7)
CheckSum: 00550B0D
ImageSize: 005EC000
Translations: 0000.04b0 0000.04e4 0409.04b0 0409.04e4
...全文
请发表友善的回复…
发表回复
snoopy2015 2016-03-10
- 打赏
- 举报
谢谢回复,已经解决了。
之前的做的PE没有工具箱,之后重做了一个有工具箱的用硬盘工具格了就好了。
怀疑是中了什么病毒,只能用PE工具箱里的不基于window的工具才能读取硬盘,其他只要在window环境下读取硬盘都重启或蓝屏(包括PE引导进PE的window也重启)
snoopy2015 2016-03-10
- 打赏
- 举报
谢谢你,我原来做的PE是不带各种硬盘工具的,经你提醒重新做了一个带工具的,用acronis把c盘格了,就能用PE启动了。
感觉是中了什么厉害的病毒
夜鹰 2016-03-09
- 打赏
- 举报
多问一下,A机进不了系统之前做了些什麽?
还有挂在B机上不要用USB转接线,直接接到SATA口上能格式化吗?
zara 2016-03-09
- 打赏
- 举报
看 stop 0x00000050 的解释和你的故障描述,应该是硬盘 ntfs 分区文件结构上出大问题了吧。
如果硬盘上没有必需的东西,用集成类的 PE 里的硬盘维护模块启动如 MHDD,直接清洗了它;如果有需要的,就麻烦了,恐怕只能先清了分区表,然后用 DiskGenius 这样的分区恢复软件恢复你所需要数据所在分区,然后看看是不是可以正常加载。
如果硬盘上没有必需的东西,用集成类的 PE 里的硬盘维护模块启动如 MHDD,直接清洗了它;如果有需要的,就麻烦了,恐怕只能先清了分区表,然后用 DiskGenius 这样的分区恢复软件恢复你所需要数据所在分区,然后看看是不是可以正常加载。
