[2k8R2] Windbg won't load symbols


  • FastFred
  • Registered: March 2009
Hello,

We have a server running 2008R2 that occasionally bluescreens; it has now happened about 5 or 6 times in total over the last 3 weeks.

The bugcheck is 0x000000F4 'Critical Object Termination'

I read the dump file with BlueScreenView from NirSoft; nothing interesting comes out of it, no file or driver is named as the culprit.

I then read up on the debugger from the Windows SDK. Installed it, found and installed the symbols, set the symbol path and loaded the dump file.

code:
Unable to load image \SystemRoot\system32\ntoskrnl.exe, Win32 error 0n2
*** WARNING: Unable to verify timestamp for ntoskrnl.exe
*** ERROR: Module load completed but symbols could not be loaded for ntoskrnl.exe
Loading Kernel Symbols



The symbols I installed can be found here.

I downloaded the following symbols and installed both, but have since also tried them separately from each other, without result.
Windows 7 Service Pack 1 x64 retail symbols, all languages (File size: 287 MB)
Windows 7 Service Pack 1 x64 checked symbols, all languages (File size: 262 MB)

When I run an analysis while it gives these error messages, csrss.exe comes out as the cause, but of course that is not certain because the symbols are not being loaded correctly, for whatever reason.

I have now set the following under the Symbol File Path setting: SRV*C:\symbols*http://msdl.microsoft.com/download/symbols. I then ran .reload and am now waiting for activity; it has been showing *BUSY* for about an hour and a half, but nothing seems to be happening. Yes, the server is connected to the internet.

Does anyone have a solution, or possibly a hint towards the cause of the bluescreens?

The server runs on a 3-month-old DL360 gen8, together with more than 30 other VMs under the latest version of VMware ESX. No other VM on this machine is having problems.

[ Edited 12% by FastFred on 18-09-2014 11:58 ]


  • Meekoh
  • Registered: April 2005
How big is your dump? .reload can sometimes take a while, especially if it is going to download all the symbols.
If csrss.exe is the cause, then you don't need to look for the cause in missing symbols.
The symbols are only used to display the stack trace in a reasonably normal (readable) way.
windbg doesn't in principle need them to determine where a fault lies.
!analyze looks at where the last exception came from

edit: What is the full output of !analyze -v?
Critical Object Termination means that a process that is critical to the working of Windows was killed/crashed, whatever. As a result, Windows forces a blue screen in order to reboot and get that process back.

[ Edited 25% by Meekoh on 18-09-2014 12:27 ]

Computer says no


  • FastFred
  • Registered: March 2009
The most recent dump is 284kb in size.

EDIT: that explains why it wasn't making progress, the debugger had hung in the background...

Restarted the debugger; this is the output of !analyze -v

code:
1: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

CRITICAL_OBJECT_TERMINATION (f4)
A process or thread crucial to system operation has unexpectedly exited or been
terminated.
Several processes and threads are necessary for the operation of the
system; when they are terminated (for any reason), the system can no
longer function.
Arguments:
Arg1: 0000000000000003, Process
Arg2: fffffa8005a8f060, Terminating object
Arg3: fffffa8005a8f340, Process image file name
Arg4: fffff800019d3270, Explanatory message (ascii)

Debugging Details:
------------------

***** Kernel symbols are WRONG. Please fix symbols to do analysis.

----- ETW minidump data unavailable-----
unable to get nt!KiCurrentEtwBufferOffset
unable to get nt!KiCurrentEtwBufferBase
*************************************************************************
***                                                                   ***
***                                                                   ***
***    Either you specified an unqualified symbol, or your debugger   ***
***    doesn't have full symbol information.  Unqualified symbol      ***
***    resolution is turned off by default. Please either specify a   ***
***    fully qualified symbol module!symbolname, or enable resolution ***
***    of unqualified symbols by typing ".symopt- 100". Note that   ***
***    enabling unqualified symbol resolution with network symbol     ***
***    server shares in the symbol path may cause the debugger to     ***
***    appear to hang for long periods of time when an incorrect      ***
***    symbol name is typed or the network symbol server is down.     ***
***                                                                   ***
***    For some commands to work properly, your symbol path           ***
***    must point to .pdb files that have full type information.      ***
***                                                                   ***
***    Certain .pdb files (such as the public OS symbols) do not      ***
***    contain the required information.  Contact the group that      ***
***    provided you with these symbols if you need this command to    ***
***    work.                                                          ***
***                                                                   ***
***    Type referenced: nt!_KPRCB                                     ***
***                                                                   ***
*************************************************************************
*************************************************************************
***                                                                   ***
***                                                                   ***
***    Either you specified an unqualified symbol, or your debugger   ***
***    doesn't have full symbol information.  Unqualified symbol      ***
***    resolution is turned off by default. Please either specify a   ***
***    fully qualified symbol module!symbolname, or enable resolution ***
***    of unqualified symbols by typing ".symopt- 100". Note that   ***
***    enabling unqualified symbol resolution with network symbol     ***
***    server shares in the symbol path may cause the debugger to     ***
***    appear to hang for long periods of time when an incorrect      ***
***    symbol name is typed or the network symbol server is down.     ***
***                                                                   ***
***    For some commands to work properly, your symbol path           ***
***    must point to .pdb files that have full type information.      ***
***                                                                   ***
***    Certain .pdb files (such as the public OS symbols) do not      ***
***    contain the required information.  Contact the group that      ***
***    provided you with these symbols if you need this command to    ***
***    work.                                                          ***
***                                                                   ***
***    Type referenced: nt!KPRCB                                      ***
***                                                                   ***
*************************************************************************
*************************************************************************
***                                                                   ***
***                                                                   ***
***    Either you specified an unqualified symbol, or your debugger   ***
***    doesn't have full symbol information.  Unqualified symbol      ***
***    resolution is turned off by default. Please either specify a   ***
***    fully qualified symbol module!symbolname, or enable resolution ***
***    of unqualified symbols by typing ".symopt- 100". Note that   ***
***    enabling unqualified symbol resolution with network symbol     ***
***    server shares in the symbol path may cause the debugger to     ***
***    appear to hang for long periods of time when an incorrect      ***
***    symbol name is typed or the network symbol server is down.     ***
***                                                                   ***
***    For some commands to work properly, your symbol path           ***
***    must point to .pdb files that have full type information.      ***
***                                                                   ***
***    Certain .pdb files (such as the public OS symbols) do not      ***
***    contain the required information.  Contact the group that      ***
***    provided you with these symbols if you need this command to    ***
***    work.                                                          ***
***                                                                   ***
***    Type referenced: nt!_KPRCB                                     ***
***                                                                   ***
*************************************************************************
*************************************************************************
***                                                                   ***
***                                                                   ***
***    Either you specified an unqualified symbol, or your debugger   ***
***    doesn't have full symbol information.  Unqualified symbol      ***
***    resolution is turned off by default. Please either specify a   ***
***    fully qualified symbol module!symbolname, or enable resolution ***
***    of unqualified symbols by typing ".symopt- 100". Note that   ***
***    enabling unqualified symbol resolution with network symbol     ***
***    server shares in the symbol path may cause the debugger to     ***
***    appear to hang for long periods of time when an incorrect      ***
***    symbol name is typed or the network symbol server is down.     ***
***                                                                   ***
***    For some commands to work properly, your symbol path           ***
***    must point to .pdb files that have full type information.      ***
***                                                                   ***
***    Certain .pdb files (such as the public OS symbols) do not      ***
***    contain the required information.  Contact the group that      ***
***    provided you with these symbols if you need this command to    ***
***    work.                                                          ***
***                                                                   ***
***    Type referenced: nt!KPRCB                                      ***
***                                                                   ***
*************************************************************************
*************************************************************************
***                                                                   ***
***                                                                   ***
***    Either you specified an unqualified symbol, or your debugger   ***
***    doesn't have full symbol information.  Unqualified symbol      ***
***    resolution is turned off by default. Please either specify a   ***
***    fully qualified symbol module!symbolname, or enable resolution ***
***    of unqualified symbols by typing ".symopt- 100". Note that   ***
***    enabling unqualified symbol resolution with network symbol     ***
***    server shares in the symbol path may cause the debugger to     ***
***    appear to hang for long periods of time when an incorrect      ***
***    symbol name is typed or the network symbol server is down.     ***
***                                                                   ***
***    For some commands to work properly, your symbol path           ***
***    must point to .pdb files that have full type information.      ***
***                                                                   ***
***    Certain .pdb files (such as the public OS symbols) do not      ***
***    contain the required information.  Contact the group that      ***
***    provided you with these symbols if you need this command to    ***
***    work.                                                          ***
***                                                                   ***
***    Type referenced: nt!_KPRCB                                     ***
***                                                                   ***
*************************************************************************
*************************************************************************
***                                                                   ***
***                                                                   ***
***    Either you specified an unqualified symbol, or your debugger   ***
***    doesn't have full symbol information.  Unqualified symbol      ***
***    resolution is turned off by default. Please either specify a   ***
***    fully qualified symbol module!symbolname, or enable resolution ***
***    of unqualified symbols by typing ".symopt- 100". Note that   ***
***    enabling unqualified symbol resolution with network symbol     ***
***    server shares in the symbol path may cause the debugger to     ***
***    appear to hang for long periods of time when an incorrect      ***
***    symbol name is typed or the network symbol server is down.     ***
***                                                                   ***
***    For some commands to work properly, your symbol path           ***
***    must point to .pdb files that have full type information.      ***
***                                                                   ***
***    Certain .pdb files (such as the public OS symbols) do not      ***
***    contain the required information.  Contact the group that      ***
***    provided you with these symbols if you need this command to    ***
***    work.                                                          ***
***                                                                   ***
***    Type referenced: nt!_KPRCB                                     ***
***                                                                   ***
*************************************************************************
*************************************************************************
***                                                                   ***
***                                                                   ***
***    Either you specified an unqualified symbol, or your debugger   ***
***    doesn't have full symbol information.  Unqualified symbol      ***
***    resolution is turned off by default. Please either specify a   ***
***    fully qualified symbol module!symbolname, or enable resolution ***
***    of unqualified symbols by typing ".symopt- 100". Note that   ***
***    enabling unqualified symbol resolution with network symbol     ***
***    server shares in the symbol path may cause the debugger to     ***
***    appear to hang for long periods of time when an incorrect      ***
***    symbol name is typed or the network symbol server is down.     ***
***                                                                   ***
***    For some commands to work properly, your symbol path           ***
***    must point to .pdb files that have full type information.      ***
***                                                                   ***
***    Certain .pdb files (such as the public OS symbols) do not      ***
***    contain the required information.  Contact the group that      ***
***    provided you with these symbols if you need this command to    ***
***    work.                                                          ***
***                                                                   ***
***    Type referenced: nt!_KPRCB                                     ***
***                                                                   ***
*************************************************************************
*************************************************************************
***                                                                   ***
***                                                                   ***
***    Either you specified an unqualified symbol, or your debugger   ***
***    doesn't have full symbol information.  Unqualified symbol      ***
***    resolution is turned off by default. Please either specify a   ***
***    fully qualified symbol module!symbolname, or enable resolution ***
***    of unqualified symbols by typing ".symopt- 100". Note that   ***
***    enabling unqualified symbol resolution with network symbol     ***
***    server shares in the symbol path may cause the debugger to     ***
***    appear to hang for long periods of time when an incorrect      ***
***    symbol name is typed or the network symbol server is down.     ***
***                                                                   ***
***    For some commands to work properly, your symbol path           ***
***    must point to .pdb files that have full type information.      ***
***                                                                   ***
***    Certain .pdb files (such as the public OS symbols) do not      ***
***    contain the required information.  Contact the group that      ***
***    provided you with these symbols if you need this command to    ***
***    work.                                                          ***
***                                                                   ***
***    Type referenced: nt!_KPRCB                                     ***
***                                                                   ***
*************************************************************************

ADDITIONAL_DEBUG_TEXT:  
You can run '.symfix; .reload' to try to fix the symbol path and load symbols.

MODULE_NAME: csrss

FAULTING_MODULE: 0000000000000000 

DEBUG_FLR_IMAGE_TIMESTAMP:  0

PROCESS_OBJECT: fffffa8005a8f060

IMAGE_NAME:  csrss.exe

CUSTOMER_CRASH_COUNT:  1

DEFAULT_BUCKET_ID:  WIN7_DRIVER_FAULT_SERVER

BUGCHECK_STR:  0xF4

CURRENT_IRQL:  0

STACK_TEXT:  
fffff880`067339c8 fffff800`01a5bab2 : 00000000`000000f4 00000000`00000003 fffffa80`05a8f060 fffffa80`05a8f340 : nt+0x75bc0
fffff880`067339d0 00000000`000000f4 : 00000000`00000003 fffffa80`05a8f060 fffffa80`05a8f340 fffff800`019d3270 : nt+0x403ab2
fffff880`067339d8 00000000`00000003 : fffffa80`05a8f060 fffffa80`05a8f340 fffff800`019d3270 fffff800`019c51f4 : 0xf4
fffff880`067339e0 fffffa80`05a8f060 : fffffa80`05a8f340 fffff800`019d3270 fffff800`019c51f4 fffffa80`05a8f060 : 0x3
fffff880`067339e8 fffffa80`05a8f340 : fffff800`019d3270 fffff800`019c51f4 fffffa80`05a8f060 fffff800`01a06abb : 0xfffffa80`05a8f060
fffff880`067339f0 fffff800`019d3270 : fffff800`019c51f4 fffffa80`05a8f060 fffff800`01a06abb ffffffff`ffffffff : 0xfffffa80`05a8f340
fffff880`067339f8 fffff800`019c51f4 : fffffa80`05a8f060 fffff800`01a06abb ffffffff`ffffffff fffffa80`05aec060 : nt+0x37b270
fffff880`06733a00 fffffa80`05a8f060 : fffff800`01a06abb ffffffff`ffffffff fffffa80`05aec060 fffffa80`05a8f060 : nt+0x36d1f4
fffff880`06733a08 fffff800`01a06abb : ffffffff`ffffffff fffffa80`05aec060 fffffa80`05a8f060 fffffa80`05a8f060 : 0xfffffa80`05a8f060
fffff880`06733a10 ffffffff`ffffffff : fffffa80`05aec060 fffffa80`05a8f060 fffffa80`05a8f060 ffffffff`ffffffff : nt+0x3aeabb
fffff880`06733a18 fffffa80`05aec060 : fffffa80`05a8f060 fffffa80`05a8f060 ffffffff`ffffffff 00000000`00000008 : 0xffffffff`ffffffff
fffff880`06733a20 fffffa80`05a8f060 : fffffa80`05a8f060 ffffffff`ffffffff 00000000`00000008 fffffa80`05a8f060 : 0xfffffa80`05aec060
fffff880`06733a28 fffffa80`05a8f060 : ffffffff`ffffffff 00000000`00000008 fffffa80`05a8f060 00000000`c0000005 : 0xfffffa80`05a8f060
fffff880`06733a30 ffffffff`ffffffff : 00000000`00000008 fffffa80`05a8f060 00000000`c0000005 fffffa80`05aec060 : 0xfffffa80`05a8f060
fffff880`06733a38 00000000`00000008 : fffffa80`05a8f060 00000000`c0000005 fffffa80`05aec060 fffff800`01985f04 : 0xffffffff`ffffffff
fffff880`06733a40 fffffa80`05a8f060 : 00000000`c0000005 fffffa80`05aec060 fffff800`01985f04 ffffffff`ffffffff : 0x8
fffff880`06733a48 00000000`c0000005 : fffffa80`05aec060 fffff800`01985f04 ffffffff`ffffffff 00000000`00000001 : 0xfffffa80`05a8f060
fffff880`06733a50 fffffa80`05aec060 : fffff800`01985f04 ffffffff`ffffffff 00000000`00000001 fffffa80`05a8f060 : 0xc0000005
fffff880`06733a58 fffff800`01985f04 : ffffffff`ffffffff 00000000`00000001 fffffa80`05a8f060 00000000`00000008 : 0xfffffa80`05aec060
fffff880`06733a60 ffffffff`ffffffff : 00000000`00000001 fffffa80`05a8f060 00000000`00000008 fffffa80`746c6644 : nt+0x32df04
fffff880`06733a68 00000000`00000001 : fffffa80`05a8f060 00000000`00000008 fffffa80`746c6644 fffff880`06733ae0 : 0xffffffff`ffffffff
fffff880`06733a70 fffffa80`05a8f060 : 00000000`00000008 fffffa80`746c6644 fffff880`06733ae0 00000000`00000000 : 0x1
fffff880`06733a78 00000000`00000008 : fffffa80`746c6644 fffff880`06733ae0 00000000`00000000 fffffa80`05a8f060 : 0xfffffa80`05a8f060
fffff880`06733a80 fffffa80`746c6644 : fffff880`06733ae0 00000000`00000000 fffffa80`05a8f060 00000000`00b2e430 : 0x8
fffff880`06733a88 fffff880`06733ae0 : 00000000`00000000 fffffa80`05a8f060 00000000`00b2e430 000007fe`fcba0000 : 0xfffffa80`746c6644
fffff880`06733a90 00000000`00000000 : fffffa80`05a8f060 00000000`00b2e430 000007fe`fcba0000 00000000`000053fc : 0xfffff880`06733ae0


STACK_COMMAND:  kb

FOLLOWUP_NAME:  MachineOwner

BUCKET_ID:  WRONG_SYMBOLS

Followup: MachineOwner
---------

[ Edited 98% by FastFred on 18-09-2014 13:16 ]



  • Meekoh
  • Registered: April 2005
OK, this is not from after you fixed the symbols.
Open the dump in windbg, then run:
code:
.sympath srv*c:\symbols*http://msdl.microsoft.com/download/symbols
.reload


After that, try !analyze -v again.
If your machine is connected to the Internet, it will fetch the correct symbols from Microsoft.

Computer says no
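
An added example, not part of the thread or of any poster's code: a Python sketch that reads a saved !analyze -v log and reports whether its verdict was produced with broken kernel symbols, using the markers visible in the output quoted above. The function name triage and the shortened sample log are assumptions made for illustration; the unresolved-frame count is a heuristic.

```python
import re

# Constructed sample: a shortened copy of the !analyze -v output quoted in the thread.
SAMPLE = """\
CRITICAL_OBJECT_TERMINATION (f4)
Arguments:
Arg1: 0000000000000003, Process
Arg2: fffffa8005a8f060, Terminating object
Arg3: fffffa8005a8f340, Process image file name
Arg4: fffff800019d3270, Explanatory message (ascii)
***** Kernel symbols are WRONG. Please fix symbols to do analysis.
MODULE_NAME: csrss
IMAGE_NAME:  csrss.exe
BUGCHECK_STR:  0xF4
STACK_TEXT:  
fffff880`067339c8 fffff800`01a5bab2 : 00000000`000000f4 00000000`00000003 fffffa80`05a8f060 fffffa80`05a8f340 : nt+0x75bc0
fffff880`067339d0 00000000`000000f4 : 00000000`00000003 fffffa80`05a8f060 fffffa80`05a8f340 fffff800`019d3270 : nt+0x403ab2
fffff880`067339d8 00000000`00000003 : fffffa80`05a8f060 fffffa80`05a8f340 fffff800`019d3270 fffff800`019c51f4 : 0xf4

STACK_COMMAND:  kb
BUCKET_ID:  WRONG_SYMBOLS
"""

HEADER = re.compile(r"^([A-Z_]+) \(([0-9a-f]+)\)$", re.M)
ARG = re.compile(r"^Arg([1-4]): ([0-9a-f]{16}), (.*)$", re.M)
FIELD = re.compile(r"^([A-Z_]+):[ \t]+(\S.*)$", re.M)
FRAME = re.compile(
    r"^[0-9a-f]{8}`[0-9a-f]{8} [0-9a-f]{8}`[0-9a-f]{8} : .* : (\S+)$", re.M)
# Messages the debugger printed in this thread when nt symbols failed to load.
SYMBOL_WARNINGS = (
    "Kernel symbols are WRONG",
    "symbols could not be loaded",
    "Unable to verify timestamp",
)


def triage(text):
    """Summarise an !analyze -v log and say whether its verdict can be trusted."""
    header = HEADER.search(text)
    fields = {k: v.strip() for k, v in FIELD.findall(text)}
    frames = FRAME.findall(text)
    # With matching PDBs a frame reads module!Function+0x..;
    # without them it is module+0x.. or a raw address (heuristic).
    unresolved = [f for f in frames if "!" not in f]
    problems = [w for w in SYMBOL_WARNINGS if w in text]
    if fields.get("BUCKET_ID") == "WRONG_SYMBOLS":
        problems.append("BUCKET_ID is WRONG_SYMBOLS")
    return {
        "bugcheck": header.group(1) if header else None,
        "code": int(header.group(2), 16) if header else None,
        "args": {int(n): (int(v, 16), d) for n, v, d in ARG.findall(text)},
        "image": fields.get("IMAGE_NAME"),
        "frames": len(frames),
        "unresolved_frames": len(unresolved),
        "symbol_problems": problems,
        # Trust the result only if no warning fired and some frame resolved.
        "symbols_ok": not problems and len(unresolved) < len(frames),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

When symbols_ok is false, the IMAGE_NAME and stack in the log should be treated as unverified until the symbol path is set and .reload has completed.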