Debugview

[phifou]

Je suis entierement d'accord avec toi, tu dois bien imaginé que si je me complique la vie ainsi c'est que le probléme est ardu.

 

Un Mvp m'aide a rechercher le probléme.

 

Le fait c'est que le pc plante de maniére aléatoire avec un laps de temps aléatoire.

 

Ce phénoméne ne se produit que quand le pc est connecté au w3.

 

J'ai changer de firewall, pour outpost, looknstop, za, c'est toujour le Fw qui fait planté Xp.

 

J'ai formatter le pc sans résultat, j'ai installer une version différente de celle livré avec le pc idem.

 

Tout mes drivers sont à jour, bios, chipset ....

 

Toujours ces foutu écran bleu.

 

ça fait 5 mois que je cherche d'où viens se probléme.

 

Dés que j'ai un dump correct je le poste.

 

Je te remercie du temps que tu m'a accordé.

[bigbernie]

Pas nécessite de remerciements pour une tentative de solution qui peut arriver à tout le monde en plus.

Il y a quelques mois j'ai eu, au shutdown et de maniere aleatoire un IRQ NOT LESS. Sans creation de dump evidemment sinon j'aurais trouve dans les minutes qui suivaient.

Concernant ce BSOD j'ai la totale question explications et solutions possibles, pour celui la comme pour les autres. Eh bien je n'ai jamais trouve en 3 mois.

Je n'avais rien installe comme driver ou periphs. Comme ça me le faisait une fois sur deux au shutdown et comme je coupe chaque semaine, aucune gene. J'aurais pu tenir 10 ans ! Bien evidemment aucune trace nulle part, tous les logs etaient parfaits.

Comme je devais changer de materiel j'ai patiente 2 mois et c'est parti avec le nouveau.

Si tu as un BSOD de cree tu auras une certaine chance. Il ne se creera que si c'est une application qui le cgénère. Si c'est kernel bernique!

Dans les cas ultimes il faut reunir 2 PC en reseau local (ou meme a distance) chaque PC etant munuidu debogueur XP en veille. Lors du prochain plantage, meme kernel, le PC a distance va capturer le dump du PC crashe.

 

Je te signale quand meme que la cause du plantage donnee dans ton log BSOD est

un driver de firewall.

Modifié le 17 juin 2005 par bigbernie

[phifou]

Je sais que c'est un driver de firewall, mais le probléme c'est que tous les firewall testé Outpost 2.6, Kpf 4.1.2, Looknstop , Sygate cause le mêm message.

 

C'est toujours un driver de Firewall, c'est tout simplement impossible.

 

Un je veux bien 2 passe encore mais tous impossible.

 

Quand à changer de Pc il est tout neufdonc j'hésite fortement.

 

amicalement

[bigbernie]

Quand meme pas changer de pc !

Un fichier systeme ou un process a du etre modifie par un de tes firewalls et maintenant il fait planter.

Par exemple dans le temps AOL avait l'habitude de modifier Winsock afin d'emmerder les concurrents lorsqu'un abonne voulait supprimer AOL. Le fait de mettre n'importe quel provider apres AOL et paf !

A noter que de nos jours c'est un peu pareil. AOL pas bon du tout pour s'en debarrasser.

Sans oublier le boisseau de puces de Norton !

Il faut donc tracer le BSOD de maniere a voir ce que ce driver a modifie comme processus. Une fois le .exe connu ça sera plus facile

Comme ce driver ne fait pas partie de XP il ne figure pas dans les bases et pas moyen de savoir a quoi il est relie.

Par exemple si je sais que mon antispy Microsoft qui s'appelle dans l'intimite GCAS me cause des problemes eh bien je vais le tracer et ça va me donner tout ce qu'il utilise. Je peux egalement partir de la dll ou du driver et remonter. Comme tu peux voir dans la capture plus bas.

Mais pour ton driver pas question de faire ça car il est inconnu.

 

[phifou]

Attends il vient de planté je te tonne le lien du Dump.

 

http://cjoint.com/?grq4tlHWqg

 

Message BSOD

 

 

 

Fwdrv.sys – Address F17A0084 base at F1794000, Date Stamp 3cbaab4f

 

 

 

Message Windows

 

 

 

Type de l'événement : Informations

 

Source de l'événement : Save Dump

 

Catégorie de l'événement : Aucun

 

ID de l'événement : 1001

 

Date : 17/06/2005

 

Heure : 16:33:48

 

Utilisateur : N/A

 

Ordinateur : WORKSTATION

 

Description :

 

L'ordinateur a redémarré après une vérification d'erreur. La vérification d'erreur était : 0x1000008e (0xc0000005, 0xf17a0084, 0xeb5e251c, 0x00000000). Un vidage a été enregistré dans : C:\WINDOWS\Minidump\Mini061705-01.dmp.

 

 

Alors une piste???

[bigbernie]

Voici l'analyse complete.

Tu as le nom du driver responsable ( ça apparait parfois dans le BSOD sans avoir besoin de l'analyser )

 

Si tu supprimes ce driver ça devrait aller non ?

 

A noter que l'equivalence des symboles = la traduction binaire, Microsoft en a refuse une bonne partie.

Je me demande quelle sorte de PC tu as ?

 

Microsoft ® Windows Debugger Version 6.3.0017.0

Copyright © Microsoft Corporation. All rights reserved.

 

 

Loading Dump File [G:\Downloads\grq4tlHWqg_Mini061705-01.dmp]

Mini Kernel Dump File: Only registers and stack trace are available

 

Symbol search path is: SRV*c:\Symbols*http://msdl.microsoft.com/download/symbols

Executable search path is:

*** ERROR: Symbol file could not be found. Defaulted to export symbols for ntkrnlmp.exe -

Windows XP Kernel Version 2600 (Service Pack 2) MP (2 procs) Free x86 compatible

Product: WinNt, suite: TerminalServer SingleUserTS Personal

Built by: 2600.xpsp_sp2_gdr.050301-1519

Kernel base = 0x804d7000 PsLoadedModuleList = 0x805624a0

Debug session time: Fri Jun 17 16:30:47 2005

System Uptime: 0 days 3:59:03.568

*** ERROR: Symbol file could not be found. Defaulted to export symbols for ntkrnlmp.exe -

Loading Kernel Symbols

................................................................................................................................

Loading unloaded module list

............

Loading User Symbols

*******************************************************************************

* *

* Bugcheck Analysis *

* *

*******************************************************************************

 

Use !analyze -v to get detailed debugging information.

 

BugCheck 1000008E, {c0000005, f17a0084, eb5e251c, 0}

 

***** Kernel symbols are WRONG. Please fix symbols to do analysis.

 

Unable to load image fwdrv.sys, Win32 error 2

*** WARNING: Unable to verify timestamp for fwdrv.sys

*** ERROR: Module load completed but symbols could not be loaded for fwdrv.sys

Unable to load image klmc.sys, Win32 error 2

*** WARNING: Unable to verify timestamp for klmc.sys

*** ERROR: Module load completed but symbols could not be loaded for klmc.sys

Probably caused by : fwdrv.sys ( fwdrv+c084 )

 

Followup: MachineOwner

---------

 

0: kd> analyze -v

*** WARNING: Unable to verify timestamp for nv4_disp.dll

*** ERROR: Module load completed but symbols could not be loaded for nv4_disp.dll

*** WARNING: Unable to verify timestamp for ATMFD.DLL

*** ERROR: Module load completed but symbols could not be loaded for ATMFD.DLL

*** WARNING: Unable to verify timestamp for PfModNT.sys

*** ERROR: Module load completed but symbols could not be loaded for PfModNT.sys

*** ERROR: Module load completed but symbols could not be loaded for srv.sys

*** WARNING: Unable to verify timestamp for adiusbaw.sys

*** ERROR: Module load completed but symbols could not be loaded for adiusbaw.sys

*** WARNING: Unable to verify timestamp for dump_iaStor.sys

*** ERROR: Module load completed but symbols could not be loaded for dump_iaStor.sys

*** WARNING: Unable to verify timestamp for klif.sys

Modifié le 17 juin 2005 par bigbernie

[bigbernie]

Suite

 

Avec les codes j'ai retrouve ton type d'erreur. Voici ce que dit Microsoft pour ton erreur qui est

 

!chkimg

 

 

The !chkimg extension detects corruption in the images of executable files by comparing them to the copy on a symbol store or other file repository.

 

Syntax

!chkimg [Options] [-mmw LogFile LogOptions] [Module]

Parameters

Options

Can include any combination of the following options:

-p SearchPath

If this is used, the debugger will recursively search SearchPath for the file before accessing the symbol server.

-f

Fixes errors in the image. Whenever the scan detects differences between the file on the symbol store and the image in memory, the contents of the file on the symbol store are copied over the image. If you are performing live debugging, you may wish to create a dump file before executing the !chkimg -f extension.

-nar

Prevents the mapped image of the file on the symbol server from being relocated. By default, once the copy of the file is located on the symbol server and mapped into memory, !chkimg applies relocations to the image of the file on the symbol server. If the -nar option is used, the image of the file from the server is not relocated. Note that the executable image already in memory — the one being scanned — will always have been relocated, because the debugger always applies relocations to images it loads. It is unlikely you will need to use this switch.

-ss SectionName

Limits the scan to those sections whose names contain the string SectionName. The scan will include any non-discardable section whose name contains this string. SectionName is case-sensitive and cannot exceed eight characters.

-as

Causes the scan to include all sections of the image except for discardable sections. By default (if neither -as nor -ss is included), the scan will skip sections that are writeable, sections that are not executable, and sections that have "PAGE" in their name, as well as discardable sections.

-r StartAddress EndAddress

Limits the scan to the memory range beginning with StartAddress and ending with EndAddress. Within this range, any sections that would normally be scanned will be scanned. If a section partially overlaps with this range, only that portion of the section that overlaps with this range will be scanned. The scan will be limited to this range even if the -as or -ss switches are used as well.

-nospec

Causes the scan to include the reserved sections of hal.dll and ntoskrnl.dll. By default, certain parts of these files are not checked by !chkimg.

-noplock

Causes correspondences between a byte value of 0x90 (a nop instruction) and a byte value of 0xF0 (a lock instruction) to be displayed as a mismatch. The default is not to display these correspondences.

-d

Causes the debugger to display a summary of all mismatched areas while the scan is occurring. For a description of this summary text, see the Comments section.

-v

Causes verbose information to be displayed.

-mmw

Creates a log file and records the activity of !chkimg in this file. Each line of the log file will represent a single mismatch.

LogFile

Specifies the full path and filename of the log file. If a relative path is specified it is taken to be relative to the current path.

LogOptions

Specifies the contents of the log file. LogOptions is a string made from a concatenation of various letters. Each line in the log file will contain a number of columns, separated by commas; these columns will include the items specified by the following option letters, in the order the letters appear in the LogOptions string. The following options can be included more than once, and at least one option must be included: Log option Information included in log file

v The virtual address of the mismatch

r The offset (relative address) of the mismatch within the module

s The symbol corresponding to the address of the mismatch

S The name of the section containing the mismatch

e The correct value that was expected at the mismatch location

w The incorrect value that actually was at the mismatch location

 

 

LogOptions can also include some or none of the following additional options: Log option Effect

o If a file with the name LogFile already exists, it will be overwritten. The default is to append new information to the end of any existing file.

tString Adds an extra column to the log file. Each entry in this column will contain String. The tString option is useful if you are appending new information to an existing log file and you wish to be able to distinguish the new records from the old. There can be no space between the t and String. If this option is used, it must be the final option in LogOptions, because String will be taken to include all characters present before the next space.

 

 

 

For example, if LogOptions is rSewo, each line of the log file will contain the relative address and section name of the mismatch location, the expected and the actual values at that location, and any previous file will be overwritten. You can use the -mmw switch multiple times if you want several log files to be created with different options. Up to ten simultaneous log files can be created.

 

Module

Specifies the module to be checked. Module can be the name of the module, the starting address of the module, or any address contained in the module. If Module is omitted, the module containing the current instruction pointer is used.

DLL

Windows NT 4.0 ext.dll

Windows 2000 ext.dll

Windows XP and later ext.dll

 

 

This extension command can only be used with an x86 target computer.

 

Comments

When !chkimg is used, it compares the image of an executable file in memory to the copy of the file residing on a symbol store.

 

All sections of the file are compared, except for sections that are discardable, sections that are writeable, sections that are not executable, and sections that have "PAGE" in their name. This behavior can be altered by using the -ss, -as, or -r switches.

 

Any mismatch between the image and the file will be displayed by !chkimg as an image error, with the following exceptions:

 

Addresses occupied by the Import Address Table (IAT) are not checked.

Certain specific addresses within hal.dll and ntoskrnl.exe are not checked, because certain changes occur when these sections are loaded. If you wish to check these addresses, you should specify the -nospec option.

If the byte value 0x90 is present in the file, and the value 0xF0 is present in the corresponding byte of the image — or vice-versa — this is considered to be a match. The reason for this is that often the symbol server will hold a single version of a binary that exists in both uniprocessor and multiprocessor versions. On an x86 processor, the lock instruction is 0xF0, and this corresponds to a nop (0x90) instruction in the uniprocessor version. If you want !chkimg to display this as a mismatch, you should specify the -noplock option.

Note If you use the -f option to fix image mismatches, !chkimg will fix only those mismatches which it considers to be errors. For example, it will not change an 0x90 byte to an 0xF0 byte unless -noplock is specified.

 

When the -d options is used, !chkimg will display a summary of all mismatched areas while the scan is occurring. Each mismatch will be displayed on two lines. The first line includes the start of the range, the end of the range, the size of the range, the symbol name and offset corrsponding to the start of the range, and the number of bytes since the last error (in parentheses). The second line is enclosed in brackets, and includes the hexadecimal byte values that were expected, a colon, and then the hexadecimal byte values that were actually encountered in the image. If the range is longer than eight bytes, only the first eight bytes are shown before the colon and after the colon. Here is an example:

 

be000015-be000016 2 bytes - win32k!VeryUsefulFunction+15 (0x8)

[ 85 dd:95 23 ]

 

Sometimes a driver can alter part of the Windows kernel by using hooks, redirection, or other methods. Even a driver that is no longer on the stack may have altered part of the kernel. The !chkimg extension can be used as a file comparison tool to determine which parts of the Windows kernel (or any other image) are being altered by drivers, and exactly how they are being changed. This is most effective on full dump files.

 

You can also combine !chkimg with the !for_each_module extension to check the image of each loaded module:

[phifou]

Je ne peux pas supprimer ce driver c'est celui de mon parefeu.

 

Autre chose, désolé d'être lourd mais je ne comprends rien à ce que tu as posté, je ne parle pas anglais.

 

Si tu peux me dire ce que je dois télécharger ou remplacer en français je préférerais.

 

Je suis heureux de voir une lueur d'espoir dans cette m...de.

 

Merci

[bigbernie]

Ecoute, tu as un droiver de pare feu qui te cause des tas d'emmerdes et tu ne veux pas le supprimer. C'est ton probleme.

Supprime tous tes pare feux et utilise celui de XP.

C'est ce que je fais. Il arrete absolument toutes les tentatives d'intrusion et toutes les attaques. Jamais il n'a permis quoi que ce soit lorsque je me fais attaquer pour tester mes ports.

La seule difference avec certains pare feux pro c'est qu'il laisse sortir les trojans qui seraient rentres.

A partir du moment ou ça n'entre pas ou est le probleme ?

Tu connais la raison et la solution depuis ton premier post et tu ne veux pas l'appliquer.

J'espere pour toi que le pare feu de XP ne va pas deconner car alors la !!!!

Ce pare feu est totalement efficace et totalement suffisant.

Il laisse sortir ! Rien a cirer !

[phifou]

Pas besoin de s'ennerver, j'ai compris.

 

Je pensais simplement que vu ton post rallongé il y avait une solution donné par Ms ce qui m'aurait permis de garder mon Fw.

 

Je vais donc m'orienté en premier lieu vers la version Outpost 2.7 avant de prendre le Fw de MS, car je veux filtrer le out.

 

Je ne suis pas le seul a utiliser ce pc.

 

Merci