http://www.fergo.co/2011/11/windows-crash-dump-analysis.html
I went on a quest to see if I could find a way to reproduce bug check 0xc0000135 STATUS_DLL_NOT_FOUND, and I met a couple of interesting bug checks along the way. The first is 0x0000006B PROCESS1_INITIALIZATION_FAILED. This is a pretty rare bug check on the Windows platform (Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, and Windows 8); I've never seen it appear in the forums, and the Google keyword tool indicates that it is not searched for very often.

This is a bug check that is caused by a missing system file (in my case, I deleted ntdll.dll with a LiveCD). The analysis of the dump yields only one piece of information: that a DLL was not loaded on the kernel's call to PsLocateSystemDlls. Parameter 1 lists the exception code (I show it here with more information):
# for hex 0xc0000034 / decimal -1073741772 :
STATUS_OBJECT_NAME_NOT_FOUND ntstatus.h
# Object Name not found.
# 1 matches found for "c0000034"
From the minidump it is impossible to tell what was missing:
kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
PROCESS1_INITIALIZATION_FAILED (6b)
Arguments:
Arg1: ffffffffc0000034, Indicates the NT status code that caused the failure.
Arg2: 0000000000000002, (reserved)
Arg3: 0000000000000000
Arg4: 0000000000000000
Debugging Details:
------------------
CUSTOMER_CRASH_COUNT: 1
DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT
BUGCHECK_STR: 0x6B
PROCESS_NAME: System
CURRENT_IRQL: 0
LAST_CONTROL_TRANSFER: from fffff80002ac231d to fffff8000267df00
STACK_TEXT:
... : nt!KeBugCheckEx
... : nt!PsLocateSystemDlls+0xbd
... : nt!IoInitSystem+0x85d
... : nt!Phase1InitializationDiscard+0x1290
... : nt!Phase1Initialization+0x9
... : nt!PspSystemThreadStartup+0x5a
... : nt!KxStartSystemThread+0x16
STACK_COMMAND: kb
FOLLOWUP_IP:
nt!PsLocateSystemDlls+bd
fffff800`02ac231d cc int 3
SYMBOL_STACK_INDEX: 1
SYMBOL_NAME: nt!PsLocateSystemDlls+bd
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: nt
IMAGE_NAME: ntkrnlmp.exe
DEBUG_FLR_IMAGE_TIMESTAMP: 4a5bc600
FAILURE_BUCKET_ID: X64_0x6B_nt!PsLocateSystemDlls+bd
BUCKET_ID: X64_0x6B_nt!PsLocateSystemDlls+bd
Followup: MachineOwner
---------
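Arg1 above is the 32-bit NTSTATUS shown sign-extended to 64 bits, which is why ffffffffc0000034, 0xc0000034 and -1073741772 all name the same code. The following Python is an added example, not part of the original post; the function names are hypothetical and the name table covers only the two status values this page mentions.

```python
import re

# NTSTATUS names limited to the two values this page mentions.
KNOWN_STATUS = {
    0xC0000034: "STATUS_OBJECT_NAME_NOT_FOUND",
    0xC0000135: "STATUS_DLL_NOT_FOUND",
}
SEVERITY = ["SUCCESS", "INFORMATIONAL", "WARNING", "ERROR"]

# Constructed sample: the header lines of the !analyze -v output shown above.
SAMPLE = """\
PROCESS1_INITIALIZATION_FAILED (6b)
Arguments:
Arg1: ffffffffc0000034, Indicates the NT status code that caused the failure.
Arg2: 0000000000000002, (reserved)
Arg3: 0000000000000000
Arg4: 0000000000000000
"""

def decode_ntstatus(raw):
    """Split a bug check argument into NTSTATUS fields.

    The debugger shows the 32-bit status sign-extended to 64 bits, so the
    upper half is masked off before the fields are read.
    """
    status = raw & 0xFFFFFFFF
    signed = status - (1 << 32) if status & 0x80000000 else status
    return {
        "hex": f"0x{status:08x}",
        "signed": signed,                       # value as a signed 32-bit integer
        "severity": SEVERITY[status >> 30],     # bits 31-30
        "customer": bool(status & 0x20000000),  # bit 29
        "facility": (status >> 16) & 0x0FFF,    # bits 27-16
        "code": status & 0xFFFF,                # bits 15-0
        "name": KNOWN_STATUS.get(status, "unknown"),
    }

def parse_analyze(text):
    """Return (bug check name, bug check code, [Arg1..Arg4]) from !analyze -v text."""
    head = re.search(r"^(\w+) \(([0-9a-fA-F]+)\)\s*$", text, re.M)
    args = [int(v, 16) for v in re.findall(r"^Arg\d: ([0-9a-fA-F]+)", text, re.M)]
    return head.group(1), int(head.group(2), 16), args

if __name__ == "__main__":
    name, code, args = parse_analyze(SAMPLE)
    print(name, hex(code), decode_ntstatus(args[0]))
```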
The fix was easy; running Startup Repair fixed the problem fairly immediately:
Startup Repair diagnosis and repair log
---------------------------
Last successful boot time: 12/30/2011 9:24:54 PM (GMT)
Number of repair attempts: 1
Session details
---------------------------
System Disk = \Device\Harddisk0
Windows directory = D:\Windows
AutoChk Run = 0
Number of root causes = 1
Test Performed:
---------------------------
Name: Check for updates
Result: Completed successfully. Error code = 0x0
Time taken = 0 ms
Test Performed:
---------------------------
Name: System disk test
Result: Completed successfully. Error code = 0x0
Time taken = 0 ms
Test Performed:
---------------------------
Name: Disk failure diagnosis
Result: Completed successfully. Error code = 0x0
Time taken = 0 ms
Test Performed:
---------------------------
Name: Disk metadata test
Result: Completed successfully. Error code = 0x0
Time taken = 47 ms
Test Performed:
---------------------------
Name: Target OS test
Result: Completed successfully. Error code = 0x0
Time taken = 31 ms
Test Performed:
---------------------------
Name: Volume content check
Result: Completed successfully. Error code = 0x0
Time taken = 188 ms
Test Performed:
---------------------------
Name: Boot manager diagnosis
Result: Completed successfully. Error code = 0x0
Time taken = 62 ms
Test Performed:
---------------------------
Name: System boot log diagnosis
Result: Completed successfully. Error code = 0x0
Time taken = 0 ms
Test Performed:
---------------------------
Name: Event log diagnosis
Result: Completed successfully. Error code = 0x0
Time taken = 94 ms
Test Performed:
---------------------------
Name: Internal state check
Result: Completed successfully. Error code = 0x0
Time taken = 0 ms
Test Performed:
---------------------------
Name: Boot status test
Result: Completed successfully. Error code = 0x0
Time taken = 0 ms
Test Performed:
---------------------------
Name: Setup state check
Result: Completed successfully. Error code = 0x0
Time taken = 453 ms
Test Performed:
---------------------------
Name: Registry hives test
Result: Completed successfully. Error code = 0x0
Time taken = 3453 ms
Test Performed:
---------------------------
Name: Windows boot log diagnosis
Result: Completed successfully. Error code = 0x0
Time taken = 16 ms
Test Performed:
---------------------------
Name: Bugcheck analysis
Result: Completed successfully. Error code = 0x0
Time taken = 828 ms
Root cause found:
---------------------------
Bugcheck 6b. Parameters = 0xffffffffc0000034, 0x2, 0x0, 0x0.
Boot critical file d:\windows\system32\ntdll.dll is missing.
Repair action: File repair
Result: Completed successfully. Error code = 0x0
Time taken = 6469 ms
---------------------------
---------------------------
For other cases, it may be necessary to perform further analysis as to why the file disappeared (possibly due to memory or hard drive issues). For most cases, running startup repair or an offline integrity verification should be enough to restore the file and get the system running again.
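When the same question has to be answered for several machines, the root-cause section of a Startup Repair log like the one above can be extracted programmatically. The following Python is an added example, not part of the original post; the function name is hypothetical and the root-cause pattern covers only the missing-file wording shown above.

```python
import re

# Constructed sample: the Startup Repair log layout above, trimmed to two tests.
SAMPLE_LOG = """\
Test Performed:
---------------------------
Name: Registry hives test
Result: Completed successfully. Error code = 0x0
Time taken = 3453 ms
Test Performed:
---------------------------
Name: Bugcheck analysis
Result: Completed successfully. Error code = 0x0
Time taken = 828 ms
Root cause found:
---------------------------
Bugcheck 6b. Parameters = 0xffffffffc0000034, 0x2, 0x0, 0x0.
Boot critical file d:\\windows\\system32\\ntdll.dll is missing.
Repair action: File repair
Result: Completed successfully. Error code = 0x0
Time taken = 6469 ms
"""

TEST_RE = re.compile(
    r"^Name: (?P<name>.+)\nResult: .+? Error code = (?P<err>0x[0-9a-fA-F]+)$", re.M)
# Covers only the missing-file root cause shown on this page.
ROOT_RE = re.compile(
    r"^Bugcheck (?P<code>[0-9a-fA-F]+)\. Parameters = (?P<params>.+?)\.\n"
    r"Boot critical file (?P<file>.+) is missing\.\n"
    r"Repair action: (?P<action>.+)\n"
    r"Result: .+? Error code = (?P<err>0x[0-9a-fA-F]+)$", re.M)

def parse_repair_log(text):
    """Summarise a Startup Repair log: tests run, failed tests, root cause."""
    text = text.replace("\r\n", "\n")  # the log may use Windows line endings
    tests = [(m["name"], int(m["err"], 16)) for m in TEST_RE.finditer(text)]
    root = None
    m = ROOT_RE.search(text)
    if m:
        root = {
            "bugcheck": int(m["code"], 16),
            "params": [int(p, 16) for p in m["params"].split(", ")],
            "missing_file": m["file"].lower(),
            "repaired": int(m["err"], 16) == 0,
        }
    failed = [name for name, err in tests if err != 0]
    return {"tests_run": len(tests), "failed_tests": failed, "root_cause": root}
```

A root_cause of None means the log did not contain the missing-file wording, not that the system is healthy.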