Автор: netspysv
Дата сообщения: 27.01.2009 12:29
Народ помогите пожалуйста! На нескольких машинах ~80 шт. установлен набор Acronis True Image Echo Workstation 9.5.8163 Rus + Agent (из комплекта) и Disk Director SUITE 10.2169 Rus. Проблема в периодическом появлении BSOD 10000050 (реже 1000007F) на нескольких пк (~ 20), анализ минидампа показал что виноват (Acronis) snapman.sys:
_______________________________________________________________________________
WinDbg: BSOD 10000050
Symbol search path is: C:\WINDOWS\Symbols
Executable search path is:
Unable to load image ntoskrnl.exe, Win32 error 0n2
*** WARNING: Unable to verify timestamp for ntoskrnl.exe
Windows XP Kernel Version 2600 (Service Pack 3) MP (2 procs) Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055d720
Debug session time: Mon Jan 26 11:30:53.014 2009 (GMT+2)
System Uptime: 2 days 17:29:59.878
Unable to load image ntoskrnl.exe, Win32 error 0n2
*** WARNING: Unable to verify timestamp for ntoskrnl.exe
Loading Kernel Symbols
................................................................................................................................
Loading User Symbols
Loading unloaded module list
...........................
Unable to load image snapman.sys, Win32 error 0n2
*** WARNING: Unable to verify timestamp for snapman.sys
*** ERROR: Module load completed but symbols could not be loaded for snapman.sys
BugCheck 10000050, {9df0b084, 0, 804ef19b, 0}
Could not read faulting driver name
Probably caused by : snapman.sys ( snapman+14e8f )
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except,
it must be protected by a Probe. Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: 9df0b084, memory referenced.
Arg2: 00000000, value 0 = read operation, 1 = write operation.
Arg3: 804ef19b, If non-zero, the instruction address which referenced the bad memory
address.
Arg4: 00000000, (reserved)
Debugging Details:
------------------
Could not read faulting driver name
READ_ADDRESS: 9df0b084
FAULTING_IP:
nt!IoSynchronousPageWrite+b5
804ef19b ff548638 call dword ptr [esi+eax*4+38h]
MM_INTERNAL_CODE: 0
CUSTOMER_CRASH_COUNT: 1
DEFAULT_BUCKET_ID: DRIVER_FAULT
BUGCHECK_STR: 0x50
PROCESS_NAME: TrueImage.exe
LAST_CONTROL_TRANSFER: from ba592e8f to 804ef19b
STACK_TEXT:
b31beb18 ba592e8f 00074004 00000000 00000000 nt!IoSynchronousPageWrite+0xb5
WARNING: Stack unwind information not available. Following frames may be wrong.
b31beb30 00000000 00000000 00000000 81b858f8 snapman+0x14e8f
STACK_COMMAND: kb
FOLLOWUP_IP:
snapman+14e8f
ba592e8f ?? ???
SYMBOL_STACK_INDEX: 1
SYMBOL_NAME: snapman+14e8f
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: snapman
IMAGE_NAME: snapman.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 47f29815
FAILURE_BUCKET_ID: 0x50_snapman+14e8f
BUCKET_ID: 0x50_snapman+14e8f
Followup: MachineOwner
_______________________________________________________________________________
WinDbg: BSOD 1000007F
BugCheck 1000007F, {8, 80042000, 0, 0}
Probably caused by : Unknown_Image ( ANALYSIS_INCONCLUSIVE )
Followup: MachineOwner
---------
0: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
UNEXPECTED_KERNEL_MODE_TRAP_M (1000007f)
This means a trap occurred in kernel mode, and it's a trap of a kind
that the kernel isn't allowed to have/catch (bound trap) or that
is always instant death (double fault). The first number in the
bugcheck params is the number of the trap (8 = double fault, etc)
Consult an Intel x86 family manual to learn more about what these
traps are. Here is a *portion* of those codes:
If kv shows a taskGate
use .tss on the part before the colon, then kv.
Else if kv shows a trapframe
use .trap on that value
Else
.trap on the appropriate frame will show where the trap was taken
(on x86, this will be the ebp that goes with the procedure KiTrap)
Endif
kb will then show the corrected stack.
Arguments:
Arg1: 00000008, EXCEPTION_DOUBLE_FAULT
Arg2: 80042000
Arg3: 00000000
Arg4: 00000000
Debugging Details:
------------------
BUGCHECK_STR: 0x7f_8
CUSTOMER_CRASH_COUNT: 1
DEFAULT_BUCKET_ID: DRIVER_FAULT
PROCESS_NAME: TrueImageServic
UNALIGNED_STACK_POINTER: a1ba9b21
LAST_CONTROL_TRANSFER: from 00000000 to ccccccd8
STACK_TEXT:
848bef40 00000000 81f5a644 81f5a644 00000001 0xccccccd8
STACK_COMMAND: kb
SYMBOL_NAME: ANALYSIS_INCONCLUSIVE
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: Unknown_Module
IMAGE_NAME: Unknown_Image
DEBUG_FLR_IMAGE_TIMESTAMP: 0
BUCKET_ID: ZEROED_STACK
Followup: MachineOwner
_______________________________________________________________________________
Причем сбой происходит либо при подключении по RDP при активном консольном сеансе (активирован TS-Free-1.1), но не всегда либо тоже не всегда при запланированном задании по бэкапу раздела. C железом вроде как все ок, кроме выше указанных сбоев проблем нет. Пробовал удалять Agent и DiskDirector c последующей чисткой реестра - непомогло, хотя субъективно проблем стала возникать реже. Помогает только полное удаление продуктов Acronis. Из используемого ПО:
Windows XP SP3 Rus Corp
NOD32 2.7
COMODO Firewall 3 либо COMODO Internet Security 3.5
GFI EndPointSecurity Agent
DameWare Remote Control Agent
еще раз прошу помощи, может кто сталкивался с подобной ситуацией ?
