上周遇到的系统重启问题，得到Dump求分析~

Question

Microsoft (R) Windows Debugger  Version 6.7.0005.1
Copyright (c) Microsoft Corporation. All rights reserved.

Loading Dump File [C:\Users\Michelle\Desktop\MEMORY.DMP]
Kernel Summary Dump File: Only kernel address space is available

Symbol search path is: SRV*C:\Symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows Kernel Version 7601 (Service Pack 1) MP (64 procs) Free x64
Product: Server, suite: Enterprise TerminalServer
Built by: 7601.23677.amd64fre.win7sp1_ldr.170209-0600
Kernel base = 0xfffff800`02604000 PsLoadedModuleList = 0xfffff800`02846730
Debug session time: Fri Nov 30 16:20:38.309 2018 (GMT+8)
System Uptime: 386 days 22:42:18.097
Loading Kernel Symbols
.................................................................................................................................................
Loading User Symbols
PEB is paged out (Peb.Ldr = 000007ff`fffd8018).  Type ".hh dbgerr001" for details
Loading unloaded module list
..................................................
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 3B, {c0000005, fffff88009fcee54, fffff88023f78d40, 0}

Probably caused by : rdpdr.sys ( rdpdr!CTransportVC::CloseChannels+18 )

Followup: MachineOwner
---------

48: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

SYSTEM_SERVICE_EXCEPTION (3b)
An exception happened while executing a system service routine.
Arguments:
Arg1: 00000000c0000005, Exception code that caused the bugcheck
Arg2: fffff88009fcee54, Address of the exception record for the exception that caused the bugcheck
Arg3: fffff88023f78d40, Address of the context record for the exception that caused the bugcheck
Arg4: 0000000000000000, zero.

Debugging Details:
------------------

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - 0x%p

FAULTING_IP:
rdpdr!CTransportVC::CloseChannels+18
fffff880`09fcee54 488b4148        mov     rax,qword ptr [rcx+48h]

CONTEXT:  fffff88023f78d40 -- (.cxr 0xfffff88023f78d40)
rax=0000000000000001 rbx=0000000000000000 rcx=0000000000000000
rdx=0000000000000001 rsi=0000000000000000 rdi=fffffa803388c0b0
rip=fffff88009fcee54 rsp=fffff88023f79720 rbp=0000000000000001
 r8=0000000000000000  r9=0000000000000000 r10=002d005000440052
r11=fffff88023f79880 r12=000000000000493a r13=0000000000000000
r14=000000000000493a r15=0000000000000003
iopl=0         nv up ei ng nz na pe nc
cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00010282
rdpdr!CTransportVC::CloseChannels+0x18:
fffff880`09fcee54 488b4148        mov     rax,qword ptr [rcx+48h] ds:002b:00000000`00000048=????????????????
Resetting default scope

DEFAULT_BUCKET_ID:  VISTA_DRIVER_FAULT

BUGCHECK_STR:  0x3B

PROCESS_NAME:  svchost.exe

CURRENT_IRQL:  0

LAST_CONTROL_TRANSFER:  from fffff88009fcbd7b to fffff88009fcee54

STACK_TEXT: 
fffff880`23f79720 fffff880`09fcbd7b : 00000000`00000000 00000000`00000001 00000000`00000000 fffff880`09fcb6d5 : rdpdr!CTransportVC::CloseChannels+0x18
fffff880`23f79760 fffff880`09fcb5c9 : 00000000`00000000 fffffa80`20c0ef50 00000000`00000000 00000000`0000493a : rdpdr!CVCSession::Disconnect+0x7b
fffff880`23f797b0 fffff880`09fcb43b : 00000000`00000000 fffff880`23f79880 fffffa80`3388c0b0 fffffa80`20c0ef50 : rdpdr!CDynVC::NotifySessionDisconnected+0x71
fffff880`23f797e0 fffff880`09fcd0fc : 00000000`00003020 fffffa80`20c04870 00000000`0233e280 fffffa80`4e814cc8 : rdpdr!CDynVC::NotifySessionConnected+0x47
fffff880`23f79830 fffff880`09fcb020 : 00000000`00003924 fffff8a0`09e10afe fffffa80`23297860 fffff880`23f79920 : rdpdr!CFileVC::DeviceIoControl+0x15c
fffff880`23f79910 fffff880`09fbaa19 : fffffa80`23297860 fffff8a0`09e10af0 00000000`00000000 fffffa80`19ae84b0 : rdpdr!DYNVC_Dispatch+0x70
fffff880`23f79940 fffff800`029832ca : 00000000`00000002 00000000`00000002 fffffa80`24c06110 fffffa80`23297860 : rdpdr!DrPeekDispatch+0x61
fffff880`23f79990 fffff800`0299756a : fffffa80`24c06110 fffffa80`24c06110 fffffa80`24c06110 fffff880`03516180 : nt!IopSynchronousServiceTail+0xfa
fffff880`23f79a00 fffff800`02997606 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!IopXxxControlFile+0xc27
fffff880`23f79b40 fffff800`026726d3 : 00000000`00000018 00000000`0233ea50 00000000`0233e770 00000000`01e0fc40 : nt!NtDeviceIoControlFile+0x56
fffff880`23f79bb0 00000000`777abdaa : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13
00000000`0233e0f8 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x777abdaa

FOLLOWUP_IP:
rdpdr!CTransportVC::CloseChannels+18
fffff880`09fcee54 488b4148        mov     rax,qword ptr [rcx+48h]

SYMBOL_STACK_INDEX:  0

SYMBOL_NAME:  rdpdr!CTransportVC::CloseChannels+18

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: rdpdr

IMAGE_NAME:  rdpdr.sys

DEBUG_FLR_IMAGE_TIMESTAMP:  4ce7abc1

STACK_COMMAND:  .cxr 0xfffff88023f78d40 ; kb

FAILURE_BUCKET_ID:  X64_0x3B_rdpdr!CTransportVC::CloseChannels+18

BUCKET_ID:  X64_0x3B_rdpdr!CTransportVC::CloseChannels+18

Followup: MachineOwner
---------

48: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

SYSTEM_SERVICE_EXCEPTION (3b)
An exception happened while executing a system service routine.
Arguments:
Arg1: 00000000c0000005, Exception code that caused the bugcheck
Arg2: fffff88009fcee54, Address of the exception record for the exception that caused the bugcheck
Arg3: fffff88023f78d40, Address of the context record for the exception that caused the bugcheck
Arg4: 0000000000000000, zero.

Debugging Details:
------------------

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - 0x%p

FAULTING_IP:
rdpdr!CTransportVC::CloseChannels+18
fffff880`09fcee54 488b4148        mov     rax,qword ptr [rcx+48h]

CONTEXT:  fffff88023f78d40 -- (.cxr 0xfffff88023f78d40)
rax=0000000000000001 rbx=0000000000000000 rcx=0000000000000000
rdx=0000000000000001 rsi=0000000000000000 rdi=fffffa803388c0b0
rip=fffff88009fcee54 rsp=fffff88023f79720 rbp=0000000000000001
 r8=0000000000000000  r9=0000000000000000 r10=002d005000440052
r11=fffff88023f79880 r12=000000000000493a r13=0000000000000000
r14=000000000000493a r15=0000000000000003
iopl=0         nv up ei ng nz na pe nc
cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00010282
rdpdr!CTransportVC::CloseChannels+0x18:
fffff880`09fcee54 488b4148        mov     rax,qword ptr [rcx+48h] ds:002b:00000000`00000048=????????????????
Resetting default scope

DEFAULT_BUCKET_ID:  VISTA_DRIVER_FAULT

BUGCHECK_STR:  0x3B

PROCESS_NAME:  svchost.exe

CURRENT_IRQL:  0

LAST_CONTROL_TRANSFER:  from fffff88009fcbd7b to fffff88009fcee54

STACK_TEXT: 
fffff880`23f79720 fffff880`09fcbd7b : 00000000`00000000 00000000`00000001 00000000`00000000 fffff880`09fcb6d5 : rdpdr!CTransportVC::CloseChannels+0x18
fffff880`23f79760 fffff880`09fcb5c9 : 00000000`00000000 fffffa80`20c0ef50 00000000`00000000 00000000`0000493a : rdpdr!CVCSession::Disconnect+0x7b
fffff880`23f797b0 fffff880`09fcb43b : 00000000`00000000 fffff880`23f79880 fffffa80`3388c0b0 fffffa80`20c0ef50 : rdpdr!CDynVC::NotifySessionDisconnected+0x71
fffff880`23f797e0 fffff880`09fcd0fc : 00000000`00003020 fffffa80`20c04870 00000000`0233e280 fffffa80`4e814cc8 : rdpdr!CDynVC::NotifySessionConnected+0x47
fffff880`23f79830 fffff880`09fcb020 : 00000000`00003924 fffff8a0`09e10afe fffffa80`23297860 fffff880`23f79920 : rdpdr!CFileVC::DeviceIoControl+0x15c
fffff880`23f79910 fffff880`09fbaa19 : fffffa80`23297860 fffff8a0`09e10af0 00000000`00000000 fffffa80`19ae84b0 : rdpdr!DYNVC_Dispatch+0x70
fffff880`23f79940 fffff800`029832ca : 00000000`00000002 00000000`00000002 fffffa80`24c06110 fffffa80`23297860 : rdpdr!DrPeekDispatch+0x61
fffff880`23f79990 fffff800`0299756a : fffffa80`24c06110 fffffa80`24c06110 fffffa80`24c06110 fffff880`03516180 : nt!IopSynchronousServiceTail+0xfa
fffff880`23f79a00 fffff800`02997606 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!IopXxxControlFile+0xc27
fffff880`23f79b40 fffff800`026726d3 : 00000000`00000018 00000000`0233ea50 00000000`0233e770 00000000`01e0fc40 : nt!NtDeviceIoControlFile+0x56
fffff880`23f79bb0 00000000`777abdaa : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13
00000000`0233e0f8 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x777abdaa

FOLLOWUP_IP:
rdpdr!CTransportVC::CloseChannels+18
fffff880`09fcee54 488b4148        mov     rax,qword ptr [rcx+48h]

SYMBOL_STACK_INDEX:  0

SYMBOL_NAME:  rdpdr!CTransportVC::CloseChannels+18

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: rdpdr

IMAGE_NAME:  rdpdr.sys

DEBUG_FLR_IMAGE_TIMESTAMP:  4ce7abc1

STACK_COMMAND:  .cxr 0xfffff88023f78d40 ; kb

FAILURE_BUCKET_ID:  X64_0x3B_rdpdr!CTransportVC::CloseChannels+18

BUCKET_ID:  X64_0x3B_rdpdr!CTransportVC::CloseChannels+18

Followup: MachineOwner
---------

Answer 1

0x0000003B 错误表示一个从没有权限的代码传送至有权限的代码时遇到了例外的错误，一般是软件兼容性问题引起页面库占用过多，或者用户模式的显示驱动传送了不正确的代码。

因为涉及到 RDPDR.SYS，请问你的问题是不是只在使用 RDP 远程桌面的时候出现呢？

---

Alexis Zhang

http://mvp.microsoft.com/zh-cn/mvp/Jie%20Zhang-4000545
http://blogs.itecn.net/blogs/alexis

推荐以 NNTP Bridge 桥接新闻组方式访问论坛。

本帖是回复帖，原帖作者是楼上的 <Mier06>；原帖链接：

| BugCheck 3B, {c0000005, fffff88009fcee54, fffff88023f78d40, 0}
| Probably caused by : rdpdr.sys ( rdpdr!CTransportVC::CloseChannels+18 )