http://mikemstech.blogspot.com/2011/11/windows-crash-dump-analysis.html
I went on a quest to see if I could find a way to reproduce bug check 0xc0000135 STATUS_DLL_NOT_FOUND, and I met a couple of interesting bug checks along the way. The first is 0x0000006B PROCESS1_INITIALIZATION_FAILED. This is a pretty rare bug check on the Windows platform (Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, and Windows 8); I've never seen it appear in the forums, and the Google keyword tool indicates that it is not searched for very often.
This bug check is caused by a missing system file (in my case, I deleted ntdll.dll with a LiveCD). Analysis of the dump yields only one piece of information: a DLL was not loaded during the kernel's call to PsLocateSystemDlls. Parameter 1 lists the exception code (I show it here with more information):
# for hex 0xc0000034 / decimal -1073741772 :
  STATUS_OBJECT_NAME_NOT_FOUND    ntstatus.h
# Object Name not found.
# 1 matches found for "c0000034"
From the minidump it is impossible to tell what was missing:
kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

PROCESS1_INITIALIZATION_FAILED (6b)
Arguments:
Arg1: ffffffffc0000034, Indicates the NT status code that caused the failure.
Arg2: 0000000000000002, (reserved)
Arg3: 0000000000000000
Arg4: 0000000000000000

Debugging Details:
------------------

CUSTOMER_CRASH_COUNT: 1
DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT
BUGCHECK_STR: 0x6B
PROCESS_NAME: System
CURRENT_IRQL: 0
LAST_CONTROL_TRANSFER: from fffff80002ac231d to fffff8000267df00

STACK_TEXT:
... : nt!KeBugCheckEx
... : nt!PsLocateSystemDlls+0xbd
... : nt!IoInitSystem+0x85d
... : nt!Phase1InitializationDiscard+0x1290
... : nt!Phase1Initialization+0x9
... : nt!PspSystemThreadStartup+0x5a
... : nt!KxStartSystemThread+0x16

STACK_COMMAND: kb

FOLLOWUP_IP:
nt!PsLocateSystemDlls+bd
fffff800`02ac231d cc int 3

SYMBOL_STACK_INDEX: 1
SYMBOL_NAME: nt!PsLocateSystemDlls+bd
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: nt
IMAGE_NAME: ntkrnlmp.exe
DEBUG_FLR_IMAGE_TIMESTAMP: 4a5bc600
FAILURE_BUCKET_ID: X64_0x6B_nt!PsLocateSystemDlls+bd
BUCKET_ID: X64_0x6B_nt!PsLocateSystemDlls+bd

Followup: MachineOwner
---------
The fix was easy; running Startup Repair fixed the problem fairly immediately:
Startup Repair diagnosis and repair log
---------------------------
Last successful boot time: 12/30/2011 9:24:54 PM (GMT)
Number of repair attempts: 1

Session details
---------------------------
System Disk = \Device\Harddisk0
Windows directory = D:\Windows
AutoChk Run = 0
Number of root causes = 1

Test Performed:
---------------------------
Name: Check for updates
Result: Completed successfully. Error code = 0x0
Time taken = 0 ms

Test Performed:
---------------------------
Name: System disk test
Result: Completed successfully. Error code = 0x0
Time taken = 0 ms

Test Performed:
---------------------------
Name: Disk failure diagnosis
Result: Completed successfully. Error code = 0x0
Time taken = 0 ms

Test Performed:
---------------------------
Name: Disk metadata test
Result: Completed successfully. Error code = 0x0
Time taken = 47 ms

Test Performed:
---------------------------
Name: Target OS test
Result: Completed successfully. Error code = 0x0
Time taken = 31 ms

Test Performed:
---------------------------
Name: Volume content check
Result: Completed successfully. Error code = 0x0
Time taken = 188 ms

Test Performed:
---------------------------
Name: Boot manager diagnosis
Result: Completed successfully. Error code = 0x0
Time taken = 62 ms

Test Performed:
---------------------------
Name: System boot log diagnosis
Result: Completed successfully. Error code = 0x0
Time taken = 0 ms

Test Performed:
---------------------------
Name: Event log diagnosis
Result: Completed successfully. Error code = 0x0
Time taken = 94 ms

Test Performed:
---------------------------
Name: Internal state check
Result: Completed successfully. Error code = 0x0
Time taken = 0 ms

Test Performed:
---------------------------
Name: Boot status test
Result: Completed successfully. Error code = 0x0
Time taken = 0 ms

Test Performed:
---------------------------
Name: Setup state check
Result: Completed successfully. Error code = 0x0
Time taken = 453 ms

Test Performed:
---------------------------
Name: Registry hives test
Result: Completed successfully. Error code = 0x0
Time taken = 3453 ms

Test Performed:
---------------------------
Name: Windows boot log diagnosis
Result: Completed successfully. Error code = 0x0
Time taken = 16 ms

Test Performed:
---------------------------
Name: Bugcheck analysis
Result: Completed successfully. Error code = 0x0
Time taken = 828 ms

Root cause found:
---------------------------
Bugcheck 6b. Parameters = 0xffffffffc0000034, 0x2, 0x0, 0x0.
Boot critical file d:\windows\system32\ntdll.dll is missing.

Repair action: File repair
Result: Completed successfully. Error code = 0x0
Time taken = 6469 ms

---------------------------
---------------------------
For other cases, it may be necessary to perform further analysis as to why the file disappeared (possibly due to memory or hard drive issues). For most cases, running startup repair or an offline integrity verification should be enough to restore the file and get the system running again.
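The minidump gives only the status code and the Startup Repair log gives the file name, so triage means joining the two. The following Python sketch is an added example, not part of the original post: it decodes Arg1 as an NTSTATUS, checks that the repair log describes the same bug check, and returns the missing file. The function names are hypothetical and the sample text is constructed, abridged from the two outputs shown above.

```python
import re

# Constructed sample input, abridged from the two outputs shown in this post.
ANALYZE = """\
PROCESS1_INITIALIZATION_FAILED (6b)
Arguments:
Arg1: ffffffffc0000034, Indicates the NT status code that caused the failure.
Arg2: 0000000000000002, (reserved)
Arg3: 0000000000000000
Arg4: 0000000000000000
"""
SRT_LOG = """\
Bugcheck 6b. Parameters = 0xffffffffc0000034, 0x2, 0x0, 0x0.
Boot critical file d:\\windows\\system32\\ntdll.dll is missing.
"""
# Only the two status values named in this post; extend from ntstatus.h.
NTSTATUS_NAMES = {0xC0000034: "STATUS_OBJECT_NAME_NOT_FOUND",
                  0xC0000135: "STATUS_DLL_NOT_FOUND"}
SEVERITY = ("SUCCESS", "INFORMATIONAL", "WARNING", "ERROR")

def decode_ntstatus(value):
    """Drop the 64-bit sign extension and split the NTSTATUS bit fields."""
    v = value & 0xFFFFFFFF
    return {"name": NTSTATUS_NAMES.get(v, "UNKNOWN"),
            "signed": v - (1 << 32) if v & 0x80000000 else v,
            "severity": SEVERITY[v >> 30],       # bits 31-30
            "facility": (v >> 16) & 0x0FFF,      # bits 27-16
            "code": v & 0xFFFF}                  # bits 15-0

def parse_analyze(text):
    """Return (bug check code, [Arg1..Arg4]) from !analyze -v output."""
    code = re.search(r"^\w+ \(([0-9a-fA-F]+)\)$", text, re.M).group(1)
    args = re.findall(r"^Arg\d: ([0-9a-fA-F]+)", text, re.M)
    return int(code, 16), [int(a, 16) for a in args]

def parse_srt_root_cause(text):
    """Return (bug check code, parameters, missing file) from the repair log."""
    m = re.search(r"Bugcheck ([0-9a-fA-F]+)\. Parameters = (.+?)\.\s*$", text, re.M)
    f = re.search(r"Boot critical file (.+?) is missing", text)
    params = [int(p, 16) for p in m.group(2).split(",")]
    return int(m.group(1), 16), params, f.group(1) if f else None

def correlate(analyze_text, srt_text):
    """Check both artifacts describe the same crash; name status and file."""
    code, args = parse_analyze(analyze_text)
    srt_code, srt_params, missing = parse_srt_root_cause(srt_text)
    if (code, args) != (srt_code, srt_params):
        raise ValueError("dump and repair log describe different bug checks")
    return {"bugcheck": code, "status": decode_ntstatus(args[0]), "missing_file": missing}
```

Calling `correlate(ANALYZE, SRT_LOG)` on the sample yields bug check 0x6b with status STATUS_OBJECT_NAME_NOT_FOUND and the ntdll.dll path from the repair log.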
See Also,
Windows Crash Dump Analysis