The following event log entry was recorded on a Windows Server.
```
Log Name: System
Source: Microsoft-Windows-WER-SystemErrorReporting
Date: 2015-10-16T20:39:45.000
Event ID: 1001
Level: エラー
User: N/A
User Name: N/A
Computer: SERVER
Description:
このコンピューターはバグチェック後、再起動されました。バグチェック: 0x00000050 (0xfffffa800fbd84c0, 0x0000000000000001, 0xfffff8800a6c5057, 0x0000000000000000)。ダンプの保存先: C:\Windows\MEMORY.DMP。レポート ID: 111615-38328-01。
```
Let's analyze C:\Windows\MEMORY.DMP with Debugging Tools for Windows (windbg.exe).
Download the WDK and WinDbg
https://msdn.microsoft.com/ja-jp/windows/hardware/hh852365
Click !analyze -v to see the details.
```
Loading User Symbols
Loading unloaded module list
..................................................
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 50, {fffffa800fbd84c0, 1, fffff8800a6c5057, 0}

*** ERROR: Module load completed but symbols could not be loaded for iqvw64e.sys
Probably caused by : iqvw64e.sys ( iqvw64e+1057 )

Followup: MachineOwner
---------

kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced.  This cannot be protected by try-except,
it must be protected by a Probe.  Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: fffffa800fbd84c0, memory referenced.
Arg2: 0000000000000001, value 0 = read operation, 1 = write operation.
Arg3: fffff8800a6c5057, If non-zero, the instruction address which referenced the bad memory
	address.
Arg4: 0000000000000000, (reserved)

Debugging Details:
------------------

OVERLAPPED_MODULE: Address regions for 'iqvw64e' and 'iqvw64e.sys' overlap

WRITE_ADDRESS:  fffffa800fbd84c0 Nonpaged pool

FAULTING_IP:
iqvw64e+1057
fffff880`0a6c5057 48c7431000000000 mov     qword ptr [rbx+10h],0

MM_INTERNAL_CODE:  0

IMAGE_NAME:  iqvw64e.sys

DEBUG_FLR_IMAGE_TIMESTAMP:  4fcf7f7e

MODULE_NAME: iqvw64e

FAULTING_MODULE: fffff8800a6c4000 iqvw64e

DEFAULT_BUCKET_ID:  WIN8_DRIVER_FAULT

BUGCHECK_STR:  AV

PROCESS_NAME:  System

CURRENT_IRQL:  0

TRAP_FRAME:  fffff88004924970 -- (.trap 0xfffff88004924970)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=0000000000000000 rbx=0000000000000000 rcx=fffff8800a6c8710
rdx=000000800481b200 rsi=0000000000000000 rdi=0000000000000000
rip=fffff8800a6c5057 rsp=fffff88004924b00 rbp=fffff800031bc4d8
 r8=0000000000008802  r9=00000000ffffffff r10=fffff800031682d8
r11=fffff88004924aa0 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei ng nz na po nc
iqvw64e+0x1057:
fffff880`0a6c5057 48c7431000000000 mov     qword ptr [rbx+10h],0 ds:00000000`00000010=????????????????
Resetting default scope

LAST_CONTROL_TRANSFER:  from fffff80002f2b3f1 to fffff80002e6a440

STACK_TEXT:
fffff880`04924788 fffff800`02f2b3f1 : 00000000`00000050 fffffa80`0fbd84c0 00000000`00000001 fffff880`04924970 : nt!KeBugCheckEx
fffff880`04924790 fffff800`02ea4acb : 00000000`00000001 fffffa80`0fbd84c0 fffffa80`04ac6900 00000000`00000001 : nt! ?? ::FNODOBFM::`string'+0x33c2b
fffff880`04924830 fffff800`02e67eee : 00000000`00000001 fffffa80`0fbd84b0 fffffa80`0fbd8300 fffff880`04924970 : nt!MmAccessFault+0x55b
fffff880`04924970 fffff880`0a6c5057 : fffffa80`0fbd84b0 fffff800`031bc4d8 fffff880`08abf680 fffff880`08abf680 : nt!KiPageFault+0x16e
fffff880`04924b00 fffff800`033ef506 : fffff800`0358abb8 fffff800`03096000 fffff800`0359eda0 fffff800`02e73cbc : iqvw64e+0x1057
fffff880`04924b40 fffff800`02ea82b1 : fffff800`03096110 fffffa80`04ac6900 fffffa80`04ac6900 fffff800`02e73c00 : nt! ?? ::NNGAKEGL::`string'+0x16a3a
fffff880`04924b80 fffff800`02e3d045 : 00000000`00000000 00000000`00000080 fffff800`02ea8170 fffffa80`04ac6900 : nt!ExpWorkerThread+0x142
fffff880`04924c10 fffff800`02ef1766 : fffff880`009c7180 fffffa80`04ac6900 fffff880`009d2e40 fffffa80`04abf700 : nt!PspSystemThreadStartup+0x59
fffff880`04924c60 00000000`00000000 : fffff880`04925000 fffff880`0491f000 00000000`00000000 00000000`00000000 : nt!KiStartSystemThread+0x16

STACK_COMMAND:  kb

FOLLOWUP_IP:
iqvw64e+1057
fffff880`0a6c5057 48c7431000000000 mov     qword ptr [rbx+10h],0

SYMBOL_STACK_INDEX:  4

SYMBOL_NAME:  iqvw64e+1057

FOLLOWUP_NAME:  MachineOwner

FAILURE_BUCKET_ID:  AV_VRF_iqvw64e+1057

BUCKET_ID:  AV_VRF_iqvw64e+1057

Followup: MachineOwner
---------
```
The cause appears to be iqvw64e.sys. When I checked the server, the only matching file present was C:\Windows\System32\Drivers\iqvw64e.sys.
Looking up 0x00000050 on the following site gives:
Bug Check Code (WinDbg : 10.0.10075.9)
http://www.geocities.jp/timstjp/WinDbg-BugCheckCode.htm
Bug Check 0x50: PAGE_FAULT_IN_NONPAGED_AREA
http://www.geocities.jp/timstjp/WinDbg-BugCheckCode.htm#50
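・Caused by faulty hardware
・Caused by a faulty system service
・Caused by antivirus software on a corrupted NTFS system
Among the possible causes listed above, it appears that iqvw64e.sys malfunctioned and forced the restart.
Either way, this kind of failure is troublesome because each possibility has to be investigated one by one.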
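To make that one-by-one triage repeatable, the following added example (not part of the original post) extracts the fields worth recording from saved `!analyze -v` text: the access type, the faulting offset inside the driver image, and the driver's build date decoded from `DEBUG_FLR_IMAGE_TIMESTAMP`. The function names and the `SAMPLE` excerpt are assumptions made for this example; the values in the excerpt are copied from the output above.

```python
import re
from datetime import datetime, timezone

# Excerpt of the !analyze -v output shown above (values copied from the post).
SAMPLE = """\
PAGE_FAULT_IN_NONPAGED_AREA (50)
Arg1: fffffa800fbd84c0, memory referenced.
Arg2: 0000000000000001, value 0 = read operation, 1 = write operation.
Arg3: fffff8800a6c5057, If non-zero, the instruction address which referenced the bad memory
Arg4: 0000000000000000, (reserved)
IMAGE_NAME:  iqvw64e.sys
DEBUG_FLR_IMAGE_TIMESTAMP:  4fcf7f7e
FAULTING_MODULE: fffff8800a6c4000 iqvw64e
"""

def _field(text, name):
    """Return the first token after 'NAME:' at the start of a line, or None."""
    m = re.search(rf"^{re.escape(name)}:\s*(\S+)", text, re.MULTILINE)
    return m.group(1) if m else None

def triage(text):
    """Summarise a bugcheck from !analyze -v text (hypothetical helper)."""
    head = re.search(r"^(\w+) \(([0-9a-fA-F]+)\)\s*$", text, re.MULTILINE)
    args = [int(v, 16) for v in
            re.findall(r"^Arg\d: ([0-9a-fA-F]+),", text, re.MULTILINE)]
    if not head or len(args) != 4:
        raise ValueError("not a complete !analyze -v bugcheck header")
    out = {"name": head.group(1), "code": int(head.group(2), 16),
           "args": args, "image": _field(text, "IMAGE_NAME")}
    if out["code"] == 0x50:
        # Arg2 meaning as printed by the debugger: 0 = read, 1 = write.
        out["access"] = {0: "read", 1: "write"}.get(args[1], "other")
    base = _field(text, "FAULTING_MODULE")
    if base and args[2]:
        # Offset of the faulting instruction from the module's load address.
        out["offset"] = args[2] - int(base, 16)
    stamp = _field(text, "DEBUG_FLR_IMAGE_TIMESTAMP")
    if stamp:
        # PE header link timestamp: seconds since 1970-01-01 UTC, in hex.
        out["built"] = datetime.fromtimestamp(int(stamp, 16),
                                              timezone.utc).isoformat()
    return out

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

For this dump the decoded build date falls in June 2012, more than three years before the crash, which makes checking for a newer version of the driver a reasonable first step.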