起因
某群友的电脑老是会在打派(APEX)或者狒狒(ff14) 时蓝屏死机,而蓝屏的错误都是惊人的一致,原因都为 DPC_WATCHDOG_VIOLATION,而我从 WinDbg 的自动分析中并没有发现什么有价值的信息(归因到了内核),且每次 Stack 都在 ExpGetPoolTagInfoTarget 方法上。
考虑到Windows系统内核一般不会出 bug,我将其简单的归类为硬件问题,并考虑了内存(群友为此尝试了单插、交换插和换槽插)和硬盘(后续群友发现事件管理器中报告 Disk 事件源 ID 为 7 的日志,描述信息为 xxx have a bad block),但在群友更换内存、硬盘以及重装系统后仍然出现此现象后,我决定开始深入调查(We need to go deeper! )
DPC 和 DPC Watchdog
那么要调查这么一个玩意,我们应该了解一下 DPC 这玩意是个啥。按照微软官方文档的说法,DPC 的全称是 Deferred Procedure Calls,我把他暂时叫做“延迟过程调用”,看起来就是为了让ISR(Interrupt Service Routines,中断服务程序,由驱动进行注册)执行某些耗时任务而生的系统级支持,因为在 ISR 里面的处理必须快速完成。
看到这里,你是不是有一种熟悉的感觉?如果你使用过某些事件系统和任务调度系统的话,我们可以将 ISR 当作事件处理器(EventHandler),中断当作事件(Event),DPC 当作某个延时执行的耗时代码,那么根据自己曾经的代码经验,我们就可以大致知道这是一个驱动层面上的事件系统和调度系统(我是这么理解的,如果有不对的欢迎评论区网友斧正。)
这么理解下来,我们就明白了 DPC 大致是个啥,但是 DPC Watchdog 是干啥的?从微软中对这个 BugCheck 的代码的文档中我们可以了解到,DPC_WATCHDOG_VIOLATION 有两种发生可能:
- 单个 DPC 运行超时,超出了本来规定好的时间。
- 在 DISPATCH_LEVEL 等级以上的 IRQL(Interrupt ReQuest Level,中断请求等级,可理解为内核中的任务执行优先级)运行时间过长,导致没有时间执行 DPC。
那么答案就很显而易见了,它的存在是为了确保各个 DPC 的正常运行,确保系统良好运转,当发生上述情况时直接给你吃一个蓝屏套餐来避免系统处于不可预见的状态(虽然我觉得打游戏时给你这玩意并不那么好吃)。
实践分析
那么理论做足了,接下来就是实战了!在询问之后,我拿到了群友的一堆 dump,通过 WinDbg 打开它们(当然这需要一个和微软符号服务器直接比较良好的网络,你要通过下载尽可能的 PDB 文件来将 Stack 从文件偏移转换为对应的函数命名,以帮助分析Dump),并运行 !analyze -v 命令,得到了下述输出:
Mini Kernel Dump File: Only registers and stack trace are available
************* Path validation summary **************
Response Time (ms) Location
Deferred srv*
Symbol search path is: srv*
Executable search path is:
Windows 10 Kernel Version 19041 MP (12 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Machine Name:
Kernel base = 0xfffff802`18200000 PsLoadedModuleList = 0xfffff802`18e2a230
Debug session time: Wed Aug 3 01:19:47.063 2022 (UTC + 8:00)
System Uptime: 0 days 0:38:37.734
Loading Kernel Symbols
..
Press ctrl-c (cdb, kd, ntsd) or ctrl-break (windbg) to abort symbol loads that take too long.
Run !sym noisy before .reload to track down problems loading symbols.
.............................................................
................................................................
................................................................
.....................
Loading User Symbols
Loading unloaded module list
............
For analysis of this file, run !analyze -v
nt!KeBugCheckEx:
fffff802`185f8590 48894c2408 mov qword ptr [rsp+8],rcx ss:0018:ffffbe80`a776de20=0000000000000133
10: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
DPC_WATCHDOG_VIOLATION (133)
The DPC watchdog detected a prolonged run time at an IRQL of DISPATCH_LEVEL
or above.
Arguments:
Arg1: 0000000000000000, A single DPC or ISR exceeded its time allotment. The offending component can usually be identified with a stack trace.
Arg2: 0000000000000501, The DPC time count (in ticks).
Arg3: 0000000000000500, The DPC time allotment (in ticks).
Arg4: fffff80218efb320, cast to nt!DPC_WATCHDOG_GLOBAL_TRIAGE_BLOCK, which contains
additional information regarding this single DPC timeout
Debugging Details:
------------------
*************************************************************************
*** ***
*** ***
*** Either you specified an unqualified symbol, or your debugger ***
*** doesn't have full symbol information. Unqualified symbol ***
*** resolution is turned off by default. Please either specify a ***
*** fully qualified symbol module!symbolname, or enable resolution ***
*** of unqualified symbols by typing ".symopt- 100". Note that ***
*** enabling unqualified symbol resolution with network symbol ***
*** server shares in the symbol path may cause the debugger to ***
*** appear to hang for long periods of time when an incorrect ***
*** symbol name is typed or the network symbol server is down. ***
*** ***
*** For some commands to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: TickPeriods ***
*** ***
*************************************************************************
KEY_VALUES_STRING: 1
Key : Analysis.CPU.mSec
Value: 2686
Key : Analysis.DebugAnalysisManager
Value: Create
Key : Analysis.Elapsed.mSec
Value: 2748
Key : Analysis.Init.CPU.mSec
Value: 640
Key : Analysis.Init.Elapsed.mSec
Value: 17740
Key : Analysis.Memory.CommitPeak.Mb
Value: 92
Key : Bugcheck.Code.DumpHeader
Value: 0x133
Key : Bugcheck.Code.Register
Value: 0x133
Key : Dump.Attributes.AsUlong
Value: 8
Key : Dump.Attributes.KernelGeneratedTriageDump
Value: 1
FILE_IN_CAB: 080322-35484-01.dmp
DUMP_FILE_ATTRIBUTES: 0x8
Kernel Generated Triage Dump
BUGCHECK_CODE: 133
BUGCHECK_P1: 0
BUGCHECK_P2: 501
BUGCHECK_P3: 500
BUGCHECK_P4: fffff80218efb320
DPC_TIMEOUT_TYPE: SINGLE_DPC_TIMEOUT_EXCEEDED
BLACKBOXBSD: 1 (!blackboxbsd)
BLACKBOXNTFS: 1 (!blackboxntfs)
BLACKBOXPNP: 1 (!blackboxpnp)
BLACKBOXWINLOGON: 1
CUSTOMER_CRASH_COUNT: 1
PROCESS_NAME: System
STACK_TEXT:
ffffbe80`a776de18 fffff802`1864d1da: 00000000`00000133 00000000`00000000 00000000`00000501 00000000`00000500: nt!KeBugCheckEx
ffffbe80`a776de20 fffff802`184aa263: 000007d8`2be59bce ffffbe80`a7754180 00000000`00000000 ffffbe80`a7754180: nt!KeAccumulateTicks+0x1a071a
ffffbe80`a776de80 fffff802`184a9d4a: ffffa804`04b093e0 ffffbc03`07ebf6b0 fffff802`2560d800 00000000`00006202: nt!KeClockInterruptNotify+0x453
ffffbe80`a776df30 fffff802`18464785: ffffa804`04b093e0 ffffbe80`a776df40 00000000`00000010 ffff253d`85c0c2b4: nt!HalpTimerClockIpiRoutine+0x1a
ffffbe80`a776df60 fffff802`185fa03a: ffffbc03`07ebf6b0 ffffa804`04b093e0 000007c6`efaf3b0d 00000000`00000000: nt!KiCallInterruptServiceRoutine+0xa5
ffffbe80`a776dfb0 fffff802`185fa5a7: 00000000`00000000 00001f80`005f02b4 00000000`4ba78dc2 ffffbc03`07ebf828: nt!KiInterruptSubDispatchNoLockNoEtw+0xfa
ffffbc03`07ebf630 fffff802`1844493b: 00000000`80000000 fffff802`18526f29 00000000`00010001 00000000`00000000: nt!KiInterruptDispatchNoLockNoEtw+0x37
ffffbc03`07ebf7c0 fffff802`18526f29: 00000000`00010001 00000000`00000000 00000000`00000000 00000000`00000000: nt!KeYieldProcessorEx+0x1b
ffffbc03`07ebf7d0 fffff802`184ca52e: ffffbe80`a7757240 00000000`4ba8ffa8 00000000`00000004 ffffbe80`a7754180: nt!ExpGetPoolTagInfoTarget+0x149
ffffbc03`07ebf820 fffff802`184c9814: 00000000`00000000 00000000`00000000 00000000`00140001 00000000`00000000: nt!KiExecuteAllDpcs+0x30e
ffffbc03`07ebf990 fffff802`185fc0fe: ffffffff`00000000 ffffbe80`a7754180 ffffbe80`a775f340 ffffa804`17e87080: nt!KiRetireDpcList+0x1f4
ffffbc03`07ebfc20 00000000`00000000: ffffbc03`07ec0000 ffffbc03`07eb9000 00000000`00000000 00000000`00000000: nt!KiIdleLoop+0x9e
SYMBOL_NAME: nt!KeAccumulateTicks+1a071a
MODULE_NAME: nt
IMAGE_NAME: ntkrnlmp.exe
IMAGE_VERSION: 10.0.19041.1826
STACK_COMMAND: .cxr; .ecxr ; kb
BUCKET_ID_FUNC_OFFSET: 1a071a
FAILURE_BUCKET_ID: 0x133_DPC_nt!KeAccumulateTicks
OSPLATFORM_TYPE: x64
OSNAME: Windows 10
FAILURE_ID_HASH: {88dc98ce-f842-4daa-98d0-858621db6b0f}
Followup: MachineOwner
---------
可以看出,WinDbg 自动为我们分析出了原因是第一种,根据官方文档,第一个参数指定了对应的类型,BUGCHECK_P1=0,这里 WinDbg 自动按类型附上了相应的解释和原因,表示大多数情况下可能的罪魁祸首都会在 Stack 下显示,而我们可以看见当前的 Stack 是在 ExpGetPoolTagInfoTarget 的执行下,但是这个是内核方法,显然不是根因,为了知道更多信息,我们运行 !dpcwatchdog 命令:
10: kd> !dpcwatchdog
All durations are in seconds (1 System tick = 0.000000 milliseconds)
Circular Kernel Context Logger history: !logdump 0x2
DPC and ISR stats (total since boot): !intstats /d
DPC and ISR stats (during DPC watchdog period): !intstats /w
--------------------------------------------------
CPU#0
--------------------------------------------------
Failed to read nt!_KPRCB for the processor
--------------------------------------------------
CPU#1
--------------------------------------------------
Failed to read nt!_KPRCB for the processor
--------------------------------------------------
CPU#2
--------------------------------------------------
Failed to read nt!_KPRCB for the processor
--------------------------------------------------
CPU#3
--------------------------------------------------
Failed to read nt!_KPRCB for the processor
--------------------------------------------------
CPU#4
--------------------------------------------------
Failed to read nt!_KPRCB for the processor
--------------------------------------------------
CPU#5
--------------------------------------------------
Failed to read nt!_KPRCB for the processor
--------------------------------------------------
CPU#6
--------------------------------------------------
Failed to read nt!_KPRCB for the processor
--------------------------------------------------
CPU#7
--------------------------------------------------
Failed to read nt!_KPRCB for the processor
--------------------------------------------------
CPU#8
--------------------------------------------------
Failed to read nt!_KPRCB for the processor
--------------------------------------------------
CPU#9
--------------------------------------------------
Failed to read nt!_KPRCB for the processor
--------------------------------------------------
CPU#10
--------------------------------------------------
Current DPC: Unable to read nt!_KDPC.DeferredRoutine
DPC Watchdog Captures Analysis for CPU #10.
DPC Watchdog capture size: 108 stacks.
Number of unique stacks: 5.
Most common function: fffff802185fc0fe nt!KiIdleLoop+0x9E
The captured stacks seem to indicate that only a single DPC or generic function is the culprit.
Try to analyse what other processors were doing at the time of the following reference capture:
CPU #10 DPC Watchdog Reference Stack (#0 of 108) - Profiling started at time since boot: 38 Min 36 Sec 46.88 mSec
# RetAddr Call Site
00 fffff802184a9d4a nt!KeClockInterruptNotify+0x453
01 fffff80218464785 nt!HalpTimerClockIpiRoutine+0x1A
02 fffff802185fa03a nt!KiCallInterruptServiceRoutine+0xA5
03 fffff802185fa5a7 nt!KiInterruptSubDispatchNoLockNoEtw+0xFA
04 fffff8021844493b nt!KiInterruptDispatchNoLockNoEtw+0x37
05 fffff80218526f29 nt!KeYieldProcessorEx+0x1B
06 fffff802184ca52e nt!ExpGetPoolTagInfoTarget+0x149
07 fffff802184c9814 nt!KiExecuteAllDpcs+0x30E
08 fffff802185fc0fe nt!KiRetireDpcList+0x1F4
09 ---------------- nt!KiIdleLoop+0x9E
--------------------------------------------------
CPU#11
--------------------------------------------------
Failed to read nt!_KPRCB for the processor很遗憾,这份 Dump 并不能提供什么有效的信息,WinDbg 提示要分析其他处理器这个时候在干嘛,然而我们并没有得到对应数据,没关系,我们来看看对现在正在执行的 CPU10 的分析:
10: kd> !watchdoganalyze -v 0n10
CPU #10 DPC Watchdog Reference Stack (#0 of 108) - Profiling started at time since boot: 38 Min 36 Sec 46.88 mSec
# RetAddr Call Site
04 fffff8021844493b nt!KiInterruptDispatchNoLockNoEtw+0x37
05 fffff80218526f29 nt!KeYieldProcessorEx+0x1B
06 fffff802184ca52e nt!ExpGetPoolTagInfoTarget+0x149
07 fffff802184c9814 nt!KiExecuteAllDpcs+0x30E
08 fffff802185fc0fe nt!KiRetireDpcList+0x1F4
09 ---------------- nt!KiIdleLoop+0x9E
[Stack 16] Elapsed time since previous stack: 250 mSec; since reference stack: 250 mSec
Exiting function: fffff80218526f17 nt!ExpGetPoolTagInfoTarget+0x137
# RetAddr Call Site
05 fffff80218526f29 nt!KeYieldProcessorEx+0xD
06 fffff802184ca52e nt!ExpGetPoolTagInfoTarget+0x149
[Stack 53] Elapsed time since previous stack: 578 mSec; since reference stack: 828 mSec
Exiting function: fffff80218526f19 nt!ExpGetPoolTagInfoTarget+0x139
# RetAddr Call Site
05 fffff80218526f29 nt!KeYieldProcessorEx+0x1B
06 fffff802184ca52e nt!ExpGetPoolTagInfoTarget+0x149
[Stack 80] Elapsed time since previous stack: 421 mSec; since reference stack: 1250 mSec
Exiting function: fffff80218526f17 nt!ExpGetPoolTagInfoTarget+0x137
# RetAddr Call Site
05 fffff80218526f29 nt!KeYieldProcessorEx+0x1B
06 fffff802184ca52e nt!ExpGetPoolTagInfoTarget+0x149
[Stack 91] Elapsed time since previous stack: 171 mSec; since reference stack: 1421 mSec
Exiting function: fffff80218526f17 nt!ExpGetPoolTagInfoTarget+0x137
# RetAddr Call Site
05 fffff80218526f29 nt!KeYieldProcessorEx+0x1B
06 fffff802184ca52e nt!ExpGetPoolTagInfoTarget+0x149
DPC Watchdog Captures Analysis for CPU #10.
DPC Watchdog capture size: 108 stacks.
Number of unique stacks: 5.
Most common function: fffff802185fc0fe nt!KiIdleLoop+0x9E
The captured stacks seem to indicate that only a single DPC or generic function is the culprit.
Try to analyse what other processors were doing at the time of the following reference capture:
CPU #10 DPC Watchdog Reference Stack (#0 of 108) - Profiling started at time since boot: 38 Min 36 Sec 46.88 mSec
# RetAddr Call Site
00 fffff802184a9d4a nt!KeClockInterruptNotify+0x453
01 fffff80218464785 nt!HalpTimerClockIpiRoutine+0x1A
02 fffff802185fa03a nt!KiCallInterruptServiceRoutine+0xA5
03 fffff802185fa5a7 nt!KiInterruptSubDispatchNoLockNoEtw+0xFA
04 fffff8021844493b nt!KiInterruptDispatchNoLockNoEtw+0x37
05 fffff80218526f29 nt!KeYieldProcessorEx+0x1B
06 fffff802184ca52e nt!ExpGetPoolTagInfoTarget+0x149
07 fffff802184c9814 nt!KiExecuteAllDpcs+0x30E
08 fffff802185fc0fe nt!KiRetireDpcList+0x1F4
09 ---------------- nt!KiIdleLoop+0x9E 可以看出一直在处于 Yield 状态,似乎在等待其他处理器的任务完成,我们换一份 Dump 看看:
11: kd> !dpcwatchdog
All durations are in seconds (1 System tick = 0.000000 milliseconds)
Circular Kernel Context Logger history: !logdump 0x2
DPC and ISR stats (total since boot): !intstats /d
DPC and ISR stats (during DPC watchdog period): !intstats /w
--------------------------------------------------
CPU#0
--------------------------------------------------
Current DPC: No Active DPC
Pending DPCs:
----------------------------------------
CPU Type KDPC Function
Failed to read DPC at 0xffffb58d9b5c46e8
dpcs: no pending DPCs found
--------------------------------------------------
CPU#1
--------------------------------------------------
Current DPC: nt!ExpGetPoolTagInfoTarget (Normal DPC)
Debugger Saved IRQL: 15
Cumulative DPC Time Limit: 0.000 seconds
Current Cumulative DPC Time: 0.000 seconds
Single DPC Time Limit: 0.000 seconds
Current Single DPC Time: 0.000 seconds
dt nt!_ISRDPCSTATS ffffb58d944d04b0
Unable to read nt!_ISRDPCSTATS.IsrActive
DPC Watchdog Captures Analysis for CPU #1.
DPC Watchdog capture size: 108 stacks.
Number of unique stacks: 6.
Most common function: fffff80119bc5024 nt!KiIdleLoop+0x84
List of functions that exist often in the Watchdog record:
Module Name Function Name #Stack #Of Occurrences
nt ExpGetPoolTagInfoTarget 014 5 (of 5)
List of functions that are called often in the Watchdog record:
Module Name Function Name #Stack #Of Occurrences
nt ExpGetPoolTagInfoTarget 015 5 (of 5)
--------------------------------------------------
CPU#2
--------------------------------------------------
Current DPC: nt!ExpGetPoolTagInfoTarget (Normal DPC)
Debugger Saved IRQL: 13
Cumulative DPC Time Limit: 0.000 seconds
Current Cumulative DPC Time: 0.000 seconds
Single DPC Time Limit: 0.000 seconds
Current Single DPC Time: 0.000 seconds
dt nt!_ISRDPCSTATS ffffb58d944d0fb0
Unable to read nt!_ISRDPCSTATS.IsrActive
DPC Watchdog Captures Analysis for CPU #2.
DPC Watchdog capture size: 108 stacks.
Number of unique stacks: 2.
Most common function: fffff80119bc79e0 nt!KiDpcInterrupt+0x2F0
The captured stacks seem to indicate that only a single DPC or generic function is the culprit.
Try to analyse what other processors were doing at the time of the following reference capture:
CPU #2 DPC Watchdog Reference Stack (#0 of 108) - Profiling started at time since boot: 43 Min 25 Sec 515.62 mSec
# RetAddr Call Site
00 fffff801199601e1 nt!KeClockInterruptNotify+0xC07
01 fffff80119a02a25 hal!HalpTimerClockIpiRoutine+0x21
02 fffff80119bc2f7a nt!KiCallInterruptServiceRoutine+0xA5
03 fffff80119bc34e7 nt!KiInterruptSubDispatchNoLockNoEtw+0xFA
04 fffff80119a1ba2f nt!KiInterruptDispatchNoLockNoEtw+0x37
05 fffff80119b07f39 nt!KeYieldProcessorEx+0x1F
06 fffff80119a6ae95 nt!ExpGetPoolTagInfoTarget+0x139
07 fffff80119a6a4ef nt!KiExecuteAllDpcs+0x305
08 fffff80119bc8525 nt!KiRetireDpcList+0x1EF
09 fffff80119bc8310 nt!KxRetireDpcList+0x5
0a fffff80119bc79e0 nt!KiDispatchInterruptContinue
0b ---------------- nt!KiDpcInterrupt+0x2F0
--------------------------------------------------
CPU#3
--------------------------------------------------
Current DPC: nt!ExpGetPoolTagInfoTarget (Normal DPC)
Debugger Saved IRQL: 13
Cumulative DPC Time Limit: 0.000 seconds
Current Cumulative DPC Time: 0.000 seconds
Single DPC Time Limit: 0.000 seconds
Current Single DPC Time: 0.000 seconds
dt nt!_ISRDPCSTATS ffffb58d944d1ab0
Unable to read nt!_ISRDPCSTATS.IsrActive
DPC Watchdog Captures Analysis for CPU #3.
DPC Watchdog capture size: 108 stacks.
Number of unique stacks: 2.
Most common function: fffff80119bc79e0 nt!KiDpcInterrupt+0x2F0
The captured stacks seem to indicate that only a single DPC or generic function is the culprit.
Try to analyse what other processors were doing at the time of the following reference capture:
CPU #3 DPC Watchdog Reference Stack (#0 of 108) - Profiling started at time since boot: 43 Min 25 Sec 515.62 mSec
# RetAddr Call Site
00 fffff801199601e1 nt!KeClockInterruptNotify+0xC07
01 fffff80119a02a25 hal!HalpTimerClockIpiRoutine+0x21
02 fffff80119bc2f7a nt!KiCallInterruptServiceRoutine+0xA5
03 fffff80119bc34e7 nt!KiInterruptSubDispatchNoLockNoEtw+0xFA
04 fffff80119a1ba2f nt!KiInterruptDispatchNoLockNoEtw+0x37
05 fffff80119b07f39 nt!KeYieldProcessorEx+0x1F
06 fffff80119a6ae95 nt!ExpGetPoolTagInfoTarget+0x139
07 fffff80119a6a4ef nt!KiExecuteAllDpcs+0x305
08 fffff80119bc8525 nt!KiRetireDpcList+0x1EF
09 fffff80119bc8310 nt!KxRetireDpcList+0x5
0a fffff80119bc79e0 nt!KiDispatchInterruptContinue
0b ---------------- nt!KiDpcInterrupt+0x2F0
--------------------------------------------------
CPU#4
--------------------------------------------------
Current DPC: nt!ExpGetPoolTagInfoTarget (Normal DPC)
Debugger Saved IRQL: 13
Cumulative DPC Time Limit: 0.000 seconds
Current Cumulative DPC Time: 0.000 seconds
Single DPC Time Limit: 0.000 seconds
Current Single DPC Time: 0.000 seconds
dt nt!_ISRDPCSTATS ffffb58d944d25b0
Unable to read nt!_ISRDPCSTATS.IsrActive
DPC Watchdog Captures Analysis for CPU #4.
DPC Watchdog capture size: 108 stacks.
Number of unique stacks: 6.
Most common function: fffff80119bc79e0 nt!KiDpcInterrupt+0x2F0
List of functions that exist often in the Watchdog record:
Module Name Function Name #Stack #Of Occurrences
nt ExpGetPoolTagInfoTarget 004 5 (of 5)
List of functions that are called often in the Watchdog record:
Module Name Function Name #Stack #Of Occurrences
nt ExpGetPoolTagInfoTarget 005 5 (of 5)
--------------------------------------------------
CPU#5
--------------------------------------------------
Current DPC: nt!ExpGetPoolTagInfoTarget (Normal DPC)
Debugger Saved IRQL: 13
Cumulative DPC Time Limit: 0.000 seconds
Current Cumulative DPC Time: 0.000 seconds
Single DPC Time Limit: 0.000 seconds
Current Single DPC Time: 0.000 seconds
dt nt!_ISRDPCSTATS ffffb58d944d30b0
Unable to read nt!_ISRDPCSTATS.IsrActive
DPC Watchdog Captures Analysis for CPU #5.
DPC Watchdog capture size: 108 stacks.
Number of unique stacks: 4.
Most common function: fffff80119bc5024 nt!KiIdleLoop+0x84
The captured stacks seem to indicate that only a single DPC or generic function is the culprit.
Try to analyse what other processors were doing at the time of the following reference capture:
CPU #5 DPC Watchdog Reference Stack (#0 of 108) - Profiling started at time since boot: 43 Min 25 Sec 515.62 mSec
# RetAddr Call Site
00 fffff801199601e1 nt!KeClockInterruptNotify+0xC07
01 fffff80119a02a25 hal!HalpTimerClockIpiRoutine+0x21
02 fffff80119bc2f7a nt!KiCallInterruptServiceRoutine+0xA5
03 fffff80119bc34e7 nt!KiInterruptSubDispatchNoLockNoEtw+0xFA
04 fffff80119a1ba2f nt!KiInterruptDispatchNoLockNoEtw+0x37
05 fffff80119b07f39 nt!KeYieldProcessorEx+0x1F
06 fffff80119a6ae95 nt!ExpGetPoolTagInfoTarget+0x139
07 fffff80119a6a4ef nt!KiExecuteAllDpcs+0x305
08 fffff80119bc5024 nt!KiRetireDpcList+0x1EF
09 ---------------- nt!KiIdleLoop+0x84
--------------------------------------------------
CPU#6
--------------------------------------------------
Current DPC: nt!ExpGetPoolTagInfoTarget (Normal DPC)
Debugger Saved IRQL: 13
Cumulative DPC Time Limit: 0.000 seconds
Current Cumulative DPC Time: 0.000 seconds
Single DPC Time Limit: 0.000 seconds
Current Single DPC Time: 0.000 seconds
dt nt!_ISRDPCSTATS ffffb58d944d3bb0
Unable to read nt!_ISRDPCSTATS.IsrActive
Unable to load image \??\C:\Program Files (x86)\EasyAntiCheat\EasyAntiCheat.sys, Win32 error 0n2
*** WARNING: Unable to verify timestamp for EasyAntiCheat.sys
DPC Watchdog Captures Analysis for CPU #6.
DPC Watchdog capture size: 108 stacks.
Number of unique stacks: 3.
Most common function: fffff801753f7b11 EasyAntiCheat+0x187B11
The captured stacks seem to indicate that only a single DPC or generic function is the culprit.
Try to analyse what other processors were doing at the time of the following reference capture:
CPU #6 DPC Watchdog Reference Stack (#0 of 108) - Profiling started at time since boot: 43 Min 25 Sec 515.62 mSec
# RetAddr Call Site
00 fffff801199601e1 nt!KeClockInterruptNotify+0xC07
01 fffff80119a02a25 hal!HalpTimerClockIpiRoutine+0x21
02 fffff80119bc2f7a nt!KiCallInterruptServiceRoutine+0xA5
03 fffff80119bc34e7 nt!KiInterruptSubDispatchNoLockNoEtw+0xFA
04 fffff80119a1ba1d nt!KiInterruptDispatchNoLockNoEtw+0x37
05 fffff80119b07f39 nt!KeYieldProcessorEx+0xD
06 fffff80119a6ae95 nt!ExpGetPoolTagInfoTarget+0x139
07 fffff80119a6a4ef nt!KiExecuteAllDpcs+0x305
08 fffff80119bc8525 nt!KiRetireDpcList+0x1EF
09 fffff80119bc8310 nt!KxRetireDpcList+0x5
0a fffff80119bc79e0 nt!KiDispatchInterruptContinue
0b fffff801753f7b11 nt!KiDpcInterrupt+0x2F0
0c ---------------- EasyAntiCheat+0x187B11
--------------------------------------------------
CPU#7
--------------------------------------------------
Current DPC: nt!ExpGetPoolTagInfoTarget (Normal DPC)
Debugger Saved IRQL: 13
Cumulative DPC Time Limit: 0.000 seconds
Current Cumulative DPC Time: 0.000 seconds
Single DPC Time Limit: 0.000 seconds
Current Single DPC Time: 0.000 seconds
dt nt!_ISRDPCSTATS ffffb58d944d46b0
Unable to read nt!_ISRDPCSTATS.IsrActive
DPC Watchdog Captures Analysis for CPU #7.
DPC Watchdog capture size: 108 stacks.
Number of unique stacks: 6.
Most common function: fffff80119bc79e0 nt!KiDpcInterrupt+0x2F0
List of functions that exist often in the Watchdog record:
Module Name Function Name #Stack #Of Occurrences
nt ExpGetPoolTagInfoTarget 010 5 (of 5)
List of functions that are called often in the Watchdog record:
Module Name Function Name #Stack #Of Occurrences
nt ExpGetPoolTagInfoTarget 011 5 (of 5)
--------------------------------------------------
CPU#8
--------------------------------------------------
Current DPC: nt!ExpGetPoolTagInfoTarget (Normal DPC)
Debugger Saved IRQL: 13
Cumulative DPC Time Limit: 0.000 seconds
Current Cumulative DPC Time: 0.000 seconds
Single DPC Time Limit: 0.000 seconds
Current Single DPC Time: 0.000 seconds
dt nt!_ISRDPCSTATS ffffb58d944d52b0
Unable to read nt!_ISRDPCSTATS.IsrActive
Unable to load image \SystemRoot\system32\drivers\artusbaud.sys, Win32 error 0n2
*** WARNING: Unable to verify timestamp for artusbaud.sys
DPC Watchdog Captures Analysis for CPU #8.
DPC Watchdog capture size: 108 stacks.
Number of unique stacks: 3.
Most common function: fffff80119bc8b2a nt!KiStartSystemThread+0x2A
The captured stacks seem to indicate that only a single DPC or generic function is the culprit.
Try to analyse what other processors were doing at the time of the following reference capture:
CPU #8 DPC Watchdog Reference Stack (#0 of 108) - Profiling started at time since boot: 43 Min 25 Sec 515.62 mSec
# RetAddr Call Site
00 fffff8011995e4b7 nt!KeClockInterruptNotify+0x98C
01 fffff80119a02a25 hal!HalpTimerClockInterrupt+0xF7
02 fffff80119bc2f7a nt!KiCallInterruptServiceRoutine+0xA5
03 fffff80119bc34e7 nt!KiInterruptSubDispatchNoLockNoEtw+0xFA
04 fffff80119a1ba2f nt!KiInterruptDispatchNoLockNoEtw+0x37
05 fffff80119b07f39 nt!KeYieldProcessorEx+0x1F
06 fffff80119a6ae95 nt!ExpGetPoolTagInfoTarget+0x139
07 fffff80119a6a4ef nt!KiExecuteAllDpcs+0x305
08 fffff80119bc8525 nt!KiRetireDpcList+0x1EF
09 fffff80119bc8310 nt!KxRetireDpcList+0x5
0a fffff80119bc79e0 nt!KiDispatchInterruptContinue
0b fffff80119a5fa4e nt!KiDpcInterrupt+0x2F0
0c fffff8012a1e29af nt!KzLowerIrql+0x1E
0d fffff8011d9b837f USBXHCI!Isoch_WdfEvtIoQueueReadyNotification+0xAF
0e fffff8011d9a8c3d Wdf01000!FxIoQueue::ProcessReadyNotify+0x8F [minkernel\wdf\framework\shared\irphandlers\io\fxioqueue.cpp @ 4841]
0f fffff8011d9b2a74 Wdf01000!FxIoQueue::DispatchEvents+0x48D [minkernel\wdf\framework\shared\irphandlers\io\fxioqueue.cpp @ 2871]
10 fffff8012a256944 Wdf01000!imp_WdfDeviceWdmDispatchIrpToIoQueue+0x634 [minkernel\wdf\framework\shared\core\km\fxdeviceapikm.cpp @ 494]
11 fffff8012a255b95 ucx01000!UrbHandler_USBPORTStyle_Legacy_IsochTransfer+0x1B4
12 fffff8012a246038 ucx01000!Urb_USBPORTStyle_ProcessURB+0x361
13 fffff8011d9aacad ucx01000!RootHub_Pdo_EvtInternalDeviceControlIrpPreprocessCallback+0x278
14 fffff80119a31f79 Wdf01000!FxDevice::DispatchWithLock+0x1ED [minkernel\wdf\framework\shared\core\fxdevice.cpp @ 1430]
15 fffff8011daf14ad nt!IofCallDriver+0x59
16 fffff8011daf10d7 ACPI!ACPIIrpDispatchDeviceControl+0xAD
17 fffff80119a31f79 ACPI!ACPIDispatchIrp+0xC7
18 fffff8012eb27314 nt!IofCallDriver+0x59
19 fffff8011d9aacad UsbHub3!HUBPDO_EvtDeviceWdmIrpPreprocess+0x11C4
1a fffff80119a31f79 Wdf01000!FxDevice::DispatchWithLock+0x1ED [minkernel\wdf\framework\shared\core\fxdevice.cpp @ 1430]
1b fffff8011daf14ad nt!IofCallDriver+0x59
1c fffff8011daf10d7 ACPI!ACPIIrpDispatchDeviceControl+0xAD
1d fffff80119a31f79 ACPI!ACPIDispatchIrp+0xC7
1e fffff8012ec44f92 nt!IofCallDriver+0x59
1f fffff8012ec450ed artusbaud+0x4F92
20 fffff8012ec45279 artusbaud+0x50ED
21 fffff8012ec474c9 artusbaud+0x5279
22 fffff80119a67c0f artusbaud+0x74C9
23 fffff80119abd095 nt!IopProcessWorkItem+0xFF
24 fffff80119b2a7a5 nt!ExpWorkerThread+0x105
25 fffff80119bc8b2a nt!PspSystemThreadStartup+0x55
26 ---------------- nt!KiStartSystemThread+0x2A
--------------------------------------------------
CPU#9
--------------------------------------------------
Current DPC: nt!ExpGetPoolTagInfoTarget (Normal DPC)
Debugger Saved IRQL: 13
Cumulative DPC Time Limit: 0.000 seconds
Current Cumulative DPC Time: 0.000 seconds
Single DPC Time Limit: 0.000 seconds
Current Single DPC Time: 0.000 seconds
dt nt!_ISRDPCSTATS ffffb58d944d5cb0
Unable to read nt!_ISRDPCSTATS.IsrActive
DPC Watchdog Captures Analysis for CPU #9.
DPC Watchdog capture size: 108 stacks.
Number of unique stacks: 7.
Most common function: fffff80119bc5024 nt!KiIdleLoop+0x84
List of functions that exist often in the Watchdog record:
Module Name Function Name #Stack #Of Occurrences
nt ExpGetPoolTagInfoTarget 012 6 (of 6)
List of functions that are called often in the Watchdog record:
Module Name Function Name #Stack #Of Occurrences
nt ExpGetPoolTagInfoTarget 013 6 (of 6)
--------------------------------------------------
CPU#10
--------------------------------------------------
Current DPC: No Active DPC
Pending DPCs:
----------------------------------------
CPU Type KDPC Function
10: Normal : 0xffff9180157cea20 0xfffff80119b07e00 nt!ExpGetPoolTagInfoTarget
10: Normal : 0xffff9180157cf568 0xfffff80119b26dc0 nt!KiEntropyDpcRoutine
--------------------------------------------------
CPU#11
--------------------------------------------------
Current DPC: nt!ExpGetPoolTagInfoTarget (Normal DPC)
Debugger Saved IRQL: 13
Cumulative DPC Time Limit: 0.000 seconds
Current Cumulative DPC Time: 0.000 seconds
Single DPC Time Limit: 0.000 seconds
Current Single DPC Time: 0.000 seconds
dt nt!_ISRDPCSTATS ffffb58d944d72b0
IsrActive: TRUE
Pending DPCs:
----------------------------------------
CPU Type KDPC Function
dpcs: no pending DPCs found
DPC Watchdog Captures Analysis for CPU #11.
DPC Watchdog capture size: 108 stacks.
Number of unique stacks: 3.
Most common function: fffff80119bc5024 nt!KiIdleLoop+0x84
The captured stacks seem to indicate that only a single DPC or generic function is the culprit.
Try to analyse what other processors were doing at the time of the following reference capture:
CPU #11 DPC Watchdog Reference Stack (#0 of 108) - Profiling started at time since boot: 43 Min 25 Sec 515.62 mSec
# RetAddr Call Site
00 fffff801199601e1 nt!KeClockInterruptNotify+0xC07
01 fffff80119a02a25 hal!HalpTimerClockIpiRoutine+0x21
02 fffff80119bc2f7a nt!KiCallInterruptServiceRoutine+0xA5
03 fffff80119bc34e7 nt!KiInterruptSubDispatchNoLockNoEtw+0xFA
04 fffff80119a1ba2f nt!KiInterruptDispatchNoLockNoEtw+0x37
05 fffff80119b07f39 nt!KeYieldProcessorEx+0x1F
06 fffff80119a6ae95 nt!ExpGetPoolTagInfoTarget+0x139
07 fffff80119a6a4ef nt!KiExecuteAllDpcs+0x305
08 fffff80119bc5024 nt!KiRetireDpcList+0x1EF
09 ---------------- nt!KiIdleLoop+0x84 这份 Dump 给了我们一份完整的报告,可以看到其他拥有待处理 DPC 的 CPU 都在 ExpGetPoolTagInfoTarget 下 Yield 等待,只有CPU 8在勤恳工作,那么答案就差不多呼之欲出了,再找一份有完整报告的 Dump 看看:
10: kd> !dpcwatchdog
All durations are in seconds (1 System tick = 0.000000 milliseconds)
Circular Kernel Context Logger history: !logdump 0x2
DPC and ISR stats (total since boot): !intstats /d
DPC and ISR stats (during DPC watchdog period): !intstats /w
--------------------------------------------------
CPU#0
--------------------------------------------------
Current DPC: No Active DPC
Pending DPCs:
----------------------------------------
CPU Type KDPC Function
Failed to read DPC at 0xffffd28d7a032da8
dpcs: no pending DPCs found
--------------------------------------------------
CPU#1
--------------------------------------------------
Current DPC: nt!ExpGetPoolTagInfoTarget (Normal DPC)
Debugger Saved IRQL: 15
Cumulative DPC Time Limit: 0.000 seconds
Current Cumulative DPC Time: 0.000 seconds
Single DPC Time Limit: 0.000 seconds
Current Single DPC Time: 0.000 seconds
dt nt!_ISRDPCSTATS ffffd28d712d04b0
Unable to read nt!_ISRDPCSTATS.IsrActive
DPC Watchdog Captures Analysis for CPU #1.
DPC Watchdog capture size: 108 stacks.
Number of unique stacks: 4.
Most common function: fffff8067e5c79e0 nt!KiDpcInterrupt+0x2F0
The captured stacks seem to indicate that only a single DPC or generic function is the culprit.
Try to analyse what other processors were doing at the time of the following reference capture:
CPU #1 DPC Watchdog Reference Stack (#0 of 108) - Profiling started at time since boot: 28 Min 28 Sec 734.38 mSec
# RetAddr Call Site
00 fffff8067eeb91e1 nt!KeClockInterruptNotify+0xC07
01 fffff8067e402a25 hal!HalpTimerClockIpiRoutine+0x21
02 fffff8067e5c2f7a nt!KiCallInterruptServiceRoutine+0xA5
03 fffff8067e5c34e7 nt!KiInterruptSubDispatchNoLockNoEtw+0xFA
04 fffff8067e41ba2f nt!KiInterruptDispatchNoLockNoEtw+0x37
05 fffff8067e507f39 nt!KeYieldProcessorEx+0x1F
06 fffff8067e46ae95 nt!ExpGetPoolTagInfoTarget+0x139
07 fffff8067e46a4ef nt!KiExecuteAllDpcs+0x305
08 fffff8067e5c8525 nt!KiRetireDpcList+0x1EF
09 fffff8067e5c8310 nt!KxRetireDpcList+0x5
0a fffff8067e5c79e0 nt!KiDispatchInterruptContinue
0b ---------------- nt!KiDpcInterrupt+0x2F0
--------------------------------------------------
CPU#2
--------------------------------------------------
Current DPC: nt!ExpGetPoolTagInfoTarget (Normal DPC)
Debugger Saved IRQL: 13
Cumulative DPC Time Limit: 0.000 seconds
Current Cumulative DPC Time: 0.000 seconds
Single DPC Time Limit: 0.000 seconds
Current Single DPC Time: 0.000 seconds
dt nt!_ISRDPCSTATS ffffd28d712d0fb0
Unable to read nt!_ISRDPCSTATS.IsrActive
DPC Watchdog Captures Analysis for CPU #2.
DPC Watchdog capture size: 108 stacks.
Number of unique stacks: 6.
Most common function: fffff8067e5c79e0 nt!KiDpcInterrupt+0x2F0
List of functions that exist often in the Watchdog record:
Module Name Function Name #Stack #Of Occurrences
nt ExpGetPoolTagInfoTarget 022 5 (of 5)
List of functions that are called often in the Watchdog record:
Module Name Function Name #Stack #Of Occurrences
nt ExpGetPoolTagInfoTarget 023 5 (of 5)
--------------------------------------------------
CPU#3
--------------------------------------------------
Current DPC: nt!ExpGetPoolTagInfoTarget (Normal DPC)
Debugger Saved IRQL: 13
Cumulative DPC Time Limit: 0.000 seconds
Current Cumulative DPC Time: 0.000 seconds
Single DPC Time Limit: 0.000 seconds
Current Single DPC Time: 0.000 seconds
dt nt!_ISRDPCSTATS ffffd28d712d1ab0
Unable to read nt!_ISRDPCSTATS.IsrActive
Unable to load image \SystemRoot\system32\drivers\artusbaud.sys, Win32 error 0n2
*** WARNING: Unable to verify timestamp for artusbaud.sys
DPC Watchdog Captures Analysis for CPU #3.
DPC Watchdog capture size: 108 stacks.
Number of unique stacks: 2.
Most common function: fffff8067e5c8b2a nt!KiStartSystemThread+0x2A
The captured stacks seem to indicate that only a single DPC or generic function is the culprit.
Try to analyse what other processors were doing at the time of the following reference capture:
CPU #3 DPC Watchdog Reference Stack (#0 of 108) - Profiling started at time since boot: 28 Min 28 Sec 734.38 mSec
# RetAddr Call Site
00 fffff8067eeb91e1 nt!KeClockInterruptNotify+0xC07
01 fffff8067e402a25 hal!HalpTimerClockIpiRoutine+0x21
02 fffff8067e5c2f7a nt!KiCallInterruptServiceRoutine+0xA5
03 fffff8067e5c34e7 nt!KiInterruptSubDispatchNoLockNoEtw+0xFA
04 fffff8067e41ba2f nt!KiInterruptDispatchNoLockNoEtw+0x37
05 fffff8067e507f39 nt!KeYieldProcessorEx+0x1F
06 fffff8067e46ae95 nt!ExpGetPoolTagInfoTarget+0x139
07 fffff8067e46a4ef nt!KiExecuteAllDpcs+0x305
08 fffff8067e5c8525 nt!KiRetireDpcList+0x1EF
09 fffff8067e5c8310 nt!KxRetireDpcList+0x5
0a fffff8067e5c79e0 nt!KiDispatchInterruptContinue
0b fffff8067e45fa4e nt!KiDpcInterrupt+0x2F0
0c fffff8068ee129af nt!KzLowerIrql+0x1E
0d fffff8068253837f USBXHCI!Isoch_WdfEvtIoQueueReadyNotification+0xAF
0e fffff80682528c3d Wdf01000!FxIoQueue::ProcessReadyNotify+0x8F [minkernel\wdf\framework\shared\irphandlers\io\fxioqueue.cpp @ 4841]
0f fffff80682532a74 Wdf01000!FxIoQueue::DispatchEvents+0x48D [minkernel\wdf\framework\shared\irphandlers\io\fxioqueue.cpp @ 2871]
10 fffff8068ee86944 Wdf01000!imp_WdfDeviceWdmDispatchIrpToIoQueue+0x634 [minkernel\wdf\framework\shared\core\km\fxdeviceapikm.cpp @ 494]
11 fffff8068ee85b95 ucx01000!UrbHandler_USBPORTStyle_Legacy_IsochTransfer+0x1B4
12 fffff8068ee76038 ucx01000!Urb_USBPORTStyle_ProcessURB+0x361
13 fffff8068252acad ucx01000!RootHub_Pdo_EvtInternalDeviceControlIrpPreprocessCallback+0x278
14 fffff8067e431f79 Wdf01000!FxDevice::DispatchWithLock+0x1ED [minkernel\wdf\framework\shared\core\fxdevice.cpp @ 1430]
15 fffff806826f14ad nt!IofCallDriver+0x59
16 fffff806826f10d7 ACPI!ACPIIrpDispatchDeviceControl+0xAD
17 fffff8067e431f79 ACPI!ACPIDispatchIrp+0xC7
18 fffff80693aa7314 nt!IofCallDriver+0x59
19 fffff8068252acad UsbHub3!HUBPDO_EvtDeviceWdmIrpPreprocess+0x11C4
1a fffff8067e431f79 Wdf01000!FxDevice::DispatchWithLock+0x1ED [minkernel\wdf\framework\shared\core\fxdevice.cpp @ 1430]
1b fffff806826f14ad nt!IofCallDriver+0x59
1c fffff806826f10d7 ACPI!ACPIIrpDispatchDeviceControl+0xAD
1d fffff8067e431f79 ACPI!ACPIDispatchIrp+0xC7
1e fffff80693bc4f92 nt!IofCallDriver+0x59
1f fffff80693bc50ed artusbaud+0x4F92
20 fffff80693bc5279 artusbaud+0x50ED
21 fffff80693bc74c9 artusbaud+0x5279
22 fffff8067e467c0f artusbaud+0x74C9
23 fffff8067e4bd095 nt!IopProcessWorkItem+0xFF
24 fffff8067e52a7a5 nt!ExpWorkerThread+0x105
25 fffff8067e5c8b2a nt!PspSystemThreadStartup+0x55
26 ---------------- nt!KiStartSystemThread+0x2A
--------------------------------------------------
CPU#4
--------------------------------------------------
Current DPC: nt!ExpGetPoolTagInfoTarget (Normal DPC)
Debugger Saved IRQL: 13
Cumulative DPC Time Limit: 0.000 seconds
Current Cumulative DPC Time: 0.000 seconds
Single DPC Time Limit: 0.000 seconds
Current Single DPC Time: 0.000 seconds
dt nt!_ISRDPCSTATS ffffd28d712d25b0
Unable to read nt!_ISRDPCSTATS.IsrActive
DPC Watchdog Captures Analysis for CPU #4.
DPC Watchdog capture size: 108 stacks.
Number of unique stacks: 1.
No common functions detected!
The captured stacks seem to indicate that only a single DPC or generic function is the culprit.
Try to analyse what other processors were doing at the time of the following reference capture:
CPU #4 DPC Watchdog Reference Stack (#0 of 108) - Profiling started at time since boot: 28 Min 28 Sec 734.38 mSec
# RetAddr Call Site
00 fffff8067eeb91e1 nt!KeClockInterruptNotify+0xC07
01 fffff8067e402a25 hal!HalpTimerClockIpiRoutine+0x21
02 fffff8067e5c2f7a nt!KiCallInterruptServiceRoutine+0xA5
03 fffff8067e5c34e7 nt!KiInterruptSubDispatchNoLockNoEtw+0xFA
04 fffff8067e41ba2f nt!KiInterruptDispatchNoLockNoEtw+0x37
05 fffff8067e507f39 nt!KeYieldProcessorEx+0x1F
06 fffff8067e46ae95 nt!ExpGetPoolTagInfoTarget+0x139
07 fffff8067e46a4ef nt!KiExecuteAllDpcs+0x305
08 fffff8067e5c5024 nt!KiRetireDpcList+0x1EF
09 ---------------- nt!KiIdleLoop+0x84
--------------------------------------------------
CPU#5
--------------------------------------------------
Current DPC: nt!ExpGetPoolTagInfoTarget (Normal DPC)
Debugger Saved IRQL: 13
Cumulative DPC Time Limit: 0.000 seconds
Current Cumulative DPC Time: 0.000 seconds
Single DPC Time Limit: 0.000 seconds
Current Single DPC Time: 0.000 seconds
dt nt!_ISRDPCSTATS ffffd28d712d30b0
Unable to read nt!_ISRDPCSTATS.IsrActive
DPC Watchdog Captures Analysis for CPU #5.
DPC Watchdog capture size: 108 stacks.
Number of unique stacks: 2.
Most common function: fffff8067e5c79e0 nt!KiDpcInterrupt+0x2F0
The captured stacks seem to indicate that only a single DPC or generic function is the culprit.
Try to analyse what other processors were doing at the time of the following reference capture:
CPU #5 DPC Watchdog Reference Stack (#0 of 108) - Profiling started at time since boot: 28 Min 28 Sec 734.38 mSec
# RetAddr Call Site
00 fffff8067eeb91e1 nt!KeClockInterruptNotify+0xC07
01 fffff8067e402a25 hal!HalpTimerClockIpiRoutine+0x21
02 fffff8067e5c2f7a nt!KiCallInterruptServiceRoutine+0xA5
03 fffff8067e5c34e7 nt!KiInterruptSubDispatchNoLockNoEtw+0xFA
04 fffff8067e41ba2f nt!KiInterruptDispatchNoLockNoEtw+0x37
05 fffff8067e507f39 nt!KeYieldProcessorEx+0x1F
06 fffff8067e46ae95 nt!ExpGetPoolTagInfoTarget+0x139
07 fffff8067e46a4ef nt!KiExecuteAllDpcs+0x305
08 fffff8067e5c8525 nt!KiRetireDpcList+0x1EF
09 fffff8067e5c8310 nt!KxRetireDpcList+0x5
0a fffff8067e5c79e0 nt!KiDispatchInterruptContinue
0b ---------------- nt!KiDpcInterrupt+0x2F0
--------------------------------------------------
CPU#6
--------------------------------------------------
Current DPC: nt!ExpGetPoolTagInfoTarget (Normal DPC)
Debugger Saved IRQL: 13
Cumulative DPC Time Limit: 0.000 seconds
Current Cumulative DPC Time: 0.000 seconds
Single DPC Time Limit: 0.000 seconds
Current Single DPC Time: 0.000 seconds
dt nt!_ISRDPCSTATS ffffd28d712d3bb0
Unable to read nt!_ISRDPCSTATS.IsrActive
DPC Watchdog Captures Analysis for CPU #6.
DPC Watchdog capture size: 108 stacks.
Number of unique stacks: 6.
Most common function: fffff8067e5c5024 nt!KiIdleLoop+0x84
List of functions that exist often in the Watchdog record:
Module Name Function Name #Stack #Of Occurrences
nt ExpGetPoolTagInfoTarget 004 5 (of 5)
List of functions that are called often in the Watchdog record:
Module Name Function Name #Stack #Of Occurrences
nt ExpGetPoolTagInfoTarget 005 5 (of 5)
--------------------------------------------------
CPU#7
--------------------------------------------------
Current DPC: nt!ExpGetPoolTagInfoTarget (Normal DPC)
Debugger Saved IRQL: 13
Cumulative DPC Time Limit: 0.000 seconds
Current Cumulative DPC Time: 0.000 seconds
Single DPC Time Limit: 0.000 seconds
Current Single DPC Time: 0.000 seconds
dt nt!_ISRDPCSTATS ffffd28d712d46b0
Unable to read nt!_ISRDPCSTATS.IsrActive
Unable to load image \??\C:\Program Files (x86)\EasyAntiCheat\EasyAntiCheat.sys, Win32 error 0n2
*** WARNING: Unable to verify timestamp for EasyAntiCheat.sys
DPC Watchdog Captures Analysis for CPU #7.
DPC Watchdog capture size: 108 stacks.
Number of unique stacks: 3.
Most common function: fffff806d69d518c EasyAntiCheat+0x9D518C
The captured stacks seem to indicate that only a single DPC or generic function is the culprit.
Try to analyse what other processors were doing at the time of the following reference capture:
CPU #7 DPC Watchdog Reference Stack (#0 of 108) - Profiling started at time since boot: 28 Min 28 Sec 734.38 mSec
# RetAddr Call Site
00 fffff8067eeb91e1 nt!KeClockInterruptNotify+0xC07
01 fffff8067e402a25 hal!HalpTimerClockIpiRoutine+0x21
02 fffff8067e5c2f7a nt!KiCallInterruptServiceRoutine+0xA5
03 fffff8067e5c34e7 nt!KiInterruptSubDispatchNoLockNoEtw+0xFA
04 fffff8067e41ba18 nt!KiInterruptDispatchNoLockNoEtw+0x37
05 fffff8067e507f39 nt!KeYieldProcessorEx+0x8
06 fffff8067e46ae95 nt!ExpGetPoolTagInfoTarget+0x139
07 fffff8067e46a4ef nt!KiExecuteAllDpcs+0x305
08 fffff8067e5c8525 nt!KiRetireDpcList+0x1EF
09 fffff8067e5c8310 nt!KxRetireDpcList+0x5
0a fffff8067e5c79e0 nt!KiDispatchInterruptContinue
0b fffff806d69d518c nt!KiDpcInterrupt+0x2F0
0c ---------------- EasyAntiCheat+0x9D518C
--------------------------------------------------
CPU#8
--------------------------------------------------
Current DPC: nt!ExpGetPoolTagInfoTarget (Normal DPC)
Debugger Saved IRQL: 13
Cumulative DPC Time Limit: 0.000 seconds
Current Cumulative DPC Time: 0.000 seconds
Single DPC Time Limit: 0.000 seconds
Current Single DPC Time: 0.000 seconds
dt nt!_ISRDPCSTATS ffffd28d712d51b0
Unable to read nt!_ISRDPCSTATS.IsrActive
DPC Watchdog Captures Analysis for CPU #8.
DPC Watchdog capture size: 108 stacks.
Number of unique stacks: 3.
Most common function: fffff8067e5c79e0 nt!KiDpcInterrupt+0x2F0
The captured stacks seem to indicate that only a single DPC or generic function is the culprit.
Try to analyse what other processors were doing at the time of the following reference capture:
CPU #8 DPC Watchdog Reference Stack (#0 of 108) - Profiling started at time since boot: 28 Min 28 Sec 734.38 mSec
# RetAddr Call Site
00 fffff8067eeb91e1 nt!KeClockInterruptNotify+0xC07
01 fffff8067e402a25 hal!HalpTimerClockIpiRoutine+0x21
02 fffff8067e5c2f7a nt!KiCallInterruptServiceRoutine+0xA5
03 fffff8067e5c34e7 nt!KiInterruptSubDispatchNoLockNoEtw+0xFA
04 fffff8067e41ba2f nt!KiInterruptDispatchNoLockNoEtw+0x37
05 fffff8067e507f39 nt!KeYieldProcessorEx+0x1F
06 fffff8067e46ae95 nt!ExpGetPoolTagInfoTarget+0x139
07 fffff8067e46a4ef nt!KiExecuteAllDpcs+0x305
08 fffff8067e5c8525 nt!KiRetireDpcList+0x1EF
09 fffff8067e5c8310 nt!KxRetireDpcList+0x5
0a fffff8067e5c79e0 nt!KiDispatchInterruptContinue
0b ---------------- nt!KiDpcInterrupt+0x2F0
--------------------------------------------------
CPU#9
--------------------------------------------------
Current DPC: nt!ExpGetPoolTagInfoTarget (Normal DPC)
Debugger Saved IRQL: 13
Cumulative DPC Time Limit: 0.000 seconds
Current Cumulative DPC Time: 0.000 seconds
Single DPC Time Limit: 0.000 seconds
Current Single DPC Time: 0.000 seconds
dt nt!_ISRDPCSTATS ffffd28d712d5cb0
Unable to read nt!_ISRDPCSTATS.IsrActive
DPC Watchdog Captures Analysis for CPU #9.
DPC Watchdog capture size: 108 stacks.
Number of unique stacks: 5.
Most common function: fffff8067e5c5024 nt!KiIdleLoop+0x84
The captured stacks seem to indicate that only a single DPC or generic function is the culprit.
Try to analyse what other processors were doing at the time of the following reference capture:
CPU #9 DPC Watchdog Reference Stack (#0 of 108) - Profiling started at time since boot: 28 Min 28 Sec 734.38 mSec
# RetAddr Call Site
00 fffff8067eeb91e1 nt!KeClockInterruptNotify+0xC07
01 fffff8067e402a25 hal!HalpTimerClockIpiRoutine+0x21
02 fffff8067e5c2f7a nt!KiCallInterruptServiceRoutine+0xA5
03 fffff8067e5c34e7 nt!KiInterruptSubDispatchNoLockNoEtw+0xFA
04 fffff8067e41ba2f nt!KiInterruptDispatchNoLockNoEtw+0x37
05 fffff8067e507f39 nt!KeYieldProcessorEx+0x1F
06 fffff8067e46ae95 nt!ExpGetPoolTagInfoTarget+0x139
07 fffff8067e46a4ef nt!KiExecuteAllDpcs+0x305
08 fffff8067e5c5024 nt!KiRetireDpcList+0x1EF
09 ---------------- nt!KiIdleLoop+0x84
--------------------------------------------------
CPU#10
--------------------------------------------------
Current DPC: nt!ExpGetPoolTagInfoTarget (Normal DPC)
Debugger Saved IRQL: 13
Cumulative DPC Time Limit: 0.000 seconds
Current Cumulative DPC Time: 0.000 seconds
Single DPC Time Limit: 0.000 seconds
Current Single DPC Time: 0.000 seconds
dt nt!_ISRDPCSTATS ffffd28d712d68b0
IsrActive: TRUE
Pending DPCs:
----------------------------------------
CPU Type KDPC Function
10: Normal : 0xfffff8067e83b540 0xfffff8067e426730 nt!PpmCheckPeriodicStart
10: Normal : 0xfffff8067e84fd60 0xfffff8067e4fc740 nt!KiBalanceSetManagerDeferredRoutine
DPC Watchdog Captures Analysis for CPU #10.
DPC Watchdog capture size: 108 stacks.
Number of unique stacks: 2.
Most common function: fffff8067e5c79e0 nt!KiDpcInterrupt+0x2F0
The captured stacks seem to indicate that only a single DPC or generic function is the culprit.
Try to analyse what other processors were doing at the time of the following reference capture:
CPU #10 DPC Watchdog Reference Stack (#0 of 108) - Profiling started at time since boot: 28 Min 28 Sec 734.38 mSec
# RetAddr Call Site
00 fffff8067eeb74b7 nt!KeClockInterruptNotify+0x98C
01 fffff8067e402a25 hal!HalpTimerClockInterrupt+0xF7
02 fffff8067e5c2f7a nt!KiCallInterruptServiceRoutine+0xA5
03 fffff8067e5c34e7 nt!KiInterruptSubDispatchNoLockNoEtw+0xFA
04 fffff8067e41ba30 nt!KiInterruptDispatchNoLockNoEtw+0x37
05 fffff8067e507f39 nt!KeYieldProcessorEx+0x20
06 fffff8067e46ae95 nt!ExpGetPoolTagInfoTarget+0x139
07 fffff8067e46a4ef nt!KiExecuteAllDpcs+0x305
08 fffff8067e5c8525 nt!KiRetireDpcList+0x1EF
09 fffff8067e5c8310 nt!KxRetireDpcList+0x5
0a fffff8067e5c79e0 nt!KiDispatchInterruptContinue
0b ---------------- nt!KiDpcInterrupt+0x2F0
--------------------------------------------------
CPU#11
--------------------------------------------------
Current DPC: No Active DPC
Pending DPCs:
----------------------------------------
CPU Type KDPC Function
11: Normal : 0xffff9600e60e4a20 0xfffff8067e507e00 nt!ExpGetPoolTagInfoTarget
11: Normal : 0xffff9600e60e5568 0xfffff8067e526dc0 nt!KiEntropyDpcRoutine完全一致的情况!只是这次辛勤工作的是 CPU 3,那么这个罪魁祸首 artusbaud 是何方神圣呢?
11: kd> lmvm artusbaud
Browse full module list
start end module name
fffff806`93bc0000 fffff806`93be7000 artusbaud T (no symbols)
Loaded symbol image file: artusbaud.sys
Image path: \SystemRoot\system32\drivers\artusbaud.sys
Image name: artusbaud.sys
Browse all global symbols functions data
Timestamp: Wed Jun 17 20:22:14 2015 (55816676)
CheckSum: 000297B9
ImageSize: 00027000
Translations: 0000.04b0 0000.04e4 0409.04b0 0409.04e4
Information from resource tables:是一个驱动!按这个路径找群友要来 sys 看了一下:
是一个 USB 声卡驱动!和上方 Stack 中存在 USB 相关的方法完美匹配,群友在我指出后临时卸载驱动后恢复正常,并在后续找卖家更换了新的驱动,问题完满解决!(群内未解之谜又少了一个
小结和鸣谢
那么这次的分析就到这里结束啦,感谢你看到这里!其实在一开始分析的时候我的思路并没有那么清晰,全都是胡乱操作(?
不过多亏了网上已有的分析实战文章帮助我找到并解决了这个千古难题(据说是快把电脑都整个换掉了好像),在这里我想感谢前人写下的下列文章:
- DPC_WATCHDOG_VIOLATION蓝屏分析(https://blog.csdn.net/xiangbaohui/article/details/104849967)——提供了基本的解决思路
- Debugging Stop 0x133 – Using !dpcwatchdog(https://www.sysnative.com/forums/threads/debugging-stop-0x133-using-dpcwatchdog.33789/)——指出可以使用 dpcwatchdog 命令查看具体信息,他的分析比我更为深层,推荐阅读!
我在此之前也没有尝试分析过这类蓝屏,这是我第一次分析并解决此类蓝屏,可以说我是站在巨人的肩膀上,真的由衷感觉到知识的宝贵和资料的重要性,所以我在这里也将我的这次分析记录下来,以供后人参考。
参考资料
- What is IRQL and why is it important? (https://techcommunity.microsoft.com/t5/ask-the-performance-team/what-is-irql-and-why-is-it-important/ba-p/372666)
- Introduction to Interrupt Service Routines(https://learn.microsoft.com/en-us/windows-hardware/drivers/kernel/introduction-to-interrupt-service-routines)
- Introduction to DPC Objects(https://learn.microsoft.com/en-us/windows-hardware/drivers/kernel/introduction-to-dpc-objects)
- Bug Check 0x133 DPC_WATCHDOG_VIOLATION(https://learn.microsoft.com/en-us/windows-hardware/drivers/debugger/bug-check-0x133-dpc-watchdog-violation)