Checking older logs
There were always two main errors, so I had a look at them while I was at it.

会话“Microsoft.Windows.Remediation”未能启动,存在以下错误: 0xC0000035

Looking it up, the explanation is that the system may be incomplete, or the file system or something similar is damaged.

What I found:

It is recommended that you first try the following to check the integrity of your computer's components:

At an administrator command prompt, type the following command: sfc /SCANNOW, and then

Dism /Online /Cleanup-Image /ScanHealth

This command scans all system files, compares them against the official system files, and checks the computer for inconsistencies.

Dism /Online /Cleanup-Image /CheckHealth

This command must be used only after the previous command has finished and corruption in system files has been found.

DISM /Online /Cleanup-image /RestoreHealth

This command restores the differing system files to the official source files.

After it completes, reboot, then type the following command again: sfc /SCANNOW, to check whether the system files have been repaired.

The result: nothing wrong.

会话“PerfDiag Logger”未能启动,存在以下错误: 0xC0000035

The suggestion was to update the system: https://www.microsoft.com/zh-cn/software-download/windows10
Later, later; next time for sure.

The crash this time

[Screenshots of the crash: Snipaste_2021-09-23_00-20-59, Snipaste_2021-09-23_00-20-34, Snipaste_2021-09-23_00-20-49, Snipaste_2021-09-23_00-24-52, Snipaste_2021-09-23_00-25-04]

Looking closely, it is really lucky that this Windows managed to run safely for several days. Next up is analyzing the dump file. Although I have studied WinDbg, I had not really come across this kind of scenario before.

WinDbg recommended that I run !analyze -v and take a look.

3: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

DPC_WATCHDOG_VIOLATION (133)
The DPC watchdog detected a prolonged run time at an IRQL of DISPATCH_LEVEL
or above.
Arguments:
Arg1: 0000000000000000, A single DPC or ISR exceeded its time allotment. The offending
	component can usually be identified with a stack trace.
Arg2: 0000000000000501, The DPC time count (in ticks).
Arg3: 0000000000000500, The DPC time allotment (in ticks).
Arg4: fffff8000d8fa320, cast to nt!DPC_WATCHDOG_GLOBAL_TRIAGE_BLOCK, which contains
	additional information regarding this single DPC timeout

Debugging Details:
------------------

*************************************************************************
***                                                                   ***
***                                                                   ***
***    Either you specified an unqualified symbol, or your debugger   ***
***    doesn't have full symbol information.  Unqualified symbol      ***
***    resolution is turned off by default. Please either specify a   ***
***    fully qualified symbol module!symbolname, or enable resolution ***
***    of unqualified symbols by typing ".symopt- 100". Note that     ***
***    enabling unqualified symbol resolution with network symbol     ***
***    server shares in the symbol path may cause the debugger to     ***
***    appear to hang for long periods of time when an incorrect      ***
***    symbol name is typed or the network symbol server is down.     ***
***                                                                   ***
***    For some commands to work properly, your symbol path           ***
***    must point to .pdb files that have full type information.      ***
***                                                                   ***
***    Certain .pdb files (such as the public OS symbols) do not      ***
***    contain the required information.  Contact the group that      ***
***    provided you with these symbols if you need this command to    ***
***    work.                                                          ***
***                                                                   ***
***    Type referenced: TickPeriods                                   ***
***                                                                   ***
*************************************************************************

KEY_VALUES_STRING: 1

    Key  : Analysis.CPU.mSec
    Value: 4999

    Key  : Analysis.DebugAnalysisManager
    Value: Create

    Key  : Analysis.Elapsed.mSec
    Value: 20595

    Key  : Analysis.Init.CPU.mSec
    Value: 827

    Key  : Analysis.Init.Elapsed.mSec
    Value: 965821

    Key  : Analysis.Memory.CommitPeak.Mb
    Value: 99

    Key  : WER.OS.Branch
    Value: vb_release

    Key  : WER.OS.Timestamp
    Value: 2019-12-06T14:06:00Z

    Key  : WER.OS.Version
    Value: 10.0.19041.1


BUGCHECK_CODE:  133

BUGCHECK_P1: 0

BUGCHECK_P2: 501

BUGCHECK_P3: 500

BUGCHECK_P4: fffff8000d8fa320

DPC_TIMEOUT_TYPE:  SINGLE_DPC_TIMEOUT_EXCEEDED

TRAP_FRAME:  ffff8a88d504e270 -- (.trap 0xffff8a88d504e270)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=000000001c514908 rbx=0000000000000000 rcx=ffff8a88d504e460
rdx=ffff8a88d507e5d0 rsi=0000000000000000 rdi=0000000000000000
rip=fffff8000ce80dd7 rsp=ffff8a88d504e400 rbp=ffff8a88d504e590
 r8=ffff8a88d504e560  r9=ffff8a88d504ee00 r10=0000000000000002
r11=0000000000000002 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei pl nz na pe nc
nt!KeYieldProcessorEx+0x17:
fffff800`0ce80dd7 4883c420        add     rsp,20h
Resetting default scope

BLACKBOXBSD: 1 (!blackboxbsd)


BLACKBOXNTFS: 1 (!blackboxntfs)


BLACKBOXPNP: 1 (!blackboxpnp)


BLACKBOXWINLOGON: 1

PROCESS_NAME:  System

STACK_TEXT:  
ffffdc00`98ccbe18 fffff800`0d01f4fa     : 00000000`00000133 00000000`00000000 00000000`00000501 00000000`00000500 : nt!KeBugCheckEx
ffffdc00`98ccbe20 fffff800`0ce16ac3     : 0000167c`d2cb323c ffffdc00`98c79180 00000000`00000000 ffffdc00`98c79180 : nt!KeAccumulateTicks+0x2061da
ffffdc00`98ccbe80 fffff800`0ce165aa     : ffffc68f`8e512d40 ffff8a88`d504e2f0 00000206`c786f000 00000206`c0f12d00 : nt!KeClockInterruptNotify+0x453
ffffdc00`98ccbf30 fffff800`0cede055     : ffffc68f`8e512d40 00000000`00000000 00000000`00000000 ffff1ef0`995a317d : nt!HalpTimerClockIpiRoutine+0x1a
ffffdc00`98ccbf60 fffff800`0cff8c6a     : ffff8a88`d504e2f0 ffffc68f`8e512d40 ffff8a88`d504ee00 00000000`00000000 : nt!KiCallInterruptServiceRoutine+0xa5
ffffdc00`98ccbfb0 fffff800`0cff91d7     : 00000000`00000000 00000000`00000000 ffff8a88`d504e5d0 fffff800`0cff91e4 : nt!KiInterruptSubDispatchNoLockNoEtw+0xfa
ffff8a88`d504e270 fffff800`0ce80dd7     : 00000000`00000010 00000000`00000202 ffff8a88`d504e428 00000000`00000018 : nt!KiInterruptDispatchNoLockNoEtw+0x37
ffff8a88`d504e400 fffff800`0cec0dea     : ffffc68f`b2f23d00 fffff800`00000006 00000000`00000000 00000000`00000000 : nt!KeYieldProcessorEx+0x17
ffff8a88`d504e430 fffff800`0cec0daf     : ffffc68f`1c514908 fffff800`64427610 00000000`00000000 ffff8a88`d504e8f0 : nt!KxWaitForLockOwnerShip+0x2a
ffff8a88`d504e460 fffff800`64426512     : 00000000`00000000 ffff8a88`d504e590 11100032`daef9cfb ffffc68f`9599fa20 : nt!KeAcquireInStackQueuedSpinLock+0x7f
ffff8a88`d504e490 fffff800`1331ca51     : ffff8a88`d504ee00 ffffc68f`9599fa20 00000000`00032300 ffffc68f`9599fa20 : SmbCo10X64+0x6512
ffff8a88`d504e690 fffff800`133195eb     : ffffc68f`a4800010 ffff8a88`d504ee00 ffffc68f`9599fa20 ffffc68f`a854ea40 : NETIO!ProcessCallout+0x5d1
ffff8a88`d504e810 fffff800`1331818a     : ffffc68f`a4368e30 ffff8a88`d504ee00 00000000`00000000 ffff8a88`d504eb10 : NETIO!ArbitrateAndEnforce+0x71b
ffff8a88`d504e970 fffff800`137f89cc     : ffffc68f`9599fcc0 00000000`00032334 ffff8a88`d504ee60 fffff800`1370be21 : NETIO!KfdClassify+0x37a
ffff8a88`d504ed60 fffff800`1378f751     : ffffc68f`966438e8 00000000`00000000 00000000`00000000 00000000`00000000 : tcpip!WfpTlShimInspectSendTcpDatagram+0x360
ffff8a88`d504eed0 fffff800`1370b19b     : ffffc68f`966439c8 ffffc68f`ad1f7a40 ffffc68f`966438e8 ffff8a88`d504f330 : tcpip!IppInspectLocalDatagramsOut+0x83eb1
ffff8a88`d504f1a0 fffff800`1370ad60     : fffff780`00000000 00000000`00000000 fffff800`138c9230 ffffc68f`b3946980 : tcpip!IppSendDatagramsCommon+0x41b
ffff8a88`d504f320 fffff800`136f91f8     : 00000000`00000003 00000014`00000006 00000000`00000000 00000000`00000004 : tcpip!IpNlpSendDatagrams+0x40
ffff8a88`d504f360 fffff800`136f907a     : ffffc68f`9d54dbf0 ffff8a88`d504f4e0 ffffc68f`b3949010 00000000`f482c1e2 : tcpip!InetSendDatagramsOnPathAf+0xe0
ffff8a88`d504f460 fffff800`1371e431     : 00000000`00000000 00000000`009116c6 00000000`009116c6 ffffc68f`b3949260 : tcpip!TcpTcbKeepAliveSend+0x2b2
ffff8a88`d504f540 fffff800`0ce9a3be     : ffffdc00`98c7c240 ffffc68f`8e9e0000 ffff8a88`d504fa20 ffffdc00`98c79180 : tcpip!TcpPeriodicTimeoutHandler+0x16e1
ffff8a88`d504f760 fffff800`0ce996a4     : 00000000`00000000 fffff800`0ceedb55 00000000`00140001 00000000`00000000 : nt!KiExecuteAllDpcs+0x30e
ffff8a88`d504f8d0 fffff800`0cffad2e     : ffffffff`00000000 ffffdc00`98c79180 ffffdc00`98c84340 ffffc68f`a1913080 : nt!KiRetireDpcList+0x1f4
ffff8a88`d504fb60 00000000`00000000     : ffff8a88`d5050000 ffff8a88`d5049000 00000000`00000000 00000000`00000000 : nt!KiIdleLoop+0x9e


SYMBOL_NAME:  SmbCo10X64+6512

MODULE_NAME: SmbCo10X64

IMAGE_NAME:  SmbCo10X64.sys

STACK_COMMAND:  .thread ; .cxr ; kb

BUCKET_ID_FUNC_OFFSET:  6512

FAILURE_BUCKET_ID:  0x133_DPC_SmbCo10X64!unknown_function

OS_VERSION:  10.0.19041.1

BUILDLAB_STR:  vb_release

OSPLATFORM_TYPE:  x64

OSNAME:  Windows 10

FAILURE_ID_HASH:  {b7ae26a3-5838-8ff0-cad2-fb40469d2555}

Followup:     MachineOwner

Next task: analyze the dump file through the stack trace (it cannot really be traced back; all I can do is look at the call order).
It quickly becomes apparent that a driver crashed. Since I don't understand it well and cannot reproduce it, I had no choice but to reinstall a few network adapter drivers.

Actually, a single !analyze shows right away that a driver blew up: SmbCo10X64. It has already given me two blue screens, damn it.
A DPC or ISR that holds the processor at DISPATCH_LEVEL or above for too long triggers DPC_WATCHDOG_VIOLATION.
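As an added example (not part of the original post and not WinDbg's own code), this is the triage heuristic behind !analyze's MODULE_NAME and FAILURE_BUCKET_ID, applied to a few frames copied from the STACK_TEXT above: walk down from KeBugCheckEx and report the first frame that is outside Windows' own modules. INBOX_MODULES is an assumed, partial list, and the 0x133/DPC bucket shape is only what this dump shows.

```python
"""Triage a WinDbg STACK_TEXT block: pick the first frame that is not in a
Windows-shipped module, the way !analyze -v derives MODULE_NAME/FAILURE_BUCKET_ID.
Added example for this post, not WinDbg's code; frames copied from the dump above."""
import re

# Assumption: illustrative, partial set of Microsoft kernel modules to skip over.
INBOX_MODULES = {"nt", "hal", "netio", "tcpip", "ndis", "fwpkclnt"}

# Tail of a STACK_TEXT line: "module!Symbol+0xoff", "module+0xoff" or "module!Symbol".
FRAME_RE = re.compile(
    r":\s+(?P<module>\w+)(?:!(?P<symbol>[^\s+]+))?(?:\+0x(?P<off>[0-9a-fA-F]+))?\s*$")

# Constructed input: a subset of the post's STACK_TEXT frames, top of stack first.
SAMPLE_STACK = """\
ffffdc00`98ccbe18 fffff800`0d01f4fa     : 00000000`00000133 00000000`00000000 00000000`00000501 00000000`00000500 : nt!KeBugCheckEx
ffff8a88`d504e460 fffff800`64426512     : 00000000`00000000 ffff8a88`d504e590 11100032`daef9cfb ffffc68f`9599fa20 : nt!KeAcquireInStackQueuedSpinLock+0x7f
ffff8a88`d504e490 fffff800`1331ca51     : ffff8a88`d504ee00 ffffc68f`9599fa20 00000000`00032300 ffffc68f`9599fa20 : SmbCo10X64+0x6512
ffff8a88`d504e690 fffff800`133195eb     : ffffc68f`a4800010 ffff8a88`d504ee00 ffffc68f`9599fa20 ffffc68f`a854ea40 : NETIO!ProcessCallout+0x5d1
ffff8a88`d504f540 fffff800`0ce9a3be     : ffffdc00`98c7c240 ffffc68f`8e9e0000 ffff8a88`d504fa20 ffffdc00`98c79180 : tcpip!TcpPeriodicTimeoutHandler+0x16e1
ffff8a88`d504f760 fffff800`0ce996a4     : 00000000`00000000 fffff800`0ceedb55 00000000`00140001 00000000`00000000 : nt!KiExecuteAllDpcs+0x30e
"""

def parse_frames(stack_text):
    """One dict per frame: module, symbol (None when only module+offset), offset."""
    frames = []
    for line in stack_text.splitlines():
        m = FRAME_RE.search(line)
        if not m:
            continue  # headers or truncated lines carry no frame
        frames.append({"module": m.group("module"),
                       "symbol": m.group("symbol"),
                       "offset": int(m.group("off"), 16) if m.group("off") else 0})
    return frames

def find_culprit(frames, inbox=INBOX_MODULES):
    """First frame, walking down from KeBugCheckEx, whose module is not Windows' own."""
    for f in frames:
        if f["module"].lower() not in inbox:
            return f
    return None  # every frame is OS code: nothing third-party to blame

def bucket_id(frame, bugcheck=0x133, tag="DPC"):
    """Rebuild the FAILURE_BUCKET_ID shape; without symbols it says unknown_function."""
    return f"0x{bugcheck:X}_{tag}_{frame['module']}!{frame['symbol'] or 'unknown_function'}"
```

With the post's frames this lands on SmbCo10X64+0x6512 and rebuilds the same 0x133_DPC_SmbCo10X64!unknown_function bucket that !analyze printed; a stack made only of nt/tcpip frames yields no culprit, which is when the dump alone cannot name a driver.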

It was developed by a company that was acquired by Dell. Reinstalling didn't help either; I feel like I need to reverse-engineer it.

https://github.com/volatilityfoundation/volatility could be used for the analysis; I haven't tried it yet.