Ok, luckily I had a mini dump of the BSOD at work, so I installed the symbols for Vista and ran the analysis.
I tried several versions of the symbols, but some pdb is still missing; anyway, here is the best result...
Code:
1: kd> !analyze -v
Unable to load image CLFS.SYS, Win32 error 0n2
*** WARNING: Unable to verify timestamp for CLFS.SYS
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
Unknown bugcheck code (c1f5)
Unknown bugcheck description
Arguments:
Arg1: 00000009
Arg2: 00000001
Arg3: 93555000
Arg4: 00000000
Debugging Details:
------------------
Unable to load image Ntfs.sys, Win32 error 0n2
*** WARNING: Unable to verify timestamp for Ntfs.sys
***** Kernel symbols are WRONG. Please fix symbols to do analysis.
*************************************************************************
*** ***
*** ***
*** Your debugger is not using the correct symbols ***
*** ***
*** In order for this command to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: nt!_KPRCB ***
*** ***
*************************************************************************
*************************************************************************
*** ***
*** ***
*** Your debugger is not using the correct symbols ***
*** ***
*** In order for this command to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: nt!KPRCB ***
*** ***
*************************************************************************
*************************************************************************
*** ***
*** ***
*** Your debugger is not using the correct symbols ***
*** ***
*** In order for this command to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: nt!_KPRCB ***
*** ***
*************************************************************************
*************************************************************************
*** ***
*** ***
*** Your debugger is not using the correct symbols ***
*** ***
*** In order for this command to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: nt!KPRCB ***
*** ***
*************************************************************************
*************************************************************************
*** ***
*** ***
*** Your debugger is not using the correct symbols ***
*** ***
*** In order for this command to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: nt!_KPRCB ***
*** ***
*************************************************************************
*************************************************************************
*** ***
*** ***
*** Your debugger is not using the correct symbols ***
*** ***
*** In order for this command to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: nt!_KPRCB ***
*** ***
*************************************************************************
*************************************************************************
*** ***
*** ***
*** Your debugger is not using the correct symbols ***
*** ***
*** In order for this command to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: nt!_KPRCB ***
*** ***
*************************************************************************
*************************************************************************
*** ***
*** ***
*** Your debugger is not using the correct symbols ***
*** ***
*** In order for this command to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: nt!_KPRCB ***
*** ***
*************************************************************************
ADDITIONAL_DEBUG_TEXT:
Use '!findthebuild' command to search for the target build information.
If the build information is available, run '!findthebuild -s ; .reload' to set symbol path and load symbols.
MODULE_NAME: CLFS
FAULTING_MODULE: 8220f000 nt
DEBUG_FLR_IMAGE_TIMESTAMP: 47918a61
CUSTOMER_CRASH_COUNT: 1
DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT
BUGCHECK_STR: 0xC1F5
CURRENT_IRQL: 0
LAST_CONTROL_TRANSFER: from 8068e0bc to 822dc0e3
STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
8ff512e0 8068e0bc 0000c1f5 00000009 00000001 nt+0xcd0e3
8ff512fc 806b80b4 00000001 00000000 00000009 CLFS!CClfsLogFcbPhysical::UpdateOwnerSectors+0x24
8ff5140c 806baa1e 8f4fa488 03000003 00000001 CLFS!CClfsLogFcbPhysical::UpdateCachedOwnerPage+0x51e
8ff51468 80693990 8f4fa488 0f9f15a2 81429438 CLFS!CClfsLogFcbPhysical::RebuildOwnerPage+0x136
8ff51524 806ab928 00000000 865a30a4 0013019f CLFS!CClfsLogFcbPhysical::Initialize+0x764
8ff515d8 806aefaa 0f9f1692 85755bf8 814293c8 CLFS!CClfsRequest::Create+0x3c2
8ff51614 806bda7f 814293c8 85755bf8 0f9f16d2 CLFS!CClfsRequest::Dispatch+0xe2
8ff51654 806a34ea 85755bf8 814293c8 0f9f1616 CLFS!ClfsDispatchIoRequest+0x13b
8ff51690 822cafd3 85755bf8 814293c8 866bfb9c CLFS!CClfsDriver::LogIoDispatch+0x3c
8ff516a8 8242fce1 7aeb133d 865a312c 85755be0 nt+0xbbfd3
8ff51778 824553cf 85755bf8 00000000 865a3088 nt+0x220ce1
8ff51808 8242d0c6 00000000 8ff51860 00000242 nt+0x2463cf
8ff5186c 8242ebc3 8ff51a04 00000000 86c44a00 nt+0x21e0c6
8ff518e0 8243551d 8ff51a64 c0010000 8ff51a04 nt+0x21fbc3
8ff5193c 823edf9d 8ff51a64 c0010000 8ff51a04 nt+0x22651d
8ff51998 806be310 8ff51a64 c0010000 8ff51a04 nt+0x1def9d
8ff51aa4 8865f9bf 92bdd168 a7307550 c0000000 CLFS!ClfsCreateLogFile+0x824
8ff51c14 8865c81c 84872328 aafc0c18 ca1ee008 Ntfs!TxfStartRm+0x60e
8ff51ca8 8869c97c 864ec498 863c9b30 84872328 Ntfs!TxfInitializeVolume+0x688
8ff51cc4 8860f03e 84872328 00000000 07912669 Ntfs!NtfsCommonFileSystemControl+0x99
8ff51d44 82247445 00000000 00000000 86c44a28 Ntfs!NtfsFspDispatch+0x264
8ff51d7c 823e4b18 84872328 7aeb1985 00000000 nt+0x38445
8ff51dc0 8223da2e 82247348 80000000 00000000 nt+0x1d5b18
00000000 00000000 00000000 00000000 00000000 nt+0x2ea2e
STACK_COMMAND: kb
FOLLOWUP_IP:
CLFS!CClfsLogFcbPhysical::UpdateOwnerSectors+24
8068e0bc ?? ???
SYMBOL_STACK_INDEX: 1
SYMBOL_NAME: CLFS!CClfsLogFcbPhysical::UpdateOwnerSectors+24
FOLLOWUP_NAME: MachineOwner
IMAGE_NAME: CLFS.SYS
BUCKET_ID: WRONG_SYMBOLS
Followup: MachineOwner
---------
It doesn't look good; it seems to be a file system problem (exactly what I thought). Too bad some pdbs are still missing to get more info..
I can't attach the zipped mini dump because it is 4kb over the allowed size.. anyway here it is, let me know what you think..
Maybe I'll send the dmp by email, maybe you'll have better luck finding the right symbols.. I tried THREE but in none of the cases did I have all the pdbs.
Bye!