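Hello, yesterday we installed the Microsoft system hotpatch package. Two of the machines are a DNS cluster pair with identical hardware and software configuration. 01 restarted automatically to upgrade after the patch was installed and blue-screened shortly after 5 a.m.; 02 had its virtual machine restarted manually after the patch package was installed, upgraded normally, and did not blue-screen. We need to find the cause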

ZeJie Chen 0 reputation points
2025-09-10T03:00:24.9466667+00:00

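Hello, on September 9 we installed the Microsoft system hotpatch package. Two of the machines are a DNS cluster pair with identical hardware and software configuration. 02 had its virtual machine restarted manually after the patch package was installed; it upgraded normally and did not blue-screen. On 01, the operating system restarted automatically to upgrade after the patch was installed and blue-screened shortly after 5 a.m. on September 10; after the operating system was restarted it booted normally and went on to complete the upgrade. We need to find the cause.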

Below is the analysis of the local blue screen dmp log

9: kd> !analyze -v
Loading Kernel Symbols
...............................................................
................................................................
........................................................
Loading User Symbols
PEB is paged out (Peb.Ldr = 000000e1`c91d4018).  Type ".hh dbgerr001" for details
Loading unloaded module list
.........................................
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

REFERENCE_BY_POINTER (18)
Arguments:
Arg1: 0000000000000000, Object type of the object whose reference count is being lowered
Arg2: ffffd10e26e91080, Object whose reference count is being lowered
Arg3: 0000000000000002, Reserved
Arg4: fffffffffffffffd, Reserved
	The reference count of an object is illegal for the current state of the object.
	Each time a driver uses a pointer to an object the driver calls a kernel routine
	to increment the reference count of the object. When the driver is done with the
	pointer the driver calls another kernel routine to decrement the reference count.
	Drivers must match calls to the increment and decrement routines. This BugCheck
	can occur because an object's reference count goes to zero while there are still
	open handles to the object, in which case the fourth parameter indicates the number
	of opened handles. It may also occur when the object's reference count drops below zero
	whether or not there are open handles to the object, and in that case the fourth parameter
	contains the actual value of the pointer references count.

Debugging Details:
------------------


KEY_VALUES_STRING: 1

    Key  : Analysis.CPU.mSec
    Value: 2312

    Key  : Analysis.Elapsed.mSec
    Value: 22047

    Key  : Analysis.IO.Other.Mb
    Value: 0

    Key  : Analysis.IO.Read.Mb
    Value: 1

    Key  : Analysis.IO.Write.Mb
    Value: 0

    Key  : Analysis.Init.CPU.mSec
    Value: 578

    Key  : Analysis.Init.Elapsed.mSec
    Value: 3508

    Key  : Analysis.Memory.CommitPeak.Mb
    Value: 103

    Key  : Analysis.Version.DbgEng
    Value: 10.0.27920.1001

    Key  : Analysis.Version.Description
    Value: 10.2506.23.01 amd64fre

    Key  : Analysis.Version.Ext
    Value: 1.2506.23.1

    Key  : Bugcheck.Code.LegacyAPI
    Value: 0x18

    Key  : Bugcheck.Code.TargetModel
    Value: 0x18

    Key  : Failure.Bucket
    Value: 0x18_CORRUPT_REF_COUNT_nt!ObfDereferenceObjectWithTag

    Key  : Failure.Hash
    Value: {fa6b3516-71cb-1e92-b987-b8bebd3458ac}

    Key  : Hypervisor.Enlightenments.Value
    Value: 368

    Key  : Hypervisor.Enlightenments.ValueHex
    Value: 0x170

    Key  : Hypervisor.Flags.AnyHypervisorPresent
    Value: 1

    Key  : Hypervisor.Flags.ApicEnlightened
    Value: 1

    Key  : Hypervisor.Flags.ApicVirtualizationAvailable
    Value: 0

    Key  : Hypervisor.Flags.AsyncMemoryHint
    Value: 0

    Key  : Hypervisor.Flags.CoreSchedulerRequested
    Value: 0

    Key  : Hypervisor.Flags.CpuManager
    Value: 0

    Key  : Hypervisor.Flags.DeprecateAutoEoi
    Value: 0

    Key  : Hypervisor.Flags.DynamicCpuDisabled
    Value: 0

    Key  : Hypervisor.Flags.Epf
    Value: 0

    Key  : Hypervisor.Flags.ExtendedProcessorMasks
    Value: 0

    Key  : Hypervisor.Flags.HardwareMbecAvailable
    Value: 0

    Key  : Hypervisor.Flags.MaxBankNumber
    Value: 0

    Key  : Hypervisor.Flags.MemoryZeroingControl
    Value: 0

    Key  : Hypervisor.Flags.NoExtendedRangeFlush
    Value: 1

    Key  : Hypervisor.Flags.NoNonArchCoreSharing
    Value: 0

    Key  : Hypervisor.Flags.Phase0InitDone
    Value: 1

    Key  : Hypervisor.Flags.PowerSchedulerQos
    Value: 0

    Key  : Hypervisor.Flags.RootScheduler
    Value: 0

    Key  : Hypervisor.Flags.SynicAvailable
    Value: 1

    Key  : Hypervisor.Flags.UseQpcBias
    Value: 0

    Key  : Hypervisor.Flags.Value
    Value: 536617

    Key  : Hypervisor.Flags.ValueHex
    Value: 0x83029

    Key  : Hypervisor.Flags.VpAssistPage
    Value: 1

    Key  : Hypervisor.Flags.VsmAvailable
    Value: 0

    Key  : Hypervisor.RootFlags.AccessStats
    Value: 0

    Key  : Hypervisor.RootFlags.CrashdumpEnlightened
    Value: 0

    Key  : Hypervisor.RootFlags.CreateVirtualProcessor
    Value: 0

    Key  : Hypervisor.RootFlags.DisableHyperthreading
    Value: 0

    Key  : Hypervisor.RootFlags.HostTimelineSync
    Value: 0

    Key  : Hypervisor.RootFlags.HypervisorDebuggingEnabled
    Value: 0

    Key  : Hypervisor.RootFlags.IsHyperV
    Value: 0

    Key  : Hypervisor.RootFlags.LivedumpEnlightened
    Value: 0

    Key  : Hypervisor.RootFlags.MapDeviceInterrupt
    Value: 0

    Key  : Hypervisor.RootFlags.MceEnlightened
    Value: 0

    Key  : Hypervisor.RootFlags.Nested
    Value: 0

    Key  : Hypervisor.RootFlags.StartLogicalProcessor
    Value: 0

    Key  : Hypervisor.RootFlags.Value
    Value: 0

    Key  : Hypervisor.RootFlags.ValueHex
    Value: 0x0

    Key  : WER.OS.Branch
    Value: ge_release

    Key  : WER.OS.Version
    Value: 10.0.26100.1


BUGCHECK_CODE:  18

BUGCHECK_P1: 0

BUGCHECK_P2: ffffd10e26e91080

BUGCHECK_P3: 2

BUGCHECK_P4: fffffffffffffffd

FILE_IN_CAB:  091025-12062-01.dmp

FAULTING_THREAD:  ffffd10e16647140

BLACKBOXBSD: 1 (!blackboxbsd)


BLACKBOXNTFS: 1 (!blackboxntfs)


BLACKBOXPNP: 1 (!blackboxpnp)


BLACKBOXSCM: 1 (!blackboxscm)


BLACKBOXWINLOGON: 1 (!blackboxwinlogon)


CUSTOMER_CRASH_COUNT:  1

PROCESS_NAME:  smss.exe

STACK_TEXT:  
ffff9404`43987258 fffff800`9522db4a     : 00000000`00000018 00000000`00000000 ffffd10e`26e91080 00000000`00000002 : nt!KeBugCheckEx
ffff9404`43987260 fffff800`9584bb19     : 00000000`00000001 00000000`00000000 ffffd10e`16647140 00000000`00000000 : nt!ObfDereferenceObjectWithTag+0x7a
ffff9404`439872a0 fffff800`9584a289     : 00000000`00000000 00000000`00000000 00000000`00000000 ffffd10e`26e91080 : nt!ObCloseHandleTableEntry+0x3d9
ffff9404`439873f0 fffff800`956b7c55     : ffffd10e`26e91000 00000284`63109080 ffffd10e`16647140 00000000`00000002 : nt!NtClose+0xe9
ffff9404`43987460 00007fff`41aa1ce4     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x25
000000e1`c927f5a8 00000000`00000000     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x00007fff`41aa1ce4


SYMBOL_NAME:  nt!ObfDereferenceObjectWithTag+7a

MODULE_NAME: nt

IMAGE_NAME:  ntkrnlmp.exe

IMAGE_VERSION:  10.0.26100.4343

STACK_COMMAND: .process /r /p 0xffffd10e166b1140; .thread 0xffffd10e16647140 ; kb

BUCKET_ID_FUNC_OFFSET:  7a

FAILURE_BUCKET_ID:  0x18_CORRUPT_REF_COUNT_nt!ObfDereferenceObjectWithTag

OS_VERSION:  10.0.26100.1

BUILDLAB_STR:  ge_release

OSPLATFORM_TYPE:  x64

OSNAME:  Windows 10

FAILURE_ID_HASH:  {fa6b3516-71cb-1e92-b987-b8bebd3458ac}

Followup:     MachineOwner
---------


Windows for business | Windows Server | Devices and deployment | Set up upgrades and drivers

1 answer

  1. Quinnie Quoc 7,625 reputation points Independent Advisor
    2025-09-10T03:47:51.6566667+00:00

    Dear ZeJie Chen,

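    Thank you for the detailed report and DMP log analysis. Based on the information provided, the blue screen on VM 01 after installing hotpatch KB5064081 appears to have been caused by a REFERENCE_BY_POINTER (bug check 0x18) error. This usually indicates a mismatch in object reference count handling, typically because a driver or system component released a resource incorrectly.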

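    The fact that VM 02 completed the upgrade without problems suggests that the issue may be related to timing or sequencing differences between the automatic and manual restart processes. The faulting thread (smss.exe) and the ObfDereferenceObjectWithTag function point to a system-level object being dereferenced incorrectly, possibly during session initialization.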

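    We recommend the following steps:

    Review any third-party drivers or agents installed on VM 01 that may interact with system objects during startup.

    Compare the boot sequence and patch application logs between VM 01 and VM 02.

    If feasible, enable Driver Verifier on a test VM to identify misbehaving drivers.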

    If you need help collecting additional diagnostics or escalating this issue for deeper analysis, please let us know.

    Best regards,

    Quinnie Quoc.
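
An added example, not part of the question or the answer: a Python parser for the `!analyze -v` text quoted in the question. It reads Arg4 as a signed 64-bit value, which the debugger's own description says holds the pointer reference count when that count drops below zero, and lists which modules appear on the faulting stack. The function names are this example's own, and the embedded sample is constructed from lines copied out of the dump above.

```python
import re

# Constructed sample: lines copied from the !analyze -v output in the question.
SAMPLE = r"""REFERENCE_BY_POINTER (18)
Arg1: 0000000000000000, Object type of the object whose reference count is being lowered
Arg2: ffffd10e26e91080, Object whose reference count is being lowered
Arg3: 0000000000000002, Reserved
Arg4: fffffffffffffffd, Reserved
PROCESS_NAME:  smss.exe
STACK_TEXT:
ffff9404`43987258 fffff800`9522db4a     : 00000000`00000018 00000000`00000000 ffffd10e`26e91080 00000000`00000002 : nt!KeBugCheckEx
ffff9404`43987260 fffff800`9584bb19     : 00000000`00000001 00000000`00000000 ffffd10e`16647140 00000000`00000000 : nt!ObfDereferenceObjectWithTag+0x7a
ffff9404`439872a0 fffff800`9584a289     : 00000000`00000000 00000000`00000000 00000000`00000000 ffffd10e`26e91080 : nt!ObCloseHandleTableEntry+0x3d9
ffff9404`439873f0 fffff800`956b7c55     : ffffd10e`26e91000 00000284`63109080 ffffd10e`16647140 00000000`00000002 : nt!NtClose+0xe9
ffff9404`43987460 00007fff`41aa1ce4     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x25
000000e1`c927f5a8 00000000`00000000     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x00007fff`41aa1ce4
"""

# One STACK_TEXT row: child-SP, return address, four args, then the symbol.
FRAME = re.compile(r"^[0-9a-f`]{17} [0-9a-f`]{17}\s+:.*: (\S+)$", re.M)

def to_signed64(v):
    """Reinterpret an unsigned 64-bit value as two's-complement signed."""
    return v - (1 << 64) if v & (1 << 63) else v

def parse_analyze(text):
    """Extract bug check name/code, the four arguments, process and frames."""
    name, code = re.search(r"^(\w+) \(([0-9a-fA-F]+)\)$", text, re.M).groups()
    found = sorted(re.findall(r"^Arg([1-4]): ([0-9a-f]{16})", text, re.M))
    proc = re.search(r"^PROCESS_NAME:\s+(\S+)", text, re.M)
    return {"name": name, "code": int(code, 16),
            "args": [int(h, 16) for _, h in found],
            "process": proc.group(1) if proc else None,
            "frames": FRAME.findall(text)}

def triage(info):
    """For 0x18, decode Arg4 as the signed count and split frames by module."""
    modules = {f.split("!")[0] for f in info["frames"] if "!" in f}
    return {"pointer_count": to_signed64(info["args"][3]) if info["code"] == 0x18 else None,
            "object": hex(info["args"][1]),
            "non_nt_modules": sorted(modules - {"nt"}),
            "unsymbolized": [f for f in info["frames"] if "!" not in f]}

if __name__ == "__main__":
    info = parse_analyze(SAMPLE)
    print(info["name"], hex(info["code"]), info["process"])
    print(triage(info))
```

For this dump Arg4 decodes to -3, and every symbolized frame is in `nt`, so the stack on its own names no third-party driver.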
