The damned keyboard-encryption feature of QQ2006 has caused me a lot of inconvenience. To keep my system and virtual machines running normally, I had to stick with QQ2006 Beta3 and delete the automatically downloaded upgrade program before every launch in order to keep using QQ. Recently my friend YY ran into the same problem and sent me his dump file; analysis in WinDbg showed that the culprit behind the system reboots and blue screens was indeed QQ2006's keyboard-encryption driver file. The material I later got from YY basically solved the problem.
---------
First, the results of the WinDbg analysis:
Microsoft (R) Windows Debugger Version 6.6.0007.5
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [C:\Mini012507-02.dmp]
Mini Kernel Dump File: Only registers and stack trace are available
Symbol search path is: E:\Symbols_WXPSP2
Executable search path is:
Unable to load image ntoskrnl.exe, Win32 error 2
*** WARNING: Unable to verify timestamp for ntoskrnl.exe
Windows XP Kernel Version 2600 (Service Pack 2) MP (2 procs) Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Kernel base = 0x804d8000 PsLoadedModuleList = 0x8055d700
Debug session time: Thu Jan 25 09:00:47.319 2007 (GMT+8)
System Uptime: 0 days 0:27:20.203
Unable to load image ntoskrnl.exe, Win32 error 2
*** WARNING: Unable to verify timestamp for ntoskrnl.exe
Loading Kernel Symbols
............................................................................................................................
Loading User Symbols
Loading unloaded module list
............
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck 1000000A, {e14c1898, 2, 0, 805d8b06}
*** WARNING: Unable to verify timestamp for npkcusb.sys
*** ERROR: Module load completed but symbols could not be loaded for npkcusb.sys
Unable to load image hidusb.sys, Win32 error 2
*** WARNING: Unable to verify timestamp for hidusb.sys
Unable to load image HIDCLASS.SYS, Win32 error 2
*** WARNING: Unable to verify timestamp for HIDCLASS.SYS
Unable to load image kbdhid.sys, Win32 error 2
*** WARNING: Unable to verify timestamp for kbdhid.sys
*** WARNING: Unable to verify timestamp for win32k.sys
Probably caused by : npkcusb.sys ( npkcusb+384 )
Followup: MachineOwner
---------
1: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.
Arguments:
Arg1: e14c1898, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000000, value 0 = read operation, 1 = write operation
Arg4: 805d8b06, address which referenced memory
Debugging Details:
------------------
READ_ADDRESS: e14c1898
CURRENT_IRQL: 2
FAULTING_IP:
nt!RtlValidRelativeSecurityDescriptor+143
805d8b06 0fb70a movzx ecx,word ptr [edx]
CUSTOMER_CRASH_COUNT: 2
DEFAULT_BUCKET_ID: DRIVER_FAULT
BUGCHECK_STR: 0xA
PROCESS_NAME: csrss.exe
LOCK_ADDRESS: 80559b60 -- (!locks 80559b60)
Resource @ nt!PiEngineLock (0x80559b60) Available
WARNING: SystemResourcesList->Flink chain invalid. Resource may be corrupted, or already deleted.
WARNING: SystemResourcesList->Blink chain invalid. Resource may be corrupted, or already deleted.
1 total locks
PNP_TRIAGE:
Lock address : 0x80559b60
Thread Count : 0
Thread address: 0x00000000
Thread wait : 0x0
LAST_CONTROL_TRANSFER: from 805e12a6 to 805d8b06
STACK_TEXT:
f76dd2fc 805e12a6 f76dd318 e14c1898 00000052 nt!RtlValidRelativeSecurityDescriptor+0x143
f76dd310 805e1b40 8640568c 86405668 0000001c nt!SetVirtualBits+0x30
f76dd328 8060f7b7 f76dd348 8640568c 00000000 nt!PushException+0x85
f76dd358 80611121 8055d700 8055d5d0 8557f000 nt!CmpGetHiveName+0x113
f76dd5a0 8054160c 0000000b 8557f000 00022f30 nt!PiGetRelatedDevice+0x16e
f76dd5b8 80500e35 badb0d00 f76dd630 00000000 nt!RtlIpv4StringToAddressA+0xfd
f76dd650 f6e3d384 f6e3faec f7820190 85c3e0d8 nt!RtlpRunTable+0x345
WARNING: Stack unwind information not available. Following frames may be wrong.
f76dd668 f6e3df9c f7820190 f76dd684 85c3e0d8 npkcusb+0x384
f76dd790 804efeb1 85f421e0 85d73008 85d73008 npkcusb+0xf9c
f76dd7dc f6e49558 856eba98 85d73008 f76dd7fb nt!MiAddViewsForSection+0x38
f76dd7fc f766ee91 856eba98 85d73008 856ebb64 hidusb!HumInternalIoctl+0x5a
f76dd810 f7671b19 856eba98 85d73008 85d7316c HIDCLASS!HidpCallDriver+0x3f
f76dd864 f766f8e3 85f9c518 85d73008 f76dd8bc HIDCLASS!HidpIrpMajorWrite+0x17f
f76dd874 804efeb1 85f9c460 85d73008 85d73190 HIDCLASS!HidpMajorHandler+0x31
f76dd8bc aaa8595c 856fb9a0 86108038 85d73008 nt!MiAddViewsForSection+0x38
f76dd8e0 804efeb1 00000000 856fb9f8 85d731b4 kbdhid!KbdHid_IOCTL+0xea
f76dd918 804efeb1 863de8a8 85d73198 806e5410 nt!MiAddViewsForSection+0x38
f76dd93c 805804e3 863de8a8 85d73008 86404d78 nt!MiAddViewsForSection+0x38
f76dd9d8 80579038 000008e8 00000000 00000000 nt!MiFindEmptyAddressRangeDownTree+0x92
f76dda0c 8054160c 000008e8 00000000 00000000 nt!RtlLengthSecurityDescriptor+0x24
f76dda3c 805005d9 badb0d00 f76ddab4 ff00ffff nt!RtlIpv4StringToAddressA+0xfd
f76ddd30 bf86d09c f76cd4a8 00000002 f76ddd54 nt!RtlpStatusTable+0x371
f76ddd40 bf8010ca f76cd4a8 f76ddd64 0075fff4 win32k!vDisableSynchronize+0x36
f76ddd54 8054160c 00000000 00000022 00000000 win32k!TimersProc+0xe
f76ddd64 7c92eb94 badb0d00 0075ffec f71aad98 nt!RtlIpv4StringToAddressA+0xfd
00000000 00000000 00000000 00000000 00000000 0x7c92eb94
STACK_COMMAND: kb
FOLLOWUP_IP:
npkcusb+384
f6e3d384 ?? ???
SYMBOL_STACK_INDEX: 7
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: npkcusb
IMAGE_NAME: npkcusb.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 451240bb
SYMBOL_NAME: npkcusb+384
FAILURE_BUCKET_ID: 0xA_npkcusb+384
BUCKET_ID: 0xA_npkcusb+384
Followup: MachineOwner
---------
Having confirmed that QQ2006's keyboard encryption caused the system fault, follow these steps, based on YY's material:
1. Go to the QQ installation directory, find the files npkcusb.sys and npkcrypt.sys, and delete them. Note: QQ2006 must be closed when you delete them;
2. Open the registry, locate HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB\Vid_413c&Pid_2003 and delete it.
The best approach is to delete the keyboard-encryption driver files right after installing QQ for the first time, then delete the registry key and restart the computer. After booting and logging on, the keyboard will be unusable for a short while, after which it works normally. In testing, there were no blue screens or unexpected reboots, either in the host system or when running virtual machines. Anything else remains to be observed...
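A guarded version of the two removal steps above, added here as an example and not part of the original post. It assumes the QQ install path in $QQDir and that the running client's process name is QQ (both assumptions; adjust to your machine), and it moves the driver files and exports the registry key to a backup folder instead of deleting them outright, so the change can be reverted. Run it from an elevated PowerShell session.

```powershell
# Added example, not from the original post. Assumptions: $QQDir is the QQ
# installation directory and the QQ client runs as a process named "QQ".
param(
    [string]$QQDir     = 'C:\Program Files\Tencent\QQ',   # assumption: adjust to your install path
    [string]$BackupDir = "$env:TEMP\qq_npk_backup"
)
$ErrorActionPreference = 'Stop'
$drivers    = @('npkcusb.sys', 'npkcrypt.sys')            # the two files named in step 1
$enumSubKey = 'SYSTEM\CurrentControlSet\Enum\USB\Vid_413c&Pid_2003'   # the key named in step 2

# Step 0: the post requires QQ to be closed before the driver files are removed.
if (Get-Process -Name 'QQ' -ErrorAction SilentlyContinue) {
    throw 'QQ is still running; close it before removing the keyboard-encryption drivers.'
}
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

# Step 1: move (rather than delete) the driver files so they can be restored.
foreach ($name in $drivers) {
    $path = Join-Path $QQDir $name
    if (Test-Path $path) {
        Move-Item -Path $path -Destination (Join-Path $BackupDir $name) -Force
        Write-Host "moved $path -> $BackupDir"
    } else {
        Write-Host "not present: $path"
    }
}

# Step 2: export the Enum key with reg.exe before deleting it, so it can be re-imported.
if (Test-Path "HKLM:\$enumSubKey") {
    $export = Join-Path $BackupDir 'Vid_413c_Pid_2003.reg'
    & reg.exe export "HKLM\$enumSubKey" $export /y | Out-Null
    # Enum keys are owned by SYSTEM; if Remove-Item fails with access denied,
    # grant Administrators full control on the key first and rerun.
    Remove-Item -Path "HKLM:\$enumSubKey" -Recurse -Force
    Write-Host "deleted HKLM\$enumSubKey (backup: $export)"
} else {
    Write-Host "not present: HKLM\$enumSubKey"
}
Write-Host 'Done. Reboot; the keyboard may be unresponsive briefly after logon.'
```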
This article is reposted from Su Fan's 51CTO blog; original: http://blog.51cto.com/goxia/220320. Contact the original author for reprint permission.