标题:解决 QQ2006 键盘加密造成的系统当机故障 出处:gOxiA=苏繁=SuFan Blog 时间:Thu, 25 Jan 2007 11:22:53 +0000 作者:gOxiA 地址:https://goxia.maytide.net/read.php/282.htm 内容:       该死的 QQ2006 键盘加密功能给我带来了很多的不便,为了保证我的系统和虚拟机能正常运行,我不得不一直使用 QQ2006 Beta3 ,并且在每次启动前必须把自动下载的升级程序删除才能继续正常使用 QQ,最近好友 YY 也遇到了这个问题,并将 Dump 文件传给了我,通过 WinDBG 的分析得知系统重启和蓝屏的罪魁祸首确是 QQ2006 的键盘加密驱动文件。之后从 YY 那边得到的资料基本上解决了这个问题。       首先使用 WinDBG 分析的结果如下: Microsoft (R) Windows Debugger  Version 6.6.0007.5Copyright (c) Microsoft Corporation. All rights reserved. Loading Dump File [C:\Mini012507-02.dmp]Mini Kernel Dump File: Only registers and stack trace are available Symbol search path is: E:\Symbols_WXPSP2Executable search path is: Unable to load image ntoskrnl.exe, Win32 error 2*** WARNING: Unable to verify timestamp for ntoskrnl.exeWindows XP Kernel Version 2600 (Service Pack 2) MP (2 procs) Free x86 compatibleProduct: WinNt, suite: TerminalServer SingleUserTSKernel base = 0x804d8000 PsLoadedModuleList = 0x8055d700Debug session time: Thu Jan 25 09:00:47.319 2007 (GMT+8)System Uptime: 0 days 0:27:20.203Unable to load image ntoskrnl.exe, Win32 error 2*** WARNING: Unable to verify timestamp for ntoskrnl.exeLoading Kernel Symbols............................................................................................................................Loading User SymbolsLoading unloaded module list............********************************************************************************                                                                             **                        Bugcheck Analysis                                    **                                                                             ******************************************************************************** Use !analyze -v to get detailed debugging information. BugCheck 1000000A, {e14c1898, 2, 0, 805d8b06} *** WARNING: Unable to verify timestamp for npkcusb.sys*** ERROR: Module load completed but symbols could not be loaded for npkcusb.sysUnable to load image hidusb.sys, Win32 error 2*** WARNING: Unable to verify timestamp for hidusb.sysUnable to load image HIDCLASS.SYS, Win32 error 2*** WARNING: Unable to verify timestamp for HIDCLASS.SYSUnable to load image kbdhid.sys, Win32 error 2*** WARNING: Unable to verify timestamp for kbdhid.sys*** WARNING: Unable to verify timestamp for win32k.sysProbably caused by : npkcusb.sys ( npkcusb+384 ) Followup: MachineOwner--------- 1: kd> !analyze -v********************************************************************************                                                                             **                        Bugcheck Analysis                                    **                                                                             ******************************************************************************** IRQL_NOT_LESS_OR_EQUAL (a)An attempt was made to access a pageable (or completely invalid) address at aninterrupt request level (IRQL) that is too high.  This is usuallycaused by drivers using improper addresses.If a kernel debugger is available get the stack backtrace.Arguments:Arg1: e14c1898, memory referencedArg2: 00000002, IRQLArg3: 00000000, value 0 = read operation, 1 = write operationArg4: 805d8b06, address which referenced memory Debugging Details:------------------ READ_ADDRESS:  e14c1898 CURRENT_IRQL:  2 FAULTING_IP: nt!RtlValidRelativeSecurityDescriptor+143805d8b06 0fb70a          movzx   ecx,word ptr [edx] CUSTOMER_CRASH_COUNT:  2 DEFAULT_BUCKET_ID:  DRIVER_FAULT BUGCHECK_STR:  0xA PROCESS_NAME:  csrss.exe LOCK_ADDRESS:  80559b60 -- (!locks 80559b60) Resource @ nt!PiEngineLock (0x80559b60)    Available WARNING: SystemResourcesList->Flink chain invalid. Resource may be corrupted, or already deleted. WARNING: SystemResourcesList->Blink chain invalid. Resource may be corrupted, or already deleted. 1 total locks PNP_TRIAGE:  Lock address  : 0x80559b60 Thread Count  : 0 Thread address: 0x00000000 Thread wait   : 0x0 LAST_CONTROL_TRANSFER:  from 805e12a6 to 805d8b06 STACK_TEXT:  f76dd2fc 805e12a6 f76dd318 e14c1898 00000052 nt!RtlValidRelativeSecurityDescriptor+0x143f76dd310 805e1b40 8640568c 86405668 0000001c nt!SetVirtualBits+0x30f76dd328 8060f7b7 f76dd348 8640568c 00000000 nt!PushException+0x85f76dd358 80611121 8055d700 8055d5d0 8557f000 nt!CmpGetHiveName+0x113f76dd5a0 8054160c 0000000b 8557f000 00022f30 nt!PiGetRelatedDevice+0x16ef76dd5b8 80500e35 badb0d00 f76dd630 00000000 nt!RtlIpv4StringToAddressA+0xfdf76dd650 f6e3d384 f6e3faec f7820190 85c3e0d8 nt!RtlpRunTable+0x345WARNING: Stack unwind information not available. Following frames may be wrong.f76dd668 f6e3df9c f7820190 f76dd684 85c3e0d8 npkcusb+0x384f76dd790 804efeb1 85f421e0 85d73008 85d73008 npkcusb+0xf9cf76dd7dc f6e49558 856eba98 85d73008 f76dd7fb nt!MiAddViewsForSection+0x38f76dd7fc f766ee91 856eba98 85d73008 856ebb64 hidusb!HumInternalIoctl+0x5af76dd810 f7671b19 856eba98 85d73008 85d7316c HIDCLASS!HidpCallDriver+0x3ff76dd864 f766f8e3 85f9c518 85d73008 f76dd8bc HIDCLASS!HidpIrpMajorWrite+0x17ff76dd874 804efeb1 85f9c460 85d73008 85d73190 HIDCLASS!HidpMajorHandler+0x31f76dd8bc aaa8595c 856fb9a0 86108038 85d73008 nt!MiAddViewsForSection+0x38f76dd8e0 804efeb1 00000000 856fb9f8 85d731b4 kbdhid!KbdHid_IOCTL+0xeaf76dd918 804efeb1 863de8a8 85d73198 806e5410 nt!MiAddViewsForSection+0x38f76dd93c 805804e3 863de8a8 85d73008 86404d78 nt!MiAddViewsForSection+0x38f76dd9d8 80579038 000008e8 00000000 00000000 nt!MiFindEmptyAddressRangeDownTree+0x92f76dda0c 8054160c 000008e8 00000000 00000000 nt!RtlLengthSecurityDescriptor+0x24f76dda3c 805005d9 badb0d00 f76ddab4 ff00ffff nt!RtlIpv4StringToAddressA+0xfdf76ddd30 bf86d09c f76cd4a8 00000002 f76ddd54 nt!RtlpStatusTable+0x371f76ddd40 bf8010ca f76cd4a8 f76ddd64 0075fff4 win32k!vDisableSynchronize+0x36f76ddd54 8054160c 00000000 00000022 00000000 win32k!TimersProc+0xef76ddd64 7c92eb94 badb0d00 0075ffec f71aad98 nt!RtlIpv4StringToAddressA+0xfd00000000 00000000 00000000 00000000 00000000 0x7c92eb94 STACK_COMMAND:  kb FOLLOWUP_IP: npkcusb+384f6e3d384 ??              ??? SYMBOL_STACK_INDEX:  7 FOLLOWUP_NAME:  MachineOwner MODULE_NAME: npkcusb IMAGE_NAME:  npkcusb.sys DEBUG_FLR_IMAGE_TIMESTAMP:  451240bb SYMBOL_NAME:  npkcusb+384 FAILURE_BUCKET_ID:  0xA_npkcusb+384 BUCKET_ID:  0xA_npkcusb+384 Followup: MachineOwner---------       确认是 QQ2006 的键盘加密导致的系统故障后,参考 YY 的资料执行以下操作步骤:       1、进入 QQ 安装目录,找到“npkcusb.sys、npkcrypt.sys”文件,将其删除。注意:必须在 QQ2006 关闭的情况下删除;       2、进入注册表找到“HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB\Vid_413c&Pid_2003”并删除它。       最佳的做法就是在首次安装完 QQ 后,就删除键盘加密的驱动文件,之后删除注册表的键值并重新启动计算机。启动进入系统登录后会有短暂的时间键盘无法操作,稍后就可以正常使用。经过测试,系统和运行虚拟机时没有蓝屏或意外重启问题。其他的待观察…… Generated by Bo-blog 2.1.1 Release