first commit

2026-04-04 15:32:51 +08:00
commit a862314d94
34 changed files with 10253 additions and 0 deletions
--- a/收集蓝屏信息.ps1
+++ b/收集蓝屏信息.ps1
@@ -0,0 +1,127 @@
+# BSOD (Blue Screen) info collection - Run as Administrator for full access
+# Output saved to BSODReport_*.txt in same folder
+
+$ReportDir = $PSScriptRoot
+$Timestamp = Get-Date -Format "yyyyMMdd_HHmmss"
+$ReportFile = Join-Path $ReportDir "BSODReport_$Timestamp.txt"
+
+function Write-Report {
+    param([string]$Text, [string]$Section = "")
+    if ($Section) { $script:Report += "`n========== $Section ==========`n" }
+    $script:Report += $Text + "`n"
+}
+
+# Common BugCheck codes (hex, 0x prefix optional)
+$BugCheckNames = @{
+    "0x0000000A" = "IRQL_NOT_LESS_OR_EQUAL"
+    "0x0000001E" = "KMODE_EXCEPTION_NOT_HANDLED"
+    "0x0000003B" = "SYSTEM_SERVICE_EXCEPTION"
+    "0x00000050" = "PAGE_FAULT_IN_NONPAGED_AREA"
+    "0x0000007E" = "SYSTEM_THREAD_EXCEPTION_NOT_HANDLED"
+    "0x0000007F" = "UNEXPECTED_KERNEL_MODE_TRAP"
+    "0x000000D1" = "DRIVER_IRQL_NOT_LESS_OR_EQUAL"
+    "0x000000D8" = "DRIVER_USED_EXCESSIVE_PTES"
+    "0x000000EA" = "THREAD_STUCK_IN_DEVICE_DRIVER"
+    "0x000000BE" = "ATTEMPTED_WRITE_TO_READONLY_MEMORY"
+    "0x000000C2" = "BAD_POOL_CALLER"
+    "0x000000C5" = "DRIVER_CORRUPTED_EXPOOL"
+    "0x000000EF" = "CRITICAL_PROCESS_DIED"
+    "0x00000109" = "CRITICAL_STRUCTURE_CORRUPTION"
+    "0x00000133" = "DPC_WATCHDOG_VIOLATION"
+    "0x00000139" = "KERNEL_SECURITY_CHECK_FAILURE"
+    "0x000001E2" = "KERNEL_MODE_HEAP_CORRUPTION"
+    "0x0000014C" = "REFERENCE_BY_POINTER"
+    "0x00000019" = "BAD_POOL_HEADER"
+    "0x0000001A" = "MEMORY_MANAGEMENT"
+}
+
+function Get-BugCheckName {
+    param([string]$Code)
+    $h = if ($Code -match "^0x") { $Code } else { "0x" + $Code }
+    $h = $h.ToUpper()
+    if ($BugCheckNames[$h]) { return $BugCheckNames[$h] }
+    return $Code
+}
+
+$Report = ""
+Write-Report "BSOD / Blue Screen Crash Report" "Header"
+Write-Report "Generated: $(Get-Date -Format 'yyyy-MM-dd HH:mm:ss')"
+Write-Report "Computer: $env:COMPUTERNAME"
+Write-Report "Run this AFTER reboot to collect the previous crash info."
+
+# 1. Event 1001 - Windows Error Reporting (Application log)
+Write-Report "" "[Primary] BugCheck / BSOD (Event 1001, Application log)"
+try {
+    $evt = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 1001; ProviderName = 'Windows Error Reporting' } -MaxEvents 20 -ErrorAction SilentlyContinue
+    if ($evt) {
+        foreach ($e in $evt) {
+            $msg = $e.Message
+            $code = ""
+            if ($msg -match "BugcheckCode\s*:\s*(\d+)") { $code = $Matches[1]; $hex = "0x{0:X8}" -f [int]$code; $name = Get-BugCheckName $hex }
+            Write-Report "  Time: $($e.TimeCreated)"
+            Write-Report "  Message: $($msg.Substring(0, [Math]::Min(500, $msg.Length)))"
+            if ($code) { Write-Report "  -> BugCheck: $hex ($name)" }
+            Write-Report ""
+        }
+    } else { Write-Report "  No Event 1001 (WER) records. Try running as Administrator." }
+} catch { Write-Report "  Read failed: $($_.Exception.Message)" }
+
+# 2. Kernel-Power Event 41 (includes BugcheckCode when present)
+Write-Report "" "[Important] Unclean shutdown (Kernel-Power Event 41)"
+try {
+    $evt41 = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 41; ProviderName = 'Microsoft-Windows-Kernel-Power' } -MaxEvents 20 -ErrorAction SilentlyContinue
+    if ($evt41) {
+        foreach ($e in $evt41) {
+            Write-Report "  Time: $($e.TimeCreated)"
+            if ($e.Properties -and $e.Properties.Count -ge 1 -and $e.Properties[0].Value) {
+                $code = $e.Properties[0].Value
+                $hex = "0x{0:X8}" -f [int]$code
+                $name = Get-BugCheckName $hex
+                Write-Report "  BugcheckCode: $hex ($name)"
+            }
+            Write-Report ""
+        }
+    } else { Write-Report "  No Event 41 records" }
+} catch { Write-Report "  Read failed: $($_.Exception.Message)" }
+
+# 3. Event 6008 - Unexpected shutdown
+Write-Report "" "Unexpected shutdown (Event 6008)"
+try {
+    $evt6008 = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 6008 } -MaxEvents 10 -ErrorAction SilentlyContinue
+    if ($evt6008) {
+        foreach ($e in $evt6008) {
+            Write-Report "  Previous shutdown: $($e.TimeCreated)"
+        }
+    } else { Write-Report "  No 6008 records" }
+} catch { Write-Report "  Read failed: $($_.Exception.Message)" }
+
+# 4. Minidump files
+Write-Report "" "Minidump files (C:\Windows\Minidump\)"
+$minidumpPath = "C:\Windows\Minidump"
+if (Test-Path $minidumpPath) {
+    $dumps = Get-ChildItem $minidumpPath -Filter "*.dmp" -ErrorAction SilentlyContinue | Sort-Object LastWriteTime -Descending
+    if ($dumps) {
+        foreach ($d in $dumps) {
+            $sizeKB = [Math]::Round($d.Length / 1KB, 1)
+            Write-Report "  $($d.Name)  |  $($d.LastWriteTime)  |  $sizeKB KB"
+        }
+    } else { Write-Report "  No .dmp files (ensure small memory dump is enabled)" }
+} else { Write-Report "  Minidump folder not found" }
+
+# 5. Full memory dump
+Write-Report "" "Full memory dump (C:\Windows\MEMORY.DMP)"
+$memDump = "C:\Windows\MEMORY.DMP"
+if (Test-Path $memDump) {
+    $f = Get-Item $memDump -ErrorAction SilentlyContinue
+    $sizeMB = [Math]::Round($f.Length / 1MB, 2)
+    Write-Report "  Exists: $($f.LastWriteTime) | $sizeMB MB"
+} else { Write-Report "  Not present (or full dump disabled)" }
+
+# 6. How to enable minidump (if not enabled)
+Write-Report "" "If no dumps appear"
+Write-Report "  Enable small memory dump: System Properties > Advanced > Startup and Recovery > Settings"
+Write-Report "  Set 'Write debugging information' to 'Small memory dump (256 KB)'"
+Write-Report "  Dump file: %SystemRoot%\Minidump"
+
+$Report | Set-Content -Path $ReportFile -Encoding UTF8 -NoNewline
+Write-Host "Report saved: $ReportFile" -ForegroundColor Green