XP Blue Screen of Death Bad_Pool_Header



#1 Aegis27

Posted 26 April 2010 - 08:12 PM

Hello all,

Today is the third time I've gotten the blue screen of death in the last three days-- my computer was fine yesterday, and I had gotten two crashes on the 24th. They've been very random, and all seem to occur only when I have a browser and instant messenger open. I've done CCleaner, malware scans, and a system restore with apparently no effect. The title reads "Bad_Pool_Header," and goes on about something regarding a physical memory dump. I downloaded the Windows Debugger tool, and here's my computer info as well. :thumbsup: Any help would be appreciated!

Dell Inspiron 6000
Windows XP v. 2002 Service Pack 3
1.60GHz 590 MHz, 512 MB Ram


Debugger info:


Microsoft ® Windows Debugger Version 6.11.0001.404 X86
Copyright © Microsoft Corporation. All rights reserved.


Loading Dump File [C:\WINDOWS\Minidump\Mini042610-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: SRV*c:\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows XP Kernel Version 2600 (Service Pack 3) UP Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 2600.xpsp_sp3_gdr.100216-1514
Machine Name:
Kernel base = 0x804d7000 PsLoadedModuleList = 0x80554040
Debug session time: Mon Apr 26 17:07:02.875 2010 (GMT-7)
System Uptime: 0 days 0:27:49.459
Loading Kernel Symbols
...............................................................
.............................................................
Loading User Symbols
Loading unloaded module list
................
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 19, {20, f0f38194, f0f389bc, fd050f80}

Probably caused by : NDIS.sys ( NDIS!ndisMFreeSGList+25 )

Followup: MachineOwner
---------

kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

BAD_POOL_HEADER (19)
The pool is already corrupt at the time of the current request.
This may or may not be due to the caller.
The internal pool links must be walked to figure out a possible cause of
the problem, and then special pool applied to the suspect tags or the driver
verifier to a suspect driver.
Arguments:
Arg1: 00000020, a pool block header size is corrupt.
Arg2: f0f38194, The pool entry we were looking for within the page.
Arg3: f0f389bc, The next pool entry.
Arg4: fd050f80, (reserved)

Debugging Details:
------------------


BUGCHECK_STR: 0x19_20

POOL_ADDRESS: f0f38194

CUSTOMER_CRASH_COUNT: 1

DEFAULT_BUCKET_ID: DRIVER_FAULT

PROCESS_NAME: Idle

LAST_CONTROL_TRANSFER: from 80544b06 to 804f8cc5

STACK_TEXT:
80549a40 80544b06 00000019 00000020 f0f38194 nt!KeBugCheckEx+0x1b
80549a90 806d4a7f f0f3819c 00000000 81425f30 nt!ExFreePoolWithTag+0x2a0
80549aac f83bf5c5 8255db30 f0f3819c 00000001 hal!HalPutScatterGatherList+0x29
80549ac4 f83bbbe4 822d18e8 8220537c 0000004a NDIS!ndisMFreeSGList+0x25
80549adc 8154b6a7 822d18e8 81425f30 00000000 NDIS!ndisMSendCompleteX+0x34
WARNING: Frame IP not in any known module. Following frames may be wrong.
80549aec e3135fba 00000003 f83bbbb0 00000016 0x8154b6a7
00000000 00000000 00000000 00000000 00000000 0xe3135fba


STACK_COMMAND: kb

FOLLOWUP_IP:
NDIS!ndisMFreeSGList+25
f83bf5c5 8b4618 mov eax,dword ptr [esi+18h]

SYMBOL_STACK_INDEX: 3

SYMBOL_NAME: NDIS!ndisMFreeSGList+25

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: NDIS

IMAGE_NAME: NDIS.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 48025d03

FAILURE_BUCKET_ID: 0x19_20_NDIS!ndisMFreeSGList+25

BUCKET_ID: 0x19_20_NDIS!ndisMFreeSGList+25

Followup: MachineOwner
---------



If any of this is wrong I apologize, and will fix things accordingly. :flowers:


 


#2 hamluis

Posted 26 April 2010 - 08:25 PM

From http://www.aumha.org/a/stop.htm:

0x00000019: BAD_POOL_HEADER
A pool header issue is a problem with Windows memory allocation. Device driver issues are probably the most common, but this can have diverse causes including bad sectors or other disk write issues, and problems with some routers. (By theory, RAM problems would be suspect for memory pool issues, but I haven't been able to confirm this as a cause.)

Info on ndis.sys at http://www.file.net/process/ndis.sys.html.

If the assumption is made that it's really a driver problem...uninstalling the current file and replacing it...should overcome it.

Before attempting that, I would check the file size, location, etc...and convince myself that it is not malware.

Replacing Ndis.sys File

Louis

#3 Aegis27

Posted 26 April 2010 - 09:14 PM

Thank you Louis, I ran two more malware scans and only found a few tracking cookies, so I'll wait a day or so to see what happens. However, I have a question about replacing the ndis.sys-- the options given in the link you provided are confusing. Unfortunately I'm not the greatest tech expert so it's a little lost on me, could you maybe elaborate? I'm really not sure where to start.

#4 hamluis

Posted 26 April 2010 - 09:25 PM

I'm afraid that I cannot explain a solution offered by someone which I haven't tried or needed to try.

If I wanted to replace the ndis.sys file...I would probably just do a repair install of XP (replacing all system files). My premise has always been...if one is damaged, how do I know how many others are damaged or missing? A repair install takes care of worrying about it for me.

Louis

#5 cryptodan

Posted 27 April 2010 - 01:44 PM

ndis is used by networking, so updating your network card drivers should probably update it as well.

#6 Aegis27

Posted 27 April 2010 - 10:10 PM

It crashed again today, this time with a blue screen title reading "Irql_not_less_or_equal." Here's windows debugger info:


Microsoft ® Windows Debugger Version 6.11.0001.404 X86
Copyright © Microsoft Corporation. All rights reserved.


Loading Dump File [C:\WINDOWS\Minidump\Mini042710-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: SRV*c:\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows XP Kernel Version 2600 (Service Pack 3) UP Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 2600.xpsp_sp3_gdr.100216-1514
Machine Name:
Kernel base = 0x804d7000 PsLoadedModuleList = 0x80554040
Debug session time: Tue Apr 27 19:27:17.953 2010 (GMT-7)
System Uptime: 0 days 0:05:49.555
Loading Kernel Symbols
...............................................................
............................................................
Loading User Symbols
Loading unloaded module list
.............
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 1000000A, {f000efd2, 2, 0, 80500d23}

Probably caused by : win32k.sys ( win32k!SetWakeBit+b2 )

Followup: MachineOwner
---------

kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.
Arguments:
Arg1: f000efd2, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000000, bitfield :
bit 0 : value 0 = read operation, 1 = write operation
bit 3 : value 0 = not an execute operation, 1 = execute operation (only on chips which support this level of status)
Arg4: 80500d23, address which referenced memory

Debugging Details:
------------------


READ_ADDRESS: f000efd2

CURRENT_IRQL: 2

FAULTING_IP:
nt!KiUnlinkThread+7
80500d23 8b10 mov edx,dword ptr [eax]

CUSTOMER_CRASH_COUNT: 1

DEFAULT_BUCKET_ID: DRIVER_FAULT

BUGCHECK_STR: 0xA

PROCESS_NAME: csrss.exe

LAST_CONTROL_TRANSFER: from 80500d8a to 80500d23

STACK_TEXT:
f76cea3c 80500d8a 8222ff20 8222ff28 00000100 nt!KiUnlinkThread+0x7
f76cea50 80500f81 00000002 f76cea6c 00000000 nt!KiUnwaitThread+0x12
f76cea7c 804f9014 0000003e e2a03838 00000010 nt!KiWaitTest+0xab
f76cea90 bf801776 8222ff20 00000002 00000000 nt!KeSetEvent+0x58
f76ceaac bf801295 e2a03838 00000010 804fe2d0 win32k!SetWakeBit+0xb2
f76cead4 bf8905d2 00000022 006efff4 bf8010da win32k!TimersProc+0xeb
f76ced30 bf87500f f87f3490 00000002 f76ced54 win32k!RawInputThread+0x634
f76ced40 bf8010fd f87f3490 f76ced64 006efff4 win32k!xxxCreateSystemThreads+0x60
f76ced54 8053d658 00000000 00000022 00000000 win32k!NtUserCallOneParam+0x23
f76ced54 7c90e514 00000000 00000022 00000000 nt!KiFastCallEntry+0xf8
WARNING: Frame IP not in any known module. Following frames may be wrong.
00000000 00000000 00000000 00000000 00000000 0x7c90e514


STACK_COMMAND: kb

FOLLOWUP_IP:
win32k!SetWakeBit+b2
bf801776 ebe2 jmp win32k!SetWakeBit+0xb2 (bf80175a)

SYMBOL_STACK_INDEX: 4

SYMBOL_NAME: win32k!SetWakeBit+b2

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: win32k

IMAGE_NAME: win32k.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 4a8564c7

FAILURE_BUCKET_ID: 0xA_win32k!SetWakeBit+b2

BUCKET_ID: 0xA_win32k!SetWakeBit+b2

Followup: MachineOwner
---------


#7 hamluis

Posted 28 April 2010 - 07:18 AM

Csrss.exe...do a search of your files (all files, hidden and system, with all file extensions shown)...and list the paths shown for each file.

The legitimate csrss.exe file is located in the folder C:\Windows\System32. In other cases, csrss.exe is a virus, spyware, trojan or worm.

Read the Users Opinions at Summary Data.

Louis

Based on what has been submitted thus far...it seems to me that you either have an infection or you have a number of system files which are damaged.

Edited by hamluis, 28 April 2010 - 07:19 AM.
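
Added example, not part of the thread: a short Python parser that lines up the two !analyze -v transcripts posted above (abridged inline) by bugcheck code, blamed image, process context and the modules on the stack. The function names and the 0x0FFFFFFF mask are choices made for this example.

```python
import re

# Abridged from the two dumps posted in this thread (only the lines parsed below).
DUMP_1 = """\
BugCheck 19, {20, f0f38194, f0f389bc, fd050f80}
Probably caused by : NDIS.sys ( NDIS!ndisMFreeSGList+25 )
PROCESS_NAME: Idle
STACK_TEXT:
80549a40 80544b06 00000019 00000020 f0f38194 nt!KeBugCheckEx+0x1b
80549a90 806d4a7f f0f3819c 00000000 81425f30 nt!ExFreePoolWithTag+0x2a0
80549aac f83bf5c5 8255db30 f0f3819c 00000001 hal!HalPutScatterGatherList+0x29
80549ac4 f83bbbe4 822d18e8 8220537c 0000004a NDIS!ndisMFreeSGList+0x25
WARNING: Frame IP not in any known module. Following frames may be wrong.
80549aec e3135fba 00000003 f83bbbb0 00000016 0x8154b6a7
"""
DUMP_2 = """\
BugCheck 1000000A, {f000efd2, 2, 0, 80500d23}
Probably caused by : win32k.sys ( win32k!SetWakeBit+b2 )
PROCESS_NAME: csrss.exe
STACK_TEXT:
f76cea3c 80500d8a 8222ff20 8222ff28 00000100 nt!KiUnlinkThread+0x7
f76cea90 bf801776 8222ff20 00000002 00000000 nt!KeSetEvent+0x58
f76ceaac bf801295 e2a03838 00000010 804fe2d0 win32k!SetWakeBit+0xb2
"""
# A kb frame: child EBP, return address, three argument dwords, then the symbol.
FRAME = re.compile(r"^(?:[0-9a-f]{8} ){5}(\S+)$", re.M)

def summarize(text):
    """Extract the triage fields from one `!analyze -v` transcript."""
    code, args = re.search(r"^BugCheck ([0-9A-Fa-f]+), \{(.*?)\}", text, re.M).groups()
    symbols = FRAME.findall(text)
    return {
        # The thread's second dump prints 1000000A but names it bugcheck (a),
        # so the high nibble is masked off to get the documented code.
        "code": int(code, 16) & 0x0FFFFFFF,
        "args": [int(a, 16) for a in args.split(", ")],
        "blamed": re.search(r"^Probably caused by : (\S+)", text, re.M).group(1),
        "process": re.search(r"^PROCESS_NAME:\s*(\S+)", text, re.M).group(1),
        "modules": list(dict.fromkeys(s.split("!")[0] for s in symbols if "!" in s)),
        "unresolved": sum("!" not in s for s in symbols),  # frames with no module
    }

def same_failure(a, b):
    """True only if two dumps agree on both bugcheck code and blamed image."""
    return (a["code"], a["blamed"]) == (b["code"], b["blamed"])

if __name__ == "__main__":
    for d in (summarize(DUMP_1), summarize(DUMP_2)):
        print(d)
```
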




