
BAD_POOL_HEADER 0x00000019


3 replies to this topic

#1 Weirdscience


  • Members
  • 2 posts

Posted 04 June 2015 - 11:07 AM

I have a Dell Vostro that intermittently crashes with a BAD_POOL_HEADER 0x00000019 error

I have run a memory test overnight with no errors and it is currently running Driver Verifier

Any help would be greatly appreciated

Thank you



#2 Jared44


  • BSOD Kernel Dump Expert
  • 205 posts

Posted 04 June 2015 - 02:27 PM

2: kd> .dumpdebug
----- 64 bit Kernel Mini Dump Analysis

DUMP_HEADER64:
MajorVersion        0000000f
MinorVersion        00001db1
KdSecondaryVersion  00000000
DirectoryTableBase  00000000`53c08000
PfnDataBase         fffff800`030fa278
PsLoadedModuleList  fffff800`03090730
PsActiveProcessHead fffff800`03072420
MachineImageType    00008664
NumberProcessors    00000004
BugCheckCode        00000019
BugCheckParameter1  00000000`00000021  //Proceeding data block from the pool block being freed was corrupt
BugCheckParameter2  fffff8a0`17021000  //Pool pointer being freed
BugCheckParameter3  00000000`00002020  //The number of bytes allocated for the pool block
BugCheckParameter4  ffffffff`ffffffff  //The value of the corrupted pool block
KdDebuggerDataBlock fffff800`0303b0f0
ProductType         00000001
SuiteMask           00000110
WriterStatus        00000000
MiniDumpFields      00000cff 

2: kd> k
Child-SP          RetAddr           Call Site
fffff880`0294d1f8 fffff800`02ff39c2 nt!KeBugCheckEx //Pool block on the same page was corrupt
fffff880`0294d200 fffff880`044caa91 nt!ExAllocatePoolWithTag+0x16fa //Allocate a pool block
fffff880`0294d2b0 fffff880`04554530 RapportCerberus64_80128+0x36a91 //Trusteer Rapport driver 
fffff880`0294d2b8 fffff880`0294d2f8 RapportCerberus64_80128+0xc0530
fffff880`0294d2c0 fffffa80`4b4c5452 0xfffff880`0294d2f8
fffff880`0294d2c8 fffff880`00000000 0xfffffa80`4b4c5452
fffff880`0294d2d0 fffff8a0`0398e588 0xfffff880`00000000
fffff880`0294d2d8 fffff880`01006c3b 0xfffff8a0`0398e588
fffff880`0294d2e0 fffff8a0`0398e4f0 fltmgr!FltpFreeNameGenerationContext+0x4b
fffff880`0294d310 fffffa80`00000000 0xfffff8a0`0398e4f0
fffff880`0294d318 fffff880`0449a588 0xfffffa80`00000000
fffff880`0294d320 fffff8a0`0480fc90 RapportCerberus64_80128+0x6588
fffff880`0294d328 00000000`00000002 0xfffff8a0`0480fc90
fffff880`0294d330 fffff880`0449a5a0 0x2
fffff880`0294d338 00000000`00000000 RapportCerberus64_80128+0x65a0

2: kd> !pool fffff8a017021000
Pool page fffff8a017021000 region is Paged pool
GetUlongFromAddress: unable to read from fffff80003067a38
Unable to get pool big page table. Check for valid symbols.
fffff8a017021000 is not valid pool. Checking for freed (or corrupt) pool
Bad allocation size @fffff8a017021000, zero is invalid

***
*** An error (or corruption) in the pool was detected;
*** Attempting to diagnose the problem.
***
*** Use !poolval fffff8a017021000 for more details.


Pool page [ fffff8a017021000 ] is __inVALID.

Analyzing linked list...


Scanning for single bit errors...

None found

2: kd> !poolval fffff8a017021000
Pool page fffff8a017021000 region is Paged pool

Validating Pool headers for pool page: fffff8a017021000

Pool page [ fffff8a017021000 ] is __inVALID.

Analyzing linked list...


Scanning for single bit errors...

None found

 //No single bit errors, most likely software related

It's impossible to say what the cause is when we can't even look at the pool block being freed.

It's probably Trusteer Rapport causing the problems.

You've got two options, you can try and uninstall Trusteer Rapport, or you can enable Driver Verifier.

 

What is Driver Verifier?

Driver Verifier monitors Windows kernel-mode drivers, graphics drivers, and even 3rd party drivers to detect illegal function calls or actions that might corrupt the system. Driver Verifier can subject the Windows drivers to a variety of stresses and tests to find improper behavior.

Essentially, if there's a 3rd party driver believed to be causing the issues at hand, enabling Driver Verifier will help us see which specific driver is causing the problem.

Before enabling Driver Verifier, it is recommended to create a System Restore Point:

Vista - START | type rstrui - create a restore point
Windows 7 - START | type create | select "Create a Restore Point"

How to enable Driver Verifier:

Start > type "verifier" without the quotes > Select the following options -

1. Select - "Create custom settings (for code developers)"
2. Select - "Select individual settings from a full list"
3. Check the following boxes -
- Special Pool
- Pool Tracking
- Force IRQL Checking
- Deadlock Detection
- Security Checks (Windows 7 & 8/8.1)
- DDI compliance checking (Windows 8/8.1)
- Miscellaneous Checks
4. Select - "Select driver names from a list"
5. Click on the "Provider" tab. This will sort all of the drivers by the provider.
6. Check EVERY box that is NOT provided by Microsoft / Microsoft Corporation.
7. Click on Finish.
8. Restart.

Important information regarding Driver Verifier:

- If Driver Verifier finds a violation, the system will BSOD. To expand on this a bit more for the interested, specifically what Driver Verifier actually does is it looks for any driver making illegal function calls, causing memory leaks, etc. When and/if this happens, system corruption occurs if allowed to continue. When Driver Verifier is enabled per my instructions above, it is monitoring all 3rd party drivers (as we have it set that way) and when it catches a driver attempting to do this, it will quickly flag that driver as being a troublemaker, and bring down the system safely before any corruption can occur.

- After enabling Driver Verifier and restarting the system, depending on the culprit, if for example the driver is on start-up, you may not be able to get back into normal Windows because Driver Verifier will detect it in violation almost straight away, and as stated above, that will cause / force a BSOD.

If this happens, do not panic, do the following:

- Boot into Safe Mode by repeatedly tapping the F8 key during boot-up.

- Once in Safe Mode - Start > Search > type "cmd" without the quotes.

- To turn off Driver Verifier, type in cmd "verifier /reset" without the quotes.
- Restart and boot into normal Windows.

If your OS became corrupt or you cannot boot into Windows after disabling verifier via Safe Mode:

- Boot into Safe Mode by repeatedly tapping the F8 key during boot-up.

- Once in Safe Mode - Start > type "system restore" without the quotes.

- Choose the restore point you created earlier.

-- Note that Safe Mode for Windows 8/8.1 is a bit different, and you may need to try different methods: 5 Ways to Boot into Safe Mode in Windows 8 & Windows 8.1

How long should I keep Driver Verifier enabled for?

I recommend keeping it enabled for at least 24 hours. If you don't BSOD by then, disable Driver Verifier. I will usually say whether or not I'd like for you to keep it enabled any longer.

My system BSOD'd with Driver Verifier enabled, where can I find the crash dumps?

- If you have the system set to generate Small Memory Dumps, they will be located in %systemroot%\Minidump.

- If you have the system set to generate Kernel-Memory Dumps, it will be located in %systemroot% and labeled MEMORY.DMP.


Edited by Jared44, 04 June 2015 - 02:30 PM.
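
A triage sketch for the debugger output in the post above, added here as an example and not part of the original thread: it extracts the bug check fields from the .dumpdebug text and classifies each k frame so that the first driver without public symbols stands out. The function names, the 4 KB page size and the large-allocation heuristic are assumptions of this example.

```python
import re

# Lines copied from the .dumpdebug and k output in the post above (trimmed).
SAMPLE = """\
BugCheckCode        00000019
BugCheckParameter1  00000000`00000021
BugCheckParameter2  fffff8a0`17021000  //Pool pointer being freed
BugCheckParameter3  00000000`00002020
fffff880`0294d1f8 fffff800`02ff39c2 nt!KeBugCheckEx
fffff880`0294d200 fffff880`044caa91 nt!ExAllocatePoolWithTag+0x16fa
fffff880`0294d2b0 fffff880`04554530 RapportCerberus64_80128+0x36a91
fffff880`0294d2c0 fffffa80`4b4c5452 0xfffff880`0294d2f8
fffff880`0294d2e0 fffff8a0`0398e4f0 fltmgr!FltpFreeNameGenerationContext+0x4b
"""

HEX = r"[0-9a-f]{8}(?:`[0-9a-f]{8})?"
FIELD = re.compile(rf"^(BugCheck\w+)\s+({HEX})", re.I)
FRAME = re.compile(rf"^{HEX}\s+{HEX}\s+(\S+)", re.I)  # Child-SP, RetAddr, Call Site
PAGE = 0x1000  # assumed x64 page size

def classify(site):
    """Sort a Call Site into symbolized, module+offset, or raw address."""
    if site.lower().startswith("0x"):
        return "raw", None                     # stack value, not a resolved frame
    if "!" in site:
        return "symbol", site.split("!")[0]    # public symbols available
    return "nosym", site.split("+")[0]         # module+offset only

def triage(text):
    fields, frames = {}, []
    for line in text.splitlines():
        line = line.split("//")[0].rstrip()    # drop the analyst's // notes
        if m := FIELD.match(line):
            fields[m.group(1)] = int(m.group(2).replace("`", ""), 16)
        elif m := FRAME.match(line):
            frames.append(classify(m.group(1)) + (m.group(1),))
    ptr = fields.get("BugCheckParameter2", 0)
    size = fields.get("BugCheckParameter3", 0)
    return {
        "code": fields.get("BugCheckCode"),
        "subtype": fields.get("BugCheckParameter1"),
        # Page-aligned pointer plus size over one page: a large allocation,
        # which is why !pool goes looking for the big page table.
        "large_allocation": size > PAGE and ptr % PAGE == 0,
        # First module+offset frame: the driver that called into nt. A lead to
        # confirm (for example with Driver Verifier), not proof of the cause.
        "caller": next((mod for kind, mod, _ in frames if kind == "nosym"), None),
        "frames": frames,
    }
```

On the sample it reports RapportCerberus64_80128 as the caller, matching the post's reading; the raw 0x... entries are skipped because they are stack values the debugger could not resolve to a module.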


#3 Weirdscience

  • Topic Starter

  • Members
  • 2 posts

Posted 04 June 2015 - 05:26 PM

The system was very sluggish as well as the BSOD so I uninstalled Trusteer Rapport and after rebooting it seemed to have improved but then I got a BSOD PAGE_FAULT_IN_NONPAGED_AREA

I ran SysnativeFileCollectionApp and perfmon again and included files

 

I will follow your directions for Driver Verifier now




#4 Jared44


  • BSOD Kernel Dump Expert
  • 205 posts

Posted 04 June 2015 - 06:10 PM

The latest dump file I have already analysed, it probably wasn't written to disk.

We'll have to wait for another BSOD.





