
BSOD - Bad Pool Header. Please Help and Advice.



#1 jinxiang


Posted 23 June 2015 - 11:22 AM

I had a BSOD with Bad Pool Header and managed to debug it.

 

Here are the details...

 

 
Microsoft ® Windows Debugger Version 6.3.9600.17298 AMD64
Copyright © Microsoft Corporation. All rights reserved.
 
 
Loading Dump File [C:\Users\JinXiang\Downloads\062315-23368-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available
 
 
************* Symbol Path validation summary **************
Response                         Time (ms)     Location
Deferred                                       SRV*C:\debug*http://msdl.microsoft.com/download/symbols
Symbol search path is: SRV*C:\debug*http://msdl.microsoft.com/download/symbols
Executable search path is: 
Windows 7 Kernel Version 7601 (Service Pack 1) MP (4 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS Personal
Built by: 7601.18869.amd64fre.win7sp1_gdr.150525-0603
Machine Name:
Kernel base = 0xfffff800`03406000 PsLoadedModuleList = 0xfffff800`0364d730
Debug session time: Tue Jun 23 01:56:58.742 2015 (UTC + 8:00)
System Uptime: 0 days 2:27:05.288
Loading Kernel Symbols
.
 
Press ctrl-c (cdb, kd, ntsd) or ctrl-break (windbg) to abort symbol loads that take too long.
Run !sym noisy before .reload to track down problems loading symbols.
 
..............................................................
................................................................
.....................
Loading User Symbols
Loading unloaded module list
....................
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************
 
Use !analyze -v to get detailed debugging information.
 
BugCheck 19, {20, fffffa8004d49830, fffffa8004d49850, 402000a}
 
*** WARNING: Unable to verify timestamp for mwac.sys
*** ERROR: Module load completed but symbols could not be loaded for mwac.sys
Probably caused by : fwpkclnt.sys ( fwpkclnt!FwpsConstructIpHeaderForTransportPacket0+20a )
 
Followup: MachineOwner
---------
 
2: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************
 
BAD_POOL_HEADER (19)
The pool is already corrupt at the time of the current request.
This may or may not be due to the caller.
The internal pool links must be walked to figure out a possible cause of
the problem, and then special pool applied to the suspect tags or the driver
verifier to a suspect driver.
Arguments:
Arg1: 0000000000000020, a pool block header size is corrupt.
Arg2: fffffa8004d49830, The pool entry we were looking for within the page.
Arg3: fffffa8004d49850, The next pool entry.
Arg4: 000000000402000a, (reserved)
 
Debugging Details:
------------------
 
 
BUGCHECK_STR:  0x19_20
 
POOL_ADDRESS: GetPointerFromAddress: unable to read from fffff800036b7100
GetUlongFromAddress: unable to read from fffff800036b71c0
 fffffa8004d49830 Nonpaged pool
 
CUSTOMER_CRASH_COUNT:  1
 
DEFAULT_BUCKET_ID:  WIN7_DRIVER_FAULT
 
PROCESS_NAME:  mbamservice.ex
 
CURRENT_IRQL:  2
 
ANALYSIS_VERSION: 6.3.9600.17298 (debuggers(dbg).141024-1500) amd64fre
 
LAST_CONTROL_TRANSFER:  from fffff800035b0cbe to fffff8000347a8c0
 
STACK_TEXT:  
fffff880`097732f8 fffff800`035b0cbe : 00000000`00000019 00000000`00000020 fffffa80`04d49830 fffffa80`04d49850 : nt!KeBugCheckEx
fffff880`09773300 fffff880`01927cfd : 00000000`00000008 00000000`00000010 00000000`676e7049 fffff880`04a71034 : nt!ExAllocatePoolWithTag+0x1a2a
fffff880`097733b0 fffff880`0120a04a : 00000000`00000000 fffff880`012060c3 00000000`00000000 fffffa80`0742e5d0 : tcpip!IppInspectBuildHeaders+0x65d
fffff880`09773690 fffff880`08d8b12d : 00000000`00000008 00000000`00000014 00000000`00000000 fffffa80`01a96200 : fwpkclnt!FwpsConstructIpHeaderForTransportPacket0+0x20a
fffff880`09773730 00000000`00000008 : 00000000`00000014 00000000`00000000 fffffa80`01a96200 fffffa80`01a96214 : mwac+0x612d
fffff880`09773738 00000000`00000014 : 00000000`00000000 fffffa80`01a96200 fffffa80`01a96214 00000000`00000011 : 0x8
fffff880`09773740 00000000`00000000 : fffffa80`01a96200 fffffa80`01a96214 00000000`00000011 00000000`00000000 : 0x14
 
 
STACK_COMMAND:  kb
 
FOLLOWUP_IP: 
fwpkclnt!FwpsConstructIpHeaderForTransportPacket0+20a
fffff880`0120a04a 85c0            test    eax,eax
 
SYMBOL_STACK_INDEX:  3
 
SYMBOL_NAME:  fwpkclnt!FwpsConstructIpHeaderForTransportPacket0+20a
 
FOLLOWUP_NAME:  MachineOwner
 
MODULE_NAME: fwpkclnt
 
IMAGE_NAME:  fwpkclnt.sys
 
DEBUG_FLR_IMAGE_TIMESTAMP:  50e4f5c8
 
IMAGE_VERSION:  6.1.7601.18042
 
FAILURE_BUCKET_ID:  X64_0x19_20_fwpkclnt!FwpsConstructIpHeaderForTransportPacket0+20a
 
BUCKET_ID:  X64_0x19_20_fwpkclnt!FwpsConstructIpHeaderForTransportPacket0+20a
 
ANALYSIS_SOURCE:  KM
 
FAILURE_ID_HASH_STRING:  km:x64_0x19_20_fwpkclnt!fwpsconstructipheaderfortransportpacket0+20a
 
FAILURE_ID_HASH:  {863e217f-0693-d7a3-6d21-a4c5a3f57698}
 
Followup: MachineOwner
---------

Please advise.

Edited by hamluis, 23 June 2015 - 12:05 PM.
Moved from Win 7 to BSODs/Crashes - Hamluis.



 


#2 JohnC_21


Posted 23 June 2015 - 12:09 PM

fwpkclnt.sys is a firewall driver. I would uninstall Malwarebytes and see if you continue to get the BSOD.
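
An added example, not part of the original posts: a small Python triage of the !analyze -v text from post #1 that lists the modules on the crashing stack and flags the first one whose symbols could not be loaded, which here is the driver that called into fwpkclnt.sys. The helper name triage and the "first module without symbols" heuristic are assumptions of this example; the sample lines are copied from the dump output above.

```python
import re

# Lines copied from the !analyze -v output in post #1 (trimmed to what is parsed).
SAMPLE = """\
*** ERROR: Module load completed but symbols could not be loaded for mwac.sys
Probably caused by : fwpkclnt.sys ( fwpkclnt!FwpsConstructIpHeaderForTransportPacket0+20a )
STACK_TEXT:  
fffff880`097732f8 fffff800`035b0cbe : 00000000`00000019 00000000`00000020 fffffa80`04d49830 fffffa80`04d49850 : nt!KeBugCheckEx
fffff880`09773300 fffff880`01927cfd : 00000000`00000008 00000000`00000010 00000000`676e7049 fffff880`04a71034 : nt!ExAllocatePoolWithTag+0x1a2a
fffff880`097733b0 fffff880`0120a04a : 00000000`00000000 fffff880`012060c3 00000000`00000000 fffffa80`0742e5d0 : tcpip!IppInspectBuildHeaders+0x65d
fffff880`09773690 fffff880`08d8b12d : 00000000`00000008 00000000`00000014 00000000`00000000 fffffa80`01a96200 : fwpkclnt!FwpsConstructIpHeaderForTransportPacket0+0x20a
fffff880`09773730 00000000`00000008 : 00000000`00000014 00000000`00000000 fffffa80`01a96200 fffffa80`01a96214 : mwac+0x612d
fffff880`09773738 00000000`00000014 : 00000000`00000000 fffffa80`01a96200 fffffa80`01a96214 00000000`00000011 : 0x8
"""

# Child-SP, return address, four argument slots, then the symbol for the frame.
FRAME = re.compile(r"^[0-9a-f]{8}`[0-9a-f]{8} [0-9a-f]{8}`[0-9a-f]{8} : .* : (\S+)\s*$")
NOSYM = re.compile(r"symbols could not be loaded for (\S+)\.sys")
BLAMED = re.compile(r"Probably caused by : (\S+)\.sys")


def triage(text):
    """Hypothetical helper: summarise which modules are on the crashing stack."""
    lines = text.splitlines()
    nosym = {m.group(1).lower() for m in map(NOSYM.search, lines) if m}
    blamed = next((m.group(1).lower() for m in map(BLAMED.search, lines) if m), None)
    stack = []
    for line in lines:
        m = FRAME.match(line)
        if not m or m.group(1).startswith("0x"):
            continue  # not a stack frame, or a raw address with no module name
        # "module!Function+0x.." or "module+0x.." -> module
        module = re.split(r"[!+]", m.group(1), maxsplit=1)[0].lower()
        if module not in stack:
            stack.append(module)  # keep call order, most recent frame first
    # Heuristic (assumption of this example): a module the symbol server had no
    # symbols for is worth checking before the module named in "Probably caused by".
    suspect = next((mod for mod in stack if mod in nosym), None)
    return {"blamed": blamed, "stack": stack, "suspect": suspect}


if __name__ == "__main__":
    print(triage(SAMPLE))
```
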





