Solved Bsod bad_pool_header (19)

bsfinkel

I have four BSODs bad_pool_header(19) since June 18. Everything I have read about this BSOD points to an outdated device driver. How can I use windbg on the minidumps and/or full dumps to determine what device driver caused each of the four BSODs? Note that I spent 25+ years working with IBM mainframe operating systems reading/debugging dumps. I do not know the internals of Windows 7, so I do not know where to look in the dump to get the information. And right now I do not know if the same device driver caused each of the four BSODs. I have attached the zip output of the SF_Diagnostic tool; the output contains a number of minidumps. I want to debug/diagnose each minidump, so I am starting with this BSOD before I diagnose the other BSODs. The OS is Windows 7 Pro 32-bit.
 

My Computer

Computer type
PC/Desktop
Computer Manufacturer/Model Number
custom built
OS
Windows 7 Professional 32-bit
CPU
Intel LGA 775
Motherboard
Intel DP965LT
Memory
4 x 1Gb
Graphics Card(s)
NVIDIA GEFORCE 8400GS
Hard Drives
WD WD3200KS
WD WD600BB
WD WD800JB
Antivirus
Microsoft Security Essentials
Browser
Firefox

My Computer

Computer type
PC/Desktop
Computer Manufacturer/Model Number
Self assembled
OS
Windows 10 Home 64Bit
CPU
Intel Core i5 10400 @ 2.90GHz
Motherboard
Intel Corporation DG41WV (PROCESSOR)
Memory
8.00GB Single-Channel Unknown @ 1329MHz (16-20-20-38)
Sound Card
Realtek High Definition Audio
Monitor(s) Displays
DELL E170S
Screen Resolution
1280x1024 pixels
Hard Drives
931GB TOSHIBA DT01ACA100 (SATA)
238GB TEAM TM8PS7256G (SATA SSD)
Case
Nothing Fancy
Cooling
Fans
Keyboard
A4 Tech Co LTD
Mouse
A4 Tech Co Ltd/Logitech
Internet Speed
25 Mbps
BSOD - Posting Instructions

I read the "BSOD - Posting Instructions" document. It mentions a "Crashes and Debugging" section of the forums. I do not see that, but I originally opened my problem in a section "BSOD Help and Support", and I assume that that is the correct sub-section of the forum web site. The posting document also explains to use the SF diagnostics tool to produce a zip file. If I remember correctly, I did that and attached that bsfinkel.zip file to my original problem report. Please let me know if that was not attached to my initial posting. I have just attached that file to this posting (I assume).
--Barry Finkel
 

This is the right section, they changed the name of the sub-section to make it clearer for users, since many people were posting in the General Discussion section and weren't receiving help. You haven't uploaded the zip file.
 

My Computer

Computer type
Laptop
bsfinkel.zip Uploaded

I just uploaded the zip file. I guess I did not wait long enough the first time.
--Barry Finkel
 

I clicked "Post Reply". Then near the bottom of the page I click the blue "Manage Attachments" button. "Browse.. No file selected." Click "Browse". Select bsfinkel.zip from my desktop. Click the blue "Upload" button. "Uploading File(s) - Please Wait". "Current Attachments (1.94 MB) bsfinkel.zip". I now see two "Submit Reply" buttons, one at "Reply to Thread" and one in "Additional Options". Last time I clicked the "Reply to Thread" "Submit Reply". Now I will click the lower button.
--Barry Finkel
 

Code:
BugCheck 19, {3, 85900bd8, 85900bd8, 85900b40}

Probably caused by : ntkrpamp.exe ( nt!ExAllocatePoolWithTag+682 )

Code:
Usual causes:  Device driver

It seems we are dealing with corrupt pool freelist, the blink freelist address seems to be corrupt for some reason.

Code:
0: kd> dt nt!_POOL_HEADER 85900bd8
   +0x000 PreviousSize     : 0y100101000 (0x128)
   +0x000 PoolIndex        : 0y0111100 (0x3c)
   +0x002 BlockSize        : 0y101111101 (0x17d)
   +0x002 PoolType         : 0y1011001 (0x59)
   +0x000 Ulong1           : 0xb37d7928
   +0x004 PoolTag          : 0xb37d7928 <-- Owner of the Pool Allocation
   +0x004 AllocatorBackTraceIndex : 0x7928
   +0x006 PoolTagHash      : 0xb37d

Run Driver Verifier to scan for any corrupted drivers which may be causing problems, this program works by running various stress tests on drivers, in order to produce a BSOD which will locate the driver; run for at least 24 hours:

You may need to enable the Special Pool option too.

Remove:

Code:
Start Menu\Programs\Advanced SystemCare 6

Windows 7 doesn't require any programs which make changes to the operating system and registry, these programs tend to cause problems by modifying and deleting files.
Windows is a closed source system. Developers of registry cleaners do not have the core code of Windows 7 and are not working on definitive information, but rather they are going on past knowledge and experience. Automatic cleaners will usually have to do some guesswork.

Modifying registry keys incorrectly can cause Windows instability, or make Windows unbootable. No registry cleaner is completely safe and the potential is ever present to cause more problems than they claim to fix.

Registry cleaners cannot distinguish between good and bad. If you run a registry cleaner, it will delete all those keys which are obsolete and sitting idle; but in reality, those keys may well be needed by some programs or windows at a later time.

Windows 7 is much more efficient at managing the registry than previous Windows versions. If you run any other registry cleaner and do not know precisely what you are doing, you will have problems down the road. There are no gains to be had from using a registry cleaner and the risk is great.

Remove:

Code:
Start Menu\Programs\IObit Malware Fighter

Having two real-time anti-virus programs can cause serious conflicts and crashes with your computer such as BSODs. Please remove IOBit program, which is known to cause BSODs, and keep MSE along with the other program listed below.

Install and perform full scans with:
   Information
Remember to install the free version of Malwarebytes, not the free trial; untick the free trial box during installation. MSE is the most lightweight and compatible with the Windows 7 operating system.

You can also view this thread for a complete free and lightweight security protection combination:
Update BIOS (if possible):

Code:
0: kd> !sysinfo machineid
Machine ID Information [From Smbios 2.4, DMIVersion 36, Size=1794]
BiosMajorRelease = 0
BiosMinorRelease = 0
FirmwareMajorRelease = 0
FirmwareMinorRelease = 0
BiosVendor = Intel Corp.
BiosVersion = MQ96510J.86A.1715.2007.1202.0001
BiosReleaseDate = 12/02/2007
SystemManufacturer =
SystemProductName =
SystemVersion =
BaseBoardManufacturer = Intel Corporation
BaseBoardProduct = DP965LT
BaseBoardVersion = AAD41694-302

Remember to find the exact version and revision of your motherboard, in order to flash the BIOS with the correct version, otherwise you could irreversibly corrupt your BIOS.

Reduce the number of programs at startup, to avoid any driver or program conflicts:
 

Remove:

Code:
0: kd> lmvm CBUFS
start    end        module name
8c379000 8c3bd000   CBUFS    T (no symbols)
    Loaded symbol image file: CBUFS.sys
    Image path: \SystemRoot\system32\drivers\CBUFS.sys
    Image name: CBUFS.sys
    Timestamp:        Mon Jan 14 12:27:18 2013 (50F3F9A6)
    CheckSum:         0004B8FC
    ImageSize:        00044000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4

Comodo seems to be causing problems, please remove the program completely with the Comodo Removal Tool.
 

First, I went to verifier.exe and selected all non-MS products. Then verifier told me I had to reboot. I closed Firefox, Thunderbird, and other applications, and I rebooted through the Start menu. I immediately received a BSOD BAD_POOL_HEADER (19), and the machine would crash upon reboot. I had to go to system repair to get the machine to reboot. I do not know what system repair did; I have not looked for any log. So, I do not know what happened with verifier.exe.

I did remove IObit Malware Fighter. I am installing Malwarebytes Anti-Malware, and I will run it. I am not sure why you want me to not run IObit but run Malwarebytes. What is the difference?

As for cbufs.exe, I am unsure whether to delete it. I use Comodo Backup Utility as my backup. The web page to which you point talks about Comodo Internet Security removal, and I do not have that product installed. I do not want to disable my backups (and potential restores) by deleting a file that Comodo Backup might need.

I will run Malwarebytes and report when it has finished.
--Barry Finkel
 

Okay, you need to go to this directory, and then upload the Minidump if Windows managed to save one:

Code:
C:\Windows\Minidump or %systemroot%\Minidump

IObit Malware Fighter is known to cause problems such as BSODs, and is a very ineffective AV program.

Don't delete the CBUFS.sys driver, remove the program from the Control Panel or preferably run Revo Uninstaller Pro.

Comodo is causing problems, and needs to be removed, you can use Windows own in-built backup utility or a third-party imaging program:
 

I did some research on verifier.exe, and your instructions at

http://www.sevenforums.com/tutorials/101379-driver-verifier-enable-disable.html

are incomplete. They do not say how verifier works, and I did not know. I had followed the instructions, and during the reboot I received a BSOD BAD_POOL_HEADER (19) IMAGE_NAME: ntkrpamp.exe. Your instructions did not tell me how to get out of the problem (by booting into safe mode and resetting the verifier state). I got repeated BSODs, and I eventually went to "system repair" to get my system bootable. I did not know that verifier ran at reboot, and it ran until either it BSODed with a problem or I rebooted into safe mode to stop the verifier from running at reboot.

I have no idea what "system repair" did; I have not looked for any log. I looked at the minidump with "!analyze -f -v", and the reported IMAGE_NAME is ntkrpamp.exe. I do not know if this minidump (or full dump) will tell me anything about what verifier.exe found. Also, I opened a problem report with Comodo on their cbufs.sys driver to see if they have reports from any other customers on that driver causing BSODs.
--Barry Finkel
 

Didn't you read this link, which was part of my instructions too? http://www.sevenforums.com/crash-lo...-driver-verifier-identify-issues-drivers.html

There are three methods within the above link, which show how to disable Driver Verifier, and at least three Microsoft links explaining the command line options on how to disable Driver Verifier without needing to do a Startup Repair.

Can you upload the Minidump file too?
 

I must have missed the beginning of the verifier page. Sorry. I have uploaded the one mini-dump in a zip file.
--Barry Finkel
 

Code:
BugCheck 19, {20, a6076f00, a6076f80, a1005e0}

GetPointerFromAddress: unable to read from 82f8184c
Unable to read MiSystemVaType memory at 82f60e20
Probably caused by : ntkrpamp.exe ( nt!ExFreePoolWithTag+1b1 )

It seems that the pool header block size is corrupt. The Block Size shows the size of the pool allocation, and the Previous Size indicates the size of the previous pool allocation, therefore the Previous Size of next pool entry should match the Block Size of the current allocation.

To other debuggers, I would have used the !pool extension, however, this information wasn't available within this dump file (mainly because it's a Minidump)

Code:
0: kd> dt nt!_POOL_HEADER a6076f00 <-- Pool Entry We Were Looking For
   +0x000 PreviousSize     : 0y111100000 (0x1e0)
   +0x000 PoolIndex        : 0y0000010 (0x2)
   +0x002 BlockSize        : 0y000010000 (0x10)
   +0x002 PoolType         : 0y0000101 (0x5)
   +0x000 Ulong1           : 0xa1005e0
   +0x004 PoolTag          : 0x6d4e6f49
   +0x004 AllocatorBackTraceIndex : 0x6f49
   +0x006 PoolTagHash      : 0x6d4e

Code:
0: kd> dt nt!_POOL_HEADER a6076f80 <-- Next Pool Entry
   +0x000 PreviousSize     : 0y000000000 (0)
   +0x000 PoolIndex        : 0y0000010 (0x2)
   +0x002 BlockSize        : 0y000000100 (0x4)
   +0x002 PoolType         : 0y0000011 (0x3)
   +0x000 Ulong1           : 0x6040400
   +0x004 PoolTag          : 0x74416553
   +0x004 AllocatorBackTraceIndex : 0x6553
   +0x006 PoolTagHash      : 0x7441

Looking at the raw stack of the thread, we can see that the Comodo software, again seems to be a possible cause and causing problems.

Code:
0: kd> lmvm CBUFS
start    end        module name
8c37a000 8c3be000   CBUFS    T (no symbols)
    Loaded symbol image file: CBUFS.sys
    Image path: \SystemRoot\system32\drivers\CBUFS.sys
    Image name: CBUFS.sys
    Timestamp:        Mon Jan 14 12:27:18 2013 (50F3F9A6)
    CheckSum:         0004B8FC
    ImageSize:        00044000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
 

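The consistency rule described in the post above (a block's BlockSize must equal the next block's PreviousSize), as an added example that is not part of the original thread. It decodes the two `_POOL_HEADER` dumps from their `Ulong1` and `PoolTag` values and flags the mismatch; the function names are illustrative, and the 8-byte size unit is an assumption for 32-bit Windows 7 that agrees with the two addresses in the bugcheck parameters.

```python
import struct

POOL_GRANULARITY = 8   # assumption: bytes per size unit on 32-bit Windows 7
PAGE_SIZE = 0x1000


def tag_to_ascii(pool_tag):
    """Render a PoolTag DWORD as the 4-character tag drivers pass to the allocator."""
    raw = struct.pack("<I", pool_tag & 0x7FFFFFFF)  # mask the 'protected' high bit
    return "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in raw)


def decode_pool_header(ulong1, pool_tag):
    """Split Ulong1 into the bitfields shown by dt nt!_POOL_HEADER (x86 layout)."""
    return {
        "PreviousSize": ulong1 & 0x1FF,        # bits 0-8
        "PoolIndex": (ulong1 >> 9) & 0x7F,     # bits 9-15
        "BlockSize": (ulong1 >> 16) & 0x1FF,   # bits 16-24
        "PoolType": (ulong1 >> 25) & 0x7F,     # bits 25-31
        "Tag": tag_to_ascii(pool_tag),
    }


def check_adjacent(addr, hdr, next_addr, next_hdr):
    """Return a list of inconsistencies between a pool entry and the one after it."""
    findings = []
    if hdr["BlockSize"] == 0:
        findings.append("BlockSize is 0: entry cannot be walked")
    expected_next = addr + hdr["BlockSize"] * POOL_GRANULARITY
    if expected_next != next_addr:
        findings.append(f"BlockSize points to {expected_next:#x}, not {next_addr:#x}")
    # Only the first entry in a page may legitimately carry PreviousSize 0.
    if next_addr % PAGE_SIZE == 0:
        if next_hdr["PreviousSize"] != 0:
            findings.append("page-aligned entry has non-zero PreviousSize")
    elif next_hdr["PreviousSize"] != hdr["BlockSize"]:
        findings.append(
            f"next PreviousSize {next_hdr['PreviousSize']:#x} != "
            f"BlockSize {hdr['BlockSize']:#x}")
    return findings


# Values copied from the second minidump's dt output in the thread.
ENTRY_ADDR, NEXT_ADDR = 0xA6076F00, 0xA6076F80
entry = decode_pool_header(0x0A1005E0, 0x6D4E6F49)
nxt = decode_pool_header(0x06040400, 0x74416553)

if __name__ == "__main__":
    print(entry, nxt, sep="\n")
    for finding in check_adjacent(ENTRY_ADDR, entry, NEXT_ADDR, nxt):
        print("MISMATCH:", finding)
```

The decoded tags identify which allocations sit on either side of the damaged boundary, which narrows the search when the minidump lacks the data `!pool` needs.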
If your research points to cbufs.exe, then I will wait until I hear back from Comodo before I do anything else. I do have the full dump associated with the mini-dump, but it probably is not worth the effort to look at that dump.
--Barry Finkel
 

The dump file was quite straightforward, so Minidumps are okay :)

Wait until Comodo replies, they may already be working on patching the program.
 

I have switched backup programs, and I renamed the cbufs.sys driver file. I have not yet gotten a reply from my posting on the Comodo forum, and I have no idea when to expect a reply. I will wait until I get another BSOD (that is not a VIDEO_TDR_FAILURE (116)). I am currently working with nVIDIA support on those video timeout BSODs. I will wait a week before I mark this problem solved.
--Barry Finkel
 

I will close this trouble ticket, as the dump was caused by cbufs.sys, which I am no longer using.
--Barry Finkel
 
