BSOD System Service Exception and Bad pool header

[hejowicz]

Hi

Once a week or few days i get bsod service exception and bad pool header.
I don't play games for now. And bsod have very random timming, eg. when i browse the internet.

Latest bsod i get System Service Exception.

I test my ram with memtest86 and with standard windows tool
I also check my hdd with chkdsk

Here is data from your SF program.

 

[x BlueRobot]

[COLOR="Red"]BugCheck 3B[/COLOR], {[COLOR="SeaGreen"]c0000005[/COLOR], fffff800031ccc20, fffff8800afda320, 0}

Probably caused by : ntkrnlmp.exe ( nt!ObpCreateHandle+300 )

Usual causes:  System service, Device driver, graphics driver, memory

2: kd> [COLOR="SeaGreen"]lmvm aswSnx[/COLOR]
start             end                 module name
fffff880`01800000 fffff880`01896000   aswSnx   T (no symbols)           
    Loaded symbol image file: aswSnx.SYS
    Image path: \SystemRoot\System32\Drivers\aswSnx.SYS
    Image name: aswSnx.SYS
    Timestamp:        [COLOR="Red"]Mon Nov 28 17:54:05 2011[/COLOR] (4ED3CABD)
    CheckSum:         00096E09
    ImageSize:        00096000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4

avast! seems to be causing problems, please remove the program completely with the avast! Removal Tool, and then install and run full scans with these free and proven alternatives which work best with the operating system due to their compatibility and lightweight nature on system resources.

Install and perform full scans with:

• Malwarebytes : Free anti-malware download
• Microsoft Security Essentials | Protect against viruses, spyware, and other malware

   Information

Remember to install the free version of Malwarebytes not the free trail; untick the free trial box during installation. MSE is the most lightweight and compatible with the Windows 7 operating system

You can also view this thread for a complete free and lightweight security protection combination:

• http://www.sevenforums.com/system-security/206705-good-free-system-security-combination.html

 

[hejowicz]

x BlueRobot, Thank you for your reply.

I removed avast using that tool in safe mode.
I installed Malwarebytes without trial option, and i scan my computer
There was 6 issues found, which i removed.

I installed MS Security Essentials, scaned computer without any issues.

I hope that will solve the bsod problems.

Can you tell me / teach me how you manange to find problem in logs ?

Can i post present logs ?
http://www.malwarebytes.org/

 

[x BlueRobot]

You need to download and install WinDbg firstly - http://www.sevenforums.com/crash-lockup-debug-how/26584-configuring-debugging-tools.html

 

[hejowicz]

Do I have to install debugging tool from that link Download and Install Debugging Tools for Windows ?

Or just WinDbg ? or WinDbg is part of debugging tool from that url ?

I not sure which tool install, WDK or SDK ?
Can I install both of them ?

I tried to install SDK from here Download Microsoft Windows SDK for Windows 7 and .NET Framework 4 from Official Microsoft Download Center

I wanted change path, to recommended c:\debuggers
But i see two location:
folder for tools and folder for samples

Will be better to install tools in c:\debuggers and samples in original folder or in eg. c:\debuggers\samples ?

// edit

Meanwhile i got another bsod Memory Management
I had this bsod before, fogot to meantion

 

[x BlueRobot]

Have you got the debugger installed now? It chose the SDK option too

Associate the dump files with the debugger with this command, you may need to open a elevated (Administrator) command prompt:

"C:\Program Files (x86)\Windows Kits\8.0\Debuggers\x64\windbg.exe" -IA

Source: http://www.sevenforums.com/crash-lockup-debug-how/221485-bsod-analysis-getting-started.html

BSOD Analysis:

[COLOR="Red"]BugCheck 1A[/COLOR], {[COLOR="Blue"]41287[/COLOR], 0, 0, 0}

Probably caused by : ntkrnlmp.exe ( nt! ?? ::FNODOBFM::`string'+454f5 )

Usual causes:  Device driver, memory, kernel

It appears that a illegal page fault has occurred during working set synchronization, causing some memory management data structures to become corrupt.

TRAP_FRAME:  fffff88009040d70 -- ([COLOR="SeaGreen"].trap 0xfffff88009040d70[/COLOR])
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=0000000000000000 rbx=0000000000000000 rcx=0000000000000001
rdx=0000000000000001 rsi=0000000000000000 rdi=0000000000000000
rip=fffff80002eea967 rsp=fffff88009040f08 rbp=0000000000002000
 [COLOR="Red"]r8=0000000000000000[/COLOR]  r9=00000000ffffffff r10=fffffa8009b16a50
r11=fffffa800a007f78 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei pl zr na po nc
nt!MiInsertNode+0xa7:
fffff800`02eea967 498b08          mov     rcx,qword ptr [COLOR="Red"][r8][/COLOR] ds:00000000`00000000=????????????????

Run Driver Verifier to scan for any corrupted drivers which may be causing problems, this program works by running various stress tests on drivers, in order to produce a BSOD which will locate the driver; run for least 24 hours:

• http://www.sevenforums.com/tutorials/101379-driver-verifier-enable-disable.html

   Information

Additional Help - http://www.sevenforums.com/crash-lo...-driver-verifier-identify-issues-drivers.html

 

[hejowicz]

Ok, I trun on driver verifier, it's running about 4 hours now, i let you know, after day.

Meanwhile i have question about debugging tools.

I installed Windows SDK for Windows 7 and .NET Framework 4
(with little problem, because i had to uinstall latest Visual C ++)

durring installation
In section called "redistribudable packages"
I selected "Debugging Tools"

After success installation , I can't find winDBG.exe in c:\debuggers\


I don't have such folder in
C:\Program Files (x86)\Windows Kits\

edit:
i found windbg.exe in another location

I allready associate windbg with .dmp
and i add symbol file path

I copied full memory.dmp from windows directory to desktop , for testing.
But i think , i have problem with read this.

I opened 8GiB file, and i see:

Microsoft (R) Windows Debugger Version 6.12.0002.633 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [C:\Users\Piotrek\Desktop\MEMORY.DMP]
Kernel Complete Dump File: Full address space is available

Symbol search path is: srv*c:\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is: 
Windows 7 Kernel Version 7601 (Service Pack 1) MP (4 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 7601.18113.amd64fre.win7sp1_gdr.130318-1533
Machine Name:
Kernel base = 0xfffff800`02e4d000 PsLoadedModuleList = 0xfffff800`03090670
Debug session time: Mon Aug 12 09:57:28.880 2013 (UTC + 2:00)
System Uptime: 2 days 6:19:19.740
Loading Kernel Symbols
...............................................................
................................................................
...............................
Loading User Symbols
.....
Loading unloaded module list
..........................Unable to enumerate user-mode unloaded modules, NTSTATUS 0xC0000147
Loading Wow64 Symbols
................................................................
................................................................
.......
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 1A, {41287, 0, 0, 0}


"kernel32.dll" was not found in the image list.
Debugger will attempt to load "kernel32.dll" at given base 00000000`00000000.

Please provide the full image name, including the extension (i.e. kernel32.dll)
for more reliable results.Base address and size overrides can be given as
.reload <image.ext>=<base>,<size>.
Unable to add module at 00000000`00000000
Probably caused by : ntkrnlmp.exe ( nt! ?? ::FNODOBFM::`string'+454f5 )

Followup: MachineOwner
---------

Is this full dump or just a part of it ?,
I think maybe something went wrong, and i don't see full content of crash dump

Unable to enumerate user-mode unloaded modules, NTSTATUS 0xC0000147

 

[x BlueRobot]

Make sure your Symbol Path is the exact same as mine:

SRV*c:\symbols*http://msdl.microsoft.com/download/symbols

That's a Complete Memory dump too, so it will contain User-Mode and Kernel-Mode address space, a Kernel Memory dump or a Minidump is all you will need, since a BSOD results because of an error in Kernel Mode.

 

[hejowicz]

Ok. I changed symbol path to your, i had slight different.

After turrning on driver verifier i finally got bsod.


Yes. i got 8gb dump because i choose full memory dump
http://www.sevenforums.com/tutorials/174459-dump-files-configure-windows-create-bsod.html

maybe it's not necessary to choose that big dump ?

edit:
can i now disable driver verifier ?

 

[x BlueRobot]

It's not necessary at all, I'll keep it configured at a Kernel Memory dump or a Minidump

There's no new dump files within that folder, please check this directory:

C:\Windows\Minidump

 

[hejowicz]

Ok, here is dump from

C:\Windows\Minidump
I opened it, and tried see what is wrong

i saw:

BugCheck 1A, {41287, 0, 0, 0}

Probably caused by : ntkrnlmp.exe ( nt! ?? ::FNODOBFM::`string'+454f5 )

And i searched for ntkrnlmp.exe here Driver Reference Table

Is that mean that problem is in Windows Update ?
That Windows Update downloaded corrupted driver ?

 

[x BlueRobot]

0: kd> [COLOR=SeaGreen].time[/COLOR]
Debug session time: [COLOR=Red]Mon Aug 12 08:57:28.880 2013[/COLOR] (UTC + 1:00)
System Uptime: 2 days 6:19:19.740

It's still the same dump file from yesterday, here I would suggest configuring Minidumps to be saved, and then running Driver Verifier again, upon the next BSOD please upload the files.

To answer your question, ntkrnlmp.exe is the NT Kernel module and is not the problem at all. Windows lists it as the possible cause when it can't find any third-party driver which caused the problem or the real cause of the problem.

 

[hejowicz]

Ok, I switched to minidump.

I think last crash was not registered by logs, because when i woke up i saw "funny" blured colours on my display, and computer was still running. Didn't restart, like in most cases with bsod

I had to, manually turn off and on.

I set up again driver verifier.

Can you tell me about that file ntkrnlmp.exe, from the last crash, is it related with Windows Update ?

 

[x BlueRobot]

It's the Windows Kernel - Architecture of Windows NT - Wikipedia, the free encyclopedia

 

[hejowicz]

Thanks , now i undersand that a bit better.

Few moments ago, i had another crash, but standard bsod didn't displayed.
It was same like before, blur screen, i made photo to show you.

I attached aslso logs from SF Diagnostic Tool, but what i checked there is no dump including present crash.

0: kd> .time
Debug session time: Mon Aug 12 09:57:28.880 2013 (UTC + 2:00)
System Uptime: 2 days 6:19:19.740

So, sine i got driver verifier working, i had 2 crashes, which were not registered by system ?

 

[x BlueRobot]

Nope, it's because the BSODs are happening before, the all the necessary data structures have been loaded.

Run some hard-drive diagnostics and follow these steps:

• Hard Drive Diagnostic Procedure

Find your hard-drive manufacturer and run their tests.

Additional Tests:

• SeaTools for DOS | Seagate
• CrystalDiskInfo - Software - Crystal Dew World

Post a screenshot of Crystal Disk Info summary:

• http://www.sevenforums.com/tutorials/9733-screenshots-files-upload-post-seven-forums.html

If you have an SSD, make sure the following are up to date:

• SSD firmware
• BIOS Version
• Chipset Drivers
• Hard disk controller drivers/SATA drivers
• If you have a Marvell IDE ATA/ATAPI device, make sure the drivers are up to date from the Intel site or Marvell site and not from your motherboard/vendor support site.

Check for any file system errors and bad sectors using Option #2 of:

• http://www.sevenforums.com/tutorials/433-disk-check.html

Use this command with Disk Check:

chkdsk C: /f /r

 

[hejowicz]

I don't have SSD.

I checked my HDD with Cristaldisk, chkdsk and Data Lifeguard Diagnostic (it passed, but no logs available)
hdd Firmware, chipset and bios i have up to date.

Meanwhile i got another crash, without bsod (i disable driver verifier long before)

This time i see new dump.

 

[x BlueRobot]

[COLOR="Red"]BugCheck 1A[/COLOR], {[COLOR="Blue"]5003[/COLOR], fffff70001080000, 17fd8, 17c420002feb0}

Probably caused by : win32k.sys ( win32k!fnHkINLPMSG+28b )

Okay, this bugcheck is slightly different, it indicates that the working set free list has become corrupt, this is usually due to hardware error.

• http://www.sevenforums.com/tutorials/105647-ram-test-memtest86.html

Run Memtest86+ for least 9-10 passes, and preferably overnight as it can take a while to fully complete.

Test each RAM stick individually, if an error is found then move the same RAM stick into the next DIMM slot and test again, if errors are found for the same RAM stick in every available slot then you have a faulty RAM module. On the other hand, if no errors are found in the next slot or the other slots for the same RAM module, then you have a faulty DIMM slot.

Test each RAM stick and every motherboard DIMM slot available.

test|Slot1|Slot2
RAM1| Error | Error
RAM2|Good|Good

It is a RAM, a bad RAM.

But if you have got a result like that:

test|Slot1|Slot2
RAM1| Error |Good
RAM2| Error |Good

It is a motherboard issue. The particular slot is bad.

 

[hejowicz]

I tested all possibilities, about 10-11 times

I decide to use for now only one stick (for testing)

I had about one week uptime, without any errors

But yesterday and today i had few crashes.

I'm sending dumps.

 

[x BlueRobot]

[COLOR="Red"]BugCheck C2[/COLOR], {[COLOR="Blue"]7[/COLOR], 109b, 81d3aa0, [COLOR="SeaGreen"]fffffa8006b8cb00[/COLOR]}

GetPointerFromAddress: unable to read from fffff800034f8100
GetUlongFromAddress: unable to read from fffff800034f81c0

fffffa8006b8caf0 doesn't look like a valid small pool allocation, checking to see
if the entire page is actually part of a large page allocation...

GetUlongFromAddress: unable to read from fffff80003466a38

fffffa8006b8caf0 doesn't look like a valid small pool allocation, checking to see
if the entire page is actually part of a large page allocation...

GetUlongFromAddress: unable to read from fffff80003466a38
Probably caused by : ntkrnlmp.exe ( nt!ObpCloseHandleTableEntry+c4 )

Usual causes:  Device driver, Memory

0: kd>[COLOR="SeaGreen"] !pool fffffa8006b8c000[/COLOR]
Pool page fffffa8006b8c000 region is Nonpaged pool
[COLOR="Red"]*fffffa8006b8c000 size:  150 previous size:    0  (Allocated) *File (Protected)[/COLOR]
		Pooltag File : File objects
 fffffa8006b8c150 size:   40 previous size:  150  (Allocated)  WfpF
 fffffa8006b8c190 size:   c0 previous size:   40  (Allocated)  FMsl
 fffffa8006b8c250 size:   20 previous size:   c0  (Free)       NSIk
 fffffa8006b8c270 size:  150 previous size:   20  (Allocated)  File (Protected)
 fffffa8006b8c3c0 size:  150 previous size:  150  (Allocated)  UdpA
 fffffa8006b8c510 size:   80 previous size:  150  (Free)       Even
 fffffa8006b8c590 size:  160 previous size:   80  (Allocated)  Ntfx
 fffffa8006b8c6f0 size:   50 previous size:  160  (Allocated)  VadS
 fffffa8006b8c740 size:   80 previous size:   50  (Allocated)  SeTl
 fffffa8006b8c7c0 size:   80 previous size:   80  (Allocated)  SeTl
 fffffa8006b8c840 size:   10 previous size:   80  (Free)       Even
 fffffa8006b8c850 size:  220 previous size:   10  (Allocated)  Nb07
 fffffa8006b8ca70 size:   80 previous size:  220  (Allocated)  Even (Protected)

The pool allocation within the pool page which has caused the corruption, this a file object, a file object can either correspond to a I/O device or a open file.

The I/O device seems to more likely due to other errors earlier.

0: kd> [COLOR="SeaGreen"]k[/COLOR]
Child-SP          RetAddr           Call Site
fffff880`082be8e8 fffff800`033f3be9 nt!KeBugCheckEx
fffff880`082be8f0 fffff800`032c9e5c nt!ExDeferredFreePool+0x1201
fffff880`082be9a0 fffff800`035b9054 nt!ObfDereferenceObject+0xdc
fffff880`082bea00 fffff800`035b9604 nt!ObpCloseHandleTableEntry+0xc4
fffff880`082bea90 fffff800`032bfe13 nt!ObpCloseHandle+0x94
fffff880`082beae0 00000000`770913aa nt!KiSystemServiceCopyEnd+0x13
00000000`00eef9d8 00000000`00000000 0x770913aa

The current thread has attempted to free a pool allocation which has already been freed, we can see from the call stack the general process of freeing a object.

Other bugcheck is same as the other one in my last post:

[COLOR="Red"]BugCheck 1A[/COLOR], {[COLOR="Blue"]5003[/COLOR], fffff70001080000, 1dbf4, 1c4540003b6e8}

Probably caused by : ntkrnlmp.exe ( nt! ?? ::FNODOBFM::`string'+45f7d )

0: kd> [COLOR="SeaGreen"]!sysinfo machineid[/COLOR]
Machine ID Information [From Smbios 2.7, DMIVersion 39, Size=2355]
BiosMajorRelease = 21
BiosMinorRelease = 240
BiosVendor = Acer
BiosVersion = V1.21
BiosReleaseDate = [COLOR="Red"]08/09/2012[/COLOR]
SystemManufacturer = [COLOR="Red"]Acer[/COLOR]
SystemProductName = [COLOR="Red"]Aspire 7750G[/COLOR]
SystemFamily =  
SystemVersion = V1.21
SystemSKU =  
BaseBoardManufacturer = Acer
BaseBoardProduct = [COLOR="Red"]JE70_HR[/COLOR]
BaseBoardVersion = Base Board Version

Have you checked for any BIOS updates from your motherboard/model support page? Ensure if your going to update the BIOS, then you make sure you update with the BIOS version directly intended for your motherboard, as you irreversibility corrupt your BIOS.