Bad_pool_caller

22 replies to this topic

#1
gOber

gOber

    Newbie

  • Member
  • 24 posts
  • Joined 22-July 08
Hello,

I need help. Sometimes I always get a blue screen
Bad_pool_caller stop: 0x000000c2 (0x00000007,0x00000cd4,0x02130041,0x88616210)

Anyone expert help me please

thanks
Anton



#2
Mr Snrub

Mr Snrub

    Former MSFT

  • Super Moderator
  • 775 posts
  • Joined 14-September 04
  • OS:Windows 8 x64
You need to prepare your system to create a kernel memory dump the next time it bugchecks (bluescreens):
- Right-click My Computer, click Properties
- Click the Advanced tab
- Click the Settings button under Startup and Recovery
- Under Write debugging information, select Kernel memory dump
- Click OK
- Click the Settings button under Performance
- Click the Advanced tab
- Click the Change button
- Ensure that the drive on which the Windows folder resides (the 'boot' drive) has a page file at least as large as the RAM you have installed plus 50MB
(e.g. if you have 1GB RAM on a default installation, the page file needs to go up to at least 1074MB on the C: drive - if the range already covers this then no change is required)
- Click OK on each of the 3 open windows

When the system next bugchecks it will display a status message "Beginning dump of physical memory" and work up to 100% before restarting.
After restarting, the memory dump is copied from %systemdrive%\pagefile.sys to %systemroot%\MEMORY.DMP.

Zip up the MEMORY.DMP file and upload it to any of the free file sharing sites and post a link here so we can download it for analysis.

My TechNet Blog
I have CDO. It's like OCD except the letters are in alphabetical order, as they should be.


#3
gOber

gOber

    Newbie

  • Member
  • 24 posts
  • Joined 22-July 08

You need to prepare your system to create a kernel memory dump the next time it bugchecks (bluescreens):
- Right-click My Computer, click Properties
- Click the Advanced tab
- Click the Settings button under Startup and Recovery
- Under Write debugging information, select Kernel memory dump
- Click OK
- Click the Settings button under Performance
- Click the Advanced tab
- Click the Change button
- Ensure that the drive on which the Windows folder resides (the 'boot' drive) has a page file at least as large as the RAM you have installed plus 50MB
(e.g. if you have 1GB RAM on a default installation, the page file needs to go up to at least 1074MB on the C: drive - if the range already covers this then no change is required)
- Click OK on each of the 3 open windows

When the system next bugchecks it will display a status message "Beginning dump of physical memory" and work up to 100% before restarting.
After restarting, the memory dump is copied from %systemdrive%\pagefile.sys to %systemroot%\MEMORY.DMP.

Zip up the MEMORY.DMP file and upload it to any of the free file sharing sites and post a link here so we can download it for analysis.


Hello,

Sorry for the late reply..

I already tried updating my driver and so far it works fine for me. But I still did your steps. But I don't understand about resizing the RAM. I have 2GB RAM (dual). Please see my SS
Posted Image
All sizes are set automatically. Must I set them manually?

thanks
Anton

Edited by gOber, 20 August 2008 - 08:05 PM.


#4
Mr Snrub

Mr Snrub

    Former MSFT

  • Super Moderator
  • 775 posts
  • Joined 14-September 04
  • OS:Windows 8 x64
That's fine as it is, no need to change it from those settings - the page file is on the boot drive and can grow to at least 2098MB (2048+50) - which is also the largest you could possibly need for a kernel dump on a 32-bit system too.

My TechNet Blog
I have CDO. It's like OCD except the letters are in alphabetical order, as they should be.


#5
cluberti

cluberti

    Gustatus similis pullus

  • Supervisor
  • 11,253 posts
  • Joined 09-September 01
  • OS:Windows 8.1 x64

That's fine as it is, no need to change it from those settings - the page file is on the boot drive and can grow to at least 2098MB (2048+50) - which is also the largest you could possibly need for a kernel dump on a 32-bit system too.

Actually, untrue. When you dump the box it only reads the "Initial size" number, and as such this has the possibility for not being large enough for a kernel dump (can be up to 2GB, if this is x86), and definitely not enough for a complete dump.

I would suggest changing the initial size to at least 2200 and rebooting before expecting this to work properly.
MCTS Windows Internals, MCITP Server 2008 EA, MCTS MDT/BDD, MCSE/MCSA Server 2003, Server 2012, Windows 8
--------------------
Please read the rules before posting!
Please consider donating to MSFN to keep it up and running!

#6
Mr Snrub

Mr Snrub

    Former MSFT

  • Super Moderator
  • 775 posts
  • Joined 14-September 04
  • OS:Windows 8 x64

Actually, untrue. When you dump the box it only reads the "Initial size" number, and as such this has the possibility for not being large enough for a kernel dump (can be up to 2GB, if this is x86), and definitely not enough for a complete dump.

You live & learn, cheers :)
Though in practicality I don't think I've seen a kernel dump larger than ~800MB even from x64 Server systems.

My TechNet Blog
I have CDO. It's like OCD except the letters are in alphabetical order, as they should be.


#7
gOber

gOber

    Newbie

  • Member
  • 24 posts
  • Joined 22-July 08

Actually, untrue. When you dump the box it only reads the "Initial size" number, and as such this has the possibility for not being large enough for a kernel dump (can be up to 2GB, if this is x86), and definitely not enough for a complete dump.

You live & learn, cheers :)
Though in practicality I don't think I've seen a kernel dump larger than ~800MB even from x64 Server systems.


Hello,

I got a BSOD again... and I already uploaded my dump file..

Here: http://rapidshare.co...EMORYy.rar.html The actual size is 196MB; after RAR, 38MB.

Hope you can help me..

thanks

Edited by gOber, 21 August 2008 - 12:47 AM.


#8
gOber

gOber

    Newbie

  • Member
  • 24 posts
  • Joined 22-July 08

That's fine as it is, no need to change it from those settings - the page file is on the boot drive and can grow to at least 2098MB (2048+50) - which is also the largest you could possibly need for a kernel dump on a 32-bit system too.

Actually, untrue. When you dump the box it only reads the "Initial size" number, and as such this has the possibility for not being large enough for a kernel dump (can be up to 2GB, if this is x86), and definitely not enough for a complete dump.

I would suggest changing the initial size to at least 2200 and rebooting before expecting this to work properly.


OK, I will change it after Mr Snrub sees my dump file

Thanks
Anton

#9
eyeball

eyeball

    Have you tried turning it off and on again?

  • Member
  • 1,150 posts
  • Joined 28-October 05
gOber, this is completely off-topic, but do you have a "ram optimizer" in that screenshot? :P

#10
Ponch

Ponch

    MSFN Junkie

  • Patrons
  • 3,320 posts
  • Joined 23-November 05
  • OS:none specified
I once had a Bad_pool_caller stop and after 1/2 hour, I found out one of the RAM modules on that laptop was bad.
It doesn't mean it's your case, but I'd test the RAM extensively.

#11
Mr Snrub

Mr Snrub

    Former MSFT

  • Super Moderator
  • 775 posts
  • Joined 14-September 04
  • OS:Windows 8 x64
The problem in this dump is a "double free" of a nonpaged pool allocation - a driver has already freed up an allocation and then tries to free it again, so it's not a corruption and not something you can trap easily with a crash dump (if at all).

The culprit driver here looks like Zone Labs' vsdatant.sys - I'm guessing Zone Alarm or the security suite.

Windows XP Kernel Version 2600 (Service Pack 3) MP (2 procs) Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 2600.xpsp.080413-2111
Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055d720
Debug session time: Thu Aug 21 04:48:05.484 2008 (GMT+2)
System Uptime: 0 days 4:15:37.190

BAD_POOL_CALLER (c2)
The current thread is making a bad pool request. Typically this is at a bad IRQL level or double freeing the same allocation, etc.
Arguments:
Arg1: 00000007, Attempt to free pool which was already freed
Arg2: 00000cd4, (reserved)
Arg3: 02060001, Memory contents of the pool block
Arg4: 888ac380, Address of the block of pool being deallocated

DEFAULT_BUCKET_ID: DRIVER_FAULT

STACK_TEXT:
bacf78b8 8054b583 000000c2 00000007 00000cd4 nt!KeBugCheckEx+0x1b
bacf7908 ae962782 888ac380 00000000 bacf7950 nt!ExFreePoolWithTag+0x2a3
bacf7918 ae962450 888f9c68 888f9cfc 888f9cfc tcpip!TCPClose+0x16
bacf7950 ae8ef0c1 8a0af5e8 888f9c68 ae8ee9cd tcpip!TCPDispatch+0x101
bacf795c ae8ee9cd 8a0af5e8 888f9c68 00000002 vsdatant+0x450c1
bacf7990 ae8ef04a 8a0af5e8 888f9c68 888f9c68 vsdatant+0x449cd
bacf79b4 ae8eeee7 897e87a0 ae8ef057 888f9c68 vsdatant+0x4504a
bacf79bc ae8ef057 888f9c68 8a0ab5e0 8a0a60d8 vsdatant+0x44ee7
bacf79ec 8053721f 00000000 bacf7a28 80537283 vsdatant+0x45057
bacf7a40 bab384c9 ae999690 bab384d4 ae998000 nt!ExNotifyCallback+0x43
bacf7a58 ae965c0b 02999680 ae965c16 898636f4 TDI!CTEScheduleDelayedEvent+0x35
bacf7a70 ae95b65a 8a0b0da8 02cf7ab0 00000001 tcpip!LoopXmit+0x6a
bacf7aa0 ae95b79f ae9994c0 0100007f 88bf0880 tcpip!SendIPPacket+0x193
bacf7bec 888e5d68 00000000 89032c68 00000000 tcpip!IPTransmit+0x289e
bacf7c48 804ef18f 8a0af5e8 888f9c68 888f9c68 0x888e5d68
bacf7cbc 80583af8 888e5d68 00000000 00000000 nt!IopfCallDriver+0x31
bacf7cf4 805bb466 008e5d80 00000000 888e5d68 nt!IopDeleteFile+0x132
bacf7d10 805266ca 888e5d80 00000000 8052667e nt!ObpRemoveObjectRoutine+0xe0
bacf7d28 ae88bc0f 88944468 889443f0 ae888cb6 nt!ObfDereferenceObject+0x4c
bacf7d3c ae88bbbc 889443f0 ae88a7a8 bacf7d68 afd!AfdFreeConnectionResources+0x38
bacf7d4c ae88886a 88944468 8a12a1f0 8a215740 afd!AfdFreeConnection+0x5c
bacf7d68 80576ad5 8a215740 00000000 8056485c afd!AfdDoWork+0x51
bacf7d7c 8053876d 8a12a1f0 00000000 8a5bd8b8 nt!IopProcessWorkItem+0x13
bacf7dac 805cff64 8a12a1f0 00000000 00000000 nt!ExpWorkerThread+0xef
bacf7ddc 805460de 8053867e 00000001 00000000 nt!PspSystemThreadStartup+0x34
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16

FOLLOWUP_IP:
vsdatant+450c1
ae8ef0c1 c20c00 ret 0Ch

1: kd> !pool 888ac380
Pool page 888ac380 region is Nonpaged pool
888ac000 size: 228 previous size: 0 (Free) GeN-
888ac228 size: 70 previous size: 228 (Allocated) GeN-
888ac298 size: 8 previous size: 70 (Free) AfdC
888ac2a0 size: d0 previous size: 8 (Allocated) FMsl
888ac370 size: 8 previous size: d0 (Free) File
*888ac378 size: 30 previous size: 8 (Free) *TCPc
Pooltag TCPc : TCP/IP network protocol, Binary : TCP

888ac3a8 size: c58 previous size: 30 (Free) Ddk

1: kd> dc 888ac378 888ac3a8-1
888ac378 02060001 63504354 88adb188 00000000 ....TCPc........
888ac388 bad00101 02040001 00000000 888ac394 ................
888ac398 888ac394 899a9c18 888f9c68 00000000 ........h.......

1: kd> lmvm vsdatant
start end module name
ae8aa000 ae9090e0 vsdatant (no symbols)
Loaded symbol image file: vsdatant.sys
Image path: \SystemRoot\System32\vsdatant.sys
Image name: vsdatant.sys
Timestamp: Wed Jul 09 17:33:32 2008 (4874DA4C)
CheckSum: 00068FDC
ImageSize: 0005F0E0
File version: 7.0.483.0
Product version: 7.0.483.0
File flags: 0 (Mask 3F)
File OS: 40004 NT Win32
File type: 2.0 Dll
File date: 00000000.00000000
Translations: 0409.04e4
CompanyName: Zone Labs, LLC
ProductName: TrueVector Device Driver
InternalName: vsdatant
OriginalFilename: vsdatant.sys
ProductVersion: 7.0.483.000
FileVersion: 7.0.483.000
FileDescription: TrueVector Device Driver
LegalCopyright: Copyright © 1998-2006, Zone Labs, LLC

Virtual memory and running process summary shows no particular issue:

1: kd> !vm
*** Virtual Memory Usage ***
Physical Memory: 523883 ( 2095532 Kb)
Page File: \??\C:\pagefile.sys
Current: 1572864 Kb Free Space: 1528732 Kb
Minimum: 1572864 Kb Maximum: 3145728 Kb
Available Pages: 248404 ( 993616 Kb)
ResAvail Pages: 436781 ( 1747124 Kb)
Locked IO Pages: 229 ( 916 Kb)
Free System PTEs: 173801 ( 695204 Kb)
Free NP PTEs: 32766 ( 131064 Kb)
Free Special NP: 0 ( 0 Kb)
Modified Pages: 202 ( 808 Kb)
Modified PF Pages: 202 ( 808 Kb)
NonPagedPool Usage: 7565 ( 30260 Kb)
NonPagedPool Max: 65536 ( 262144 Kb)
PagedPool 0 Usage: 9806 ( 39224 Kb)
PagedPool 1 Usage: 3665 ( 14660 Kb)
PagedPool 2 Usage: 3688 ( 14752 Kb)
PagedPool 3 Usage: 3643 ( 14572 Kb)
PagedPool 4 Usage: 3636 ( 14544 Kb)
PagedPool Usage: 24438 ( 97752 Kb)
PagedPool Maximum: 92160 ( 368640 Kb)
Shared Commit: 5223 ( 20892 Kb)
Special Pool: 0 ( 0 Kb)
Shared Process: 3566 ( 14264 Kb)
PagedPool Commit: 24438 ( 97752 Kb)
Driver Commit: 4490 ( 17960 Kb)
Committed pages: 210183 ( 840732 Kb)
Commit limit: 876542 ( 3506168 Kb)

Total Private: 166545 ( 666180 Kb)
0a7c war3.exe 57184 ( 228736 Kb)
0750 firefox.exe 27261 ( 109044 Kb)
0080 iexplore.exe 27193 ( 108772 Kb)
01d4 avp.exe 10246 ( 40984 Kb)
039c vsmon.exe 8637 ( 34548 Kb)
07a4 RTHDCPL.exe 4920 ( 19680 Kb)
02f4 svchost.exe 4683 ( 18732 Kb)
0444 HDSentinel.exe 4172 ( 16688 Kb)
0360 explorer.exe 4046 ( 16184 Kb)
075c zlclient.exe 2977 ( 11908 Kb)
0598 winlogon.exe 2025 ( 8100 Kb)
05d0 lsass.exe 1099 ( 4396 Kb)
0408 vmware-authd.ex 1095 ( 4380 Kb)
02ec IDMan.exe 1064 ( 4256 Kb)
0500 svchost.exe 980 ( 3920 Kb)
0704 avp.exe 978 ( 3912 Kb)
0524 xRaidSetup.exe 865 ( 3460 Kb)
01f8 spoolsv.exe 861 ( 3444 Kb)
0680 svchost.exe 783 ( 3132 Kb)
0428 nvsvc32.exe 698 ( 2792 Kb)
044c svchost.exe 640 ( 2560 Kb)
06ec rundll32.exe 636 ( 2544 Kb)
07f8 SoundMan.exe 509 ( 2036 Kb)
06b8 svchost.exe 504 ( 2016 Kb)
0580 csrss.exe 492 ( 1968 Kb)
05c4 services.exe 470 ( 1880 Kb)
0688 svchost.exe 433 ( 1732 Kb)
0d58 alg.exe 330 ( 1320 Kb)
0c90 ping.exe 288 ( 1152 Kb)
0480 vmnat.exe 232 ( 928 Kb)
02b0 vmnetdhcp.exe 195 ( 780 Kb)
036c smss.exe 42 ( 168 Kb)
0004 System 7 ( 28 Kb)
0484 war3.exe 0 ( 0 Kb)

Did you have a problem with Warcraft 3?
There are 2 processes war3.exe, one has an elapsed time of ~4 days and has 0 handles, implying the process did not close properly - the second instance has been running ~18 hours:

1: kd> !process 0 0 war3.exe
PROCESS 892f1020 SessionId: 0 Cid: 0484 Peb: 7ffd5000 ParentCid: 0f88
DirBase: 0b180440 ObjectTable: 00000000 HandleCount: 0.
Image: war3.exe

PROCESS 8924d020 SessionId: 0 Cid: 0a7c Peb: 7ffde000 ParentCid: 0e80
DirBase: 0b180460 ObjectTable: e60de848 HandleCount: 2920.
Image: war3.exe

You also have VMWare installed, so it might be these 2 products (Zone Labs and VMWare) not playing nicely:

1: kd> lmvm vm*
start end module name
b178e000 b1798480 vmci (export symbols) vmci.sys
Loaded symbol image file: vmci.sys
Image path: \??\C:\WINDOWS\system32\Drivers\vmci.sys
Image name: vmci.sys
Timestamp: Thu Jun 19 02:45:11 2008 (4859AC17)
CheckSum: 000102A1
ImageSize: 0000A480
File version: 6.5.0.3129
Product version: 6.5.0.3129
File flags: 0 (Mask 3F)
File OS: 40004 NT Win32
File type: 3.7 Driver
File date: 00000000.00000000
Translations: 0409.04b0
CompanyName: VMware, Inc.
ProductName: VMware kernel driver
InternalName: vmci.sys
OriginalFilename: vmci.sys
ProductVersion: e.x.p build-99530
FileVersion: e.x.p
FileDescription: VMware kernel driver
LegalCopyright: Copyright © 1998-2008 VMware, Inc.

b335e000 b3364000 vmnetbridge (no symbols)
Loaded symbol image file: vmnetbridge.sys
Image path: \SystemRoot\system32\DRIVERS\vmnetbridge.sys
Image name: vmnetbridge.sys
Timestamp: Thu Jun 19 03:26:56 2008 (4859B5E0)
CheckSum: 00015E55
ImageSize: 00006000
Translations: 0000.04b0 0000.04e0 0409.04b0 0409.04e0

b54b5000 b54b9c00 vmnetuserif (no symbols)
Loaded symbol image file: vmnetuserif.sys
Image path: \??\C:\WINDOWS\system32\drivers\vmnetuserif.sys
Image name: vmnetuserif.sys
Timestamp: Thu Jun 19 03:26:32 2008 (4859B5C8)
CheckSum: 00015C3F
ImageSize: 00004C00
Translations: 0000.04b0 0000.04e0 0409.04b0 0409.04e0

b9b43000 b9b46b00 VMkbd (no symbols)
Loaded symbol image file: VMkbd.sys
Image path: \??\C:\WINDOWS\system32\drivers\VMkbd.sys
Image name: VMkbd.sys
Timestamp: Thu Jun 19 04:19:43 2008 (4859C23F)
CheckSum: 00005A54
ImageSize: 00003B00
Translations: 0000.04b0 0000.04e0 0409.04b0 0409.04e0

ba067000 ba069f00 VMNET (export symbols) VMNET.SYS
Loaded symbol image file: VMNET.SYS
Image path: \SystemRoot\system32\DRIVERS\VMNET.SYS
Image name: VMNET.SYS
Timestamp: Thu Jun 19 03:26:22 2008 (4859B5BE)
CheckSum: 0000772F
ImageSize: 00002F00
File version: 4.0.2.0
Product version: 4.0.2.0
File flags: 0 (Mask 3F)
File OS: 40004 NT Win32
File type: 3.7 Driver
File date: 00000000.00000000
Translations: 0409.04b0
CompanyName: VMware, Inc.
ProductName: VMware virtual network driver (32-bit)
InternalName: VMnet.sys
OriginalFilename: VMnet.sys
ProductVersion: 4.0.2.0 build-99530
FileVersion: 4.0.2.0
FileDescription: VMware virtual network driver (32-bit)
LegalCopyright: Copyright © 1998-2008 VMware, Inc.

bada4000 bada6680 vmnetadapter (no symbols)
Loaded symbol image file: vmnetadapter.sys
Image path: \SystemRoot\system32\DRIVERS\vmnetadapter.sys
Image name: vmnetadapter.sys
Timestamp: Thu Jun 19 03:26:25 2008 (4859B5C1)
CheckSum: 0000BC14
ImageSize: 00002680
Translations: 0000.04b0 0000.04e0 0409.04b0 0409.04e0

badbe000 badc0000 VMparport (no symbols)
Loaded symbol image file: VMparport.sys
Image path: \??\C:\WINDOWS\system32\Drivers\VMparport.sys
Image name: VMparport.sys
Timestamp: Thu Jun 19 02:44:23 2008 (4859ABE7)
CheckSum: 0001193F
ImageSize: 00002000
File version: 6.5.0.3129
Product version: 6.5.0.3129
File flags: 0 (Mask 3F)
File OS: 40004 NT Win32
File type: 3.7 Driver
File date: 00000000.00000000
Translations: 0409.04b0
CompanyName: VMware, Inc.
ProductName: VMware parallel port driver
InternalName: VMparport.sys
OriginalFilename: VMparport.sys
ProductVersion: e.x.p build-99530
FileVersion: e.x.p
FileDescription: VMware parallel port driver
LegalCopyright: Copyright © 1998-2008 VMware, Inc.

Onboard Marvell Yukon NIC driver seems pretty recent:

1: kd> !sysinfo machineid
Machine ID Information [From Smbios 2.4, DMIVersion 36, Size=1197]
BiosVendor = Award Software International, Inc.
BiosVersion = F10H
BiosReleaseDate = 04/24/2008
SystemManufacturer = Gigabyte Technology Co., Ltd.
SystemProductName = 965G-DS3
SystemFamily =
SystemVersion =
SystemSKU =
BaseBoardManufacturer = Gigabyte Technology Co., Ltd.
BaseBoardProduct = 965G-DS3
BaseBoardVersion =

1: kd> lmvm yk*
start end module name
b9420000 b9466880 yk51x86 (no symbols)
Loaded symbol image file: yk51x86.sys
Image path: \SystemRoot\system32\DRIVERS\yk51x86.sys
Image name: yk51x86.sys
Timestamp: Tue May 20 15:03:14 2008 (4832CC12)
CheckSum: 00054588
ImageSize: 00046880
Translations: 0000.04b0 0000.04e0 0409.04b0 0409.04e0

Depending on how consistent the dumps are (always have the same stack or the same drivers in the stack, same bugcheck code, etc.) this could be a RAM fault as it's nonpaged pool (resident in physical memory), but I would be more inclined to believe a driver fault.

I would go down the route of either uninstalling VMWare to see if the problem goes away, or the Zone Labs software so long as you are behind a NAT router.

Or wait until the next dump is produced and we can check for consistency (i.e. always network-related activity on the crashing thread stack).

A few hours testing overnight with memtest86 would not be a bad idea either.

My TechNet Blog
I have CDO. It's like OCD except the letters are in alphabetical order, as they should be.
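
The cross-checks behind the analysis in post #11, as an added example that is not part of the original thread: it decodes the pool header from the `dc` line, ties it to the bugcheck arguments, and finds the first symbol-less module below the free call. The 32-bit POOL_HEADER bit layout and all function names are assumptions of this example; the input values are copied from the post.

```python
import re
import struct

# Values copied from the debugger output in post #11.
BUGCHECK_ARGS = (0x00000007, 0x00000CD4, 0x02060001, 0x888AC380)
DC_LINE = "888ac378 02060001 63504354 88adb188 00000000 ....TCPc........"
STACK_TEXT = """\
bacf78b8 8054b583 000000c2 00000007 00000cd4 nt!KeBugCheckEx+0x1b
bacf7908 ae962782 888ac380 00000000 bacf7950 nt!ExFreePoolWithTag+0x2a3
bacf7918 ae962450 888f9c68 888f9cfc 888f9cfc tcpip!TCPClose+0x16
bacf7950 ae8ef0c1 8a0af5e8 888f9c68 ae8ee9cd tcpip!TCPDispatch+0x101
bacf795c ae8ee9cd 8a0af5e8 888f9c68 00000002 vsdatant+0x450c1
bacf7990 ae8ef04a 8a0af5e8 888f9c68 888f9c68 vsdatant+0x449cd
bacf79b4 ae8eeee7 897e87a0 ae8ef057 888f9c68 vsdatant+0x4504a
bacf79bc ae8ef057 888f9c68 8a0ab5e0 8a0a60d8 vsdatant+0x44ee7
bacf79ec 8053721f 00000000 bacf7a28 80537283 vsdatant+0x45057
bacf7a40 bab384c9 ae999690 bab384d4 ae998000 nt!ExNotifyCallback+0x43
bacf7a58 ae965c0b 02999680 ae965c16 898636f4 TDI!CTEScheduleDelayedEvent+0x35
bacf7a70 ae95b65a 8a0b0da8 02cf7ab0 00000001 tcpip!LoopXmit+0x6a
bacf7aa0 ae95b79f ae9994c0 0100007f 88bf0880 tcpip!SendIPPacket+0x193
bacf7bec 888e5d68 00000000 89032c68 00000000 tcpip!IPTransmit+0x289e
bacf7c48 804ef18f 8a0af5e8 888f9c68 888f9c68 0x888e5d68
"""

# Assumption (not stated in the thread): 32-bit POOL_HEADER bitfields are
# PreviousSize:9, PoolIndex:7, BlockSize:9, PoolType:7, with sizes counted
# in 8-byte units and an 8-byte header in front of the caller's block.
POOL_UNIT = 8
POOL_HEADER_BYTES = 8


def decode_header_dword(dword0):
    """Split the first dword of a pool header into its bitfields."""
    return {
        "raw": dword0,
        "previous_size": (dword0 & 0x1FF) * POOL_UNIT,
        "pool_index": (dword0 >> 9) & 0x7F,
        "block_size": ((dword0 >> 16) & 0x1FF) * POOL_UNIT,
        "pool_type": (dword0 >> 25) & 0x7F,  # raw field value, not interpreted
    }


def decode_dc_line(dc_line):
    """Decode a 'dc' line that starts at a pool header: address, header, tag."""
    fields = dc_line.split()
    hdr = decode_header_dword(int(fields[1], 16))
    hdr["header_addr"] = int(fields[0], 16)
    # The tag dword is stored little-endian, so 63504354 reads as 'TCPc'.
    hdr["tag"] = struct.pack("<I", int(fields[2], 16)).decode("latin-1")
    return hdr


def check_bugcheck_against_header(args, hdr):
    """Named checks tying the 0xC2 arguments to the decoded header."""
    arg1, _arg2, arg3, arg4 = args
    return {
        "arg1_is_already_freed": arg1 == 0x7,
        "arg3_is_header_dword": arg3 == hdr["raw"],
        "arg4_is_block_after_header": arg4 == hdr["header_addr"] + POOL_HEADER_BYTES,
    }


FRAME_RE = re.compile(r"^(?:[0-9a-f]{8} ){5}(\S+)$")


def parse_frames(stack_text):
    """Return (module, has_symbols, location) per frame; module is None
    when the debugger could only print a raw address."""
    frames = []
    for line in stack_text.splitlines():
        m = FRAME_RE.match(line.strip())
        if not m:
            continue
        loc = m.group(1)
        if "!" in loc:
            frames.append((loc.split("!")[0], True, loc))
        elif loc.startswith("0x"):
            frames.append((None, False, loc))
        else:
            frames.append((loc.split("+")[0], False, loc))
    return frames


def first_unsymbolized_caller(frames, routine="ExFreePoolWithTag"):
    """Heuristic: first module without symbols found below the free call."""
    seen_free = False
    for module, has_symbols, loc in frames:
        if has_symbols and loc.split("!")[1].startswith(routine + "+"):
            seen_free = True
        elif seen_free and module is not None and not has_symbols:
            return module
    return None


if __name__ == "__main__":
    hdr = decode_dc_line(DC_LINE)
    print("tag=%s size=%#x previous=%#x" % (hdr["tag"], hdr["block_size"], hdr["previous_size"]))
    print(check_bugcheck_against_header(BUGCHECK_ARGS, hdr))
    print("first symbol-less module below the free:", first_unsymbolized_caller(parse_frames(STACK_TEXT)))
```

The decoded size and previous size agree with the `!pool` line for 888ac378 (size 30, previous size 8), which is what supports the assumed bit layout for this dump.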


#12
gOber

gOber

    Newbie

  • Member
  • 24 posts
  • Joined 22-July 08

gOber, this is completely off-topic, but do you have a "ram optimizer" in that screenshot? :P

What do you mean? I do not understand, sir. Please tell me in more detail because I'm a newbie :blushing:

#13
gOber

gOber

    Newbie

  • Member
  • 24 posts
  • Joined 22-July 08
Dear Mr Snrub,

Thank you for your all reply sir....

The problem in this dump is a "double free" of a nonpaged pool allocation - a driver has already freed up an allocation and then tries to free it again, so it's not a corruption and not something you can trap easily with a crash dump (if at all).

The culprit driver here looks like Zone Labs' vsdatant.sys - I'm guessing Zone Alarm or the security suite.


So must I uninstall ZoneLabs or discuss it with the ZA forum?

Virtual memory and running process summary shows no particular issue:

Ok thanks

Did you have a problem with Warcraft 3?
There are 2 processes war3.exe, one has an elapsed time of ~4 days and has 0 handles, implying the process did not close properly - the second instance has been running ~18 hours:

Yes, mostly I got the BSOD when I played Warcraft 3 (DOTA). But I already installed the latest VGA driver and it is still the same.

You also have VMWare installed, so it might be these 2 products (Zone Labs and VMWare) not playing nicely:

Onboard Marvell Yukon NIC driver seems pretty recent:

So, I must uninstall this software? Or update to the latest version?

Depending on how consistent the dumps are (always have the same stack or the same drivers in the stack, same bugcheck code, etc.) this could be a RAM fault as it's nonpaged pool (resident in physical memory), but I would be more inclined to believe a driver fault.

I would go down the route of either uninstalling VMWare to see if the problem goes away, or the Zone Labs software so long as you are behind a NAT router.

Or wait until the next dump is produced and we can check for consistency (i.e. always network-related activity on the crashing thread stack).

A few hours testing overnight with memtest86 would not be a bad idea either.


Mr. Snrub... do you think my memory has an error? If yes, maybe I must buy a new one?

Sorry if my English is too bad

Thanks
gOber


#14
mara-

mara-

    Office Integrator Developer

  • Member
  • 1,181 posts
  • Joined 19-February 07
  • OS:Windows 7 x64
He suggested that the problem might be ZoneAlarm. If you have it, remove it and see if you'll get a BSOD again.

Cheers ;)

#15
gOber

gOber

    Newbie

  • Member
  • 24 posts
  • Joined 22-July 08

He suggested that the problem might be ZoneAlarm. If you have it, remove it and see if you'll get a BSOD again.

Cheers ;)


Hi,

OK, thanks... btw, can I only disable ZA, or must I fully uninstall it?

Thanks
gOber

#16
cluberti

cluberti

    Gustatus similis pullus

  • Supervisor
  • 11,253 posts
  • Joined 09-September 01
  • OS:Windows 8.1 x64

Hi,

OK, thanks... btw, can I only disable ZA, or must I fully uninstall it?

Thanks
gOber

To remove filter drivers, you MUST uninstall. Disabling leaves the drivers intact and enabled, just without any work to do from the controlling application in user-mode. Since the problem with a filter driver can happen regardless of whether the app is enabled or not, you have to actually uninstall to do a valid test.
MCTS Windows Internals, MCITP Server 2008 EA, MCTS MDT/BDD, MCSE/MCSA Server 2003, Server 2012, Windows 8

#17
gOber

gOber

    Newbie

  • Member
  • 24 posts
  • Joined 22-July 08

Hi,

OK, thanks... btw, can I only disable ZA, or must I fully uninstall it?

Thanks
gOber

To remove filter drivers, you MUST uninstall. Disabling leaves the drivers intact and enabled, just without any work to do from the controlling application in user-mode. Since the problem with a filter driver can happen regardless of whether the app is enabled or not, you have to actually uninstall to do a valid test.


Hello,

OK, thank you for your response. Maybe I will try uninstalling VMware, then let's see; tomorrow I will report to you.

Thanks
gOber

#18
gOber

gOber

    Newbie

  • Member
  • 24 posts
  • Joined 22-July 08
Hello Again,

I already uninstalled VMware and still got a BSOD :( but I still keep my firewall because I'm still waiting for an email from Microsoft to see my dump report.

I will report again later.

thanks
Anton

#19
gOber

gOber

    Newbie

  • Member
  • 24 posts
  • Joined 22-July 08
Hi Mr Snrub,

Could you please check my last minidump file? Please download my attachment.

thank you

gOber

#20
Mr Snrub

Mr Snrub

    Former MSFT

  • Super Moderator
  • 775 posts
  • Joined 14-September 04
  • OS:Windows 8 x64
Only a minidump, so not much info to extract, but it's the same bugcheck and underlying reason - an attempt to free a memory allocation which has already been freed.

Windows XP Kernel Version 2600 (Service Pack 3) MP (2 procs) Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 2600.xpsp.080413-2111
Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055d720
Debug session time: Tue Aug 26 16:14:51.406 2008 (GMT+2)
System Uptime: 0 days 4:47:58.968

BAD_POOL_CALLER (c2)
The current thread is making a bad pool request. Typically this is at a bad IRQL level or double freeing the same allocation, etc.
Arguments:
Arg1: 00000007, Attempt to free pool which was already freed
Arg2: 00000cd4, (reserved)
Arg3: 02130007, Memory contents of the pool block
Arg4: 88c100d8, Address of the block of pool being deallocated

STACK_TEXT:
bacebcd4 8054b583 000000c2 00000007 00000cd4 nt!KeBugCheckEx+0x1b
bacebd24 805c1014 88c100d8 00000000 88e84ee0 nt!ExFreePoolWithTag+0x2a3
bacebd4c 805bb46e 00000000 88e84ef8 00000001 nt!ObpFreeObject+0x142
bacebd64 805bb8b8 88e84ef8 00000001 80562f20 nt!ObpRemoveObjectRoutine+0xe8
bacebd7c 8053876d 00000000 00000000 8a5bd020 nt!ObpProcessRemoveObjectQueue+0x36
bacebdac 805cff64 00000000 00000000 00000000 nt!ExpWorkerThread+0xef
bacebddc 805460de 8053867e 00000000 00000000 nt!PspSystemThreadStartup+0x34
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16

1: kd> !pool 88c100d8
Pool page 88c100d8 region is Unknown
88c10000 size: 98 previous size: 0 (Allocated) File (Protected)
88c10098 size: 38 previous size: 98 (Free) ....
*88c100d0 size: 98 previous size: 38 (Free ) *File (Protected)
Pooltag File : File objects
88c10168 size: a0 previous size: 98 (Free ) AfdC (Protected)
88c10208 size: 20 previous size: a0 (Allocated) ReTa
...

// Here is the raw dump of the problematic pool allocation:
1: kd> dc 88c100d0 88c10168-1
88c100d0 02130007 e56c6946 88b72330 00000000 ....Fil.0#......
88c100e0 00000000 00000000 bad0b0b0 c2000800 ................
88c100f0 00000000 00000000 00700005 8a077cf0 ..........p..|..
88c10100 00000000 88cdb350 00000002 00000000 ....P...........
88c10110 00000000 00000000 00000000 00000000 ................
88c10120 00000000 00040000 00000000 00000000 ................
88c10130 00000000 00000000 00000000 00000000 ................
88c10140 00000000 00000000 00000000 00000000 ................
88c10150 00000000 00040000 00000000 88c1015c ............\...
88c10160 88c1015c 00000000

// The pool allocation immediately before is also freed (looks like some USB communication driver allocation), but doesn't appear to have been a typical overrun as the header after is still intact:
1: kd> dc 88c10098 88c100d0-1
88c10098 00070013 00000000 89373c88 89309c50 .........<7.P.0.
88c100a8 88b9c748 00000000 00000010 88d816a0 H...............
88c100b8 022a0004 70627375 8a5246a8 0000020e ..*.usbp.FR.....
88c100c8 00000144 00000100 D.......

Can't see from this dump what driver was freeing the memory, but as before it could be the victim not the cause - this allocation was last used for a File object, where before it was related to networking (TCP).

The following driver I thought was installed by VMWare for its emulated NIC, but it is still loaded in this dump, and look at the date on it...

1: kd> lmvm el90xbc5
start end module name
b94dd000 b94ed400 el90xbc5 (deferred)
Image path: el90xbc5.sys
Image name: el90xbc5.sys
Timestamp: Tue Jul 17 01:40:19 2001 (3B537B63)
CheckSum: 0001DD13
ImageSize: 00010400
File version: 4.5.0.0
Product version: 5.0.0.0
File flags: 8 (Mask 3F) Private
File OS: 40004 NT Win32
File type: 3.6 Driver
File date: 00000000.00000000
Translations: 0409.04b0
CompanyName: 3Com Corporation
ProductName: 3Com EtherLink PCI
InternalName: EL90XBC5.SYS
OriginalFilename: EL90XBC5.SYS
ProductVersion: 5.00
FileVersion: 4.05.00.0000
FileDescription: 3Com EtherLink PCI Driver
LegalCopyright: Copyright 1994-2001, 3Com Corporation.

I don't think this is an onboard device from the last time I checked the specs, so if you don't have one of these installed it may be a good idea to see if it's in Device Manager, and maybe even rename/delete the file on disk to prevent it being loaded.
Though it's not a filter driver so I don't see how it should be interfering... I'd stick with the ZoneAlarm plan for now.

My TechNet Blog
I have CDO. It's like OCD except the letters are in alphabetical order, as they should be.
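
The sizes and the tag that !pool prints in the post above can be recomputed from the first two dwords of the dc output, which is also how the "header after is still intact" check works. This is an added example, not part of the original post; it assumes the 32-bit XP-era pool header layout (9-bit PreviousSize, 7-bit PoolIndex, 9-bit BlockSize, 7-bit PoolType, sizes in 8-byte units, top tag bit meaning Protected), and the function names are made up for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define POOL_UNIT 8u            /* assumed: x86 pool sizes are stored in 8-byte units */
#define POOL_HDR_SIZE 8u        /* header = Ulong1 + PoolTag, 4 bytes each */

struct pool_hdr {
    uint32_t prev_size;         /* bytes */
    uint32_t pool_index;
    uint32_t block_size;        /* bytes, header included */
    uint32_t pool_type;         /* raw 7-bit field, not interpreted here */
    int      tag_protected;     /* top bit of the tag dword */
    char     tag[5];
};

/* Split the first header dword into its bit fields and unpack the tag. */
static struct pool_hdr decode_pool_header(uint32_t ulong1, uint32_t tag)
{
    struct pool_hdr h;
    h.prev_size     = (ulong1 & 0x1FFu) * POOL_UNIT;           /* bits 0-8   */
    h.pool_index    = (ulong1 >> 9) & 0x7Fu;                   /* bits 9-15  */
    h.block_size    = ((ulong1 >> 16) & 0x1FFu) * POOL_UNIT;   /* bits 16-24 */
    h.pool_type     = (ulong1 >> 25) & 0x7Fu;                  /* bits 25-31 */
    h.tag_protected = (int)(tag >> 31);
    for (int i = 0; i < 4; i++) {
        unsigned c = (tag >> (8 * i)) & (i == 3 ? 0x7Fu : 0xFFu);
        h.tag[i] = (c >= 0x20 && c < 0x7F) ? (char)c : '.';
    }
    h.tag[4] = '\0';
    return h;
}

/* Adjacent headers agree when A ends where B starts and B records A's size. */
static int headers_linked(uint32_t addr_a, uint32_t ul_a, uint32_t addr_b, uint32_t ul_b)
{
    struct pool_hdr a = decode_pool_header(ul_a, 0), b = decode_pool_header(ul_b, 0);
    return addr_a + a.block_size == addr_b && b.prev_size == a.block_size;
}

int main(void)
{
    /* Values copied from the dc output in the post above. */
    struct pool_hdr h = decode_pool_header(0x02130007u, 0xe56c6946u);
    printf("88c100d0 size %x prev %x tag %s%s body at %08x\n", h.block_size, h.prev_size,
           h.tag, h.tag_protected ? " (Protected)" : "", 0x88c100d0u + POOL_HDR_SIZE);
    printf("88c10098 -> 88c100d0 linked: %d\n",
           headers_linked(0x88c10098u, 0x00070013u, 0x88c100d0u, 0x02130007u));
    return 0;
}
```

The body address it prints, 88c100d8, is the header address plus the 8-byte header, which is the Arg4 value in the bugcheck.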


#21
gOber

gOber

    Newbie

  • Member
  • 24 posts
  • Joined 22-July 08

Only a minidump, so not much info to extract, but it's the same bugcheck and underlying reason - an attempt to free a memory allocation which has already been freed.

Thanks, but Microsoft support asked me to do a minidump. But I am still waiting for a reply from Microsoft.

Can't see from this dump what driver was freeing the memory, but as before it could be the victim not the cause - this allocation was last used for a File object, where before it was related to networking (TCP).

The following driver I thought was installed by VMWare for its emulated NIC, but it is still loaded in this dump, and look at the date on it...

1: kd> lmvm el90xbc5
start end module name
b94dd000 b94ed400 el90xbc5 (deferred)
Image path: el90xbc5.sys
Image name: el90xbc5.sys
Timestamp: Tue Jul 17 01:40:19 2001 (3B537B63)
CheckSum: 0001DD13
ImageSize: 00010400
File version: 4.5.0.0
Product version: 5.0.0.0
File flags: 8 (Mask 3F) Private
File OS: 40004 NT Win32
File type: 3.6 Driver
File date: 00000000.00000000
Translations: 0409.04b0
CompanyName: 3Com Corporation
ProductName: 3Com EtherLink PCI
InternalName: EL90XBC5.SYS
OriginalFilename: EL90XBC5.SYS
ProductVersion: 5.00
FileVersion: 4.05.00.0000
FileDescription: 3Com EtherLink PCI Driver
LegalCopyright: Copyright 1994-2001, 3Com Corporation.

I don't think this is an onboard device from the last time I checked the specs, so if you don't have one of these installed it may be a good idea to see if it's in Device Manager, and maybe even rename/delete the file on disk to prevent it being loaded.
Though it's not a filter driver so I don't see how it should be interfering... I'd stick with the ZoneAlarm plan for now.

Yes, the 3Com is not an onboard device. That is for my LAN network, but I never use it anymore. I use the onboard network for my internet connection.

OK, I will try uninstalling ZA later, after I get the email from Microsoft.

Btw, do you have another option besides ZoneAlarm?


Thanks
gOber


#22
Mr Snrub

Mr Snrub

    Former MSFT

  • Super Moderator
  • 775 posts
  • Joined 14-September 04
  • OS:Windows 8 x64
I used Zone Alarm Pro years ago, but found that it got slower and filled with more features that I didn't want in a personal firewall solution and so dumped it once the license expired.

Now I just use the built-in Windows Firewall, and rely on:
- NAT router to drop external attack attempts before they even reach any clients
- Windows Defender and anti-virus for malware detection
- UAC to prompt when a program is trying to do "something administrative" (I use Vista)
- common sense when browsing, downloading & receiving emails with attachments I don't expect or recognise

(As the NAT router takes care of the perimeter, the Windows Firewall is just protecting each client from its peers, just in case something managed to get in and hit one of the clients.)



#23
gOber

gOber

    Newbie

  • Member
  • 24 posts
  • Joined 22-July 08

I used Zone Alarm Pro years ago, but found that it got slower and filled with more features that I didn't want in a personal firewall solution and so dumped it once the license expired.

Now I just use the built-in Windows Firewall, and rely on:
- NAT router to drop external attack attempts before they even reach any clients
- Windows Defender and anti-virus for malware detection
- UAC to prompt when a program is trying to do "something administrative" (I use Vista)
- common sense when browsing, downloading & receiving emails with attachments I don't expect or recognise

(As the NAT router takes care of the perimeter, the Windows Firewall is just protecting each client from its peers, just in case something managed to get in and hit one of the clients.)


Thanks for your information, sir... but I don't have a router... only a normal modem.

OK, I will report to you again later, Snrub. Sorry if my English is too bad.

Thanks again
gOber



