gOber

Bad_pool_caller

23 posts in this topic

Hi,

OK, thanks... BTW, can I only disable ZA, or must I fully uninstall it?

Thanks

gOber

To remove filter drivers, you MUST uninstall. Disabling leaves the drivers intact and enabled, just without any work to do from the controlling application in user-mode. Since the problem with a filter driver can happen regardless of whether the app is enabled or not, you have to actually uninstall to do a valid test.


Hello,

OK, thank you for your response. Maybe I will try uninstalling VMware, then let's see; tomorrow I will report to you.

Thanks

gOber


Hello Again,

I already uninstalled VMware and still got a BSOD :( but I am still keeping my firewall because I'm still waiting for an email from Microsoft to see my dump report.

I will report again later.

Thanks

Anton


Only a minidump, so not much info to extract, but it's the same bugcheck and underlying reason - an attempt to free a memory allocation which has already been freed.

Windows XP Kernel Version 2600 (Service Pack 3) MP (2 procs) Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 2600.xpsp.080413-2111
Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055d720
Debug session time: Tue Aug 26 16:14:51.406 2008 (GMT+2)
System Uptime: 0 days 4:47:58.968

BAD_POOL_CALLER (c2)
The current thread is making a bad pool request. Typically this is at a bad IRQL level or double freeing the same allocation, etc.
Arguments:
Arg1: 00000007, Attempt to free pool which was already freed
Arg2: 00000cd4, (reserved)
Arg3: 02130007, Memory contents of the pool block
Arg4: 88c100d8, Address of the block of pool being deallocated

STACK_TEXT:
bacebcd4 8054b583 000000c2 00000007 00000cd4 nt!KeBugCheckEx+0x1b
bacebd24 805c1014 88c100d8 00000000 88e84ee0 nt!ExFreePoolWithTag+0x2a3
bacebd4c 805bb46e 00000000 88e84ef8 00000001 nt!ObpFreeObject+0x142
bacebd64 805bb8b8 88e84ef8 00000001 80562f20 nt!ObpRemoveObjectRoutine+0xe8
bacebd7c 8053876d 00000000 00000000 8a5bd020 nt!ObpProcessRemoveObjectQueue+0x36
bacebdac 805cff64 00000000 00000000 00000000 nt!ExpWorkerThread+0xef
bacebddc 805460de 8053867e 00000000 00000000 nt!PspSystemThreadStartup+0x34
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16

1: kd> !pool 88c100d8
Pool page 88c100d8 region is Unknown
88c10000 size: 98 previous size: 0 (Allocated) File (Protected)
88c10098 size: 38 previous size: 98 (Free) ....
*88c100d0 size: 98 previous size: 38 (Free ) *File (Protected)
Pooltag File : File objects
88c10168 size: a0 previous size: 98 (Free ) AfdC (Protected)
88c10208 size: 20 previous size: a0 (Allocated) ReTa
...

// Here is the raw dump of the problematic pool allocation:

1: kd> dc 88c100d0 88c10168-1
88c100d0 02130007 e56c6946 88b72330 00000000 ....Fil.0#......
88c100e0 00000000 00000000 bad0b0b0 c2000800 ................
88c100f0 00000000 00000000 00700005 8a077cf0 ..........p..|..
88c10100 00000000 88cdb350 00000002 00000000 ....P...........
88c10110 00000000 00000000 00000000 00000000 ................
88c10120 00000000 00040000 00000000 00000000 ................
88c10130 00000000 00000000 00000000 00000000 ................
88c10140 00000000 00000000 00000000 00000000 ................
88c10150 00000000 00040000 00000000 88c1015c ............\...
88c10160 88c1015c 00000000

// The pool allocation immediately before is also freed (looks like some USB communication driver allocation), but doesn't appear to have been a typical overrun as the header after is still intact:

1: kd> dc 88c10098 88c100d0-1
88c10098 00070013 00000000 89373c88 89309c50 .........<7.P.0.
88c100a8 88b9c748 00000000 00000010 88d816a0 H...............
88c100b8 022a0004 70627375 8a5246a8 0000020e ..*.usbp.FR.....
88c100c8 00000144 00000100 D.......

Can't see from this dump what driver was freeing the memory, but as before it could be the victim not the cause - this allocation was last used for a File object, where before it was related to networking (TCP).

The following driver I thought was installed by VMWare for its emulated NIC, but it is still loaded in this dump, and look at the date on it...

1: kd> lmvm el90xbc5
start end module name
b94dd000 b94ed400 el90xbc5 (deferred)
Image path: el90xbc5.sys
Image name: el90xbc5.sys
Timestamp: Tue Jul 17 01:40:19 2001 (3B537B63)
CheckSum: 0001DD13
ImageSize: 00010400
File version: 4.5.0.0
Product version: 5.0.0.0
File flags: 8 (Mask 3F) Private
File OS: 40004 NT Win32
File type: 3.6 Driver
File date: 00000000.00000000
Translations: 0409.04b0
CompanyName: 3Com Corporation
ProductName: 3Com EtherLink PCI
InternalName: EL90XBC5.SYS
OriginalFilename: EL90XBC5.SYS
ProductVersion: 5.00
FileVersion: 4.05.00.0000
FileDescription: 3Com EtherLink PCI Driver
LegalCopyright: Copyright 1994-2001, 3Com Corporation.

I don't think this is an onboard device from the last time I checked the specs, so if you don't have one of these installed it may be a good idea to see if it's in Device Manager, and maybe even rename/delete the file on disk to prevent it being loaded.

Though it's not a filter driver so I don't see how it should be interfering... I'd stick with the ZoneAlarm plan for now.

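The pool header values read off by eye in the post above can be checked mechanically. The following is an added example, not part of the original post: it assumes the 32-bit XP pool header layout (9-bit PreviousSize, 7-bit PoolIndex, 9-bit BlockSize, 7-bit PoolType, sizes in 8-byte units), and all function names are made up for illustration.

```python
import re
import struct

GRANULARITY = 8   # x86 pool sizes are stored in 8-byte units
HEADER_SIZE = 8   # x86 _POOL_HEADER is two dwords

# Lines copied from the `dc` output in the post above (ASCII column dropped).
DC_LINES = """\
88c10098 00070013 00000000 89373c88 89309c50
88c100d0 02130007 e56c6946 88b72330 00000000
"""
BUGCHECK_ARG3, BUGCHECK_ARG4 = 0x02130007, 0x88C100D8  # from the bugcheck text

def parse_dc(text):
    """Map address -> list of dwords for each `dc` line."""
    rows = {}
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        dwords = []
        for tok in tokens[1:5]:
            if not re.fullmatch(r"[0-9a-fA-F]{8}", tok):
                break  # reached the ASCII column
            dwords.append(int(tok, 16))
        rows[int(tokens[0], 16)] = dwords
    return rows

def decode_pool_header(dword0, dword1):
    """Split the two header dwords into the 9/7/9/7-bit fields plus the tag."""
    low, high = dword0 & 0xFFFF, dword0 >> 16
    raw = struct.pack("<I", dword1)
    tag = "".join(chr(b & 0x7F) if 0x20 <= (b & 0x7F) < 0x7F else "." for b in raw)
    return {
        "previous_size": (low & 0x1FF) * GRANULARITY,
        "pool_index": low >> 9,
        "block_size": (high & 0x1FF) * GRANULARITY,
        "pool_type_raw": high >> 9,   # raw field value, not interpreted here
        "tag": tag,
        "protected": bool(dword1 & 0x80000000),  # high bit of the tag dword
    }

def cross_check(rows, arg3, arg4):
    """Check that the two headers chain and match the bugcheck arguments."""
    (prev_addr, prev), (addr, cur) = sorted(rows.items())
    before, block = decode_pool_header(*prev[:2]), decode_pool_header(*cur[:2])
    return {
        "chain_ok": prev_addr + before["block_size"] == addr
                    and block["previous_size"] == before["block_size"],
        "arg3_is_header": cur[0] == arg3,
        "arg4_is_body": addr + HEADER_SIZE == arg4,
        "block": block,
    }

if __name__ == "__main__":
    print(cross_check(parse_dc(DC_LINES), BUGCHECK_ARG3, BUGCHECK_ARG4))
```

A consistent chain (each block's previous size equal to its neighbour's block size) is what the post means by the header after the freed neighbour being intact.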
Only a minidump, so not much info to extract, but it's the same bugcheck and underlying reason - an attempt to free a memory allocation which has already been freed.

Thanks, but Microsoft support asked me to do a minidump. But I am still waiting for a reply from Microsoft.


Yes, the 3Com is not an onboard device. It is for my LAN network, but I never use it any more. I use the onboard network for the internet connection.

OK, I will try uninstalling ZA later, after I get the email from Microsoft.....

BTW, do you have another option besides ZoneAlarm?

Thanks

gOber


I used Zone Alarm Pro years ago, but found that it got slower and filled with more features that I didn't want in a personal firewall solution and so dumped it once the license expired.

Now I just use the built-in Windows Firewall, and rely on:

- NAT router to drop external attack attempts before they even reach any clients

- Windows Defender and anti-virus for malware detection

- UAC to prompt when a program is trying to do "something administrative" (I use Vista)

- common sense when browsing, downloading & receiving emails with attachments I don't expect or recognise

(As the NAT router takes care of the perimeter, the Windows Firewall is just protecting each client from its peers, just in case something managed to get in and hit one of the clients.)


Thanks for your information, sir... but I don't have a router... only a normal modem....

OK, I will report to you again later, Snrub.... Sorry if my English is too bad...

Thanks again

gOber
