Avatar of stareonal
stareonal asked on

BSOD Bugcheck String: 0x000000c2 (0x00000007, 0x0000121a, 0x00000000, 0x8bde5818)

My server seems to reboot occasionally during veritas backup exec 11d backups.  Attached is the minidump.  Any help would be much appreciated.  Thank you.  Allan
Microsoft (R) Windows Debugger Version 6.9.0003.113 X86
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [C:\Documents and Settings\allan.NWMNS\Desktop\Minidump\MEMORY.DMP]
Kernel Summary Dump File: Only kernel address space is available

Symbol search path is: SRV*DownstreamStore*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows Server 2003 Kernel Version 3790 (Service Pack 2) MP (8 procs) Free x86 compatible
Product: LanManNt, suite: SmallBusiness TerminalServer SmallBusinessRestricted SingleUserTS
Built by: 3790.srv03_sp2_gdr.070304-2240
Kernel base = 0x80800000 PsLoadedModuleList = 0x808a6ea8
Debug session time: Tue May 20 15:10:01.733 2008 (GMT-6)
System Uptime: 0 days 10:56:14.463
Loading Kernel Symbols
..............................................................................................................................
Loading User Symbols

Loading unloaded module list
.......
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck C2, {7, 121a, 0, 8bde5818}

*** ERROR: Module load completed but symbols could not be loaded for naveng.sys
*** ERROR: Module load completed but symbols could not be loaded for navex15.sys
*** ERROR: Module load completed but symbols could not be loaded for EraserUtilRebootDrv.sys
*** ERROR: Module load completed but symbols could not be loaded for eeCtrl.sys
*** ERROR: Module load completed but symbols could not be loaded for SPBBCDrv.sys
*** ERROR: Module load completed but symbols could not be loaded for VirtFile.sys
*** ERROR: Module load completed but symbols could not be loaded for Savrtpel.sys
*** ERROR: Module load completed but symbols could not be loaded for SYMEVENT.SYS
*** ERROR: Module load completed but symbols could not be loaded for savrt.sys
*** ERROR: Module load completed but symbols could not be loaded for ati2mtag.sys
*** ERROR: Module load completed but symbols could not be loaded for e1e5132.sys
*** ERROR: Module load completed but symbols could not be loaded for scsichng.sys
*** ERROR: Module load completed but symbols could not be loaded for awlegacy.sys
*** ERROR: Module load completed but symbols could not be loaded for aw_host5.sys
*** ERROR: Module load completed but symbols could not be loaded for NTCMBASE.SYS
*** WARNING: Unable to verify timestamp for ati2dvag.dll
*** ERROR: Module load completed but symbols could not be loaded for ati2dvag.dll
*** WARNING: Unable to verify timestamp for ati2cqag.dll
*** ERROR: Module load completed but symbols could not be loaded for ati2cqag.dll
*** WARNING: Unable to verify timestamp for atikvmag.dll
*** ERROR: Module load completed but symbols could not be loaded for atikvmag.dll
*** WARNING: Unable to verify timestamp for vncdrv.dll
*** ERROR: Module load completed but symbols could not be loaded for vncdrv.dll
*** WARNING: Unable to verify timestamp for vnchelp.dll
*** ERROR: Module load completed but symbols could not be loaded for vnchelp.dll
*** WARNING: Unable to verify timestamp for ATMFD.DLL
*** ERROR: Module load completed but symbols could not be loaded for ATMFD.DLL
*** ERROR: Module load completed but symbols could not be loaded for ulsata2.sys
*** ERROR: Module load completed but symbols could not be loaded for msas2k3.sys
*** ERROR: Module load completed but symbols could not be loaded for vsp.sys
*** ERROR: Module load completed but symbols could not be loaded for bb-run.sys
*** ERROR: Module load completed but symbols could not be loaded for ioatdma.sys
*** ERROR: Module load completed but symbols could not be loaded for dump_msas2k3.sys
*** ERROR: Module load completed but symbols could not be loaded for DontGo.sys
*** ERROR: Module load completed but symbols could not be loaded for Gernuwa.sys
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for vncdrv.sys -
*** ERROR: Module load completed but symbols could not be loaded for awechomd.sys
*** ERROR: Module load completed but symbols could not be loaded for vnccom.SYS
Probably caused by : ntkrpamp.exe ( nt!ExFreePoolWithTag+477 )

Followup: MachineOwner
---------

5: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

BAD_POOL_CALLER (c2)
The current thread is making a bad pool request.  Typically this is at a bad IRQL level or double freeing the same allocation, etc.
Arguments:
Arg1: 00000007, Attempt to free pool which was already freed
Arg2: 0000121a, (reserved)
Arg3: 00000000, Memory contents of the pool block
Arg4: 8bde5818, Address of the block of pool being deallocated

Debugging Details:
------------------


POOL_ADDRESS:  8bde5818 Nonpaged pool

BUGCHECK_STR:  0xc2_7

DEFAULT_BUCKET_ID:  DRIVER_FAULT

PROCESS_NAME:  System

CURRENT_IRQL:  0

LAST_CONTROL_TRANSFER:  from 808927bb to 80827c63

STACK_TEXT:  
f791ac7c 808927bb 000000c2 00000007 0000121a nt!KeBugCheckEx+0x1b
f791ace4 8090fadb 8bde5818 00000000 8ba41c30 nt!ExFreePoolWithTag+0x477
f791ad00 808f945b 8bde5818 00000000 f791ad2c nt!IopDestroyDeviceNode+0x171
f791ad10 80933914 8ba41c58 80a5bf00 8ba41c40 nt!IopDeleteDevice+0x17
f791ad2c 8086c955 8ba41c58 00000000 e15ab358 nt!ObpRemoveObjectRoutine+0xdc
f791ad4c 80918b50 8bd773f0 88c9acc8 00000000 nt!ObfDereferenceObject+0x67
f791ad68 8090f6ba 00000000 808ae5fc 88c9acd0 nt!IopFreeRelationList+0x36
f791ad80 8088043d 88c9acc8 00000000 8bd773f0 nt!IopDelayedRemoveWorker+0x64
f791adac 80949b7c 88c9acc8 00000000 00000000 nt!ExpWorkerThread+0xeb
f791addc 8088e062 80880352 00000001 00000000 nt!PspSystemThreadStartup+0x2e
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16


STACK_COMMAND:  kb

FOLLOWUP_IP:
nt!ExFreePoolWithTag+477
808927bb ff75fc          push    dword ptr [ebp-4]

SYMBOL_STACK_INDEX:  1

SYMBOL_NAME:  nt!ExFreePoolWithTag+477

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: nt

IMAGE_NAME:  ntkrpamp.exe

DEBUG_FLR_IMAGE_TIMESTAMP:  45ec0a19

FAILURE_BUCKET_ID:  0xc2_7_nt!ExFreePoolWithTag+477

BUCKET_ID:  0xc2_7_nt!ExFreePoolWithTag+477

Followup: MachineOwner
---------

Additional info
Exchange 2003
Symantec AV 10.1.5
Symantec Mail Security for Microsoft Exchange 5.0.5.366
Intel S5000PSL MotherBoard
Intel RAID Controller SRCSAS18E
4GB RAM
2xIntelXeon E5320@1.86Ghz
SBSMicrosoft Server OSExchange

Avatar of undefined
Last Comment
stareonal

8/22/2022 - Mon
Sinder255248

Not sure if this is related but might be worth a call to MS:

http://support.microsoft.com/kb/888431
Sinder255248

Check your versions of ntkrpamp.exe to the ones on the above link.
ASKER
stareonal

It got me again this morning.  Below is the debug of the memory.dmp file...

Microsoft (R) Windows Debugger Version 6.9.0003.113 X86
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [C:\WINDOWS\MEMORY.DMP]
Kernel Summary Dump File: Only kernel address space is available

Symbol search path is: SRV*DownstreamStore*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows Server 2003 Kernel Version 3790 (Service Pack 2) MP (8 procs) Free x86 compatible
Product: LanManNt, suite: SmallBusiness TerminalServer SmallBusinessRestricted SingleUserTS
Built by: 3790.srv03_sp2_gdr.070304-2240
Kernel base = 0x80800000 PsLoadedModuleList = 0x808a6ea8
Debug session time: Wed May 21 09:47:14.755 2008 (GMT-6)
System Uptime: 0 days 18:34:15.089
Loading Kernel Symbols
.............................................................................................................................
Loading User Symbols

Loading unloaded module list
.........
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck C5, {0, d0000002, 1, 808921dd}

Probably caused by : Pool_Corruption ( nt!ExDeferredFreePool+1d7 )

Followup: Pool_corruption
---------

6: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

DRIVER_CORRUPTED_EXPOOL (c5)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high.  This is
caused by drivers that have corrupted the system pool.  Run the driver
verifier against any new (or suspect) drivers, and if that doesn't turn up
the culprit, then use gflags to enable special pool.
Arguments:
Arg1: 00000000, memory referenced
Arg2: d0000002, IRQL
Arg3: 00000001, value 0 = read operation, 1 = write operation
Arg4: 808921dd, address which referenced memory

Debugging Details:
------------------


BUGCHECK_STR:  0xC5_D0000002

CURRENT_IRQL:  2

FAULTING_IP:
nt!ExDeferredFreePool+1d7
808921dd 8937            mov     dword ptr [edi],esi

DEFAULT_BUCKET_ID:  DRIVER_FAULT

PROCESS_NAME:  System

TRAP_FRAME:  f7926bf8 -- (.trap 0xfffffffff7926bf8)
ErrCode = 00000002
eax=8bde9b80 ebx=00000000 ecx=000001ff edx=8bde9a58 esi=8b9d0a68 edi=00000000
eip=808921dd esp=f7926c6c ebp=f7926ca4 iopl=0         nv up ei ng nz ac pe cy
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010297
nt!ExDeferredFreePool+0x1d7:
808921dd 8937            mov     dword ptr [edi],esi  ds:0023:00000000=????????
Resetting default scope

LAST_CONTROL_TRANSFER:  from 808921dd to 8088c963

STACK_TEXT:  
f7926bf8 808921dd badb0d00 8bde9a58 8bd76b40 nt!KiTrap0E+0x2a7
f7926ca4 808928c3 808aeae0 8ba41808 8ba41830 nt!ExDeferredFreePool+0x1d7
f7926cfc 808f946e 8bc3b708 00000000 00000000 nt!ExFreePoolWithTag+0x57f
f7926d10 80933914 8ba41830 80a5bf00 8ba41818 nt!IopDeleteDevice+0x2a
f7926d2c 8086c955 8ba41830 00000000 e1747110 nt!ObpRemoveObjectRoutine+0xdc
f7926d4c 80918b50 8bd76b40 8b120d00 00000000 nt!ObfDereferenceObject+0x67
f7926d68 8090f6ba 00000000 808ae5fc 8b120d08 nt!IopFreeRelationList+0x36
f7926d80 8088043d 8b120d00 00000000 8bd76b40 nt!IopDelayedRemoveWorker+0x64
f7926dac 80949b7c 8b120d00 00000000 00000000 nt!ExpWorkerThread+0xeb
f7926ddc 8088e062 80880352 00000001 00000000 nt!PspSystemThreadStartup+0x2e
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16


STACK_COMMAND:  kb

FOLLOWUP_IP:
nt!ExDeferredFreePool+1d7
808921dd 8937            mov     dword ptr [edi],esi

SYMBOL_STACK_INDEX:  1

SYMBOL_NAME:  nt!ExDeferredFreePool+1d7

FOLLOWUP_NAME:  Pool_corruption

IMAGE_NAME:  Pool_Corruption

DEBUG_FLR_IMAGE_TIMESTAMP:  0

MODULE_NAME: Pool_Corruption

FAILURE_BUCKET_ID:  0xC5_D0000002_nt!ExDeferredFreePool+1d7

BUCKET_ID:  0xC5_D0000002_nt!ExDeferredFreePool+1d7

Followup: Pool_corruption
---------

6: kd> lmvm Pool_Corruption
start    end        module name


Again this happened during a backup.  THanks for your time.
Allan
I started with Experts Exchange in 2004 and it's been a mainstay of my professional computing life since. It helped me launch a career as a programmer / Oracle data analyst
William Peck
ASKER CERTIFIED SOLUTION
stareonal

Log in or sign up to see answer
Become an EE member today7-DAY FREE TRIAL
Members can start a 7-Day Free trial then enjoy unlimited access to the platform
Sign up - Free for 7 days
or
Learn why we charge membership fees
We get it - no one likes a content blocker. Take one extra minute and find out why we block content.
See how we're fighting big data
Not exactly the question you had in mind?
Sign up for an EE membership and get your own personalized solution. With an EE membership, you can ask unlimited troubleshooting, research, or opinion questions.
ask a question