Solved

SBS Premium BAD_POOL_HEADER

Posted on 2008-06-23
8
1,555 Views
Last Modified: 2013-12-01
SBS Premium with SQL and ISA, no new hardware or software added in the last 6 months.

On Friday, the server suddenly crashed...when I got to it it was rebooting and crashed again with the BAD_POOL_HEADER BSOD.  I haven't made much headway since then (and I've been working on this all weekend).  At first, the BSOD would come up consistently on bootup.  I can boot up into safe mode fine, I can boot up in Diagnostic Mode via MSCONFIG just fine.  On Saturday, I could only work on it for a couple of hours and the server constantly rebooted for a few hours until it was able to load up without intervention..and most things seemed to be working.  Today, it won't go away no matter what I try.  It seemed the problem was with Avast or ISA or the Microsoft Firewall service.  I uninstalled Avast and it rebooted fine the first time, but ISA wouldn't start properly.  I uninstalled ISA and I got the BSOD during the install.  At this point, I ran a chkdsk on the drive; it had a few errors in steps 1-3, then it finished without incedent (of course, while I was out).  I finished uninstalling ISA, and when it was removed, it automatically kicked off the Connect to Internet wizard.  When I got to the step regarding the certificate, BSOD again.

Went into safe mode, rebooted in diagnostic mode, came up fine.  Turned on all services again, BSOD during boot (late in the process). I'm pasting one of many, many minidumps, the below information is identical in all of them.  I can't upload the memory dump, as it is too large even when zipped.  You can download it here (uploading as I compose this):

http://lesro.net/files/memory.zip

in addition to the chkdsk, I'm currently running a memory scan, which was clean on 2 passes and is now on step 7 of 11 in the more thorough pass.

LAST_CONTROL_TRANSFER:  from 808927bb to 80827c63 is on every minidump.

This is in every minidump:
FOLLOWUP_IP:
nt!ExFreePoolWithTag+477
808927bb ff75fc          push    dword ptr [ebp-4]

SYMBOL_STACK_INDEX:  1

SYMBOL_NAME:  nt!ExFreePoolWithTag+477

And the stack text is identical for all of them except the first snippet in the last line.

BAD_POOL_HEADER (19)

The pool is already corrupt at the time of the current request.

This may or may not be due to the caller.

The internal pool links must be walked to figure out a possible cause of

the problem, and then special pool applied to the suspect tags or the driver

verifier to a suspect driver.

Arguments:

Arg1: 00000020, a pool block header size is corrupt.

Arg2: e1124ed0, The pool entry we were looking for within the page.

Arg3: e1124f38, The next pool entry.

Arg4: 0c0d0610, (reserved)
 

Debugging Details:

------------------
 
 

BUGCHECK_STR:  0x19_20
 

POOL_ADDRESS:  e1124ed0 
 

CUSTOMER_CRASH_COUNT:  2
 

DEFAULT_BUCKET_ID:  DRIVER_FAULT_SERVER_MINIDUMP
 

PROCESS_NAME:  inetinfo.exe
 

CURRENT_IRQL:  0
 

LAST_CONTROL_TRANSFER:  from 808927bb to 80827c63
 

STACK_TEXT:  

b9905388 808927bb 00000019 00000020 e1124ed0 nt!KeBugCheckEx+0x1b

b99053f0 f7b7ac3c e1124ed8 00000000 f7b7c2bd nt!ExFreePoolWithTag+0x477

b99054a8 f7b7ac7f 89d09720 e3518570 e34068e8 Ntfs!NtfsAddDosOnlyName+0x1d1

b99054e4 f7b904af 89d09720 00000001 30800100 Ntfs!NtfsAddLink+0xac

b99056e0 f7b94a04 89d09720 89c2c008 89c2c1bc Ntfs!NtfsCreateNewFile+0x847

b9905904 f7b91ef8 89d09720 89c2c008 b9905944 Ntfs!NtfsCommonCreate+0x1226

b9905a08 8081df65 8aa42020 89c2c008 8b135158 Ntfs!NtfsFsdCreate+0x17d

b9905a1c f725d458 89fffc58 8b135158 8ad20c18 nt!IofCallDriver+0x45

b9905a48 8081df65 8aa432d0 89c2c008 89c2c008 fltmgr!FltpCreate+0xe4

b9905a5c 808f8f71 b9905c04 8b14b4e0 00000000 nt!IofCallDriver+0x45

b9905b44 80937942 8b14b4f8 00000000 89f9adc0 nt!IopParseDevice+0xa35

b9905bc4 80933a76 00000000 b9905c04 00000040 nt!ObpLookupObjectName+0x5b0

b9905c18 808eae25 00000000 00000000 99980801 nt!ObOpenObjectByName+0xea

b9905c94 808ec0bf 073ef2dc 40100080 073ef278 nt!IopCreateFile+0x447

b9905cf0 808eeb4e 073ef2dc 40100080 073ef278 nt!IoCreateFile+0xa3

b9905d30 8088978c 073ef2dc 40100080 073ef278 nt!NtCreateFile+0x30

b9905d30 7c8285ec 073ef2dc 40100080 073ef278 nt!KiFastCallEntry+0xfc

WARNING: Frame IP not in any known module. Following frames may be wrong.

073ef2d4 00000000 00000000 00000000 00000000 0x7c8285ec
 
 

STACK_COMMAND:  kb
 

FOLLOWUP_IP: 

nt!ExFreePoolWithTag+477

808927bb ff75fc          push    dword ptr [ebp-4]
 

SYMBOL_STACK_INDEX:  1
 

SYMBOL_NAME:  nt!ExFreePoolWithTag+477
 

FOLLOWUP_NAME:  MachineOwner
 

MODULE_NAME: nt
 

IMAGE_NAME:  ntkrpamp.exe
 

DEBUG_FLR_IMAGE_TIMESTAMP:  45ec0a19
 

FAILURE_BUCKET_ID:  0x19_20_nt!ExFreePoolWithTag+477
 

BUCKET_ID:  0x19_20_nt!ExFreePoolWithTag+477
 

Followup: MachineOwner

Open in new window

0
Comment
Question by:tmwes
  • 4
  • 3
8 Comments
 
LVL 6

Expert Comment

by:JapyDooge
ID: 21844357
Does none of the minidumps say a driver name or something when putting them in WinDBG?
0
 

Author Comment

by:tmwes
ID: 21844399
Every minidump says virtually the same thing...at first, tie module/image reported was aswmon2.sys, which points towards Avast.  But since uninstalling Avast, they have all pointed to ntkrpamp.exe.

The last several minidumps have been just like you see here (reposting so it isn't in code).  The only thing that changes are the following:

Arg2, Arg3, Arg4
Pool_Address
first code in the last line of stack text (in this one it is 073ef2d4 )

_________________________________________________________________________

BAD_POOL_HEADER (19)
The pool is already corrupt at the time of the current request.
This may or may not be due to the caller.
The internal pool links must be walked to figure out a possible cause of
the problem, and then special pool applied to the suspect tags or the driver
verifier to a suspect driver.
Arguments:
Arg1: 00000020, a pool block header size is corrupt.
Arg2: e1124ed0, The pool entry we were looking for within the page.
Arg3: e1124f38, The next pool entry.
Arg4: 0c0d0610, (reserved)

Debugging Details:
------------------


BUGCHECK_STR:  0x19_20

POOL_ADDRESS:  e1124ed0

CUSTOMER_CRASH_COUNT:  2

DEFAULT_BUCKET_ID:  DRIVER_FAULT_SERVER_MINIDUMP

PROCESS_NAME:  inetinfo.exe

CURRENT_IRQL:  0

LAST_CONTROL_TRANSFER:  from 808927bb to 80827c63

STACK_TEXT:  
b9905388 808927bb 00000019 00000020 e1124ed0 nt!KeBugCheckEx+0x1b
b99053f0 f7b7ac3c e1124ed8 00000000 f7b7c2bd nt!ExFreePoolWithTag+0x477
b99054a8 f7b7ac7f 89d09720 e3518570 e34068e8 Ntfs!NtfsAddDosOnlyName+0x1d1
b99054e4 f7b904af 89d09720 00000001 30800100 Ntfs!NtfsAddLink+0xac
b99056e0 f7b94a04 89d09720 89c2c008 89c2c1bc Ntfs!NtfsCreateNewFile+0x847
b9905904 f7b91ef8 89d09720 89c2c008 b9905944 Ntfs!NtfsCommonCreate+0x1226
b9905a08 8081df65 8aa42020 89c2c008 8b135158 Ntfs!NtfsFsdCreate+0x17d
b9905a1c f725d458 89fffc58 8b135158 8ad20c18 nt!IofCallDriver+0x45
b9905a48 8081df65 8aa432d0 89c2c008 89c2c008 fltmgr!FltpCreate+0xe4
b9905a5c 808f8f71 b9905c04 8b14b4e0 00000000 nt!IofCallDriver+0x45
b9905b44 80937942 8b14b4f8 00000000 89f9adc0 nt!IopParseDevice+0xa35
b9905bc4 80933a76 00000000 b9905c04 00000040 nt!ObpLookupObjectName+0x5b0
b9905c18 808eae25 00000000 00000000 99980801 nt!ObOpenObjectByName+0xea
b9905c94 808ec0bf 073ef2dc 40100080 073ef278 nt!IopCreateFile+0x447
b9905cf0 808eeb4e 073ef2dc 40100080 073ef278 nt!IoCreateFile+0xa3
b9905d30 8088978c 073ef2dc 40100080 073ef278 nt!NtCreateFile+0x30
b9905d30 7c8285ec 073ef2dc 40100080 073ef278 nt!KiFastCallEntry+0xfc
WARNING: Frame IP not in any known module. Following frames may be wrong.
073ef2d4 00000000 00000000 00000000 00000000 0x7c8285ec


STACK_COMMAND:  kb

FOLLOWUP_IP:
nt!ExFreePoolWithTag+477
808927bb ff75fc          push    dword ptr [ebp-4]

SYMBOL_STACK_INDEX:  1

SYMBOL_NAME:  nt!ExFreePoolWithTag+477

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: nt

IMAGE_NAME:  ntkrpamp.exe

DEBUG_FLR_IMAGE_TIMESTAMP:  45ec0a19

FAILURE_BUCKET_ID:  0x19_20_nt!ExFreePoolWithTag+477

BUCKET_ID:  0x19_20_nt!ExFreePoolWithTag+477

Followup: MachineOwner
0
 
LVL 6

Expert Comment

by:JapyDooge
ID: 21844490
Hmm i found something on the inetinfo crash here but i don't think that is the reason:
http://support.microsoft.com/kb/827214/en-us

Also i would suggest Windows Memory Diagnostics instead of MemTest becouse WMD simulates the 'Windows Usage' to find errors:
http://oca.microsoft.com/en/windiag.asp

0x7c8285ec is usually a memory problem or some application having a memory leak.
0
 

Author Comment

by:tmwes
ID: 21844509
I am using Windows Memory Diagnostics...was using 'memtest' as a general description (forgive me; it is 5 AM my time and I've been here since 1 PM yesterday).  It is on pass 1 of the extended tests right now; 11 of 11 with no errors found yet.

The events referenced in that kb article do not show up in my event log.

thanks...
0
IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

 
LVL 6

Expert Comment

by:JapyDooge
ID: 21844541
Okay no problem :) good luck man... U said there was nothing installed lately, also no drivers who have an auto-update utility or Windows Updates?
0
 
LVL 32

Expert Comment

by:r-k
ID: 21852791
If you're still having the problem please zip a few minidumps and post them here.

It does sound like bad memory, try swapping and re-seating the ram modules.

Could be the video memory also, swap video card if possible.

AV on the server is probably not a good thing so leave that uninstalled.

Disk errors are a possibility, check the event logs.

Did you install any new drivers lately?


0
 

Author Comment

by:tmwes
ID: 21854300
Problem was fixed yesterday when I broke down and called Microsoft after 24 straight hours of troubleshooting.  Turns out there is an upcoming hotfix for my exact problem; I'll post the details of it when I get to the office.  They sent it to me, I made one registry change, and I'm back in business.
0
 

Accepted Solution

by:
tmwes earned 0 total points
ID: 21856452
Here is the text of the KB article that will be out shortly:

SYMPTOMS

You may receive a Stop error message that resembles the following on a Windows Server 2003-based computer:

STOP: 0x00000019 ( parameter1 , parameter2 , parameter3 , parameter4 )

Notes

"
      

The parameters in this Stop error message vary, depending on the configuration of the computer and on the type of the issue.

"
      

Not all "0x00000019" Stop errors are caused by this problem.

CAUSE

This problem occurs because the pool memory is unexpectedly corrupted. This problem occurs when the NTFS file system creates a name in the 8.3 name format for a file that has a long file name.

WORKAROUND

To work around this problem, disable 8.3 name creation. To do this, use one of the following methods.

Method 1

1.
      

Run the following command at a command prompt:

fsutil behavior set disable8dot3 1

2.
      

Restart the computer.

Method 2

Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:

322756 How to back up and restore the registry in Windows

1.
      

Click Start, click Run, type regedit , and then click OK.

2.
      

Locate and then click the following registry subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem

3.
      

Right-click NtfsDisable8dot3NameCreation, and then click Modify.

4.
      

In the Value data box, type 1 , and then click OK.

Note The default value is 0.

5.
      

Exit Registry Editor.

6.
      

To make this registry change effective, restart the computer.

I made the registry change, and they also sent me a hotfix that I installed.  He said it will be released shortly.
0

Featured Post

How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

Join & Write a Comment

If you are a user of the discontinued Microsoft Office Accounting 2008 (MSOA) and have to move to a new computer running Windows 8, you will be unhappy to discover that it won't install.  In particular, Microsoft SQL Server 2005 Express Edition (SSE…
ADCs have gained traction within the last decade, largely due to increased demand for legacy load balancing appliances to handle more advanced application delivery requirements and improve application performance.
This tutorial demonstrates a quick way of adding group price to multiple Magento products.
You have products, that come in variants and want to set different prices for them? Watch this micro tutorial that describes how to configure prices for Magento super attributes. Assigning simple products to configurable: We assigned simple products…

757 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

20 Experts available now in Live!

Get 1:1 Help Now