Solved

SBS Premium BAD_POOL_HEADER

Posted on 2008-06-23
8
1,566 Views
Last Modified: 2013-12-01
SBS Premium with SQL and ISA, no new hardware or software added in the last 6 months.

On Friday, the server suddenly crashed...when I got to it it was rebooting and crashed again with the BAD_POOL_HEADER BSOD.  I haven't made much headway since then (and I've been working on this all weekend).  At first, the BSOD would come up consistently on bootup.  I can boot up into safe mode fine, I can boot up in Diagnostic Mode via MSCONFIG just fine.  On Saturday, I could only work on it for a couple of hours and the server constantly rebooted for a few hours until it was able to load up without intervention..and most things seemed to be working.  Today, it won't go away no matter what I try.  It seemed the problem was with Avast or ISA or the Microsoft Firewall service.  I uninstalled Avast and it rebooted fine the first time, but ISA wouldn't start properly.  I uninstalled ISA and I got the BSOD during the install.  At this point, I ran a chkdsk on the drive; it had a few errors in steps 1-3, then it finished without incedent (of course, while I was out).  I finished uninstalling ISA, and when it was removed, it automatically kicked off the Connect to Internet wizard.  When I got to the step regarding the certificate, BSOD again.

Went into safe mode, rebooted in diagnostic mode, came up fine.  Turned on all services again, BSOD during boot (late in the process). I'm pasting one of many, many minidumps, the below information is identical in all of them.  I can't upload the memory dump, as it is too large even when zipped.  You can download it here (uploading as I compose this):

http://lesro.net/files/memory.zip

in addition to the chkdsk, I'm currently running a memory scan, which was clean on 2 passes and is now on step 7 of 11 in the more thorough pass.

LAST_CONTROL_TRANSFER:  from 808927bb to 80827c63 is on every minidump.

This is in every minidump:
FOLLOWUP_IP:
nt!ExFreePoolWithTag+477
808927bb ff75fc          push    dword ptr [ebp-4]

SYMBOL_STACK_INDEX:  1

SYMBOL_NAME:  nt!ExFreePoolWithTag+477

And the stack text is identical for all of them except the first snippet in the last line.

BAD_POOL_HEADER (19)
The pool is already corrupt at the time of the current request.
This may or may not be due to the caller.
The internal pool links must be walked to figure out a possible cause of
the problem, and then special pool applied to the suspect tags or the driver
verifier to a suspect driver.
Arguments:
Arg1: 00000020, a pool block header size is corrupt.
Arg2: e1124ed0, The pool entry we were looking for within the page.
Arg3: e1124f38, The next pool entry.
Arg4: 0c0d0610, (reserved)
 
Debugging Details:
------------------
 
 
BUGCHECK_STR:  0x19_20
 
POOL_ADDRESS:  e1124ed0 
 
CUSTOMER_CRASH_COUNT:  2
 
DEFAULT_BUCKET_ID:  DRIVER_FAULT_SERVER_MINIDUMP
 
PROCESS_NAME:  inetinfo.exe
 
CURRENT_IRQL:  0
 
LAST_CONTROL_TRANSFER:  from 808927bb to 80827c63
 
STACK_TEXT:  
b9905388 808927bb 00000019 00000020 e1124ed0 nt!KeBugCheckEx+0x1b
b99053f0 f7b7ac3c e1124ed8 00000000 f7b7c2bd nt!ExFreePoolWithTag+0x477
b99054a8 f7b7ac7f 89d09720 e3518570 e34068e8 Ntfs!NtfsAddDosOnlyName+0x1d1
b99054e4 f7b904af 89d09720 00000001 30800100 Ntfs!NtfsAddLink+0xac
b99056e0 f7b94a04 89d09720 89c2c008 89c2c1bc Ntfs!NtfsCreateNewFile+0x847
b9905904 f7b91ef8 89d09720 89c2c008 b9905944 Ntfs!NtfsCommonCreate+0x1226
b9905a08 8081df65 8aa42020 89c2c008 8b135158 Ntfs!NtfsFsdCreate+0x17d
b9905a1c f725d458 89fffc58 8b135158 8ad20c18 nt!IofCallDriver+0x45
b9905a48 8081df65 8aa432d0 89c2c008 89c2c008 fltmgr!FltpCreate+0xe4
b9905a5c 808f8f71 b9905c04 8b14b4e0 00000000 nt!IofCallDriver+0x45
b9905b44 80937942 8b14b4f8 00000000 89f9adc0 nt!IopParseDevice+0xa35
b9905bc4 80933a76 00000000 b9905c04 00000040 nt!ObpLookupObjectName+0x5b0
b9905c18 808eae25 00000000 00000000 99980801 nt!ObOpenObjectByName+0xea
b9905c94 808ec0bf 073ef2dc 40100080 073ef278 nt!IopCreateFile+0x447
b9905cf0 808eeb4e 073ef2dc 40100080 073ef278 nt!IoCreateFile+0xa3
b9905d30 8088978c 073ef2dc 40100080 073ef278 nt!NtCreateFile+0x30
b9905d30 7c8285ec 073ef2dc 40100080 073ef278 nt!KiFastCallEntry+0xfc
WARNING: Frame IP not in any known module. Following frames may be wrong.
073ef2d4 00000000 00000000 00000000 00000000 0x7c8285ec
 
 
STACK_COMMAND:  kb
 
FOLLOWUP_IP: 
nt!ExFreePoolWithTag+477
808927bb ff75fc          push    dword ptr [ebp-4]
 
SYMBOL_STACK_INDEX:  1
 
SYMBOL_NAME:  nt!ExFreePoolWithTag+477
 
FOLLOWUP_NAME:  MachineOwner
 
MODULE_NAME: nt
 
IMAGE_NAME:  ntkrpamp.exe
 
DEBUG_FLR_IMAGE_TIMESTAMP:  45ec0a19
 
FAILURE_BUCKET_ID:  0x19_20_nt!ExFreePoolWithTag+477
 
BUCKET_ID:  0x19_20_nt!ExFreePoolWithTag+477
 
Followup: MachineOwner

Open in new window

0
Comment
Question by:tmwes
  • 4
  • 3
8 Comments
 
LVL 6

Expert Comment

by:JapyDooge
ID: 21844357
Does none of the minidumps say a driver name or something when putting them in WinDBG?
0
 

Author Comment

by:tmwes
ID: 21844399
Every minidump says virtually the same thing...at first, tie module/image reported was aswmon2.sys, which points towards Avast.  But since uninstalling Avast, they have all pointed to ntkrpamp.exe.

The last several minidumps have been just like you see here (reposting so it isn't in code).  The only thing that changes are the following:

Arg2, Arg3, Arg4
Pool_Address
first code in the last line of stack text (in this one it is 073ef2d4 )

_________________________________________________________________________

BAD_POOL_HEADER (19)
The pool is already corrupt at the time of the current request.
This may or may not be due to the caller.
The internal pool links must be walked to figure out a possible cause of
the problem, and then special pool applied to the suspect tags or the driver
verifier to a suspect driver.
Arguments:
Arg1: 00000020, a pool block header size is corrupt.
Arg2: e1124ed0, The pool entry we were looking for within the page.
Arg3: e1124f38, The next pool entry.
Arg4: 0c0d0610, (reserved)

Debugging Details:
------------------


BUGCHECK_STR:  0x19_20

POOL_ADDRESS:  e1124ed0

CUSTOMER_CRASH_COUNT:  2

DEFAULT_BUCKET_ID:  DRIVER_FAULT_SERVER_MINIDUMP

PROCESS_NAME:  inetinfo.exe

CURRENT_IRQL:  0

LAST_CONTROL_TRANSFER:  from 808927bb to 80827c63

STACK_TEXT:  
b9905388 808927bb 00000019 00000020 e1124ed0 nt!KeBugCheckEx+0x1b
b99053f0 f7b7ac3c e1124ed8 00000000 f7b7c2bd nt!ExFreePoolWithTag+0x477
b99054a8 f7b7ac7f 89d09720 e3518570 e34068e8 Ntfs!NtfsAddDosOnlyName+0x1d1
b99054e4 f7b904af 89d09720 00000001 30800100 Ntfs!NtfsAddLink+0xac
b99056e0 f7b94a04 89d09720 89c2c008 89c2c1bc Ntfs!NtfsCreateNewFile+0x847
b9905904 f7b91ef8 89d09720 89c2c008 b9905944 Ntfs!NtfsCommonCreate+0x1226
b9905a08 8081df65 8aa42020 89c2c008 8b135158 Ntfs!NtfsFsdCreate+0x17d
b9905a1c f725d458 89fffc58 8b135158 8ad20c18 nt!IofCallDriver+0x45
b9905a48 8081df65 8aa432d0 89c2c008 89c2c008 fltmgr!FltpCreate+0xe4
b9905a5c 808f8f71 b9905c04 8b14b4e0 00000000 nt!IofCallDriver+0x45
b9905b44 80937942 8b14b4f8 00000000 89f9adc0 nt!IopParseDevice+0xa35
b9905bc4 80933a76 00000000 b9905c04 00000040 nt!ObpLookupObjectName+0x5b0
b9905c18 808eae25 00000000 00000000 99980801 nt!ObOpenObjectByName+0xea
b9905c94 808ec0bf 073ef2dc 40100080 073ef278 nt!IopCreateFile+0x447
b9905cf0 808eeb4e 073ef2dc 40100080 073ef278 nt!IoCreateFile+0xa3
b9905d30 8088978c 073ef2dc 40100080 073ef278 nt!NtCreateFile+0x30
b9905d30 7c8285ec 073ef2dc 40100080 073ef278 nt!KiFastCallEntry+0xfc
WARNING: Frame IP not in any known module. Following frames may be wrong.
073ef2d4 00000000 00000000 00000000 00000000 0x7c8285ec


STACK_COMMAND:  kb

FOLLOWUP_IP:
nt!ExFreePoolWithTag+477
808927bb ff75fc          push    dword ptr [ebp-4]

SYMBOL_STACK_INDEX:  1

SYMBOL_NAME:  nt!ExFreePoolWithTag+477

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: nt

IMAGE_NAME:  ntkrpamp.exe

DEBUG_FLR_IMAGE_TIMESTAMP:  45ec0a19

FAILURE_BUCKET_ID:  0x19_20_nt!ExFreePoolWithTag+477

BUCKET_ID:  0x19_20_nt!ExFreePoolWithTag+477

Followup: MachineOwner
0
 
LVL 6

Expert Comment

by:JapyDooge
ID: 21844490
Hmm i found something on the inetinfo crash here but i don't think that is the reason:
http://support.microsoft.com/kb/827214/en-us

Also i would suggest Windows Memory Diagnostics instead of MemTest becouse WMD simulates the 'Windows Usage' to find errors:
http://oca.microsoft.com/en/windiag.asp

0x7c8285ec is usually a memory problem or some application having a memory leak.
0
Migrating Your Company's PCs

To keep pace with competitors, businesses must keep employees productive, and that means providing them with the latest technology. This document provides the tips and tricks you need to help you migrate an outdated PC fleet to new desktops, laptops, and tablets.

 

Author Comment

by:tmwes
ID: 21844509
I am using Windows Memory Diagnostics...was using 'memtest' as a general description (forgive me; it is 5 AM my time and I've been here since 1 PM yesterday).  It is on pass 1 of the extended tests right now; 11 of 11 with no errors found yet.

The events referenced in that kb article do not show up in my event log.

thanks...
0
 
LVL 6

Expert Comment

by:JapyDooge
ID: 21844541
Okay no problem :) good luck man... U said there was nothing installed lately, also no drivers who have an auto-update utility or Windows Updates?
0
 
LVL 32

Expert Comment

by:r-k
ID: 21852791
If you're still having the problem please zip a few minidumps and post them here.

It does sound like bad memory, try swapping and re-seating the ram modules.

Could be the video memory also, swap video card if possible.

AV on the server is probably not a good thing so leave that uninstalled.

Disk errors are a possibility, check the event logs.

Did you install any new drivers lately?


0
 

Author Comment

by:tmwes
ID: 21854300
Problem was fixed yesterday when I broke down and called Microsoft after 24 straight hours of troubleshooting.  Turns out there is an upcoming hotfix for my exact problem; I'll post the details of it when I get to the office.  They sent it to me, I made one registry change, and I'm back in business.
0
 

Accepted Solution

by:
tmwes earned 0 total points
ID: 21856452
Here is the text of the KB article that will be out shortly:

SYMPTOMS

You may receive a Stop error message that resembles the following on a Windows Server 2003-based computer:

STOP: 0x00000019 ( parameter1 , parameter2 , parameter3 , parameter4 )

Notes

"
      

The parameters in this Stop error message vary, depending on the configuration of the computer and on the type of the issue.

"
      

Not all "0x00000019" Stop errors are caused by this problem.

CAUSE

This problem occurs because the pool memory is unexpectedly corrupted. This problem occurs when the NTFS file system creates a name in the 8.3 name format for a file that has a long file name.

WORKAROUND

To work around this problem, disable 8.3 name creation. To do this, use one of the following methods.

Method 1

1.
      

Run the following command at a command prompt:

fsutil behavior set disable8dot3 1

2.
      

Restart the computer.

Method 2

Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:

322756 How to back up and restore the registry in Windows

1.
      

Click Start, click Run, type regedit , and then click OK.

2.
      

Locate and then click the following registry subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem

3.
      

Right-click NtfsDisable8dot3NameCreation, and then click Modify.

4.
      

In the Value data box, type 1 , and then click OK.

Note The default value is 0.

5.
      

Exit Registry Editor.

6.
      

To make this registry change effective, restart the computer.

I made the registry change, and they also sent me a hotfix that I installed.  He said it will be released shortly.
0

Featured Post

Microsoft Certification Exam 74-409

Veeam® is happy to provide the Microsoft community with a study guide prepared by MVP and MCT, Orin Thomas. This guide will take you through each of the exam objectives, helping you to prepare for and pass the examination.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I work for a company that primarily works with small businesses as their outsourced IT vendor. As such the majority of these customers utilize some version of Small Business Server. Due to the economics of running a small business, many of these cus…
Restoring deleted objects in Active Directory has been a standard feature in Active Directory for many years, yet some admins may not know what is available.
This tutorial gives a high-level tour of the interface of Marketo (a marketing automation tool to help businesses track and engage prospective customers and drive them to purchase). You will see the main areas including Marketing Activities, Design …
In a recent question (https://www.experts-exchange.com/questions/28997919/Pagination-in-Adobe-Acrobat.html) here at Experts Exchange, a member asked how to add page numbers to a PDF file using Adobe Acrobat XI Pro. This short video Micro Tutorial sh…

770 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question