BSOD vista pool corruption

Posted on 2009-02-11
Last Modified: 2012-05-06
My Vista Business machine is crashing randomly while idle. I have put the minidump through WinDbg and this is the result. Can anyone help with interpreting this and suggest a cause for the crash?

Microsoft (R) Windows Debugger Version 6.10.0003.233 X86
Copyright (c) Microsoft Corporation. All rights reserved.

Loading Dump File [Z:\Mini021109-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: SRV*c:\symbols*
Executable search path is:
Windows Server 2008/Windows Vista SP1 Kernel Version 6001 (Service Pack 1) MP (4 procs) Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 6001.18145.x86fre.vistasp1_gdr.080917-1612
Machine Name:
Kernel base = 0x81e09000 PsLoadedModuleList = 0x81f20c70
Debug session time: Wed Feb 11 22:15:05.592 2009 (GMT+0)
System Uptime: 0 days 14:41:25.745
Loading Kernel Symbols
Loading User Symbols
Loading unloaded module list
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *

Use !analyze -v to get detailed debugging information.

BugCheck C5, {0, 2, 1, 81ef6218}

Probably caused by : Pool_Corruption ( nt!ExDeferredFreePool+213 )

Followup: Pool_corruption

2: kd> !analyze -v
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *

An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high.  This is
caused by drivers that have corrupted the system pool.  Run the driver
verifier against any new (or suspect) drivers, and if that doesn't turn up
the culprit, then use gflags to enable special pool.
Arg1: 00000000, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000001, value 0 = read operation, 1 = write operation
Arg4: 81ef6218, address which referenced memory

Debugging Details:



81ef6218 893b            mov     dword ptr [ebx],edi




TRAP_FRAME:  8c3bfaf4 -- (.trap 0xffffffff8c3bfaf4)
ErrCode = 00000002
eax=c325b73f ebx=00000000 ecx=000001ff edx=00000011 esi=c325af3f edi=00000000
eip=81ef6218 esp=8c3bfb68 ebp=8c3bfba0 iopl=0         nv up ei ng nz ac pe cy
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010297
81ef6218 893b            mov     dword ptr [ebx],edi  ds:0023:00000000=????????
Resetting default scope

LAST_CONTROL_TRANSFER:  from 81ef6218 to 81e63d24

8c3bfaf4 81ef6218 badb0d00 00000011 00000000 nt!KiTrap0E+0x2ac
8c3bfba0 81ef76e0 81f0b6e0 00000001 81f04c80 nt!ExDeferredFreePool+0x213
8c3bfc08 81e461bc 87ff8808 00000000 87ff8808 nt!ExFreePoolWithTag+0x852
8c3bfc24 81e0de69 87ff8808 c15746e0 00000000 nt!IopFreeIrp+0x56
8c3bfc40 81e0ddf8 87ff889f 87ff8808 00000000 nt!PopFreeIrp+0x60
8c3bfc54 81e4310c 00000000 87ff8808 c1574602 nt!PopRequestCompletion+0x54
8c3bfc88 82aeede8 81f0b13c 84af3828 85408ca0 nt!IopfCompleteRequest+0x11d
8c3bfd34 82ad7013 85408c98 87fae438 8c3bfd7c ndis!ndisDevicePowerOn+0x474
8c3bfd44 81e41445 85408c98 00000000 84af3828 ndis!ndisWorkItemHandler+0xe
8c3bfd7c 81fdeb18 85408c98 1f9eded8 00000000 nt!ExpWorkerThread+0xfd
8c3bfdc0 81e37a2e 81e41348 00000001 00000000 nt!PspSystemThreadStartup+0x9d
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16


81ef6218 893b            mov     dword ptr [ebx],edi


SYMBOL_NAME:  nt!ExDeferredFreePool+213

FOLLOWUP_NAME:  Pool_corruption

IMAGE_NAME:  Pool_Corruption


MODULE_NAME: Pool_Corruption

FAILURE_BUCKET_ID:  0xC5_2_nt!ExDeferredFreePool+213

BUCKET_ID:  0xC5_2_nt!ExDeferredFreePool+213

Followup: Pool_corruption
Question by:apt-it

    Accepted Solution


    An attempt occurred to touch invalid memory at a process IRQL that is too high. This is almost always caused by drivers that have corrupted the system pool. If you've recently installed any new software, check to see if it's properly installed; and check for updated drivers on the manufacturer's web site.

    * I would go into Device Manager and see if there are any conflicts.

    * Update your drivers to the latest.

    Somewhere a driver is in conflict by attempting to access an IRQL that it has no right to, thus causing your crashes.

    Expert Comment

    by:John Griffith
    For bugcheck 0xc5 run the driver verifier to help ID the bad kernel-mode driver.  Instructions in code box.
    If the Driver Verifier finds a violation, it will result in a BSOD.  To see the status of Verifier - type verifier - select the last option on the first screen - "Display information about the currently verified drivers..".  To turn Driver Verifier off - verifier /reset - then re-boot.
    BSOD will result in verifier-enabled mini kernel dump w/ additional stack text information.  Instead of clicking on "!analyze -v" use "!analyze -v;r;kv;lmtn" at the kd> command line.  This will produce loaded driver listing making it very easy to check driver timestamps.

    START | type cmd.exe | right-click on cmd.exe up top under programs | Run as Administrator | type VERIFIER - hit enter | do the following:
    1. Select 2nd option - Create custom settings (for code developers)
    2. Select 2nd option - Select individual settings from a full list.
    3. Check the boxes
        * Special Pool
        * Pool Tracking
        * Force IRQL checking
    4. Select last option - Select driver names from a list 
    5. Click on the Provider heading - sorts list by Provider
    6. Check ALL boxes where Microsoft is not the Provider
    7. Click on Finish 
    8. Re-boot
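
A command-line form of the GUI steps in the comment above, added here as an example and not part of the original thread. The `/flags` values are verifier.exe's documented bits for the three boxes in step 3; approximating "Microsoft is not the Provider" by the CompanyName in each driver file's version resource, the function name `Get-NonMicrosoftDriver` and the `-Apply` switch are assumptions of this example.

```powershell
# Added example: command-line form of the Driver Verifier GUI steps.
# Prints the command by default; run with -Apply from an elevated prompt to set it.
param([switch]$Apply)

# Step 3: verifier.exe /flags bits for the three boxes to check
$SpecialPool  = 0x1
$ForceIrql    = 0x2
$PoolTracking = 0x8
$flags = $SpecialPool -bor $ForceIrql -bor $PoolTracking   # 0xB

# Steps 4-6 (assumption): "Provider is not Microsoft" is approximated by the
# CompanyName in each running driver's file version resource.
function Get-NonMicrosoftDriver {
    Get-WmiObject Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        ForEach-Object {
            # Normalise quoted and NT-style paths to a Win32 path
            $path = $_.PathName.Trim('"') -replace '^\\\?\?\\', ''
            $path = $path -replace '^\\SystemRoot\\', ($env:SystemRoot + '\')
            if (Test-Path -LiteralPath $path) {
                $info = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($path)
                if ($info.CompanyName -notmatch 'Microsoft') {
                    New-Object PSObject -Property @{
                        File    = Split-Path $path -Leaf
                        Company = $info.CompanyName
                    }
                }
            }
        }
}

$drivers = @(Get-NonMicrosoftDriver | Sort-Object File -Unique)
if ($drivers.Count -eq 0) { Write-Output 'No non-Microsoft drivers found.'; return }
$drivers | Format-Table File, Company -AutoSize | Out-String | Write-Output

# Build the verifier command line from the selected driver file names
$names   = @($drivers | ForEach-Object { $_.File })
$flagArg = '0x{0:X}' -f $flags
Write-Output ("verifier /flags $flagArg /driver " + ($names -join ' '))

if ($Apply) {
    # Steps 7-8: the settings take effect after the next reboot
    & verifier.exe /flags $flagArg /driver $names
    Write-Output 'Reboot to start verification; "verifier /querysettings" shows the state, "verifier /reset" turns it off.'
}
```

Review the printed driver list before using `-Apply`, since the CompanyName match can differ from the Provider column shown in the GUI.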
