[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1783
  • Last Modified:

BSoD BAD_POOL_HEADER (19) and DRIVER_CORRUPTED_EXPOOL (c5)

A client's new Dell Latitude E6400 has blue screened twice.  The setup at the office is the laptop with a Lenovo USB port replicator.  Ext HD, MS Bluetooth USB, USB Printer, USB Scanner, USB>Ethernet dongle are plugged into the port replicator.  Laptop has Windows XP SP3 and Office suite, Acronis TrueImage Home 2010, iTunes and a few other applications.

The first blue screen happened with the laptop detached from the port replicator.  The second happened with it plugged into the port replicator.  The second one points to the USB bluetooth adapter, so I will try to update the drivers for it.  I ran a sfc /scannow and all was clean.

Please let me know what else you see in these dumps.  Thanks
1st Minidump
-----------------------------------------

Microsoft (R) Windows Debugger Version 6.11.0001.404 X86
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [C:\Documents and Settings\Owner\Desktop\Mini122309-01\Mini121809-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: SRV*c:\websymbols*http://msdl.microsoft.com/download/symbols
Executable search path is: 
Windows XP Kernel Version 2600 (Service Pack 3) MP (2 procs) Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 2600.xpsp_sp3_gdr.090804-1435
Machine Name:
Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055d720
Debug session time: Fri Dec 18 16:18:38.609 2009 (GMT-7)
System Uptime: 0 days 0:18:08.281
Loading Kernel Symbols
...............................................................
................................................................
...........................
Loading User Symbols
Loading unloaded module list
.................
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 19, {20, 572ca40, 572d5f8, b776441}

Unable to load image tdrpm258.sys, Win32 error 0n2
*** WARNING: Unable to verify timestamp for tdrpm258.sys
*** ERROR: Module load completed but symbols could not be loaded for tdrpm258.sys
Probably caused by : tdrpm258.sys ( tdrpm258+28101 )

Followup: MachineOwner
---------

0: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

BAD_POOL_HEADER (19)
The pool is already corrupt at the time of the current request.
This may or may not be due to the caller.
The internal pool links must be walked to figure out a possible cause of
the problem, and then special pool applied to the suspect tags or the driver
verifier to a suspect driver.
Arguments:
Arg1: 00000020, a pool block header size is corrupt.
Arg2: 0572ca40, The pool entry we were looking for within the page.
Arg3: 0572d5f8, The next pool entry.
Arg4: 0b776441, (reserved)

Debugging Details:
------------------


BUGCHECK_STR:  0x19_20

POOL_ADDRESS:  0572ca40 

CUSTOMER_CRASH_COUNT:  1

DEFAULT_BUCKET_ID:  DRIVER_FAULT

PROCESS_NAME:  System

LOCK_ADDRESS:  8055b4e0 -- (!locks 8055b4e0)

Resource @ nt!PiEngineLock (0x8055b4e0)    Available

WARNING: SystemResourcesList->Flink chain invalid. Resource may be corrupted, or already deleted.


WARNING: SystemResourcesList->Blink chain invalid. Resource may be corrupted, or already deleted.

1 total locks

PNP_TRIAGE: 
	Lock address  : 0x8055b4e0
	Thread Count  : 0
	Thread address: 0x00000000
	Thread wait   : 0x0

LAST_CONTROL_TRANSFER:  from 8054b583 to 804f9f43

STACK_TEXT:  
ba4fb8b4 8054b583 00000019 00000020 0572ca40 nt!KeBugCheckEx+0x1b
ba4fb904 b9c03101 0572ca48 00000000 b9c076c2 nt!ExFreePoolWithTag+0x2a3
WARNING: Stack unwind information not available. Following frames may be wrong.
ba4fb9e8 804f73cf 8a793958 85683028 e1628ae8 tdrpm258+0x28101
ba4fba00 80590eff b9c04b30 00000006 00000001 nt!PpvUtilCallAddDevice+0x19
ba4fbac8 80592264 00000000 04000001 85709030 nt!PipCallDriverAddDevice+0x3b9
ba4fbd24 805927fa 858b1008 00000001 00000000 nt!PipProcessDevNodeTree+0x1a4
ba4fbd54 804f699e 00000003 8055b5c0 8056485c nt!PiRestartDevice+0x80
ba4fbd7c 8053877d 00000000 00000000 8ae1fda8 nt!PipDeviceActionWorker+0x168
ba4fbdac 805cff72 00000000 00000000 00000000 nt!ExpWorkerThread+0xef
ba4fbddc 805460ee 8053868e 00000001 00000000 nt!PspSystemThreadStartup+0x34
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16


STACK_COMMAND:  kb

FOLLOWUP_IP: 
tdrpm258+28101
b9c03101 ??              ???

SYMBOL_STACK_INDEX:  2

SYMBOL_NAME:  tdrpm258+28101

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: tdrpm258

IMAGE_NAME:  tdrpm258.sys

DEBUG_FLR_IMAGE_TIMESTAMP:  4add695a

FAILURE_BUCKET_ID:  0x19_20_tdrpm258+28101

BUCKET_ID:  0x19_20_tdrpm258+28101

Followup: MachineOwner
---------



2nd Minidump:
-----------------------------------------

Microsoft (R) Windows Debugger Version 6.11.0001.404 X86
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [C:\Documents and Settings\Owner\Desktop\Mini122309-01\Mini122309-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: SRV*c:\websymbols*http://msdl.microsoft.com/download/symbols
Executable search path is: 
Windows XP Kernel Version 2600 (Service Pack 3) MP (2 procs) Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 2600.xpsp_sp3_gdr.090804-1435
Machine Name:
Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055d720
Debug session time: Wed Dec 23 11:19:04.906 2009 (GMT-7)
System Uptime: 0 days 0:41:14.578
Loading Kernel Symbols
...............................................................
................................................................
......................................
Loading User Symbols
Loading unloaded module list
.....................
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 100000C5, {4, 2, 0, 8054b71c}

Probably caused by : bthport.sys ( bthport!HCI_CompleteAclRd+4d )

Followup: MachineOwner
---------

0: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

DRIVER_CORRUPTED_EXPOOL (c5)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high.  This is
caused by drivers that have corrupted the system pool.  Run the driver
verifier against any new (or suspect) drivers, and if that doesn't turn up
the culprit, then use gflags to enable special pool.
Arguments:
Arg1: 00000004, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000000, value 0 = read operation, 1 = write operation
Arg4: 8054b71c, address which referenced memory

Debugging Details:
------------------


BUGCHECK_STR:  0xC5_2

CURRENT_IRQL:  2

FAULTING_IP: 
nt!ExFreePoolWithTag+43c
8054b71c 668b4b04        mov     cx,word ptr [ebx+4]

CUSTOMER_CRASH_COUNT:  1

DEFAULT_BUCKET_ID:  DRIVER_FAULT

PROCESS_NAME:  iTunesHelper.ex

LAST_CONTROL_TRANSFER:  from 996d861d to 8054b71c

STACK_TEXT:  
ba4d3b88 996d861d 04fd5e88 00000000 850d65b8 nt!ExFreePoolWithTag+0x43c
ba4d3ba0 996f9af9 850d65d0 ba4d3ce8 8a17acb0 bthport!HCI_CompleteAclRd+0x4d
ba4d3bb8 996d86dd 00000000 00000000 00000086 bthport!RefObj_ReleaseEx+0xd5
ba4d3bd8 996d877f 84fd9578 84fd9578 8ada0e54 bthport!HCI_CompleteAclRdHciPkt+0x4d
ba4d3bf8 996ef4b1 8ada0e30 8a17acf0 00000001 bthport!HCI_CompleteAclRdChain+0x4f
ba4d3d00 996d92aa 8a323b40 84f447b8 8ada0e30 bthport!L2CapInt_ProcessReadBip+0x381
ba4d3d84 996ed92f 89c26610 89c6ac80 00000000 bthport!HCI_ProcessAclRead+0x52a
ba4d3da0 996d0785 89c26610 89c6ac80 89c26610 bthport!HCI_ProcessMpBip+0x5f
ba4d3dbc 99e6ffb9 89c6ac80 89c6ac80 ba4d3e20 bthport!BTHPORT_RecvMpBip+0x75
ba4d3dcc 99e70e0d 8725b108 84fcc7f8 0000000f BTHUSB!BthUsb_ReadTransferComplete+0x89
ba4d3e20 99e710e6 89c6f8b8 ba4d3e3c 8a340f4f BTHUSB!UsbWrapWorkRoutine+0x79
ba4d3e48 804f16c0 89c6f8b8 8a340e70 0117acb0 BTHUSB!UsbWrapInterruptReadComplete+0xb4
ba4d3e78 b85a806d 8a340e70 84e06008 8a24e028 nt!IopfCompleteRequest+0xa2
ba4d3ee0 b85a8cdf 8a2cca48 00000000 8a24e7d8 USBPORT!USBPORT_CompleteTransfer+0x373
ba4d3f10 b85a98dc 026e6f44 8a24e0e0 8a24e0e0 USBPORT!USBPORT_DoneTransfer+0x137
ba4d3f48 b85ab0d2 8a24e028 80546acc 8a24e230 USBPORT!USBPORT_FlushDoneTransferList+0x16c
ba4d3f74 b85b928b 8a24e028 80546acc 8a24e028 USBPORT!USBPORT_DpcWorker+0x224
ba4d3fb0 b85b9402 8a24e028 00000001 89bcd920 USBPORT!USBPORT_IsrDpcWorker+0x38f
ba4d3fcc 80545e7f 8a24e64c 6b755044 00000000 USBPORT!USBPORT_IsrDpc+0x166
ba4d3ff4 805459eb 8d20cd44 00000000 00000000 nt!KiRetireDpcList+0x61
ba4d3ff8 8d20cd44 00000000 00000000 00000000 nt!KiDispatchInterrupt+0x2b
WARNING: Frame IP not in any known module. Following frames may be wrong.
805459eb 00000000 00000009 0081850f bb830000 0x8d20cd44


STACK_COMMAND:  kb

FOLLOWUP_IP: 
bthport!HCI_CompleteAclRd+4d
996d861d 8b4df8          mov     ecx,dword ptr [ebp-8]

SYMBOL_STACK_INDEX:  1

SYMBOL_NAME:  bthport!HCI_CompleteAclRd+4d

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: bthport

IMAGE_NAME:  bthport.sys

DEBUG_FLR_IMAGE_TIMESTAMP:  4852548e

FAILURE_BUCKET_ID:  0xC5_2_bthport!HCI_CompleteAclRd+4d

BUCKET_ID:  0xC5_2_bthport!HCI_CompleteAclRd+4d

Followup: MachineOwner
---------

Open in new window

0
Zsaltzman
Asked:
Zsaltzman
1 Solution
 
Jason WatkinsIT Project LeaderCommented:
Does the client eject the laptop from the port replicator, when finished, or does he just remove the laptop?  I would create two hardware profiles.  One docked, and the one undocked, and of course, update the bluetooth drivers.
0
 
akahanCommented:
tdrpm258.sys, which is mentioned in the dump, is a component of Acronis: it's part of the "try and decide restore points filter".  If updating the bluetooth driver doesn't fix things, you might want to, as an experiment, uninstall Acronis (temporarily), and see if that does away with the Bluescreens.
0
 
BitbullCommented:
I saw as well that the second bsod had to do with the process ItunesHelper.ex(e?), so that might be one of the applications that you could try to uninstall and see if the problem persists afterwards. But I agree to the previous posts, so try uninstalling Acronis as well.
P.S. Is your bluetooth driver digitally signed (i.e. no warning about unsigned driver when installing) by WHQL? That might cause problems as well: try installing signed drivers if possible.
0
 
ZsaltzmanAuthor Commented:
I am still waiting to go on-site.  The user hasn't reported any more blue screens (using it standalone only without the USB dock--which the offending bluetooth adapter is plugged into).

I will update later.
0
 
ZsaltzmanAuthor Commented:
Updating the BIOS seemed to fix this issue.
0
Tackle projects and never again get stuck behind a technical roadblock.
Join Now