Error Bad Pool Header

  • Question

  • I have had frequent crashes (Windows 8) with the message Bad Pool Header.

    Looks like it has something to do with the network card; it only happens when I'm using Wi-Fi and I'm a bit far from the router, with a slightly weaker signal.

    Is it related?

    What do I do to solve it?

    My laptop is a Dell Inspiron 14z.

    Thank you.
    Monday, April 14, 2014 1:38 AM

Answers

  • Not a problem! Luckily, in this case, it appears that a kernel-dump won't be necessary.

    We have a few bug checks:

    BAD_POOL_HEADER (19)

    This indicates that a pool header is corrupt.

    BugCheck 19, {d, ffffe0000f4fc32f, c2fbebf7646c9270, 6c2fbebf7646c8d}
    ^^

    2: kd> !pool ffffe0000f4fc32f
    Pool page ffffe0000f4fc32f region is Unknown
     ffffe0000f4fc000 size:   e0 previous size:    0  (Allocated)  klpt
     ffffe0000f4fc0e0 size:   a0 previous size:   e0  (Free)       Free
     ffffe0000f4fc180 size:   e0 previous size:   a0  (Allocated)  klpt
    *ffffe0000f4fc260 size:   d0 previous size:   e0  (Allocated) *KLsc
    		Owning component : Unknown (update pooltag.txt)
     ffffe0000f4fc330 size:   50 previous size:   d0  (Free )  KLWp
     ffffe0000f4fc380 size:  100 previous size:   50  (Allocated)  KPXY
     ffffe0000f4fc480 size:   a0 previous size:  100  (Allocated)  dlib
     ffffe0000f4fc520 size:   d0 previous size:   a0  (Allocated)  KLsc
     ffffe0000f4fc5f0 size:   90 previous size:   d0  (Allocated)  KLsm
     ffffe0000f4fc680 size:   d0 previous size:   90  (Allocated)  KLsh
     ffffe0000f4fc750 size:  250 previous size:   d0  (Allocated)  @GM2
     ffffe0000f4fc9a0 size:   d0 previous size:  250  (Allocated)  KLsc
     ffffe0000f4fca70 size:   d0 previous size:   d0  (Allocated)  KLsh
     ffffe0000f4fcb40 size:  250 previous size:   d0  (Allocated)  klxm
     ffffe0000f4fcd90 size:   40 previous size:  250  (Allocated)  klqi
     ffffe0000f4fcdd0 size:   90 previous size:   40  (Allocated)  KLsm
     ffffe0000f4fce60 size:   d0 previous size:   90  (Allocated)  KLsh
     ffffe0000f4fcf30 size:   d0 previous size:   d0  (Allocated)  KLsh

    ^^ The pool block we're looking at within the pool page belongs to KLsc (unknown). When the owning component is unknown and it alerts to update the pooltag, it's generally a 3rd party driver causing corruption.

    We can confirm this by checking the call stack:

    2: kd> k
    Child-SP          RetAddr           Call Site
    ffffd000`2256ea48 fffff803`83f18167 nt!KeBugCheckEx
    ffffd000`2256ea50 fffff803`83f17a03 nt!ExFreePoolWithTag+0xe97
    ffffd000`2256ead0 fffff800`023e9918 nt!ExFreePoolWithTag+0x733
    ffffd000`2256eba0 fffff803`83c86000 klwfp+0x7918
    ffffd000`2256eba8 ffffe000`00000000 nt!_guard_check_icall_fptr <PERF> (nt+0x0)
    ffffd000`2256ebb0 ffffd000`2256ebe8 0xffffe000`00000000
    ffffd000`2256ebb8 00000000`70574c4b 0xffffd000`2256ebe8
    ffffd000`2256ebc0 fffff800`01992d60 0x70574c4b
    ffffd000`2256ebc8 fffff800`019aaf51 klflt+0xed60
    ffffd000`2256ebd0 ffffe000`0048d2f0 klflt+0x26f51
    ffffd000`2256ebd8 ffffc000`1197b000 0xffffe000`0048d2f0
    ffffd000`2256ebe0 ffffe000`0e0282b0 0xffffc000`1197b000
    ffffd000`2256ebe8 ffffe000`0e09a2a0 0xffffe000`0e0282b0
    ffffd000`2256ebf0 00000000`00000000 0xffffe000`0e09a2a0

    ^^ The driver(s) which appeared to have contributed to the corruption are Kaspersky drivers, with klwfp.sys (the one that caused the pool corruption) specifically being the Network Filtering Component driver for Kaspersky.

    DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)

    This indicates that a kernel-mode driver attempted to access pageable memory at a process IRQL that was too high.

    A driver tried to access an address that is pageable (or that is completely invalid) while the IRQL was too high. This bug check is usually caused by drivers that have used improper addresses.

    Unable to load image \SystemRoot\system32\DRIVERS\klwfp.sys, Win32 error 0n2
    *** WARNING: Unable to verify timestamp for klwfp.sys
    *** ERROR: Module load completed but symbols could not be loaded for klwfp.sys
    Probably caused by : klwfp.sys ( klwfp+6ff1 )

    ^^ Once again, the Network Filtering Component driver for Kaspersky.

    ------------------

    Remove and replace Kaspersky with Windows 8's built-in Windows Defender for temporary troubleshooting purposes as it appears to be causing NETBIOS conflicts:

    Kaspersky removal - http://support.kaspersky.com/common/service.aspx?el=1464

    Windows Defender (how to turn on after removal) - http://www.eightforums.com/tutorials/21962-windows-defender-turn-off-windows-8-a.html

    Regards,

    Patrick
    • Proposed as answer by ZigZag3143x Tuesday, April 15, 2014 4:57 PM
    • Marked as answer by Michael_Martin Thursday, April 17, 2014 4:32 PM
    Tuesday, April 15, 2014 3:26 PM
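
An added example, not part of the original answer and not any debugger's own code: a small Python parser for the !pool listing above that checks whether each block's size and previous size agree with its neighbours, and reports which block holds the address from the bug check. The function names are illustrative.

```python
import re
# Block lines copied from the !pool listing in the answer above.
POOL_OUTPUT = """\
 ffffe0000f4fc000 size:   e0 previous size:    0  (Allocated)  klpt
 ffffe0000f4fc0e0 size:   a0 previous size:   e0  (Free)       Free
 ffffe0000f4fc180 size:   e0 previous size:   a0  (Allocated)  klpt
*ffffe0000f4fc260 size:   d0 previous size:   e0  (Allocated) *KLsc
 ffffe0000f4fc330 size:   50 previous size:   d0  (Free )  KLWp
 ffffe0000f4fc380 size:  100 previous size:   50  (Allocated)  KPXY
 ffffe0000f4fc480 size:   a0 previous size:  100  (Allocated)  dlib
 ffffe0000f4fc520 size:   d0 previous size:   a0  (Allocated)  KLsc
 ffffe0000f4fc5f0 size:   90 previous size:   d0  (Allocated)  KLsm
 ffffe0000f4fc680 size:   d0 previous size:   90  (Allocated)  KLsh
 ffffe0000f4fc750 size:  250 previous size:   d0  (Allocated)  @GM2
 ffffe0000f4fc9a0 size:   d0 previous size:  250  (Allocated)  KLsc
 ffffe0000f4fca70 size:   d0 previous size:   d0  (Allocated)  KLsh
 ffffe0000f4fcb40 size:  250 previous size:   d0  (Allocated)  klxm
 ffffe0000f4fcd90 size:   40 previous size:  250  (Allocated)  klqi
 ffffe0000f4fcdd0 size:   90 previous size:   40  (Allocated)  KLsm
 ffffe0000f4fce60 size:   d0 previous size:   90  (Allocated)  KLsh
 ffffe0000f4fcf30 size:   d0 previous size:   d0  (Allocated)  KLsh
"""
LINE = re.compile(r"^\s*\*?([0-9a-f]{16}) size:\s*([0-9a-f]+) previous size:\s*([0-9a-f]+)"
                  r"\s+\((\w+)\s*\)\s+\*?(\S+)", re.M)

def parse_pool(text):  # -> [(address, size, previous_size, state, tag), ...]
    return [(int(a, 16), int(s, 16), int(p, 16), st, tag)
            for a, s, p, st, tag in LINE.findall(text)]

def chain_errors(blocks):
    # Each block must start where the previous one ends and record its size.
    errors = []
    for prev, cur in zip(blocks, blocks[1:]):
        if prev[0] + prev[1] != cur[0]:
            errors.append(f"{cur[0]:x}: does not start where {prev[0]:x} ends")
        if cur[2] != prev[1]:
            errors.append(f"{cur[0]:x}: previous size {cur[2]:x} != {prev[1]:x}")
    return errors

def locate(blocks, address):  # block containing address, and the offset into it
    for blk in blocks:
        if blk[0] <= address < blk[0] + blk[1]:
            return blk, address - blk[0]
    return None, None

if __name__ == "__main__":
    blocks = parse_pool(POOL_OUTPUT)
    print(chain_errors(blocks) or "chain consistent", locate(blocks, 0xffffe0000f4fc32f))
```

On this listing the size chain is consistent, and ffffe0000f4fc32f is offset 0xcf of the 0xd0-byte KLsc block: its last byte, immediately before the KLWp header at ffffe0000f4fc330.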

All replies

  • Hi,

    In order to assist you, we will need the .DMP files to analyze what exactly occurred at the time of the crash, etc.

    If you don't know where .DMP files are located, here's how to get to them:

    1. Navigate to the %systemroot%\Minidump folder.

    2. Copy any and all DMP files in the Minidump folder to your Desktop and then zip up these files.

    3. Upload the zip containing the .DMP files to OneDrive or a hosting site of your choice and paste in your reply. Preferred sites: OneDrive, Mediafire, Dropbox, etc. Nothing with wait-timers.

    4 (optional): The type of .DMP files located in the Minidump folder are known as Small Memory Dumps. In %systemroot% there will be what is known as a Kernel-Dump (if your system is set to generate). It is labeled MEMORY.DMP. The difference between Small Memory Dumps and Kernel-Dumps in the simplest definition is a Kernel-Dump contains much more information at the time of the crash, therefore allowing further debugging of your issue. If your upload speed permits it, and you aren't going against any strict bandwidth and/or usage caps, etc, the Kernel-Dump is the best choice. Do note that Kernel-Dumps are much larger in size due to containing much more info, which is why I mentioned upload speed, etc.

    If you are going to use OneDrive but don't know how to upload to it, please visit the following:

    Upload photos and files to OneDrive.

    Please note that any "cleaner" programs such as TuneUp Utilities, CCleaner, etc, by default will delete .DMP files upon use.

    If your computer is not generating .DMP files, please do the following:

    1. Start > type %systemroot% which should show the Windows folder, click on it. Once inside that folder, ensure there is a Minidump folder created. If not, CTRL-SHIFT-N to make a New Folder and name it Minidump.

    2. Windows key + Pause key. This should bring up System. Click Advanced System Settings on the left > Advanced > Performance > Settings > Advanced > Ensure there's a check-mark for 'Automatically manage paging file size for all drives'.

    3. Windows key + Pause key. This should bring up System. Click Advanced System Settings on the left > Advanced > Startup and Recovery > Settings > System Failure > ensure there is a check mark next to 'Write an event to the system log'.

    Ensure Small Memory Dump is selected and ensure the path is %systemroot%\Minidump.

    4. Double check that the WERS is ENABLED:

    Start > Search > type services.msc > Under the name tab, find Windows Error Reporting Service > If the status of the service is not Started then right click it and select Start. Also ensure that under Startup Type it is set to Automatic rather than Manual. You can do this by right clicking it, selecting properties, and under General selecting startup type to 'Automatic', and then click Apply.

    If you cannot get into normal mode to do any of this, please do this via Safe Mode.

    Regards,

    Patrick
    Monday, April 14, 2014 2:55 AM
  • Hi

    Here is the dmp zip file link: http://1drv.ms/1eKE6pC

    The memory.dmp file is almost 1 GB. So, I can only upload it at home.

    Thank you for your help.

    Tuesday, April 15, 2014 2:30 PM
  • Well, I was suspicious of the antivirus software. I will follow the instructions and report as soon as possible. Thank you again.
    Wednesday, April 16, 2014 4:34 PM
  • My pleasure, please keep me updated!

    Regards,

    Patrick
    Wednesday, April 16, 2014 4:44 PM