none
Windows 8.1 getting constant BAD_POOL_HEADER when Kaspersky Internet Security 2014 is enabled.

    Question

  • Hi there,

    I tried to reach the Minidumps, but it shows "Access Denied" even having admin privileges. I found that whenever Kaspersky Internet Security 2014 (14.0.0.4651) is enabled and running, the problem occurs. Just disabling is not enough, when I exit the software and shutdown all services regarding to it, the system runs smoothly.

    I've tryed to reach Kaspersky about this problem, but they keep on saying that this is an Windows 8.1 issue, not theirs.

    Can you help me? What should I do?

    Thanks a lot!

    Wednesday, April 30, 2014 3:01 AM

Answers

  • Thanks very much for the kernel-dump, Marcus!

    BAD_POOL_HEADER (19) is the bug check.

    This indicates that a pool header is corrupt.

    BugCheck 19, {d, ffffe000430cc80f, 350c7fbf7d05e569, 79350c7fbf7d05fa}

    0: kd> !pool ffffe000430cc80f
    Pool page ffffe000430cc80f region is unable to get nt!MmNonPagedPoolStart
    unable to get nt!MmSizeOfNonPagedPoolInBytes
    Unknown
     ffffe000430cc000 size:   d0 previous size:    0  (Allocated)  KLsh
     ffffe000430cc0d0 size:   40 previous size:   d0  (Allocated)  klqi
     ffffe000430cc110 size:  250 previous size:   40  (Allocated)  klxm
     ffffe000430cc360 size:  250 previous size:  250  (Allocated)  klxm
     ffffe000430cc5b0 size:   90 previous size:  250  (Allocated)  KLsm
     ffffe000430cc640 size:   90 previous size:   90  (Allocated)  KLsm
     ffffe000430cc6d0 size:   a0 previous size:   90  (Allocated)  dlib
    *ffffe000430cc770 size:   a0 previous size:   a0  (Allocated) *dlib
    		Owning component : Unknown (update pooltag.txt)
    

    We can see that the pool block which we're looking within belongs to unknown, which implies that it's very likely a 3rd party driver causing the corruption. FWIW, and as far as I know, KLsm is a part of Kaspersky as it's not in the official pooltag.

    0: kd> k
    Child-SP          RetAddr           Call Site
    ffffd000`d59baa48 fffff801`e011bcf3 nt!KeBugCheckEx
    ffffd000`d59baa50 fffff801`e011ba24 nt!ExFreePoolWithTag+0xa13
    ffffd000`d59baad0 fffff800`79528bce nt!ExFreePoolWithTag+0x744
    ffffd000`d59baba0 fffff800`795def51 klif+0x15bce
    ffffd000`d59babd0 fffff801`dff55794 klflt!TmngReset+0xbd
    ffffd000`d59bac00 fffff801`dffe05c6 nt!PspSystemThreadStartup+0x58
    ffffd000`d59bac60 00000000`00000000 nt!KiStartSystemThread+0x16

    In the call stack we have two Kaspersky drivers, and it appears klif.sys (Klif Mini-Filter fre_wnet_x86)is the driver which caused the pool corruption.

    -----------------------------

    To me, this looks like a Kaspersky problem (not a surprise). I see this quite a lot, especially on Windows 8 and forward. I checked the loaded modules list and there's nothing really I see that can be causing conflicts with Kaspersky. There's one thing, however, it's a long shot as opposed to a likely conflict. It's worth removing anyway.

    AiCharger.sys is listed and loaded in the modules list which is the Ai Charger driver. It's included in many Asus bloatware, which you appear to have installed. Please go ahead and uninstall any and all Asus software as it's unnecessary bloatware.

    If the above does not help, I would contact Kaspersky and tell them that you cannot see what possibly could be going wrong on Windows' end to cause a conflict, and that you would like an explanation and/or workaround.

    Regards,

    Patrick

    “Be kind whenever possible. It is always possible.” - Dalai Lama


    Wednesday, April 30, 2014 8:57 PM

All replies

  • Hi,

    May I see your latest crash dumps, please? I'd like to see if there's a conflict going on.

    If you don't know where .DMP files are located, here's how to get to them:

    1. Navigate to the %systemroot%\Minidump folder.

    2. Copy any and all DMP files in the Minidump folder to your Desktop and then zip up these files.

    3. Upload the zip containing the .DMP files to Onedrive or a hosting site of your choice and paste in your reply. Prefered sites: Onedrive, Mediafire, Dropbox, etc. Nothing with wait-timers.

    4 (optional): The type of .DMP files located in the Minidump folder are known as Small Memory Dumps. In %systemroot% there will be what is known as a Kernel-Dump (if your system is set to generate). It is labeled MEMORY.DMP. The difference between Small Memory Dumps and Kernel-Dumps in the simplest definition is a Kernel-Dump contains much more information at the time of the crash, therefore allowing further debugging of your issue. If your upload speed permits it, and you aren't going against any strict bandwidth and/or usage caps, etc, the Kernel-Dump is the best choice. Do note that Kernel-Dumps are much larger in size due to containing much more info, which is why I mentioned upload speed, etc.

    If you are going to use Onedrive but don't know how to upload to it, please visit the following:

    Upload photos and files to Onedrive.

    Please note that any "cleaner" programs such as TuneUp Utilities, CCleaner, etc, by default will delete .DMP files upon use.

    If your computer is not generating .DMP files, please do the following:

    1. Start > type %systemroot% which should show the Windows folder, click on it. Once inside that folder, ensure there is a Minidump folder created. If not, CTRL-SHIFT-N to make a New Folder and name it Minidump.

    2. Windows key + Pause key. This should bring up System. Click Advanced System Settings on the left > Advanced > Performance > Settings > Advanced > Ensure there's a check-mark for 'Automatically manage paging file size for all drives'.

    3. Windows key + Pause key. This should bring up System. Click Advanced System Settings on the left > Advanced > Startup and Recovery > Settings > System Failure > ensure there is a check mark next to 'Write an event to the system log'.

    Ensure Small Memory Dump is selected and ensure the path is %systemroot%\Minidump.

    4. Double check that the WERS is ENABLED:

    Start > Search > type services.msc > Under the name tab, find Windows Error Reporting Service > If the status of the service is not Started then right click it and select Start. Also ensure that under Startup Type it is set to Automatic rather than Manual. You can do this by right clicking it, selecting properties, and under General selecting startup type to 'Automatic', and then click Apply.

    If you cannot get into normal mode to do any of this, please do this via Safe Mode.

    Regards,

    Patrick

    “Be kind whenever possible. It is always possible.” - Dalai Lama

    Wednesday, April 30, 2014 3:48 AM
  • Hi Patrick!

    I had 2 memory dumps under "minidump" folder and one HUGE memory.dmp file. Just zipped them altogether and uploaded to dropbox.

    Here is the URL to download: https://www.dropbox.com/s/sqygzz1bn63nzhz/Win8DMPs.zip

    Thanks a lot!

    PS: since the last time that I disabled Kaspersky, the system is running without any hangs or errors. As a first try, I have disabled that NetBIOS over TCP/IP, without any success. The only part of Kaspersky that is still running is that Kaspersky Anti-Virus NDIS 6 Filter. Should I reenable NetBIOS over TCP/IP and disable this NDIS Filter?


    Wednesday, April 30, 2014 12:21 PM
  • Thanks very much for the kernel-dump, Marcus!

    BAD_POOL_HEADER (19) is the bug check.

    This indicates that a pool header is corrupt.

    BugCheck 19, {d, ffffe000430cc80f, 350c7fbf7d05e569, 79350c7fbf7d05fa}

    0: kd> !pool ffffe000430cc80f
    Pool page ffffe000430cc80f region is unable to get nt!MmNonPagedPoolStart
    unable to get nt!MmSizeOfNonPagedPoolInBytes
    Unknown
     ffffe000430cc000 size:   d0 previous size:    0  (Allocated)  KLsh
     ffffe000430cc0d0 size:   40 previous size:   d0  (Allocated)  klqi
     ffffe000430cc110 size:  250 previous size:   40  (Allocated)  klxm
     ffffe000430cc360 size:  250 previous size:  250  (Allocated)  klxm
     ffffe000430cc5b0 size:   90 previous size:  250  (Allocated)  KLsm
     ffffe000430cc640 size:   90 previous size:   90  (Allocated)  KLsm
     ffffe000430cc6d0 size:   a0 previous size:   90  (Allocated)  dlib
    *ffffe000430cc770 size:   a0 previous size:   a0  (Allocated) *dlib
    		Owning component : Unknown (update pooltag.txt)
    

    We can see that the pool block which we're looking within belongs to unknown, which implies that it's very likely a 3rd party driver causing the corruption. FWIW, and as far as I know, KLsm is a part of Kaspersky as it's not in the official pooltag.

    0: kd> k
    Child-SP          RetAddr           Call Site
    ffffd000`d59baa48 fffff801`e011bcf3 nt!KeBugCheckEx
    ffffd000`d59baa50 fffff801`e011ba24 nt!ExFreePoolWithTag+0xa13
    ffffd000`d59baad0 fffff800`79528bce nt!ExFreePoolWithTag+0x744
    ffffd000`d59baba0 fffff800`795def51 klif+0x15bce
    ffffd000`d59babd0 fffff801`dff55794 klflt!TmngReset+0xbd
    ffffd000`d59bac00 fffff801`dffe05c6 nt!PspSystemThreadStartup+0x58
    ffffd000`d59bac60 00000000`00000000 nt!KiStartSystemThread+0x16

    In the call stack we have two Kaspersky drivers, and it appears klif.sys (Klif Mini-Filter fre_wnet_x86)is the driver which caused the pool corruption.

    -----------------------------

    To me, this looks like a Kaspersky problem (not a surprise). I see this quite a lot, especially on Windows 8 and forward. I checked the loaded modules list and there's nothing really I see that can be causing conflicts with Kaspersky. There's one thing, however, it's a long shot as opposed to a likely conflict. It's worth removing anyway.

    AiCharger.sys is listed and loaded in the modules list which is the Ai Charger driver. It's included in many Asus bloatware, which you appear to have installed. Please go ahead and uninstall any and all Asus software as it's unnecessary bloatware.

    If the above does not help, I would contact Kaspersky and tell them that you cannot see what possibly could be going wrong on Windows' end to cause a conflict, and that you would like an explanation and/or workaround.

    Regards,

    Patrick

    “Be kind whenever possible. It is always possible.” - Dalai Lama


    Wednesday, April 30, 2014 8:57 PM
  • Great Patrick!

    Thank you very much for your help. I was really wondering about those Asus pre-installed bloatware. Just removed every Asus Bloatware I could. During the uninstall the system froze for some seconds and came back and gave me an error message telling me that the nVidia driver had crashed and Windows have recovered from that crash. I realized that the current driver version was outdated and I downloaded the latest drivers from nVidia website and performed a Clean Install (that is recommended by them when updating after system crashes).

    Afte both of that actions, at least until now, the system is running ok with Kaspersky up and running.

    I'll do some tests and I get back to you.

    Thanks a lot!

    Best,

    Wednesday, April 30, 2014 9:35 PM
  • Great to hear, I look forward to your update.

    Regards,

    Patrick

    “Be kind whenever possible. It is always possible.” - Dalai Lama

    Wednesday, April 30, 2014 9:54 PM
  • Hello Patrick!

    It just happened again. I was just browsing (chrome browser) and the screen froze, the system began to become unstable and a few minutes later came the infamous BSOD with the information BAD_POOL_HEADER again.

    I think that I removed almost all bloatwares. I had to keep just one bloatware, the one that controls the trackpad, because without it I losethe interesting featuresof the trackpad.

    Kaspersky Internet Security was also running.

    After rebooting, everything seems normal. I tried to reproduce the problem but I could not.

    :(

    I have uploaded the new memory dumps in Dropbox. Here is the link: https://www.dropbox.com/s/7gxq4rvj83skla4/MemoryDumpNew.zip

    Best,

    Marcus Laranjeira www.marcuslaranjeira.com


    Friday, May 02, 2014 12:28 AM
  • It is the same bug check, with Kaspersky as the culprit. At this point, I would contact Kaspersky and see what they have to say/have regarding a workaround.

    Regards,

    Patrick

    “Be kind whenever possible. It is always possible.” - Dalai Lama

    Friday, May 02, 2014 1:12 AM
  • Hi Patrick!

    I was wondering about compatibility issues between Windows 8.1 and Kaspersky Internet Security 2014 and went to their knowledge base. I found this:

    http://support.kaspersky.com/10028

    telling that Kaspersky 14.0.0.4651 is incompatible with Windows 8.1 And that is the version I have installed.

    But this is strange since here they say that this version IS compatible.

    Anyway, I will open a ticket there and I let you know what they say.

    Best,


    Marcus Laranjeira www.marcuslaranjeira.com

    Friday, May 02, 2014 2:03 AM
  • Great, please let me know what they have to say.

    Regards,

    Patrick

    “Be kind whenever possible. It is always possible.” - Dalai Lama

    Friday, May 02, 2014 2:06 AM
  • Hi Folks,

    Would highly appreciate if you could have a look on my dump too. I am getting the BAD_POOL_HEADER BSOD  every alternate day.

    link to my dump:

    https://onedrive.live.com/?cid=AAEC507C2C950149&id=AAEC507C2C950149%21105

    I am using Asus Ultrabook X201E

    Win 8.1

    Intel cote i3 3rd Gen. 4GB RAM

    Kindly help.

    Regards

    Rajiv

    Thursday, October 02, 2014 6:15 PM