BSOD bad_pool_header SBS 2003
Tim W
minutes before I was going to leave (3 hours ago).
Upon restart, sometimes I get to the login, and bet an 0x19
bad_pool_header. Sometimes, I get it before login. But I get it
every time.
I can get into safe mode, and if I pick 'Diagnostic Startup', I can
reboot and log in fine.
The first 2 dump files tell me the probable culprit is aswMon2.sys,
which is Avast (I have the Avast SBS suite running on here).
I tried to disable certain processes (shadow copy, and then Avast),
but every dump file still points to aswMon2.sys. My next step that I
plan on trying after I post this is to uninstall Avast and see what
happens.
I have made no hardware changes in well over a year. The last debug
of memory.dmp is included below.
If the same thing happens after I uninstall Avast, I will run
memtest. In the meantime, if anybody has any other suggestions,
please feel free to reply.
Thanks
DEBUG INFO:
-------------------------------------------------------
BAD_POOL_HEADER (19)
The pool is already corrupt at the time of the current request.
This may or may not be due to the caller.
The internal pool links must be walked to figure out a possible cause
of
the problem, and then special pool applied to the suspect tags or the
driver
verifier to a suspect driver.
Arguments:
Arg1: 00000020, a pool block header size is corrupt.
Arg2: e1647d48, The pool entry we were looking for within the page.
Arg3: e1647db0, The next pool entry.
Arg4: 0c0d0410, (reserved)
Debugging Details:
------------------
Page ea58c not present in the dump file. Type ".hh dbgerr004" for
details
Page ea860 not present in the dump file. Type ".hh dbgerr004" for
details
PEB is paged out (Peb.Ldr = 7ffd800c). Type ".hh dbgerr001" for
details
PEB is paged out (Peb.Ldr = 7ffd800c). Type ".hh dbgerr001" for
details
BUGCHECK_STR: 0x19_20
POOL_ADDRESS: e1647d48 Paged pool
DEFAULT_BUCKET_ID: DRIVER_FAULT
PROCESS_NAME: inetinfo.exe
CURRENT_IRQL: 0
LAST_CONTROL_TRANSFER: from 808927bb to 80827c63
STACK_TEXT:
b9b85344 808927bb 00000019 00000020 e1647d48 nt!KeBugCheckEx+0x1b
b9b853ac f7b7ac3c e1647d50 00000000 f7b7c2bd nt!ExFreePoolWithTag
+0x477
b9b85464 f7b7ac7f 89c3c008 e3f9e0d0 e13583b8 Ntfs!NtfsAddDosOnlyName
+0x1d1
b9b854a0 f7b904af 89c3c008 00000001 10a00400 Ntfs!NtfsAddLink+0xac
b9b8569c f7b94a04 89c3c008 8a5ec210 8a5ec3c4 Ntfs!NtfsCreateNewFile
+0x847
b9b858c0 f7b91ef8 89c3c008 8a5ec210 b9b85900 Ntfs!NtfsCommonCreate
+0x1226
b9b859c4 8081df65 8aa37020 8a5ec210 8b190030 Ntfs!NtfsFsdCreate+0x17d
b9b859d8 f725d458 8a5ec3e8 8b190030 8ad303f0 nt!IofCallDriver+0x45
b9b85a04 8081df65 8aa36260 8a5ec210 00000000 fltmgr!FltpCreate+0xe4
b9b85a18 ba25c95e 8a1eef60 8a173d58 89c92f00 nt!IofCallDriver+0x45
WARNING: Stack unwind information not available. Following frames may
be wrong.
b9b85a3c ba25683c 8a16c760 005ec210 8081df65 aswMon2+0x695e
b9b85a5c 808f8f71 b9b85c04 8b13ec70 00000000 aswMon2+0x83c
b9b85b44 80937942 8b13ec88 00000000 8991d680 nt!IopParseDevice+0xa35
b9b85bc4 80933a76 00000000 b9b85c04 00000040 nt!ObpLookupObjectName
+0x5b0
b9b85c18 808eae25 00000000 00000000 00000001 nt!ObOpenObjectByName
+0xea
b9b85c94 808ec0bf 072ef2dc 40100080 072ef278 nt!IopCreateFile+0x447
b9b85cf0 808eeb4e 072ef2dc 40100080 072ef278 nt!IoCreateFile+0xa3
b9b85d30 8088978c 072ef2dc 40100080 072ef278 nt!NtCreateFile+0x30
b9b85d30 7c8285ec 072ef2dc 40100080 072ef278 nt!KiFastCallEntry+0xfc
072ef2d4 00000000 00000000 00000000 00000000 0x7c8285ec
STACK_COMMAND: kb
FOLLOWUP_IP:
aswMon2+695e
ba25c95e eb22 jmp aswMon2+0x6982 (ba25c982)
SYMBOL_STACK_INDEX: a
SYMBOL_NAME: aswMon2+695e
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: aswMon2
IMAGE_NAME: aswMon2.SYS
DEBUG_FLR_IMAGE_TIMESTAMP: 46326b17
FAILURE_BUCKET_ID: 0x19_20_aswMon2+695e
BUCKET_ID: 0x19_20_aswMon2+695e
Followup: MachineOwner
![SuperGumby [SBS MVP]'s profile photo](https://lh3.googleusercontent.com/a/default-user=s40-c)
SuperGumby [SBS MVP]
http://www.aumha.org/a/stop.php
0x00000019: BAD_POOL_HEADER
A pool header issue is a problem with Windows memory allocation. Device
driver issues are probably the msot common, but this can have diverse causes
including bad sectors or other disk write issues, and problems with some
routers. (By theory, RAM problems would be suspect for memory pool issues,
but I haven't been able to confirm this as a cause.)
"STOP: 0x00000019" error message on Windows Server 2003 {KB 892260} Server
2003 (NTFS problem corrected in current Service Pack)
Error message when a Delayed Write Failure event is reported in Windows
Server 2003: "Stop 0x00000019 - BAD_POOL_HEADER" or "Stop 0xCD
PAGE_FAULT_BEYOND_END_OF_ALLOCATION" {KB 925259} Server 2003 (driver issue;
hotfix available)
When backing up to Clarion storage in a SAN environment, Windows Server 2003
may stop responding after restart {KB 884585} Server 2003 (caused by adding
more than 20 mount points during the backup; hotfix available)
When trying to control a Systems Management Server 2003 client from a remote
location, Stop error on SMS 2003 client {KB 905795} SMS 2003 (driver issue)
---comment---
Disk write errors. SO, yes, AV is a possibility, also %free space (DO NOT
tell me 'I have 37GB free', tell me what percentage)
"Tim W" <t...@thewescotts.com> wrote in message
news:757f483d-bce7-4403...@l64g2000hse.googlegroups.com...
Tim W
distributed network manager, did a normal startup, and no BSOD.
Everything isn't working correctly (Windows is telling me I have to re-
activate within 3 days?), but its working enough where I'm confident
the worst is behind me.
Couldn't re-install Avast for some reason; I'm going to shut it down
and come back to the office tomorrow to figure out the rest.
Any other suggestions are always appreciated, and I'll be sure to keep
this thread updated.
Thanks,
Tim
Tim W
I did a fresh install of Avast server, and left for the night while it
did the boot scan upon restart.
Got back in here around 1 to see that the server still kept crashing
with the bad_pool_header error; last dump file I grabbed pointed to
ntkrpamp. It rebooted 4 or 5 times, the 5th time it stayed up.
The one process that keeps coming up is inetinfo
It was up and running for a while, with most things working
correctly...until I rebooted it.
It has now come up with the bad_pool_error BSOD 2 more times; I'm
trying the 3rd time now. I can't hang around the office today; so no
matter what happens I'm leaving it in a few minutes and plan on
spending all day tomorrow here.
Here is the latest memory.dmp
0: kd> !analyze -v
*******************************************************************************
*
*
* Bugcheck
Analysis *
*
*
*******************************************************************************
BAD_POOL_HEADER (19)
The pool is already corrupt at the time of the current request.
This may or may not be due to the caller.
The internal pool links must be walked to figure out a possible cause
of
the problem, and then special pool applied to the suspect tags or the
driver
verifier to a suspect driver.
Arguments:
Arg1: 00000020, a pool block header size is corrupt.
Arg2: e258ca88, The pool entry we were looking for within the page.
Arg3: e258caf0, The next pool entry.
Arg4: 0c0d042a, (reserved)
Debugging Details:
------------------
Page ea36c not present in the dump file. Type ".hh dbgerr004" for
details
Page ea5e0 not present in the dump file. Type ".hh dbgerr004" for
details
PEB is paged out (Peb.Ldr = 7ffde00c). Type ".hh dbgerr001" for
details
PEB is paged out (Peb.Ldr = 7ffde00c). Type ".hh dbgerr001" for
details
BUGCHECK_STR: 0x19_20
POOL_ADDRESS: e258ca88 Paged pool
DEFAULT_BUCKET_ID: DRIVER_FAULT
PROCESS_NAME: inetinfo.exe
CURRENT_IRQL: 0
LAST_CONTROL_TRANSFER: from 808927bb to 80827c63
STACK_TEXT:
ba456310 808927bb 00000019 00000020 e258ca88 nt!KeBugCheckEx+0x1b
ba456378 f7b7ac3c e258ca90 00000000 f7b7c2bd nt!ExFreePoolWithTag
+0x477
ba456430 f7b7ac7f 89628450 e42c8b38 e41299a8 Ntfs!NtfsAddDosOnlyName
+0x1d1
ba45646c f7b904af 89628450 00000001 08410400 Ntfs!NtfsAddLink+0xac
ba456668 f7b94a04 89628450 8a038008 8a0381bc Ntfs!NtfsCreateNewFile
+0x847
ba45688c f7b91ef8 89628450 8a038008 ba4568cc Ntfs!NtfsCommonCreate
+0x1226
ba456990 8081df65 8acba020 8a038008 8a038008 Ntfs!NtfsFsdCreate+0x17d
ba4569a4 f725d54d 895e1a80 00000000 8b12fbe0 nt!IofCallDriver+0x45
ba4569d4 8081df65 8b0781c0 8a038008 8a038008 fltmgr!FltpCreate+0x1d9
ba4569e8 f724fb25 00000000 8a038008 8a0381e0 nt!IofCallDriver+0x45
ba456a0c f725d5de ba456a2c 8a545318 00000000 fltmgr!
FltpLegacyProcessingAfterPreCallbacksCompleted+0x20b
ba456a48 8081df65 8a545318 8a038008 8a038008 fltmgr!FltpCreate+0x26a
ba456a5c 808f8f71 ba456c04 8b151018 00000000 nt!IofCallDriver+0x45
ba456b44 80937942 8b151030 00000000 897052e8 nt!IopParseDevice+0xa35
ba456bc4 80933a76 00000000 ba456c04 00000040 nt!ObpLookupObjectName
+0x5b0
ba456c18 808eae25 00000000 00000000 4d998001 nt!ObOpenObjectByName
+0xea
ba456c94 808ec0bf 152af2dc 40100080 152af278 nt!IopCreateFile+0x447
ba456cf0 808eeb4e 152af2dc 40100080 152af278 nt!IoCreateFile+0xa3
ba456d30 8088978c 152af2dc 40100080 152af278 nt!NtCreateFile+0x30
ba456d30 7c8285ec 152af2dc 40100080 152af278 nt!KiFastCallEntry+0xfc
WARNING: Frame IP not in any known module. Following frames may be
wrong.
152af2d4 00000000 00000000 00000000 00000000 0x7c8285ec
STACK_COMMAND: kb
FOLLOWUP_IP:
nt!ExFreePoolWithTag+477
808927bb ff75fc push dword ptr [ebp-4]
SYMBOL_STACK_INDEX: 1
SYMBOL_NAME: nt!ExFreePoolWithTag+477
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: nt
IMAGE_NAME: ntkrpamp.exe
DEBUG_FLR_IMAGE_TIMESTAMP: 45ec0a19
FAILURE_BUCKET_ID: 0x19_20_nt!ExFreePoolWithTag+477
BUCKET_ID: 0x19_20_nt!ExFreePoolWithTag+477
Followup: MachineOwner
---------
Tim W
there seems to be no rhyme or reason as to when this comes up. Seemed
to be only during restart...then I could consistantly boot if I
disabled firewall and ISA during startup. Event log showed an error
with ISA regarding a web proxy filter not able to load..and ISA also
wouldn't take any changes I made. So I tried to uninstall ISA, and
halfway through the uninstall, I got the BSOD again. Figured maybe
the HD was corrupt whereever ISA resided, so I ran a chkdsk on
restart.
After 5 hours, it booted into Windows, but ISA had the same errors,
and Firewall wouldn't start. I competed the ISA uninstall, and the
last step where it has me run the connect to internet wizard, I got
the BSOD right where I was supposed to accept the certificate. BSOD
again while restarting; I'm about to go into safe mode again and try
to disable certain things.
There were some errors in the chkdsk that it supposedly fixed.
> ...
>
> read more »
Robbin Meng [MSFT]
Hello Tim,
Thank you for your post.
This is a kernel mode crash issue with error code 0x00000019:
BAD_POOL_HEADER. Generally it occurs when a driver tried to access an
address that is pageable (or that is completely invalid) while the IRQL was
too high.
To troubleshoot this kind of kernel crash issue, we need to debug the
crashed system dump. Unfortunately, debugging is beyond what we can do in
the forum. A suggestion would be to contact Microsoft Customer Service and
Support (CSS) via telephone so that a dedicated Support Professional can
assist with your request. Please be advised that contacting phone support
will be a charged call.
To obtain the phone numbers for specific technology request please take a
look at the web site listed below:
http://support.microsoft.com/default.aspx?scid=fh;EN-US;OfferProPhone#faq607
I hope the problem will be resolved soon. Thank you for your time and
cooperation!
(Please note that the newsgroups are staffed weekdays by Microsoft Support
professionals to answer your non-urgent, break/fix systems and applications
questions. Our goal is to provide 24 hour response to all questions. If
this response time does not meet your needs, please contact Customer
Service and Support (CSS) for more immediate assistance. For more
information on available CSS services, please click here:
http://support.microsoft.com/default.aspx?scid=fh;EN-US;OfferProPhone#faq607
)
Thank you for your time and cooperation!
Best regards,
Robbin Meng(MSFT)
Microsoft CSS Online Newsgroup Support
Get Secure! - www.microsoft.com/security
=====================================================
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx
When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.
Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.
For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.
Any input or comments in this thread are highly appreciated.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
![Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]'s profile photo](http://lh3.googleusercontent.com/a-/ALV-UjVWEHNriBiYPzXk-vgDPwHLgmiXqqoZ_BdoNm0rTxa-ZYFnAw=s40-c)
Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
http://blogs.technet.com/petergal/archive/2006/03/23/422993.aspx
try that
> .)
Tim W
general to pinpoint the problem (at first it blamed my antivirus;
after I uninstalled that it blamed the NT kernel).
I finally called MS when I got a chance yesterday. Gave him all
my .dmp files, and it turns out my problem is one MS knows about and
are preparing a hotfix for. They sent me the hotfix and I also made
the registry change outlined in the KB article below. This KB isn't
up yet last I checked:
KB948289
SYMPTOMS
You may receive a Stop error message that resembles the following on a
Windows Server 2003-based computer:
STOP: 0x00000019 ( parameter1 , parameter2 , parameter3 , parameter4 )
Notes
•
The parameters in this Stop error message vary, depending on the
configuration of the computer and on the type of the issue.
•
Not all "0x00000019" Stop errors are caused by this problem.
CAUSE
This problem occurs because the pool memory is unexpectedly corrupted.
This problem occurs when the NTFS file system creates a name in the
8.3 name format for a file that has a long file name.
WORKAROUND
To work around this problem, disable 8.3 name creation. To do this,
use one of the following methods.
Method 1
1.
Run the following command at a command prompt:
fsutil behavior set disable8dot3 1
2.
Restart the computer.
Method 2
Important This section, method, or task contains steps that tell you
how to modify the registry. However, serious problems might occur if
you modify the registry incorrectly. Therefore, make sure that you
follow these steps carefully. For added protection, back up the
registry before you modify it. Then, you can restore the registry if a
problem occurs. For more information about how to back up and restore
the registry, click the following article number to view the article
in the Microsoft Knowledge Base:
322756 How to back up and restore the registry in Windows
1.
Click Start, click Run, type regedit , and then click OK.
2.
Locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem
3.
Right-click NtfsDisable8dot3NameCreation, and then click Modify.
4.
In the Value data box, type 1 , and then click OK.
Note The default value is 0.
5.
Exit Registry Editor.
6.
To make this registry change effective, restart the computer.
On Jun 24, 2:40 am, "Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]"
<sbrad...@pacbell.net> wrote:
> If you can get a .dmp file off the boxhttp://blogs.technet.com/petergal/archive/2006/03/23/422993.aspx
> try that
>
> Robbin Meng [MSFT] wrote:
> > Hello Tim,
>
> > Thank you for your post.
>
> > This is a kernel mode crash issue with error code 0x00000019:
> > BAD_POOL_HEADER. Generally it occurs when a driver tried to access an
> > address that is pageable (or that is completely invalid) while the IRQL was
> > too high.
>
> > To troubleshoot this kind of kernel crash issue, we need to debug the
> > crashed system dump. Unfortunately, debugging is beyond what we can do in
> > the forum. A suggestion would be to contact Microsoft Customer Service and
> > Support (CSS) via telephone so that a dedicated Support Professional can
> > assist with your request. Please be advised that contacting phone support
> > will be a charged call.
>
> > To obtain the phone numbers for specific technology request please take a
> > look at the web site listed below:
>
> >http://support.microsoft.com/default.aspx?scid=fh;EN-US;OfferProPhone...
>
> > I hope the problem will be resolved soon. Thank you for your time and
> > cooperation!
>
> > (Please note that the newsgroups are staffed weekdays by Microsoft Support
> > professionals to answer your non-urgent, break/fix systems and applications
> > questions. Our goal is to provide 24 hour response to all questions. If
> > this response time does not meet your needs, please contact Customer
> > Service and Support (CSS) for more immediate assistance. For more
> > information on available CSS services, please click here:
> >http://support.microsoft.com/default.aspx?scid=fh;EN-US;OfferProPhone...
> > .)
>
> > Thank you for your time and cooperation!
>
> > Best regards,
> > Robbin Meng(MSFT)
>
> > Microsoft CSS Online Newsgroup Support
> > Get Secure! -www.microsoft.com/security
>
> > =====================================================
> > This newsgroup only focuses on SBS technical issues. If you have issues
> > regarding other Microsoft products, you'd better post in the corresponding
> > newsgroups so that they can be resolved in an efficient and timely manner.
> > You can locate the newsgroup here:
> >http://www.microsoft.com/communities/newsgroups/en-us/default.aspx
>
> > When opening a new thread via the web interface, we recommend you check the
> > "Notify me of replies" box to receive e-mail notifications when there are
> > any updates in your thread. When responding to posts via your newsreader,
> > please "Reply to Group" so that others may learn and benefit from your
> > issue.
>
> > Microsoft engineers can only focus on one issue per thread. Although we
> > provide other information for your reference, we recommend you post
> > different incidents in different threads to keep the thread clean. In doing
> > so, it will ensure your issues are resolved in a timely manner.
>
> > For urgent issues, you may want to contact Microsoft CSS directly. Please
> > checkhttp://support.microsoft.comfor regional support phone numbers.