Bad_Pool_Caller - BSOD Windows 8.1 led to sfc /scannow revealing corrupted files

sarathnair (Member; joined Jun 24, 2015; 7 posts)
Hi All,

I am not a computer geek/expert, and whatever I have done so far, I have done through numerous Google searches of forums and posts put up by helpful users such as yourself, and thanks a ton for that, first of all.

Ok, I keep getting a Bad_Pool_Caller BSOD on my laptop. The strange thing is that this occurs only when I connect to my company intranet, where a weekly password is issued to connect to internet. Without fail, I enter this password, and I go into a BSOD. I restart my system, and my internet is working and no BSOD issues as long as I am connected to the internet. The moment I let my system go idle, the company intranet logs me off the internet and I need to put in my password again which causes the BSOD again. I am convinced that the BSOD is triggered by some security rules activated when I enter the password to access the company WIFI Internet.

The Office IT refuses to assist since it is my personal laptop. And I do not face this issue at home or elsewhere and this seems to be an issue only here in the office. I am at my wits' end trying to figure out how to resolve this.

Am attaching here the sfc scannow results - View attachment sfcdetails.txt

I do not know how to attach the minidump from the last time I faced the BSOD - It says I need administrative privileges.

Would appreciate assistance from anyone who can provide a clue as to wtf is going on, and how to resolve it.

Regards
S
 
Hi There,

I followed the instructions and generated the zip file. But I am unable to run the perfmon /report as it keeps throwing an error although I ran it from the Admin command prompt. I haven't run the steps after that as I am not sure if the perfmon step is necessary to execute the rest of them.

I apologize if I seem dumb but I am just not sure what I need to do next. Am attaching here the zip folder. View attachment 13638

Thanks
S
 
That's okay, the perfmon isn't a big deal.

I'll analyze the crashes and post back when I can.
 
Code:
2: kd> .bugcheck
Bugcheck code 000000C2
Arguments 00000000`00000007 00000000`00001200 00000000`68d40000 ffffe000`b62c8228

So the reason you're crashing is because a driver is attempting to free pool which was previously already freed.

Code:
2: kd> knL
 # Child-SP          RetAddr           Call Site
00 ffffd001`313e3508 fffff803`a76b4ff2 nt!KeBugCheckEx
01 ffffd001`313e3510 fffff801`abd2691f nt!ExAllocatePoolWithTag+0x1102
02 ffffd001`313e3600 fffff801`abf1d824 NETIO!NetioFreeMdl+0x20d7f
03 ffffd001`313e3650 fffff801`abcf88c1 tcpip!FlpReturnNetBufferListChain+0x87094
04 ffffd001`313e36a0 fffff801`ac0a5792 NETIO!NetioDereferenceNetBufferList+0xc1
05 ffffd001`313e3720 fffff801`ac0a630d fwpkclnt!FwppDereferenceNetioNetBufferList+0x46
06 ffffd001`313e3770 fffff801`ac0a6466 fwpkclnt!FwpsDereferenceNetBufferList0+0x25
07 ffffd001`313e37a0 fffff801`af3b6728 fwpkclnt!FwpsFreeCloneNetBufferList0+0x106
08 ffffd001`313e37e0 ffffe000`b6211c00 aswStm+0x7728
09 ffffd001`313e37e8 00000000`00000000 0xffffe000`b6211c00

From the looks of it, avast! Antivirus Stream Filter driver looks to be freeing a memory descriptor list by calling NETIO, and that's when we go off the rails. So, it's safe to say it's probably avast!'s driver.

Code:
2: kd> !pool ffffe000b62c8228
Pool page ffffe000b62c8228 region is Unknown
 ffffe000b62c8000 size:  110 previous size:    0  (Allocated)  MmCa
 ffffe000b62c8110 size:   10 previous size:  110  (Free)       Free
 ffffe000b62c8120 size:   30 previous size:   10  (Allocated)  ReEv
 ffffe000b62c8150 size:   d0 previous size:   30  (Allocated)  Mdl 
*ffffe000b62c8220 size:   d0 previous size:   d0  (Allocated) *Mdl 
        Pooltag Mdl  : Io, Mdls
 ffffe000b62c82f0 size:  820 previous size:   d0  (Allocated)  CcVl
 ffffe000b62c8b10 size:   d0 previous size:  820  (Allocated)  LfsS
 ffffe000b62c8be0 size:  420 previous size:   d0  (Allocated)  CcVp

We can see the memory descriptor list pooltag mentioned in the poolblock that was being deallocated.

Let's get rid of avast! for now and let me know how it goes.

avast! removal - Avast Uninstall Utility | Download aswClear for Avast Removal

Windows Defender (how to turn on after removal)

A. Navigate to Control Panel (with icons). You can do this by hitting Start > Search > Control Panel. Once in Control Panel, change the drop-down from Category to Large and/or Small icons.

B. Among the list of icons, find and click Action Center.

C. Assuming the removal of your prior antivirus software went properly, you will notice for both Spyware and unwanted software protection (important) and Virus protection (important), it'll have a button labeled Turn on now. Click this button (it doesn't matter which, as Windows Defender serves as both in Windows 8/8.1).
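The triage steps from the analysis post above, written out as an added example that is not part of the original thread: it converts the bugcheck arguments to integers, walks the `knL` stack to the first call site outside the Windows networking modules, and finds the `!pool` entry covering the address in argument 4. The function names and the `OS_MODULES` set are assumptions made for this trace.

```python
import re

# Debugger output copied from the analysis post above (stack and pool list abridged).
ARGS = "00000000`00000007 00000000`00001200 00000000`68d40000 ffffe000`b62c8228"
STACK = """\
00 ffffd001`313e3508 fffff803`a76b4ff2 nt!KeBugCheckEx
01 ffffd001`313e3510 fffff801`abd2691f nt!ExAllocatePoolWithTag+0x1102
02 ffffd001`313e3600 fffff801`abf1d824 NETIO!NetioFreeMdl+0x20d7f
03 ffffd001`313e3650 fffff801`abcf88c1 tcpip!FlpReturnNetBufferListChain+0x87094
07 ffffd001`313e37a0 fffff801`af3b6728 fwpkclnt!FwpsFreeCloneNetBufferList0+0x106
08 ffffd001`313e37e0 ffffe000`b6211c00 aswStm+0x7728
09 ffffd001`313e37e8 00000000`00000000 0xffffe000`b6211c00
"""
POOL = """\
 ffffe000b62c8150 size:   d0 previous size:   30  (Allocated)  Mdl
*ffffe000b62c8220 size:   d0 previous size:   d0  (Allocated) *Mdl
 ffffe000b62c82f0 size:  820 previous size:   d0  (Allocated)  CcVl
"""
# Assumption: modules treated as Windows components for this trace only.
OS_MODULES = {"nt", "netio", "tcpip", "fwpkclnt"}
POOL_LINE = re.compile(r"\*?\s*([0-9a-f]{16}) size:\s*([0-9a-f]+) previous size:"
                       r"\s*[0-9a-f]+\s+\((\w+)\)\s*\*?(\S+)", re.I)

def parse_args(text):
    """Turn the four bugcheck arguments (with ` separators) into integers."""
    return [int(a.replace("`", ""), 16) for a in text.split()]

def first_third_party_frame(stack_text):
    """Walk down from the bugcheck; return (frame, module) of the first
    symbolized call site outside OS_MODULES, i.e. the driver behind this free."""
    for line in stack_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[3].startswith("0x"):
            continue                      # header line or raw return address
        module = re.split(r"[!+]", parts[3])[0]
        if module.lower() not in OS_MODULES:
            return int(parts[0], 16), module
    return None

def block_containing(pool_text, addr):
    """Find the !pool entry whose [start, start+size) range covers addr."""
    for line in pool_text.splitlines():
        m = POOL_LINE.match(line)
        if m and int(m[1], 16) <= addr < int(m[1], 16) + int(m[2], 16):
            return {"start": int(m[1], 16), "state": m[3], "tag": m[4]}
    return None

if __name__ == "__main__":
    kind, _, _, freed = parse_args(ARGS)
    print(hex(kind), first_third_party_frame(STACK), block_containing(POOL, freed))
```

The frame this returns names the driver that issued the free that tripped the bugcheck; with a double free, the earlier free may have come from different code, so the result is a lead rather than proof.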
 
Thanks Patrick

Much appreciated. I have uninstalled Avast and turned on defender.

I had pretty much been dependent on Avast to take care of my system. Will Windows Defender take care of all my virus protection or is there a different anti-virus software that I need to install?

Anyways fingers crossed and hoping that this works :)

Thanks a ton again !!!
 
Yeah, you'll be alright. I combo defender + malwarebytes as a weekly secondary standalone scanner on my system.
 
Do you still have system file corruptions shown from sfc scannow? If so, I'll get somebody who can resolve that too.
 
Hi Patrick,

I had the BSOD again today although not as frequent as it was in the previous days. It was again a Bad_Pool_caller. I have rerun your application and attached the zip file here. Please let me know what I need to do next.

View attachment 13680

Thanks & Regards
S
 
Hi Jared,

Yes, I am still showing system file corruptions from sfc scannow.

Thanks for your offer for help.

Regards
S

Hello :)

I'm one of the Windows Update specialists here, and I actually have some really good news for you. There are times - for a variety of reasons - when SFC reports corruptions which do not need any action to be taken. For all three of your corruptions, there is no concern and nothing to be fixed. This is because of a slight issue with how SFC works at the moment. Microsoft are aware and will hopefully release a patch soon, but at the moment SFC is reporting as corrupt some files which are not corrupt.

This means that we don't need to take any action. SFC will always report corruptions on your PC unfortunately, but at least you can ignore it safe in the knowledge that it isn't causing the slightest bit of harm, and that it's nothing at all to worry about.

Richard
 
Thanks Richard.

So I don't have to worry about the results thrown up by sfc scannow :)

So back to BSOD issue even after removing Avast .... hopefully Patrick can come to my rescue again :)

Thanks
S
 
He did, Jared. Post #10.

Can you enable Driver Verifier, please?

Driver Verifier:

What is Driver Verifier?

Driver Verifier monitors Windows kernel-mode drivers, graphics drivers, and even 3rd party drivers to detect illegal function calls or actions that might corrupt the system. Driver Verifier can subject the Windows drivers to a variety of stresses and tests to find improper behavior.

Essentially, if there's a 3rd party driver believed to be causing the issues at hand, enabling Driver Verifier will help us see which specific driver is causing the problem.

Before enabling Driver Verifier, it is recommended to create a System Restore Point:

Vista - START | type rstrui - create a restore point
Windows 7 - START | type create | select "Create a Restore Point"
Windows 8/8.1 - Restore Point - Create in Windows 8

How to enable Driver Verifier:

Start > type "verifier" without the quotes > Select the following options -

1. Select - "Create custom settings (for code developers)"
2. Select - "Select individual settings from a full list"
3. Check the following boxes -
- Special Pool
- Pool Tracking
- Force IRQL Checking
- Deadlock Detection
- Security Checks (only on Windows 7 & 8/8.1)
- DDI compliance checking (only on Windows 8/8.1)
- Miscellaneous Checks
4. Select - "Select driver names from a list"
5. Click on the "Provider" tab. This will sort all of the drivers by the provider.
6. Check EVERY box that is NOT provided by Microsoft / Microsoft Corporation.
7. Click on Finish.
8. Restart.

Important information regarding Driver Verifier:

- Perhaps the most important point, which I will now clarify as it has often been misunderstood: enabling Driver Verifier by itself is not a solution, but instead a diagnostic utility. It will tell us if a driver is causing your issues, but again it will not outright solve your issues.

- If Driver Verifier finds a violation, the system will BSOD. To expand on this a bit more for the interested, specifically what Driver Verifier actually does is it looks for any driver making illegal function calls, causing memory leaks, etc. When and/if this happens, system corruption occurs if allowed to continue. When Driver Verifier is enabled per my instructions above, it is monitoring all 3rd party drivers (as we have it set that way) and when it catches a driver attempting to do this, it will quickly flag that driver as being a troublemaker, and bring down the system safely before any corruption can occur.

- After enabling Driver Verifier and restarting the system, depending on the culprit, if for example the driver is on start-up, you may not be able to get back into normal Windows because Driver Verifier will detect it in violation almost straight away, and as stated above, that will cause / force a BSOD.

If this happens, do not panic, do the following:

- Boot into Safe Mode by repeatedly tapping the F8 key during boot-up.

- Once in Safe Mode - Start > Search > type "cmd" without the quotes.

- To turn off Driver Verifier, type in cmd "verifier /reset" without the quotes.

- Restart and boot into normal Windows.

If your OS became corrupt or you cannot boot into Windows after disabling verifier via Safe Mode:

- Boot into Safe Mode by repeatedly tapping the F8 key during boot-up.

- Once in Safe Mode - Start > type "system restore" without the quotes.

- Choose the restore point you created earlier.

-- Note that Safe Mode for Windows 8/8.1 is a bit different, and you may need to try different methods: 5 Ways to Boot into Safe Mode in Windows 8 & Windows 8.1

How long should I keep Driver Verifier enabled for?

I recommend keeping it enabled for at least 24 hours. If you don't BSOD by then, disable Driver Verifier. I will usually say whether or not I'd like for you to keep it enabled any longer.

My system BSOD'd with Driver Verifier enabled, where can I find the crash dumps?

- If you have the system set to generate Small Memory Dumps, they will be located in %systemroot%\Minidump.

- If you have the system set to generate Kernel Memory Dumps, it will be located in %systemroot% and labeled MEMORY.DMP.

Any other questions can most likely be answered by this article:

Using Driver Verifier to identify issues with Windows drivers for advanced users
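A command-line form of steps 1 to 7 in the Driver Verifier post above, as an added example that is not part of the original thread: it turns the ticked boxes into a `verifier /flags` value and lists only drivers whose provider is not Microsoft. The driver inventory is constructed sample data and the function names are hypothetical; the bit values are the ones Microsoft documents for `verifier /flags`.

```python
# Driver Verifier /flags bit values as documented by Microsoft.
FLAG_BITS = {
    "Special Pool": 0x1,
    "Force IRQL Checking": 0x2,
    "Pool Tracking": 0x8,
    "I/O Verification": 0x10,
    "Deadlock Detection": 0x20,
    "DMA Checking": 0x80,
    "Security Checks": 0x100,
    "Miscellaneous Checks": 0x800,
    "DDI compliance checking": 0x20000,
}
# The boxes ticked in step 3 of the post above.
POST_SELECTION = ["Special Pool", "Pool Tracking", "Force IRQL Checking",
                  "Deadlock Detection", "Security Checks",
                  "DDI compliance checking", "Miscellaneous Checks"]
# Constructed sample: (driver file, provider) pairs as the Provider tab would list them.
DRIVERS = [("ntfs.sys", "Microsoft Corporation"),
           ("examplenic.sys", "Example NIC Vendor"),
           ("tcpip.sys", "Microsoft Corporation"),
           ("examplefilter.sys", "Example Security Vendor")]

def flags_for(options):
    """OR together the bits for the chosen options; reject unknown names."""
    unknown = [o for o in options if o not in FLAG_BITS]
    if unknown:
        raise ValueError("unknown verifier option(s): %s" % ", ".join(unknown))
    value = 0
    for option in options:
        value |= FLAG_BITS[option]
    return value

def decode_flags(value):
    """Reverse mapping, for reading back a flags value someone else set."""
    return [name for name, bit in FLAG_BITS.items() if value & bit]

def third_party(drivers):
    """Step 6: keep every driver whose provider is not Microsoft."""
    return sorted(f for f, provider in drivers
                  if not provider.lower().startswith("microsoft"))

def verifier_command(options, drivers):
    """Build the command to run from an elevated prompt before restarting."""
    targets = third_party(drivers)
    if not targets:
        raise ValueError("no third-party drivers to verify")
    return "verifier /flags 0x%X /driver %s" % (flags_for(options), " ".join(targets))

if __name__ == "__main__":
    print(verifier_command(POST_SELECTION, DRIVERS))
```

Decoding the standard-settings value `0x209BB` with `decode_flags` shows that the post's selection leaves out I/O Verification and DMA Checking.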
 