[SOLVED] BSOD BAD_POOL_HEADER

[Ethan]

I haven't had this problem for some time but now that it starts i'm afraid it will continue so I am relying on you guys or girls to help me out on this one. :)

 

[Patrick]

Easy crash.

3: kd> .bugcheck
Bugcheck code 00000019
Arguments 00000000`00000020 ffffe000`89b76bf0 ffffe000`89b76c10 00000000`04020020

3: kd> !pool ffffe00089b76bf0
Pool page ffffe00089b76bf0 region is Unknown
 ffffe00089b76000 size:   e0 previous size:    0  (Allocated)  IoCo
 ffffe00089b760e0 size:   80 previous size:   e0  (Allocated)  Even
 ffffe00089b76160 size:   90 previous size:   80  (Allocated)  Vadl
 ffffe00089b761f0 size:  150 previous size:   90  (Allocated)  File
 ffffe00089b76340 size:   e0 previous size:  150  (Allocated)  EtwR
 ffffe00089b76420 size:   e0 previous size:   e0  (Allocated)  EtwR
 ffffe00089b76500 size:   80 previous size:   e0  (Allocated)  Even
 ffffe00089b76580 size:  150 previous size:   80  (Allocated)  File
 ffffe00089b766d0 size:  150 previous size:  150  (Allocated)  File
 ffffe00089b76820 size:  150 previous size:  150  (Allocated)  File
 ffffe00089b76970 size:   40 previous size:  150  (Allocated)  MmSe
 ffffe00089b769b0 size:   40 previous size:   40  (Allocated)  MmSe
 ffffe00089b769f0 size:  200 previous size:   40  (Free )  NpFR
*ffffe00089b76bf0 size:   20 previous size:  200  (Free ) *Ipng
        Pooltag Ipng : IP Generic buffers (Address, Interface, Packetize, Route allocations), Binary : tcpip.sys

3: kd> !poolval ffffe00089b76bf0
Pool page ffffe00089b76bf0 region is Unknown

Validating Pool headers for pool page: ffffe00089b76bf0

Pool page [ ffffe00089b76000 ] is __inVALID.

Analyzing linked list...
[ ffffe00089b76bf0 --> ffffe00089b76cf0 (size = 0x100 bytes)]: Corrupt region

Corrupt pool, specifically regarding the IP generic buffers tag. With that said, we can assume this is being caused by a network related driver.

3: kd> knL
 # Child-SP          RetAddr           Call Site
00 ffffd000`79a1f088 fffff802`b612e0f4 nt!KeBugCheckEx
01 ffffd000`79a1f090 fffff801`ad026819 nt!ExAllocatePoolWithTag+0x1204
02 ffffd000`79a1f180 fffff801`ad144f0a tcpip!IppInspectBuildHeaders+0x5e9
03 ffffd000`79a1f470 fffff801`af294135 fwpkclnt!FwpsConstructIpHeaderForTransportPacket0+0x1be
04 ffffd000`79a1f520 00000000`00000008 mwac+0x6135
05 ffffd000`79a1f528 ffffd000`00000014 0x8
06 ffffd000`79a1f530 ffffe000`8976af00 0xffffd000`00000014
07 ffffd000`79a1f538 ffffe000`8976af24 0xffffe000`8976af00
08 ffffd000`79a1f540 ffffe000`8976af14 0xffffe000`8976af24
09 ffffd000`79a1f548 ffffe000`00000011 0xffffe000`8976af14
0a ffffd000`79a1f550 00000000`00000000 0xffffe000`00000011

Looking at the stack, we can see Malwarebytes' web access control driver calling the FwpsConstructIpHeaderForTransportPacket0 function to rebuild a preexisting IP header in a packet (that's why we see IP generic buffers' pooltag in the pool block dump).

Most I can recommend for now is to just remove Malwarebytes or contact their support to see if it's a bug.

 

[Ethan]

Thank you so much I will remove that now and I was trying to get the rest of the info like mother board but Im glad you where able to find the information without it.

 

[Patrick]

You're welcome.

 

[Ethan]

Another thing to ask, I been having this kind of crash for some time like maybe 3 times a day every day for a week it starts and stops. Was this the problem that it was causeing me to crash so many times?

 

[Patrick]

Can't say for sure, but probably.

 

[Ethan]

K thank you again, I have been telling my friends about you guys here so much they say I practically a Advertisement <3

 

[Patrick]

Thanks, it's certainly appreciated.