Random BSOD on Win 8.1 64 bits

luigisvc

I have been having random BSODs on my system for a week. I've tested my hardware but didn't find any problem.

I tried to collect info with SysnativeBSODCollectionApp but it keeps showing "Waiting for SystemInfo", so I'm attaching the minidump content collected a few minutes ago.

I have already checked the RAM modules and my SSD for errors, run chkdsk and corrected some errors, and updated all other installed drivers.

But it keeps crashing. Please help!
 


Code:
1: kd> .bugcheck
Bugcheck code 00000019
Arguments 00000000`00000020 ffffc001`a2f66b80 ffffc001`a2f66c10 00000000`05090106
1: kd> k
Child-SP          RetAddr           Call Site
ffffd000`27b0b638 fffff803`24eab058 nt!KeBugCheckEx
ffffd000`27b0b640 fffff801`cdcddf17 nt!ExFreePool+0x36c
ffffd000`27b0b730 fffff801`cdcddd85 Ntfs!NtfsAppendEa+0x123
ffffd000`27b0b770 fffff801`cdcdd993 Ntfs!NtfsBuildEaList+0x11d
ffffd000`27b0b7f0 fffff801`cdd4dfee Ntfs!NtfsCommonSetEa+0x2e3
ffffd000`27b0b960 fffff801`cdd4e18a Ntfs!NtfsFsdDispatchSwitch+0x13e
ffffd000`27b0b9e0 fffff801`cdb29b1e Ntfs!NtfsFsdDispatchWait+0x47
ffffd000`27b0bc30 fffff801`cdb280c2 fltmgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x2ce
ffffd000`27b0bcd0 fffff803`250d3893 fltmgr!FltpDispatch+0xb2
ffffd000`27b0bd30 fffff803`2515ab35 nt!FsRtlSetKernelEaFile+0xd7
ffffd000`27b0bd90 fffff803`250ae549 nt! ?? ::NNGAKEGL::`string'+0x27865 //nt!LdrpResSearchResourceInsideDirectory+0xc58 ??
ffffd000`27b0d1c0 fffff803`24cacff3 nt!PfSnHashUnsafeUnicodeString+0x229
ffffd000`27b0d200 fffff803`250a37d8 nt!KeExpandKernelStackAndCalloutInternal+0xf3
ffffd000`27b0d2f0 fffff803`250a36ef nt!IopReplaceSeperatorWithPound+0x2c8
ffffd000`27b0d350 fffff803`24fa891a nt!IopReplaceSeperatorWithPound+0x1df
ffffd000`27b0d400 fffff803`24fa78dd nt!ExpQuerySystemInformation+0xfea
ffffd000`27b0dac0 fffff803`24d621b3 nt!NtQuerySystemInformation+0x49
ffffd000`27b0db00 00007ffa`16a110ea nt!KiSystemServiceCopyEnd+0x13
000000cd`45d3e748 00000000`00000000 0x00007ffa`16a110ea

1: kd> !pool ffffc001a2f66c10
Pool page ffffc001a2f66c10 region is Unknown
 ffffc001a2f66000 size:  510 previous size:    0  (Allocated)  Ntff
 ffffc001a2f66510 size:   b0 previous size:  510  (Allocated)  NtFs
 ffffc001a2f665c0 size:  510 previous size:   b0  (Allocated)  Ntff
 ffffc001a2f66ad0 size:   10 previous size:  510  (Free)       Free
 ffffc001a2f66ae0 size:   40 previous size:   10  (Free )  SLS 
 ffffc001a2f66b20 size:   60 previous size:   40  (Free)       Free
 ffffc001a2f66b80 size:   90 previous size:   60  (Free )  NtFE

ffffc001a2f66c10 doesn't look like a valid small pool allocation, checking to see
if the entire page is actually part of a large page allocation...

GetUlongFromAddress: unable to read from fffff80324ebfc78
Unable to get pool big page table. Check for valid symbols.
ffffc001a2f66c10 is not valid pool. Checking for freed (or corrupt) pool
Bad previous allocation size @ffffc001a2f66c10, last size was 9

1: kd> dc ffffc001a2f66b80
ffffc001`a2f66b80  05090106 4546744e 34086787 5f0add55  ....NtFE.g.4U.._
ffffc001`a2f66b90  00000040 001e1600 52454b24 2e4c454e  @.......$KERNEL.
ffffc001`a2f66ba0  47525550 53452e45 43414342 1e004548  PURGE.ESBCACHE..
ffffc001`a2f66bb0  03000000 28060200 4b367bb3 0001d00f  .......(.{6K....
ffffc001`a2f66bc0  66d531ad 0201d00e 00000000 2e4c4500  .1.f.........EL.
ffffc001`a2f66bd0  00000000 03200109 6e664d46 00650044  ...... .FMfnD.e.
ffffc001`a2f66be0  0061006c 01ecf204 00000000 00000000  l.a.............
ffffc001`a2f66bf0  00000000 0000006a 00000000 a2f66c38  ....j.......8l..

Looks like a bug in a file system driver, not cleaning up.
We were doing some work with Extended File Attributes, which is a file stream data type, represented as ::$EA
Both times we failed at the same place, which makes this look like some poor programming code.
It looks like we were meant to flush the Kernel ESB cache by grabbing the appropriate data in the next list entry. No idea what the ESB cache is though.
Your best bet is probably Driver Verifier, this looks like a bad driver.

What is Driver Verifier?

Driver Verifier monitors Windows kernel-mode drivers, graphics drivers, and even 3rd party drivers to detect illegal function calls or actions that might corrupt the system. Driver Verifier can subject the Windows drivers to a variety of stresses and tests to find improper behavior.

Essentially, if there's a 3rd party driver believed to be causing the issues at hand, enabling Driver Verifier will help us see which specific driver is causing the problem.

Before enabling Driver Verifier, it is recommended to create a System Restore Point:

Vista - START | type rstrui - create a restore point
Windows 7 - START | type create | select "Create a Restore Point"

How to enable Driver Verifier:

Start > type "verifier" without the quotes > Select the following options -

1. Select - "Create custom settings (for code developers)"
2. Select - "Select individual settings from a full list"
3. Check the following boxes -
- Special Pool
- Pool Tracking
- Force IRQL Checking
- Deadlock Detection
- Security Checks (Windows 7 & 8/8.1)
- DDI compliance checking (Windows 8/8.1)
- Miscellaneous Checks
4. Select - "Select driver names from a list"
5. Click on the "Provider" tab. This will sort all of the drivers by the provider.
6. Check EVERY box that is NOT provided by Microsoft / Microsoft Corporation.
7. Click on Finish.
8. Restart.

Important information regarding Driver Verifier:

- If Driver Verifier finds a violation, the system will BSOD. To expand on this a bit more for the interested, specifically what Driver Verifier actually does is it looks for any driver making illegal function calls, causing memory leaks, etc. When and/if this happens, system corruption occurs if allowed to continue. When Driver Verifier is enabled per my instructions above, it is monitoring all 3rd party drivers (as we have it set that way) and when it catches a driver attempting to do this, it will quickly flag that driver as being a troublemaker, and bring down the system safely before any corruption can occur.

- After enabling Driver Verifier and restarting the system, depending on the culprit, if for example the driver is on start-up, you may not be able to get back into normal Windows because Driver Verifier will detect it in violation almost straight away, and as stated above, that will cause / force a BSOD.

If this happens, do not panic, do the following:

- Boot into Safe Mode by repeatedly tapping the F8 key during boot-up.

- Once in Safe Mode - Start > Search > type "cmd" without the quotes.

- To turn off Driver Verifier, type in cmd "verifier /reset" without the quotes.

- Restart and boot into normal Windows.

If your OS became corrupt or you cannot boot into Windows after disabling verifier via Safe Mode:

- Boot into Safe Mode by repeatedly tapping the F8 key during boot-up.

- Once in Safe Mode - Start > type "system restore" without the quotes.

- Choose the restore point you created earlier.

-- Note that Safe Mode for Windows 8/8.1 is a bit different, and you may need to try different methods: 5 Ways to Boot into Safe Mode in Windows 8 & Windows 8.1

How long should I keep Driver Verifier enabled for?

I recommend keeping it enabled for at least 24 hours. If you don't BSOD by then, disable Driver Verifier. I will usually say whether or not I'd like for you to keep it enabled any longer.

My system BSOD'd with Driver Verifier enabled, where can I find the crash dumps?

- If you have the system set to generate Small Memory Dumps, they will be located in %systemroot%\Minidump.

- If you have the system set to generate Kernel-Memory Dumps, it will be located in %systemroot% and labeled MEMORY.DMP.
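
Added example, not part of the original posts: a Python cross-check of the debugger output quoted in the thread. It decodes the header dwords from the `dc` dump, walks the `!pool` listing to confirm that each block's size and previous size agree, and computes where the next header should sit and which PreviousSize value it must carry. The x64 `_POOL_HEADER` field order and the 16-byte granularity are assumptions; all function names are hypothetical.

```python
import re
import struct

GRANULARITY = 0x10  # assumption: x64 pool sizes are stored in 16-byte units
# Constructed from the thread: first two dwords of `dc ffffc001a2f66b80`.
HEADER_DWORDS = (0x05090106, 0x4546744E)
# Copied from the thread's `!pool` listing.
POOL_LISTING = """
 ffffc001a2f66000 size:  510 previous size:    0  (Allocated)  Ntff
 ffffc001a2f66510 size:   b0 previous size:  510  (Allocated)  NtFs
 ffffc001a2f665c0 size:  510 previous size:   b0  (Allocated)  Ntff
 ffffc001a2f66ad0 size:   10 previous size:  510  (Free)       Free
 ffffc001a2f66ae0 size:   40 previous size:   10  (Free )  SLS
 ffffc001a2f66b20 size:   60 previous size:   40  (Free)       Free
 ffffc001a2f66b80 size:   90 previous size:   60  (Free )  NtFE
"""

LINE = re.compile(r"([0-9a-f]{16}) size:\s*([0-9a-f]+) previous size:\s*"
                  r"([0-9a-f]+)\s+\((\w+)\s*\)\s+(\S+)")

def decode_pool_header(dwords):
    """Split the first 8 bytes of an x64 _POOL_HEADER into its fields."""
    raw = struct.pack("<II", *dwords)
    return {
        "previous_size": raw[0] * GRANULARITY,
        "pool_index": raw[1],
        "block_size": raw[2] * GRANULARITY,
        "pool_type": raw[3],
        "tag": raw[4:8].decode("ascii", errors="replace"),
    }

def parse_listing(text):
    """Return (address, size, previous_size, state, tag) per !pool line."""
    return [(int(a, 16), int(s, 16), int(p, 16), st, tag)
            for a, s, p, st, tag in LINE.findall(text)]

def chain_errors(entries):
    """Report blocks whose address or previous size breaks the chain."""
    errors = []
    for prev, cur in zip(entries, entries[1:]):
        if prev[0] + prev[1] != cur[0]:
            errors.append(f"{cur[0]:x}: does not start where {prev[0]:x} ends")
        if cur[2] != prev[1]:
            errors.append(f"{cur[0]:x}: previous size {cur[2]:x} != {prev[1]:x}")
    return errors

def expected_next_header(entries):
    """Address of the header after the last block, and its required PreviousSize byte."""
    addr, size = entries[-1][0], entries[-1][1]
    return addr + size, size // GRANULARITY
```

The decoded header matches the last `!pool` line (size 90, previous size 60, tag NtFE), and the computed next header address is ffffc001a2f66c10 with a required PreviousSize of 9, the same address and value that `!pool` reports in its "Bad previous allocation size" line.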
 
