
Bad_Pool_Header



Hi

 

I have an issue with bad_pool_headers which only occurs when browsing the internet and MalwareBytes is installed (latest version). I will say that I've used MalwareBytes for years without issue (I think it started after upgrading to Windows 10). It's not the RAM as this has passed 10 full cycles of MemTest without error. The SSD health is also reporting as fine.

 

I can replicate the BIOS error fairly easily with MalwareBytes installed, all I need to do is make a request of the browser to open a lot of tabs and it'll happen most of the time. Uninstall MalwareBytes and I can no longer replicate the issue. Obviously this isn't ideal as I've come to trust MalwareBytes.

 

Bluescreen viewer shows tcpip.sys / Ntoskrnl.exe as the issue, of which it'll not be Ntoskrnl, and tcpip has been updated to the latest driver version from MSI; I also tried it with the latest Intel direct driver... same crash. Again, uninstalling MalwareBytes stops the issue.

 

I tried WinDbg, but couldn't get the symbols to register... so I can't feed any information in from that.

 

Any advice? 

 

System Questions

· OS - Windows 10, 8.1, 8, 7, Vista? Windows 10
· x86 (32-bit) or x64? 64bit
· What was original installed OS on system? Clean install
· Is the OS an OEM version (came pre-installed on system) or full retail version (YOU purchased it from retailer)? Full retail
· Age of system (hardware) 1 Year
· Age of OS installation - have you re-installed the OS? Since Windows 10 came out, then reinstalled 2 weeks ago - same issues.
· CPU i7-5820k
· Video Card NVidia GTX970
· MotherBoard - (if NOT a laptop) MSI SLI X99S Plus
· Power Supply - brand & wattage (skip if laptop) Corsair 850w
· System Manufacturer Custom build
· Exact model number (if laptop, check label on bottom)
· Laptop or Desktop? Desktop

SysnativeFileCollectionApp.zip

Prefmon.rar


Let's look at this scenario:

- a misbehaving program writes to memory space owned by another (innocent) program.

- the misbehaving program exits, leaving no trace of its operation

- the other (innocent) program accesses the memory space that was overwritten and finds unexpected data

- the other (innocent) program panics and spits out a blue screen error.

- as there is no other program present, the reports have nothing else to blame except for the other (innocent) program

 

Unfortunately, this sort of error is difficult to find.  You can do it with live debugging, but we can't do that here (and, to have it done professionally would be very, very expensive).

Driver Verifier may help us to locate it - but more on that later....

FWIW - you're not the only person experiencing this - and we have yet to determine the source of this problem (if it's only 1 thing causing it - it could be even more things).  But BSODs are actually pretty rare - so it's not easy to gather info on them.

 

Did this problem occur before you updated to the Windows 10 Fall Update (aka Threshold 2, TH2, build 10586)?

 

FYI - did you set your symbols in the debugger?  If not, have a look at Step E here:  http://www.carrona.org/dbgrpt.html

 

On to the analysis...........

 

Be sure that you have ALL available Windows Updates.  This is especially critical when starting with a major upgrade (such as TH2).

 

The WER section of MSINFO32 shows several BSOD errors blaming fwpkclnt.sys.  This is an IPSEC driver that Windows uses in its networking sub-system.

As is true with ntoskrnl.exe and tcpip.sys - it's unlikely that Windows drivers are to blame.  There are many protection mechanisms built in to protect these drivers - and should they become corrupted anyway, you'd be experiencing many more problems other than just the occasional BSOD.

 

The memory dumps all blame tcpip.sys

 

Notice the "Process name" entry - each of them points directly to mbamservice.ex

When analyzing BSODs, these entries aren't usually significant.

But when they repeat in every BSOD, they start to worry us.

 

Beyond that, we can work over the list of drivers present in the memory dump (to see if any of them are involved).

But what if the initial scenario that I posted is happening?  Then the driver won't even be present in the memory dump.

 

So, let's see if we can force the system to give up the name of another driver that might be to blame.

To do this, please run Driver Verifier according to these instructions:  http://www.carrona.org/verifier.html

 

 

 

Analysis:
The following is for informational purposes only.
**************************Mon Nov 16 15:05:55.765 2015 (UTC - 5:00)**************************
Loading Dump File [C:\Users\John\SysnativeBSODApps\111615-7156-01.dmp]
Windows 10 Kernel Version 10586 MP (12 procs) Free x64
Built by: 10586.3.amd64fre.th2_release_sec.151104-1948
System Uptime:0 days 0:05:12.426
*** WARNING: Unable to verify timestamp for tcpip.sys
*** ERROR: Module load completed but symbols could not be loaded for tcpip.sys
Probably caused by :tcpip.sys ( tcpip+150ed2 )
BugCheck 19, {20, ffffe0003600f190, ffffe0003600f1b0, 4020019}
BugCheck Info: BAD_POOL_HEADER (19)
Arguments:
Arg1: 0000000000000020, a pool block header size is corrupt.
Arg2: ffffe0003600f190, The pool entry we were looking for within the page.
Arg3: ffffe0003600f1b0, The next pool entry.
Arg4: 0000000004020019, (reserved)
BUGCHECK_STR:  0x19_20
PROCESS_NAME:  mbamservice.ex
FAILURE_BUCKET_ID: 0x19_20_tcpip!Unknown_Function
CPUID:        "Intel® Core i7-5820K CPU @ 3.30GHz"
MaxSpeed:     3300
CurrentSpeed: 3300
  BIOS Version                  1.80
  BIOS Release Date             03/20/2015
  Manufacturer                  MSI
  Product Name                  MS-7885
  Baseboard Product             X99S SLI PLUS (MS-7885)
¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨``
**************************Mon Nov 16 14:59:47.431 2015 (UTC - 5:00)**************************
Loading Dump File [C:\Users\John\SysnativeBSODApps\111615-7375-01.dmp]
Windows 10 Kernel Version 10586 MP (12 procs) Free x64
Built by: 10586.3.amd64fre.th2_release_sec.151104-1948
System Uptime:0 days 0:03:13.092
*** WARNING: Unable to verify timestamp for tcpip.sys
*** ERROR: Module load completed but symbols could not be loaded for tcpip.sys
Probably caused by :tcpip.sys ( tcpip+150ed2 )
BugCheck 19, {20, ffffe00125f3f420, ffffe00125f3f440, 4020005}
BugCheck Info: BAD_POOL_HEADER (19)
Arguments:
Arg1: 0000000000000020, a pool block header size is corrupt.
Arg2: ffffe00125f3f420, The pool entry we were looking for within the page.
Arg3: ffffe00125f3f440, The next pool entry.
Arg4: 0000000004020005, (reserved)
BUGCHECK_STR:  0x19_20
PROCESS_NAME:  mbamservice.ex
FAILURE_BUCKET_ID: 0x19_20_tcpip!Unknown_Function
CPUID:        "Intel® Core i7-5820K CPU @ 3.30GHz"
MaxSpeed:     3300
CurrentSpeed: 3300
  BIOS Version                  1.80
  BIOS Release Date             03/20/2015
  Manufacturer                  MSI
  Product Name                  MS-7885
  Baseboard Product             X99S SLI PLUS (MS-7885)
¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨``
**************************Mon Nov 16 14:55:50.543 2015 (UTC - 5:00)**************************
Loading Dump File [C:\Users\John\SysnativeBSODApps\111615-6921-01.dmp]
Windows 10 Kernel Version 10586 MP (12 procs) Free x64
Built by: 10586.3.amd64fre.th2_release_sec.151104-1948
System Uptime:0 days 21:20:06.204
*** WARNING: Unable to verify timestamp for tcpip.sys
*** ERROR: Module load completed but symbols could not be loaded for tcpip.sys
Probably caused by :tcpip.sys ( tcpip+150ed2 )
BugCheck 19, {20, ffffe00138d311e0, ffffe00138d31200, 4020005}
BugCheck Info: BAD_POOL_HEADER (19)
Arguments:
Arg1: 0000000000000020, a pool block header size is corrupt.
Arg2: ffffe00138d311e0, The pool entry we were looking for within the page.
Arg3: ffffe00138d31200, The next pool entry.
Arg4: 0000000004020005, (reserved)
BUGCHECK_STR:  0x19_20
PROCESS_NAME:  mbamservice.ex
FAILURE_BUCKET_ID: 0x19_20_tcpip!Unknown_Function
CPUID:        "Intel® Core i7-5820K CPU @ 3.30GHz"
MaxSpeed:     3300
CurrentSpeed: 3300
  BIOS Version                  1.80
  BIOS Release Date             03/20/2015
  Manufacturer                  MSI
  Product Name                  MS-7885
  Baseboard Product             X99S SLI PLUS (MS-7885)
¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨``


3rd Party Drivers:
The following is for information purposes only.
**************************Mon Nov 16 15:05:55.765 2015 (UTC - 5:00)**************************
SnakeEyes.sys               Wed Sep  5 01:31:26 2012 (5046E3AE)
bdvedisk.sys                Thu Sep 27 09:37:29 2012 (50645699)
bdfwfpf.sys                 Wed Oct 17 08:12:10 2012 (507EA09A)
semav6msr64.sys             Fri Jan 24 14:22:40 2014 (52E2BD80)
mwac.sys                    Tue Jun 17 22:07:00 2014 (53A0F444)
eudskacs.sys                Sun Dec 14 11:46:29 2014 (548DBEE5)
eubakup.sys                 Sun Dec 14 11:46:37 2014 (548DBEED)
EUBKMON.sys                 Sun Dec 14 11:46:59 2014 (548DBF03)
EuFdDisk.sys                Sun Dec 14 11:47:07 2014 (548DBF0B)
XtuAcpiDriver.sys           Thu Feb 26 07:51:57 2015 (54EF16ED)
gzflt.sys                   Wed Apr 29 07:32:17 2015 (5540C141)
MBAMSwissArmy.sys           Wed Jul 29 00:26:01 2015 (55B855D9)
nvvad64v.sys                Mon Aug 10 03:51:42 2015 (55C8580E)
mbam.sys                    Tue Aug 11 13:35:19 2015 (55CA3257)
e1d65x64.sys                Thu Aug 13 05:14:29 2015 (55CC5FF5)
avchv.sys                   Mon Aug 31 10:23:38 2015 (55E4636A)
TeeDriverW8x64.sys          Mon Aug 31 15:49:07 2015 (55E4AFB3)
asmtxhci.sys                Thu Sep 10 05:38:13 2015 (55F14F85)
asmthub3.sys                Thu Sep 10 05:38:17 2015 (55F14F89)
NvStreamKms.sys             Fri Sep 18 01:02:24 2015 (55FB9AE0)
nvhda64v.sys                Mon Sep 21 05:44:17 2015 (55FFD171)
RTKVHD64.sys                Wed Sep 30 06:28:14 2015 (560BB93E)
ignis.sys                   Tue Oct 20 06:08:29 2015 (5626129D)
intelppm.sys                Thu Oct 29 22:09:51 2015 (5632D16F)
xusb22.sys                  Thu Oct 29 22:41:10 2015 (5632D8C6)
nvlddmkm.sys                Thu Nov  5 09:35:23 2015 (563B692B)
¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨``
**************************Mon Nov 16 14:55:50.543 2015 (UTC - 5:00)**************************
cpuz137_x64.sys             Mon Aug 11 09:27:34 2014 (53E8C4C6)
http://www.carrona.org/drivers/driver.php?id=SnakeEyes.sys
http://www.carrona.org/drivers/driver.php?id=bdvedisk.sys
http://www.carrona.org/drivers/driver.php?id=bdfwfpf.sys
semav6msr64.sys - this driver hasn't been added to the DRT as of this run. Please search Google/Bing for the driver if additional information is needed.
http://www.carrona.org/drivers/driver.php?id=mwac.sys
http://www.carrona.org/drivers/driver.php?id=eudskacs.sys
http://www.carrona.org/drivers/driver.php?id=eubakup.sys
http://www.carrona.org/drivers/driver.php?id=EUBKMON.sys
http://www.carrona.org/drivers/driver.php?id=EuFdDisk.sys
XtuAcpiDriver.sys - this driver hasn't been added to the DRT as of this run. Please search Google/Bing for the driver if additional information is needed.
http://www.carrona.org/drivers/driver.php?id=gzflt.sys
http://www.carrona.org/drivers/driver.php?id=MBAMSwissArmy.sys
http://www.carrona.org/drivers/driver.php?id=nvvad64v.sys
http://www.carrona.org/drivers/driver.php?id=mbam.sys
e1d65x64.sys - this driver hasn't been added to the DRT as of this run. Please search Google/Bing for the driver if additional information is needed.
http://www.carrona.org/drivers/driver.php?id=avchv.sys
http://www.carrona.org/drivers/driver.php?id=TeeDriverW8x64.sys
http://www.carrona.org/drivers/driver.php?id=asmtxhci.sys
http://www.carrona.org/drivers/driver.php?id=asmthub3.sys
http://www.carrona.org/drivers/driver.php?id=NvStreamKms.sys
http://www.carrona.org/drivers/driver.php?id=nvhda64v.sys
http://www.carrona.org/drivers/driver.php?id=RTKVHD64.sys
ignis.sys - this driver hasn't been added to the DRT as of this run. Please search Google/Bing for the driver if additional information is needed.
http://www.carrona.org/drivers/driver.php?id=intelppm.sys
http://www.carrona.org/drivers/driver.php?id=xusb22.sys
http://www.carrona.org/drivers/driver.php?id=nvlddmkm.sys
http://www.carrona.org/drivers/driver.php?id=cpuz137_x64.sys
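The two checks the reply above walks through by eye (does the same PROCESS_NAME recur in every dump, and which third-party drivers in the memory dump are old enough to predate the OS) can be done mechanically. The Python below is an added example, not code from this thread or from the Sysnative/carrona tooling that produced the output above. Its sample input is a trimmed copy of the dump summaries and driver list printed in the post; the function names and the 2015 cutoff year are my own choices, and the build year is taken from the hexadecimal epoch timestamp that the driver list prints in parentheses.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed sample input: the three dump summaries from the post above, trimmed
# to the lines this parser reads (values copied from the post). Raw string so the
# backslashes in the dump paths survive.
DUMP_TEXT = r"""
**************************Mon Nov 16 15:05:55.765 2015 (UTC - 5:00)**************************
Loading Dump File [C:\Users\John\SysnativeBSODApps\111615-7156-01.dmp]
Probably caused by :tcpip.sys ( tcpip+150ed2 )
BugCheck 19, {20, ffffe0003600f190, ffffe0003600f1b0, 4020019}
PROCESS_NAME:  mbamservice.ex
**************************Mon Nov 16 14:59:47.431 2015 (UTC - 5:00)**************************
Loading Dump File [C:\Users\John\SysnativeBSODApps\111615-7375-01.dmp]
Probably caused by :tcpip.sys ( tcpip+150ed2 )
BugCheck 19, {20, ffffe00125f3f420, ffffe00125f3f440, 4020005}
PROCESS_NAME:  mbamservice.ex
**************************Mon Nov 16 14:55:50.543 2015 (UTC - 5:00)**************************
Loading Dump File [C:\Users\John\SysnativeBSODApps\111615-6921-01.dmp]
Probably caused by :tcpip.sys ( tcpip+150ed2 )
BugCheck 19, {20, ffffe00138d311e0, ffffe00138d31200, 4020005}
PROCESS_NAME:  mbamservice.ex
"""

# Constructed sample input: a subset of the "3rd Party Drivers" list from the post.
DRIVER_TEXT = """\
SnakeEyes.sys               Wed Sep  5 01:31:26 2012 (5046E3AE)
bdvedisk.sys                Thu Sep 27 09:37:29 2012 (50645699)
bdfwfpf.sys                 Wed Oct 17 08:12:10 2012 (507EA09A)
mwac.sys                    Tue Jun 17 22:07:00 2014 (53A0F444)
MBAMSwissArmy.sys           Wed Jul 29 00:26:01 2015 (55B855D9)
mbam.sys                    Tue Aug 11 13:35:19 2015 (55CA3257)
avchv.sys                   Mon Aug 31 10:23:38 2015 (55E4636A)
"""

# A line of asterisks with the dump's date separates one summary from the next.
SEPARATOR = re.compile(r"^\*{10,}.*$", re.M)


def parse_dumps(text):
    """One record per dump summary: file, blamed module, bugcheck code/args, process."""
    records = []
    for block in SEPARATOR.split(text):
        if "Loading Dump File" not in block:
            continue
        m_file = re.search(r"Loading Dump File \[(.+?)\]", block)
        m_cause = re.search(r"Probably caused by :\s*(\S+)", block)
        m_bc = re.search(r"BugCheck ([0-9A-Fa-f]+), \{([^}]*)\}", block)
        m_proc = re.search(r"PROCESS_NAME:\s+(\S+)", block)
        records.append({
            "file": m_file.group(1),
            "cause": m_cause.group(1),
            "code": int(m_bc.group(1), 16),
            "args": [int(a, 16) for a in m_bc.group(2).split(",")],
            "process": m_proc.group(1),
        })
    return records


def bugcheck_buckets(records):
    """Distinct (bugcheck code, first argument) pairs, e.g. {(0x19, 0x20)}."""
    return {(r["code"], r["args"][0]) for r in records}


def process_in_every_dump(records):
    """PROCESS_NAME shared by all dumps, or None. One appearance is noise;
    the same name in every dump is the pattern worth following up."""
    counts = Counter(r["process"] for r in records)
    for name, n in counts.items():
        if n == len(records):
            return name
    return None


def parse_driver_list(text):
    """Rows of name, printed date, and build year decoded from the hex epoch timestamp."""
    rows = []
    for line in text.splitlines():
        m = re.match(r"(\S+\.sys)\s+(.+?)\s+\(([0-9A-Fa-f]{8})\)\s*$", line)
        if m:
            year = datetime.fromtimestamp(int(m.group(3), 16), tz=timezone.utc).year
            rows.append({"name": m.group(1), "date": m.group(2), "year": year})
    return rows


def stale_drivers(rows, cutoff_year):
    """Names of drivers built before cutoff_year, in the order listed."""
    return [r["name"] for r in rows if r["year"] < cutoff_year]


if __name__ == "__main__":
    dumps = parse_dumps(DUMP_TEXT)
    print("bugcheck buckets:", bugcheck_buckets(dumps))
    print("process in every dump:", process_in_every_dump(dumps))
    print("drivers built before 2015:", stale_drivers(parse_driver_list(DRIVER_TEXT), 2015))
```

On the thread's data this reports a single bucket (0x19, 0x20), mbamservice.ex as the process in all three dumps, and four drivers (two of them the BitDefender bdvedisk.sys and bdfwfpf.sys from 2012) built before Windows 10 shipped, which lines up with the reply's point that a driver not named in the dump can still be the one worth running Driver Verifier against.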
 


Hi

 

Thanks for the info. Symbols were pointed to in the debugger, but I was obviously missing something but thanks for link, I’ll have a look at this.

 

I’ve managed to find out that the issue only happens when both MalwareBytes and BitDefender are running. Uninstalling either MalwareBytes or BitDefender stops the issue, but running both generates the BAD POOL HEADER when opening many browser tabs (Firefox in this case). As stated this only started under Windows 10, but I’ve been running a MalwareBytes/BitDefender simultaneous install for around 5 years now without issue... until now.

 

Funnily enough a Windows Driver Verifier session states that “DRIVER VERIFIER DETECTED VIOLATION (avc3.sys)”, which is part of BitDefender. This crash happens while the machine is starting.

 

I’ve added to a post on their forum, it’ll be interesting to see what they come back with (I’m post #5):

http://forum.bitdefender.com/index.php?showtopic=60108&st=0&gopid=246784entry246784

 

Any suggestions are gratefully received.

 

Again, thanks for your help.


Mmmm... I'm running BitDefender Total Security 2016, but according to the MalwareBytes website they've only tested 2015 AV products for compatibility. Looks like they haven't gotten around to testing 2016 products yet; this might simply be a compatibility issue that's not been recognised yet?

 

https://www.malwarebytes.org/pdf/reviews/AVTestingReport.pdf


I really don't know as I'm not involved in malware/anti-malware development.

I'd either turn off the MalwareBytes Pro version (that'll shut off the memory resident component) or I'd remove BitDefender.

You can run MalwareBytes scans on demand - and this'll avoid the BSODs for now.

Then, once BitDefender 2016 is certified, you can go back to your usual setup.


I've switched off the Malicious Website Protection for now, which seems to have stabilised things.

 

Hopefully MalwareBytes will patch for BitDefender 2016 (and potentially other 2016 products) at some point in the near future.

 

For info, I've had no reply from BitDefender regarding the “DRIVER VERIFIER DETECTED VIOLATION (avc3.sys)”, which is poor show.

 

Thanks for your help.


I'm glad to hear that you stabilized things.

It depends on what the issue is. I'm certain that both MalwareBytes and BitDefender have people working on this.

BUT, it's not all that easy, nor is it cheap to do. Redesigning a driver is an expensive proposition, and it's even more difficult if the cause for the crashes isn't pinned down exactly.

