Continuous BSODs after clean installs

Well, I got three BSODs yesterday.
Another one returned this:
"Probably caused by : ntkrpamp.exe ( nt!NtFreeVirtualMemory+5d9c )"

and when I typed .bugcheck:
"Bugcheck code 000000C1
Arguments b5e28da8 00000000 00000258 00000022"
 


Is this before or after you updated/removed the McAfee AV package?

If you've updated it, try removing it. If you haven't updated it yet, that should be the first thing you try.

Enabling special pool has a way of revealing pool corruption bugs in drivers which may have otherwise gone unnoticed or just silently corrupted your data (nasty). Obviously, you do have a pool corruption problem - your original BSOD 0x50 - so enabling special pool is warranted, but in the meantime you may actually see more BSODs, not less, because of the guard pages now separating each pool allocation. (Ordinarily there's nothing in between two adjacent pool regions and over/underruns simply corrupt another bit of pool.)

There's still the chance that it might be hardware though, in which case all bets are off. Let's first see where the special pool adventure takes us :)
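
The guard-page effect described in the post above, as a user-mode analogue in C for a POSIX system. This is an added example, not code from the thread or from Windows; `packed_overrun`, `guarded_alloc`, `guarded_overrun` and the 256-byte slot size are names and values assumed for the demonstration.

```c
#define _DEFAULT_SOURCE
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/wait.h>
#include <unistd.h>

#define SLOT 256 /* constructed slot size for the packed layout */

/* Packed layout: two allocations back to back, as in ordinary pool.
 * Returns 1 if writing `count` bytes into the first silently changed the
 * second, 0 if the neighbour is intact, -1 on bad input. */
int packed_overrun(size_t count)
{
    static uint8_t arena[2 * SLOT];
    if (count > sizeof arena) return -1;
    memset(arena, 0, sizeof arena);
    memset(arena, 0xAA, count);            /* the buggy writer */
    for (size_t i = SLOT; i < 2 * SLOT; i++)
        if (arena[i]) return 1;            /* neighbour damaged, no fault */
    return 0;
}

/* Guarded layout: the buffer ends flush against a PROT_NONE page. */
static uint8_t *guarded_alloc(size_t size)
{
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    if (size == 0 || size > page) return NULL;
    uint8_t *base = mmap(NULL, 2 * page, PROT_READ | PROT_WRITE,
                         MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (base == MAP_FAILED) return NULL;
    if (mprotect(base + page, page, PROT_NONE) != 0) return NULL;
    return base + page - size;
}

/* Runs the write in a child so the fault can be observed. Returns 1 if the
 * child was killed by a memory fault, 0 if it finished, -1 on error. */
int guarded_overrun(size_t size, size_t count)
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        volatile uint8_t *buf = guarded_alloc(size);
        if (!buf) _exit(2);
        for (size_t i = 0; i < count; i++) buf[i] = 0xAA;
        _exit(0);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) != pid) return -1;
    if (WIFSIGNALED(status))
        return (WTERMSIG(status) == SIGSEGV || WTERMSIG(status) == SIGBUS) ? 1 : -1;
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : -1;
}

int main(void)
{
    printf("packed, 1 byte over:  corrupts neighbour = %d\n", packed_overrun(SLOT + 1));
    printf("guarded, 1 byte over: faults at write    = %d\n", guarded_overrun(SLOT, SLOT + 1));
    return 0;
}
```

The same one-byte overrun goes unnoticed in the packed layout and stops the writer at the faulting instruction in the guarded one, which is why crashes become more frequent once guard pages are in place.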
 


Here's the next one:
"
Microsoft (R) Windows Debugger Version 6.11.0001.404 X86
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [C:\Windows\Minidump\Mini041709-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: SRV*C:\SymCache*Symbol information
Executable search path is:
*** ERROR: Symbol file could not be found. Defaulted to export symbols for ntkrpamp.exe -
Windows Server 2008/Windows Vista Kernel Version 6001 (Service Pack 1) MP (2 procs) Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS Personal
Built by: 6001.18226.x86fre.vistasp1_gdr.090302-1506
Machine Name:
Kernel base = 0x81c0b000 PsLoadedModuleList = 0x81d22c70
Debug session time: Fri Apr 17 16:20:29.028 2009 (GMT-7)
System Uptime: 0 days 0:18:08.863
*** ERROR: Symbol file could not be found. Defaulted to export symbols for ntkrpamp.exe -
Loading Kernel Symbols
...............................................................
................................................................
.................
Loading User Symbols
Loading unloaded module list
...
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck C1, {b937cf08, 0, f8, 22}

***** Kernel symbols are WRONG. Please fix symbols to do analysis.

*************************************************************************
*** ***
*** ***
*** Your debugger is not using the correct symbols ***
*** ***
*** In order for this command to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: nt!_KPRCB ***
*** ***
*************************************************************************
Probably caused by : win32k.sys ( win32k!xxxMsgWaitForMultipleObjects+cb )

Followup: MachineOwner
---------

1: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

SPECIAL_POOL_DETECTED_MEMORY_CORRUPTION (c1)
Special pool has detected memory corruption. Typically the current thread's
stack backtrace will reveal the guilty party.
Arguments:
Arg1: b937cf08, address trying to free
Arg2: 00000000, bytes requested
Arg3: 000000f8, bytes calculated
Arg4: 00000022, caller is trying to free a bad address

Debugging Details:
------------------

***** Kernel symbols are WRONG. Please fix symbols to do analysis.

*************************************************************************
*** ***
*** ***
*** Your debugger is not using the correct symbols ***
*** ***
*** In order for this command to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: nt!_KPRCB ***
*** ***
*************************************************************************

ADDITIONAL_DEBUG_TEXT:
Use '!findthebuild' command to search for the target build information.
If the build information is available, run '!findthebuild -s ; .reload' to set symbol path and load symbols.

MODULE_NAME: win32k

FAULTING_MODULE: 81c0b000 nt

DEBUG_FLR_IMAGE_TIMESTAMP: 498f9e9d

BUGCHECK_STR: 0xC1_22

SPECIAL_POOL_CORRUPTION_TYPE: 22

CUSTOMER_CRASH_COUNT: 1

DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT

CURRENT_IRQL: 0

LAST_CONTROL_TRANSFER: from 81ca2a53 to 81cd80e3

STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
8701f9f4 81ca2a53 000000c1 b937cf08 00000000 nt!KeBugCheckEx+0x1e
8701faec 81cf8f78 b937cf08 00000000 9617fbd8 nt!NtFreeVirtualMemory+0x5d9c
8701fb50 81c4c9b8 b937cf08 00000000 e24a4936 nt!ExFreePoolWithTag+0xeb
8701fb9c 81c4d04e 9617fc18 8701fbc8 8701fbd4 nt!ObDereferenceObjectDeferDelete+0x11f
8701fbf4 81cc2322 00000000 00000000 00000000 nt!KiDeliverApc+0xce
8701fc44 81cbf32f b5256d78 81cbedef fe4bae90 nt!KeInsertQueueDpc+0x670
8701fc98 9b92ee62 00000002 b4c54ff8 00000001 nt!KeWaitForMultipleObjects+0x540
8701fcf0 9b8bf1c8 00000001 b4c54ff8 9b8cfa7a win32k!xxxMsgWaitForMultipleObjects+0xcb
8701fd34 9b8bee28 b4c54ff8 00000001 9ba93260 win32k!xxxDesktopThread+0x1a8
8701fd48 9b981ff2 00000004 00f8fe08 8701fd64 win32k!xxxCreateSystemThreads+0x54
8701fd58 81c62a1a 00000004 00f8fe48 77029a94 win32k!NtUserCallNoParam+0x1b
8701fd64 77029a94 badb0d00 00f8fe04 00000000 nt!ZwQueryLicenseValue+0xbd2
8701fd68 badb0d00 00f8fe04 00000000 00000000 0x77029a94
8701fd6c 00f8fe04 00000000 00000000 00000000 0xbadb0d00
8701fd70 00000000 00000000 00000000 00000000 0xf8fe04


STACK_COMMAND: kb

FOLLOWUP_IP:
win32k!xxxMsgWaitForMultipleObjects+cb
9b92ee62 8945e4 mov dword ptr [ebp-1Ch],eax

SYMBOL_STACK_INDEX: 7

SYMBOL_NAME: win32k!xxxMsgWaitForMultipleObjects+cb

FOLLOWUP_NAME: MachineOwner

IMAGE_NAME: win32k.sys

BUCKET_ID: WRONG_SYMBOLS

Followup: MachineOwner
---------
"
 


and another:
"MODULE_NAME: nt

FAULTING_MODULE: 81c36000 nt

DEBUG_FLR_IMAGE_TIMESTAMP: 49ac8fb4

BUGCHECK_STR: 0xC1_22

SPECIAL_POOL_CORRUPTION_TYPE: 22

CUSTOMER_CRASH_COUNT: 2

DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT

CURRENT_IRQL: 0

LAST_CONTROL_TRANSFER: from 81ccda53 to 81d030e3

STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
c308982c 81ccda53 000000c1 b82eca00 00000000 nt!KeBugCheckEx+0x1e
c3089924 81d23f78 b82eca00 00000000 00000000 nt!NtFreeVirtualMemory+0x5d9c
c3089988 81e4f020 b82eca00 00000000 c3ac3744 nt!ExFreePoolWithTag+0xeb
c3089bfc 81e4ed13 00000040 00000001 00000000 nt!CcPreparePinWrite+0x21dd
c3089d48 81c8da1a 00000040 002f7250 00000001 nt!CcPreparePinWrite+0x1ed0
c3089d64 77d99a94 badb0d00 02dffe7c 00000000 nt!ZwQueryLicenseValue+0xbd2
c3089d68 badb0d00 02dffe7c 00000000 00000000 0x77d99a94
c3089d6c 02dffe7c 00000000 00000000 00000000 0xbadb0d00
c3089d70 00000000 00000000 00000000 00000000 0x2dffe7c


STACK_COMMAND: kb

FOLLOWUP_IP:
nt!NtFreeVirtualMemory+5d9c
81ccda53 cc int 3

SYMBOL_STACK_INDEX: 1

SYMBOL_NAME: nt!NtFreeVirtualMemory+5d9c

FOLLOWUP_NAME: MachineOwner

IMAGE_NAME: ntkrpamp.exe

BUCKET_ID: WRONG_SYMBOLS
"
 


Your symbols are detected as wrong for some reason, and without access to the minidump it's difficult to try to understand that stack.

Now that special pool has pinpointed McAfee as possibly being a pool corruptor and you've removed that package, the fact that further pool damage is being detected is worrying because it may mean bad hardware after all.

Interestingly, the path to this particular crash was through ZwQueryLicenseValue and then the licensing portions of the registry. This software is all legal, right? I'm not accusing you or anything, but there's no kernel-mode trickery going on to try to defeat the licensing subsystem on your machine, right?
 


Well, unfortunately that's against the forum rules and it makes it impossible for me to continue with this other than to suggest that the pool damage could theoretically be due to some licensing circumvention mechanism. Also, you should not run under "special pool" once this is over (it uses more memory). Switch it off by removing those registry keys or by running VERIFIER /RESET (that should remove the keys). Good luck with it.
 


So you can't help me even though I removed those programs?

I'm neither moderator nor the internet police. However, when I notice activity which possibly stems from a code-level attempt to defeat licensing, I do not feel obliged to continue to assist, especially given it is against the forum rules.

Anyway, you've got all the tools now to continue with this yourself. If the BSoD says "pool corruption", enable special pool, wait for another crash, inspect the dump, remove any pinpointed 3rd-party driver, rinse and repeat.

If special pool keeps reporting errors in OS binaries, it may be a hardware issue.
 


I've gotten two more crashes from ntkrpamp.exe.
If it's a hardware issue, is there any way to find out what hardware it's from?

No. Minidumps are a summary of the immediate software conditions surrounding a crash. In >99% of cases, including yours, there's no deterministic way to tell from a minidump which specific piece of hardware may be responsible for a breakdown in software operation.
 


So what do I do, then?

1) Stay away from warez.
2) Continue to experiment with special pool until you're sure that the "pool corruption" crashes are all supposedly caused by OS drivers.
3) At that point, reinstall the OS from scratch in an attempt to blow away all potential software issues. Use it for several days with no updates - completely cut off from the network. If it still crashes the same way...
4) Take it back to the shop if it's under warranty. If not, and you want to experiment with hardware troubleshooting yourself, pull out everything non-essential, reseat the RAM, reconnect all connectors, see if you can borrow equivalent components to use for testing...
 
