nt!ExFreePoolWithTag problem

Hi,

In my MiniFilter, I am tracking Rename & Delete operations for Ms-Office
files.
While doing aggressive saves on .doc files, my system crashed.
The crash dump shows “Probably caused by : ntoskrnl.exe ( nt!ExFreePoolWithTag+2be )”.
Any suggestions will be helpful.

*** WARNING: Unable to verify timestamp for ntoskrnl.exe
Windows XP Kernel Version 2600 (Service Pack 2) UP Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055ab20
Debug session time: Mon Jul 3 22:04:53.156 2006 (GMT+6)
System Uptime: 0 days 0:01:53.728
Unable to load image ntoskrnl.exe, Win32 error 2
*** WARNING: Unable to verify timestamp for ntoskrnl.exe
Loading Kernel Symbols

Loading User Symbols
Loading unloaded module list

*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 19, {20, e25ff808, e25ffcb8, f8969c0c}

Unable to load image Ntfs.sys, Win32 error 2
*** WARNING: Unable to verify timestamp for Ntfs.sys
GetUlongFromAddress: unable to read from 80563070
Probably caused by : ntoskrnl.exe ( nt!ExFreePoolWithTag+2be )

Followup: MachineOwner

kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

BAD_POOL_HEADER (19)
The pool is already corrupt at the time of the current request.
This may or may not be due to the caller.
The internal pool links must be walked to figure out a possible cause of
the problem, and then special pool applied to the suspect tags or the driver
verifier to a suspect driver.
Arguments:
Arg1: 00000020, a pool block header size is corrupt.
Arg2: e25ff808, The pool entry we were looking for within the page.
Arg3: e25ffcb8, The next pool entry.
Arg4: f8969c0c, (reserved)

Debugging Details:

GetUlongFromAddress: unable to read from 80563070

BUGCHECK_STR: 0x19_20

POOL_ADDRESS: e25ff808

DEFAULT_BUCKET_ID: DRIVER_FAULT

LAST_CONTROL_TRANSFER: from 8054be41 to 805339ae

STACK_TEXT:
f8971af8 8054be41 00000019 00000020 e25ff808 nt!KeBugCheckEx+0x1b
f8971b48 8054b7b9 e25ff810 00000000 f8971b64 nt!ExFreePoolWithTag+0x2be
f8971b58 f83b2764 e25ff810 f8971b8c f83e35f4 nt!ExFreePool+0xf
f8971b64 f83e35f4 f83cfb20 e25ff810 823bb260 Ntfs!ExFreeToPagedLookasideList+0x1e
f8971b8c f83b657a 82104008 f8971bb4 f8971bbf Ntfs!NtfsDeleteFcb+0x205
f8971bd8 f83d7d00 82104008 823bb100 e25ff810 Ntfs!NtfsTeardownFromLcb+0x1fd
f8971c30 f83b2759 82104008 e25ff8d8 00000000 Ntfs!NtfsTeardownStructures+0x125
f8971c5c f83d56eb 82104008 015ff8d8 00000000 Ntfs!NtfsDecrementCloseCounts+0x9e
f8971ce0 f83dde13 82104008 e25ff8d8 e25ff810 Ntfs!NtfsCommonClose+0x397
f8971d74 804e47fe 00000000 00000000 823b5b30 Ntfs!NtfsFspClose+0xe3
f8971dac 8057dfed 00000000 00000000 00000000 nt!ExpWorkerThread+0x100
f8971ddc 804fa477 804e4729 00000000 00000000 nt!PspSystemThreadStartup+0x34
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16

STACK_COMMAND: kb

FOLLOWUP_IP:
nt!ExFreePoolWithTag+2be
8054be41 ?? ???

FAULTING_SOURCE_CODE:

SYMBOL_STACK_INDEX: 1

FOLLOWUP_NAME: MachineOwner

SYMBOL_NAME: nt!ExFreePoolWithTag+2be

MODULE_NAME: nt

IMAGE_NAME: ntoskrnl.exe

DEBUG_FLR_IMAGE_TIMESTAMP: 41108004

FAILURE_BUCKET_ID: 0x19_20_nt!ExFreePoolWithTag+2be

BUCKET_ID: 0x19_20_nt!ExFreePoolWithTag+2be
Followup: MachineOwner

Regards
Murali

Have you run your driver under full driver verifier (consider special pool)
yet? For pool corruption, this usually helps track down the original
culprit much faster.

Thanks for your help. As you suggested, I found the problem using driver
verifier.
When I try to access FLT_RELATED_OBJECTS in the PreRename callback operation,
pool corruption occurs.

Regards
Murali

On 7/4/06, Skywing wrote:
>
> Have you run your driver under full driver verifier (consider special pool)
> yet? For pool corruption, this usually helps track down the original
> culprit much faster.
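
Added example, not code from this thread or from Windows: a user-mode C model of the check behind BAD_POOL_HEADER and of the "walk the internal pool links" step the bugcheck text describes. The header layout, block sizes and function names are assumptions made for illustration. It shows why the free that trips the check (here, the block at offset 80) can belong to a caller that never wrote out of bounds, which is the situation in the stack above where Ntfs frees its own allocation.

```c
#include <stdint.h>
#include <string.h>

/* Simplified pool-block header (a model, not the real nt layout);
   sizes are in 8-byte units and include the header itself. */
typedef struct { uint16_t prev_size, block_size; char tag[4]; } pool_hdr;
#define UNIT 8u

static uint8_t page[4096];
static uint32_t used;            /* bytes of the page covered by blocks */

/* Constructed page: four blocks with 40-, 24-, 200- and 64-byte bodies; the
   owner of block 1 (offset 48) then writes `extra` bytes past its body. */
static void build_page(uint32_t extra) {
    static const uint16_t req[] = { 40, 24, 200, 64 };
    pool_hdr h = { 0, 0, "Blk" };
    memset(page, 0, sizeof page);
    used = 0;
    for (int i = 0; i < 4; i++) {
        h.block_size = (uint16_t)((sizeof h + req[i] + UNIT - 1) / UNIT);
        memcpy(page + used, &h, sizeof h);
        used += h.block_size * UNIT;
        h.prev_size = h.block_size;
    }
    memset(page + 48 + sizeof h, 0x41, 24 + extra);
}

/* Free-time check on the entry at off: its size must stay inside the page and
   the next entry must record the same size. Returns 1 when the header is bad. */
static int bad_header(uint32_t off) {
    pool_hdr cur, nxt;
    memcpy(&cur, page + off, sizeof cur);
    uint32_t next = off + cur.block_size * UNIT;
    if (cur.block_size == 0 || next > used) return 1;
    if (next == used) return 0;  /* last block in the page */
    memcpy(&nxt, page + next, sizeof nxt);
    return nxt.prev_size != cur.block_size;
}

/* Walk the links from the page start: offset of the first bad entry, or -1. */
static long walk_page(void) {
    pool_hdr cur = { 0, 0, "" };
    for (uint32_t off = 0; off < used; off += cur.block_size * UNIT) {
        if (bad_header(off)) return (long)off;
        memcpy(&cur, page + off, sizeof cur);
    }
    return -1;
}

int main(void) { build_page(4); return walk_page() == 48 ? 0 : 1; }
```

In this model the walk stops at offset 48, the block just before the damaged header, which points at the overrunning owner; special pool, as suggested in the reply, catches the same write at the moment it happens rather than at a later free.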