SPECIAL_POOL_DETECTED_MEMORY_CORRUPTION when system boot.

Hi All,

I’m developing a virtual disk driver to simulate disks using files.

It causes a BugCheck in XP (SP1); I got a DRIVER_CORRUPTED_EXPOOL error code when the crash happens. To catch this bug, I opened Special Pool flags with tag mask of 0x2a (monitor every pool). But I got a blue screen when the system boots, even after I’ve deleted my driver from the system! How can I deal with this situation?

Any help will be appreciated.

Yours, Bruce

It seems your driver is not the only faulty one on the system:

  • If you need to boot the system and disable DV, boot in safe mode,
    run verifier.exe, disable and reboot.
  • The faulty driver is almost certainly on the stack when this
    BugCheck occurs. And probably printed on the blue screen as well.


Kind regards, Dejan M. MVP for DDK
http://www.alfasp.com E-mail: xxxxx@alfasp.com
Alfa Transparent File Encryptor - Transparent file encryption services.
Alfa File Protector - File protection and hiding library for Win32
developers.
Alfa File Monitor - File monitoring library for Win32 developers.

Maybe there is another faulty driver. Hmm…
Now I’ve changed the special pool tag into “NT??” and got a BugCheck when my driver was working.
It told:

*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck C2, {99, fea127f0, 0, 0}

*** ERROR: Symbol file could not be found. Defaulted to export symbols for SYMEVENT.SYS -
Probably caused by : SYMEVENT.SYS ( SYMEVENT!SYMEvent_GetVMDataPtr+6834 )

Followup: MachineOwner

kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

BAD_POOL_CALLER (c2)
The current thread is making a bad pool request. Typically this is at a bad IRQL level or double freeing the same allocation, etc.
Arguments:
Arg1: 00000099, Attempt to free pool with invalid address (or corruption in pool header)
Arg2: fea127f0, Address being freed
Arg3: 00000000, 0
Arg4: 00000000, 0

Debugging Details:

BUGCHECK_STR: 0xc2_99

DEFAULT_BUCKET_ID: DRIVER_FAULT

LAST_CONTROL_TRANSFER: from 804fd977 to 804f5103

STACK_TEXT:
fa30b9dc 804fd977 000000c2 00000099 fea127f0 nt!KeBugCheckEx+0x19
fa30b9f8 805351ff fea127f0 000008b0 00000000 nt!VerifierFreeTrackedPool+0x21
fa30ba3c badeaea8 fea127f0 00000000 fa30baa0 nt!ExFreePoolWithTag+0xa7
fa30ba4c bae167e2 fea127f0 fe53d260 e122e0d0 Ntfs!NtfsFreeEresource+0x74
fa30ba70 badeab70 fe5b8dc8 fa30baa0 fa30baa5 Ntfs!NtfsDeleteFcb+0x4c
fa30bac0 bae16ac7 fe5b8dc8 fe53d100 e1259cc8 Ntfs!NtfsTeardownFromLcb+0x1ff
fa30bb18 bade5f02 fe5b8dc8 e1259d90 e1259f28 Ntfs!NtfsTeardownStructures+0x127
fa30bb44 bae068a7 fe5b8dc8 01259d90 e1259f28 Ntfs!NtfsDecrementCloseCounts+0x9c
fa30bbcc bae06715 fe5b8dc8 e1259d90 e1259cc8 Ntfs!NtfsCommonClose+0x37a
fa30bc6c 804eb221 fe53d020 fe9fb6c0 816c2f38 Ntfs!NtfsFsdClose+0x1f3
fa30bc7c bae8342d 804eb221 fe5663c0 fe9fb6c0 nt!IopfCallDriver+0x31
fa30bc80 804eb221 fe5663c0 fe9fb6c0 fa30bcc4 sr!SrPassThrough+0x2f
fa30bc90 f653afd4 fe9fb6d0 fa30bcc4 00000000 nt!IopfCallDriver+0x31
WARNING: Stack unwind information not available. Following frames may be wrong.
fa30bd28 80597675 00a321b8 fea321a0 00000000 SYMEVENT!SYMEvent_GetVMDataPtr+0x6834
fa30bd44 80517027 fea321b8 00000000 806acfac nt!ObpRemoveObjectRoutine+0xdd
fa30bd68 80501d4d 80544b78 fe9a7a60 806acfe0 nt!ObfDereferenceObject+0x5d
fa30bd8c 80503388 e1363a48 00000000 8170cbd8 nt!MiSegmentDelete+0xdb
fa30bdac 805ab2b6 00000000 00000000 00000000 nt!MiDereferenceSegmentThread+0x9c
fa30bddc 805329c6 805032ec 00000000 00000000 nt!PspSystemThreadStartup+0x34
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16

FOLLOWUP_IP:
SYMEVENT!SYMEvent_GetVMDataPtr+6834
f653afd4 894618 mov [esi+0x18],eax

SYMBOL_STACK_INDEX: d

FOLLOWUP_NAME: MachineOwner

SYMBOL_NAME: SYMEVENT!SYMEvent_GetVMDataPtr+6834

MODULE_NAME: SYMEVENT

IMAGE_NAME: SYMEVENT.SYS

DEBUG_FLR_IMAGE_TIMESTAMP: 4005f4a5

STACK_COMMAND: kb

BUCKET_ID: 0xc2_99_SYMEVENT!SYMEvent_GetVMDataPtr+6834

Followup: MachineOwner

kd> !pool fea127f0
Pool page fea127f0 region is Nonpaged pool
fea12000 size: b0 previous size: 0 (Free) File
fea120b0 size: 28 previous size: b0 (Allocated) NtFs
fea120d8 size: 98 previous size: 28 (Allocated) MmCi
fea12170 size: 40 previous size: 98 (Allocated) Ntfr
fea121b0 size: 8 previous size: 40 (Free) …
fea121b8 size: 18 previous size: 8 (Allocated) Io
fea121d0 size: 28 previous size: 18 (Allocated) NtFs
fea121f8 size: 40 previous size: 28 (Allocated) Ntfr
fea12238 size: 18 previous size: 40 (Free) File
fea12250 size: 20 previous size: 18 (Allocated) ReSe
fea12270 size: 40 previous size: 20 (Allocated) Ntfr
fea122b0 size: 98 previous size: 40 (Allocated) File (Protected)
fea12348 size: 28 previous size: 98 (Allocated) NtFs
fea12370 size: 8 previous size: 28 (Free) Ntfn
fea12378 size: 20 previous size: 8 (Allocated) VadS
fea12398 size: 40 previous size: 20 (Allocated) Ntfr
fea123d8 size: 28 previous size: 40 (Allocated) Ntfn
fea12400 size: 38 previous size: 28 (Free) …
fea12438 size: 20 previous size: 38 (Allocated) VadS
fea12458 size: 98 previous size: 20 (Free ) File (Protected)
fea124f0 size: 68 previous size: 98 (Allocated) MmCa
fea12558 size: 8 previous size: 68 (Free) IoOp
fea12560 size: 30 previous size: 8 (Allocated) Vad
fea12590 size: 30 previous size: 30 (Allocated) Vad
fea125c0 size: 8 previous size: 30 (Free) Ntfn
fea125c8 size: 38 previous size: 8 (Allocated) Sema (Protected)
fea12600 size: 40 previous size: 38 (Allocated) Ntfr
fea12640 size: 98 previous size: 40 (Allocated) File (Protected)
fea126d8 size: 8 previous size: 98 (Free) IoOp
fea126e0 size: 108 previous size: 8 (Allocated) Ifs
Bad previous allocation size @fea127e8, last size was 21

***
*** An error (or corruption) in the pool was detected;
*** Attempting to diagnose the problem.
***
*** Use !poolval fea12000 for more details.
***

Pool page [fea12000] is INVALID.

Analyzing linked list...
[fea126e0 --> fea12828 (size = 0x148 bytes)]: Corrupt region

Scanning for single bit errors...

None found

kd> !pte fea127f0
VA fea127f0
PDE at C0300FE8 PTE at C03FA848
contains 011C3163 contains 051C5163
pfn 11c3 -G-DA--KWEV pfn 51c5 -G-DA--KWEV

Does this give any prompt or direction? Who has any idea about this?
If you have experience of virtual disk driver or something alike, can you tell me your idea?



Well, it says SymEvent (Norton AV) caused it. Most probably it did (even though these errors can be masked by another driver sometimes).
For startup testing of any driver I suggest removing any software that might interfere with it.
Do vigorous testing without any 3rd party software first. Once you debug it, start adding the software (or put it back if you disabled it previously). Last, but not least, get the latest version of the 3rd party software.
This is nothing technical, just (my view of) common sense.


No, this is just the automatic triager giving the lowest driver on the
stack - NTFS - the benefit of the doubt and picking on the next lowest
driver, symevent. Putting faith in the triager to diagnose who is
responsible for pool corruption is a mistake.

The corrupted pool block was immediately after an “Ifs” tagged
allocation. That’s not a tag we use - I’d suggest picking on that. Use
gflags to set the special pool tag.


Curious… for all the times I saw this I was lucky that the driver WAS the next
one :stuck_out_tongue:
In this case it’s the only non-system driver on the stack (though the stack is
not complete).
I’d still go removing 3rd party software before the driver works properly alone.
Had his driver been on the stack a simple source trace and locals search would
reveal if it’s the culprit.


I used Norton Anti-virus just because it can read/write throughout the virtual disk automatically. The crash happens after the virtual disk has been read for some time. But I can be sure that the crash is caused by my driver (it causes crashes on other machines without Norton).

Could you please tell me how to use WinDbg to get something useful? I never see any message about my driver in the diagnosis of it. Should I do some work to add anything to it? How can I do it?

Thanks.


In File menu there is an option Source path (Ctrl+P). Specify the location of your .C sources. Your driver must be compiled with debug symbols.
Once you analyze the crash dump walk the stack (call Stack Alt+6) and analyze functions in your driver that were called. Check locals (local parameters Alt+3) for each call, as well as any buffer related to the call (IRP buffers !irp command).


You are right!! The “Ifs” tagged allocation belongs to my driver. I used ExAllocatePool to allocate memory in my driver; at the underlayer, the IFS calls ExAllocatePoolWithTag using its default tag “Ifs”.

I substituted ExAllocatePool with ExAllocatePoolWithTag and set a unique tag for every memory block I allocated. Then I caught the bug; it’s because of an over-flowing access to a memory block I allocated.

Thanks to all who have given me help and suggestions.

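Dan Lovinger's reasoning in the thread (the corrupted block sits immediately after an “Ifs” tagged allocation, so suspect the owner of that tag rather than the driver !analyze names) can be checked mechanically from the posted !pool listing and the bugcheck's Arg2. The following is an added example, not code from the thread or from any participant; find_overrun_suspect, struct finding and the 8-byte pool header size for 32-bit x86 are assumptions of this sketch.

```c
#include <stdio.h>
#include <string.h>

#define POOL_HEADER_SIZE 8UL /* assumption: 32-bit x86 pool header, as in this XP dump */

struct finding {
    char tag[5];            /* tag of the allocation that ends at the victim header */
    unsigned long block;    /* start address of that allocation */
    unsigned long bad_hdr;  /* address from "Bad previous allocation size @..." */
};

/* Sample input: the last lines of the !pool listing posted in the thread. */
static const char *POOL_LISTING =
    "fea12640 size: 98 previous size: 40 (Allocated) File (Protected)\n"
    "fea126d8 size: 8 previous size: 98 (Free) IoOp\n"
    "fea126e0 size: 108 previous size: 8 (Allocated) Ifs\n"
    "Bad previous allocation size @fea127e8, last size was 21\n";

/* Returns 1 and fills *out when a listed block ends exactly at the header of
 * the freed address, 0 when none does, and -1 when the size chain already
 * breaks between two listed blocks (the listing itself cannot be trusted). */
int find_overrun_suspect(const char *listing, unsigned long freed, struct finding *out)
{
    unsigned long victim_hdr = freed - POOL_HEADER_SIZE;
    unsigned long addr, size, prev, next_addr = 0, last_size = 0;
    int seen = 0, found = 0;
    char state[16], tag[8];

    memset(out, 0, sizeof *out);
    for (const char *p = listing; *p; ) {
        if (sscanf(p, "Bad previous allocation size @%lx", &addr) == 1) {
            out->bad_hdr = addr;                 /* where the debugger gave up */
        } else if (sscanf(p, "%lx size: %lx previous size: %lx (%15[^)]) %7s",
                          &addr, &size, &prev, state, tag) == 5) {
            if (seen && (addr != next_addr || prev != last_size))
                return -1;                       /* chain broken before the victim */
            if (addr + size == victim_hdr) {     /* block directly below the victim */
                snprintf(out->tag, sizeof out->tag, "%.4s", tag);
                out->block = addr;
                found = 1;
            }
            next_addr = addr + size;
            last_size = size;
            seen = 1;
        }
        p = strchr(p, '\n');                     /* advance to the next line */
        if (!p) break;
        p++;
    }
    return found;
}

int main(void)
{
    struct finding f;
    if (find_overrun_suspect(POOL_LISTING, 0xfea127f0UL, &f) == 1) /* Arg2 of BugCheck C2 */
        printf("suspect tag %s (block %lx), bad header %lx\n", f.tag, f.block, f.bad_hdr);
    return 0;
}
```

With the thread's values this reports the “Ifs” block at fea126e0, whose end (fea127e8) is both the header of the freed address fea127f0 and the address the debugger flagged.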