Maybe there is another faulty driver. Hmm…
Now I’ve changed the specail pool tag into “NT??” and got a BugCheck when my driver was working.
It told:
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck C2, {99, fea127f0, 0, 0}
*** ERROR: Symbol file could not be found. Defaulted to export symbols for SYMEVENT.SYS -
Probably caused by : SYMEVENT.SYS ( SYMEVENT!SYMEvent_GetVMDataPtr+6834 )
Followup: MachineOwner
kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
BAD_POOL_CALLER (c2)
The current thread is making a bad pool request. Typically this is at a bad IRQL level or double freeing the same allocation, etc.
Arguments:
Arg1: 00000099, Attempt to free pool with invalid address (or corruption in pool header)
Arg2: fea127f0, Address being freed
Arg3: 00000000, 0
Arg4: 00000000, 0
Debugging Details:
BUGCHECK_STR: 0xc2_99
DEFAULT_BUCKET_ID: DRIVER_FAULT
LAST_CONTROL_TRANSFER: from 804fd977 to 804f5103
STACK_TEXT:
fa30b9dc 804fd977 000000c2 00000099 fea127f0 nt!KeBugCheckEx+0x19
fa30b9f8 805351ff fea127f0 000008b0 00000000 nt!VerifierFreeTrackedPool+0x21
fa30ba3c badeaea8 fea127f0 00000000 fa30baa0 nt!ExFreePoolWithTag+0xa7
fa30ba4c bae167e2 fea127f0 fe53d260 e122e0d0 Ntfs!NtfsFreeEresource+0x74
fa30ba70 badeab70 fe5b8dc8 fa30baa0 fa30baa5 Ntfs!NtfsDeleteFcb+0x4c
fa30bac0 bae16ac7 fe5b8dc8 fe53d100 e1259cc8 Ntfs!NtfsTeardownFromLcb+0x1ff
fa30bb18 bade5f02 fe5b8dc8 e1259d90 e1259f28 Ntfs!NtfsTeardownStructures+0x127
fa30bb44 bae068a7 fe5b8dc8 01259d90 e1259f28 Ntfs!NtfsDecrementCloseCounts+0x9c
fa30bbcc bae06715 fe5b8dc8 e1259d90 e1259cc8 Ntfs!NtfsCommonClose+0x37a
fa30bc6c 804eb221 fe53d020 fe9fb6c0 816c2f38 Ntfs!NtfsFsdClose+0x1f3
fa30bc7c bae8342d 804eb221 fe5663c0 fe9fb6c0 nt!IopfCallDriver+0x31
fa30bc80 804eb221 fe5663c0 fe9fb6c0 fa30bcc4 sr!SrPassThrough+0x2f
fa30bc90 f653afd4 fe9fb6d0 fa30bcc4 00000000 nt!IopfCallDriver+0x31
WARNING: Stack unwind information not available. Following frames may be wrong.
fa30bd28 80597675 00a321b8 fea321a0 00000000 SYMEVENT!SYMEvent_GetVMDataPtr+0x6834
fa30bd44 80517027 fea321b8 00000000 806acfac nt!ObpRemoveObjectRoutine+0xdd
fa30bd68 80501d4d 80544b78 fe9a7a60 806acfe0 nt!ObfDereferenceObject+0x5d
fa30bd8c 80503388 e1363a48 00000000 8170cbd8 nt!MiSegmentDelete+0xdb
fa30bdac 805ab2b6 00000000 00000000 00000000 nt!MiDereferenceSegmentThread+0x9c
fa30bddc 805329c6 805032ec 00000000 00000000 nt!PspSystemThreadStartup+0x34
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16
FOLLOWUP_IP:
SYMEVENT!SYMEvent_GetVMDataPtr+6834
f653afd4 894618 mov [esi+0x18],eax
SYMBOL_STACK_INDEX: d
FOLLOWUP_NAME: MachineOwner
SYMBOL_NAME: SYMEVENT!SYMEvent_GetVMDataPtr+6834
MODULE_NAME: SYMEVENT
IMAGE_NAME: SYMEVENT.SYS
DEBUG_FLR_IMAGE_TIMESTAMP: 4005f4a5
STACK_COMMAND: kb
BUCKET_ID: 0xc2_99_SYMEVENT!SYMEvent_GetVMDataPtr+6834
Followup: MachineOwner
kd> !pool fea127f0
Pool page fea127f0 region is Nonpaged pool
fea12000 size: b0 previous size: 0 (Free) File
fea120b0 size: 28 previous size: b0 (Allocated) NtFs
fea120d8 size: 98 previous size: 28 (Allocated) MmCi
fea12170 size: 40 previous size: 98 (Allocated) Ntfr
fea121b0 size: 8 previous size: 40 (Free) …
fea121b8 size: 18 previous size: 8 (Allocated) Io
fea121d0 size: 28 previous size: 18 (Allocated) NtFs
fea121f8 size: 40 previous size: 28 (Allocated) Ntfr
fea12238 size: 18 previous size: 40 (Free) File
fea12250 size: 20 previous size: 18 (Allocated) ReSe
fea12270 size: 40 previous size: 20 (Allocated) Ntfr
fea122b0 size: 98 previous size: 40 (Allocated) File (Protected)
fea12348 size: 28 previous size: 98 (Allocated) NtFs
fea12370 size: 8 previous size: 28 (Free) Ntfn
fea12378 size: 20 previous size: 8 (Allocated) VadS
fea12398 size: 40 previous size: 20 (Allocated) Ntfr
fea123d8 size: 28 previous size: 40 (Allocated) Ntfn
fea12400 size: 38 previous size: 28 (Free) …
fea12438 size: 20 previous size: 38 (Allocated) VadS
fea12458 size: 98 previous size: 20 (Free ) File (Protected)
fea124f0 size: 68 previous size: 98 (Allocated) MmCa
fea12558 size: 8 previous size: 68 (Free) IoOp
fea12560 size: 30 previous size: 8 (Allocated) Vad
fea12590 size: 30 previous size: 30 (Allocated) Vad
fea125c0 size: 8 previous size: 30 (Free) Ntfn
fea125c8 size: 38 previous size: 8 (Allocated) Sema (Protected)
fea12600 size: 40 previous size: 38 (Allocated) Ntfr
fea12640 size: 98 previous size: 40 (Allocated) File (Protected)
fea126d8 size: 8 previous size: 98 (Free) IoOp
fea126e0 size: 108 previous size: 8 (Allocated) Ifs
Bad previous allocation size @fea127e8, last size was 21
***
*** An error (or corruption) in the pool was detected;
*** Attempting to diagnose the problem.
***
*** Use !poolval fea12000 for more details.
***
Pool page [fea12000] is INVALID.
Analyzing linked list…
[fea126e0 –> fea12828 (size = 0x148 bytes)]: Corrupt region
Scanning for single bit errors…
None found
kd> !pte fea127f0
VA fea127f0
PDE at C0300FE8 PTE at C03FA848
contains 011C3163 contains 051C5163
pfn 11c3 -G-DA–KWEV pfn 51c5 -G-DA–KWEV
Does this give any prompt or direction? Who has any idea about this?
If you have experience of virtual disk driver or something alike, can you tell me your idea?
----- Original Message -----
From: “Dejan Maksimovic”
To: “Windows File Systems Devs Interest List”
Sent: Monday, September 06, 2004 5:08 PM
Subject: Re: [ntfsd] SPECIAL_POOL_DETECTED_MEMORY_CORRUPTION when system boot.
>
> It seems your driver is not the only faulty one on the system:
> - If you need to boot the system and disable DV, boot in safe mode,
> run verifier.exe, disable and reboot.
> - The faulty driver is almost certainly on the stack when this
> BugCheck occurs. And probably printed on the blue screen as well.
>
> –
> Kind regards, Dejan M. MVP for DDK
> http://www.alfasp.com E-mail: xxxxx@alfasp.com
> Alfa Transparent File Encryptor - Transparent file encryption services.
> Alfa File Protector - File protection and hiding library for Win32
> developers.
> Alfa File Monitor - File monitoring library for Win32 developers.
>
>
>
> —
> Questions? First check the IFS FAQ at https://www.osronline.com/article.cfm?id=17
>
> You are currently subscribed to ntfsd as: xxxxx@vip.sina.com
> To unsubscribe send a blank email to xxxxx@lists.osr.com
>
>