We are receiving a blue screen and having to reboot the server periodically;
I have run a debug on the memory dump, but cannot ascertain the root of the
problem.
Could someone take a look and provide some more insight?


Microsoft (R) Windows Debugger Version 6.9.0003.113 X86
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [C:\WINDOWS\MEMORY.DMP]
Kernel Summary Dump File: Only kernel address space is available

Symbol search path is:
SRV*c:\websymbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows Server 2003 Kernel Version 3790 (Service Pack 2) MP (8 procs) Free x86 compatible
Product: LanManNt, suite: SmallBusiness TerminalServer SmallBusinessRestricted SingleUserTS
Built by: 3790.srv03_sp2_gdr.070304-2240
Kernel base = 0x80800000 PsLoadedModuleList = 0x808a6ea8
Debug session time: Wed May 7 23:00:35.312 2008 (GMT-4)
System Uptime: 1 days 14:14:54.843
Loading Kernel Symbols
....................................................................................................................
Loading User Symbols
PEB is paged out (Peb.Ldr = 7ffd700c). Type ".hh dbgerr001" for details
Loading unloaded module list
..
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck C5, {0, d0000002, 1, 808921dd}

Page 12ba89 not present in the dump file. Type ".hh dbgerr004" for details
Page 12bcba not present in the dump file. Type ".hh dbgerr004" for details
PEB is paged out (Peb.Ldr = 7ffd700c). Type ".hh dbgerr001" for details
PEB is paged out (Peb.Ldr = 7ffd700c). Type ".hh dbgerr001" for details
Probably caused by : Pool_Corruption ( nt!ExDeferredFreePool+1d7 )

Followup: Pool_corruption
---------

3: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

DRIVER_CORRUPTED_EXPOOL (c5)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is
caused by drivers that have corrupted the system pool. Run the driver
verifier against any new (or suspect) drivers, and if that doesn't turn up
the culprit, then use gflags to enable special pool.
Arguments:
Arg1: 00000000, memory referenced
Arg2: d0000002, IRQL
Arg3: 00000001, value 0 = read operation, 1 = write operation
Arg4: 808921dd, address which referenced memory

Debugging Details:
------------------

Page 12ba89 not present in the dump file. Type ".hh dbgerr004" for details
Page 12bcba not present in the dump file. Type ".hh dbgerr004" for details
PEB is paged out (Peb.Ldr = 7ffd700c). Type ".hh dbgerr001" for details
PEB is paged out (Peb.Ldr = 7ffd700c). Type ".hh dbgerr001" for details

BUGCHECK_STR: 0xC5_D0000002

CURRENT_IRQL: 2

FAULTING_IP:
nt!ExDeferredFreePool+1d7
808921dd 8937 mov dword ptr [edi],esi

DEFAULT_BUCKET_ID: DRIVER_FAULT

PROCESS_NAME: vssvc.exe

IRP_ADDRESS: 88bbce00

TRAP_FRAME: b9368804 -- (.trap 0xffffffffb9368804)
ErrCode = 00000002
eax=8b459db0 ebx=00000000 ecx=000001ff edx=8b459c88 esi=8b434ee0 edi=00000000
eip=808921dd esp=b9368878 ebp=b93688b0 iopl=0 nv up ei ng nz ac pe cy
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010297
nt!ExDeferredFreePool+0x1d7:
808921dd 8937 mov dword ptr [edi],esi ds:0023:00000000=????????
Resetting default scope

LAST_CONTROL_TRANSFER: from 808921dd to 8088c963

STACK_TEXT:
b9368804 808921dd badb0d00 8b459c88 b936883c nt!KiTrap0E+0x2a7
b93688b0 808928c3 808aeae0 00000000 88bbce00 nt!ExDeferredFreePool+0x1d7
b9368908 8081c3e3 88bbce00 00000000 8b23fcb8 nt!ExFreePoolWithTag+0x57f
b9368924 80821957 88bbce00 88bbce40 88db2ae0 nt!IopFreeIrp+0xe9
b9368974 8082dfc3 88bbce40 b93689c0 b93689b4 nt!IopCompleteRequest+0x3db
b93689c4 80a5c199 00000000 00000000 00000000 nt!KiDeliverApc+0xbb
b93689e4 80a5c3d9 88db2b01 00000000 00000000 hal!HalpDispatchSoftwareInterrupt+0x49
b9368a00 80a5c456 00000001 88db2b00 b9368a2c hal!HalpCheckForSoftwareInterrupt+0x81
b9368a10 8083129e 88db2ae0 88bbce40 808b43c0 hal!KfLowerIrql+0x62
b9368a2c 8082ab7b 88bbce40 88bbce00 00000000 nt!KiExitDispatcher+0x130
b9368a4c 8081e237 88bbce40 8b23fcb8 00000000 nt!KeInsertQueueApc+0x57
b9368a80 80982ed1 00000001 b9368b88 809830d1 nt!IopfCompleteRequest+0x201
b9368a8c 809830d1 8901e700 8b5a0230 88ac6000 nt!WmipCompleteGuidIrpWithError+0x2d
b9368b88 809810fc 88ac6000 b9368bd8 88249780 nt!WmipReceiveNotifications+0x193
b9368c3c 8081df65 8b5a0230 88249780 88bbce10 nt!WmipIoControl+0x5e8
b9368c50 808f5437 88249958 8b23fcb8 88249780 nt!IofCallDriver+0x45
b9368c64 808f61bf 8b5a0230 88249780 8b23fcb8 nt!IopSynchronousServiceTail+0x10b
b9368d00 808eed08 00000060 00000078 00000000 nt!IopXxxControlFile+0x5e5
b9368d34 8088978c 00000060 00000078 00000000 nt!NtDeviceIoControlFile+0x2a
b9368d34 7c8285ec 00000060 00000078 00000000 nt!KiFastCallEntry+0xfc
WARNING: Frame IP not in any known module. Following frames may be wrong.
0073fef4 00000000 00000000 00000000 00000000 0x7c8285ec


STACK_COMMAND: kb

FOLLOWUP_IP:
nt!ExDeferredFreePool+1d7
808921dd 8937 mov dword ptr [edi],esi

SYMBOL_STACK_INDEX: 1

SYMBOL_NAME: nt!ExDeferredFreePool+1d7

FOLLOWUP_NAME: Pool_corruption

IMAGE_NAME: Pool_Corruption

DEBUG_FLR_IMAGE_TIMESTAMP: 0

MODULE_NAME: Pool_Corruption

FAILURE_BUCKET_ID: 0xC5_D0000002_nt!ExDeferredFreePool+1d7

BUCKET_ID: 0xC5_D0000002_nt!ExDeferredFreePool+1d7

Followup: Pool_corruption
---------

3: kd> .trap 0xffffffffb9368804
ErrCode = 00000002
eax=8b459db0 ebx=00000000 ecx=000001ff edx=8b459c88 esi=8b434ee0 edi=00000000
eip=808921dd esp=b9368878 ebp=b93688b0 iopl=0 nv up ei ng nz ac pe cy
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010297
nt!ExDeferredFreePool+0x1d7:
808921dd 8937 mov dword ptr [edi],esi ds:0023:00000000=????????
3: kd> lmvm Pool_Corruption
start end module name
3: kd> lmvm Pool_Corruption
start end module name
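
An added example, not part of the original post and not WinDbg functionality: a small Python triage of the `!analyze -v` text above, showing why the debugger names only `Pool_Corruption`. Every resolved frame belongs to `nt` or `hal` and the fault sits inside the pool free path, so the stack records where the corruption was detected, not which driver caused it. The function names and the `OS_MODULES` set are assumptions of this example.

```python
import re
from collections import Counter

# Constructed sample: lines taken from the post's !analyze -v output. A few
# frames are wrapped across two lines, as news clients often leave them, to
# exercise the rejoin logic in parse_stack().
SAMPLE = """\
BugCheck C5, {0, d0000002, 1, 808921dd}
STACK_TEXT:
b9368804 808921dd badb0d00 8b459c88 b936883c nt!KiTrap0E+0x2a7
b93688b0 808928c3 808aeae0 00000000 88bbce00 nt!ExDeferredFreePool+0x1d7
b9368908 8081c3e3 88bbce00 00000000 8b23fcb8 nt!ExFreePoolWithTag+0x57f
b9368924 80821957 88bbce00 88bbce40 88db2ae0 nt!IopFreeIrp+0xe9
b9368974 8082dfc3 88bbce40 b93689c0 b93689b4 nt!IopCompleteRequest+0x3db
b93689c4 80a5c199 00000000 00000000 00000000 nt!KiDeliverApc+0xbb
b93689e4 80a5c3d9 88db2b01 00000000 00000000
hal!HalpDispatchSoftwareInterrupt+0x49
b9368a00 80a5c456 00000001 88db2b00 b9368a2c
hal!HalpCheckForSoftwareInterrupt+0x81
b9368a10 8083129e 88db2ae0 88bbce40 808b43c0 hal!KfLowerIrql+0x62
b9368a2c 8082ab7b 88bbce40 88bbce00 00000000 nt!KiExitDispatcher+0x130
b9368a4c 8081e237 88bbce40 8b23fcb8 00000000 nt!KeInsertQueueApc+0x57
b9368a80 80982ed1 00000001 b9368b88 809830d1 nt!IopfCompleteRequest+0x201
b9368a8c 809830d1 8901e700 8b5a0230 88ac6000
nt!WmipCompleteGuidIrpWithError+0x2d
b9368b88 809810fc 88ac6000 b9368bd8 88249780 nt!WmipReceiveNotifications+0x193
b9368c3c 8081df65 8b5a0230 88249780 88bbce10 nt!WmipIoControl+0x5e8
b9368c50 808f5437 88249958 8b23fcb8 88249780 nt!IofCallDriver+0x45
b9368c64 808f61bf 8b5a0230 88249780 8b23fcb8
nt!IopSynchronousServiceTail+0x10b
b9368d00 808eed08 00000060 00000078 00000000 nt!IopXxxControlFile+0x5e5
b9368d34 8088978c 00000060 00000078 00000000 nt!NtDeviceIoControlFile+0x2a
b9368d34 7c8285ec 00000060 00000078 00000000 nt!KiFastCallEntry+0xfc
WARNING: Frame IP not in any known module. Following frames may be wrong.
0073fef4 00000000 00000000 00000000 00000000 0x7c8285ec
"""

# Five 8-digit hex columns (ChildEBP, RetAddr, three args) followed by a symbol.
FRAME = re.compile(r"^(?:[0-9a-f]{8}\s+){5}(\S+)$")
# The same five columns with the symbol wrapped onto the next line.
HEX5 = re.compile(r"^[0-9a-f]{8}(?:\s+[0-9a-f]{8}){4}$")
# Modules that belong to the OS itself in this stack: kernel image and HAL.
OS_MODULES = {"nt", "hal"}
# Pool free routines seen in the post; a fault here is detection, not cause.
FREE_PATH = {"ExFreePoolWithTag", "ExDeferredFreePool"}


def parse_bugcheck(text):
    """Return (code, [arg1..arg4]) from the 'BugCheck XX, {...}' line."""
    m = re.search(r"BugCheck ([0-9A-Fa-f]+), \{([^}]*)\}", text)
    if not m:
        raise ValueError("no BugCheck line found")
    return int(m.group(1), 16), [int(a.strip(), 16) for a in m.group(2).split(",")]


def parse_stack(text):
    """Return [(module, function)] per frame; module is None if unresolved."""
    frames, carry = [], None
    for raw in text.splitlines():
        line = raw.strip()
        # A symbol-only line completes the hex-only line that preceded it.
        if carry and not HEX5.match(line) and not FRAME.match(line):
            line = carry + " " + line
        carry = None
        if HEX5.match(line):
            carry = line
            continue
        m = FRAME.match(line)
        if m:
            sym = m.group(1)
            if "!" in sym:
                module, rest = sym.split("!", 1)
                frames.append((module, rest.split("+")[0]))
            else:
                frames.append((None, sym))  # raw address, no module matched
    return frames


def triage(text):
    """Summarise the bugcheck and say whether any non-OS driver is on the stack."""
    code, args = parse_bugcheck(text)
    frames = parse_stack(text)
    modules = Counter(mod for mod, _ in frames if mod)
    return {
        "bugcheck": code,
        "referenced": args[0],  # Arg1: memory referenced
        "operation": "write" if args[2] == 1 else "read",  # Arg3 per the post
        "faulting_ip": args[3],  # Arg4: address which referenced memory
        "modules": dict(modules),
        "third_party": sorted(set(modules) - OS_MODULES),
        "unresolved": [fn for mod, fn in frames if mod is None],
        "detected_in_free_path": any(fn in FREE_PATH for _, fn in frames),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

An empty `third_party` list together with `detected_in_free_path` being true is the case the bugcheck text describes: the dump cannot name the driver, so Driver Verifier or special pool is needed to catch the corrupting write when it happens.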

Re: SBS Blue Screen by Cliff

Cliff
Thu May 08 16:58:58 PDT 2008

I saw this in the log you posted:

DRIVER_CORRUPTED_EXPOOL (c5)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is
caused by drivers that have corrupted the system pool. Run the driver
verifier against any new (or suspect) drivers, and if that doesn't turn up
the culprit, then use gflags to enable special pool.


Looks straightforward to me. You've got a misbehaving driver. Usually the
most common drivers that will actually bluescreen a server are video,
network, or RAID. You could start there.

-Cliff

Re: SBS Blue Screen by Duncan

Duncan
Thu May 08 17:05:39 PDT 2008

Have you run the driver verifier? (if not, when you do, select just some
drivers to test at one time - for me, it crashes every single time if
you select all drivers to test at once)

Have you added any new hardware lately? - if so, the obvious culprit.

--
Duncan



RE: SBS Blue Screen by Ken

Ken
Fri May 09 05:49:00 PDT 2008

Thanks for the replies ..
I would absolutely agree about a driver, and I would have gone directly
after a driver for some new hardware added, however ...
There has not been any added hardware or changes to the system since its
rollout.
It's been running without this issue for about 2 months now ... this issue
has just started in the last 2 weeks or so.
That's why I'm a bit baffled as to the culprit.
Automatic updates are off.
I thought to post the debug to see if anyone sees something I'm missing,
because it's not giving a clear indication of what driver (if indeed a
driver) is the cause.
The only other thing I saw was the vssvc.exe, which is shadow copy.
Any insights there?
Thanks again

Re: SBS Blue Screen by Cliff

Cliff
Fri May 09 09:59:37 PDT 2008

Even though automatic updates are off, have you applied any manual updates
lately? If not, then I'd say you have a failing piece of hardware, but the
driver failing to properly communicate with it is just a symptom.

If you can't think of what might've changed, probably the easiest to
troubleshoot is the NIC. Disable the one you have (if it is onboard) or
remove it, and add in a different NIC and make sure to install the latest
drivers. See if that fixes the issue. NICs are cheap, easy to install,
and are prone to failure...so it could be a magic bullet.

-Cliff
>> nt!IopSynchronousServiceTail+0x10b
>> b9368d00 808eed08 00000060 00000078 00000000 nt!IopXxxControlFile+0x5e5
>> b9368d34 8088978c 00000060 00000078 00000000
>> nt!NtDeviceIoControlFile+0x2a
>> b9368d34 7c8285ec 00000060 00000078 00000000 nt!KiFastCallEntry+0xfc
>> WARNING: Frame IP not in any known module. Following frames may be wrong.
>> 0073fef4 00000000 00000000 00000000 00000000 0x7c8285ec
>>
>>
>> STACK_COMMAND: kb
>>
>> FOLLOWUP_IP:
>> nt!ExDeferredFreePool+1d7
>> 808921dd 8937 mov dword ptr [edi],esi
>>
>> SYMBOL_STACK_INDEX: 1
>>
>> SYMBOL_NAME: nt!ExDeferredFreePool+1d7
>>
>> FOLLOWUP_NAME: Pool_corruption
>>
>> IMAGE_NAME: Pool_Corruption
>>
>> DEBUG_FLR_IMAGE_TIMESTAMP: 0
>>
>> MODULE_NAME: Pool_Corruption
>>
>> FAILURE_BUCKET_ID: 0xC5_D0000002_nt!ExDeferredFreePool+1d7
>>
>> BUCKET_ID: 0xC5_D0000002_nt!ExDeferredFreePool+1d7
>>
>> Followup: Pool_corruption
>> ---------
>>
>> 3: kd> .trap 0xffffffffb9368804
>> ErrCode = 00000002
>> eax=8b459db0 ebx=00000000 ecx=000001ff edx=8b459c88 esi=8b434ee0
>> edi=00000000
>> eip=808921dd esp=b9368878 ebp=b93688b0 iopl=0 nv up ei ng nz ac
>> pe cy
>> cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000
>> efl=00010297
>> nt!ExDeferredFreePool+0x1d7:
>> 808921dd 8937 mov dword ptr [edi],esi
>> ds:0023:00000000=????????
>> 3: kd> lmvm Pool_Corruption
>> start end module name
>> 3: kd> lmvm Pool_Corruption
>> start end module name
>>

RE: SBS Blue Screen by Duncan

Duncan
Fri May 09 18:09:11 PDT 2008

I'd go with what Cliff's saying. And add...

And if it's not the NIC(s) - then you're prolly going to have to bring
the server down for some further h/w testing. Change everything you can,
or take out what can be taken out, hopefully you'll find the offending
h/w. If you're down to a different vid card and one stick of RAM and
it's still doing it, you've got problems.

--
Duncan

In article <484E0016-36D2-479B-BD6C-E04EFD6FBFCB@microsoft.com>,
Ken@discussions.microsoft.com says...
> Thanks for the replies ..
> I would absolutely agree about a driver, and I would have gone directly
> after a driver for some new hardware added, however ...
> There has not been any added hardware or changes to the system since its
> rollout.
> It's been running without this issue for about 2 months now ... this issue
> has just started in the last 2 weeks or so.
> That's why I'm a bit baffled as to the culprit.
> Automatic updates are off.
> I thought to post the debug to see if anyone sees something I'm missing,
> because it's not giving a clear indication of what driver (if indeed a
> driver) is the cause.
> The only other thing I saw was the vssvc.exe, which is shadow copy.
> Any insights there?
> Thanks again
>
> "Ken" wrote:
>
> > We are receiving a blue screen and having to reboot the server periodically;
> > I have run a debug on the memory dump, but cannot ascertain the root of the
> > problem.
> > Could someone take a look and provide some more insight?