BSOD, bad pool caller

saphire 199

Ok, I have a dual boot system, Vista/XP using Easy BCD. Been using this for about a month, no new programs, normal updates. In other words, I didn't make any major changes. Things seemed to be fine, then I started getting a BSOD with error bad pool caller. This happens sometimes, not all the time, I notice it most when I first turn on the computer and a couple of times when I went to shut it down. I can't get into the minidump file, I get an 8070005 error (permission stuff, looks like) when I try to open the file so that I could attach it. I do have the details of the error message itself here:

Problem signature:
Problem Event Name: BlueScreen
OS Version: 6.0.6000.2.0.0.768.3
Locale ID: 1033
Additional information about the problem:
BCCode: c2
BCP1: 00000007
BCP2: 0000113D
BCP3: 900008C2
BCP4: 824B0978
OS Version: 6_0_6000
Service Pack: 0_0
Product: 768_1
Files that help describe the problem:
C:\Windows\Minidump\Mini053008-01.dmp
C:\Users\Brian\AppData\Local\Temp\WER-152818-0.sysdata.xml
C:\Users\Brian\AppData\Local\Temp\WER3699.tmp.version.txt

I'd like to get this resolved if I could. (Also, as an aside, I don't have SP1, doesn't show up in my auto updates but I am assuming would be a good idea to clear up this BSOD thing before I try to figure out the SP1 issue.)

Thanks,

Saphire 199
 
Thanks for reply.

Well, that's a problem as when I try to send it as an attachment, I don't have permission. How do you open a file/folder as administrator? I tried to change permissions on Security tab but won't let me. Is there a command prompt that will do this as I know how to get into DOS as Administrator? If I try to send as email, won't I have the same problem?

Saphire 199
 
Mak, that was great! I notice once you handle the ownership issue you can change permissions. That was a big help as I've run into this before. OK, now the only problem is the file type (.dmp) is not one of the accepted types for attachments. So I just copied it here. Hope this helps.

Saphire 199
Analysis Summary

Type: Warning
Description: DebugDiag failed to locate the PEB (Process Environment Block) in Mini053008-01.dmp, and as a result, debug analysis for this dump may be incomplete or inaccurate.
Recommendation: It is recommended that you get another dump of the target process when the issue occurs to ensure accurate data is reported

Analysis Details

Report for Mini053008-01.dmp

Type of Analysis Performed: Hang Analysis
Machine Name:
Operating System: Windows Vista
Number Of Processors:
Process ID: 455792
Process Image: ntkrpamp.exe
System Up-Time: 00:03:10
Process Up-Time: 00:00:00

Top 5 Threads by CPU time

Note - Times include both user mode and kernel mode for each thread
Extended thread information (including thread CPU times) is unavailable in this dump



Script Summary

Script Name: CrashHangAnalysis.asp
Status: Failed
Error Code: 0x80010105
Error Source:
Error Description:
Source Line: Line 9186, Column 3
 
Yeah, this is another learning experience. I didn't think of that. Here is the attached zip file.
 

Attachments: Mini053008-01.zip (26.4 KB)
saphire:

Your problem is caused by Lavasoft Ad-Watch and their real-time monitoring drivers which have an invalid memory reference in them somewhere.

Uninstall Ad-Watch (w/ Windows Vista's "Windows Defender" you don't need a 3rd party adware monitoring program anyway) and that should take care of the problem.

Full log:
Code:
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

BAD_POOL_CALLER (c2)
The current thread is making a bad pool request.  Typically this is at a bad IRQL level or double freeing the same allocation, etc.
Arguments:
Arg1: 00000007, Attempt to free pool which was already freed
Arg2: 0000113d, (reserved)
Arg3: 900008c2, Memory contents of the pool block
Arg4: 824b0978, Address of the block of pool being deallocated

Debugging Details:
------------------

GetPointerFromAddress: unable to read from 825315ac
Unable to read MiSystemVaType memory at 825117e0



POOL_ADDRESS: GetPointerFromAddress: unable to read from 825315ac
Unable to read MiSystemVaType memory at 825117e0
 824b0978 

BUGCHECK_STR:  0xc2_7

CUSTOMER_CRASH_COUNT:  1

DEFAULT_BUCKET_ID:  VISTA_DRIVER_FAULT

LAST_CONTROL_TRANSFER:  from 824e7ce8 to 824d8681

STACK_TEXT:  
b53ab6bc 824e7ce8 000000c2 00000007 0000113d nt!KeBugCheckEx+0x1e
b53ab730 824acc25 824b0978 00000000 ba586780 nt!ExFreePoolWithTag+0x17f
b53ab760 a5a1c7ca 84f5d690 84fff468 b53ab8d4 nt!IopfCompleteRequest+0x227
WARNING: Stack unwind information not available. Following frames may be wrong.
b53ab770 82625101 00000914 00001634 00000001 AWRTPD+0x7ca
b53ab8d4 82622c86 84fff468 b53ab90c b53aba1c nt!PspInsertThread+0x56e
b53abd30 8248caaa 025ef69c 025ef680 02000000 nt!NtCreateUserProcess+0x6df
b53abd30 77800f34 025ef69c 025ef680 02000000 nt!KiFastCallEntry+0x12a
025ef958 00000000 00000000 00000000 00000000 0x77800f34


STACK_COMMAND:  kb

FOLLOWUP_IP: 
AWRTPD+7ca
a5a1c7ca ??              ???

SYMBOL_STACK_INDEX:  3

SYMBOL_NAME:  AWRTPD+7ca

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: AWRTPD

IMAGE_NAME:  AWRTPD.sys

DEBUG_FLR_IMAGE_TIMESTAMP:  4664104f

FAILURE_BUCKET_ID:  0xc2_7_AWRTPD+7ca

BUCKET_ID:  0xc2_7_AWRTPD+7ca

Followup: MachineOwner
 
Mahmoud, what application do you use to open the minidumps? I tried notepad and notepad++ but neither worked. :S
 
The dumps are binary dumps of the Windows memory at the time of the application crash, not text.

You have to open them with a debugger and analyze the symbols. The best tool for the job is WinDBG.
 
Yeah, I hope so too! OK, now I only have two questions :smile: 1. From the log file above, how did you get that it was the lavasoft program, or is it that the debug program has additional data not posted?
2. Now about the Vista SP1 - since this is not coming up on my updates, should I just install it, do I need it? I read the articles on installing and the fact that it does not show up on my auto updates is not covered by any of the scenarios MS gives, so I'm wondering what gives.

Saphire 199
 
1. Look for this line: IMAGE_NAME: AWRTPD.sys. That tells you what application caused this error. A quick Google search shows that it is related to Ad Watch.

AWRTPD.SYS driver information from Lavasoft AB

That is why the dump is more important. It can give you the info you need. The other info you gave did not give us that info.

2. This situation is covered by Microsoft. The thing is you have a driver conflict and that is why it is not showing up for you. I know I posted that article somewhere on this forum...

http://support.microsoft.com/?kbid=948343

There it is. Check thru that and you should see it show up on your Windows Update.
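
The reading described in point 1 above, as an added example (not part of the original posts and not any debugger's own code): a small Python parser that pulls the bugcheck code, its arguments, the IMAGE_NAME line and the module of each stack frame out of pasted analysis text. The sample is an excerpt of the log posted in this thread; the `triage` function and the `KERNEL` module set are assumptions of this example.

```python
import re
# Excerpt of the bugcheck analysis log posted earlier in this thread.
SAMPLE = """\
BAD_POOL_CALLER (c2)
Arg1: 00000007, Attempt to free pool which was already freed
Arg2: 0000113d, (reserved)
Arg3: 900008c2, Memory contents of the pool block
Arg4: 824b0978, Address of the block of pool being deallocated

STACK_TEXT:
b53ab6bc 824e7ce8 000000c2 00000007 0000113d nt!KeBugCheckEx+0x1e
b53ab730 824acc25 824b0978 00000000 ba586780 nt!ExFreePoolWithTag+0x17f
b53ab760 a5a1c7ca 84f5d690 84fff468 b53ab8d4 nt!IopfCompleteRequest+0x227
WARNING: Stack unwind information not available. Following frames may be wrong.
b53ab770 82625101 00000914 00001634 00000001 AWRTPD+0x7ca
b53ab8d4 82622c86 84fff468 b53ab90c b53aba1c nt!PspInsertThread+0x56e

IMAGE_NAME:  AWRTPD.sys
"""

KERNEL = {"nt", "hal"}  # modules treated as OS core (assumption of this example)
FRAME = re.compile(r"^(?:[0-9a-f]{8} ){5}(\S+)$", re.I)  # five hex columns, then symbol

def triage(text):
    """Summarise a bugcheck analysis: code, arguments, blamed image, stack modules."""
    out = {"args": {}, "modules": [], "unreliable_from": None}
    m = re.search(r"^(\w+) \(([0-9a-f]+)\)$", text, re.M | re.I)
    if m:
        out["name"], out["code"] = m.group(1), int(m.group(2), 16)
    for n, val, desc in re.findall(r"^Arg(\d): ([0-9a-f]+), (.*)$", text, re.M | re.I):
        out["args"][int(n)] = (int(val, 16), desc.strip())
    m = re.search(r"^IMAGE_NAME:\s*(\S+)", text, re.M)
    out["image"] = m.group(1) if m else None
    in_stack = False
    for line in text.splitlines():
        frame = FRAME.match(line.strip())
        if line.startswith("STACK_TEXT:"):
            in_stack = True
        elif in_stack and line.startswith("WARNING: Stack unwind"):
            out["unreliable_from"] = len(out["modules"])  # frames from here may be wrong
        elif in_stack and frame:
            out["modules"].append(re.split(r"[!+]", frame.group(1))[0])
        elif in_stack and not line.strip():
            in_stack = False  # blank line ends the stack listing
    out["third_party"] = [mod for mod in out["modules"] if mod.lower() not in KERNEL]
    return out

if __name__ == "__main__":
    print(triage(SAMPLE))
```

For this log the only non-kernel module on the stack is AWRTPD, at frame index 3, which is also the point where the debugger warns that unwinding becomes unreliable, so the IMAGE_NAME line is a strong lead to confirm by checking whether the crash stops once the driver is gone.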
 
OK, it happened again, though this is after SP 1 install. Attached the minidump file. I tried to open with Win Dbg and got error message "%1 is not a valid Win32 application".

Saphire
 

Attachments: Mini060908-01.zip (20.9 KB)
Did you fully uninstall the Lavasoft software?

Addendum:

Are you sure you're using SP1 final and not some leaked version or something? I can't debug your dump file, it's saying the version you're using doesn't match what Microsoft has as the latest version?

Addendum:

Try deleting c:\Windows\system32\drivers\pxhelp20.sys
 
I fully uninstalled the Ad-Watch software (not the whole Ad-Aware, just the software that had the offending driver.) Should I just uninstall Ad-Aware? It did a good job in the past, but I have noticed problems with their newer versions, and I have other spyware software.

On SP1, this is what was given to me by Microsoft itself. SP 1 was not showing up on auto update, even when I followed all the steps on their article (see Mak's link), so I called them. They checked out my system, but could not debug why it was not showing up on auto updates, and told me to download it and install from their link anyway, which I did. So the version I have and installed was from them.

By the way, when I was looking for C:\Windows\system32\drivers\pxhelp20.sys, I noticed that the awrtpd.sys driver was still there! So I deleted that. Should I still delete the pxhelp20.sys driver?

Thank you,

Saphire
 