Question
871 views

I keep running into Bad Pool Header

teves153XC asked on

Whenever I try to watch a video on YouTube, I keep running into the blue screen of death and the problem is always Bad Pool Header. It's been happening for a while now but I've had enough of it now. I go onto the internet and I find the instructions to either be completely different from each other, I have to reset my whole computer or I don't understand them.

Is there any way of solving Bad Pool Header without having to reset my computer to factory settings?

Thanks.

6 people had this question


Answer
Patrick Barker replied on
Hi,

In order to assist you, we will need the .DMP files to analyze what exactly occurred at the time of the crash, etc.

If you don't know where .DMP files are located, here's how to get to them:

1. Navigate to the %systemroot%\Minidump folder.

2. Copy any and all DMP files in the Minidump folder to your Desktop and then zip up these files.

3. Upload the zip containing the .DMP files to OneDrive or a hosting site of your choice and paste in your reply. Preferred sites: OneDrive, Mediafire, Dropbox, etc. Nothing with wait-timers.

4 (optional): The type of .DMP files located in the Minidump folder are known as Small Memory Dumps. In %systemroot% there will be what is known as a Kernel-Dump (if your system is set to generate). It is labeled MEMORY.DMP. The difference between Small Memory Dumps and Kernel-Dumps in the simplest definition is a Kernel-Dump contains much more information at the time of the crash, therefore allowing further debugging of your issue. If your upload speed permits it, and you aren't going against any strict bandwidth and/or usage caps, etc, the Kernel-Dump is the best choice. Do note that Kernel-Dumps are much larger in size due to containing much more info, which is why I mentioned upload speed, etc.

If you are going to use OneDrive but don't know how to upload to it, please visit the following:

Upload photos and files to OneDrive.

Please note that any "cleaner" programs such as TuneUp Utilities, CCleaner, etc, by default will delete .DMP files upon use.

If your computer is not generating .DMP files, please do the following:

1. Start > type %systemroot% which should show the Windows folder, click on it. Once inside that folder, ensure there is a Minidump folder created. If not, CTRL-SHIFT-N to make a New Folder and name it Minidump.

2. Windows key + Pause key. This should bring up System. Click Advanced System Settings on the left > Advanced > Performance > Settings > Advanced > Ensure there's a check-mark for 'Automatically manage paging file size for all drives'.

3. Windows key + Pause key. This should bring up System. Click Advanced System Settings on the left > Advanced > Startup and Recovery > Settings > System Failure > ensure there is a check mark next to 'Write an event to the system log'.

Ensure Small Memory Dump is selected and ensure the path is %systemroot%\Minidump.

4. Double check that the WERS is ENABLED:

Start > Search > type services.msc > Under the name tab, find Windows Error Reporting Service > If the status of the service is not Started then right click it and select Start. Also ensure that under Startup Type it is set to Automatic rather than Manual. You can do this by right clicking it, selecting properties, and under General selecting startup type to 'Automatic', and then click Apply.

If you cannot get into normal mode to do any of this, please do this via Safe Mode.

Regards,

Patrick
Debugger/Reverse Engineer.
1 person found this helpful


Answer
Patrick Barker replied on

Great, thanks.

All of the attached DMP files are of the BAD_POOL_HEADER (19) bug check.

This indicates that a pool header is corrupt.

BugCheck 19, {d, ffffe0010a4a646f, 4a223bda747def70, f24a223bda747df0}

2: kd> !pool ffffe0010a4a646f
GetPointerFromAddress: unable to read from fffff802d7bd1138
Pool page ffffe0010a4a646f region is unable to get nt!MmNonPagedPoolStart
unable to get nt!MmSizeOfNonPagedPoolInBytes
Unknown
 ffffe0010a4a6000 size:  250 previous size:    0  (Allocated)  klxm
 ffffe0010a4a6250 size:   10 previous size:  250  (Free)       Free
 ffffe0010a4a6260 size:   90 previous size:   10  (Allocated)  KLsm
 ffffe0010a4a62f0 size:   20 previous size:   90  (Free)       Free
 ffffe0010a4a6310 size:   d0 previous size:   20  (Allocated)  KLsc
*ffffe0010a4a63e0 size:   90 previous size:   d0  (Allocated) *KLsm
        Owning component : Unknown (update pooltag.txt)
 ffffe0010a4a6470 size:   50 previous size:   90  (Free )  KLWp
 ffffe0010a4a64c0 size:  4b0 previous size:   50  (Allocated)  dlib
 ffffe0010a4a6970 size:   d0 previous size:  4b0  (Allocated)  KLsc
 ffffe0010a4a6a40 size:  250 previous size:   d0  (Allocated)  klxm
 ffffe0010a4a6c90 size:  250 previous size:  250  (Allocated)  klxm
 ffffe0010a4a6ee0 size:   50 previous size:  250  (Allocated)  KLNc
 ffffe0010a4a6f30 size:   d0 previous size:   50  (Allocated)  KLsc

2: kd> k
Child-SP          RetAddr           Call Site
ffffd000`f383ba08 fffff802`d7b12cf3 nt!KeBugCheckEx
ffffd000`f383ba10 fffff802`d7b12a24 nt!ExFreePoolWithTag+0xa13
ffffd000`f383ba90 fffff800`44637b56 nt!ExFreePoolWithTag+0x744
ffffd000`f383bb60 fffff800`446b2110 klif+0x37b56
ffffd000`f383bb68 fffff800`446b2110 klflt+0xd110
ffffd000`f383bb70 ffffe001`103e5880 klflt+0xd110
ffffd000`f383bb78 00000000`6d786c6b 0xffffe001`103e5880
ffffd000`f383bb80 ffffe001`09feef30 0x6d786c6b
ffffd000`f383bb88 fffff800`446380f3 0xffffe001`09feef30
ffffd000`f383bb90 ffffe001`103e5880 klif+0x380f3
ffffd000`f383bb98 ffffe001`103e5880 0xffffe001`103e5880
ffffd000`f383bba0 ffffe001`09feef30 0xffffe001`103e5880
ffffd000`f383bba8 ffffe001`6d734c4b 0xffffe001`09feef30
ffffd000`f383bbb0 fffff800`446b3d60 0xffffe001`6d734c4b
ffffd000`f383bbb8 00000000`00000004 klflt+0xed60
ffffd000`f383bbc0 00000000`00000080 0x4
ffffd000`f383bbc8 fffff800`446cbf51 0x80
ffffd000`f383bbd0 ffffe001`0b276ef0 klflt+0x26f51
ffffd000`f383bbd8 ffffe001`09feef30 0xffffe001`0b276ef0
ffffd000`f383bbe0 ffffe001`0b21b910 0xffffe001`09feef30
ffffd000`f383bbe8 ffffe001`0b276ef0 0xffffe001`0b21b910
ffffd000`f383bbf0 00000000`00000000 0xffffe001`0b276ef0

We can see klif.sys calls into the nt!ExFreePoolWithTag routine which deallocates a block of pool memory allocated with the specified tag. We can see directly afterwards the bug check was called because the pool header of the freed block has been modified after it was freed, thus the reason I believe it was called twice in this instance. With this said, what's the klif.sys driver? It's a Kaspersky driver, although I cannot find any documentation on what specifically this driver is in charge of.

This is no surprise to me, as I see Kaspersky do this very often in Windows 8/8.1.

--------------------------

Remove and replace Kaspersky with Windows 8's built-in Windows Defender for temporary troubleshooting purposes:

Kaspersky removal - http://support.kaspersky.com/common/service.aspx?el=1464

Windows Defender (how to turn on after removal) - http://www.eightforums.com/tutorials/21962-windows-defender-turn-off-windows-8-a.html

Regards,

Patrick

Debugger/Reverse Engineer.
Be the first person to mark this helpful
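
The pool-page reading in the reply above, as an added Python example (not part of the original reply or of any debugger tooling; the function names are my own). It parses the `!pool` listing, checks that each block's size and previous-size fields chain together, locates the block holding the address passed to `!pool`, and decodes two values from the `k` output as little-endian pool tags.

```python
import re

# !pool block listing copied from the reply above (debugger header lines omitted).
POOL_LISTING = """\
 ffffe0010a4a6000 size:  250 previous size:    0  (Allocated)  klxm
 ffffe0010a4a6250 size:   10 previous size:  250  (Free)       Free
 ffffe0010a4a6260 size:   90 previous size:   10  (Allocated)  KLsm
 ffffe0010a4a62f0 size:   20 previous size:   90  (Free)       Free
 ffffe0010a4a6310 size:   d0 previous size:   20  (Allocated)  KLsc
*ffffe0010a4a63e0 size:   90 previous size:   d0  (Allocated) *KLsm
 ffffe0010a4a6470 size:   50 previous size:   90  (Free )  KLWp
 ffffe0010a4a64c0 size:  4b0 previous size:   50  (Allocated)  dlib
 ffffe0010a4a6970 size:   d0 previous size:  4b0  (Allocated)  KLsc
 ffffe0010a4a6a40 size:  250 previous size:   d0  (Allocated)  klxm
 ffffe0010a4a6c90 size:  250 previous size:  250  (Allocated)  klxm
 ffffe0010a4a6ee0 size:   50 previous size:  250  (Allocated)  KLNc
 ffffe0010a4a6f30 size:   d0 previous size:   50  (Allocated)  KLsc
"""
ENTRY = re.compile(r"^\*?\s*([0-9a-f]{16})\s+size:\s*([0-9a-f]+)\s+previous size:"
                   r"\s*([0-9a-f]+)\s+\((\w+)\s*\)\s+\*?(\S+)", re.I | re.M)

def parse_pool(text):
    """Return one dict per block: start, size, prev (previous size), state, tag."""
    return [dict(start=int(a, 16), size=int(s, 16), prev=int(p, 16), state=st, tag=t)
            for a, s, p, st, t in ENTRY.findall(text)]

def chain_breaks(blocks):
    """Starts of blocks whose address or 'previous size' disagrees with the block before."""
    return [b["start"] for a, b in zip(blocks, blocks[1:])
            if a["start"] + a["size"] != b["start"] or b["prev"] != a["size"]]

def locate(blocks, addr):
    """(index, offset into block, bytes left before the next header), or None."""
    for i, b in enumerate(blocks):
        if b["start"] <= addr < b["start"] + b["size"]:
            return i, addr - b["start"], b["start"] + b["size"] - addr
    return None

def tag_from_dword(value):
    """Pool tags are four ASCII bytes stored little-endian: 0x6d786c6b reads 'klxm'."""
    return (value & 0xFFFFFFFF).to_bytes(4, "little").decode("ascii", "replace")

if __name__ == "__main__":
    blocks = parse_pool(POOL_LISTING)
    i, off, left = locate(blocks, 0xffffe0010a4a646f)   # second BugCheck argument
    print("chain breaks:", [hex(x) for x in chain_breaks(blocks)])
    print(f"{blocks[i]['tag']} block +{off:#x}; {left} byte(s) before next header")
    print([tag_from_dword(v) for v in (0x6d786c6b, 0x6d734c4b)])  # dwords from k output
```

On this listing the size chain is consistent, and the address falls at offset 0x8f of the starred KLsm block, one byte before the header of the free KLWp block that follows it.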
