Random BSODs due to BAD_POOL_CALLER

GTM · 10 Sep 2018

Two more BSOD's today. I will upload the collected data. Hopefully this will help debug the problem and figure out which app/driver/process is the root cause.

George

Ztruker · 11 Sep 2018

Both dumps from 9/10 indicate a problem with mwac.sys. tcpip.sts and netio.sys are OS modules and not the cause.

Code:

BugCheck C2, {4, c43741b6, 9d45ad55, ffff81855fe5c838}
*** ERROR: Module load completed but symbols could not be loaded for tcpip.sys
*** WARNING: Unable to verify timestamp for mwac.sys
*** ERROR: Module load completed but symbols could not be loaded for mwac.sys
Probably caused by : NETIO.SYS ( NETIO!NetioFreeMdl+1a380 )

Driver Description: Malwarebytes Web Access Control
Driver Update Site: Support: http://www.malwarebytes.org/support/consumer/
Download: http://www.malwarebytes.org/downloads/

Uninstall Malwarebytes anti-malware. If it's not installed, the mwac.sys driver is still installed so you could try installing then uninstalling Malwarebytes anti-malware, see if that gets rid of it.

C:\WINDOWS\system32\Drivers\mbamswissarmy.sys
C:\WINDOWS\system32\DRIVERS\mwac.sys

GTM · 13 Sep 2018

Thank you for taking the time to analyze the dumps. Is there an offset in MWAC.SYS which would be pointing to the failing instruction?

George

Ztruker · 13 Sep 2018

GTM said:

Thank you for taking the time to analyze the dumps. Is there an offset in MWAC.SYS which would be pointing to the failing instruction?

George

None that I see.

cwsink · 13 Sep 2018

Hi GTM,

The first parameter with a value of 0x4 for that bugcheck means Windows detected a pool header had been overwritten. My understanding is that any driver using pool memory could have potentially corrupted the pool header and the recommendation is to turn on Driver Verifier with special pool enabled to hopefully more accurately determine the culprit. Have you already tried enabling DV with special pool? I would have though Microsoft would suggest doing so. If not and before doing so, please make sure you create a restore point and know how to roll back to a restore point in case the system ends up in a boot/crash loop.

edit: Actually, I'd suggest first updating your Ethernet driver to the latest version available from here (10.028). The version showing in the dump files (rt640x64.sys - timestamp: Tue May 5 09:21:03 2015) was notoriously buggy.

GTM · 15 Sep 2018

Hi cwsink,

Thanks for the suggestion to update the Ethernet driver. It's a good idea to update drivers, especially if they're buggy.
Actually, I had contacted Microsoft support before I tried to get help here at the forum. The person I was chatting with asked me to allow them to investigate the problem by taking over my pc and (against my better judgement) I accepted to do so. They started Driver Verifier and rebooted the pc. After running for a while (it was over an hour) it finally booted to the sign-on screen but the pc was extremely sluggish, and I could not do anything. I wasted another hour or so with the pc being almost unusable, and then I restored it to a previous image I had taken the day before.
Running with Driver Verifier enabled it rendered my pc unusable, so I am a bit leery repeating that experiment.

BTW, I updated the Ethernet driver (10.28.615.2018).

I want to thank all you guys for helping debug this problem.

George

cwsink · 16 Sep 2018

It took an hour to get to the login screen after DV was enabled and restarted? That would make me wonder if it was installing a Windows 10 update. There will be a performance hit with DV turned on but if you're selective about what you enable and only have it monitor non-Microsoft drivers it shouldn't render the computer unusable. If you do try DV again I'd recommend following the instructions here but only enabling special pool and pool tracking in step 2. If it does induce a bugcheck triggered by the DV checks there's a good chance it will allow us to find the buggy driver. If the crashes continue after updating the Ethernet driver please let us know.

zbook · 16 Sep 2018

This is the first time I've read that a Microsoft employee ran windows driver verifier.
That is the opposite of their training as they typiclly will not perform steps that could cause failures.
Most don't have the training to interpret the dump files.

GTM · 16 Sep 2018

Enabled Driver Verifier with the recommended settings and rebooted. I did not experience significant performance degradation. Took this dump with Driver Verifier enabled.

George

zbook · 16 Sep 2018

There are two log collectors: DM and BETA.
At sometime the BETA log collector will replace the DM log collector.
The BETA log collector will collect more useful folders and files.
Please run the BETA log collector on the bottom of this webpage and post a zip into the thread before making any changes to the computer:

BSOD - Posting Instructions - Windows 10 Forums

1) In post #12 it was requested to uninstall Malwarebytes.
a) Was this step performed?
b) Was Malwarbytes uninstalled and then reinstalled?
c) If Malwarebytes was uninstalled what method was used?

2) The latest crash was using Windows driver verifier.

3) Which link was used to customize the settings for the test?

4) Before turning on Windows driver verifier always create a brand new restore point.

5) Make sure that important files are backed up to another drive or to the cloud.

6) Make a backup image using Macrium.
Macrium Software | Macrium Reflect Free

7) Save the backup image to another drive or to the cloud.

8) Many computers have performance sluggishness or delayed boot while using windows driver verifier.

9) The performance and boot problems can be modified by changing the customized tests.

10) In general windows driver verifier is used for 48 hours.
Then after the last BSOD it is used for an additional 36 hours.
If there are no further BSOD then this completes the troubleshooting with this tool.

11) Please use these settings:
Driver Verifier-- tracking down a mis-behaving driver. - Microsoft Community

12) To turn off Windows driver verifier or to recover from using the tool use the information in this link:
Enable and Disable Driver Verifier in Windows 10 | Windows 10 Tutorials

13) When viewing this post please run the BETA log collector at the bottom of this webpage:
BSOD - Posting Instructions - Windows 10 Forums

14) For any new BSOD please run the beta log collector and post a new zip into this thread.

15) And for any new BSOD open file explorer > this PC > C: > in the right upper corner search for: C:\windows\memory.dmp > if the size is < 2GB > zip > post a share link into this thread.
For share links please use one of these three options: one drive, drop box, or google drive.

Code:

mwac.sys     Mon Aug 06 15:16:49 2018 (5B68ACB1)

Code:

MBAMWebProte MBAMWebProtection      MBAMWebProtection      Kernel        Manual     Running    OK         TRUE        FALSE        8,192             61,440      0          8/6/2018 4:16:49 PM    C:\WINDOWS\system32\DRIVERS\mwac.sys             8,192

Code:

mbamwebprotection    MBAMWebProtection    c:\windows\system32\drivers\mwac.sys    Kernel Driver    Yes    Manual    Running    OK    Normal    No    Yes

Code:

mwaccontrollerimpl    3.1.0.295    3.11 MB (3,266,120 bytes)    5/10/2018 8:23 PM    Malwarebytes    c:\program files\malwarebytes\anti-malware\mwaccontrollerimpl.dll

Code:

mwacsdkshim    3.1.0.299    2.07 MB (2,169,600 bytes)    5/10/2018 8:23 PM    Malwarebytes    c:\program files\malwarebytes\anti-malware\mwacsdkshim.dll

Code:

mwaclib    3.1.0.452    2.64 MB (2,769,768 bytes)    5/10/2018 8:23 PM    Malwarebytes    c:\program files\malwarebytes\anti-malware\mwaclib.dll