Plagued by Bad_pool_caller BSOD

ChrisLPlumb

Honorable
Jan 23, 2014
36
0
10,530
Every time I boot up normally, I get this BSOD almost as soon as I log in. I can boot in safe mode with no problems though.

I made a panicked thread already but no one responded. Sorry I'm being so demanding, but you've got to understand that this is happening to a super expensive laptop I bought from PC Specialist. I was saving for over a year to be able to afford it.

The minidumps should give you a better idea of what's wrong (I hope), but this started happening after a botched installation of Daemon Tools Lite. Bullguard flagged an exe in the installation called Soft Disc Bus Service, which I believe is a driver that DT uses. I blocked it as per Bullguard's advice, and the installation hung, so I ended the task and tried to uninstall / reinstall, both of which also hung. I tried a manual uninstall suggested by Soft Disc themselves, and found I couldn't delete the program folder because of soft disc bus service.exe, which weirdly was being used by soft disc bus service.exe. So then, I decided to use Revo to clean uninstall, opting to not use Daemon Tools' uninstaller and letting Revo handle it. I had "make a system restore point" turned off because it was making Revo hang, but I kept back-up registry ticked. I didn't check and delete any of the registry stuff that Revo gave me the option of deleting, but I deleted the stuff on the next prompt which seemed to be mostly "Local App" stuff, I think. Then, the system had to restart. Revo told me that some files would be removed upon restarting, and among these files was Soft Disc Bus Service.exe. The aforementioned BSOD started happening after this restart.

So I tried booting in safe mode, and found I was BSOD-free. I was actually able to delete the rest of the contents of the DT program file (Soft Disc Bus Service.exe included), and they're in my recycle bin now, but that didn't rectify the issue, and I'm still getting the BSOD. I system restored to a time earlier this evening before I'd installed Daemon Tools, but that also hasn't helped.

I'm terrified I've deleted something vital and that my computer is f**ked. Please, please help me out here.

Here are some minidumps: https://www.dropbox.com/sh/gebarvf1w7xt5ma/AAC_Tgb-3FKCG1N7OHRSgxPUa?dl=0
 
Solution
a device driver freed the same memory twice and caused this bugcheck.
the driver was
\SystemRoot\system32\DRIVERS\NSKernel.sys Wed Mar 18 01:13:08 2015
NovaShield Kernel Module driver Believed to be a part of BullGuard Internet Security

the process accessing the driver was BullGuardBhvSc
most likely bullguardbhvscanner.exe

your system uptime was 22 seconds
I would suspect you will have to boot into safe mode and delete the .exe file or remove the software from your system. (or boot in safe mode and delete the driver)






 
Solution
your Intel(R) 82579V Gigabit Network Connection driver
is also pretty old and you should update it
\SystemRoot\system32\DRIVERS\e1c62x64.sys Fri Aug 10 15:44:15 2012
https://downloadcenter.intel.com/

you also have some old fingerprint reader software from 2011 you might want to look for an update.
EgisTec Inc. Fingerprint Biometrics/MyWinLocker

here is a link but it did not work for me: http://www.egistec.com/en/index.aspx
 

ChrisLPlumb

Hi everyone. Thanks for the replies, and thanks Popatim for making this thread. I made two because I felt my other one lacked composure and was getting ignored, so thanks for replying. I've been losing my mind this evening posting on other forums like this, and a poster over at Tech Support Guy also suspects Bullguard as being the culprit.

It's funny though that you should mention that Bullguard driver "NovaShield." Earlier on I was looking at Device Manager, and I displayed the hidden devices and found that two non-plug and play drivers were having problems: NovaShield and "Security Processor Loader Driver," whatever that one is.

Since then, I've run chkdsk and sfc \verifyonly via safe mode with command prompt, and the former turned up no problems, while the latter found integrity violations. I then ran sfc \scannow, which found corrupt files some of which it was unable to fix (I have the CBS log and a narrowed down text document called sfcdetails which detail that scan, I could post them here if you're willing to study them - they're pretty long, but I also didn't notice anything glaringly negative in the latter text document), and this made me suspect I might have to put the OS disc in to restore some system files. However, I don't have that disc to hand at the moment. I should be able to get it tomorrow if it becomes necessary.

Anyway, when you mentioned NovaShield, I decided to check those drivers again, and NovaShield is no longer having problems. This is since I ran sfc \scannow. However "Security Processor Loader Driver" is still flagged. I'll consider uninstalling Bullguard, but I'll hold off for the time being in case anything else comes up.
 

ChrisLPlumb

Okay so I read a bit about Security Processor Loader Driver, otherwise known as spldr.sys, here: http://www.dlltool.com/articles/how_to_fix_spldr_sys_errors/ and here: http://www.sevenforums.com/hardware-devices/91275-security-processor-loader-driver.html

People have had luck uninstalling it and then updating their graphics drivers, but the first link cautions against uninstalling it, despite saying at the end that drivers with small yellow exclamation mark icons beside them should be uninstalled (as my spldr.sys is), before advising, as in the sevenforums link, to download the latest patch for your graphics card. I don't know, it's another avenue to consider exploring I suppose.
 

ChrisLPlumb

Okay, I'd really appreciate if someone could look at this latest minidump: https://www.dropbox.com/s/1b73v5c098...52-01.dmp?dl=0

Here's why: After running sfc /scannow, the NovaShield driver for the Bullguard Scanner, which was identified as problematic here no longer has an exclamation mark beside it in Device Manager, nor is it listed as a "problem" under components in System Information. Previously, its status read "This device is not present, is not working properly, or does not have all its drivers installed. (Code 24)" but this is no longer the case. I don't know if sfc /scannow rectified this, but whatever the case, it doesn't seem to have anything wrong with it anymore.

However, despite the fact that there are no longer any problems with NovaShield, the bsod problem persists. This of course created a new minidump, which is the one I've posted, and I'd be very interested to find out what it says went wrong.

The problem with the Security Processor Loader Driver that I mentioned has been a constant throughout all of this, so I suspect that it might have something to do with why I keep crashing. Perhaps the dmp file will detail what's happening?

One last thing: The Bullguard Scanner process that accessed the NovaShield driver was among the services I disabled when I tried a clean boot, and like I said the bluescreen problem persisted despite this. However, one thing I noticed when I booted via Safe Mode afterwards was that the scanner process was still running somehow. Or at least, when I looked at the services tab in msconfig, all those services I'd unchecked and disabled were still unchecked and disabled, but the status of "Bullguard scanning service", despite being disabled, was "Running," whilst pretty much everything else was "Stopped." So, this suggests that perhaps Bullguard is still the culprit despite the fact that the problem with the NovaShield driver seems to have been rectified. Again, I'm hoping this new minidump might enlighten us as to whether or not this is the case.

Thanks for reading. I feel like I might be closer to the solution now. I just want to make sure I don't do anything rash. If uninstalling Bullguard is all that needs to be done, I'd like to know that rather than repairing the OS and all that stuff. Also, those links I posted above describing problems with the Security Processor Loader Driver suggest a similarly simple solution that doesn't require anything too extreme. If that's also all that needs to be done to solve this, I'd love to know. I might seem like I'm being hyper-fastidious, but remember this is a super expensive machine, and ideally I'd like to solve this problem with the exact solution, rather than going too far or not doing enough.
 
bad link? file not found



 
note: very suspect driver installed (based on the driver date)
\SystemRoot\system32\DRIVERS\IFXTPM.SYS Sun Dec 16 15:52:49 2007
find out what it is, update or remove if not needed

tixhci.sys these are old texas instruments usb 3.0 drivers. USB 3.0 drivers dated 2013 and newer tend to work, older drivers tend to corrupt memory. Update the drivers for your motherboard.
------------
bugcheck was in NSKernel.sys because it attempted to free memory address that turned out to be invalid.

So, something corrupted memory or the program made a programming mistake.

to figure out this type of problem you have to change your memory dump type to full or kernel, then run cmd.exe as an admin then run
verifier.exe /standard /all
reboot and run until you get another bugcheck.

this has a chance of catching the corruption as it occurs. (if the corruption is caused by a different driver)

having the kernel dump will help to determine who owned the memory that was released (helps to determine if it is just a programming mistake in the suspect driver)

note: you have a lot of suspect 3rd party drivers installed;
\SystemRoot\system32\DRIVERS\tihub3.sys Tue Nov 22 21:50:16 2011
\SystemRoot\system32\DRIVERS\tixhci.sys Tue Nov 22 21:50:09 2011
\SystemRoot\system32\DRIVERS\mwlPSDVDisk.sys Fri Mar 25 00:12:23 2011
\SystemRoot\system32\DRIVERS\mwlPSDVDisk.sys Fri Mar 25 00:12:23 2011
\SystemRoot\system32\DRIVERS\mwlPSDFilter.sys Fri Mar 25 00:12:11 2011
\SystemRoot\system32\DRIVERS\IFXTPM.SYS Sun Dec 16 15:52:49 2007
\SystemRoot\system32\DRIVERS\e1c62x64.sys Fri Aug 10 15:44:15 2012
SystemRoot\system32\DRIVERS\1394ohci.sys Sat Nov 20 02:44:56 2010
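
Added example, not part of the thread and not Windows pool code: a simplified user-mode C model of per-block pool headers. It shows why the free call is where both a double free and earlier damage by a neighbouring writer surface, and how a check at write time (the role Driver Verifier plays in the advice above) catches the writer instead. All names, constants and the block layout are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified model only: hypothetical names, not the Windows pool allocator. */
#define POOL_BLOCKS 4
#define BLOCK_BYTES 32
#define ST_FREE 0xF4EEF4EEu
#define ST_USED 0xA110CA7Eu

typedef enum { FREE_OK, FREE_DOUBLE, FREE_BAD_ADDRESS, FREE_CORRUPT_HEADER } free_result;
typedef struct { uint32_t state; uint32_t owner; unsigned char data[BLOCK_BYTES]; } pool_block;

static pool_block pool[POOL_BLOCKS];

void pool_init(void) {
    for (int i = 0; i < POOL_BLOCKS; i++) { pool[i].state = ST_FREE; pool[i].owner = 0; }
}

void *pool_alloc(uint32_t owner) {
    for (int i = 0; i < POOL_BLOCKS; i++)
        if (pool[i].state == ST_FREE) {
            pool[i].state = ST_USED; pool[i].owner = owner;
            return pool[i].data;
        }
    return NULL;
}

/* The header is only inspected here, so whoever calls free is the one that
   "crashes", even when a different component damaged the header earlier. */
free_result pool_free(void *p) {
    uintptr_t base = (uintptr_t)pool, q = (uintptr_t)p;
    if (q < base || q >= base + sizeof pool) return FREE_BAD_ADDRESS;
    size_t off = (size_t)(q - base);
    if (off % sizeof(pool_block) != offsetof(pool_block, data)) return FREE_BAD_ADDRESS;
    pool_block *b = &pool[off / sizeof(pool_block)];
    if (b->state == ST_FREE) return FREE_DOUBLE;          /* same memory freed twice */
    if (b->state != ST_USED) return FREE_CORRUPT_HEADER;  /* header was overwritten */
    b->state = ST_FREE;
    return FREE_OK;
}

/* Fill len bytes starting at p. Without verification an over-long write runs
   into the next block's header unnoticed; with it, the write is refused (-1). */
int pool_write(void *p, unsigned char fill, size_t len, int verify) {
    unsigned char *bytes = (unsigned char *)pool;
    size_t start = (size_t)((unsigned char *)p - bytes);
    if (verify && len > BLOCK_BYTES) return -1;
    for (size_t i = 0; i < len && start + i < sizeof pool; i++) bytes[start + i] = fill;
    return 0;
}

free_result scenario_double_free(void) {
    pool_init();
    void *p = pool_alloc(1);
    pool_free(p);
    return pool_free(p);
}

/* Owner 1 overruns its block by 4 bytes; owner 2's later, correct free fails. */
free_result scenario_neighbour_overrun(int verify, int *writer_caught) {
    pool_init();
    void *a = pool_alloc(1), *b = pool_alloc(2);
    *writer_caught = pool_write(a, 0xCC, BLOCK_BYTES + 4, verify) != 0;
    return pool_free(b);
}

int main(void) {
    int caught = 0;
    printf("double free: %d\n", scenario_double_free());
    free_result r = scenario_neighbour_overrun(0, &caught);
    printf("overrun, unverified: free=%d writer_caught=%d\n", r, caught);
    r = scenario_neighbour_overrun(1, &caught);
    printf("overrun, verified: free=%d writer_caught=%d\n", r, caught);
    return 0;
}
```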
 

ChrisLPlumb

Thanks, I'll give that a try now.

EDIT: Sorry, I was reading the wiki for Driver Verifier, and it's recommended that you don't use it for all the drivers at once. Would it be okay to use it just for NSKernel and spldr.sys?

Do you have any idea what those suspect drivers are or what program they relate to? Also those usb drivers probably came with the machine. Weird that PC Specialist wouldn't put in up to date drivers for the usb ports.
 
you can look here: http://www.carrona.org/drivers/driver.php?id=mwlPSDVDisk.sys
and just look for your various driver names, often it will have a suggested website for updates but often
the driver will be for a custom chip supplied to a motherboard manufacturer and you can only get the driver from that manufacturer.

I would turn on driver verifier for all drivers. The worst case is if the system goes into the debugger immediately in a required driver that you just cannot get an update to. Then you would start excluding drivers.

Also, the corruption is in driver shared memory and verifier would not detect a corruption if you only have it working on your nskernel.sys drivers. it would miss the cases of external drivers corrupting memory. It would catch nskernel.sys only if it released the memory twice (most likely case)





 

ChrisLPlumb

Okay, but how exactly do I turn off driver verifier when I'm done using it? What's the command for viewing the list and unchecking verifier for them? Leaving it on can affect your system's stability, or so I've read...
 

ChrisLPlumb

Alright, the bluescreen this time reads: "The IO manager has detected a violation by a driver that is being verified. The faulty driver that is being verified must be debugged and replaced with a working version." It's currently doing a complete memory dump.

EDIT: Hmmm, it appears to be hanging on the bluescreen at 100% of the memory dump. Do I wait? Or should I hold down the power button?
 
the 100% should mean it has completed writing it to disk. power cycle and upload the very big memory dump to a server and post a link



 

ChrisLPlumb

Okay, no dump was made. It seems power cycling prevented it from finishing. Using driver verifier made the bluescreen hang. Could I try a complete dump without driver verifier and see if that creates a useful dump? I'll need to know how to turn off verifier for all drivers first though.

Note: I should also add that power cycling led to a few hiccups at launch. I had to power cycle a few times to actually successfully get into my computer. I'd very much like to turn off driver verifier now.

Does "delete existing settings" undo the driver verifier command prompt I used? Or do I have to undo from within an elevated command prompt? I accessed verifier from the start menu from within regular safe mode to delete the existing settings. Sorry for the questions, I'm just trying to be super careful with this valuable laptop.
 
sure turn off verifier
use cmd.exe as an admin, then
verifier.exe /reset
and it will turn off.

if you get a kernel memory dump I can still look at it but verifier has a chance of catching the corruption when it occurs.
otherwise you may catch it 5 minutes later when the memory belongs to another process and it dies.

Also, full memory dumps are not stored in the same directory as a minidump so make sure you check the correct place for the memory dump file. memory.dmp in the windows directory (not c:\windows\minidump directory)
I guess you should also make sure there is plenty of space to store the large files on your system.



 

ChrisLPlumb

Ooooh, okay. I found the complete dump, and yes it's pretty massive: 820MB. Also I'm pretty sure that by default, the memory dump was set to kernel. I actually had to use regedit to enable complete dump. In other words, the dumps I posted already are kernel dumps. I'll upload the complete one shortly. Oh and you're okay to download and trawl through it right? It's not too much hassle is it?
 
should be ok, I have a high speed link so the download is fast. if verifier is turned on the debugging is mostly automated.



 
here is info on how to disable a filter driver:
https://support.microsoft.com/en-us/kb/816071/
basically, stop the service and make a registry change to disable the driver.

-----------
note: you might also want to update this file:
\SystemRoot\system32\mcupdate_GenuineIntel.dll Sat Nov 20 05:03:51 2010
you have an intel Xeon i7-4960X CPU @ 3.60GHz (6 real cores)
it came out at the end of 2013 or so, you might want to update the intel chipset drivers in case there were microcode fixes. mcupdate_GenuineIntel.dll contains any CPU microcode overrides to patch any broken CPU functions in various CPU steppings (if any). generally you get the update via BIOS updates or from an updated mcupdate_GenuineIntel.dll file that is loaded when windows loads.


system has a device called PCI\VEN_8086&DEV_0E30&SUBSYS_02701558&REV_04\3&4f11e61&0&71
that is uninitialized and in an unknown state. You should look at device manager and see if you can figure out what it is.
-----------
put it another way one of the first 5 of the 6 listed drivers most likely corrupted memory,
You can try and remove them. I turn off any of the software pertaining to these before I tried to uninstall them.
for example, turn off the services, reboot and then attempt to uninstall the drivers. If there is corruptions the uninstall programs are not likely to work.
------------
your system has various filter drivers installed here is the order:
nskernel.sys
bdspy.sys
truefos.sys
bdagent.sys
mwlPSDFilter.sys
luafv.sys

problem is that after BdAgent.sys was inserted the data for mwlPSDFilter.sys became corrupted. I would assume it is a bug in the program that installed. I really don't know much how this stuff works but I assume it is a linked list and any functions after the bad link just will not work. in this case i would assume EgisTec Inc. Fingerprint Biometrics/MyWinLocker will not work and windows luafv.sys would be broken. luafv.sys provides a means to elevate a user to administrative level UAC prompts.

So, i would be looking for an updated installer for BdAgent.sys and I would remove your fingerprint scanner if it is not working anyway. or attempt to reinstall them both. Generally the older the driver the higher likelihood of a bug and also new drivers generally try to install them in front of other drivers in the chain. This means if you install a broken driver first, the other drivers next in the chain will have the broken driver last and you might never see a problem.
ie a chain like this good driver 1-> good driver 2 ->bad driver 3-> good driver 4->good driver 5
you would find driver 1, 2, and the bad driver would work but driver 4 and 5 would not

you might be able to reinstall good driver 4 and good driver 5 and they would be inserted at the start of the chain.
and you would get
good driver 5->good driver 4-> good driver 1-> good driver 2-> bad driver 3

this would let all the drivers work, even the bad driver but depends on the order of the install.
and your last driver was luafv.sys and I don't know how to rerun the setup for that driver.

I would just uninstall mwlpsdfilter.sys or BdAgent.sys or both, reboot and reinstall one at a time reboot and see if I get a bugcheck.

here is a better stack trace showing what is going on: (read from the bottom up, it shows filtmgr was involved before the crash in nskernel)
2: kd> kc
Call Site
nt!KeBugCheckEx
nt! ?? ::FNODOBFM::`string'
nt!ExFreePoolWithTag
NSKernel
NSKernel
fltmgr!FltpFilterMessage
fltmgr!FltpMsgDeviceControl
fltmgr!FltpMsgDispatch
fltmgr! ?? ::FNODOBFM::`string'
nt!IopXxxControlFile
nt!NtDeviceIoControlFile
nt!KiSystemServiceCopyEnd
0x0

 

ChrisLPlumb

So in other words, luafv.sys was the "first" driver installed, and therefore the oldest "link", while nskernel.sys was the latest and newest one installed? You believe bdagent.sys is like "bad driver 3" in your example, corrupting good drivers 4 and 5 (the first and oldest drivers in the chain, i.e. mwlPSDFilter.sys and luafv.sys)?

Ideally then I'd reinstall mwlPSDFilter.sys and luafv.sys, putting them at the top of the chain and leaving bdagent.sys with nothing older than it to corrupt (i.e. like the way bad driver 3 can no longer corrupt good drivers 4 and 5). But, you're saying you don't know how to re-run the setup for luafv.sys which has been corrupted, and so instead, it would be better if I pushed bdagent.sys and mwlPSDFilter.sys to the top of the chain by reinstalling them, leaving luafv.sys at the bottom of the chain, like bad driver 3 in your example? That, or simply uninstall mwlPSDFilter.sys, and reinstall / update bdagent.sys so that there's only 5 drivers in the chain (rather than 6 including mwlPSDFilter), with luafv.sys at the bottom not causing any corruption? Sorry about this by the way, I just want to make sure I understand what you're saying.

Also, is the implication that the activity of fltmgr.sys led to the crash because it was dealing with the problematic filter drivers in the chain that were older than (installed before) NSKernel.sys? In other words, is NSkernel.sys kind of like a "good driver" in your example? And so are you saying that the culprit must be among those first 5 drivers (starting with the oldest, luafv.sys, and ending with the latest, which is bdspy.sys)? But you also seem to think that BdAgent.sys had the corrupting influence on the drivers before it, so would that not make IT the culprit?

Could I not instead just uninstall Bullguard and the drivers for Fingerprint Scanner / MyWinLocker permanently? Bullguard is a trial that came free with the machine, and I was planning to replace it with Avast or AVG anyway. Would this work do you think? Your advice here presumes that I want to keep both Bullguard and Fingerprint Scanner / MyWinLocker drivers, but I'm not really that fussed about them. I didn't know the laptop had a fingerprint scanner when I bought it - the fingerprint scanner had no role to play in my decision to buy it, nor did MyWinLocker, whatever that is. What do you think? Would just uninstalling them both be unwise?

Also, by "truefos.sys" do you mean "trufos.sys" which is apparently a driver associated with BitDefender? Is the extra "e" a typo? Because I couldn't find information on "truefos.sys." Incidentally, if the culprit driver is one of the first 5 in the list, I have to say that trufos.sys is pretty suspicious to me, because I don't have and never have had BitDefender on this machine, so where would a BitDefender driver have come from?

Anyway, thanks for everything so far. Hopefully we're closing in on the problem. I'll give your advice a try.
 

ChrisLPlumb

PCI\VEN_8086&DEV_0E30&SUBSYS_02701558&REV_04 refers to "Intel(R) Xeon(R) E5 v2/Core i7 Home Agent 0 - 0E30", as far as I can tell. It's a "system device," and there's one more like it called "Intel(R) Xeon(R) E5 v2/Core i7 Home Agent 0 - 0ECA."
 
