Well, it did the trick for me; got multiple SPECIAL_POOL_DETECTED_MEMORY_CORRUPTION crashes this morning. So from all the reading I've been doing, something is touching memory it shouldn't and is causing the dump. I'm not sure how I tie bea06ff8 back to the offender though:
Kernel Summary Dump File: Only kernel address space is available ************************************************************************ WARNING: Dump file has inconsistent set-bit count. Data may be missing. ************************************************************************ Symbol search path is: C:\WINDOWS\Symbols Executable search path is: Windows 2000 Kernel Version 2195 (Service Pack 4) MP (4 procs) Free x86 compatible Product: Server, suite: TerminalServer Kernel base = 0x80400000 PsLoadedModuleList = 0x80485b80 Debug session time: Wed Jul 1 08:16:02.250 2009 (GMT-4) System Uptime: 0 days 0:24:10.125 Loading Kernel Symbols ......................................................................................................... Loading User Symbols PEB address is NULL ! Loading unloaded module list .... ******************************************************************************* * * * Bugcheck Analysis * * * ******************************************************************************* Use !analyze -v to get detailed debugging information. BugCheck C1, {bea06ff8, bea06ffb, 88000003, 24} PEB address is NULL ! PEB address is NULL ! *** WARNING: nt!MmPoisonedTb is non-zero: *** The machine has been manipulated using the kernel debugger. *** MachineOwner should be contacted first Probably caused by : ntkrnlmp.exe ( nt!NtRequestWaitReplyPort+7d0 ) Followup: MachineOwner --------- 0: kd> !analyze -v ******************************************************************************* * * * Bugcheck Analysis * * * ******************************************************************************* SPECIAL_POOL_DETECTED_MEMORY_CORRUPTION (c1) Special pool has detected memory corruption. Typically the current thread's stack backtrace will reveal the guilty party. Arguments: Arg1: bea06ff8, address trying to free Arg2: bea06ffb, address where bits are corrupted Arg3: 88000003, (reserved) Arg4: 00000024, caller is freeing an address where bytes after the end of the allocation have been overwritten Debugging Details: ------------------ PEB address is NULL ! PEB address is NULL ! POISONED_TB: nt!MmPoisonedTb is non-zero: BUGCHECK_STR: 0xC1_24 SPECIAL_POOL_CORRUPTION_TYPE: 24 DEFAULT_BUCKET_ID: INTEL_CPU_MICROCODE_ZERO PROCESS_NAME: LAST_CONTROL_TRANSFER: from 8046e272 to 8053987c STACK_TEXT: eb49bcd0 8046e272 bea06ff8 00000000 bea06ff8 nt!NtRequestWaitReplyPort+0x7d0 eb49bcfc 80532cbb bea06ff8 00000000 eb49bd78 nt!ExpGetLookasideInformation+0x148 eb49bd0c 80532c99 bea06ff8 00000000 b9db1fbc nt!CmSetValueKey+0x550 eb49bd78 80417b47 880810e8 00000000 00000000 nt!CmSetValueKey+0x52f eb49bda8 804578ca 880810e8 00000000 00000000 nt!MiInsertImageSectionObject+0x11 eb49bddc 8046c966 80417a98 00000000 00000000 nt!FsRtlRemoveBaseMcbEntry+0x380 eb49be04 00000000 00000000 00000000 00000000 nt!RawCheckForDismount+0x7a STACK_COMMAND: kb FOLLOWUP_IP: nt!NtRequestWaitReplyPort+7d0 8053987c 8b4dfc mov ecx,dword ptr [ebp-4] SYMBOL_STACK_INDEX: 0 SYMBOL_NAME: nt!NtRequestWaitReplyPort+7d0 FOLLOWUP_NAME: MachineOwner MODULE_NAME: nt IMAGE_NAME: ntkrnlmp.exe DEBUG_FLR_IMAGE_TIMESTAMP: 4344ec59 FAILURE_BUCKET_ID: 0xC1_24_VFL_nt!NtRequestWaitReplyPort+7d0 BUCKET_ID: 0xC1_24_VFL_nt!NtRequestWaitReplyPort+7d0 *** WARNING: nt!MmPoisonedTb is non-zero: *** The machine has been manipulated using the kernel debugger. *** MachineOwner should be contacted first Followup: MachineOwner --------- 0: kd> lm start end module name 80062000 80076460 hal (deferred) 80400000 805a29c0 nt M (pdb symbols) C:\WINDOWS\Symbols\exe\ntkrnlmp.pdb a0000000 a0190000 win32k (deferred) a0190000 a01e7000 ati2drad (deferred) a01e7000 a01eb000 DamewareDisp (deferred) b9da6000 b9dbfa20 WDICA (deferred) b9e08000 b9e15980 pdcrypt2 (deferred) b9e88000 b9e9df00 RDPWD (deferred) b9eee000 b9ef0a20 IcaReduc (deferred) ba02e000 ba0429e0 naiavf5x (deferred) ba76b000 ba77aa20 ipsec (deferred) ba813000 ba8353c0 Fastfat (deferred) bac46000 bac80440 srv (deferred) bae61000 bae8c160 cdm (deferred) bafc5000 bafcd240 Fips (deferred) bb01d000 bb03a4a0 afd (deferred) bb12b000 bb18fca0 mrxsmb (deferred) bb1a2000 bb1cb900 rdbss (deferred) bb1dc000 bb1eafe0 Cdfs (deferred) bb25c000 bb264a60 termdd (deferred) bb26c000 bb293e00 netbt (deferred) bb294000 bb2e21a0 tcpip (deferred) bb3c3000 bb3c66c0 dump_diskdump (deferred) bbbf3000 bbc1d3a0 update (deferred) bbc1e000 bbc39b40 ks (deferred) bbc4c000 bbc6f060 rdpdr (deferred) bbc70000 bbc86ba0 ndiswan (deferred) bbc87000 bbcac100 q57w2k (deferred) bbcad000 bbcedf00 cpqasm2 (deferred) bbcee000 bbd43600 ati2mpad (deferred) bbd54000 bbd57580 vga (deferred) bbdf4000 bbdf7e60 TDI (deferred) bbe00000 bbe022e0 ndistapi (deferred) bbe0c000 bbe0f640 serenum (deferred) bfe60000 bfe75be0 Mup (deferred) bfe76000 bfe9faa0 NDIS (deferred) bfea0000 bff225a0 Ntfs (deferred) bff23000 bff347c0 KSecDD (deferred) bff35000 bff471c0 Dfs (deferred) bff48000 bff5a0c0 SCSIPORT (deferred) bff5b000 bff82140 LsiCsb6 (deferred) bff83000 bff98180 atapi (deferred) bff99000 bffba9c0 dmio (deferred) bffbb000 bffd7220 ftdisk (deferred) bffd8000 bffffc20 ACPI (deferred) eb000000 eb00e6a0 pci (deferred) eb010000 eb01b680 isapnp (deferred) eb020000 eb02faa0 adpu160m (deferred) eb030000 eb03b2c0 symmpi (deferred) eb040000 eb048700 CLASSPNP (deferred) eb050000 eb05c4c0 VIDEOPRT (deferred) eb060000 eb06e580 CPQCISSE (deferred) eb0a0000 eb0ab680 i8042prt (deferred) eb0b0000 eb0bf400 serial (deferred) eb0c0000 eb0ca000 dwvkbd (deferred) eb0d0000 eb0dca80 rasl2tp (deferred) eb0e0000 eb0ebc40 raspptp (deferred) eb100000 eb109be0 usbhub (deferred) eb120000 eb129ce0 NDProxy (deferred) eb130000 eb138fa0 Npfs (deferred) eb140000 eb148680 msgpc (deferred) eb150000 eb1581a0 netbios (deferred) eb280000 eb285520 PCIIDEX (deferred) eb288000 eb28f4c0 MountMgr (deferred) eb290000 eb296320 symc8xx (deferred) eb298000 eb29d180 sym_hi (deferred) eb2a0000 eb2a4080 cpqcissm (deferred) eb2a8000 eb2af720 disk (deferred) eb2d8000 eb2de900 CpqCiDrv (deferred) eb2e8000 eb2edec0 kbdclass (deferred) eb2f8000 eb2fd400 mouclass (deferred) eb310000 eb316580 fdc (deferred) eb318000 eb31c080 dump_cpqcissm (deferred) eb320000 eb326c40 cdrom (deferred) eb330000 eb335fc0 openhci (deferred) eb348000 eb34cfc0 USBD (deferred) eb368000 eb36f000 sysmgmt (deferred) eb370000 eb374400 ptilink (deferred) eb380000 eb3840e0 raspti (deferred) eb398000 eb39ca60 flpydisk (deferred) eb3a0000 eb3a49a0 regdrv (deferred) eb3a8000 eb3aea20 EFS (deferred) eb3b8000 eb3bc8c0 TDTCP (deferred) eb3c8000 eb3cd240 Msfs (deferred) eb3e8000 eb3efd00 wanarp (deferred) eb410000 eb412a20 BOOTVID (deferred) eb414000 eb416d00 PartMgr (deferred) eb418000 eb41bfe0 symc810 (deferred) eb41c000 eb41f360 cpqarry2 (deferred) eb500000 eb501d20 Diskperf (deferred) eb502000 eb503b80 dmload (deferred) eb50e000 eb50fca0 Fs_Rec (deferred) eb516000 eb517e40 rasacd (deferred) eb556000 eb557640 PDRFRAME (deferred) eb56e000 eb56fa60 uphcleanhlp (deferred) eb5c6000 eb5c71c0 ctxsmcdrv (deferred) eb5c8000 eb5c8f80 WMILIB (deferred) eb5c9000 eb5c9b00 pciide (deferred) eb5cf000 eb5cf900 VNLPciMap (deferred) eb5f4000 eb5f4e80 DamewareMini (deferred) eb5f7000 eb5f7a40 audstub (deferred) eb601000 eb601d80 swenum (deferred) eb616000 eb6169e0 Null (deferred) eb618000 eb618ee0 Beep (deferred) eb61b000 eb61bf80 mnmdd (deferred) eb753000 eb753b60 VNLMemReader (deferred) Unloaded modules: eb74a000 eb74b000 VNL1394.sys eb160000 eb169000 redbook.sys eb3b8000 eb3bd000 Cdaudio.SYS bbd5c000 bbd5f000 Sfloppy.SYS On Tue, Jun 30, 2009 at 7:24 PM, Ben Scott <mailvor...@gmail.com> wrote: > On Tue, Jun 30, 2009 at 12:27 PM, Brian Desmond<br...@briandesmond.com> > wrote: > > If you can enable Driver Verifier with Special Pool on this box and wait > for > > it to crash again, that would be great: > > I highly recommend this. I enabled Driver Verifier on a laptop that > was crashing and it hasn't crashed since. ;-) > > I think this is the same phenomenon that means if you carry an > umbrella with you, it won't rain. > > -- Ben > > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ > ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~