Enabling Special Pool causes Daemon Tools to crash


  • Enabling Special Pool causes Daemon Tools to crash

    Operating System: Windows XP SP2
    Burning Software: Nero 6
    Anti-virus Software: Avast!
    DAEMON Tools Version: 3.47

    I've been having occasional random crashes while booting for a while now, so today I decided to track down the culprit. I followed Microsoft's instructions for enabling special pool and rebooted. I was quickly met with STOP code 0x000000C1 - SPECIAL_POOL_DETECTED_MEMORY_CORRUPTION, before the boot logo screen even appeared. I couldn't get any minidumps (sorry), so I hooked up my other machine with a null-modem cable and ran WinDbg on that and rebooted Windows with the /debug option.

    At the time of the crash, apparently during Stage 1 Initialization, the only non-Microsoft modules loaded were d347bus.sys, d347prt.sys, imagedrv.sys, imagesrv.sys, and pxhelp20.sys. I tried uninstalling Daemon Tools, but still got the memory corruption error. Then I disabled Nero ImageDrive, and was able to successfully boot into Windows with the special pool option enabled. I decided it must be ImageDrive that was the problem, so I tried reinstalling Daemon Tools and got STOP 0x000000C1 again toward the end of the installation. So I rebooted with special pool disabled. I had to manually remove the pieces left behind by the failed installation before the installer would let me install Daemon Tools again. After completing the installation, I re-enabled special pool before rebooting, and it crashed again just as before.

    So, I concluded that both Nero ImageDrive and Daemon Tools have buffer overruns that are revealed by the special pool. I found a Virtual CD-ROM Control Panel buried on Microsoft's site that doesn't crash with special pool and am using that for the time being.

  • #2
    We normally test the driver with all verifier options, and this problem did not occur. Can you also please tell us what ImageDrive version you use?



    • #3
      ImageDrive was the version included with the latest Nero 6.6.0.3 update. The driver files were version 2.27.0.0, I believe. I'm not sure because I even tried uninstalling Nero, so the files aren't even present on my system right now. If it helps, here's some analysis from the debugger at the time of the crash.

      If I have special pool enabled when I install Daemon Tools, I get this:
      Code:
      *** Fatal System Error: 0x000000c1
                             (0xA67D4FF8,0xA67D4FFF,0x00FD8007,0x00000024)
      
      Break instruction exception - code 80000003 (first chance)
      
      A fatal system error has occurred.
      Debugger entered on first try; Bugcheck callbacks have not been invoked.
      
      A fatal system error has occurred.
      
      Connected to Windows XP 2600 x86 compatible target, ptr64 FALSE
      Loading Kernel Symbols
      ..................................................
      Loading unloaded module list
      ..........
      Loading User Symbols
      *******************************************************************************
      *                                                                             *
      *                        Bugcheck Analysis                                    *
      *                                                                             *
      *******************************************************************************
      
      Use !analyze -v to get detailed debugging information.
      
      BugCheck C1, {a67d4ff8, a67d4fff, fd8007, 24}
      
      Probably caused by : memory_corruption ( nt!MmFreeSpecialPool+2e3 )
      
      Followup: MachineOwner
      ---------
      
      nt!RtlpBreakWithStatusInstruction:
      80526da8 cc               int     3
      kd> !analyze -v
      *******************************************************************************
      *                                                                             *
      *                        Bugcheck Analysis                                    *
      *                                                                             *
      *******************************************************************************
      
      SPECIAL_POOL_DETECTED_MEMORY_CORRUPTION (c1)
      Special pool has detected memory corruption.  Typically the current thread's
      stack backtrace will reveal the guilty party.
      Arguments:
      Arg1: a67d4ff8, address trying to free
      Arg2: a67d4fff, address where bits are corrupted
      Arg3: 00fd8007, (reserved)
      Arg4: 00000024, caller is freeing an address where bytes after the end of the allocation have been overwritten
      
      Debugging Details:
      ------------------
      
      
      BUGCHECK_STR:  0xC1_24
      
      SPECIAL_POOL_CORRUPTION_TYPE:  24
      
      DEFAULT_BUCKET_ID:  DRIVER_FAULT
      
      LAST_CONTROL_TRANSFER:  from 804f780d to 80526da8
      
      STACK_TEXT:  
      f7a635d0 804f780d 00000003 f7a6392c 00000000 nt!RtlpBreakWithStatusInstruction
      f7a6361c 804f83fa 00000003 c0533ea0 00000007 nt!KiBugCheckDebugBreak+0x19
      f7a639fc 804f8925 000000c1 a67d4ff8 a67d4fff nt!KeBugCheck2+0x574
      f7a63a1c 80660325 000000c1 a67d4ff8 a67d4fff nt!KeBugCheckEx+0x1b
      f7a63a68 80543a30 a67d4ff8 8586c2b0 00000001 nt!MmFreeSpecialPool+0x2e3
      f7a63aa8 804f4bbb a67d4ff8 00000000 00000001 nt!ExFreePoolWithTag+0x4a
      f7a63ac8 80586563 00000000 85a7daf8 8586c2b0 nt!PipEnumerateCompleted+0xcf
      f7a63d1c 805869f4 8586c2b0 00000001 00000000 nt!PipProcessDevNodeTree+0x2a9
      f7a63d4c 804f5590 00000003 80551240 8055a1fc nt!PiRestartDevice+0x80
      f7a63d74 80533dd0 00000000 00000000 8751ada8 nt!PipDeviceActionWorker+0x15e
      f7a63dac 805c4a28 00000000 00000000 00000000 nt!ExpWorkerThread+0x100
      f7a63ddc 80540fa2 80533cd0 00000001 00000000 nt!PspSystemThreadStartup+0x34
      00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16
      
      
      FOLLOWUP_IP: 
      nt!MmFreeSpecialPool+2e3
      80660325 8b4708           mov     eax,[edi+0x8]
      
      SYMBOL_STACK_INDEX:  4
      
      FOLLOWUP_NAME:  MachineOwner
      
      SYMBOL_NAME:  nt!MmFreeSpecialPool+2e3
      
      MODULE_NAME:  nt
      
      DEBUG_FLR_IMAGE_TIMESTAMP:  41107b0c
      
      STACK_COMMAND:  kb
      
      IMAGE_NAME:  memory_corruption
      
      BUCKET_ID:  0xC1_24_nt!MmFreeSpecialPool+2e3
      
      Followup: MachineOwner
      ---------
      If I turn off special pool, I can install Daemon Tools fine, but this is what I get the next time I boot with special pool enabled:
      Code:
      Connected to Windows XP 2600 x86 compatible target, ptr64 FALSE
      Kernel Debugger connection established.
      Symbol search path is: SRV**http://msdl.microsoft.com/download/symbols
      Executable search path is: 
      Windows XP Kernel Version 2600 UP Free x86 compatible
      Built by: 2600.xpsp_sp2_rtm.040803-2158
      Kernel base = 0x804d7000 PsLoadedModuleList = 0x805531a0
      System Uptime: not available
      Symbol search path is: SRV**http://msdl.microsoft.com/download/symbols
      
      *** Fatal System Error: 0x000000c1
                             (0x886D6FF8,0x886D6FFF,0x004D8007,0x00000024)
      
      Break instruction exception - code 80000003 (first chance)
      
      A fatal system error has occurred.
      Debugger entered on first try; Bugcheck callbacks have not been invoked.
      
      A fatal system error has occurred.
      
      Connected to Windows XP 2600 x86 compatible target, ptr64 FALSE
      Loading Kernel Symbols
      .............................
      Loading unloaded module list
      
      Loading User Symbols
      *******************************************************************************
      *                                                                             *
      *                        Bugcheck Analysis                                    *
      *                                                                             *
      *******************************************************************************
      
      Use !analyze -v to get detailed debugging information.
      
      BugCheck C1, {886d6ff8, 886d6fff, 4d8007, 24}
      
      Probably caused by : memory_corruption ( nt!MmFreeSpecialPool+2e3 )
      
      Followup: MachineOwner
      ---------
      
      nt!RtlpBreakWithStatusInstruction:
      80526da8 cc               int     3
      kd> !analyze -v
      *******************************************************************************
      *                                                                             *
      *                        Bugcheck Analysis                                    *
      *                                                                             *
      *******************************************************************************
      
      SPECIAL_POOL_DETECTED_MEMORY_CORRUPTION (c1)
      Special pool has detected memory corruption.  Typically the current thread's
      stack backtrace will reveal the guilty party.
      Arguments:
      Arg1: 886d6ff8, address trying to free
      Arg2: 886d6fff, address where bits are corrupted
      Arg3: 004d8007, (reserved)
      Arg4: 00000024, caller is freeing an address where bytes after the end of the allocation have been overwritten
      
      Debugging Details:
      ------------------
      
      
      BUGCHECK_STR:  0xC1_24
      
      SPECIAL_POOL_CORRUPTION_TYPE:  24
      
      DEFAULT_BUCKET_ID:  DRIVER_FAULT
      
      LAST_CONTROL_TRANSFER:  from 804f780d to 80526da8
      
      STACK_TEXT:  
      f7a36e88 804f780d 00000003 f7a371e4 00000000 nt!RtlpBreakWithStatusInstruction
      f7a36ed4 804f83fa 00000003 c04436b0 00000007 nt!KiBugCheckDebugBreak+0x19
      f7a372b4 804f8925 000000c1 886d6ff8 886d6fff nt!KeBugCheck2+0x574
      f7a372d4 80660325 000000c1 886d6ff8 886d6fff nt!KeBugCheckEx+0x1b
      f7a37320 80543a30 886d6ff8 8818aee8 00000001 nt!MmFreeSpecialPool+0x2e3
      f7a37360 804f4bbb 886d6ff8 00000000 00000001 nt!ExFreePoolWithTag+0x4a
      f7a37380 80586563 00000000 00000000 00000000 nt!PipEnumerateCompleted+0xcf
      f7a375d4 804f54d5 87f72ee8 00000000 00000000 nt!PipProcessDevNodeTree+0x2a9
      f7a37618 804f5765 00000000 00000000 88340fe0 nt!PipDeviceActionWorker+0xa3
      f7a37630 80688bc2 00000000 00000006 00000000 nt!PipRequestDeviceAction+0x107
      f7a37694 80685a48 80087000 f7a376b0 00034000 nt!IopInitializeBootDrivers+0x376
      f7a3783c 80683edd 80087000 00000000 87520da8 nt!IoInitSystem+0x712
      f7a37dac 805c4a28 80087000 00000000 00000000 nt!Phase1Initialization+0x9b5
      f7a37ddc 80540fa2 80683528 80087000 00000000 nt!PspSystemThreadStartup+0x34
      00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16
      
      
      FOLLOWUP_IP: 
      nt!MmFreeSpecialPool+2e3
      80660325 8b4708           mov     eax,[edi+0x8]
      
      SYMBOL_STACK_INDEX:  4
      
      FOLLOWUP_NAME:  MachineOwner
      
      SYMBOL_NAME:  nt!MmFreeSpecialPool+2e3
      
      MODULE_NAME:  nt
      
      DEBUG_FLR_IMAGE_TIMESTAMP:  41107b0c
      
      STACK_COMMAND:  kb
      
      IMAGE_NAME:  memory_corruption
      
      BUCKET_ID:  0xC1_24_nt!MmFreeSpecialPool+2e3
      
      Followup: MachineOwner
      ---------
      
      kd> lm t n
      start    end        module name
      804d7000 806cd280   nt       ntkrnlpa.exe Wed Aug 04 00:58:36 2004 (41107B0C)
      806ce000 806ee380   hal      halaacpi.dll Wed Aug 04 00:59:05 2004 (41107B29)
      bad0c000 bad26580   Mup      Mup.sys      Wed Aug 04 01:15:20 2004 (41107EF8)
      bad27000 bad53a80   NDIS     NDIS.sys     Wed Aug 04 01:14:27 2004 (41107EC3)
      bad54000 bade0480   Ntfs     Ntfs.sys     Wed Aug 04 01:15:06 2004 (41107EEA)
      bade1000 badf7780   KSecDD   KSecDD.sys   Wed Aug 04 00:59:45 2004 (41107B51)
      badf8000 bae09f00   sr       sr.sys       Wed Aug 04 01:06:22 2004 (41107CDE)
      bae0a000 bae28780   fltmgr   fltmgr.sys   Wed Aug 04 01:01:17 2004 (41107BAD)
      bae29000 bae40800   SCSIPORT SCSIPORT.SYS Wed Aug 04 00:59:39 2004 (41107B4B)
      bae41000 bae54600   nvatabus nvatabus.sys Thu Jun 03 12:40:44 2004 (40BF629C)
      bae55000 bae7a700   dmio     dmio.sys     Wed Aug 04 01:07:13 2004 (41107D11)
      bae7b000 bae99880   ftdisk   ftdisk.sys   Fri Aug 17 15:52:41 2001 (3B7D8419)
      bae9a000 baeaaa80   pci      pci.sys      Wed Aug 04 01:07:45 2004 (41107D31)
      baeab000 baed8d80   ACPI     ACPI.sys     Wed Aug 04 01:07:35 2004 (41107D27)
      baed9000 baefee00   d347bus  d347bus.sys  Sun Aug 22 08:31:09 2004 (4128A01D)
      f761c000 f7624c00   isapnp   isapnp.sys   Fri Aug 17 15:58:01 2001 (3B7D8559)
      f762c000 f763ae80   ohci1394 ohci1394.sys Wed Aug 04 01:10:05 2004 (41107DBD)
      f763c000 f7649000   1394BUS  1394BUS.SYS  Wed Aug 04 01:10:03 2004 (41107DBB)
      f764c000 f7656500   MountMgr MountMgr.sys Wed Aug 04 00:58:29 2004 (41107B05)
      f765c000 f7668c80   VolSnap  VolSnap.sys  Wed Aug 04 01:00:14 2004 (41107B6E)
      f766c000 f7674e00   disk     disk.sys     Wed Aug 04 00:59:53 2004 (41107B59)
      f767c000 f7688200   CLASSPNP CLASSPNP.SYS Wed Aug 04 01:14:26 2004 (41107EC2)
      f789c000 f78a0900   PartMgr  PartMgr.sys  Fri Aug 17 20:32:23 2001 (3B7DC5A7)
      f78a4000 f78a8bc0   PxHelp20 PxHelp20.sys Tue Oct 28 12:25:49 2003 (3F9EB4AD)
      f78ac000 f78b1280   nv_agp   nv_agp.sys   Wed Oct 29 14:58:11 2003 (3FA029E3)
      f7a2c000 f7a2f000   BOOTVID  BOOTVID.dll  Fri Aug 17 15:49:09 2001 (3B7D8345)
      f7b1c000 f7b1db80   kdcom    kdcom.dll    Fri Aug 17 15:49:10 2001 (3B7D8346)
      f7b1e000 f7b1f100   WMILIB   WMILIB.SYS   Fri Aug 17 16:07:23 2001 (3B7D878B)
      f7b20000 f7b21700   dmload   dmload.sys   Fri Aug 17 15:58:15 2001 (3B7D8567)
      f7b22000 f7b23480   d347prt  d347prt.sys  Sun Aug 22 08:31:48 2004 (4128A044)
      I noticed I was loading ntkrnlpa.exe, so I tried adding /kernel=ntoskrnl.exe to my boot options to force the other version of the NT kernel to load, but that didn't help any.

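Added example (not part of the thread, and not code from any driver named in it): a user-mode C model of why both dumps above show Arg1 ending in ff8 and Arg2 ending in fff. It assumes the documented special-pool behaviour of placing an 8-byte-aligned allocation at the end of a page and checking the leftover bytes when the block is freed; the struct, function names, fill value and 7-byte request size are constructed for illustration.

```c
#include <stdint.h>
#include <string.h>

#define PAGE  4096u   /* x86 page size */
#define ALIGN 8u      /* pool allocations are 8-byte aligned */
#define FILL  0xA5u   /* constructed slack pattern, not the kernel's */

/* User-mode model of one special-pool page (hypothetical names). */
typedef struct {
    uint8_t page[PAGE]; /* the guard page would follow page[PAGE-1] */
    size_t  off;        /* page offset of the pointer handed out */
    size_t  size;       /* bytes the caller asked for */
} sp_block;

/* Place the request at the end of the page, rounded up to ALIGN. */
uint8_t *sp_alloc(sp_block *b, size_t size) {
    if (size == 0 || size > PAGE) return NULL;
    size_t rounded = (size + ALIGN - 1) & ~(size_t)(ALIGN - 1);
    memset(b->page, FILL, PAGE);
    b->off  = PAGE - rounded;
    b->size = size;
    return b->page + b->off;
}

/* On free, verify the slack between the request's end and the page's end.
 * Returns the page offset of the first damaged byte, or -1 if intact. */
long sp_free(const sp_block *b) {
    for (size_t i = b->off + b->size; i < PAGE; i++)
        if (b->page[i] != FILL) return (long)i;
    return -1;
}

/* Constructed case: a 7-byte buffer receives a 7-character string plus
 * its terminating NUL. The 8th byte lands in the slack, not the guard
 * page, so nothing faults at the write; the damage surfaces at free. */
int demo(size_t *alloc_off, long *bad_off) {
    sp_block b;
    uint8_t *p = sp_alloc(&b, 7);
    if (!p) return -1;
    memcpy(p, "ABCDEFG", 8);      /* one byte too many */
    *alloc_off = b.off;           /* 0xff8, like Arg1's low 12 bits */
    *bad_off   = sp_free(&b);     /* 0xfff, like Arg2's low 12 bits */
    return 0;
}
```

Because the check only runs at free time, the stack in the dump (nt!PipEnumerateCompleted calling ExFreePoolWithTag) identifies the code that freed the block, which is not necessarily the code that wrote past its end.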


      • #4
        Try to completely remove pxhelp20.sys from the list of filters in the registry and check what happens.



        • #5
          Okay, I tried removing pxhelp20, but it made no difference. The special pool still detects memory corruption.



          • #6
            Update: Not only did removing pxhelp20 not help, but it also hid my burners from Windows. They showed up in device viewer but not in the disk management console.



            • #7
              If you remove only the file, all your CD-ROMs will stop working because the filter will fail to load - you need to remove it in the registry.



              • #8
                That's what I did. I removed it from the registry but left the file around.
