Windows System Blue Screen Crash (BSOD) with BugCheck C2, {44, 0, 80000000, 0}

Article:TECH144915  |  Created: 2010-11-24  |  Updated: 2010-12-15  |  Article URL http://www.symantec.com/docs/TECH144915
Article Type
Technical Solution


Issue



You have Symantec Endpoint Protection 11.x (SEP) or Symantec AntiVirus Corporate Edition 10.x (SAV) installed on a Windows Server or Workstation. When the system is under heavy load, it may crash with a so-called Blue Screen of Death (BSOD), and the reported BugCheck is C2, {44, 0, 80000000, 0}.


Error



If the system is not configured to create a memory dump file, you may see the following Events in the Windows Event Viewer:

System Error 1003 Error code 000000c2, parameter1 00000044, parameter2 00000000, parameter3 80000000, parameter4 00000000

If you have a memory dump file and the ability to analyze it with Debugging Tools for Windows, you may see data similar to the following:

BAD_POOL_CALLER (c2)

The current thread is making a bad pool request.  Typically this is at a bad IRQL level or double freeing the same allocation, etc.

Arguments:

Arg1: 00000044, Attempt to free a non-allocated nonpaged pool address

Arg2: 00000000, Starting address

Arg3: 80000000, (reserved)

Arg4: 00000000, 0

Debugging Details:

------------------

FAULTING_IP: 

SRTSP!

 

STACK_TEXT:  

b8e7e884 8085c453 000000c2 00000044 00000000 nt!KeBugCheckEx+0x1b

b8e7e8b0 80892541 00000000 00000000 e17d5368 nt!MmGetSizeOfBigPoolAllocation+0x203

b8e7e908 b7007eb1 20474942 00000000 b8e7e940 nt!ExFreePoolWithTag+0x1fd

b8e7e918 b6582a33 00000000 00000000 00000000 SRTSP!

b8e7e928 b65829fb 00000001 e17d5368 b8e7e974 NAVEX15!

b8e7e940 b6582fb7 b6670bc0 e1d0c008 e5a41008 NAVEX15!

b8e7e95c b6587133 b8e7e974 e23d3c98 00000000 NAVEX15!

b8e7e9a0 b6586ebf e17d5368 b6670bc0 00000000 NAVEX15!

b8e7e9e8 b6555fb3 b6670bc0 e5a418b8 e5a41008 NAVEX15!

b8e7ea0c b654756a b6670bc0 00000001 e5a41008 NAVEX15!

b8e7ea38 b65476a9 e1d634c0 e55d08e4 e14d6ec8 NAVEX15!

b8e7ea64 b65476f1 00000001 b65294c8 e55d08e4 NAVEX15!

b8e7ea7c b6feb302 b7026858 00000000 b65294c8 NAVEX15!

b8e7ea9c b70096db ef2063d0 00000000 e55d08e4 SRTSP!

b8e7eac8 b700695a e14b3ea0 00000003 ef2063d0 SRTSP!

b8e7eaf8 b6ff64b0 ea9ceae0 e84818d8 00000003 SRTSP!

b8e7eb60 b6ff6f80 b868cfc6 e291c7b8 00000000 SRTSP!

b8e7ebb4 b700126b 84cd3550 b8e7ec04 b8e7ebd8 SRTSP!

b8e7ebc4 b7001a22 00000010 b8e7ec04 86cd8428 SRTSP!

b8e7ebd8 b701c955 86cd8450 00000010 b8e7ec04 SRTSP!

b8e7ec08 b701cb00 b8e7ec1c 84cd34e0 b6fee434 SRTSP!

b8e7ec20 b701c6f3 890238b8 b8e7ec3c b6ffea8c SRTSP!

b8e7ec2c b6ffea8c 88277030 84cd34e0 b8e7ec50 SRTSP!

b8e7ec3c 8081df85 88277030 84cd34e0 882e2f90 SRTSP!

b8e7ec50 808f5511 84cd3550 882e2f90 84cd34e0 nt!IofCallDriver+0x45

b8e7ec64 808f6299 88277030 84cd34e0 882e2f90 nt!IopSynchronousServiceTail+0x10b

b8e7ed00 808eede2 00000690 00000000 00000000 nt!IopXxxControlFile+0x5e5

b8e7ed34 808897cc 00000690 00000000 00000000 nt!NtDeviceIoControlFile+0x2a

b8e7ed34 7c82860c 00000690 00000000 00000000 nt!KiFastCallEntry+0xfc

WARNING: Frame IP not in any known module. Following frames may be wrong.

0163fd60 00000000 00000000 00000000 00000000 0x7c82860c

Additional issue identifiers include:

Paged Pool allocation failures:

kd> !vm

 

*** Virtual Memory Usage ***

 

********** 11858 pool allocations have failed **********

Finally, the largest Paged Pool consumer will be Microsoft's memory allocation pool tag:

 kd> !poolused 4

   Sorting by  Paged Pool Consumed

 Pool Used:

            NonPaged            Paged

 Tag    Allocs     Used    Allocs     Used

 MmSt        0        0     17475 179623336 Mm section object prototype ptes , Binary: nt!mm


Cause



Limited Paged Pool resources in combination with an identified AVEngine component may cause these crashes when the system is under heavy load.


Solution



The AVEngine with the fix included was released for SEP 11 on December 9. Definitions dated 20101208.036 or later contain this updated AVEngine.

These AVEngine updates occur periodically - typically once a quarter - and are distributed automatically via a Virus Definition update. No other specific action is required.

To check whether your SEP or SAV client has been updated automatically to the AVEngine in question, verify the file version of the following files:

 

32-bit AVEngine File Versions
NAVEX15.SYS 20101.3.0.103
NAVENG32.DLL 20101.3.0.103

 

64-bit AVEngine File Versions

ex64.sys 20101.3.0.103
eng64.sys 20101.3.0.103

The Definitions for SAV 10 are expected to be available on December 10. 

As a temporary workaround, you can modify the system's Paged Pool memory settings as documented on support.microsoft.com/kb/312362.
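The Event 1003 text and the fixed AVEngine file version given above can be combined into a simple triage check across several machines. The following Python is an added example, not Symantec's code; the host names, the inventory layout and the older version strings are constructed sample data.

```python
import re

# Signature from this article: BugCheck C2, {44, 0, 80000000, 0}
SIGNATURE = (0xC2, (0x44, 0x0, 0x80000000, 0x0))
# AVEngine file version that this article lists as containing the fix
FIXED_ENGINE = (20101, 3, 0, 103)

_EVENT_RE = re.compile(
    r"Error code\s+([0-9a-f]+)"
    + "".join(rf"\s*,\s*parameter{i}\s+([0-9a-f]+)" for i in range(1, 5)),
    re.IGNORECASE,
)

def parse_bugcheck(event_text):
    """Return (code, (p1, p2, p3, p4)) as ints, or None if no bugcheck record is present."""
    m = _EVENT_RE.search(event_text)
    if m is None:
        return None
    code, *params = (int(g, 16) for g in m.groups())
    return code, tuple(params)

def matches_signature(event_text):
    """True only for C2 with exactly the parameters described in this article."""
    return parse_bugcheck(event_text) == SIGNATURE

def engine_is_fixed(file_version):
    """True if a dotted four-part file version is at or above the fixed AVEngine."""
    try:
        parts = tuple(int(p) for p in file_version.strip().split("."))
    except ValueError:
        return False  # empty or malformed version: treat as not fixed
    return len(parts) == 4 and parts >= FIXED_ENGINE

def triage(hosts):
    """hosts maps name -> (event texts, engine version); return hosts still exposed."""
    return sorted(
        name for name, (events, version) in hosts.items()
        if any(matches_signature(e) for e in events) and not engine_is_fixed(version)
    )

# Constructed sample inventory (host names and older versions are made up)
_HIT = ("System Error 1003 Error code 000000c2, parameter1 00000044, "
        "parameter2 00000000, parameter3 80000000, parameter4 00000000")
_OTHER_C2 = _HIT.replace("parameter1 00000044", "parameter1 00000007")
SAMPLE = {
    "srv-a": ([_HIT], "20101.2.0.14"),       # crashed, old engine -> flagged
    "srv-b": ([_OTHER_C2], "20101.2.0.14"),  # different C2 cause -> ignored
    "srv-c": ([_HIT], "20101.3.0.103"),      # crashed before update, now fixed
    "srv-d": ([_OTHER_C2, _HIT], ""),        # version unknown -> flagged
}
```

A host is reported only when it both logged this exact bugcheck and has no confirmed fixed engine version, so other BAD_POOL_CALLER causes are not attributed to this issue.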



