Bug Check Server 2012 R2

Question

Hi,
I had a bug check on a 2012R2 How can i found the driver that is involved ?

Answer 1

---

• *
• Bugcheck Analysis *
• *

  ---

BAD_POOL_CALLER (c2)
The current thread is making a bad pool request. Typically this is at a bad IRQL level or double freeing the same allocation, etc.
Arguments:
Arg1: 0000000000000007, Attempt to free pool which was already freed
Arg2: 0000000000001200, Pool tag value from the pool header
Arg3: 0000000004070010, Contents of the first 4 bytes of the pool header
Arg4: ffffe0001dae3f50, Address of the block of pool being deallocated

Debugging Details:

---

KEY_VALUES_STRING: 1

Key  : Analysis.CPU.mSec
Value: 4952

Key  : Analysis.DebugAnalysisManager
Value: Create

Key  : Analysis.Elapsed.mSec
Value: 6579

Key  : Analysis.Init.CPU.mSec
Value: 1140

Key  : Analysis.Init.Elapsed.mSec
Value: 271828

Key  : Analysis.Memory.CommitPeak.Mb
Value: 66

Key  : WER.OS.Branch
Value: winblue_ltsb_escrow

Key  : WER.OS.Timestamp
Value: 2021-03-31T16:13:00Z

Key  : WER.OS.Version
Value: 8.1.9600.19994

VIRTUAL_MACHINE: VMware

BUGCHECK_CODE: c2

BUGCHECK_P1: 7

BUGCHECK_P2: 1200

BUGCHECK_P3: 4070010

BUGCHECK_P4: ffffe0001dae3f50

POOL_ADDRESS: ffffe0001dae3f50 Nonpaged pool

FREED_POOL_TAG: VNet

PROCESS_NAME: System

STACK_TEXT:
ffffd00027922928 fffff800e508db68 : 00000000000000c2 0000000000000007 0000000000001200 0000000004070010 : nt!KeBugCheckEx
ffffd00027922930 fffff8007acf15cc : fffff800e509e480 ffffe0001dae3f50 ffffaa1800000000 ffffe00000000007 : nt!ExFreePoolWithTag+0xb68
ffffd000279229d0 fffff8007acf1634 : 0000000000027df5 fffff8007acf5200 ffffe0001dae3f50 00000000000659e3 : vnetWFP+0x35cc
ffffd00027922a00 fffff8007acf017f : 0000000000027df5 0000000000000000 00000000000659e3 ffffe0001e4218d0 : vnetWFP+0x3634
ffffd00027922a30 fffff8007acf0696 : fffff800e509e480 fffff8007acf4ed0 0000000000000000 fffff80000000006 : vnetWFP+0x217f
ffffd00027922a60 fffff800e4e6e410 : ffffe0001d8e9690 fffff8007a5ec1ac 0000000000000000 0000000000000000 : vnetWFP+0x2696
ffffd00027922ae0 fffff800e4e6d5bf : fffff800e51c0500 fffff800e4e6e390 ffffe000301144c0 0000000000000000 : nt!IopProcessWorkItem+0x80
ffffd00027922b50 fffff800e4ec393e : 0000000000000000 ffffd001579d3180 0000000000000080 ffffe00019e33840 : nt!ExpWorkerThread+0x69f
ffffd00027922c00 fffff800e4f47f66 : ffffd001579d3180 ffffe000301144c0 ffffe00019f3d040 ffffe00019f3d000 : nt!PspSystemThreadStartup+0x18a
ffffd00027922c60 0000000000000000 : ffffd00027923000 ffffd0002791d000 0000000000000000 0000000000000000 : nt!KiStartSystemThread+0x16

SYMBOL_NAME: vnetWFP+35cc

MODULE_NAME: vnetWFP

IMAGE_NAME: vnetWFP.sys

STACK_COMMAND: .thread ; .cxr ; kb

BUCKET_ID_FUNC_OFFSET: 35cc

FAILURE_BUCKET_ID: 0xc2_7_VNet_vnetWFP!unknown_function

OS_VERSION: 8.1.9600.19994

BUILDLAB_STR: winblue_ltsb_escrow

OSPLATFORM_TYPE: x64

OSNAME: Windows 8.1

FAILURE_ID_HASH: {37f13964-1f3e-141f-898f-73552c705edc}

Followup: MachineOwner

Answer 2

@Stephane Mayer
Hi,
Bug Check 0xC2: BAD_POOL_CALLER
https://learn.microsoft.com/en-us/windows-hardware/drivers/debugger/bug-check-0xc2--bad-pool-caller

To track down the specific problem driver, you’ll need to run Driver Verifier, an application included with Windows.
For more information, see Driver Verifier:
https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/driver-verifier

1. Remember only to use it when you've exhausted ALL other options for diagnosing a blue screen error.
2. It's advisable to not use it in safe mode because Windows doesn't load all drivers when in safe mode.
3. We strongly suggest creating a Restore Point and backing-up important data in case things go south.
4. Ensure you have administrator privileges before running the utility.

There is also a simpler solution is to revert to a previous configuration of your PC:
https://support.microsoft.com/en-us/windows/fix-error-0xc2-bad-pool-caller-15ec7543-3c71-fe98-1917-436f694cae47

Hope above information can help you.

============================================

If the Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread

Answer 3

Can you uninstall or uninstall and reinstall VMWare software then reevaluate?

Plan significant downtime while using Windows Driver Verifier (WDV).

The tool is restarted after each BSOD to test for additional misbehaving drivers.

Learn the reset and bootmode commands to turn off the tool and to return to the desktop.

These tutorials may be useful:

https://www.tenforums.com/tutorials/5470-enable-disable-driver-verifier-windows-10-a.html
https://answers.microsoft.com/en-us/windows/forum/windows_10-update/driver-verifier-tracking-down-a-mis-behaving/f5cb4faf-556b-4b6d-95b3-c48669e4c983
https://www.tenforums.com/tutorials/2304-boot-into-safe-mode-windows-10-a.html
https://www.tenforums.com/tutorials/4588-system-restore-windows-10-a.html
https://www.tenforums.com/tutorials/4571-create-system-restore-point-windows-10-a.html

Run the V2 log collector > post a share link

https://www.windowsq.com/resources/v2-log-collector.8/
https://www.tenforums.com/bsod-crashes-debugging/2198-bsod-posting-instructions.html

.
.
.
.
.

Please remember to vote and to mark the replies as answers if they help.

On the bottom of each post there is:

Propose as answer = answered the question

On the left side of each post: Vote = a helpful post
.
.
.
.
.

Answer 4

Hi,
i've updated the hardware version (vmware) of the VM. Was 8, now it's 15. I also installed the latest windows update and the CU21 (Exch2016). We had a new dump this morning :
The faulty driver is not the same, but still belonging to VMware tools.

1: kd> !analyze -v

---

• *
• Bugcheck Analysis *
• *

  ---

SYSTEM_THREAD_EXCEPTION_NOT_HANDLED (7e)
This is a very common BugCheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Arguments:
Arg1: ffffffffc0000005, The exception code that was not handled
Arg2: fffff800054f2b7d, The address that the exception occurred at
Arg3: ffffd000262f77c8, Exception Record Address
Arg4: ffffd000262f6fe0, Context Record Address

Debugging Details:

---

Unable to load image \SystemRoot\system32\DRIVERS\vnetWFP.sys, Win32 error 0n2

KEY_VALUES_STRING: 1

Key  : AV.Fault
Value: Read

Key  : Analysis.CPU.mSec
Value: 2327

Key  : Analysis.DebugAnalysisManager
Value: Create

Key  : Analysis.Elapsed.mSec
Value: 4932

Key  : Analysis.Init.CPU.mSec
Value: 671

Key  : Analysis.Init.Elapsed.mSec
Value: 2821

Key  : Analysis.Memory.CommitPeak.Mb
Value: 70

Key  : WER.OS.Branch
Value: winblue_ltsb_escrow

Key  : WER.OS.Timestamp
Value: 2021-06-16T17:39:00Z

Key  : WER.OS.Version
Value: 8.1.9600.20065

VIRTUAL_MACHINE: VMware

BUGCHECK_CODE: 7e

BUGCHECK_P1: ffffffffc0000005

BUGCHECK_P2: fffff800054f2b7d

BUGCHECK_P3: ffffd000262f77c8

BUGCHECK_P4: ffffd000262f6fe0

EXCEPTION_RECORD: ffffd000262f77c8 -- (.exr 0xffffd000262f77c8)
ExceptionAddress: fffff800054f2b7d (vsepflt+0x000000000000eb7d)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 0000000000000000
Parameter[1]: 000000010006005c
Attempt to read from address 000000010006005c

CONTEXT: ffffd000262f6fe0 -- (.cxr 0xffffd000262f6fe0)
rax=0000000100060000 rbx=ffffe000e3e84f10 rcx=0000000000000010
rdx=fffff80005512050 rsi=0000000000000000 rdi=0000000000000010
rip=fffff800054f2b7d rsp=ffffd000262f7a00 rbp=0000000000000000
r8=ffffe000e3e84f58 r9=0000000000000000 r10=0000000000000003
r11=ffffd000262f79f8 r12=fffff8025091d480 r13=ffffe000e2ff61c0
r14=00000000ffffe000 r15=0000000000000002
iopl=0 nv up ei pl nz na po nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00010206
vsepflt+0xeb7d:
fffff800054f2b7d 440fb7405c movzx r8d,word ptr [rax+5Ch] ds:002b:000000010006005c=????
Resetting default scope

PROCESS_NAME: System

READ_ADDRESS: 000000010006005c

ERROR_CODE: (NTSTATUS) 0xc0000005 - L'instruction 0x%p emploie l'adresse m moire 0x%p. L' tat de la m moire ne peut pas tre %s.

EXCEPTION_CODE_STR: c0000005

EXCEPTION_PARAMETER1: 0000000000000000

EXCEPTION_PARAMETER2: 000000010006005c

EXCEPTION_STR: 0xc0000005

STACK_TEXT:
ffffd000262f7a00 fffff800054f2762 : ffffe000e3e84f10 fffff800055122d0 00000000000c1176 0000000000000000 : vsepflt+0xeb7d
ffffd000262f7a30 fffff80006338532 : ffffe000e3fc10f0 ffffe000f1b99140 0000000000000000 0000000000000000 : vsepflt+0xe762
ffffd000262f7a60 fffff802506e37e4 : ffffe000df62bcd0 ffffe000dd7a98e0 0000000000000000 ffffd000262f7b10 : vnetWFP+0x2532
ffffd000262f7ae0 fffff802506e334f : 0000000000000000 fffff802506e3764 ffffe000e2ff61c0 ffffe000de6f2e40 : nt!IopProcessWorkItem+0x80
ffffd000262f7b50 fffff80250751bae : ffffe00000000000 ffffd000d73e9180 0000000000000080 ffffe000dc02a480 : nt!ExpWorkerThread+0x69f
ffffd000262f7c00 fffff802507c7666 : ffffd000d73e9180 ffffe000e2ff61c0 ffffe000f8abf040 ffffd0002abd2770 : nt!PspSystemThreadStartup+0x18a
ffffd000262f7c60 0000000000000000 : ffffd000262f8000 ffffd000262f2000 0000000000000000 0000000000000000 : nt!KiStartSystemThread+0x16

SYMBOL_NAME: vsepflt+eb7d

MODULE_NAME: vsepflt

IMAGE_NAME: vsepflt.sys

STACK_COMMAND: .cxr 0xffffd000262f6fe0 ; kb

BUCKET_ID_FUNC_OFFSET: eb7d

FAILURE_BUCKET_ID: AV_vsepflt!unknown_function

OS_VERSION: 8.1.9600.20065

BUILDLAB_STR: winblue_ltsb_escrow

OSPLATFORM_TYPE: x64

OSNAME: Windows 8.1

FAILURE_ID_HASH: {c13bc55f-f0e5-ed3d-0c0d-0f4115ea2f82}

Followup: MachineOwner

Answer 5

When available please post V2 results from the earlier post.

https://www.windowsq.com/resources/v2-log-collector.8/
https://www.tenforums.com/bsod-crashes-debugging/2198-bsod-posting-instructions.html
https://www.elevenforum.com/t/bsod-posting-instructions.103/

Which non-Microsoft antivirus and / or firewall were / are installed?

.
.
.
.
.

Please remember to vote and to mark the replies as answers if they help.

On the bottom of each post there is:

Propose as answer = answered the question

On the left side of each post: Vote = a helpful post
.
.
.
.
.