Sysinternals
Advanced system utilities to manage, troubleshoot, and diagnose Windows and Linux systems and applications.
1,091 questions
Sysmon 13.30 BSOD with Excel 365
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(76.8, 25%, 17%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECM%3C/text%3E%3C/svg%3E)
Chris Maiura
6
Reputation points
We have been having sporadic reports with our Windows 10 computers BSOD related to the sysmon driver and excel. This is behavior that was not there with Office 2016. The error shows chrome, but the user was copening an excel file downloaded internally.
- *
- Bugcheck Analysis *
- *
BAD_POOL_CALLER (c2)
The current thread is making a bad pool request. Typically this is at a bad IRQL level or double freeing the same allocation, etc.
Arguments:
Arg1: 000000000000000d, Attempt to release quota on a corrupted pool allocation.
Arg2: ffffb70284657620, Address of pool
Arg3: 00000000fffff804, Pool allocation's tag
Arg4: d043bb0a529e74d8, Quota process pointer (bad).
Debugging Details:
KEY_VALUES_STRING: 1
Key : Analysis.CPU.mSec
Value: 4046
Key : Analysis.DebugAnalysisManager
Value: Create
Key : Analysis.Elapsed.mSec
Value: 32538
Key : Analysis.Init.CPU.mSec
Value: 655
Key : Analysis.Init.Elapsed.mSec
Value: 3279
Key : Analysis.Memory.CommitPeak.Mb
Value: 78
Key : WER.OS.Branch
Value: vb_release
Key : WER.OS.Timestamp
Value: 2019-12-06T14:06:00Z
Key : WER.OS.Version
Value: 10.0.19041.1
FILE_IN_CAB: 121021-24484-01.dmp
BUGCHECK_CODE: c2
BUGCHECK_P1: d
BUGCHECK_P2: ffffb70284657620
BUGCHECK_P3: fffff804
BUGCHECK_P4: d043bb0a529e74d8
BLACKBOXBSD: 1 (!blackboxbsd)
BLACKBOXNTFS: 1 (!blackboxntfs)
BLACKBOXPNP: 1 (!blackboxpnp)
BLACKBOXWINLOGON: 1
CUSTOMER_CRASH_COUNT: 1
PROCESS_NAME: chrome.exe
STACK_TEXT:
ffffed867f796358 fffff8047783d460 : 00000000000000c2 000000000000000d ffffb70284657620 00000000fffff804 : nt!KeBugCheckEx
ffffed867f796360 fffff80477db2149 : 0000000000000010 0000000000040082 ffffed867f796468 0100000000100000 : nt!ExFreeHeapPool+0x1b43b0
ffffed867f796440 fffff8047d3a82bc : ffffed867f796570 0000000000000000 000000000000056a fffff80400000000 : nt!ExFreePool+0x9
ffffed867f796470 ffffed867f796570 : 0000000000000000 000000000000056a fffff80400000000 ffffed867f7964c4 : SysmonDrv+0x82bc
ffffed867f796478 0000000000000000 : 000000000000056a fffff80400000000 ffffed867f7964c4 ffffed867f796550 : 0xffffed86`7f796570
SYMBOL_NAME: SysmonDrv+82bc
MODULE_NAME: SysmonDrv
IMAGE_NAME: SysmonDrv.sys
STACK_COMMAND: .cxr; .ecxr ; kb
BUCKET_ID_FUNC_OFFSET: 82bc
FAILURE_BUCKET_ID: 0xc2_d_SysmonDrv!unknown_function
OS_VERSION: 10.0.19041.1
BUILDLAB_STR: vb_release
OSPLATFORM_TYPE: x64
OSNAME: Windows 10
FAILURE_ID_HASH: {7fed9f86-89f9-24bf-7bdf-bc0a6eb2fdea}
Followup: MachineOwner
Sysinternals
{count} vote
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(6.4, 22%, 10%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJ%3C/text%3E%3C/svg%3E)
JM 1 Reputation point2022-01-31T15:54:54.82+00:00 @Chris Maiura are you able to confirm the exact cause or steps for BSOD with sysmon 13.30? I did try to reproduce by opening an excel file in Office 2016 but no luck.
-
Chris Maiura 6 Reputation points
2022-02-02T16:01:24.33+00:00 Unfortunately I cannot reproduce it reliably on our computers. I have never experienced the problem. Some users have it on an xls, others on a csv and those same files will open fine for others. The latest debug is included below (after updating to the newest version of sysmon that was just released. This particular user opened the csv from outlook.
PROCESS_NAME: OUTLOOK.EXE
STACK_TEXT:
ffffd20c0bd3dbe8 fffff8007478e5b8 : : nt!KeBugCheckEx
ffffd20c0bd3dbf0 fffff8007478e618 : 0000000000000012 ffffd20c0bd3dd00 ffff9b0d7fc00100 ffffdd88e6f08220 : nt!RtlpHeapHandleError+0x40
ffffd20c0bd3dc30 fffff8007478e245 : ffff9b0d939a0000 ffff9b0d7fc00280 ffffdd8800000000 ffff9b0d7fc00280 : nt!RtlpHpHeapHandleError+0x58
ffffd20c0bd3dc60 fffff8007463d996 : ffffdd88dae3b080 fffff80074608cb5 ffffdd88ca40e100 0000000000000000 : nt!RtlpLogHeapFailure+0x45
ffffd20c0bd3dc90 fffff80074489554 : ffff9b0d00000000 ffffd20c0bd3df40 ffff9b0d93a0943a 0000000000000000 : nt!RtlpHpVsContextFree+0x1b2f56
ffffd20c0bd3dd30 fffff80074bb1149 : 000000000007cc00 0000000000040086 ffffd20c0bd3de38 0100000000100000 : nt!ExFreeHeapPool+0x4d4
ffffd20c0bd3de10 fffff80083f77a7d : 0000000000000000 ffffdd88d0a8cf10 ffffd20c0bd3df40 0000000000000000 : nt!ExFreePool+0x9
ffffd20c0bd3de40 0000000000000000 : ffffdd88d0a8cf10 ffffd20c0bd3df40 0000000000000000 ffffd20c00000054 : SysmonDrv+0x7a7d
SYMBOL_NAME: nt!ExFreePool+9
IMAGE_NAME: Pool_Corruption
Sign in to comment