ntkrnlmp.exe causes windows2012R2 restart

Question

27: kd> !analyze -v

---

• *
• Bugcheck Analysis *
• *

  ---

BAD_POOL_HEADER (19)
The pool is already corrupt at the time of the current request.
This may or may not be due to the caller.
The internal pool links must be walked to figure out a possible cause of
the problem, and then special pool applied to the suspect tags or the driver
verifier to a suspect driver.
Arguments:
Arg1: 0000000000000003, the pool freelist is corrupt.
Arg2: ffffc0006c5d1de0, the pool entry being checked.
Arg3: ffffbffe6c5d1de0, the read back flink freelist value (should be the same as 2).
Arg4: ffffc0006c5d1de0, the read back blink freelist value (should be the same as 2).

Debugging Details:

---

GetUlongPtrFromAddress: unable to read from fffff803e1965308

KEY_VALUES_STRING: 1

Key  : Analysis.CPU.mSec
Value: 2124

Key  : Analysis.DebugAnalysisManager
Value: Create

Key  : Analysis.Elapsed.mSec
Value: 10811

Key  : Analysis.Init.CPU.mSec
Value: 843

Key  : Analysis.Init.Elapsed.mSec
Value: 16874

Key  : Analysis.Memory.CommitPeak.Mb
Value: 71

Key  : WER.OS.Branch
Value: winblue_ltsb_escrow

Key  : WER.OS.Timestamp
Value: 2022-02-22T11:58:00Z

Key  : WER.OS.Version
Value: 8.1.9600.20302

FILE_IN_CAB: 041922-149187-01.dmp

BUGCHECK_CODE: 19

BUGCHECK_P1: 3

BUGCHECK_P2: ffffc0006c5d1de0

BUGCHECK_P3: ffffbffe6c5d1de0

BUGCHECK_P4: ffffc0006c5d1de0

CUSTOMER_CRASH_COUNT: 1

PROCESS_NAME: svchost.exe

STACK_TEXT:
ffffd001b25acbb8 fffff803e18a52fb : 0000000000000019 0000000000000003 ffffc0006c5d1de0 ffffbffe6c5d1de0 : nt!KeBugCheckEx
ffffd001b25acbc0 fffff803e1a0f02f : ffffc00000000002 0000000000000000 ffffc00000000001 ffffe00100000001 : nt!ExAllocatePoolWithTag+0x126b
ffffd001b25acc90 fffff803e1a0ed9c : 0000000000000001 ffffd001b25acd40 ffffd001b25acdb9 ffffe801acc53080 : nt!MiCreateDataFileMap+0x67
ffffd001b25accf0 fffff803e1a9f79b : ffffe80195535900 ffffd001b25acf00 0000000000000001 0000000000000001 : nt!MiCreateNewSection+0x70
ffffd001b25ace00 fffff803e1a0ed1f : ffffe801aca34418 0000000000000000 ffffe00100000002 ffffd001b25ad0c8 : nt!MiCreateSection+0x477
ffffd001b25acff0 fffff803e167abef : 0000000000000001 0000000000000000 0000000000000208 fffff80300000000 : nt!MmCreateSection+0x87
ffffd001b25ad050 fffff8008597150b : ffffc0009092a150 ffffd001b25ad730 ffffc0009092a150 ffffc0009092a150 : nt!CcInitializeCacheMap+0x60f
ffffd001b25ad130 ffffc0009092a150 : ffffd001b25ad730 ffffc0009092a150 ffffc0009092a150 ffffc0009092a150 : Ntfs+0xbf50b
ffffd001b25ad138 ffffd001b25ad730 : ffffc0009092a150 ffffc0009092a150 ffffc0009092a150 ffffc0009092a010 : 0xffffc0009092a150 ffffd001b25ad140 ffffc0009092a150 : ffffc0009092a150 ffffc0009092a150 ffffc0009092a010 ffffd001b25ad301 : 0xffffd001b25ad730
ffffd001b25ad148 ffffc0009092a150 : ffffc0009092a150 ffffc0009092a010 ffffd001b25ad301 ffffd001b25ad1a0 : 0xffffc0009092a150 ffffd001b25ad150 ffffc0009092a150 : ffffc0009092a010 ffffd001b25ad301 ffffd001b25ad1a0 ff01000028000001 : 0xffffc0009092a150
ffffd001b25ad158 ffffc0009092a010 : ffffd001b25ad301 ffffd001b25ad1a0 ff01000028000001 ffffe80195535900 : 0xffffc0009092a150 ffffd001b25ad160 ffffd001b25ad301 : ffffd001b25ad1a0 ff01000028000001 ffffe80195535900 0000000000000000 : 0xffffc0009092a010
ffffd001b25ad168 ffffd001b25ad1a0 : ff01000028000001 ffffe80195535900 0000000000000000 0000001800000000 : 0xffffd001b25ad301 ffffd001b25ad170 ff01000028000001 : ffffe80195535900 0000000000000000 0000001800000000 ffffe801a40a1ca0 : 0xffffd001b25ad1a0
ffffd001b25ad178 ffffe80195535900 : 0000000000000000 0000001800000000 ffffe801a40a1ca0 ffffe00116ce8180 : 0xff01000028000001 ffffd001b25ad180 0000000000000000 : 0000001800000000 ffffe801a40a1ca0 ffffe00116ce8180 ffffc0009092a150 : 0xffffe80195535900

SYMBOL_NAME: nt!ExAllocatePoolWithTag+126b

MODULE_NAME: nt

IMAGE_NAME: ntkrnlmp.exe

IMAGE_VERSION: 6.3.9600.20302

STACK_COMMAND: .cxr; .ecxr ; kb

BUCKET_ID_FUNC_OFFSET: 126b

FAILURE_BUCKET_ID: 0x19_3_nt!ExAllocatePoolWithTag

OS_VERSION: 8.1.9600.20302

BUILDLAB_STR: winblue_ltsb_escrow

OSPLATFORM_TYPE: x64

OSNAME: Windows 8.1

FAILURE_ID_HASH: {4b68972e-e926-5fd8-7b97-1ce977bc62b9}

Followup: MachineOwner

---

27: kd> lmvm nt
Browse full module list
start end module name
fffff803e1618000 fffff803e1d92000 nt (pdb symbols) C:\ProgramData\Dbg\sym\ntkrnlmp.pdb\C8539FFDFDA646A794016F13DD5EC9411\ntkrnlmp.pdb
Loaded symbol image file: ntkrnlmp.exe
Mapped memory image file: C:\ProgramData\Dbg\sym\ntkrnlmp.exe\6215660977a000\ntkrnlmp.exe
Image path: ntkrnlmp.exe
Image name: ntkrnlmp.exe
Browse all global symbols functions data
Timestamp: Wed Feb 23 06:39:05 2022 (62156609)
CheckSum: 00709129
ImageSize: 0077A000
File version: 6.3.9600.20302
Product version: 6.3.9600.20302
File flags: 0 (Mask 3F)
File OS: 40004 NT Win32
File type: 1.0 App
File date: 00000000.00000000
Translations: 0409.04b0
Information from resource tables:
CompanyName: Microsoft Corporation
ProductName: Microsoft® Windows® Operating System
InternalName: ntkrnlmp.exe
OriginalFilename: ntkrnlmp.exe
ProductVersion: 6.3.9600.20302
FileVersion: 6.3.9600.20302 (winblue_ltsb_escrow.220222-1158)
FileDescription: NT Kernel & System
LegalCopyright: © Microsoft Corporation. All rights reserved.

Answer 1

Please run the DM log collector and post a share link into this thread using one drive, drop box, or google drive.

If the server can run the V2 log collector it will collect more useful files for troubleshooting.

https://www.tenforums.com/bsod-crashes-debugging/2198-bsod-posting-instructions.html

https://www.elevenforum.com/t/bsod-posting-instructions.103/

Indicate whether you're able to create server downtime.

.
.
.
.
.

Please remember to vote and to mark the replies as answers if they help.

On the bottom of each post there is:

Propose as answer = answered the question

On the left side of each post there is /\ with a number: click = a helpful post
.
.
.
.
.

Answer 2

Hello

Thank you for your question and reaching out.

I can understand you are facing BSOD error. The ntkrnlmp.exe BSOD could be caused by missing, corrupt or damaged system files on your server.
BSODs are caused by driver software errors or hardware problems. A BSOD is a full system failure caused by a problem with Windows drivers and/or hardware at the kernel level. It isn't a software failure. Windows continues to execute even if the browser crashes. Because apps run at a higher level in the operating system, they are extremely rare to create a blue screen.

As per log The ntkrnlmp.exe BSOD could be caused by missing, corrupt or damaged system files on your computer. To see if this is the case, you should run a Windows repair.

1. Remove any unnecessary hardware such as external hard drives, headphones, cameras, USB drives, etc. Sometimes, blue screens are triggered by faulty devices or device operators.
2. It's highly likely that the root cause of any given Blue Screen of Death is a failing piece of hardware. If a test fails, replace the RAM in your computer or replace the hard drive as soon as possible
3. Disable any Antivirus program or Windows firewall you may have for temporary purpose.
4. Cleanup below Temp folders to cleanup cache
   C:\Windows\Temp
   %USERPROFILE%\AppData\Local\Temp
5. Run Disk Cleanup from Select C:\ Drive from Properties- > General -> Disk Cleanup - >Cleanup system files

6.. Run sfc /scannow

7. Run below DISM command from elevated prompt.

DISM /Online /Cleanup-Image /CheckHealth
DISM /Online /Cleanup-Image /ScanHealth
DISM /Online /Cleanup-Image /RestoreHealth

8. Driver Verifier monitors Windows kernel-mode drivers and graphics drivers to detect illegal function calls or actions that might corrupt the system. Verify all drivers using below command

verifier.exe /all

9. Uninstall and Install Latest version of Video drivers.
10. Run Windows Memory Diagnostics Tool from windows to check Memory related errors.

Reference : https://support.microsoft.com/en-us/sbs/windows/troubleshoot-blue-screen-errors-5c62726c-6489-52da-a372-3f73142c14ad

---

--If the reply is helpful, please Upvote and Accept as answer--