question

WilliamWei-4192 avatar image
0 Votes"
WilliamWei-4192 asked CarlFan-MSFT answered

Bluescreen for Windows 2012 R2

Hello team,
We happened blue screen for several server 2012,you can see below information which I used the Winbdg to find,could you help us to find the root-cause?




  •                      Bugcheck Analysis                                    *
    



AD_POOL_HEADER (19)
The pool is already corrupt at the time of the current request.
This may or may not be due to the caller.
The internal pool links must be walked to figure out a possible cause of
the problem, and then special pool applied to the suspect tags or the driver
verifier to a suspect driver.
Arguments:
Arg1: 000000000000000e,
Arg2: ffffe000a522fe10
Arg3: 0000000000000000
Arg4: 065e3f0fa6a87097

Debugging Details:




KEY_VALUES_STRING: 1

 Key  : Analysis.CPU.Sec
 Value: 2

 Key  : Analysis.DebugAnalysisProvider.CPP
 Value: Create: 8007007e on SHL1132W

 Key  : Analysis.DebugData
 Value: CreateObject

 Key  : Analysis.DebugModel
 Value: CreateObject

 Key  : Analysis.Elapsed.Sec
 Value: 12

 Key  : Analysis.Memory.CommitPeak.Mb
 Value: 67

 Key  : Analysis.System
 Value: CreateObject


VIRTUAL_MACHINE: VMware

BUGCHECK_CODE: 19

BUGCHECK_P1: e

BUGCHECK_P2: ffffe000a522fe10

BUGCHECK_P3: 0

BUGCHECK_P4: 65e3f0fa6a87097

PROCESS_NAME: check_mk_agent.exe

STACK_TEXT:
ffffd001`acdf4ea8 fffff800`0c0b061c : 00000000`00000019 00000000`0000000e ffffe000`a522fe10 00000000`00000000 : nt!KeBugCheckEx
ffffd001`acdf4eb0 fffff801`07107ede : ffffe000`a5d89de0 ffffe000`a54ce860 ffffd001`acdf5090 fffff801`070ed5d3 : nt!ExDeferredFreePool+0xdac
ffffd001`acdf4f80 fffff801`070eca70 : ffffe000`a9767440 ffffe000`a5d89d00 00000000`00000001 fffff801`070e9a1a : mfeaack+0x56ede
ffffd001`acdf4fb0 fffff801`070ee0eb : 00000000`00000000 ffffd001`acdf5090 ffffd001`acdf50b0 ffffe000`a54ce8f8 : mfeaack+0x3ba70
ffffd001`acdf5000 fffff801`070ee5b7 : ffffe000`a2381010 ffffe000`a976c000 00000000`00000000 ffffe000`a5d89de0 : mfeaack+0x3d0eb
ffffd001`acdf5050 fffff801`070d114d : ffffe000`a2381010 ffffe000`a54ce8f8 ffffe000`a54ce860 ffffe000`a950eb10 : mfeaack+0x3d5b7
ffffd001`acdf5140 fffff801`070c8013 : ffffe000`00000000 ffffe000`a54ce8f8 ffffe000`a54ce800 ffffe000`a950eb10 : mfeaack+0x2014d
ffffd001`acdf51c0 fffff801`060dc531 : ffffe000`a57e4508 ffffe000`00000000 ffffe000`a57e4498 00000000`00000002 : mfeaack+0x17013
ffffd001`acdf5280 fffff801`061321d5 : 00000000`00000001 ffffe000`a57e4470 00000000`00000002 ffffe000`a56edd78 : mfehidk+0x37531
ffffd001`acdf52c0 fffff801`05f3c28a : ffffe000`a5b61070 00000000`00000000 00000000`00000000 ffffd001`acdf53b9 : mfehidk+0x8d1d5
ffffd001`acdf5310 fffff801`05f3d7bc : ffffd001`acdf5490 ffffd001`acdf5400 ffffe000`a836f400 00000000`00000000 : fltmgr!FltpPerformPreCallbacks+0x31a
ffffd001`acdf5420 fffff801`05f6532d : ffffe000`a1ce5740 ffffe000`a836f4c0 00000000`00000090 00000000`00000801 : fltmgr!FltpPassThroughInternal+0x8c
ffffd001`acdf5450 fffff800`0c1ae809 : 00000000`00000000 00000000`00000005 00000000`00000000 00000000`00000000 : fltmgr!FltpCreate+0x32e
ffffd001`acdf5500 fffff800`0c2af6ce : 00000000`00000000 00000000`00000000 ffffc001`921536a0 ffffe000`a1cfc980 : nt!IopParseDevice+0x6c9
ffffd001`acdf56f0 fffff800`0c1b28e3 : 00000000`00000000 ffffd001`acdf58a8 00000000`00000042 ffffe000`a14b8350 : nt!ObpLookupObjectName+0x7be
ffffd001`acdf5830 fffff800`0c26a3bb : 00000000`00000001 ffffe000`a836f558 00000000`00000001 00000000`00000020 : nt!ObOpenObjectByName+0x1e3
ffffd001`acdf5960 fffff800`0c26a040 : 0000008c`1ca3e678 00000000`40100080 0000008c`1ca3e6d0 00000000`00000000 : nt!IopCreateFile+0x36b
ffffd001`acdf5a00 fffff800`0bf6aab3 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!NtCreateFile+0x78
ffffd001`acdf5a90 00007ffb`4e030c0a : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13
0000008c`1ca3e5f8 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x00007ffb`4e030c0a


SYMBOL_NAME: nt!ExDeferredFreePool+dac

IMAGE_NAME: Pool_Corruption

MODULE_NAME: Pool_Corruption

STACK_COMMAND: .thread ; .cxr ; kb

BUCKET_ID_FUNC_OFFSET: dac

FAILURE_BUCKET_ID: 0x19_e_nt!ExDeferredFreePool

OS_VERSION: 8.1.9600.18589

BUILDLAB_STR: winblue_ltsb

OSPLATFORM_TYPE: x64

OSNAME: Windows 8.1

FAILURE_ID_HASH: {652ef998-c993-02e1-bea8-9dbeb0e887a3}

Followup: Pool_corruption

windows-server
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Docs-4663 avatar image
0 Votes"
Docs-4663 answered WilliamWei-4192 commented
· 1
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Thanks! Could you tell me how you find the McAfee make the bluescreen?

0 Votes 0 ·
CarlFan-MSFT avatar image
0 Votes"
CarlFan-MSFT answered WilliamWei-4192 commented

Hi,
Mfehidk.sys is a system process that runs in the computer background and maintains the host intrusion detection system for McAfee Antivirus.
Mfehidk.sys works in the same way that most antivirus programs do and uses large amounts of CPU memory. This can cause the computer to slow down or crash.
So we could try to uninstall McAfee then reinstall. Or try update McAfee software version to check.
Also you could type "msconfig" in Search Bar. Select "Service" Option, Hide all Microsoft Service Option. Then disable all No-Microsoft service to check.
Hope this helps and please help to accept as Answer if the response is useful.
Best Regards,
Carl

· 1
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Thanks!Could you tell me how do you find the Mfehidk.sys to make the bluescreen?

0 Votes 0 ·
Docs-4663 avatar image
0 Votes"
Docs-4663 answered WilliamWei-4192 commented

For this crash view the stack text:

mfehidk
mfeaack

These are McAfee drivers:

mfehidk.sys
mfeaack.sys


· 1
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Thanks!,We will try to disable McAfee service if the bluescreen happened again, we had happened several bluescreen cases for server2012 R2,I checked the McAfee,it had been updated for the least version and installed mcafee firewall by itself.

0 Votes 0 ·
CarlFan-MSFT avatar image
0 Votes"
CarlFan-MSFT answered

Hi,
I consider you can contact the technical support of the product of McAfee to see if there is an incompatibility between the software version or if the software automatically blocks some processes.
Hope this helps and please help to accept as Answer if the response is useful.
Best Regards,
Carl

5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.