WARNING: NtUnloadKey2 at ..\..\ntoskrnl\config\ntapi.c:1359 is UNIMPLEMENTED!
WARNING: HvpWriteLog at ..\..\lib\cmlib\hivewrt.c:26 is UNIMPLEMENTED!
(..\..\ntoskrnl\mm\ARM3\expool.c:274) Entry BlockSize 29, tag TOKu. NextEntry PreviousSize 11, tag None

*** Fatal System Error: 0x00000019
                       (0x00000005,0xE1235CC0,0x00000116,0xE1235BD8)

Break instruction exception - code 80000003 (first chance)

A fatal system error has occurred.
Debugger entered on first try; Bugcheck callbacks have not been invoked.

A fatal system error has occurred.

Connected to Windows Server 2003 3790 x86 compatible target at (Wed Sep 19 17:39:59.975 2012 (UTC + 2:00)), ptr64 FALSE
Loading Kernel Symbols
...................................................
Loading User Symbols
.................................................
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 19, {5, e1235cc0, 116, e1235bd8}

Probably caused by : ntoskrnl.dll ( nt!ExpCheckPoolHeader+2e5 )

Followup: MachineOwner
---------

nt!RtlpBreakWithStatusInstruction:
80514a08 cc int 3
kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

BAD_POOL_HEADER (19)
The pool is already corrupt at the time of the current request.
This may or may not be due to the caller.
The internal pool links must be walked to figure out a possible cause of
the problem, and then special pool applied to the suspect tags or the driver
verifier to a suspect driver.
Arguments:
Arg1: 00000005, the adjacent pool block headers are corrupt.
Arg2: e1235cc0, One entry whose headers are not consistent.
Arg3: 00000116, (reserved)
Arg4: e1235bd8, Another entry whose headers are not consistent.

Debugging Details:
------------------

BUGCHECK_STR: 0x19_5

DEFAULT_BUCKET_ID: INTEL_CPU_MICROCODE_ZERO

PROCESS_NAME: setup.exe

CURRENT_IRQL: 0

LAST_CONTROL_TRANSFER: from 8047d9f6 to 80514a08

STACK_TEXT:
00000003 f83b28dc ffdff408 nt!RtlpBreakWithStatusInstruction
00000003 f83b2d04 00d9eb50 nt!KiBugCheckDebugBreak(unsigned long StatusCode = 3)+0x36 [p:\trunk_slave\x86_msvc\build\ntoskrnl\ke\bug.c @ 535]
00000019 00000005 e1235cc0 nt!KeBugCheckWithTf(unsigned long BugCheckCode = 0x19, unsigned long BugCheckParameter1 = 5, unsigned long BugCheckParameter2 = 0xe1235cc0, unsigned long BugCheckParameter3 = 0x116, unsigned long BugCheckParameter4 = 0xe1235bd8, struct _KTRAP_FRAME * TrapFrame = 0x00000000)+0x4f2 [p:\trunk_slave\x86_msvc\build\ntoskrnl\ke\bug.c @ 1083]
00000019 00000005 e1235cc0 nt!KeBugCheckEx(unsigned long BugCheckCode = 0x19, unsigned long BugCheckParameter1 = 5, unsigned long BugCheckParameter2 = 0xe1235cc0, unsigned long BugCheckParameter3 = 0x116, unsigned long BugCheckParameter4 = 0xe1235bd8)+0x1e [p:\trunk_slave\x86_msvc\build\ntoskrnl\ke\bug.c @ 1411]
e1235bd8 00000001 013b29e8 nt!ExpCheckPoolHeader(struct _POOL_HEADER * Entry = 0xe1235bd8)+0x2e5 [p:\trunk_slave\x86_msvc\build\ntoskrnl\mm\arm3\expool.c @ 282]
e12354d0 e11a3dd8 0000000c nt!ExpCheckPoolBlocks(void * Block = 0xe12354d0)+0x72 [p:\trunk_slave\x86_msvc\build\ntoskrnl\mm\arm3\expool.c @ 306]
00000001 0000000a 434d3235 nt!ExAllocatePoolWithTag(_POOL_TYPE PoolType = PagedPool (0n1), unsigned long NumberOfBytes = 0xa, unsigned long Tag = 0x434d3235)+0x4f0 [p:\trunk_slave\x86_msvc\build\ntoskrnl\mm\arm3\expool.c @ 1681]
0000000a 00000001 434d3235 nt!CmpAllocate(unsigned long Size = 0xa, unsigned char Paged = 0x01 '', unsigned long Tag = 0x434d3235)+0x1b [p:\trunk_slave\x86_msvc\build\ntoskrnl\config\cmwraprs.c @ 61]
b0f37008 00018170 000136a0 nt!CmpAddSubKey(struct _HHIVE * Hive = 0xb0f37008, unsigned long Parent = 0x18170, unsigned long Child = 0x136a0)+0xd2 [p:\trunk_slave\x86_msvc\build\ntoskrnl\config\cmindex.c @ 1554]
b0f37008 00018170 b0fcdce8 nt!CmpDoCreate(struct _HHIVE * Hive = 0xb0f37008, unsigned long Cell = 0x18170, struct _ACCESS_STATE * AccessState = 0xb0fcdce8, struct _UNICODE_STRING * Name = 0xf83b2b40 "Sizes", char AccessMode = 0n1 '', struct _CM_PARSE_CONTEXT * ParseContext = 0xf83b2ca0, struct _CM_KEY_CONTROL_BLOCK * ParentKcb = 0xe12e7e40, void ** Object = 0xf83b2ba8)+0x1a1 [p:\trunk_slave\x86_msvc\build\ntoskrnl\config\cmparse.c @ 489]
e13e50b0 b129d230 b0fcdce8 nt!CmpParseKey(void * ParseObject = 0xe13e50b0, void * ObjectType = 0xb129d230, struct _ACCESS_STATE * AccessState = 0xb0fcdce8, char AccessMode = 0n1 '', unsigned long Attributes = 0x40, struct _UNICODE_STRING * CompleteName = 0xf83b2c30 "Sizes", struct _UNICODE_STRING * RemainingName = 0xf83b2be4 "Sizes", void * Context = 0xf83b2ca0, struct _SECURITY_QUALITY_OF_SERVICE * SecurityQos = 0x00000000, void ** Object = 0xf83b2ba8)+0x4ae [p:\trunk_slave\x86_msvc\build\ntoskrnl\config\cmparse.c @ 1276]
000004d4 f83b2c30 00000040 nt!ObpLookupObjectName(void * RootHandle = 0x000004d4, struct _UNICODE_STRING * ObjectName = 0xf83b2c30 "Sizes", unsigned long Attributes = 0x40, struct _OBJECT_TYPE * ObjectType = 0xb129d230, char AccessMode = 0n1 '', void * ParseContext = 0xf83b2ca0, struct _SECURITY_QUALITY_OF_SERVICE * SecurityQos = 0x00000000, void * InsertObject = 0x00000000, struct _ACCESS_STATE * AccessState = 0xb0fcdce8, struct _OBP_LOOKUP_CONTEXT * LookupContext = 0xb0fcdd8c, void ** FoundObject = 0xf83b2c2c)+0x1fc [p:\trunk_slave\x86_msvc\build\ntoskrnl\ob\obname.c @ 385]
00d9ebb8 b129d230 00000001 nt!ObOpenObjectByName(struct _OBJECT_ATTRIBUTES * ObjectAttributes = 0x00d9ebb8, struct _OBJECT_TYPE * ObjectType = 0xb129d230, char AccessMode = 0n1 '', struct _ACCESS_STATE * PassedAccessState = 0xb0fcdce8, unsigned long DesiredAccess = 0x20006, void * ParseContext = 0xf83b2ca0, void ** Handle = 0xf83b2c9c)+0x195 [p:\trunk_slave\x86_msvc\build\ntoskrnl\ob\obhandle.c @ 2514]
00d9ec24 00020006 00d9ebb8 nt!NtCreateKey(void ** KeyHandle = 0x00d9ec24, unsigned long DesiredAccess = 0x20006, struct _OBJECT_ATTRIBUTES * ObjectAttributes = 0x00d9ebb8, unsigned long TitleIndex = 0, struct _UNICODE_STRING * Class = 0x00000000, unsigned long CreateOptions = 0, unsigned long * Disposition = 0x00d9ec34)+0x209 [p:\trunk_slave\x86_msvc\build\ntoskrnl\config\ntapi.c @ 89]
80420550 00d9eb34 0000001c nt!KiSystemCallTrampoline(void * Handler = 0x80420550, void * Arguments = 0x00d9eb34, unsigned long StackBytes = 0x1c)+0x19 [p:\trunk_slave\x86_msvc\build\ntoskrnl\include\internal\i386\ke.h @ 668]
f83b2d64 00d9eb34 00d9eb34 nt!KiSystemCall(struct _KTRAP_FRAME * TrapFrame = 0xf83b2d64, void * Arguments = 0x00d9eb34)+0x1f2 [p:\trunk_slave\x86_msvc\build\ntoskrnl\ke\i386\traphdlr.c @ 1629]
00d9eb88 77f2c26e badb0d00 nt!KiFastCallEntryHandler(struct _KTRAP_FRAME * TrapFrame = 0xf83b2d64, void * Arguments = 0x00d9eb34)+0x6d [p:\trunk_slave\x86_msvc\build\ntoskrnl\ke\i386\traphdlr.c @ 1675]
00d9eb88 77f2c26e badb0d00 nt!KiFastCallEntry+0x71
77c6d9d6 00d9ec24 00020006 ntdll!KiFastSystemCallRet
00d9ec24 00020006 00d9ebb8 ntdll!NtCreateKey+0xc
00d9ec24 00d9ebb8 00000000 advapi32!CreateNestedKey(struct HKEY__ ** KeyHandle = 0x00d9ec24, struct _OBJECT_ATTRIBUTES * ObjectAttributes = 0x00d9ebb8, struct _UNICODE_STRING * ClassString = 0x00000000, unsigned long dwOptions = 0, unsigned long samDesired = 0x20006, unsigned long * lpdwDisposition = 0x00d9ec34)+0x26 [p:\trunk_slave\x86_msvc\build\dll\win32\advapi32\reg\reg.c @ 920]
000004d4 0003b728 00000000 advapi32!RegCreateKeyExW(struct HKEY__ * hKey = 0x000004d4, wchar_t * lpSubKey = 0x0003b728 "Sizes", unsigned long Reserved = 0, unsigned short * lpClass = 0x00000000, unsigned long dwOptions = 0, unsigned long samDesired = 0x20006, struct _SECURITY_ATTRIBUTES * lpSecurityAttributes = 0x00000000, struct HKEY__ ** phkResult = 0x00d9ec24, unsigned long * lpdwDisposition = 0x00d9ec34)+0x162 [p:\trunk_slave\x86_msvc\build\dll\win32\advapi32\reg\reg.c @ 1139]
000004d4 00000488 00000488 userenv!CopyKey(struct HKEY__ * hDstKey = 0x000004d4, struct HKEY__ * hSrcKey = 0x00000488)+0x235 [p:\trunk_slave\x86_msvc\build\dll\win32\userenv\registry.c @ 141]
0000068c 00000588 00000588 userenv!CopyKey(struct HKEY__ * hDstKey = 0x0000068c, struct HKEY__ * hSrcKey = 0x00000588)+0x32b [p:\trunk_slave\x86_msvc\build\dll\win32\userenv\registry.c @ 169]
0000066c 00000660 00000660 userenv!CopyKey(struct HKEY__ * hDstKey = 0x0000066c, struct HKEY__ * hSrcKey = 0x00000660)+0x32b [p:\trunk_slave\x86_msvc\build\dll\win32\userenv\registry.c @ 169]
000006f8 000006d0 000006d0 userenv!CopyKey(struct HKEY__ * hDstKey = 0x000006f8, struct HKEY__ * hSrcKey = 0x000006d0)+0x32b [p:\trunk_slave\x86_msvc\build\dll\win32\userenv\registry.c @ 169]
00000324 00000328 00000324 userenv!CopyKey(struct HKEY__ * hDstKey = 0x00000324, struct HKEY__ * hSrcKey = 0x00000328)+0x32b [p:\trunk_slave\x86_msvc\build\dll\win32\userenv\registry.c @ 169]
00049d78 00d9ede4 003a0043 userenv!CreateUserHive(wchar_t * lpKeyName = 0x00049d78 "S-1-5-21-284239813-1680421834-363658563-500", wchar_t * lpProfilePath = 0x00d9ede4 "C:\Documents and Settings\Administrator")+0x9c [p:\trunk_slave\x86_msvc\build\dll\win32\userenv\registry.c @ 309]
0003c4f8 00056b38 00056b38 userenv!CreateUserProfileW(void * Sid = 0x0003c4f8, wchar_t * lpUserName = 0x00056b38 "Administrator")+0x897 [p:\trunk_slave\x86_msvc\build\dll\win32\userenv\profile.c @ 372]
0000009c 00d9fc90 00000020 userenv!LoadUserProfileW(void * hToken = 0x0000009c, struct _PROFILEINFOW * lpProfileInfo = 0x00d9fc90)+0x48a [p:\trunk_slave\x86_msvc\build\dll\win32\userenv\profile.c @ 1160]
00400000 71c21af0 71c20000 syssetup!InstallReactOS(struct HINSTANCE__ * hInstance = 0x00400000)+0x203 [p:\trunk_slave\x86_msvc\build\dll\win32\syssetup\install.c @ 898]
00400000 000205f4 00020600 setup!RunNewSetup(struct HINSTANCE__ * hInstance = 0x00400000)+0x83 [p:\trunk_slave\x86_msvc\build\base\setup\setup\setup.c @ 82]
00400000 00000000 000309b4 setup!wWinMain(struct HINSTANCE__ * hInstance = 0x00400000, struct HINSTANCE__ * hPrevInstance = 0x00000000, unsigned short * lpCmdLine = 0x000309b4, int nShowCmd = 0n10)+0x5d [p:\trunk_slave\x86_msvc\build\base\setup\setup\setup.c @ 132]
00000002 00030ab8 00030ef0 setup!wmain(int flags = 0n2, unsigned short ** cmdline = 0x00030ab8, unsigned short ** inst = 0x00030ef0)+0x1e [p:\trunk_slave\x86_msvc\build\lib\sdk\crt\startup\crt0_w.c @ 25]
000000ff 00d9fff0 77dae275 setup!__tmainCRTStartup(void)+0x248 [p:\trunk_slave\x86_msvc\build\lib\sdk\crt\startup\crtexe.c @ 307]
024cf644 024cf658 7ffba000 setup!wWinMainCRTStartup(void)+0x1f [p:\trunk_slave\x86_msvc\build\lib\sdk\crt\startup\crtexe.c @ 168]
004012c0 00000000 e10100e0 kernel32!BaseProcessStartup( * lpStartAddress = 0x004012c0)+0x55 [p:\trunk_slave\x86_msvc\build\dll\win32\kernel32\client\proc.c @ 473]

STACK_COMMAND: kb

FOLLOWUP_IP:
nt!ExpCheckPoolHeader+2e5 [p:\trunk_slave\x86_msvc\build\ntoskrnl\mm\arm3\expool.c @ 282]
804913b5 8be5 mov esp,ebp

FAULTING_SOURCE_CODE:
  278: __LINE__,
  279: (ULONG_PTR)Entry);
  280: }
  281: }
> 282: }
  283:
  284: VOID
  285: NTAPI
  286: ExpCheckPoolBlocks(IN PVOID Block)
  287: {

SYMBOL_STACK_INDEX: 4

SYMBOL_NAME: nt!ExpCheckPoolHeader+2e5

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: nt

IMAGE_NAME: ntoskrnl.dll

DEBUG_FLR_IMAGE_TIMESTAMP: 5059ce1f

FAILURE_BUCKET_ID: 0x19_5_nt!ExpCheckPoolHeader+2e5

BUCKET_ID: 0x19_5_nt!ExpCheckPoolHeader+2e5

Followup: MachineOwner
---------