[vpn-help] vfilter.sys, Blue Screen of Death, BSOD, Windows 7, BAD_POOL_CALLER

Frank Llopis Werbung at yahoo.com
Thu Aug 11 16:50:21 CDT 2011


Hi all,

First, let me say thank you for this software!
I have had it installed in several versions over the past year or so. I 
don't use it very often, but it still is quite useful!

For a long time I have been bugged by occasional BSODs with a 
BAD_POOL_CALLER. I have tried various methods to reduce them, to no avail.
So I finally dug into the subject of Debugging under Windows (I am no 
programmer). There the culprit turned out to be vfilter.sys from the 
Shrew Soft VPN client. Something I had never suspected.

BTW the installation routine seems to ignore the vfilter.sys under 
<windows>/system32. One has to manually replace or delete it. But it 
probably doesn't get used anyway if the software finds it in the program 
directory first...

The debugging results for the crash dumps for v2.1.7, 2.2.0 beta1 and 
2.2.0 beta 2 are as follows:

===============================================================================

Shrew Soft VPN

vfilter.sys
17.12.2010	2.2.0.4
from 2.2.0 beta1

Microsoft (R) Windows Debugger Version 6.12.0002.633 AMD64

Loading Dump File [C:\Windows\Minidump\080811-25849-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Windows 7 Kernel Version 7601 (Service Pack 1) MP (8 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 7601.17592.amd64fre.win7sp1_gdr.110408-1631
Machine Name:
Kernel base = 0xfffff800`03451000 PsLoadedModuleList = 0xfffff800`03696650
Debug session time: Mon Aug  8 21:20:59.309 2011 (UTC + 12:00)

Unable to load image vfilter.sys, Win32 error 0n2
*** WARNING: Unable to verify timestamp for vfilter.sys
*** ERROR: Module load completed but symbols could not be loaded for vfilter.sys
GetPointerFromAddress: unable to read from fffff80003700100
Probably caused by : vfilter.sys ( vfilter+2ea7 )

BAD_POOL_CALLER (c2)
The current thread is making a bad pool request.  Typically this is at a 
bad IRQL level or double freeing the same allocation, etc.
Arguments:
Arg1: 0000000000000007, Attempt to free pool which was already freed
Arg2: 000000000000109b, (reserved)
Arg3: 00000000040d0010, Memory contents of the pool block
Arg4: fffffa800791e550, Address of the block of pool being deallocated

Debugging Details:
------------------

POOL_ADDRESS:  fffffa800791e550
FREED_POOL_TAG:  atfv
BUGCHECK_STR:  0xc2_7_atfv
CUSTOMER_CRASH_COUNT:  1
DEFAULT_BUCKET_ID:  VISTA_DRIVER_FAULT
PROCESS_NAME:  System
CURRENT_IRQL:  0
LAST_CONTROL_TRANSFER:  from fffff800035fbbe9 to fffff800034d0d00
STACK_TEXT:
fffff880`03f69938 fffff800`035fbbe9 : 00000000`000000c2 00000000`00000007 00000000`0000109b 00000000`040d0010 : nt!KeBugCheckEx
fffff880`03f69940 fffff880`016b3195 : 00000000`00000000 fffffa80`00000003 0000057f`f22053e8 fffffa80`10f65540 : nt!ExDeferredFreePool+0x1201
fffff880`03f699f0 fffff880`050dbea7 : 00000000`00000000 fffffa80`0de35130 00000000`000000c8 00000000`00000000 : ndis!NdisFreeMemory+0x15
fffff880`03f69a20 00000000`00000000 : fffffa80`0de35130 00000000`000000c8 00000000`00000000 ffffea33`d5427046 : vfilter+0x2ea7
STACK_COMMAND:  kb

FOLLOWUP_IP:
vfilter+2ea7
fffff880`050dbea7 ??              ???
SYMBOL_STACK_INDEX:  3
SYMBOL_NAME:  vfilter+2ea7
FOLLOWUP_NAME:  MachineOwner
MODULE_NAME: vfilter
IMAGE_NAME:  vfilter.sys
DEBUG_FLR_IMAGE_TIMESTAMP:  4d0af841
FAILURE_BUCKET_ID:  X64_0xc2_7_atfv_vfilter+2ea7
BUCKET_ID:  X64_0xc2_7_atfv_vfilter+2ea7

==============================================================================

vfilter.sys
manually updated in system32/drivers
01.07.2011	still 2.2.0.4 (!)
from 2.2.0 beta2

Microsoft (R) Windows Debugger Version 6.12.0002.633 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.

Loading Dump File [C:\Windows\Minidump\080911-37097-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: SRV*C:\Program Files\Debugging Tools for Windows (x64)\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows 7 Kernel Version 7601 (Service Pack 1) MP (8 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 7601.17592.amd64fre.win7sp1_gdr.110408-1631
Machine Name:
Kernel base = 0xfffff800`0345e000 PsLoadedModuleList = 0xfffff800`036a3650
Debug session time: Tue Aug  9 13:14:35.724 2011 (UTC + 12:00)
System Uptime: 0 days 1:55:30.645

BugCheck C2, {7, 109b, 4200000, fffffa800f5e0010}

Unable to load image vfilter.sys, Win32 error 0n2
*** WARNING: Unable to verify timestamp for vfilter.sys
*** ERROR: Module load completed but symbols could not be loaded for vfilter.sys
GetPointerFromAddress: unable to read from fffff8000370d100
Probably caused by : vfilter.sys ( vfilter+2ea7 )

BAD_POOL_CALLER (c2)
The current thread is making a bad pool request.  Typically this is at a 
bad IRQL level or double freeing the same allocation, etc.
Arguments:
Arg1: 0000000000000007, Attempt to free pool which was already freed
Arg2: 000000000000109b, (reserved)
Arg3: 0000000004200000, Memory contents of the pool block
Arg4: fffffa800f5e0010, Address of the block of pool being deallocated

Debugging Details:
------------------
POOL_ADDRESS:  fffffa800f5e0010
FREED_POOL_TAG:  atfv
BUGCHECK_STR:  0xc2_7_atfv
CUSTOMER_CRASH_COUNT:  1
DEFAULT_BUCKET_ID:  VISTA_DRIVER_FAULT
PROCESS_NAME:  System
CURRENT_IRQL:  0
LAST_CONTROL_TRANSFER:  from fffff80003608be9 to fffff800034ddd00

STACK_TEXT:
fffff880`03f62938 fffff800`03608be9 : 00000000`000000c2 00000000`00000007 00000000`0000109b 00000000`04200000 : nt!KeBugCheckEx
fffff880`03f62940 fffff880`01708195 : 00000000`00000000 00000000`00000000 00000000`00000000 fffffa80`10e87460 : nt!ExDeferredFreePool+0x1201
fffff880`03f629f0 fffff880`05544ea7 : 00000000`00000000 fffffa80`0d822e31 00000000`000001f1 00000000`00000000 : ndis!NdisFreeMemory+0x15
fffff880`03f62a20 00000000`00000000 : fffffa80`0d822e31 00000000`000001f1 00000000`00000000 ffffea12`29ce39d8 : vfilter+0x2ea7

STACK_COMMAND:  kb
FOLLOWUP_IP:
vfilter+2ea7
fffff880`05544ea7 ??              ???
SYMBOL_STACK_INDEX:  3
SYMBOL_NAME:  vfilter+2ea7
FOLLOWUP_NAME:  MachineOwner
MODULE_NAME: vfilter
IMAGE_NAME:  vfilter.sys
DEBUG_FLR_IMAGE_TIMESTAMP:  4d0af841
FAILURE_BUCKET_ID:  X64_0xc2_7_atfv_vfilter+2ea7
BUCKET_ID:  X64_0xc2_7_atfv_vfilter+2ea7

===========================================================================================

vfilter.sys from 2.1.7 release
v 2.2.0.3

Microsoft (R) Windows Debugger Version 6.12.0002.633 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.

Loading Dump File [C:\Windows\Minidump\081211-26176-01.dmp]

Windows 7 Kernel Version 7601 (Service Pack 1) MP (8 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 7601.17640.amd64fre.win7sp1_gdr.110622-1506
Machine Name:
Kernel base = 0xfffff800`0340b000 PsLoadedModuleList = 0xfffff800`03650670
Debug session time: Fri Aug 12 08:59:37.525 2011 (UTC + 12:00)

Unable to load image vfilter.sys, Win32 error 0n2
*** WARNING: Unable to verify timestamp for vfilter.sys
*** ERROR: Module load completed but symbols could not be loaded for vfilter.sys
GetPointerFromAddress: unable to read from fffff800036ba100
Probably caused by : vfilter.sys ( vfilter+2db7 )

BAD_POOL_CALLER (c2)
The current thread is making a bad pool request.  Typically this is at a 
bad IRQL level or double freeing the same allocation, etc.
Arguments:
Arg1: 0000000000000007, Attempt to free pool which was already freed
Arg2: 000000000000109b, (reserved)
Arg3: 000000000417000a, Memory contents of the pool block
Arg4: fffffa800e6bd4f0, Address of the block of pool being deallocated

Debugging Details:
------------------
POOL_ADDRESS:  fffffa800e6bd4f0
FREED_POOL_TAG:  atfv
BUGCHECK_STR:  0xc2_7_atfv
CUSTOMER_CRASH_COUNT:  1
DEFAULT_BUCKET_ID:  VISTA_DRIVER_FAULT
PROCESS_NAME:  System
CURRENT_IRQL:  0
LAST_CONTROL_TRANSFER:  from fffff800035b5be9 to fffff80003487c40
STACK_TEXT:
fffff880`03f62938 fffff800`035b5be9 : 00000000`000000c2 00000000`00000007 00000000`0000109b 00000000`0417000a : nt!KeBugCheckEx
fffff880`03f62940 fffff880`016b1195 : 00000000`00000000 00001f80`00dd0000 00000000`00000000 fffffa80`06dc4970 : nt!ExDeferredFreePool+0x1201
fffff880`03f629f0 fffff880`05418db7 : 00000000`00000000 fffffa80`0de861d5 00000000`0000016d 00000000`00000000 : ndis!NdisFreeMemory+0x15
fffff880`03f62a20 00000000`00000000 : fffffa80`0de861d5 00000000`0000016d 00000000`00000000 ffffea3e`0b657c3e : vfilter+0x2db7

STACK_COMMAND:  kb
FOLLOWUP_IP:
vfilter+2db7
fffff880`05418db7 ??              ???
SYMBOL_STACK_INDEX:  3
SYMBOL_NAME:  vfilter+2db7
FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: vfilter
IMAGE_NAME:  vfilter.sys
DEBUG_FLR_IMAGE_TIMESTAMP:  4c3686f5
FAILURE_BUCKET_ID:  X64_0xc2_7_atfv_vfilter+2db7
BUCKET_ID:  X64_0xc2_7_atfv_vfilter+2db7

======================================================================

I hope I can help to improve this fine piece of software a bit by 
submitting this bug report.
I am looking forward to v2.2.0.5 of vfilter.sys :-)
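
Added example, not part of the original post and not Shrew Soft code: a small Python triage script that extracts the identifying fields from the three WinDbg summaries above and checks that they describe the same fault. The sample text is copied from the post with mail wrapping undone; the names `DUMPS`, `parse` and `triage` are illustrative.

```python
import re

# Constructed sample: four lines per dump, copied from the post with the
# mail client's line wrapping undone. Keys are the client versions it names.
DUMPS = {
    "2.2.0 beta1": """Arg1: 0000000000000007, Attempt to free pool which was already freed
FREED_POOL_TAG:  atfv
fffff880`03f699f0 fffff880`050dbea7 : 00000000`00000000 fffffa80`0de35130 00000000`000000c8 00000000`00000000 : ndis!NdisFreeMemory+0x15
FAILURE_BUCKET_ID:  X64_0xc2_7_atfv_vfilter+2ea7""",
    "2.2.0 beta2": """Arg1: 0000000000000007, Attempt to free pool which was already freed
FREED_POOL_TAG:  atfv
fffff880`03f629f0 fffff880`05544ea7 : 00000000`00000000 fffffa80`0d822e31 00000000`000001f1 00000000`00000000 : ndis!NdisFreeMemory+0x15
FAILURE_BUCKET_ID:  X64_0xc2_7_atfv_vfilter+2ea7""",
    "2.1.7": """Arg1: 0000000000000007, Attempt to free pool which was already freed
FREED_POOL_TAG:  atfv
fffff880`03f629f0 fffff880`05418db7 : 00000000`00000000 fffffa80`0de861d5 00000000`0000016d 00000000`00000000 : ndis!NdisFreeMemory+0x15
FAILURE_BUCKET_ID:  X64_0xc2_7_atfv_vfilter+2db7""",
}

def parse(text):
    """Extract the fields that identify a pool double free from one summary."""
    arg1 = int(re.search(r"^Arg1: ([0-9a-f]+)", text, re.M).group(1), 16)
    tag = re.search(r"^FREED_POOL_TAG:\s+(\S+)", text, re.M).group(1)
    mod, off = re.search(r"^FAILURE_BUCKET_ID:\s+\S+_(\w+)\+([0-9a-f]+)$", text, re.M).groups()
    # Second column of a stack line is the return address: for the
    # NdisFreeMemory frame that is the calling instruction's successor in the driver.
    ret = re.search(r"^\S+ (\S+) : .* : ndis!NdisFreeMemory", text, re.M).group(1)
    base = int(ret.replace("`", ""), 16) - int(off, 16)
    return {"double_free": arg1 == 7, "tag": tag, "module": mod,
            "offset": int(off, 16), "base": base}

def triage(dumps):
    """Parse every dump and reduce them to a set of fault signatures."""
    rows = {label: parse(text) for label, text in dumps.items()}
    signatures = {(r["module"], r["tag"], r["double_free"]) for r in rows.values()}
    # A driver image is mapped on a page boundary, so return address minus
    # offset must be page-aligned if the caller really lies inside the module.
    aligned = all(r["base"] % 0x1000 == 0 for r in rows.values())
    return rows, signatures, aligned

if __name__ == "__main__":
    rows, signatures, aligned = triage(DUMPS)
    for label, r in rows.items():
        print(f"{label:12} {r['module']}+{r['offset']:#x} base={r['base']:#x} tag={r['tag']}")
    print("one fault signature:", len(signatures) == 1, "| bases page-aligned:", aligned)
```

The offset differs only between the two driver file versions listed in the post (2.2.0.4 and 2.2.0.3); module, pool tag and bugcheck argument are identical in all three dumps.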


