aswSP.SYS causing BSOD

[JayC]

I initially started getting these BSODs around the time 4.8 was released. I had checked other threads about the same file causing other people BSODs. I thought it was fixed, but I just got another one. It happens at random times, and aswSP.SYS is always the file indicated in the BSOD. My Avast is up to date (4.8.1201) with latest virus definition updates, too. I really like Avast. I never had a problem with it until version 4.8 was released. I don't want to use anything else, either, as Avast just saved my computer when a safe site I visit recently got hacked. It stopped the threat before it even got through. I don't know what to do. I don't want to keep experiencing BSODs. Any help is appreciated!

[Lisandro]

Please, go to folder \windows\minidump and send the newest (recent) .mdmp files for analysis. There is also C:\Windows\Memory.dmp file.
Better if you can compress (zip) them and add some information about the BSOD and the link for this thread. 

Send an email to: vlk (at) avast.com
Or upload it to this anonymous ftp server: ftp://ftp.asw.cz/incoming

Don't you have more info about the BSOD? Error numbers? Control Panel > System > Advanced > Initialization & restoring Settings > Choose the dump options (removing the autorestart in case of failure)

[igor]

It's quite likely that the latest pre-release version fixes the problem:
http://forum.avast.com/index.php?topic=36639.0

[JayC]

Don't you have more info about the BSOD? Error numbers? Control Panel > System > Advanced > Initialization & restoring Settings > Choose the dump options (removing the autorestart in case of failure)

Sorry. I forgot about the Event Viewer. I already have the computer set to not reboot at a BSOD, but I didn't take down the numbers. Here is the event message from Event Viewer:

Event Type:   Information
Event Source:   Save Dump
Event Category:   None
Event ID:   1001
Date:      7/3/2008
Time:      11:43:29 AM
User:      N/A
Computer:   JEREMY-C32C1DAF
Description:
The computer has rebooted from a bugcheck.  The bugcheck was: 0x1000008e (0xc0000005, 0xeb3295c6, 0xf6c1ac80, 0x00000000). A dump was saved in: C:\WINDOWS\Minidump\Mini070308-01.dmp.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

I'll get the info to the e-mail address, too.

I should also say that I am running Windows XP Pro with SP2.

[Heater]

Same thing here: I have the Kernel dump (134 MB in size) (40 MB zipped) here is the debug out put:

Microsoft (R) Windows Debugger Version 6.8.0004.0 X86
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [C:\WINDOWS\MEMORY.DMP]
Kernel Summary Dump File: Only kernel address space is available

Symbol search path is: set _NT_SYMBOL_PATH=srv*D:\applications\windows\symbols*http://msdl.microsoft.com/download/symbols
:\Applications\Symbols
Executable search path is:
Windows XP Kernel Version 2600 (Service Pack 3) MP (2 procs) Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 2600.xpsp.080413-2111
Kernel base = 0x804d7000 PsLoadedModuleList = 0x805634c0
Debug session time: Fri Jul  4 17:19:57.015 2008 (GMT+2)
System Uptime: 0 days 8:23:13.752
Loading Kernel Symbols
...
Loading User Symbols
PEB is paged out (Peb.Ldr = 7ffd900c).  Type ".hh dbgerr001" for details
Loading unloaded module list
....................
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 8E, {c0000005, 8056ca09, b55aeb8c, 0}

*** ERROR: Module load completed but symbols could not be loaded for aswSP.SYS

PEB is paged out (Peb.Ldr = 7ffd900c).  Type ".hh dbgerr001" for details

PEB is paged out (Peb.Ldr = 7ffd900c).  Type ".hh dbgerr001" for details
Probably caused by : aswSP.SYS ( aswSP+854a )

Followup: MachineOwner
---------

0: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

KERNEL_MODE_EXCEPTION_NOT_HANDLED (8e)
This is a very common bugcheck.  Usually the exception address pinpoints
the driver/function that caused the problem.  Always note this address
as well as the link date of the driver/image that contains this address.
Some common problems are exception code 0x80000003.  This means a hard
coded breakpoint or assertion was hit, but this system was booted
/NODEBUG.  This is not supposed to happen as developers should never have
hardcoded breakpoints in retail code, but ...
If this happens, make sure a debugger gets connected, and the
system is booted /DEBUG.  This will let us see why this breakpoint is
happening.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: 8056ca09, The address that the exception occurred at
Arg3: b55aeb8c, Trap Frame
Arg4: 00000000

Debugging Details:
------------------


PEB is paged out (Peb.Ldr = 7ffd900c).  Type ".hh dbgerr001" for details

PEB is paged out (Peb.Ldr = 7ffd900c).  Type ".hh dbgerr001" for details

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".

FAULTING_IP:
nt!SeCreateAccessStateEx+36
8056ca09 f3ab            rep stos dword ptr es:[edi]

TRAP_FRAME:  b55aeb8c -- (.trap 0xffffffffb55aeb8c)
ErrCode = 00000002
eax=00000000 ebx=00000001 ecx=0000001d edx=000000d6 esi=8a7b2630 edi=00000001
eip=8056ca09 esp=b55aec00 ebp=b55aec10 iopl=0         nv up ei pl zr na pe nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010246
nt!SeCreateAccessStateEx+0x36:
8056ca09 f3ab            rep stos dword ptr es:[edi]  es:0023:00000001=??
Resetting default scope

DEFAULT_BUCKET_ID:  DRIVER_FAULT

BUGCHECK_STR:  0x8E

PROCESS_NAME:  iexplore.exe

LAST_CONTROL_TRANSFER:  from 805221e9 to 80537672

STACK_TEXT: 
b55ae754 805221e9 0000008e c0000005 8056ca09 nt!KeBugCheckEx+0x1b
b55aeb1c 804de3f3 b55aeb38 00000000 b55aeb8c nt!KiDispatchException+0x3b1
b55aeb84 804de3a4 b55aec10 8056ca09 badb0d00 nt!CommonDispatchException+0x4d
b55aec10 8056ca93 88f2b190 890f7c88 00000001 nt!Kei386EoiHelper+0x18a
b55aec10 8056ca93 88f2b190 890f7c88 00000001 nt!SeCreateAccessState+0x28
b55aec30 805703a9 00000001 8a7b2630 00000000 nt!SeCreateAccessState+0x28
b55aec60 80572cfe 00000000 8a7b25c8 00000001 nt!ObOpenObjectByName+0x8f
b55aed34 b76f054a 01aec804 00000001 01aec770 nt!NtOpenKey+0x1af
WARNING: Stack unwind information not available. Following frames may be wrong.
b55aed50 804dd98f 01aec804 00000001 01aec770 aswSP+0x854a
b55aed50 7c90e4f4 01aec804 00000001 01aec770 nt!KiFastCallEntry+0xfc
01aec7b0 00000000 00000000 00000000 00000000 0x7c90e4f4


STACK_COMMAND:  kb

FOLLOWUP_IP:
aswSP+854a
b76f054a ff75fc          push    dword ptr [ebp-4]

SYMBOL_STACK_INDEX:  8

SYMBOL_NAME:  aswSP+854a

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: aswSP

IMAGE_NAME:  aswSP.SYS

DEBUG_FLR_IMAGE_TIMESTAMP:  482cc53e

FAILURE_BUCKET_ID:  0x8E_aswSP+854a

BUCKET_ID:  0x8E_aswSP+854a

Followup: MachineOwner
---------

0: kd> .trap 0xffffffffb55aeb8c
ErrCode = 00000002
eax=00000000 ebx=00000001 ecx=0000001d edx=000000d6 esi=8a7b2630 edi=00000001
eip=8056ca09 esp=b55aec00 ebp=b55aec10 iopl=0         nv up ei pl zr na pe nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010246
nt!SeCreateAccessStateEx+0x36:
8056ca09 f3ab            rep stos dword ptr es:[edi]  es:0023:00000001=??
0: kd> lmvm aswSP
start    end        module name
b76e8000 b76ff000   aswSP      (no symbols)           
    Loaded symbol image file: aswSP.SYS
    Image path: \SystemRoot\System32\Drivers\aswSP.SYS
    Image name: aswSP.SYS
    Timestamp:        Fri May 16 01:20:30 2008 (482CC53E)
    CheckSum:         00022AA0
    ImageSize:        00017000
    Translations:     0000.04b0 0000.04e0 0409.04b0 0409.04e0

[igor]

Can you upload the zipped dump to ftp://ftp.avast.com/incoming please?
Thanks.

[Heater]

Ok,
File is uploaded, the file is named Heater_Dump.rar

Cheers

[Raht]

Good morning

From yesterdays upgrade to v4.8.1229, I am experiencing same-looking issue. On doing certain tasks, system gets bsoded and aswSP.SYS seems to be at fault here. Bugcheck goes as follows:

0x000000c2 (0x00000007, 0x00000cd4, 0x04030201, 0xe359c908)

I don't have full kernel dump, but I can provoke the bsod ant receive it, if required. Minidump points at aswSP.SYS.

[xdcdx]

Hello,

I am experiencing the same problem.

I got a BSOD on aswSP.sys with the code BAD_POOL_CALLER, and error codes: 000000c2, parameter1 00000007, parameter2 00000cd4, parameter3 04030205, parameter4 e1a98588.

Specifically, I can reproduce this, it always happens when I try to install the Internet Explorer 7 binaries retrieved from: http://www.microsoft.com/downloads/details.aspx?FamilyId=9AE91EBE-3385-447C-8A30-081805B2F90B&displaylang=en

I have Avast v4.8.1229 and Windows XP SP2. I have attached two minidumps that happened when trying to install IE7.

[Vlk]

Please send the minidumps to my email address instead. Attaching them to the forum doesn't work as they're transcoded to text-only content.

Thanks
Vlk

[xdcdx]

I just sent the minidumps by email.

Anyway, I think that if you download the files and rename them again from .log to .dmp, they remain identical to the original ones.

Thanks.

[nvb]

Same Problem here (since two weeks).
BSOD (STOP: 0x000000C2 BAD_POOL_CALLER) and the DUMP says

*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

BAD_POOL_CALLER (c2)
The current thread is making a bad pool request.  Typically this is at a bad IRQL level or double freeing the same allocation, etc.
Arguments:
Arg1: 00000007, Attempt to free pool which was already freed
Arg2: 00000cd4, (reserved)
Arg3: 04030401, Memory contents of the pool block
Arg4: e37e0d68, Address of the block of pool being deallocated

Debugging Details:
------------------

GetUlongFromAddress: unable to read from e0c30d50

POOL_ADDRESS:  e37e0d68

BUGCHECK_STR:  0xc2_7

CUSTOMER_CRASH_COUNT:  1

DEFAULT_BUCKET_ID:  DRIVER_FAULT

LAST_CONTROL_TRANSFER:  from e0c16583 to e0bc4f33

STACK_TEXT: 
f1bb0b6c e0c16583 000000c2 00000007 00000cd4 nt!KeBugCheckEx+0x1b
f1bb0bbc f27ada0a e37e0d68 00000000 e0c2e9e4 nt!ExFreePoolWithTag+0x2a3
WARNING: Stack unwind information not available. Following frames may be wrong.
f1bb0be8 e0c9b0b0 00000944 0000097c f1bb0ce0 aswSP+0x5a0a
f1bb0c08 e0d0e5a9 f1bb0c28 0000097c f1bb0ce0 nt!PsCallImageNotifyRoutines+0x36
f1bb0d0c e0c9ae6b 7c8106f5 00000000 00000000 nt!DbgkCreateThread+0x125
f1bb0d50 e0c110de 00000000 7c8106f5 00000001 nt!PspUserThreadStartup+0x9d
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16


STACK_COMMAND:  kb

FOLLOWUP_IP:
aswSP+5a0a
f27ada0a ??             

SYMBOL_STACK_INDEX:  2

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: aswSP

IMAGE_NAME:  aswSP.SYS

DEBUG_FLR_IMAGE_TIMESTAMP:  4881fba3

SYMBOL_NAME:  aswSP+5a0a

FAILURE_BUCKET_ID:  0xc2_7_aswSP+5a0a

BUCKET_ID:  0xc2_7_aswSP+5a0a

Followup: MachineOwner
---------

If always happens, when i try to start an *.exe on an EXT2 Partition under Windows XP SP3 (mounted via IFS Drivers).
I am very tired with this bug (otherwise, i am happy with the avast Scanner).
Can i exlude the *.exe-files, placed on a special place (e.g. f:\)?

I will send Vlk the minidump via e-mail.

[xdcdx]

I also have several EXT3 partitions mounted via the IFS drivers. Maybe this is causing the problem?

[nvb]

I have uninstalled IFS and used Ext2fsd to mount one ore all partitions. The same BSOD with Ext2fsd. Also an fsck.ext2 under linux didn't improve my situation ;-).
The BSOD-problem started, after installing the game "Dawn of War" with the first both expension sets. After unstalling the game, the problem stays.

I also reinstalled my graficcard etc., nearly everything (except windows ).

IFS-drivers worked fine before.

[xdcdx]

What I meant is that maybe what causes the problem is the conjunction of Avast plus mounted EXT3/2 partitions. Hope this is fixed soon.