I'm working on a computer running Windows 10 (Build 16299) that keeps crashing with a KERNEL_SECURITY_CHECK_FAILURE code. I've done quite a bit of research, but this crash seems pretty unique. Microsoft has a list of the bugcheck parameters, but the one that I'm seeing, 1e
(or presumably its decimal equivalent, 30) doesn't show up on that list. Turns out it's an internal code used by Microsoft and will not be documented publicly (although someone recently commented on that, so I wonder if it's becoming a more common crash).
So far I have:
DISM /Online /Cleanup-Image /RestoreHealth
and sfc /scannow
There doesn't seem to be any rhyme or reason to the crash; it just happens randomly. No single app is causing it in specific as far as we can tell. Each crash dump lists a different process. One thing I've noticed in common between all of the minidumps I've looked at for this computer is LAST_CONTROL_TRANSFER: from fffff80174793f69 to fffff801747833c0
. I only have a fairly basic understanding of computer architecture, so I'm not totally sure how to interpret that.
Below is the output of the most recent minidump that was generated:
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
KERNEL_SECURITY_CHECK_FAILURE (139)
A kernel component has corrupted a critical data structure. The corruption
could potentially allow a malicious user to gain control of this machine.
Arguments:
Arg1: 000000000000001e, Type of memory safety violation
Arg2: fffff8038e9fca40, Address of the trap frame for the exception that caused the bugcheck
Arg3: fffff8038e9fc998, Address of the exception record for the exception that caused the bugcheck
Arg4: 0000000000000000, Reserved
Debugging Details:
------------------
KEY_VALUES_STRING: 1
PROCESSES_ANALYSIS: 1
SERVICE_ANALYSIS: 1
STACKHASH_ANALYSIS: 1
TIMELINE_ANALYSIS: 1
DUMP_CLASS: 1
DUMP_QUALIFIER: 400
BUILD_VERSION_STRING: 16299.637.amd64fre.rs3_release_svc.180808-1748
SYSTEM_MANUFACTURER: Dell Inc.
SYSTEM_PRODUCT_NAME: Precision 3510
SYSTEM_SKU: 06E0
BIOS_VENDOR: Dell Inc.
BIOS_VERSION: 1.21.6
BIOS_DATE: 10/02/2019
BASEBOARD_MANUFACTURER: Dell Inc.
BASEBOARD_PRODUCT: 0PVGJH
BASEBOARD_VERSION: A00
DUMP_TYPE: 2
BUGCHECK_P1: 1e
BUGCHECK_P2: fffff8038e9fca40
BUGCHECK_P3: fffff8038e9fc998
BUGCHECK_P4: 0
TRAP_FRAME: fffff8038e9fca40 -- (.trap 0xfffff8038e9fca40)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=ffff850743100400 rbx=0000000000000000 rcx=000000000000001e
rdx=0000000000000000 rsi=0000000000000000 rdi=0000000000000000
rip=fffff8038b7a314d rsp=fffff8038e9fcbd0 rbp=fffff8038e9fcc50
r8=0000000000000084 r9=00000000000000ff r10=fffff8038b608000
r11=0000000000000000 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei ng nz na po cy
nt!KiDeferredReadyThread+0x12840d:
fffff803`8b7a314d cd29 int 29h
Resetting default scope
EXCEPTION_RECORD: fffff8038e9fc998 -- (.exr 0xfffff8038e9fc998)
ExceptionAddress: fffff8038b7a314d (nt!KiDeferredReadyThread+0x000000000012840d)
ExceptionCode: c0000409 (Security check failure or stack buffer overrun)
ExceptionFlags: 00000001
NumberParameters: 1
Parameter[0]: 000000000000001e
Subcode: 0x1e FAST_FAIL_INVALID_NEXT_THREAD
CPU_COUNT: 8
CPU_MHZ: a98
CPU_VENDOR: GenuineIntel
CPU_FAMILY: 6
CPU_MODEL: 5e
CPU_STEPPING: 3
CPU_MICROCODE: 6,5e,3,0 (F,M,S,R) SIG: CC'00000000 (cache) CC'00000000 (init)
BLACKBOXBSD: 1 (!blackboxbsd)
BLACKBOXPNP: 1 (!blackboxpnp)
CUSTOMER_CRASH_COUNT: 1
BUGCHECK_STR: 0x139
PROCESS_NAME: chrome.exe
CURRENT_IRQL: 2
DEFAULT_BUCKET_ID: FAIL_FAST_INVALID_NEXT_THREAD
ERROR_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.
EXCEPTION_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.
EXCEPTION_CODE_STR: c0000409
EXCEPTION_PARAMETER1: 000000000000001e
ANALYSIS_SESSION_HOST: XXXXXXXX
ANALYSIS_SESSION_TIME: 05-06-2020 14:39:39.0266
ANALYSIS_VERSION: 10.0.18362.1 amd64fre
DPC_STACK_BASE: FFFFF8038E9FCFB0
LAST_CONTROL_TRANSFER: from fffff8038b799f69 to fffff8038b7893c0
STACK_TEXT:
fffff803`8e9fc718 fffff803`8b799f69 : 00000000`00000139 00000000`0000001e fffff803`8e9fca40 fffff803`8e9fc998 : nt!KeBugCheckEx
fffff803`8e9fc720 fffff803`8b79a310 : 00000000`00000000 ffff8507`24354370 ffff8507`24a0e000 fffff803`8b78fdab : nt!KiBugCheckDispatch+0x69
fffff803`8e9fc860 fffff803`8b798925 : 00000000`00000000 ffff8507`24bde000 ffff8507`24a5d800 fffff803`8b623078 : nt!KiFastFailDispatch+0xd0
fffff803`8e9fca40 fffff803`8b7a314d : ffff8507`2cc6d080 ffff8507`00000000 ffff8507`00000015 fffff803`8e9fcca8 : nt!KiRaiseSecurityCheckFailure+0x2e5
fffff803`8e9fcbd0 fffff803`8b69b3e3 : fffff803`8974b180 00000000`00000002 fffff803`00000000 00000175`00000001 : nt!KiDeferredReadyThread+0x12840d
fffff803`8e9fcc90 fffff803`8b69bd1e : fffff803`8974b180 ffff8507`2cc6d1f0 fffff803`8e9fce68 ffff8507`00000000 : nt!KiReadyThread+0x33
fffff803`8e9fccc0 fffff803`8b69cc8d : 00000000`00000000 00000000`00000000 00000000`00286978 fffff803`8974b180 : nt!KiProcessExpiredTimerList+0x27e
fffff803`8e9fcdb0 fffff803`8b790365 : 00000000`00000000 fffff803`8974b180 ffff8286`55608a80 fffff803`8bf39890 : nt!KiRetireDpcList+0x43d
fffff803`8e9fcfb0 fffff803`8b790170 : 00000000`00000000 fffff803`8bee6356 ffff8507`2e0a2700 00000000`0a23fe60 : nt!KxRetireDpcList+0x5
ffff8286`556089c0 fffff803`8b78faa5 : 00000000`09bdd918 fffff803`8b78b1d1 00000000`ffffffff ffff8507`2e0a2700 : nt!KiDispatchInterruptContinue
ffff8286`556089f0 fffff803`8b78b1d1 : 00000000`ffffffff ffff8507`2e0a2700 ffff8286`00000000 ffff8507`34701890 : nt!KiDpcInterruptBypass+0x25
ffff8286`55608a00 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiInterruptDispatchNoLockNoEtw+0xb1
THREAD_SHA1_HASH_MOD_FUNC: 153280be3df77d976d88771fbe16e1f2f8a7b37f
THREAD_SHA1_HASH_MOD_FUNC_OFFSET: 536a7bc8cbbd2ddc7135b6f3fadef41d0a0bae49
THREAD_SHA1_HASH_MOD: dc844b1b94baa204d070855e43bbbd27eee98b94
FOLLOWUP_IP:
nt!KiFastFailDispatch+d0
fffff803`8b79a310 c644242000 mov byte ptr [rsp+20h],0
FAULT_INSTR_CODE: 202444c6
SYMBOL_STACK_INDEX: 2
SYMBOL_NAME: nt!KiFastFailDispatch+d0
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: nt
IMAGE_NAME: ntkrnlmp.exe
DEBUG_FLR_IMAGE_TIMESTAMP: 5e7ad045
IMAGE_VERSION: 10.0.16299.1776
STACK_COMMAND: .thread ; .cxr ; kb
BUCKET_ID_FUNC_OFFSET: d0
FAILURE_BUCKET_ID: 0x139_1e_INVALID_NEXT_THREAD_nt!KiFastFailDispatch
BUCKET_ID: 0x139_1e_INVALID_NEXT_THREAD_nt!KiFastFailDispatch
PRIMARY_PROBLEM_CLASS: 0x139_1e_INVALID_NEXT_THREAD_nt!KiFastFailDispatch
TARGET_TIME: 2020-05-06T18:50:16.000Z
OSBUILD: 16299
OSSERVICEPACK: 1776
SERVICEPACK_NUMBER: 0
OS_REVISION: 0
SUITE_MASK: 272
PRODUCT_TYPE: 1
OSPLATFORM_TYPE: x64
OSNAME: Windows 10
OSEDITION: Windows 10 WinNt TerminalServer SingleUserTS
OS_LOCALE:
USER_LCID: 0
OSBUILD_TIMESTAMP: 2020-03-24 22:30:13
BUILDDATESTAMP_STR: 180808-1748
BUILDLAB_STR: rs3_release_svc
BUILDOSVER_STR: 10.0.16299.637.amd64fre.rs3_release_svc.180808-1748
ANALYSIS_SESSION_ELAPSED_TIME: 378c
ANALYSIS_SOURCE: KM
FAILURE_ID_HASH_STRING: km:0x139_1e_invalid_next_thread_nt!kifastfaildispatch
FAILURE_ID_HASH: {bef176cd-c482-4279-6644-552334c6dc54}
Followup: MachineOwner
---------
User contributions licensed under CC BY-SA 3.0