2: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
KERNEL_SECURITY_CHECK_FAILURE (139)
A kernel component has corrupted a critical data structure. The corruption
could potentially allow a malicious user to gain control of this machine.
Arguments:
Arg1: 0000000000000003, A LIST_ENTRY has been corrupted (i.e. double remove).
Arg2: ffffd0002e60d3b0, Address of the trap frame for the exception that caused the bugcheck
Arg3: ffffd0002e60d308, Address of the exception record for the exception that caused the bugcheck
Arg4: 0000000000000000, Reserved
Debugging Details:
------------------
TRAP_FRAME: ffffd0002e60d3b0 -- (.trap 0xffffd0002e60d3b0)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=ffffe00079566788 rbx=0000000000000000 rcx=0000000000000003
rdx=0000000000000000 rsi=0000000000000000 rdi=0000000000000000
rip=fffff80153a020f8 rsp=ffffd0002e60d540 rbp=0000000000000002
r8=0000000000000001 r9=0000000000000002 r10=0000000000000000
r11=ffffd0002e60d620 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei ng nz na pe cy
nt! ?? ::FNODOBFM::`string'+0x1c2f8:
fffff801`53a020f8 cd29 int 29h
Resetting default scope
EXCEPTION_RECORD: ffffd0002e60d308 -- (.exr 0xffffd0002e60d308)
ExceptionAddress: fffff80153a020f8 (nt! ?? ::FNODOBFM::`string'+0x000000000001c2f8)
ExceptionCode: c0000409 (Security check failure or stack buffer overrun)
ExceptionFlags: 00000001
NumberParameters: 1
Parameter[0]: 0000000000000003
CUSTOMER_CRASH_COUNT: 1
DEFAULT_BUCKET_ID: LIST_ENTRY_CORRUPT
BUGCHECK_STR: 0x139
PROCESS_NAME: Everything.exe
CURRENT_IRQL: 2
ERROR_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.
EXCEPTION_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.
EXCEPTION_PARAMETER1: 0000000000000003
ANALYSIS_VERSION: 6.3.9600.17336 (debuggers(dbg).150226-1500) amd64fre
EXCEPTION_STR: 0x0
LAST_CONTROL_TRANSFER: from fffff801539e1ba9 to fffff801539d7240
STACK_TEXT:
ffffd000`2e60d088 fffff801`539e1ba9 : 00000000`00000139 00000000`00000003 ffffd000`2e60d3b0 ffffd000`2e60d308 : nt!KeBugCheckEx
ffffd000`2e60d090 fffff801`539e1ed0 : ffffe000`317cd080 fffff801`53bef780 00000000`00000000 00000000`00000000 : nt!KiBugCheckDispatch+0x69
ffffd000`2e60d1d0 fffff801`539e10f4 : 0000003e`1db96b00 fffff801`53819854 ffffe000`66d54001 fffff801`53bec180 : nt!KiFastFailDispatch+0xd0
ffffd000`2e60d3b0 fffff801`53a020f8 : 00000000`00000000 ffffd000`2e60db00 fffff901`41d77b20 fffff960`216b4dae : nt!KiRaiseSecurityCheckFailure+0xf4
ffffd000`2e60d540 fffff801`538d0b76 : ffffe000`00000000 ffffe000`70c40ad0 ffffd000`2048b180 00000000`00000000 : nt! ?? ::FNODOBFM::`string'+0x1c2f8
ffffd000`2e60d5a0 fffff960`2165dfff : fffff901`41d77b20 ffffd000`2e60db80 00000000`00000200 fffff901`437266b0 : nt!KeSetEvent+0x106
ffffd000`2e60d630 fffff960`2165cc1b : fffff901`41e453b0 fffff801`00000403 00000000`00000000 00000000`00000000 : win32kfull!xxxInterSendMsgEx+0x123f
ffffd000`2e60d780 fffff960`21658a78 : 00000000`00000000 00000000`00003dbf 00000000`00003dff fffff801`538db47f : win32kfull!xxxReceiveMessage+0x87b
ffffd000`2e60d8d0 fffff960`21657d84 : ffffd000`2e60da48 ffffd000`2e60c240 00000000`00000000 00000000`ffffffff : win32kfull!xxxRealInternalGetMessage+0x468
ffffd000`2e60da00 fffff801`539e1863 : ffffe000`317cd080 00000000`0014fc18 ffffd000`2e60daa8 00000000`00000000 : win32kfull!NtUserPeekMessage+0x94
ffffd000`2e60da90 00007ffa`b1fffc6a : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13
00000000`0014fbf8 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x00007ffa`b1fffc6a
STACK_COMMAND: kb
FOLLOWUP_IP:
win32kfull!xxxInterSendMsgEx+123f
fffff960`2165dfff 488bcf mov rcx,rdi
SYMBOL_STACK_INDEX: 6
SYMBOL_NAME: win32kfull!xxxInterSendMsgEx+123f
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: win32kfull
IMAGE_NAME: win32kfull.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 56048272
IMAGE_VERSION: 10.0.10240.16520
BUCKET_ID_FUNC_OFFSET: 123f
FAILURE_BUCKET_ID: 0x139_3_win32kfull!xxxInterSendMsgEx
BUCKET_ID: 0x139_3_win32kfull!xxxInterSendMsgEx
ANALYSIS_SOURCE: KM
FAILURE_ID_HASH_STRING: km:0x139_3_win32kfull!xxxintersendmsgex
FAILURE_ID_HASH: {591121ac-11b4-e8c1-11b2-cc0061dde8bf}
Followup: MachineOwner