*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck 139, {3, ffff8d86d041eaf0, ffff8d86d041ea48, 0}
*** WARNING: Unable to verify timestamp for win32k.sys
*** ERROR: Module load completed but symbols could not be loaded for win32k.sys
Probably caused by : ntkrnlmp.exe ( nt!KiFastFailDispatch+d0 )
Followup: MachineOwner
---------
nt!KeBugCheckEx:
fffff803`e3633330 48894c2408 mov qword ptr [rsp+8],rcx ss:0018:ffff8d86`d041e7d0=0000000000000139
6: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
KERNEL_SECURITY_CHECK_FAILURE (139)
A kernel component has corrupted a critical data structure. The corruption
could potentially allow a malicious user to gain control of this machine.
Arguments:
Arg1: 0000000000000003, A LIST_ENTRY has been corrupted (i.e. double remove).
Arg2: ffff8d86d041eaf0, Address of the trap frame for the exception that caused the bugcheck
Arg3: ffff8d86d041ea48, Address of the exception record for the exception that caused the bugcheck
Arg4: 0000000000000000, Reserved
Debugging Details:
------------------
KEY_VALUES_STRING: 1
STACKHASH_ANALYSIS: 1
TIMELINE_ANALYSIS: 1
DUMP_CLASS: 1
DUMP_QUALIFIER: 400
BUILD_VERSION_STRING: 17134.1.amd64fre.rs4_release.180410-1804
SYSTEM_MANUFACTURER:
SYSTEM_PRODUCT_NAME:
SYSTEM_SKU:
SYSTEM_VERSION:
BIOS_VENDOR: Intel Corp.
BIOS_VERSION: KYSKLi70.86A.0058.2018.0911.1509
BIOS_DATE: 09/11/2018
BASEBOARD_MANUFACTURER: Intel Corporation
BASEBOARD_PRODUCT: NUC6i7KYB
BASEBOARD_VERSION: H90766-404
DUMP_TYPE: 2
BUGCHECK_P1: 3
BUGCHECK_P2: ffff8d86d041eaf0
BUGCHECK_P3: ffff8d86d041ea48
BUGCHECK_P4: 0
TRAP_FRAME: ffff8d86d041eaf0 -- (.trap 0xffff8d86d041eaf0)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=ffffa40412233010 rbx=0000000000000000 rcx=0000000000000003
rdx=0000000000000000 rsi=0000000000000000 rdi=0000000000000000
rip=fffff803e3790e55 rsp=ffff8d86d041ec80 rbp=ffff8d86d041ed09
r8=0000000000000000 r9=0000000000000001 r10=0000000000000001
r11=0000000000000002 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei pl nz na po nc
nt!ExAllocatePoolWithTag+0x1a45:
fffff803`e3790e55 cd29 int 29h
Resetting default scope
EXCEPTION_RECORD: ffff8d86d041ea48 -- (.exr 0xffff8d86d041ea48)
ExceptionAddress: fffff803e3790e55 (nt!ExAllocatePoolWithTag+0x0000000000001a45)
ExceptionCode: c0000409 (Security check failure or stack buffer overrun)
ExceptionFlags: 00000001
NumberParameters: 1
Parameter[0]: 0000000000000003
Subcode: 0x3 FAST_FAIL_CORRUPT_LIST_ENTRY
CPU_COUNT: 8
CPU_MHZ: a20
CPU_VENDOR: GenuineIntel
CPU_FAMILY: 6
CPU_MODEL: 5e
CPU_STEPPING: 3
CPU_MICROCODE: 6,5e,3,0 (F,M,S,R) SIG: C6'00000000 (cache) C6'00000000 (init)
BLACKBOXBSD: 1 (!blackboxbsd)
BLACKBOXPNP: 1 (!blackboxpnp)
CUSTOMER_CRASH_COUNT: 1
BUGCHECK_STR: 0x139
PROCESS_NAME: Registry
CURRENT_IRQL: 1
DEFAULT_BUCKET_ID: FAIL_FAST_CORRUPT_LIST_ENTRY
ERROR_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.
EXCEPTION_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.
EXCEPTION_CODE_STR: c0000409
EXCEPTION_PARAMETER1: 0000000000000003
ANALYSIS_SESSION_HOST: NEMESIS
ANALYSIS_SESSION_TIME: 11-15-2018 03:17:30.0813
ANALYSIS_VERSION: 10.0.18239.1000 amd64fre
LAST_CONTROL_TRANSFER: from fffff803e3643e69 to fffff803e3633330
STACK_TEXT:
ffff8d86`d041e7c8 fffff803`e3643e69 : 00000000`00000139 00000000`00000003 ffff8d86`d041eaf0 ffff8d86`d041ea48 : nt!KeBugCheckEx
ffff8d86`d041e7d0 fffff803`e3644210 : 00000000`00000001 00000000`00000000 ffffa404`0f421590 ffff8d86`d041e9c9 : nt!KiBugCheckDispatch+0x69
ffff8d86`d041e910 fffff803`e364281f : 00000000`00020019 ffffb880`e424e080 ffffb880`ea759e50 fffff803`e3522b98 : nt!KiFastFailDispatch+0xd0
ffff8d86`d041eaf0 fffff803`e3790e55 : ffffc980`6351d750 ffffc980`6351d500 ffffa404`0dbb4720 00000000`00000000 : nt!KiRaiseSecurityCheckFailure+0x2df
ffff8d86`d041ec80 fffff803`e3994644 : 00000000`00000004 00000000`00001000 00000000`2079654b ffff8d86`00000000 : nt!ExAllocatePoolWithTag+0x1a45
ffff8d86`d041ed70 fffff803`e39a58c6 : 00000000`00000010 ffffb880`e9c70601 00000000`00000030 ffff8d86`d041ee48 : nt!ObpAllocateObject+0x1a4
ffff8d86`d041edf0 fffff803`e3999351 : ffff8d86`d041f0b0 00000000`00000001 ffff8d86`d041f840 00000000`00000000 : nt!CmpCreateKeyBody+0x126
ffff8d86`d041eea0 fffff803`e3990e1d : 00000000`0000001c ffff8d86`d041f330 ffff8d86`d041f2e8 00000000`00000000 : nt!CmpDoParseKey+0xa31
ffff8d86`d041f270 fffff803`e39973eb : ffffb880`ea647cd0 ffffa404`0f421501 00000000`00000000 00000000`00000001 : nt!CmpParseKey+0x26d
ffff8d86`d041f450 fffff803`e39a8e5f : ffffb880`ea647b10 ffff8d86`d041f6c8 00000165`00000040 ffffb880`e3701b30 : nt!ObpLookupObjectName+0x73b
ffff8d86`d041f630 fffff803`e39a8b08 : 00000000`00000001 ffffb880`e3701b30 00000000`00000000 00000000`00000001 : nt!ObOpenObjectByNameEx+0x1df
ffff8d86`d041f770 fffff803`e39a517a : 0000001e`032fe408 00000000`00000000 ffff4eee`2351d295 00000000`00000000 : nt!CmOpenKey+0x298
ffff8d86`d041f9c0 fffff803`e3643943 : 0000001e`032fe550 00000000`00000000 ffffb880`e424e080 00000165`134427c0 : nt!NtOpenKey+0x12
ffff8d86`d041fa00 00007ffa`351fa0f4 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13
0000001e`032fed78 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x00007ffa`351fa0f4
THREAD_SHA1_HASH_MOD_FUNC: bef96c157fdb4b2a1ce59fed61b22e46f9faca3a
THREAD_SHA1_HASH_MOD_FUNC_OFFSET: 3cd3cf6839c9f818dac85acc2ad77561d80ff290
THREAD_SHA1_HASH_MOD: 7f608ac2fbce9034a3386b1d51652e4911d30234
FOLLOWUP_IP:
nt!KiFastFailDispatch+d0
fffff803`e3644210 c644242000 mov byte ptr [rsp+20h],0
FAULT_INSTR_CODE: 202444c6
SYMBOL_STACK_INDEX: 2
SYMBOL_NAME: nt!KiFastFailDispatch+d0
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: nt
IMAGE_NAME: ntkrnlmp.exe
DEBUG_FLR_IMAGE_TIMESTAMP: 5b1a4590
IMAGE_VERSION: 10.0.17134.112
STACK_COMMAND: .thread ; .cxr ; kb
BUCKET_ID_FUNC_OFFSET: d0
FAILURE_BUCKET_ID: 0x139_3_CORRUPT_LIST_ENTRY_nt!KiFastFailDispatch
BUCKET_ID: 0x139_3_CORRUPT_LIST_ENTRY_nt!KiFastFailDispatch
PRIMARY_PROBLEM_CLASS: 0x139_3_CORRUPT_LIST_ENTRY_nt!KiFastFailDispatch
TARGET_TIME: 2018-11-15T00:56:07.000Z
OSBUILD: 17134
OSSERVICEPACK: 112
SERVICEPACK_NUMBER: 0
OS_REVISION: 0
SUITE_MASK: 272
PRODUCT_TYPE: 1
OSPLATFORM_TYPE: x64
OSNAME: Windows 10
OSEDITION: Windows 10 WinNt TerminalServer SingleUserTS
OS_LOCALE:
USER_LCID: 0
OSBUILD_TIMESTAMP: 2018-06-08 05:00:00
BUILDDATESTAMP_STR: 180410-1804
BUILDLAB_STR: rs4_release
BUILDOSVER_STR: 10.0.17134.1.amd64fre.rs4_release.180410-1804
ANALYSIS_SESSION_ELAPSED_TIME: 9e5
ANALYSIS_SOURCE: KM
FAILURE_ID_HASH_STRING: km:0x139_3_corrupt_list_entry_nt!kifastfaildispatch
FAILURE_ID_HASH: {3aede96a-54dd-40d6-d4cb-2a161a843851}
Followup: MachineOwner
---------