CRITICAL_PROCESS_DIED (ef)
A critical system process died
Arguments:
Arg1: ffffd80373d0c340, Process object or thread object
Arg2: 0000000000000000, If this is 0, a process died. If this is 1, a thread died.
Arg3: 0000000000000000
Arg4: 0000000000000000
Debugging Details:
------------------
*** WARNING: Unable to verify checksum for win32k.sys
KEY_VALUES_STRING: 1
Key : Analysis.CPU.mSec
Value: 5843
Key : Analysis.DebugAnalysisManager
Value: Create
Key : Analysis.Elapsed.mSec
Value: 11659
Key : Analysis.Init.CPU.mSec
Value: 577
Key : Analysis.Init.Elapsed.mSec
Value: 10035
Key : Analysis.Memory.CommitPeak.Mb
Value: 78
Key : CriticalProcessDied.ExceptionCode
Value: 67e93080
Key : CriticalProcessDied.Process
Value: svchost.exe
Key : WER.OS.Branch
Value: vb_release
Key : WER.OS.Timestamp
Value: 2019-12-06T14:06:00Z
Key : WER.OS.Version
Value: 10.0.19041.1
BUGCHECK_CODE: ef
BUGCHECK_P1: ffffd80373d0c340
BUGCHECK_P2: 0
BUGCHECK_P3: 0
BUGCHECK_P4: 0
PROCESS_NAME: svchost.exe
CRITICAL_PROCESS: svchost.exe
ERROR_CODE: (NTSTATUS) 0x67e93080 - <Unable to get error code text>
BLACKBOXBSD: 1 (!blackboxbsd)
BLACKBOXNTFS: 1 (!blackboxntfs)
BLACKBOXPNP: 1 (!blackboxpnp)
BLACKBOXWINLOGON: 1
CUSTOMER_CRASH_COUNT: 1
STACK_TEXT:
ffffcf8a`9b14f938 fffff802`5b3069e2 : 00000000`000000ef ffffd803`73d0c340 00000000`00000000 00000000`00000000 : nt!KeBugCheckEx
ffffcf8a`9b14f940 fffff802`5b249f75 : 00000000`00000000 fffff802`5ad597ad 00000000`00000002 fffff802`5ad58dc7 : nt!PspCatchCriticalBreak+0x10e
ffffcf8a`9b14f9e0 fffff802`5b109cc4 : ffffd803`00000000 00000000`00000000 ffffd803`73d0c340 ffffd803`73d0c778 : nt!PspTerminateAllThreads+0x1409e9
ffffcf8a`9b14fa50 fffff802`5b109fec : ffffd803`73d0c340 00000000`00000000 00000035`241ff6cc fffff802`5b035d5a : nt!PspTerminateProcess+0xe0
ffffcf8a`9b14fa90 fffff802`5ae075b8 : ffffd803`73d0c340 ffffd803`67e93080 ffffcf8a`9b14fb80 ffffd803`73d0c340 : nt!NtTerminateProcess+0x9c
ffffcf8a`9b14fb00 00007ffd`52acd194 : 00007ffd`52b42943 00007ffd`52b76710 00000035`241ff690 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x28
00000035`241fd2a8 00007ffd`52b42943 : 00007ffd`52b76710 00000035`241ff690 00000000`00000000 00007ffd`52a30000 : 0x00007ffd`52acd194
00000035`241fd2b0 00007ffd`52b76710 : 00000035`241ff690 00000000`00000000 00007ffd`52a30000 00000000`00000004 : 0x00007ffd`52b42943
00000035`241fd2b8 00000035`241ff690 : 00000000`00000000 00007ffd`52a30000 00000000`00000004 00007ffd`52ad51ad : 0x00007ffd`52b76710
00000035`241fd2c0 00000000`00000000 : 00007ffd`52a30000 00000000`00000004 00007ffd`52ad51ad 00007ffd`52b76710 : 0x00000035`241ff690
SYMBOL_NAME: nt!PspCatchCriticalBreak+10e
MODULE_NAME: nt
IMAGE_NAME: ntkrnlmp.exe
IMAGE_VERSION: 10.0.19041.867
STACK_COMMAND: .thread ; .cxr ; kb
BUCKET_ID_FUNC_OFFSET: 10e
FAILURE_BUCKET_ID: 0xEF_svchost.exe_BUGCHECK_CRITICAL_PROCESS_67e93080_nt!PspCatchCriticalBreak
OS_VERSION: 10.0.19041.1
BUILDLAB_STR: vb_release
OSPLATFORM_TYPE: x64
OSNAME: Windows 10
FAILURE_ID_HASH: {b205271e-7b75-db2a-657d-822f5d973c1b}
Followup: MachineOwner
---------
IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.
Arguments:
Arg1: 00000000000003a4, memory referenced
Arg2: 0000000000000002, IRQL
Arg3: 0000000000000000, bitfield :
bit 0 : value 0 = read operation, 1 = write operation
bit 3 : value 0 = not an execute operation, 1 = execute operation (only on chips which support this level of status)
Arg4: fffff8017f4a2c8b, address which referenced memory
Debugging Details:
------------------
KEY_VALUES_STRING: 1
Key : Analysis.CPU.mSec
Value: 4858
Key : Analysis.DebugAnalysisManager
Value: Create
Key : Analysis.Elapsed.mSec
Value: 9656
Key : Analysis.Init.CPU.mSec
Value: 515
Key : Analysis.Init.Elapsed.mSec
Value: 13345
Key : Analysis.Memory.CommitPeak.Mb
Value: 77
Key : WER.OS.Branch
Value: vb_release
Key : WER.OS.Timestamp
Value: 2019-12-06T14:06:00Z
Key : WER.OS.Version
Value: 10.0.19041.1
BUGCHECK_CODE: a
BUGCHECK_P1: 3a4
BUGCHECK_P2: 2
BUGCHECK_P3: 0
BUGCHECK_P4: fffff8017f4a2c8b
READ_ADDRESS: fffff8017fefb390: Unable to get MiVisibleState
Unable to get NonPagedPoolStart
Unable to get NonPagedPoolEnd
Unable to get PagedPoolStart
Unable to get PagedPoolEnd
unable to get nt!MmSpecialPagesInUse
00000000000003a4
BLACKBOXBSD: 1 (!blackboxbsd)
BLACKBOXNTFS: 1 (!blackboxntfs)
BLACKBOXPNP: 1 (!blackboxpnp)
BLACKBOXWINLOGON: 1
CUSTOMER_CRASH_COUNT: 1
PROCESS_NAME: lsass.exe
TRAP_FRAME: fffffd86eb63e400 -- (.trap 0xfffffd86eb63e400)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=0000000000000002 rbx=0000000000000000 rcx=00000000ffffff01
rdx=00000000000003a4 rsi=0000000000000000 rdi=0000000000000000
rip=fffff8017f4a2c8b rsp=fffffd86eb63e590 rbp=0000000000000000
r8=00000000000000a5 r9=ffffb081b6b2bd70 r10=0000000000000001
r11=ffffb081b1d969d8 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei pl nz na pe nc
nt!RtlAvlInsertNodeEx+0x6b:
fffff801`7f4a2c8b 48391a cmp qword ptr [rdx],rbx ds:00000000`000003a4=????????????????
Resetting default scope
STACK_TEXT:
fffffd86`eb63e2b8 fffff801`7f607b69 : 00000000`0000000a 00000000`000003a4 00000000`00000002 00000000`00000000 : nt!KeBugCheckEx
fffffd86`eb63e2c0 fffff801`7f603e69 : 00000000`00000000 ffff8558`0c084020 00000000`00000002 ffff8542`ac060420 : nt!KiBugCheckDispatch+0x69
fffffd86`eb63e400 fffff801`7f4a2c8b : ffffb081`b1d96200 00000000`00000000 00000000`00000000 00000000`00000003 : nt!KiPageFault+0x469
fffffd86`eb63e590 fffff801`7f4a2b63 : 00000007`fff70142 ffffb081`b1d96200 ffffb081`bf96b7e0 ffffb081`b1453f18 : nt!RtlAvlInsertNodeEx+0x6b
fffffd86`eb63e5d0 fffff801`7f4a277d : ffffb081`bf96b7e0 fffffd86`eb63e780 ffffb081`bf96b7e0 ffffb081`bf96b7e0 : nt!MiInsertVad+0x163
fffffd86`eb63e620 fffff801`7f836734 : 00000000`00000842 fffffd86`eb63e780 ffffb081`bf96b7e0 fffffd86`eb63e900 : nt!MiGetWsAndInsertVad+0x2d
fffffd86`eb63e680 fffff801`7f8323bc : ffffb081`b3ba7520 00000000`00000000 fffffd86`eb63e858 fffffd86`eb63e9b8 : nt!MiMapViewOfImageSection+0x514
fffffd86`eb63e800 fffff801`7f833d79 : 00000000`00000000 fffffd86`eb63eb80 00000264`ed8d8610 00000000`00000000 : nt!MiMapViewOfSection+0x3fc
fffffd86`eb63e950 fffff801`7f6075b8 : ffffb081`bbecb040 000000dd`91b3dea8 00000000`00000000 00000000`00000000 : nt!NtMapViewOfSection+0x159
fffffd86`eb63ea90 00007fff`8deed114 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x28
000000dd`91b3de88 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x00007fff`8deed114
SYMBOL_NAME: nt!RtlAvlInsertNodeEx+6b
MODULE_NAME: nt
IMAGE_NAME: ntkrnlmp.exe
IMAGE_VERSION: 10.0.19041.867
STACK_COMMAND: .thread ; .cxr ; kb
BUCKET_ID_FUNC_OFFSET: 6b
FAILURE_BUCKET_ID: AV_nt!RtlAvlInsertNodeEx
OS_VERSION: 10.0.19041.1
BUILDLAB_STR: vb_release
OSPLATFORM_TYPE: x64
OSNAME: Windows 10
FAILURE_ID_HASH: {5534c61b-8588-1c8e-dde4-5603d0a8d33b}
Followup: MachineOwner
---------
INTERNAL_POWER_ERROR (a0)
The power policy manager experienced a fatal error.
Arguments:
Arg1: 000000000000010e, The disk subsystem returned corrupt data while reading from the
hibernation file.
Arg2: 000000000000000a
Arg3: 000000000000f4b6, Incorrect checksum
Arg4: 000000000000c0aa, Previous disk read's checksum
Debugging Details:
------------------
KEY_VALUES_STRING: 1
Key : Analysis.CPU.mSec
Value: 2640
Key : Analysis.DebugAnalysisManager
Value: Create
Key : Analysis.Elapsed.mSec
Value: 4800
Key : Analysis.Init.CPU.mSec
Value: 1015
Key : Analysis.Init.Elapsed.mSec
Value: 21327
Key : Analysis.Memory.CommitPeak.Mb
Value: 74
DUMP_FILE_ATTRIBUTES: 0x9
Hiber Crash Dump
Kernel Generated Triage Dump
BUGCHECK_CODE: a0
BUGCHECK_P1: 10e
BUGCHECK_P2: a
BUGCHECK_P3: f4b6
BUGCHECK_P4: c0aa
CUSTOMER_CRASH_COUNT: 1
STACK_TEXT:
ffffea0b`9a110648 fffff801`425a07ee : 00000000`000000a0 00000000`0000010e 00000000`0000000a 00000000`0000f4b6 : nt!KeBugCheckEx
ffffea0b`9a110650 fffff801`425adc01 : 00000000`00000001 ffffc18a`d16de050 00000001`c9e2c000 ffffc18a`f23d2000 : nt!PopHiberChecksumHiberFileData+0x103ae
ffffea0b`9a1106b0 fffff801`4259fdc7 : 00000000`00000000 ffff9408`11139f38 00000000`00000001 00000000`00000001 : nt!PopRequestRead+0x7d
ffffea0b`9a110720 fffff801`4258f5d0 : 00015bae`a4ee301d ffff9408`11139f38 00000000`00000000 00000000`00000000 : nt!PopRestoreHiberContext+0x1069f
ffffea0b`9a1107b0 fffff801`4258f316 : fffff801`428504e0 ffffea0b`9a110930 fffff801`428504e0 00000000`00000100 : nt!PopHandleNextState+0x210
ffffea0b`9a110800 fffff801`4258f093 : 00000000`00000100 fffff801`428504e0 00000189`a8130def 00000000`00989680 : nt!PopIssueNextState+0x1a
ffffea0b`9a110830 fffff801`42591c99 : ffffea0b`9a110b20 00000000`00000000 00000000`00000000 fffff801`42591a1f : nt!PopInvokeSystemStateHandler+0x33b
ffffea0b`9a110a30 fffff801`4258c98a : ffffffff`00000000 ffffffff`ffffffff 00000000`00000000 00000000`00000000 : nt!PopEndMirroring+0x1e9
ffffea0b`9a110af0 fffff801`4258c675 : 00000000`00000000 00000000`00000000 00000000`00000001 ffffc18a`cc48a040 : nt!MmDuplicateMemory+0x2be
ffffea0b`9a110b80 fffff801`41f17e25 : ffffc18a`dba0c000 ffffc18a`dba0c040 fffff801`4258c540 00000000`00000001 : nt!PopTransitionToSleep+0x135
ffffea0b`9a110c10 fffff801`41ffd0d8 : ffffab01`a29c0180 ffffc18a`dba0c040 fffff801`41f17dd0 00000000`00000246 : nt!PspSystemThreadStartup+0x55
ffffea0b`9a110c60 00000000`00000000 : ffffea0b`9a111000 ffffea0b`9a10b000 00000000`00000000 00000000`00000000 : nt!KiStartSystemThread+0x28
SYMBOL_NAME: nt!PopHiberChecksumHiberFileData+103ae
MODULE_NAME: nt
IMAGE_NAME: ntkrnlmp.exe
IMAGE_VERSION: 10.0.19041.804
STACK_COMMAND: .thread ; .cxr ; kb
BUCKET_ID_FUNC_OFFSET: 103ae
FAILURE_BUCKET_ID: 0xa0_10e_nt!PopHiberChecksumHiberFileData
OSPLATFORM_TYPE: x64
OSNAME: Windows 10
FAILURE_ID_HASH: {28ba2091-a476-6f77-2dec-6241bccd4685}
Followup: MachineOwner
---------
INTERNAL_POWER_ERROR (a0)
The power policy manager experienced a fatal error.
Arguments:
Arg1: 000000000000010e, The disk subsystem returned corrupt data while reading from the
hibernation file.
Arg2: 000000000000000a
Arg3: 0000000000001f90, Incorrect checksum
Arg4: 0000000000000a0f, Previous disk read's checksum
Debugging Details:
------------------
KEY_VALUES_STRING: 1
Key : Analysis.CPU.mSec
Value: 3311
Key : Analysis.DebugAnalysisManager
Value: Create
Key : Analysis.Elapsed.mSec
Value: 6692
Key : Analysis.Init.CPU.mSec
Value: 609
Key : Analysis.Init.Elapsed.mSec
Value: 18890
Key : Analysis.Memory.CommitPeak.Mb
Value: 75
DUMP_FILE_ATTRIBUTES: 0x9
Hiber Crash Dump
Kernel Generated Triage Dump
BUGCHECK_CODE: a0
BUGCHECK_P1: 10e
BUGCHECK_P2: a
BUGCHECK_P3: 1f90
BUGCHECK_P4: a0f
CUSTOMER_CRASH_COUNT: 1
STACK_TEXT:
ffffc302`beb252e8 fffff800`3dba07ee : 00000000`000000a0 00000000`0000010e 00000000`0000000a 00000000`00001f90 : nt!KeBugCheckEx
ffffc302`beb252f0 fffff800`3dbadc01 : 00000000`00000001 ffff8e08`276e7310 00000002`fa0e7000 ffff8e08`47b52000 : nt!PopHiberChecksumHiberFileData+0x103ae
ffffc302`beb25350 fffff800`3dbad5b6 : 00000000`00000000 ffffc80f`37139f38 ffffc302`beb25450 00000000`00000002 : nt!PopRequestRead+0x7d
ffffc302`beb253c0 fffff800`3d5856e4 : ffffc80f`37139dd0 00000000`00000000 fffff800`4dad1010 fffff800`4bfc905f : nt!PopDecompressCallback+0x16
ffffc302`beb253f0 fffff800`3d78ca26 : ffff8e08`47b92d21 ffffdb81`43a0c070 00000000`00000000 00000000`00000000 : nt!RtlpMakeXpressCallback+0x24
ffffc302`beb25420 fffff800`3d78c122 : ffffdb81`43a00000 ffffdb81`43a00000 ffffc302`beb25600 00000000`00000000 : nt!RtlDecompressBufferXpressLzProgress+0x26e
ffffc302`beb254a0 fffff800`3db9eacb : 00000000`00000001 ffffc302`beb25600 00000000`00000000 00000000`00010000 : nt!RtlDecompressBufferProgress+0x62
ffffc302`beb25500 fffff800`3db9fde4 : 00000000`00000000 ffffc80f`37139f38 00000000`00000001 00000000`00000001 : nt!PopDecompressHiberBlocks+0x111df
ffffc302`beb25720 fffff800`3db8f5d0 : 0001ac53`633d7ffe ffffc80f`37139f38 00000000`00000000 00000000`00000000 : nt!PopRestoreHiberContext+0x106bc
ffffc302`beb257b0 fffff800`3db8f316 : fffff800`3de50620 ffffc302`beb25930 fffff800`3de50620 00000000`00000100 : nt!PopHandleNextState+0x210
ffffc302`beb25800 fffff800`3db8f093 : 00000000`00000100 fffff800`3de50620 000001b4`06b82fb9 00000000`00989680 : nt!PopIssueNextState+0x1a
ffffc302`beb25830 fffff800`3db91c99 : ffffc302`beb25b20 00000000`00000000 00000000`00000000 fffff800`3db91a1f : nt!PopInvokeSystemStateHandler+0x33b
ffffc302`beb25a30 fffff800`3db8c98a : ffffffff`00000000 ffffffff`ffffffff 00000000`00000000 00000000`00000000 : nt!PopEndMirroring+0x1e9
ffffc302`beb25af0 fffff800`3db8c675 : 00000000`00000000 00000000`00000000 00000000`00000001 00000000`00000000 : nt!MmDuplicateMemory+0x2be
ffffc302`beb25b80 fffff800`3d517e85 : ffff8e08`27e93000 ffff8e08`27e93040 fffff800`3db8c540 00000000`00000001 : nt!PopTransitionToSleep+0x135
ffffc302`beb25c10 fffff800`3d5fd2a8 : ffffdb81`415dd180 ffff8e08`27e93040 fffff800`3d517e30 00000000`00000246 : nt!PspSystemThreadStartup+0x55
ffffc302`beb25c60 00000000`00000000 : ffffc302`beb26000 ffffc302`beb20000 00000000`00000000 00000000`00000000 : nt!KiStartSystemThread+0x28
SYMBOL_NAME: nt!PopHiberChecksumHiberFileData+103ae
MODULE_NAME: nt
IMAGE_NAME: ntkrnlmp.exe
IMAGE_VERSION: 10.0.19041.867
STACK_COMMAND: .thread ; .cxr ; kb
BUCKET_ID_FUNC_OFFSET: 103ae
FAILURE_BUCKET_ID: 0xa0_10e_nt!PopHiberChecksumHiberFileData
OSPLATFORM_TYPE: x64
OSNAME: Windows 10
FAILURE_ID_HASH: {28ba2091-a476-6f77-2dec-6241bccd4685}
Followup: MachineOwner
---------
DRIVER_OVERRAN_STACK_BUFFER (f7)
A driver has overrun a stack-based buffer. This overrun could potentially
allow a malicious user to gain control of this machine.
DESCRIPTION
A driver overran a stack-based buffer (or local variable) in a way that would
have overwritten the function's return address and jumped back to an arbitrary
address when the function returned. This is the classic "buffer overrun"
hacking attack and the system has been brought down to prevent a malicious user
from gaining complete control of it.
Do a kb to get a stack backtrace -- the last routine on the stack before the
buffer overrun handlers and bugcheck call is the one that overran its local
variable(s).
Arguments:
Arg1: 00008a1afb507778, Actual security check cookie from the stack
Arg2: 0000fffffb507778, Expected security check cookie
Arg3: ffff75e504af8887, Complement of the expected security check cookie
Arg4: 0000000000000000, zero
Debugging Details:
------------------
KEY_VALUES_STRING: 1
Key : Analysis.CPU.mSec
Value: 3937
Key : Analysis.DebugAnalysisManager
Value: Create
Key : Analysis.Elapsed.mSec
Value: 4827
Key : Analysis.Init.CPU.mSec
Value: 593
Key : Analysis.Init.Elapsed.mSec
Value: 16317
Key : Analysis.Memory.CommitPeak.Mb
Value: 74
Key : WER.OS.Branch
Value: vb_release
Key : WER.OS.Timestamp
Value: 2019-12-06T14:06:00Z
Key : WER.OS.Version
Value: 10.0.19041.1
BUGCHECK_CODE: f7
BUGCHECK_P1: 8a1afb507778
BUGCHECK_P2: fffffb507778
BUGCHECK_P3: ffff75e504af8887
BUGCHECK_P4: 0
SECURITY_COOKIE: Expected 0000fffffb507778 found 00008a1afb507778
BLACKBOXBSD: 1 (!blackboxbsd)
BLACKBOXNTFS: 1 (!blackboxntfs)
BLACKBOXWINLOGON: 1
CUSTOMER_CRASH_COUNT: 1
PROCESS_NAME: Corsair.Service.exe
STACK_TEXT:
fffffa89`2d18e2c8 fffff805`5e0b0cd5 : 00000000`000000f7 00008a1a`fb507778 0000ffff`fb507778 ffff75e5`04af8887 : nt!KeBugCheckEx
fffffa89`2d18e2d0 fffff805`5e1f7b2a : fffffa89`2d18e5c0 00000000`00000001 ffffdc8d`4901e040 00000000`00000000 : nt!_report_gsfailure+0x25
fffffa89`2d18e310 fffff805`5e2c339b : ffff8004`495a0820 fffff805`5e5b1019 00000000`00000002 ffff8004`495a07f0 : nt!ObWaitForMultipleObjects+0x35a
fffffa89`2d18e810 fffff805`5e0075b8 : fffffa89`2d18eb18 ffffdc8d`4891f080 00000000`0625ec08 fffffa89`2d18eaa8 : nt!NtWaitForMultipleObjects32+0x11b
fffffa89`2d18ea90 00000000`76fb1cfc : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x28
00000000`0625ebe8 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x76fb1cfc
SYMBOL_NAME: nt!_report_gsfailure+25
MODULE_NAME: nt
IMAGE_NAME: ntkrnlmp.exe
IMAGE_VERSION: 10.0.19041.867
STACK_COMMAND: .thread ; .cxr ; kb
BUCKET_ID_FUNC_OFFSET: 25
FAILURE_BUCKET_ID: 0xF7_MISSING_GSFRAME_nt!_report_gsfailure
OS_VERSION: 10.0.19041.1
BUILDLAB_STR: vb_release
OSPLATFORM_TYPE: x64
OSNAME: Windows 10
FAILURE_ID_HASH: {82d2c1b5-b0cb-60a5-9a5d-78c8c4284f84}
Followup: MachineOwner
---------
drive.google.com
