************* Path validation summary **************
Response Time (ms) Location
Deferred srv*
Symbol search path is: srv*
Executable search path is:
Windows 10 Kernel Version 19041 MP (4 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Edition build lab: 19041.1.amd64fre.vb_release.191206-1406
Machine Name:
Kernel base = 0xfffff805`41800000 PsLoadedModuleList = 0xfffff805`4242a2b0
Debug session time: Sat Jan 9 08:24:07.212 2021 (UTC + 3:00)
System Uptime: 0 days 1:20:00.180
Loading Kernel Symbols
...............................................................
................................................................
.................................................
Loading User Symbols
Loading unloaded module list
..............
For analysis of this file, run !analyze -v
nt!KeBugCheckEx:
fffff805`41bf5780 48894c2408 mov qword ptr [rsp+8],rcx ss:0018:ffffef89`82e1ae30=0000000000000109
0: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************
CRITICAL_STRUCTURE_CORRUPTION (109)
This bugcheck is generated when the kernel detects that critical kernel code or
data have been corrupted. There are generally three causes for a corruption:
1) A driver has inadvertently or deliberately modified critical kernel code
or data. See http://www.microsoft.com/whdc/driver/kernel/64bitPatching.mspx
2) A developer attempted to set a normal kernel breakpoint using a kernel
debugger that was not attached when the system was booted. Normal breakpoints,
"bp", can only be set if the debugger is attached at boot time. Hardware
breakpoints, "ba", can be set at any time.
3) A hardware corruption occurred, e.g. failing RAM holding kernel code or data.
Arguments:
Arg1: a39ff6e39278d4fd, Reserved
Arg2: b3b70369e4f71db5, Reserved
Arg3: fffff80542009d54, Failure type dependent information
Arg4: 0000000000000001, Type of corrupted region, can be
0 : A generic data region
1 : Modification of a function or .pdata
2 : A processor IDT
3 : A processor GDT
4 : Type 1 process list corruption
5 : Type 2 process list corruption
6 : Debug routine modification
7 : Critical MSR modification
8 : Object type
9 : A processor IVT
a : Modification of a system service function
b : A generic session data region
c : Modification of a session function or .pdata
d : Modification of an import table
e : Modification of a session import table
f : Ps Win32 callout modification
10 : Debug switch routine modification
11 : IRP allocator modification
12 : Driver call dispatcher modification
13 : IRP completion dispatcher modification
14 : IRP deallocator modification
15 : A processor control register
16 : Critical floating point control register modification
17 : Local APIC modification
18 : Kernel notification callout modification
19 : Loaded module list modification
1a : Type 3 process list corruption
1b : Type 4 process list corruption
1c : Driver object corruption
1d : Executive callback object modification
1e : Modification of module padding
1f : Modification of a protected process
20 : A generic data region
21 : A page hash mismatch
22 : A session page hash mismatch
23 : Load config directory modification
24 : Inverted function table modification
25 : Session configuration modification
26 : An extended processor control register
27 : Type 1 pool corruption
28 : Type 2 pool corruption
29 : Type 3 pool corruption
2a : Type 4 pool corruption
2b : Modification of a function or .pdata
2c : Image integrity corruption
2d : Processor misconfiguration
2e : Type 5 process list corruption
2f : Process shadow corruption
30 : Retpoline code page corruption
101 : General pool corruption
102 : Modification of win32k.sys
Debugging Details:
------------------
*** WARNING: Unable to verify checksum for win32k.sys
KEY_VALUES_STRING: 1
Key : Analysis.CPU.mSec
Value: 11984
Key : Analysis.DebugAnalysisProvider.CPP
Value: Create: 8007007e on DESKTOP-G2EFLS9
Key : Analysis.DebugData
Value: CreateObject
Key : Analysis.DebugModel
Value: CreateObject
Key : Analysis.Elapsed.mSec
Value: 19811
Key : Analysis.Memory.CommitPeak.Mb
Value: 82
Key : Analysis.System
Value: CreateObject
Key : WER.OS.Branch
Value: vb_release
Key : WER.OS.Timestamp
Value: 2019-12-06T14:06:00Z
Key : WER.OS.Version
Value: 10.0.19041.1
ADDITIONAL_XML: 1
OS_BUILD_LAYERS: 1
BUGCHECK_CODE: 109
BUGCHECK_P1: a39ff6e39278d4fd
BUGCHECK_P2: b3b70369e4f71db5
BUGCHECK_P3: fffff80542009d54
BUGCHECK_P4: 1
MEMORY_CORRUPTOR: ONE_BIT
BLACKBOXBSD: 1 (!blackboxbsd)
BLACKBOXNTFS: 1 (!blackboxntfs)
BLACKBOXPNP: 1 (!blackboxpnp)
BLACKBOXWINLOGON: 1
CUSTOMER_CRASH_COUNT: 1
PROCESS_NAME: System
STACK_TEXT:
ffffef89`82e1ae28 00000000`00000000 : 00000000`00000109 a39ff6e3`9278d4fd b3b70369`e4f71db5 fffff805`42009d54 : nt!KeBugCheckEx
CHKIMG_EXTENSION: !chkimg -lo 50 -d !nt
fffff80542009dca - nt!PiCMOpenObjectKey+164b62
[ e9:c9 ]
1 error : !nt (fffff80542009dca)
MODULE_NAME: memory_corruption
IMAGE_NAME: memory_corruption
STACK_COMMAND: .thread ; .cxr ; kb
FAILURE_BUCKET_ID: MEMORY_CORRUPTION_ONE_BIT
OS_VERSION: 10.0.19041.1
BUILDLAB_STR: vb_release
OSPLATFORM_TYPE: x64
OSNAME: Windows 10
FAILURE_ID_HASH: {e3faf315-c3d0-81db-819a-6c43d23c63a7}
Followup: memory_corruption
---------
Microsoft (R) Windows Debugger Version 10.0.20153.1000 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [C:\Users\maksu\Downloads\Compressed\dmp\010121-58218-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available
************* Path validation summary **************
Response Time (ms) Location
Deferred srv*
Symbol search path is: srv*
Executable search path is:
Windows 10 Kernel Version 19041 MP (4 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Edition build lab: 19041.1.amd64fre.vb_release.191206-1406
Machine Name:
Kernel base = 0xfffff805`42000000 PsLoadedModuleList = 0xfffff805`42c2a3b0
Debug session time: Sat Jan 2 05:43:03.932 2021 (UTC + 3:00)
System Uptime: 0 days 0:53:33.610
Loading Kernel Symbols
...............................................................
................................................................
........................................
Loading User Symbols
Loading unloaded module list
..........................
For analysis of this file, run !analyze -v
nt!KeBugCheckEx:
fffff805`423f5210 48894c2408 mov qword ptr [rsp+8],rcx ss:0018:fffffc03`0f133950=0000000000000139
1: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************
KERNEL_SECURITY_CHECK_FAILURE (139)
A kernel component has corrupted a critical data structure. The corruption
could potentially allow a malicious user to gain control of this machine.
Arguments:
Arg1: 0000000000000000, A stack-based buffer has been overrun.
Arg2: 0000000000000000, Address of the trap frame for the exception that caused the bugcheck
Arg3: 0000000000000000, Address of the exception record for the exception that caused the bugcheck
Arg4: 0000000004000000, Reserved
Debugging Details:
------------------
KEY_VALUES_STRING: 1
Key : Analysis.CPU.mSec
Value: 10734
Key : Analysis.DebugAnalysisProvider.CPP
Value: Create: 8007007e on DESKTOP-G2EFLS9
Key : Analysis.DebugData
Value: CreateObject
Key : Analysis.DebugModel
Value: CreateObject
Key : Analysis.Elapsed.mSec
Value: 15498
Key : Analysis.Memory.CommitPeak.Mb
Value: 78
Key : Analysis.System
Value: CreateObject
Key : WER.OS.Branch
Value: vb_release
Key : WER.OS.Timestamp
Value: 2019-12-06T14:06:00Z
Key : WER.OS.Version
Value: 10.0.19041.1
ADDITIONAL_XML: 1
OS_BUILD_LAYERS: 1
BUGCHECK_CODE: 139
BUGCHECK_P1: 0
BUGCHECK_P2: 0
BUGCHECK_P3: 0
BUGCHECK_P4: 4000000
TRAP_FRAME: 0000000000000000 -- (.trap 0x0)
EXCEPTION_RECORD: 0000000000000000 -- (.exr 0x0)
Cannot read Exception record @ 0000000000000000
BLACKBOXBSD: 1 (!blackboxbsd)
BLACKBOXNTFS: 1 (!blackboxntfs)
BLACKBOXPNP: 1 (!blackboxpnp)
BLACKBOXWINLOGON: 1
CUSTOMER_CRASH_COUNT: 1
PROCESS_NAME: explorer.exe
STACK_TEXT:
fffffc03`0f133948 fffff805`423fdd1b : 00000000`00000139 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KeBugCheckEx
fffffc03`0f133950 fffff805`409f53a6 : ffffe288`76ece000 fffffc03`0f133a00 ffffe288`7179ebf0 00000000`00000000 : nt!guard_icall_bugcheck+0x1b
fffffc03`0f133980 fffff805`409f43bc : fffffc03`0f12e000 fffffc03`0f134000 ffffffff`c0000120 00000000`00000000 : FLTMGR!FltpPassThroughCompletionWorker+0x486
fffffc03`0f133a20 fffff805`422c2fce : 00000000`00000002 ffffe288`74f8fe70 00000000`00000000 ffffe288`6fcc2140 : FLTMGR!FltpPassThroughCompletion+0xc
fffffc03`0f133a50 fffff805`422c2e97 : 00000000`0000009c 00000000`00000001 00000000`00000000 ffff8301`2ad6a770 : nt!IopfCompleteRequest+0x11e
fffffc03`0f133b40 fffff805`42287aa3 : ffffe288`74b31080 ffff8301`00000000 00000000`00000000 fffff805`426c00f4 : nt!IofCompleteRequest+0x17
fffffc03`0f133b70 fffff805`4229598f : ffffe288`74110010 ffffe288`74110010 ffff8301`2ad6a770 ffffe288`76fac680 : nt!FsRtlCancelNotify+0xf3
fffffc03`0f133c30 fffff805`422958da : ffffe288`74b31080 ffffe288`74110030 ffffe288`74b316d0 fffff805`422db39b : nt!IoCancelIrp+0x6f
fffffc03`0f133c70 fffff805`42676184 : fffffc03`0f133d50 ffffe288`74b31500 ffffe288`7b292dd0 fffff805`42212900 : nt!IopCancelIrpsInCurrentThreadList+0x106
fffffc03`0f133ce0 fffff805`425e9df8 : ffffe288`74b31000 ffffe288`74b31080 ffffe288`7773c080 00000000`00000000 : nt!IopCancelIrpsInThreadList+0x3c
fffffc03`0f133d30 fffff805`42676066 : 00000000`00000000 fffffc03`0f133ec0 00000000`0404ee30 ffffe288`7b292dd0 : nt!IopCancelIrpsInThreadListForCurrentProcess+0xc4
fffffc03`0f133df0 fffff805`42406bb8 : ffffe288`74b31080 ffffffff`ffffffff 00000000`00000000 ffffe288`00000000 : nt!NtCancelIoFileEx+0xc6
fffffc03`0f133e40 00007ffb`2ed6cfd4 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x28
00000000`0404ee08 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x00007ffb`2ed6cfd4
SYMBOL_NAME: nt!guard_icall_bugcheck+1b
MODULE_NAME: nt
IMAGE_NAME: ntkrnlmp.exe
IMAGE_VERSION: 10.0.19041.630
STACK_COMMAND: .thread ; .cxr ; kb
BUCKET_ID_FUNC_OFFSET: 1b
FAILURE_BUCKET_ID: 0x139_0_LEGACY_GS_VIOLATION_nt!guard_icall_bugcheck
OS_VERSION: 10.0.19041.1
BUILDLAB_STR: vb_release
OSPLATFORM_TYPE: x64
OSNAME: Windows 10
FAILURE_ID_HASH: {9bee41a7-2ef9-07ca-7e59-7d5a0c6e2d05}
Followup: MachineOwner
---------
Microsoft (R) Windows Debugger Version 10.0.20153.1000 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [C:\Users\maksu\Downloads\Compressed\dmp\010921-25171-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available
************* Path validation summary **************
Response Time (ms) Location
Deferred srv*
Symbol search path is: srv*
Executable search path is:
Windows 10 Kernel Version 19041 MP (4 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Edition build lab: 19041.1.amd64fre.vb_release.191206-1406
Machine Name:
Kernel base = 0xfffff803`80600000 PsLoadedModuleList = 0xfffff803`8122a2b0
Debug session time: Sat Jan 9 13:00:16.635 2021 (UTC + 3:00)
System Uptime: 0 days 0:49:55.312
Loading Kernel Symbols
...............................................................
................................................................
...................................................
Loading User Symbols
Loading unloaded module list
...............
For analysis of this file, run !analyze -v
nt!KeBugCheckEx:
fffff803`809f5780 48894c2408 mov qword ptr [rsp+8],rcx ss:0018:ffffcf0d`1326ce00=0000000000000109
3: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************
CRITICAL_STRUCTURE_CORRUPTION (109)
This bugcheck is generated when the kernel detects that critical kernel code or
data have been corrupted. There are generally three causes for a corruption:
1) A driver has inadvertently or deliberately modified critical kernel code
or data. See http://www.microsoft.com/whdc/driver/kernel/64bitPatching.mspx
2) A developer attempted to set a normal kernel breakpoint using a kernel
debugger that was not attached when the system was booted. Normal breakpoints,
"bp", can only be set if the debugger is attached at boot time. Hardware
breakpoints, "ba", can be set at any time.
3) A hardware corruption occurred, e.g. failing RAM holding kernel code or data.
Arguments:
Arg1: a3a00fd9bc87e896, Reserved
Arg2: b3b71c600f06314e, Reserved
Arg3: fffff80380e09d54, Failure type dependent information
Arg4: 0000000000000001, Type of corrupted region, can be
0 : A generic data region
1 : Modification of a function or .pdata
2 : A processor IDT
3 : A processor GDT
4 : Type 1 process list corruption
5 : Type 2 process list corruption
6 : Debug routine modification
7 : Critical MSR modification
8 : Object type
9 : A processor IVT
a : Modification of a system service function
b : A generic session data region
c : Modification of a session function or .pdata
d : Modification of an import table
e : Modification of a session import table
f : Ps Win32 callout modification
10 : Debug switch routine modification
11 : IRP allocator modification
12 : Driver call dispatcher modification
13 : IRP completion dispatcher modification
14 : IRP deallocator modification
15 : A processor control register
16 : Critical floating point control register modification
17 : Local APIC modification
18 : Kernel notification callout modification
19 : Loaded module list modification
1a : Type 3 process list corruption
1b : Type 4 process list corruption
1c : Driver object corruption
1d : Executive callback object modification
1e : Modification of module padding
1f : Modification of a protected process
20 : A generic data region
21 : A page hash mismatch
22 : A session page hash mismatch
23 : Load config directory modification
24 : Inverted function table modification
25 : Session configuration modification
26 : An extended processor control register
27 : Type 1 pool corruption
28 : Type 2 pool corruption
29 : Type 3 pool corruption
2a : Type 4 pool corruption
2b : Modification of a function or .pdata
2c : Image integrity corruption
2d : Processor misconfiguration
2e : Type 5 process list corruption
2f : Process shadow corruption
30 : Retpoline code page corruption
101 : General pool corruption
102 : Modification of win32k.sys
Debugging Details:
------------------
*** WARNING: Unable to verify checksum for win32k.sys
KEY_VALUES_STRING: 1
Key : Analysis.CPU.mSec
Value: 11968
Key : Analysis.DebugAnalysisProvider.CPP
Value: Create: 8007007e on DESKTOP-G2EFLS9
Key : Analysis.DebugData
Value: CreateObject
Key : Analysis.DebugModel
Value: CreateObject
Key : Analysis.Elapsed.mSec
Value: 16159
Key : Analysis.Memory.CommitPeak.Mb
Value: 82
Key : Analysis.System
Value: CreateObject
Key : WER.OS.Branch
Value: vb_release
Key : WER.OS.Timestamp
Value: 2019-12-06T14:06:00Z
Key : WER.OS.Version
Value: 10.0.19041.1
ADDITIONAL_XML: 1
OS_BUILD_LAYERS: 1
BUGCHECK_CODE: 109
BUGCHECK_P1: a3a00fd9bc87e896
BUGCHECK_P2: b3b71c600f06314e
BUGCHECK_P3: fffff80380e09d54
BUGCHECK_P4: 1
MEMORY_CORRUPTOR: ONE_BIT
BLACKBOXBSD: 1 (!blackboxbsd)
BLACKBOXNTFS: 1 (!blackboxntfs)
BLACKBOXPNP: 1 (!blackboxpnp)
BLACKBOXWINLOGON: 1
CUSTOMER_CRASH_COUNT: 1
PROCESS_NAME: System
STACK_TEXT:
ffffcf0d`1326cdf8 00000000`00000000 : 00000000`00000109 a3a00fd9`bc87e896 b3b71c60`0f06314e fffff803`80e09d54 : nt!KeBugCheckEx
CHKIMG_EXTENSION: !chkimg -lo 50 -d !nt
fffff80380e09dca - nt!PiCMOpenObjectKey+164b62
[ e9:c9 ]
1 error : !nt (fffff80380e09dca)
MODULE_NAME: memory_corruption
IMAGE_NAME: memory_corruption
STACK_COMMAND: .thread ; .cxr ; kb
FAILURE_BUCKET_ID: MEMORY_CORRUPTION_ONE_BIT
OS_VERSION: 10.0.19041.1
BUILDLAB_STR: vb_release
OSPLATFORM_TYPE: x64
OSNAME: Windows 10
FAILURE_ID_HASH: {e3faf315-c3d0-81db-819a-6c43d23c63a7}
Followup: memory_corruption
---------