*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except,
it must be protected by a Probe. Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: ffffe60917f4ac34, memory referenced.
Arg2: 0000000000000000, value 0 = read operation, 1 = write operation.
Arg3: fffff8076631bde8, If non-zero, the instruction address which referenced the bad memory
address.
Arg4: 0000000000000002, (reserved)
Debugging Details:
------------------
Could not read faulting driver name
READ_ADDRESS: unable to get nt!MmSpecialPoolStart
unable to get nt!MmSpecialPoolEnd
unable to get nt!MmPagedPoolEnd
unable to get nt!MmNonPagedPoolStart
unable to get nt!MmSizeOfNonPagedPoolInBytes
ffffe60917f4ac34
FAULTING_IP:
Ntfs!NtfsFilterCallbackAcquireForCreateSection+a8
fffff807`6631bde8 41f744240400200000 test dword ptr [r12+4],2000h
MM_INTERNAL_CODE: 2
CUSTOMER_CRASH_COUNT: 1
DEFAULT_BUCKET_ID: CODE_CORRUPTION
BUGCHECK_STR: AV
PROCESS_NAME: services.exe
CURRENT_IRQL: 0
ANALYSIS_VERSION: 6.3.9600.17237 (debuggers(dbg).140716-0327) x86fre
TRAP_FRAME: ffff890bde74ab90 -- (.trap 0xffff890bde74ab90)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=ffffe60915f4a9c0 rbx=0000000000000000 rcx=ffff890bde74aef0
rdx=0000000000000000 rsi=0000000000000000 rdi=0000000000000000
rip=fffff8076631bde8 rsp=ffff890bde74ad20 rbp=ffff890bde74ad60
r8=ffff9d81eec7e180 r9=ffffe60915f4a860 r10=0000fffff8076631
r11=ffffc5faf0400000 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei ng nz na po nc
Ntfs!NtfsFilterCallbackAcquireForCreateSection+0xa8:
fffff807`6631bde8 41f744240400200000 test dword ptr [r12+4],2000h ds:00000000`00000004=00000000
Resetting default scope
LAST_CONTROL_TRANSFER: from fffff80763635d15 to fffff807635ddb60
STACK_TEXT:
ffff890b`de74a8e8 fffff807`63635d15 : 00000000`00000050 ffffe609`17f4ac34 00000000`00000000 ffff890b`de74ab90 : nt!KeBugCheckEx
ffff890b`de74a8f0 fffff807`63412d00 : ffff890b`de74a9f0 00000000`00000000 ffff890b`de74ac10 00000000`00000000 : nt!MiSystemFault+0x1ad5c5
ffff890b`de74a9f0 fffff807`635ebc1e : ffff9d81`fd612080 ffff9d81`f8ba2588 ffff9d81`f4dffac0 ffff9d81`ff8eab08 : nt!MmAccessFault+0x400
ffff890b`de74ab90 fffff807`6631bde8 : 00000000`00000000 ffff890b`de74ae40 ffff890b`de74adc9 00000000`00000000 : nt!KiPageFault+0x35e
ffff890b`de74ad20 fffff807`634d5527 : ffff890b`de74aef0 ffff9d81`eec7e030 00000000`00000000 ffff890b`de74aef0 : Ntfs!NtfsFilterCallbackAcquireForCreateSection+0xa8
ffff890b`de74ae30 fffff807`6386d561 : 00000000`00000000 00000000`00000000 00000000`00000001 fffff807`6631bd40 : nt!FsFilterPerformCallbacks+0xe7
ffff890b`de74aea0 fffff807`6386d257 : 00000000`00000000 ffff9d81`f42df6e0 00000000`00011000 80000010`000000a0 : nt!FsRtlAcquireFileExclusiveCommon+0x121
ffff890b`de74b190 fffff807`634d5871 : ffff9d81`f42df720 fffff807`634926e3 ffff9d81`f4dffac0 ffff9d81`f42df6e0 : nt!FsRtlAcquireFileExclusive+0x17
ffff890b`de74b1d0 fffff807`6388dcb6 : ffff9d81`f4dffac0 00000000`01000000 ffff890b`de74b5a8 00000000`00000001 : nt!CcZeroEndOfLastPage+0x45
ffff890b`de74b220 fffff807`6388e544 : 00000000`fd612000 ffff890b`de74b350 00000000`00000000 00000000`00000000 : nt!MmCreateSpecialImageSection+0xee
ffff890b`de74b2d0 fffff807`635ef9b1 : 00000164`ebca4040 fffff807`637b2fc0 00000000`00000000 00000000`c0000034 : nt!NtCreateUserProcess+0x574
ffff890b`de74ba90 00007ffb`26d4c684 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceExitPico+0x2bc
0000000f`83c7ced8 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x00007ffb`26d4c684
STACK_COMMAND: kb
CHKIMG_EXTENSION: !chkimg -lo 50 -d !FLTMGR
fffff8075ff048fa-fffff8075ff048fb 2 bytes - FLTMGR!FltpDispatch+ca
[ 48 ff:4c 8b ]
fffff8075ff04901-fffff8075ff04905 5 bytes - FLTMGR!FltpDispatch+d1 (+0x07)
[ 0f 1f 44 00 00:e8 ea 23 54 03 ]
fffff8075ff08a63-fffff8075ff08a64 2 bytes - FLTMGR!FltpPostFsFilterOperation+43 (+0x4162)
[ 48 ff:4c 8b ]
fffff8075ff08a6a-fffff8075ff08a6e 5 bytes - FLTMGR!FltpPostFsFilterOperation+4a (+0x07)
[ 0f 1f 44 00 00:e8 41 22 53 03 ]
fffff8075ff3b9a4-fffff8075ff3b9a5 2 bytes - FLTMGR!FltpCreate+f4
[ 48 ff:4c 8b ]
fffff8075ff3b9ab-fffff8075ff3b9af 5 bytes - FLTMGR!FltpCreate+fb (+0x07)
[ 0f 1f 44 00 00:e8 50 37 4e 03 ]
fffff8075ff3cd05-fffff8075ff3cd06 2 bytes - FLTMGR!DeleteStreamListCtrlCallback+35 (+0x135a)
[ 48 ff:4c 8b ]
fffff8075ff3cd0c - FLTMGR!DeleteStreamListCtrlCallback+3c (+0x07)
[ 0f:e8 ]
fffff8075ff3cd0e-fffff8075ff3cd10 3 bytes - FLTMGR!DeleteStreamListCtrlCallback+3e (+0x02)
[ 44 00 00:5b 5d 03 ]
fffff8075ff3cd1a-fffff8075ff3cd1b 2 bytes - FLTMGR!DeleteStreamListCtrlCallback+4a (+0x0c)
[ 48 ff:4c 8b ]
fffff8075ff3cd21-fffff8075ff3cd25 5 bytes - FLTMGR!DeleteStreamListCtrlCallback+51 (+0x07)
[ 0f 1f 44 00 00:e8 fa 63 4e 03 ]
fffff8075ff3cd6a-fffff8075ff3cd6b 2 bytes - FLTMGR!DeleteStreamListCtrlCallback+9a (+0x49)
[ 48 ff:4c 8b ]
fffff8075ff3cd71-fffff8075ff3cd77 7 bytes - FLTMGR!DeleteStreamListCtrlCallback+a1 (+0x07)
[ 0f 1f 44 00 00 48 ff:e8 fa 5b 4e 03 4c 8b ]
fffff8075ff3cd7d-fffff8075ff3cd81 5 bytes - FLTMGR!DeleteStreamListCtrlCallback+ad (+0x0c)
[ 0f 1f 44 00 00:e8 5e eb 5b 03 ]
48 errors : !FLTMGR (fffff8075ff048fa-fffff8075ff3cd81)
MODULE_NAME: memory_corruption
IMAGE_NAME: memory_corruption
FOLLOWUP_NAME: memory_corruption
DEBUG_FLR_IMAGE_TIMESTAMP: 0
MEMORY_CORRUPTOR: LARGE
FAILURE_BUCKET_ID: MEMORY_CORRUPTION_LARGE
BUCKET_ID: MEMORY_CORRUPTION_LARGE
ANALYSIS_SOURCE: KM
FAILURE_ID_HASH_STRING: km:memory_corruption_large
FAILURE_ID_HASH: {e29154ac-69a4-0eb8-172a-a860f73c0a3c}
Followup: memory_corruption
---------
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
KERNEL_SECURITY_CHECK_FAILURE (139)
A kernel component has corrupted a critical data structure. The corruption
could potentially allow a malicious user to gain control of this machine.
Arguments:
Arg1: 0000000000000003, A LIST_ENTRY has been corrupted (i.e. double remove).
Arg2: fffff20b4fdfc750, Address of the trap frame for the exception that caused the bugcheck
Arg3: fffff20b4fdfc6a8, Address of the exception record for the exception that caused the bugcheck
Arg4: 0000000000000000, Reserved
Debugging Details:
------------------
TRAP_FRAME: fffff20b4fdfc750 -- (.trap 0xfffff20b4fdfc750)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=ffffdd8483d2c660 rbx=0000000000000000 rcx=0000000000000003
rdx=ffffdd84e495a560 rsi=0000000000000000 rdi=0000000000000000
rip=fffff80785c1e698 rsp=fffff20b4fdfc8e0 rbp=fffff80785c1e450
r8=0000000000000000 r9=0000000000000008 r10=0000000000000001
r11=000000000000006a r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei ng nz na po cy
Ntfs!NtfsMcbCleanupLruQueue+0x248:
fffff807`85c1e698 cd29 int 29h
Resetting default scope
EXCEPTION_RECORD: fffff20b4fdfc6a8 -- (.exr 0xfffff20b4fdfc6a8)
ExceptionAddress: fffff80785c1e698 (Ntfs!NtfsMcbCleanupLruQueue+0x0000000000000248)
ExceptionCode: c0000409 (Security check failure or stack buffer overrun)
ExceptionFlags: 00000001
NumberParameters: 1
Parameter[0]: 0000000000000003
CUSTOMER_CRASH_COUNT: 1
DEFAULT_BUCKET_ID: CODE_CORRUPTION
BUGCHECK_STR: 0x139
PROCESS_NAME: System
CURRENT_IRQL: 1
ERROR_CODE: (NTSTATUS) 0xc0000409 - Sistem, bu uygulamada y
EXCEPTION_CODE: (NTSTATUS) 0xc0000409 - Sistem, bu uygulamada y
EXCEPTION_PARAMETER1: 0000000000000003
ANALYSIS_VERSION: 6.3.9600.17237 (debuggers(dbg).140716-0327) x86fre
EXCEPTION_STR: 0x0
LAST_CONTROL_TRANSFER: from fffff80781befa29 to fffff80781bddb60
STACK_TEXT:
fffff20b`4fdfc428 fffff807`81befa29 : 00000000`00000139 00000000`00000003 fffff20b`4fdfc750 fffff20b`4fdfc6a8 : nt!KeBugCheckEx
fffff20b`4fdfc430 fffff807`81befe50 : 00000000`00025ef0 00000000`00000280 00000000`00000000 ffffdd84`e55aa170 : nt!KiBugCheckDispatch+0x69
fffff20b`4fdfc570 fffff807`81bee1e3 : 00000000`00000000 fffff807`85c1e450 ffffdd84`78e00100 fffff807`81a40a92 : nt!KiFastFailDispatch+0xd0
fffff20b`4fdfc750 fffff807`85c1e698 : ffffdd84`8deaa2b0 fffff807`85c1e450 ffffdd84`8deaa2b0 00000000`00000000 : nt!KiRaiseSecurityCheckFailure+0x323
fffff20b`4fdfc8e0 fffff807`81a33f45 : ffffcb0c`bb892040 ffffcb0c`bb892040 ffffcb0c`a56a4c90 fffff807`85c95be0 : Ntfs!NtfsMcbCleanupLruQueue+0x248
fffff20b`4fdfcb70 fffff807`81b46735 : ffffcb0c`bb892040 00000000`00000080 ffffcb0c`a567a040 00000000`05cec188 : nt!ExpWorkerThread+0x105
fffff20b`4fdfcc10 fffff807`81be51b8 : ffffa900`dcbc0180 ffffcb0c`bb892040 fffff807`81b466e0 00000000`00000065 : nt!PspSystemThreadStartup+0x55
fffff20b`4fdfcc60 00000000`00000000 : fffff20b`4fdfd000 fffff20b`4fdf7000 00000000`00000000 00000000`00000000 : nt!KiStartSystemThread+0x28
STACK_COMMAND: kb
CHKIMG_EXTENSION: !chkimg -lo 50 -d !nt
fffff80781b467b5-fffff80781b467b6 2 bytes - nt!MiDeleteNonPagedPoolTail+45
[ 80 fa:00 f9 ]
fffff80781b84f3e-fffff80781b84f41 4 bytes - nt!MiFreeUltraMapping+32 (+0x3e789)
[ a0 7d fb f6:c0 a2 45 8b ]
6 errors : !nt (fffff80781b467b5-fffff80781b84f41)
MODULE_NAME: memory_corruption
IMAGE_NAME: memory_corruption
FOLLOWUP_NAME: memory_corruption
DEBUG_FLR_IMAGE_TIMESTAMP: 0
MEMORY_CORRUPTOR: LARGE
FAILURE_BUCKET_ID: MEMORY_CORRUPTION_LARGE
BUCKET_ID: MEMORY_CORRUPTION_LARGE
ANALYSIS_SOURCE: KM
FAILURE_ID_HASH_STRING: km:memory_corruption_large
FAILURE_ID_HASH: {e29154ac-69a4-0eb8-172a-a860f73c0a3c}
Followup: memory_corruption
---------