KERNEL_SECURITY_CHECK_FAILURE (139)
A kernel component has corrupted a critical data structure. The corruption
could potentially allow a malicious user to gain control of this machine.
Arguments:
Arg1: 0000000000000004, The thread's stack pointer was outside the legal stack
extents for the thread.
Arg2: ffffed001a844c20, Address of the trap frame for the exception that caused the bugcheck
Arg3: ffffed001a844b78, Address of the exception record for the exception that caused the bugcheck
Arg4: 0000000000000000, Reserved
Debugging Details:
------------------
*** WARNING: Unable to verify timestamp for rt640x64.sys
KEY_VALUES_STRING: 1
Key : Analysis.CPU.mSec
Value: 7858
Key : Analysis.DebugAnalysisManager
Value: Create
Key : Analysis.Elapsed.mSec
Value: 25770
Key : Analysis.Init.CPU.mSec
Value: 953
Key : Analysis.Init.Elapsed.mSec
Value: 2378
Key : Analysis.Memory.CommitPeak.Mb
Value: 83
Key : FailFast.Name
Value: INCORRECT_STACK
Key : FailFast.Type
Value: 4
Key : WER.OS.Branch
Value: vb_release
Key : WER.OS.Timestamp
Value: 2019-12-06T14:06:00Z
Key : WER.OS.Version
Value: 10.0.19041.1
BUGCHECK_CODE: 139
BUGCHECK_P1: 4
BUGCHECK_P2: ffffed001a844c20
BUGCHECK_P3: ffffed001a844b78
BUGCHECK_P4: 0
TRAP_FRAME: ffffed001a844c20 -- (.trap 0xffffed001a844c20)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=ffffed001b1a1000 rbx=0000000000000000 rcx=0000000000000004
rdx=ffffed001b1a7000 rsi=0000000000000000 rdi=0000000000000000
rip=fffff8073249ecc0 rsp=ffffed001a844db0 rbp=ffffed001a844db0
r8=ffffed001b1a7000 r9=ffffed001a844de8 r10=fffff80732354470
r11=0000000000000000 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei pl zr na po nc
nt!KiExpandKernelStackAndCalloutSwitchStack+0x14a740:
fffff807`3249ecc0 cd29 int 29h
Resetting default scope
EXCEPTION_RECORD: ffffed001a844b78 -- (.exr 0xffffed001a844b78)
ExceptionAddress: fffff8073249ecc0 (nt!KiExpandKernelStackAndCalloutSwitchStack+0x000000000014a740)
ExceptionCode: c0000409 (Security check failure or stack buffer overrun)
ExceptionFlags: 00000001
NumberParameters: 1
Parameter[0]: 0000000000000004
Subcode: 0x4 FAST_FAIL_INCORRECT_STACK
BLACKBOXBSD: 1 (!blackboxbsd)
BLACKBOXNTFS: 1 (!blackboxntfs)
BLACKBOXWINLOGON: 1
CUSTOMER_CRASH_COUNT: 1
PROCESS_NAME: csrss.exe
ERROR_CODE: (NTSTATUS) 0xc0000409 - Sistem, bu uygulamada yığın tabanlı bir arabelleğin taştığını algıladı. Bu taşma, kötü niyetli bir kullanıcının bu uygulamanın denetimini ele geçirmesine olanak verebilir.
EXCEPTION_CODE_STR: c0000409
EXCEPTION_PARAMETER1: 0000000000000004
EXCEPTION_STR: 0xc0000409
BAD_STACK_POINTER: ffffed001a8448f8
STACK_TEXT:
ffffed00`1a8448f8 fffff807`32407d69 : 00000000`00000139 00000000`00000004 ffffed00`1a844c20 ffffed00`1a844b78 : nt!KeBugCheckEx
ffffed00`1a844900 fffff807`32408190 : ffffdc89`00000001 00000000`00000001 ffffdc89`fd3041a0 00000000`00000000 : nt!KiBugCheckDispatch+0x69
ffffed00`1a844a40 fffff807`32406523 : ffffed00`1a844cc9 fffff807`35fe25dd 00000000`00000000 ffffdc89`fd3041a0 : nt!KiFastFailDispatch+0xd0
ffffed00`1a844c20 fffff807`3249ecc0 : 00000000`00004800 ffffed00`1b1a1000 ffffed00`1a844db0 00000000`00000000 : nt!KiRaiseSecurityCheckFailure+0x323
ffffed00`1a844db0 fffff807`323544d3 : ffffdc89`fabd0c60 00000000`00000002 00000000`00000003 ffffed00`1a844fc8 : nt!KiExpandKernelStackAndCalloutSwitchStack+0x14a740
ffffed00`1a844e20 fffff807`3235448d : fffff807`365cf5c0 ffffed00`1a844fc8 ffffdc89`fa6f9060 fffff807`361523d3 : nt!KeExpandKernelStackAndCalloutInternal+0x33
ffffed00`1a844e90 fffff807`365c26dd : 00000000`00000000 00000000`00000000 ffffdc8a`05780bb0 fffff807`3684142f : nt!KeExpandKernelStackAndCalloutEx+0x1d
ffffed00`1a844ed0 fffff807`365c1dbd : 00000000`00000001 ffffed00`1a845030 ffffdc8a`01b66620 ffffed00`1a845040 : tcpip!NetioExpandKernelStackAndCallout+0x8d
ffffed00`1a844f30 fffff807`35fe1eb0 : ffffdc89`fd9f82a1 00000000`00000001 ffffdc8a`01b56e90 ffffed00`1a845340 : tcpip!FlReceiveNetBufferListChain+0x46d
ffffed00`1a8451e0 fffff807`35fe1ccb : ffffdc8a`01b63c30 ffffed00`00000001 ffffed00`00000000 ffffed00`00000001 : ndis!ndisMIndicateNetBufferListsToOpen+0x140
ffffed00`1a8452c0 fffff807`35fe7ef0 : ffffdc89`fd3041a0 ffffdc8a`01a7b001 ffffdc89`fd3041a0 00000000`00000001 : ndis!ndisMTopReceiveNetBufferLists+0x22b
ffffed00`1a845340 fffff807`3601dd73 : ffffdc8a`01a7b030 ffffed00`1a845411 00000000`00000000 ffffb980`675d5180 : ndis!ndisCallReceiveHandler+0x60
ffffed00`1a845390 fffff807`35fe4a94 : 00000000`0000283c 00000000`00000001 ffffdc89`fd3041a0 00000000`00000001 : ndis!ndisInvokeNextReceiveHandler+0x1df
ffffed00`1a845460 fffff807`3ea76a28 : ffffdc89`fd725000 ffffdc89`fd725000 00000000`00000003 00000000`00000000 : ndis!NdisMIndicateReceiveNetBufferLists+0x104
ffffed00`1a8454f0 ffffdc89`fd725000 : ffffdc89`fd725000 00000000`00000003 00000000`00000000 00000000`00000001 : rt640x64+0x26a28
ffffed00`1a8454f8 ffffdc89`fd725000 : 00000000`00000003 00000000`00000000 00000000`00000001 fffff807`41b82d6d : 0xffffdc89`fd725000
ffffed00`1a845500 00000000`00000003 : 00000000`00000000 00000000`00000001 fffff807`41b82d6d 00000003`00000001 : 0xffffdc89`fd725000
ffffed00`1a845508 00000000`00000000 : 00000000`00000001 fffff807`41b82d6d 00000003`00000001 80000000`00000001 : 0x3
SYMBOL_NAME: rt640x64+26a28
MODULE_NAME: rt640x64
IMAGE_NAME: rt640x64.sys
STACK_COMMAND: .thread ; .cxr ; kb
BUCKET_ID_FUNC_OFFSET: 26a28
FAILURE_BUCKET_ID: 0x139_MISSING_GSFRAME_STACKPTR_ERROR_rt640x64!unknown_function
OS_VERSION: 10.0.19041.1
BUILDLAB_STR: vb_release
OSPLATFORM_TYPE: x64
OSNAME: Windows 10
FAILURE_ID_HASH: {2d897507-49ab-71dc-8bde-2cb7a3ca8901}
Followup: MachineOwner
---------
KMODE_EXCEPTION_NOT_HANDLED (1e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Arguments:
Arg1: ffffffffc0000005, The exception code that was not handled
Arg2: 0000000000000000, The address that the exception occurred at
Arg3: 0000000000000008, Parameter 0 of the exception
Arg4: 0000000000000000, Parameter 1 of the exception
Debugging Details:
------------------
*************************************************************************
*** ***
*** ***
*** Either you specified an unqualified symbol, or your debugger ***
*** doesn't have full symbol information. Unqualified symbol ***
*** resolution is turned off by default. Please either specify a ***
*** fully qualified symbol module!symbolname, or enable resolution ***
*** of unqualified symbols by typing ".symopt- 100". Note that ***
*** enabling unqualified symbol resolution with network symbol ***
*** server shares in the symbol path may cause the debugger to ***
*** appear to hang for long periods of time when an incorrect ***
*** symbol name is typed or the network symbol server is down. ***
*** ***
*** For some commands to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: ExceptionRecord ***
*** ***
*************************************************************************
*************************************************************************
*** ***
*** ***
*** Either you specified an unqualified symbol, or your debugger ***
*** doesn't have full symbol information. Unqualified symbol ***
*** resolution is turned off by default. Please either specify a ***
*** fully qualified symbol module!symbolname, or enable resolution ***
*** of unqualified symbols by typing ".symopt- 100". Note that ***
*** enabling unqualified symbol resolution with network symbol ***
*** server shares in the symbol path may cause the debugger to ***
*** appear to hang for long periods of time when an incorrect ***
*** symbol name is typed or the network symbol server is down. ***
*** ***
*** For some commands to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: ContextRecord ***
*** ***
*************************************************************************
*** WARNING: Unable to verify timestamp for win32k.sys
KEY_VALUES_STRING: 1
Key : Analysis.CPU.mSec
Value: 6328
Key : Analysis.DebugAnalysisManager
Value: Create
Key : Analysis.Elapsed.mSec
Value: 21885
Key : Analysis.Init.CPU.mSec
Value: 781
Key : Analysis.Init.Elapsed.mSec
Value: 2379
Key : Analysis.Memory.CommitPeak.Mb
Value: 73
Key : WER.OS.Branch
Value: vb_release
Key : WER.OS.Timestamp
Value: 2019-12-06T14:06:00Z
Key : WER.OS.Version
Value: 10.0.19041.1
BUGCHECK_CODE: 1e
BUGCHECK_P1: ffffffffc0000005
BUGCHECK_P2: 0
BUGCHECK_P3: 8
BUGCHECK_P4: 0
BLACKBOXBSD: 1 (!blackboxbsd)
BLACKBOXNTFS: 1 (!blackboxntfs)
BLACKBOXPNP: 1 (!blackboxpnp)
BLACKBOXWINLOGON: 1
CUSTOMER_CRASH_COUNT: 1
PROCESS_NAME: Registry
TRAP_FRAME: ffff800000000000 -- (.trap 0xffff800000000000)
Unable to read trap frame at ffff8000`00000000
STACK_TEXT:
ffffad05`0b6c7bf8 fffff800`39a9177f : 00000000`0000001e ffffffff`c0000005 00000000`00000000 00000000`00000008 : nt!KeBugCheckEx
ffffad05`0b6c7c00 fffff800`39a07eac : 00000000`00001000 ffffad05`0b6c84a0 ffff8000`00000000 00000000`00000000 : nt!KiDispatchException+0x166d1f
ffffad05`0b6c82c0 fffff800`39a04043 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiExceptionDispatch+0x12c
ffffad05`0b6c84a0 00000000`00000000 : ffffad05`0b6c8730 00000000`00000000 ffffad05`0b6c8718 00000000`00000000 : nt!KiPageFault+0x443
SYMBOL_NAME: nt!KiDispatchException+166d1f
MODULE_NAME: nt
IMAGE_NAME: ntkrnlmp.exe
IMAGE_VERSION: 10.0.19041.928
STACK_COMMAND: .thread ; .cxr ; kb
BUCKET_ID_FUNC_OFFSET: 166d1f
FAILURE_BUCKET_ID: 0x1E_nt!KiDispatchException
OS_VERSION: 10.0.19041.1
BUILDLAB_STR: vb_release
OSPLATFORM_TYPE: x64
OSNAME: Windows 10
FAILURE_ID_HASH: {4c003660-11e1-3fb7-2474-3522eb7ee67b}
Followup: MachineOwner
---------
IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.
Arguments:
Arg1: ffffe200000000c0, memory referenced
Arg2: 0000000000000002, IRQL
Arg3: 0000000000000000, bitfield :
bit 0 : value 0 = read operation, 1 = write operation
bit 3 : value 0 = not an execute operation, 1 = execute operation (only on chips which support this level of status)
Arg4: fffff8021f13223f, address which referenced memory
Debugging Details:
------------------
*** WARNING: Unable to verify timestamp for win32k.sys
KEY_VALUES_STRING: 1
Key : Analysis.CPU.mSec
Value: 5702
Key : Analysis.DebugAnalysisManager
Value: Create
Key : Analysis.Elapsed.mSec
Value: 17283
Key : Analysis.Init.CPU.mSec
Value: 906
Key : Analysis.Init.Elapsed.mSec
Value: 2106
Key : Analysis.Memory.CommitPeak.Mb
Value: 73
Key : WER.OS.Branch
Value: vb_release
Key : WER.OS.Timestamp
Value: 2019-12-06T14:06:00Z
Key : WER.OS.Version
Value: 10.0.19041.1
BUGCHECK_CODE: a
BUGCHECK_P1: ffffe200000000c0
BUGCHECK_P2: 2
BUGCHECK_P3: 0
BUGCHECK_P4: fffff8021f13223f
READ_ADDRESS: fffff8021fafb390: Unable to get MiVisibleState
Unable to get NonPagedPoolStart
Unable to get NonPagedPoolEnd
Unable to get PagedPoolStart
Unable to get PagedPoolEnd
unable to get nt!MmSpecialPagesInUse
ffffe200000000c0
BLACKBOXBSD: 1 (!blackboxbsd)
BLACKBOXNTFS: 1 (!blackboxntfs)
BLACKBOXPNP: 1 (!blackboxpnp)
BLACKBOXWINLOGON: 1
CUSTOMER_CRASH_COUNT: 1
PROCESS_NAME: System
TRAP_FRAME: ffff82874267d6d0 -- (.trap 0xffff82874267d6d0)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=0000000000000004 rbx=0000000000000000 rcx=0000000000000009
rdx=0000000000000000 rsi=0000000000000000 rdi=0000000000000000
rip=fffff8021f13223f rsp=ffff82874267d860 rbp=ffff82874267d8a0
r8=0000000000000000 r9=0000000000000000 r10=0000000000000037
r11=0000000000000000 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei ng nz na po nc
nt!KiCheckPreferredHeteroProcessor+0x4f:
fffff802`1f13223f 4c8bbfc0000000 mov r15,qword ptr [rdi+0C0h] ds:00000000`000000c0=????????????????
Resetting default scope
STACK_TEXT:
ffff8287`4267d588 fffff802`1f207d69 : 00000000`0000000a ffffe200`000000c0 00000000`00000002 00000000`00000000 : nt!KeBugCheckEx
ffff8287`4267d590 fffff802`1f204069 : 00000000`00000002 00000000`00000000 00000000`0000c000 00000000`00080000 : nt!KiBugCheckDispatch+0x69
ffff8287`4267d6d0 fffff802`1f13223f : 00000000`00008000 fffff802`00000000 ffff8d0f`a982c790 fffff802`1f060ace : nt!KiPageFault+0x469
ffff8287`4267d860 fffff802`1f31a646 : 00000000`00000000 ffff8d0f`b4b5a080 00000000`00000000 00000000`00000000 : nt!KiCheckPreferredHeteroProcessor+0x4f
ffff8287`4267d8d0 fffff802`1f31a4a4 : 00000000`00000004 ffff8287`4267d998 ffff8287`4267d990 ffffe200`2c3d5180 : nt!KiSendHeteroRescheduleIntRequestHelper+0x156
ffff8287`4267d960 fffff802`1f235634 : ffffe200`ffffffff 00000000`00000000 ffff5422`d9b134f2 00000000`00080000 : nt!KiSendHeteroRescheduleIntRequest+0x74
ffff8287`4267d990 fffff802`1f064d7f : ffff8d0f`00000003 00000000`00000002 00000000`00000000 ffffffff`00000000 : nt!KiSwapThread+0x1d02e4
ffff8287`4267da40 fffff802`1f0686b3 : 00000154`00000000 ffff8287`00000000 ffff8287`4267db00 00000000`00000001 : nt!KiCommitThreadWait+0x14f
ffff8287`4267dae0 fffff802`1f10a567 : fffff802`1fa16560 00000000`00000000 00000000`00000000 ffff8d0f`00000000 : nt!KeRemoveQueueEx+0x263
ffff8287`4267db80 fffff802`1f1b27db : ffff8d0f`b46f54b0 00000000`00000080 00000000`00000000 00000000`00000000 : nt!KeRemoveQueue+0x27
ffff8287`4267dbc0 fffff802`1f117e85 : ffff8d0f`a982c140 fffff802`1f1b27a0 00000000`00000000 01153782`01040106 : nt!ExpWorkerFactoryManagerThread+0x3b
ffff8287`4267dc10 fffff802`1f1fd498 : ffffe200`2c3d5180 ffff8d0f`a982c140 fffff802`1f117e30 03060f30`86010203 : nt!PspSystemThreadStartup+0x55
ffff8287`4267dc60 00000000`00000000 : ffff8287`4267e000 ffff8287`42678000 00000000`00000000 00000000`00000000 : nt!KiStartSystemThread+0x28
SYMBOL_NAME: nt!KiCheckPreferredHeteroProcessor+4f
MODULE_NAME: nt
IMAGE_NAME: ntkrnlmp.exe
IMAGE_VERSION: 10.0.19041.928
STACK_COMMAND: .thread ; .cxr ; kb
BUCKET_ID_FUNC_OFFSET: 4f
FAILURE_BUCKET_ID: AV_nt!KiCheckPreferredHeteroProcessor
OS_VERSION: 10.0.19041.1
BUILDLAB_STR: vb_release
OSPLATFORM_TYPE: x64
OSNAME: Windows 10
FAILURE_ID_HASH: {068240a0-d6bc-90c5-8c43-0941c938c453}
Followup: MachineOwner
---------
IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.
Arguments:
Arg1: 0000000000007ec0, memory referenced
Arg2: 00000000000000ff, IRQL
Arg3: 00000000000000c4, bitfield :
bit 0 : value 0 = read operation, 1 = write operation
bit 3 : value 0 = not an execute operation, 1 = execute operation (only on chips which support this level of status)
Arg4: fffff8022e006b1c, address which referenced memory
Debugging Details:
------------------
*** WARNING: Unable to verify timestamp for win32k.sys
KEY_VALUES_STRING: 1
Key : Analysis.CPU.mSec
Value: 7812
Key : Analysis.DebugAnalysisManager
Value: Create
Key : Analysis.Elapsed.mSec
Value: 21397
Key : Analysis.Init.CPU.mSec
Value: 952
Key : Analysis.Init.Elapsed.mSec
Value: 2150
Key : Analysis.Memory.CommitPeak.Mb
Value: 74
Key : WER.OS.Branch
Value: vb_release
Key : WER.OS.Timestamp
Value: 2019-12-06T14:06:00Z
Key : WER.OS.Version
Value: 10.0.19041.1
BUGCHECK_CODE: a
BUGCHECK_P1: 7ec0
BUGCHECK_P2: ff
BUGCHECK_P3: c4
BUGCHECK_P4: fffff8022e006b1c
READ_ADDRESS: fffff8022eafb390: Unable to get MiVisibleState
Unable to get NonPagedPoolStart
Unable to get NonPagedPoolEnd
Unable to get PagedPoolStart
Unable to get PagedPoolEnd
unable to get nt!MmSpecialPagesInUse
0000000000007ec0
BLACKBOXBSD: 1 (!blackboxbsd)
BLACKBOXNTFS: 1 (!blackboxntfs)
BLACKBOXPNP: 1 (!blackboxpnp)
BLACKBOXWINLOGON: 1
CUSTOMER_CRASH_COUNT: 1
PROCESS_NAME: System
TRAP_FRAME: ffffa088e4445840 -- (.trap 0xffffa088e4445840)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=0000668be88418d2 rbx=0000000000000000 rcx=9dd4346e11160000
rdx=0000668b00000000 rsi=0000000000000000 rdi=0000000000000000
rip=fffff8022e006b1c rsp=ffffa088e44459d0 rbp=ffffa088e4445ad0
r8=0000668be88418d2 r9=0000668be88418d2 r10=0000000000000000
r11=fffff80232b5eeb0 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up di pl nz na po nc
nt!KiRetireDpcList+0x20c:
fffff802`2e006b1c 4c2b87c07e0000 sub r8,qword ptr [rdi+7EC0h] ds:00000000`00007ec0=????????????????
Resetting default scope
STACK_TEXT:
ffffa088`e44456f8 fffff802`2e207d69 : 00000000`0000000a 00000000`00007ec0 00000000`000000ff 00000000`000000c4 : nt!KeBugCheckEx
ffffa088`e4445700 fffff802`2e204069 : ffffad01`51fd5180 00000000`00000004 ffffa088`e4445960 fffff802`2e007970 : nt!KiBugCheckDispatch+0x69
ffffa088`e4445840 fffff802`2e006b1c : 00000000`00000000 00000000`00000000 00000000`00140001 00000000`00000000 : nt!KiPageFault+0x469
ffffa088`e44459d0 fffff802`2e1f99ae : ffffffff`00000000 ffffad01`51fd5180 ffffad01`51fe01c0 ffffda89`46a61080 : nt!KiRetireDpcList+0x20c
ffffa088`e4445c60 00000000`00000000 : ffffa088`e4446000 ffffa088`e4440000 00000000`00000000 00000000`00000000 : nt!KiIdleLoop+0x9e
SYMBOL_NAME: nt!KiRetireDpcList+20c
MODULE_NAME: nt
IMAGE_NAME: ntkrnlmp.exe
IMAGE_VERSION: 10.0.19041.928
STACK_COMMAND: .thread ; .cxr ; kb
BUCKET_ID_FUNC_OFFSET: 20c
FAILURE_BUCKET_ID: AV_nt!KiRetireDpcList
OS_VERSION: 10.0.19041.1
BUILDLAB_STR: vb_release
OSPLATFORM_TYPE: x64
OSNAME: Windows 10
FAILURE_ID_HASH: {ed0bb485-7f7e-1f95-20ce-1dac811ad862}
Followup: MachineOwner
---------
DRIVER_OVERRAN_STACK_BUFFER (f7)
A driver has overrun a stack-based buffer. This overrun could potentially
allow a malicious user to gain control of this machine.
DESCRIPTION
A driver overran a stack-based buffer (or local variable) in a way that would
have overwritten the function's return address and jumped back to an arbitrary
address when the function returned. This is the classic "buffer overrun"
hacking attack and the system has been brought down to prevent a malicious user
from gaining complete control of it.
Do a kb to get a stack backtrace -- the last routine on the stack before the
buffer overrun handlers and bugcheck call is the one that overran its local
variable(s).
Arguments:
Arg1: fff02664ef1fe70f, Actual security check cookie from the stack
Arg2: 00006ffb091cf538, Expected security check cookie
Arg3: ffff9004f6e30ac7, Complement of the expected security check cookie
Arg4: 0000000000000000, zero
Debugging Details:
------------------
*** WARNING: Unable to verify timestamp for win32k.sys
KEY_VALUES_STRING: 1
Key : Analysis.CPU.mSec
Value: 4780
Key : Analysis.DebugAnalysisManager
Value: Create
Key : Analysis.Elapsed.mSec
Value: 16116
Key : Analysis.Init.CPU.mSec
Value: 983
Key : Analysis.Init.Elapsed.mSec
Value: 2001
Key : Analysis.Memory.CommitPeak.Mb
Value: 73
Key : WER.OS.Branch
Value: vb_release
Key : WER.OS.Timestamp
Value: 2019-12-06T14:06:00Z
Key : WER.OS.Version
Value: 10.0.19041.1
BUGCHECK_CODE: f7
BUGCHECK_P1: fff02664ef1fe70f
BUGCHECK_P2: 6ffb091cf538
BUGCHECK_P3: ffff9004f6e30ac7
BUGCHECK_P4: 0
SECURITY_COOKIE: Expected 00006ffb091cf538 found fff02664ef1fe70f
BLACKBOXBSD: 1 (!blackboxbsd)
BLACKBOXNTFS: 1 (!blackboxntfs)
BLACKBOXPNP: 1 (!blackboxpnp)
BLACKBOXWINLOGON: 1
CUSTOMER_CRASH_COUNT: 1
PROCESS_NAME: System
STACK_TEXT:
ffffa603`5ba45aa8 fffff800`42eb0ec5 : 00000000`000000f7 fff02664`ef1fe70f 00006ffb`091cf538 ffff9004`f6e30ac7 : nt!KeBugCheckEx
ffffa603`5ba45ab0 fffff800`42c70188 : 00000000`00000000 00001f80`00d3009b 00000000`00000003 00000000`00000002 : nt!_report_gsfailure+0x25
ffffa603`5ba45af0 fffff800`42df9964 : ffffffff`00000000 ffffd901`74fe01c0 ffffac0d`46c63080 00000000`00000264 : nt!PoIdle+0x3a8
ffffa603`5ba45c60 00000000`00000000 : ffffa603`5ba46000 ffffa603`5ba40000 00000000`00000000 00000000`00000000 : nt!KiIdleLoop+0x54
SYMBOL_NAME: nt!_report_gsfailure+25
MODULE_NAME: nt
IMAGE_NAME: ntkrnlmp.exe
IMAGE_VERSION: 10.0.19041.928
STACK_COMMAND: .thread ; .cxr ; kb
BUCKET_ID_FUNC_OFFSET: 25
FAILURE_BUCKET_ID: 0xF7_MISSING_GSFRAME_nt!_report_gsfailure
OS_VERSION: 10.0.19041.1
BUILDLAB_STR: vb_release
OSPLATFORM_TYPE: x64
OSNAME: Windows 10
FAILURE_ID_HASH: {82d2c1b5-b0cb-60a5-9a5d-78c8c4284f84}
Followup: MachineOwner
---------