Problem description
I have been running into intermittent 0x139 KERNEL_SECURITY_CHECK_FAILURE blue screens with a first parameter of 0x3 on my Windows 8.1 laptop, every 20 minutes to an hour. These crashes happen in NETIO.SYS, in NsiEnumerateObjectsAllParametersEx or NsiGetParameterEx. The system runs fine in Safe Mode with Networking.
I have several crash dumps available for download here, as well as a full memory dump of one crash stored inside for further analysis.
Analysis 1: NsiEnumerateObjectsAllParametersEx
************* Symbol Path validation summary **************
Response Time (ms) Location
Deferred SRV*E:\sysdebug\debug-symbols*http://msdl.microsoft.com/download/symbols
Symbol search path is: SRV*E:\sysdebug\debug-symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows 8 Kernel Version 9600 MP (8 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 9600.17476.amd64fre.winblue_r5.141029-1500
Machine Name:
Kernel base = 0xfffff802`44e1f000 PsLoadedModuleList = 0xfffff802`450f8250
Debug session time: Fri Jan 2 16:52:43.919 2015 (UTC - 5:00)
System Uptime: 0 days 0:25:05.631
Loading Kernel Symbols
.
Press ctrl-c (cdb, kd, ntsd) or ctrl-break (windbg) to abort symbol loads that take too long.
Run !sym noisy before .reload to track down problems loading symbols.
..............................................................
................................................................
...........................................................
Loading User Symbols
Loading unloaded module list
.............
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck 139, {3, ffffd000d8d4f1b0, ffffd000d8d4f108, 0}
Probably caused by : NETIO.SYS ( NETIO!NsiEnumerateObjectsAllParametersEx+20d )
Followup: MachineOwner
---------
1: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
KERNEL_SECURITY_CHECK_FAILURE (139)
A kernel component has corrupted a critical data structure. The corruption
could potentially allow a malicious user to gain control of this machine.
Arguments:
Arg1: 0000000000000003, A LIST_ENTRY has been corrupted (i.e. double remove).
Arg2: ffffd000d8d4f1b0, Address of the trap frame for the exception that caused the bugcheck
Arg3: ffffd000d8d4f108, Address of the exception record for the exception that caused the bugcheck
Arg4: 0000000000000000, Reserved
Debugging Details:
------------------
DUMP_FILE_ATTRIBUTES: 0xc
Insufficient Dumpfile Size
Kernel Generated Triage Dump
TRAP_FRAME: ffffd000d8d4f1b0 -- (.trap 0xffffd000d8d4f1b0)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=ffffe0019759fef0 rbx=0000000000000000 rcx=0000000000000003
rdx=ffffe00194b53ef0 rsi=0000000000000000 rdi=0000000000000000
rip=fffff80110e5f30d rsp=ffffd000d8d4f340 rbp=ffffe00194b5ea20
r8=0000000000000000 r9=0000000000000002 r10=ffffe0019635db50
r11=ffffe00192d21fbc r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei pl nz na po nc
ndis!ndisNsiEnumerateAllInterfaceInformation+0x25c0d:
fffff801`10e5f30d cd29 int 29h
Resetting default scope
EXCEPTION_RECORD: ffffd000d8d4f108 -- (.exr 0xffffd000d8d4f108)
ExceptionAddress: fffff80110e5f30d (ndis!ndisNsiEnumerateAllInterfaceInformation+0x0000000000025c0d)
ExceptionCode: c0000409 (Security check failure or stack buffer overrun)
ExceptionFlags: 00000001
NumberParameters: 1
Parameter[0]: 0000000000000003
CUSTOMER_CRASH_COUNT: 1
DEFAULT_BUCKET_ID: LIST_ENTRY_CORRUPT
BUGCHECK_STR: 0x139
PROCESS_NAME: svchost.exe
CURRENT_IRQL: 2
ERROR_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.
EXCEPTION_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.
EXCEPTION_PARAMETER1: 0000000000000003
ANALYSIS_VERSION: 6.3.9600.17298 (debuggers(dbg).141024-1500) amd64fre
LAST_CONTROL_TRANSFER: from fffff80244f7b5e9 to fffff80244f6faa0
STACK_TEXT:
ffffd000`d8d4ee88 fffff802`44f7b5e9 : 00000000`00000139 00000000`00000003 ffffd000`d8d4f1b0 ffffd000`d8d4f108 : nt!KeBugCheckEx
ffffd000`d8d4ee90 fffff802`44f7b910 : ffff6bcf`07601f7c ffffd000`d8d4f278 ffffc001`d1bcd060 ffffe001`92d1c698 : nt!KiBugCheckDispatch+0x69
ffffd000`d8d4efd0 fffff802`44f7ab34 : 00000000`00000000 ffffe001`99965501 ffffd000`d8d4f3d4 00000000`00000000 : nt!KiFastFailDispatch+0xd0
ffffd000`d8d4f1b0 fffff801`10e5f30d : 00000000`ffffe001 00000000`00000000 ffffe001`94b5ea20 ffffe001`94b5eef0 : nt!KiRaiseSecurityCheckFailure+0xf4
ffffd000`d8d4f340 fffff801`10f4e308 : ffffd000`d8d4f580 00000000`00000000 ffffe001`92d1c002 00000000`00000008 : ndis!ndisNsiEnumerateAllInterfaceInformation+0x25c0d
ffffd000`d8d4f460 fffff801`11664fc1 : ffffe001`92d1c000 00000000`00000070 00000065`7450f270 ffffd000`d8d4f668 : NETIO!NsiEnumerateObjectsAllParametersEx+0x20d
ffffd000`d8d4f650 fffff801`11664bea : 00000000`00000000 ffffe001`99a432a0 ffffe001`99a431d0 00000000`00000000 : nsiproxy!NsippEnumerateObjectsAllParameters+0x201
ffffd000`d8d4f840 fffff802`452001ef : 00000000`00000000 ffffe001`99a431d0 ffffe001`99a431d0 00000000`00000001 : nsiproxy!NsippDispatch+0x5a
ffffd000`d8d4f880 fffff802`451ff78e : ffffd000`d8d4fa38 00000000`00000000 00000000`00000000 00000000`00000000 : nt!IopXxxControlFile+0xa4f
ffffd000`d8d4fa20 fffff802`44f7b2b3 : ffffe001`999a4080 fffff6fb`001f0003 00000065`7450f0e8 fffff680`00000001 : nt!NtDeviceIoControlFile+0x56
ffffd000`d8d4fa90 00007ffe`07350cba : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13
00000065`7450f168 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x00007ffe`07350cba
STACK_COMMAND: kb
FOLLOWUP_IP:
NETIO!NsiEnumerateObjectsAllParametersEx+20d
fffff801`10f4e308 8bd8 mov ebx,eax
SYMBOL_STACK_INDEX: 5
SYMBOL_NAME: NETIO!NsiEnumerateObjectsAllParametersEx+20d
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: NETIO
IMAGE_NAME: NETIO.SYS
DEBUG_FLR_IMAGE_TIMESTAMP: 546029c5
IMAGE_VERSION: 6.3.9600.17485
BUCKET_ID_FUNC_OFFSET: 20d
FAILURE_BUCKET_ID: 0x139_3_NETIO!NsiEnumerateObjectsAllParametersEx
BUCKET_ID: 0x139_3_NETIO!NsiEnumerateObjectsAllParametersEx
ANALYSIS_SOURCE: KM
FAILURE_ID_HASH_STRING: km:0x139_3_netio!nsienumerateobjectsallparametersex
FAILURE_ID_HASH: {647902b7-14c2-326a-6aea-d9b7b6d3d895}
Followup: MachineOwner
---------
Output from WhoCrashed Professional
Crash dump file: E:\sysdebug\dumps\010215-8234-01.dmp
Date/time: 1/2/2015 4:20:01 PM GMT
Uptime: 00:20:35
Machine: DRAGON
Bug check name: KERNEL_SECURITY_CHECK_FAILURE
Bug check code: 0x139
Bug check parm 1: 0x3
Bug check parm 2: 0xFFFFD0002E50A1B0
Bug check parm 3: 0xFFFFD0002E50A108
Bug check parm 4: 0x0
Probably caused by: ndis.sys
Driver description: Network Driver Interface Specification (NDIS)
Driver product: Microsoft® Windows® Operating System
Driver company: Microsoft Corporation
OS build: Built by: 9600.17476.amd64fre.winblue_r5.141029-1500
Architecture: x64 (64 bit)
CPU count: 8
Page size: 4096
Bug check description:
The kernel has detected the corruption of a critical data structure.
Comments:
The crash took place in a standard Microsoft module. Your system configuration may be incorrect. Possibly this problem is caused by another driver on your system that cannot be identified at this time.
Analysis 2: NsiGetParameterEx
Full memory dump
************* Symbol Path validation summary **************
Response Time (ms) Location
Deferred SRV*E:\sysdebug\debug-symbols*http://msdl.microsoft.com/download/symbols
Loading Dump File [E:\sysdebug\MEMORY.DMP]
Kernel Bitmap Dump File: Full address space is available
************* Symbol Path validation summary **************
Response Time (ms) Location
Deferred SRV*E:\sysdebug\debug-symbols*http://msdl.microsoft.com/download/symbols
Symbol search path is: SRV*E:\sysdebug\debug-symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows 8 Kernel Version 9600 MP (8 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 9600.17476.amd64fre.winblue_r5.141029-1500
Machine Name:
Kernel base = 0xfffff801`dde72000 PsLoadedModuleList = 0xfffff801`de14b250
Debug session time: Fri Jan 2 17:17:38.437 2015 (UTC - 5:00)
System Uptime: 0 days 0:22:01.150
Loading Kernel Symbols
...............................................................
................................................................
...........................................................
Loading User Symbols
................................................................
...................................
Loading unloaded module list
..............................
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck 139, {3, ffffd001cb3d0310, ffffd001cb3d0268, 0}
Probably caused by : NETIO.SYS ( NETIO!NsiGetParameterEx+222 )
Followup: MachineOwner
---------
0: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
KERNEL_SECURITY_CHECK_FAILURE (139)
A kernel component has corrupted a critical data structure. The corruption
could potentially allow a malicious user to gain control of this machine.
Arguments:
Arg1: 0000000000000003, A LIST_ENTRY has been corrupted (i.e. double remove).
Arg2: ffffd001cb3d0310, Address of the trap frame for the exception that caused the bugcheck
Arg3: ffffd001cb3d0268, Address of the exception record for the exception that caused the bugcheck
Arg4: 0000000000000000, Reserved
Debugging Details:
------------------
TRAP_FRAME: ffffd001cb3d0310 -- (.trap 0xffffd001cb3d0310)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=ffffe00059100980 rbx=0000000000000000 rcx=0000000000000003
rdx=ffffe00055dbbef0 rsi=0000000000000000 rdi=0000000000000000
rip=fffff80084085a29 rsp=ffffd001cb3d04a0 rbp=0000000000000000
r8=0000000000000000 r9=0000000000000002 r10=ffffe000587d9040
r11=ffffe000591004b0 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei pl nz na pe nc
ndis!ndisNsiGetInterfaceInformation+0x22b49:
fffff800`84085a29 cd29 int 29h
Resetting default scope
EXCEPTION_RECORD: ffffd001cb3d0268 -- (.exr 0xffffd001cb3d0268)
ExceptionAddress: fffff80084085a29 (ndis!ndisNsiGetInterfaceInformation+0x0000000000022b49)
ExceptionCode: c0000409 (Security check failure or stack buffer overrun)
ExceptionFlags: 00000001
NumberParameters: 1
Parameter[0]: 0000000000000003
DEFAULT_BUCKET_ID: LIST_ENTRY_CORRUPT
BUGCHECK_STR: 0x139
PROCESS_NAME: svchost.exe
CURRENT_IRQL: 2
ERROR_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.
EXCEPTION_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.
EXCEPTION_PARAMETER1: 0000000000000003
ANALYSIS_VERSION: 6.3.9600.17298 (debuggers(dbg).141024-1500) amd64fre
LAST_CONTROL_TRANSFER: from fffff801ddfce5e9 to fffff801ddfc2aa0
STACK_TEXT:
ffffd001`cb3cffe8 fffff801`ddfce5e9 : 00000000`00000139 00000000`00000003 ffffd001`cb3d0310 ffffd001`cb3d0268 : nt!KeBugCheckEx
ffffd001`cb3cfff0 fffff801`ddfce910 : 00000000`00000000 ffffd001`00000001 ffffd001`cb3d01d8 00000000`00000000 : nt!KiBugCheckDispatch+0x69
ffffd001`cb3d0130 fffff801`ddfcdb34 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiFastFailDispatch+0xd0
ffffd001`cb3d0310 fffff800`84085a29 : 00000000`fffff801 00000000`00000000 ffffd001`cb3d0610 00000000`00000004 : nt!KiRaiseSecurityCheckFailure+0xf4
ffffd001`cb3d04a0 fffff800`8417b572 : ffffd001`cb3d0610 ffffe000`5d2f1602 ffffe000`5d2f1700 00000000`00000000 : ndis!ndisNsiGetInterfaceInformation+0x22b49
ffffd001`cb3d0550 fffff800`851cda25 : 00000000`00000050 00000000`00000050 ffffe000`55dc2010 00000000`00000000 : NETIO!NsiGetParameterEx+0x222
ffffd001`cb3d06b0 fffff800`851cdbe3 : 00000000`00000000 ffffe000`54a3c6b0 ffffe000`54a3c5e0 00000000`00000000 : nsiproxy!NsippGetParameter+0x195
ffffd001`cb3d0840 fffff801`de2531ef : 00000000`00000000 ffffe000`54a3c5e0 ffffe000`54a3c5e0 00000000`00000001 : nsiproxy!NsippDispatch+0x53
ffffd001`cb3d0880 fffff801`de25278e : ffffd001`cb3d0a38 00007fff`00000000 00000000`00000000 00000000`00000000 : nt!IopXxxControlFile+0xa4f
ffffd001`cb3d0a20 fffff801`ddfce2b3 : ffffe000`5a9ba080 000000d2`001f0003 000000d2`37e5ea98 fffff801`00000001 : nt!NtDeviceIoControlFile+0x56
ffffd001`cb3d0a90 00007fff`3ef90cba : 00007fff`3eef15f5 00000000`00000004 000000d2`37e5eba1 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13
000000d2`37e5eb18 00007fff`3eef15f5 : 00000000`00000004 000000d2`37e5eba1 00000000`00000000 00000000`00000000 : ntdll!NtDeviceIoControlFile+0xa
000000d2`37e5eb20 00007fff`3b245e0a : 00000000`00000001 000000d2`39ca0990 00000000`00000000 00000000`00000000 : NSI!NsiGetParameter+0xf5
000000d2`37e5ebe0 00007fff`3b245b86 : 00000000`00000001 00007fff`00000000 00000000`00000000 000000d2`37e5ecb0 : DNSAPI!IsInterfaceConnected+0x4e
000000d2`37e5ec40 00007fff`3b2464bf : 00000000`00000000 000000d2`00000007 00000000`00000000 000000d2`39c307f0 : DNSAPI!DnsUpdateMachinePresence+0x106
000000d2`37e5ed10 00007fff`3b24613d : 000000d2`3742eb50 000000d2`37e5f9a0 00000000`00000000 00000000`00000000 : DNSAPI!Query_InProcess+0xf9
000000d2`37e5ed40 00007fff`3b245fcc : 00000000`00000000 000000d2`37e5ee90 000000d2`39c307f0 000000d2`37e5fa18 : DNSAPI!InProc_InitiateQuery+0x15c
000000d2`37e5ed90 00007fff`3b243c3d : 00000000`00000000 00000008`00000002 00000000`00000000 00000000`00000001 : DNSAPI!Query_PrivateExW+0x961
000000d2`37e5f940 00007fff`3b244389 : 00003195`00000001 00001000`00440668 00000000`000000ff 000000d2`39c307f0 : DNSAPI!Query_Shim+0xd5
000000d2`37e5fa10 00007fff`34facfc4 : 00000000`00000010 000000d2`37e5f968 00000000`00000000 00000000`00010004 : DNSAPI!DnsQuery_W+0x39
000000d2`37e5fa60 00007fff`34fad037 : 000000d2`39c01f50 00000000`00000000 00000000`80000000 00000000`00000000 : dnsrslvr!Mcast_VerifyName+0x70
000000d2`37e5fab0 00007fff`34fad22e : 00000000`00000000 00007fff`34facf1e 00000000`00000000 00007fff`3c46158a : dnsrslvr!Mcast_VerifyEx+0x102
000000d2`37e5fd30 00007fff`34fad17b : 00000000`ffffffff 00000000`00000000 00000000`00000001 00000000`00000001 : dnsrslvr!Mcast_Verify+0x8e
000000d2`37e5fd80 00007fff`3edb13d2 : 00007fff`34faccc0 00000000`00000000 00000000`00000000 00000000`00000000 : dnsrslvr!Mcast_Thread+0x186
000000d2`37e5fdf0 00007fff`3ef703c4 : 00007fff`3edb13b0 00000000`00000000 00000000`00000000 00000000`00000000 : KERNEL32!BaseThreadInitThunk+0x22
000000d2`37e5fe20 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x34
STACK_COMMAND: kb
FOLLOWUP_IP:
NETIO!NsiGetParameterEx+222
fffff800`8417b572 8bd8 mov ebx,eax
SYMBOL_STACK_INDEX: 5
SYMBOL_NAME: NETIO!NsiGetParameterEx+222
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: NETIO
IMAGE_NAME: NETIO.SYS
DEBUG_FLR_IMAGE_TIMESTAMP: 546029c5
BUCKET_ID_FUNC_OFFSET: 222
FAILURE_BUCKET_ID: 0x139_3_NETIO!NsiGetParameterEx
BUCKET_ID: 0x139_3_NETIO!NsiGetParameterEx
ANALYSIS_SOURCE: KM
FAILURE_ID_HASH_STRING: km:0x139_3_netio!nsigetparameterex
FAILURE_ID_HASH: {863902cf-27d7-671f-3d7f-44a47e15711d}
Followup: MachineOwner
---------
Output from WhoCrashed Professional
Crash dump file: E:\sysdebug\dumps\MEMORY.DMP
Date/time: 1/2/2015 10:17:38 PM GMT
Uptime: 00:22:01
Machine: DRAGON
Bug check name: KERNEL_SECURITY_CHECK_FAILURE
Bug check code: 0x139
Bug check parm 1: 0x3
Bug check parm 2: 0xFFFFD001CB3D0310
Bug check parm 3: 0xFFFFD001CB3D0268
Bug check parm 4: 0x0
Probably caused by: ntdll.sys
Driver description:
Driver product:
Driver company:
OS build: Built by: 9600.17476.amd64fre.winblue_r5.141029-1500
Architecture: x64 (64 bit)
CPU count: 8
Page size: 4096
Bug check description:
The kernel has detected the corruption of a critical data structure.
Comments:
A third party driver was identified as the probable root cause of this system error. It is suggested you look for an update for the following driver: ntdll.sys .
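
Both dumps stop at `int 29h` with rcx=3 and Arg1 "A LIST_ENTRY has been corrupted (i.e. double remove)". The block below is an added example, not part of the original post and not Windows source: a user-mode C model of the link validation done before an entry is unlinked, showing why a second removal or an overwritten neighbour pointer trips it. All type and function names are hypothetical, and the model returns a code where the kernel would fast-fail.

```c
#include <stdio.h>

/* User-mode model of a kernel-style doubly linked list (hypothetical names). */
typedef struct list_entry { struct list_entry *flink, *blink; } list_entry;
enum { UNLINK_OK = 0, UNLINK_CORRUPT = 3 };  /* 3 mirrors Arg1 in the dumps */

static void list_init(list_entry *head) { head->flink = head->blink = head; }

static void list_insert_tail(list_entry *head, list_entry *e) {
    e->flink = head;
    e->blink = head->blink;
    head->blink->flink = e;
    head->blink = e;
}

/* Safe unlink: both neighbours must still point back at the entry.
 * The kernel raises a fast-fail (int 29h) here; this model returns a code. */
static int list_remove_checked(list_entry *e) {
    list_entry *next = e->flink, *prev = e->blink;
    if (next->blink != e || prev->flink != e)
        return UNLINK_CORRUPT;
    prev->flink = next;
    next->blink = prev;
    return UNLINK_OK;
}

/* Double remove: the neighbours were already relinked around the entry. */
static int demo_double_remove(void) {
    list_entry head, a, b;
    list_init(&head);
    list_insert_tail(&head, &a);
    list_insert_tail(&head, &b);
    if (list_remove_checked(&a) != UNLINK_OK) return -1;
    return list_remove_checked(&a);
}

/* A neighbour pointer overwritten by another component fails the same check. */
static int demo_overwritten_link(void) {
    list_entry head, a, b, stray;
    list_init(&head); list_init(&stray);
    list_insert_tail(&head, &a);
    list_insert_tail(&head, &b);
    b.blink = &stray;               /* simulated stray write */
    return list_remove_checked(&a);
}

int main(void) {
    printf("double remove -> %d, overwritten link -> %d\n", demo_double_remove(), demo_overwritten_link());
    return 0;
}
```

The check only reports where the inconsistency was noticed, so the faulting frame identifies the code that touched the list, not necessarily the code that damaged it.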