BSOD KERNEL_SECURITY_CHECK_FAILURE (139) with process msedge.exe on Server 2022 Terminalserver

Question

Dear community,

we have a few Server 2022 Terminalserver, crashing ranmdomly with "BSOD KERNEL_SECURITY_CHECK_FAILURE (139)" caused by "msedge.exe" and error code "(NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application."

By company-policy Users have msedge.exe in autostart, showing them the local sharepoint intranet site with news when logging in.

We can reproduce BSOD by doing automated login / logoff using a tool after around 50 logins and there are no productive users working on it - just the testuser. We disabled autostart of msedge and now without edge we have done 400 logins without crash.

Any ideas why msedge.exe is crashing the server? Could it be smartscreen?

This setup is a combination of server 2022 terminalserver, with fslogix and crowdstrike.

---

This is the result from the minidump:

*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

KERNEL_SECURITY_CHECK_FAILURE (139)
A kernel component has corrupted a critical data structure.  The corruption
could potentially allow a malicious user to gain control of this machine.
Arguments:
Arg1: 0000000000000003, A LIST_ENTRY has been corrupted (i.e. double remove).
Arg2: ffffbd0fe3c09530, Address of the trap frame for the exception that caused the BugCheck
Arg3: ffffbd0fe3c09488, Address of the exception record for the exception that caused the BugCheck
Arg4: 0000000000000000, Reserved

Debugging Details:
------------------

KEY_VALUES_STRING: 1

    Key  : Analysis.CPU.mSec
    Value: 1937

    Key  : Analysis.Elapsed.mSec
    Value: 2038

    Key  : Analysis.IO.Other.Mb
    Value: 0

    Key  : Analysis.IO.Read.Mb
    Value: 0

    Key  : Analysis.IO.Write.Mb
    Value: 0

    Key  : Analysis.Init.CPU.mSec
    Value: 405

    Key  : Analysis.Init.Elapsed.mSec
    Value: 25691

    Key  : Analysis.Memory.CommitPeak.Mb
    Value: 97

    Key  : Bugcheck.Code.LegacyAPI
    Value: 0x139

    Key  : Dump.Attributes.AsUlong
    Value: 1008

    Key  : Dump.Attributes.DiagDataWrittenToHeader
    Value: 1

    Key  : Dump.Attributes.ErrorCode
    Value: 0

    Key  : Dump.Attributes.KernelGeneratedTriageDump
    Value: 1

    Key  : Dump.Attributes.LastLine
    Value: Dump completed successfully.

    Key  : Dump.Attributes.ProgressPercentage
    Value: 0

    Key  : FailFast.Name
    Value: CORRUPT_LIST_ENTRY

    Key  : FailFast.Type
    Value: 3

    Key  : Failure.Bucket
    Value: 0x139_3_CORRUPT_LIST_ENTRY_csagent!unknown_function

    Key  : Failure.Hash
    Value: {7426b4cc-64fd-f44e-8cfd-be51c497bc7e}

    Key  : Hypervisor.Enlightenments.Value
    Value: 13088

    Key  : Hypervisor.Enlightenments.ValueHex
    Value: 3320

    Key  : Hypervisor.Flags.AnyHypervisorPresent
    Value: 1

    Key  : Hypervisor.Flags.ApicEnlightened
    Value: 0

    Key  : Hypervisor.Flags.ApicVirtualizationAvailable
    Value: 0

    Key  : Hypervisor.Flags.AsyncMemoryHint
    Value: 0

    Key  : Hypervisor.Flags.CoreSchedulerRequested
    Value: 0

    Key  : Hypervisor.Flags.CpuManager
    Value: 0

    Key  : Hypervisor.Flags.DeprecateAutoEoi
    Value: 1

    Key  : Hypervisor.Flags.DynamicCpuDisabled
    Value: 0

    Key  : Hypervisor.Flags.Epf
    Value: 0

    Key  : Hypervisor.Flags.ExtendedProcessorMasks
    Value: 0

    Key  : Hypervisor.Flags.HardwareMbecAvailable
    Value: 0

    Key  : Hypervisor.Flags.MaxBankNumber
    Value: 0

    Key  : Hypervisor.Flags.MemoryZeroingControl
    Value: 0

    Key  : Hypervisor.Flags.NoExtendedRangeFlush
    Value: 1

    Key  : Hypervisor.Flags.NoNonArchCoreSharing
    Value: 0

    Key  : Hypervisor.Flags.Phase0InitDone
    Value: 1

    Key  : Hypervisor.Flags.PowerSchedulerQos
    Value: 0

    Key  : Hypervisor.Flags.RootScheduler
    Value: 0

    Key  : Hypervisor.Flags.SynicAvailable
    Value: 1

    Key  : Hypervisor.Flags.UseQpcBias
    Value: 0

    Key  : Hypervisor.Flags.Value
    Value: 536632

    Key  : Hypervisor.Flags.ValueHex
    Value: 83038

    Key  : Hypervisor.Flags.VpAssistPage
    Value: 1

    Key  : Hypervisor.Flags.VsmAvailable
    Value: 0

    Key  : Hypervisor.RootFlags.AccessStats
    Value: 0

    Key  : Hypervisor.RootFlags.CrashdumpEnlightened
    Value: 0

    Key  : Hypervisor.RootFlags.CreateVirtualProcessor
    Value: 0

    Key  : Hypervisor.RootFlags.DisableHyperthreading
    Value: 0

    Key  : Hypervisor.RootFlags.HostTimelineSync
    Value: 0

    Key  : Hypervisor.RootFlags.HypervisorDebuggingEnabled
    Value: 0

    Key  : Hypervisor.RootFlags.IsHyperV
    Value: 0

    Key  : Hypervisor.RootFlags.LivedumpEnlightened
    Value: 0

    Key  : Hypervisor.RootFlags.MapDeviceInterrupt
    Value: 0

    Key  : Hypervisor.RootFlags.MceEnlightened
    Value: 0

    Key  : Hypervisor.RootFlags.Nested
    Value: 0

    Key  : Hypervisor.RootFlags.StartLogicalProcessor
    Value: 0

    Key  : Hypervisor.RootFlags.Value
    Value: 0

    Key  : Hypervisor.RootFlags.ValueHex
    Value: 0

BUGCHECK_CODE:  139

BUGCHECK_P1: 3

BUGCHECK_P2: ffffbd0fe3c09530

BUGCHECK_P3: ffffbd0fe3c09488

BUGCHECK_P4: 0

FILE_IN_CAB:  112123-20828-01.dmp

DUMP_FILE_ATTRIBUTES: 0x1008
  Kernel Generated Triage Dump

TRAP_FRAME:  ffffbd0fe3c09530 -- (.trap 0xffffbd0fe3c09530)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=ffff8008a02cb290 rbx=0000000000000000 rcx=0000000000000003
rdx=0000000000000000 rsi=0000000000000000 rdi=0000000000000000
rip=fffff8047f3fb270 rsp=ffffbd0fe3c096c0 rbp=ffff8008959b05f0
 r8=00000000ffffffff  r9=7fff8008a13a4c50 r10=7ffffffffffffffc
r11=0000000000000784 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei ng nz na po cy
FLTMGR!FltpGetFileListCtrl+0x1a8:
fffff804`7f3fb270 cd29            int     29h
Resetting default scope

EXCEPTION_RECORD:  ffffbd0fe3c09488 -- (.exr 0xffffbd0fe3c09488)
ExceptionAddress: fffff8047f3fb270 (FLTMGR!FltpGetFileListCtrl+0x00000000000001a8)
   ExceptionCode: c0000409 (Security check failure or stack buffer overrun)
  ExceptionFlags: 00000001
NumberParameters: 1
   Parameter[0]: 0000000000000003
Subcode: 0x3 FAST_FAIL_CORRUPT_LIST_ENTRY 

BLACKBOXBSD: 1 (!blackboxbsd)

BLACKBOXNTFS: 1 (!blackboxntfs)

BLACKBOXPNP: 1 (!blackboxpnp)

BLACKBOXWINLOGON: 1

CUSTOMER_CRASH_COUNT:  1

PROCESS_NAME:  msedge.exe

ERROR_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.

EXCEPTION_CODE_STR:  c0000409

EXCEPTION_PARAMETER1:  0000000000000003

EXCEPTION_STR:  0xc0000409

STACK_TEXT:  
ffffbd0f`e3c09208 fffff804`7e443f69     : 00000000`00000139 00000000`00000003 ffffbd0f`e3c09530 ffffbd0f`e3c09488 : nt!KeBugCheckEx
ffffbd0f`e3c09210 fffff804`7e4444f2     : 00000000`00000001 fffff804`7e28295b ffffffff`ffffffff ffffbd0f`0000003a : nt!KiBugCheckDispatch+0x69
ffffbd0f`e3c09350 fffff804`7e44239e     : ffffbd0f`e3c098d8 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiFastFailDispatch+0xb2
ffffbd0f`e3c09530 fffff804`7f3fb270     : 00000000`00000000 ffff8008`959b05f0 ffff8008`a193e480 fffff804`7f3f9daf : nt!KiRaiseSecurityCheckFailure+0x31e
ffffbd0f`e3c096c0 fffff804`7f3faf06     : ffffc002`84b4add0 ffff8008`a02cb260 00000000`00000000 ffffbd0f`e3c097f0 : FLTMGR!FltpGetFileListCtrl+0x1a8
ffffbd0f`e3c09710 fffff804`7f3fae83     : ffffbd0f`e3c09880 ffffbd0f`e3c09840 ffff8008`99d78b00 ffffc002`84b4ae30 : FLTMGR!SetContextIntoFileList+0x6e
ffffbd0f`e3c09780 fffff803`a20ba5dc     : 00210000`00023cf1 ffffbd0f`e3c09840 ffffa32b`8aa3ebae ffffbd0f`e3c09a10 : FLTMGR!FltSetFileContext+0x23
ffffbd0f`e3c097c0 00210000`00023cf1     : ffffbd0f`e3c09840 ffffa32b`8aa3ebae ffffbd0f`e3c09a10 ffffbd0f`e3c097f0 : csagent+0x7a5dc
ffffbd0f`e3c097c8 ffffbd0f`e3c09840     : ffffa32b`8aa3ebae ffffbd0f`e3c09a10 ffffbd0f`e3c097f0 00000000`00000000 : 0x00210000`00023cf1
ffffbd0f`e3c097d0 ffffa32b`8aa3ebae     : ffffbd0f`e3c09a10 ffffbd0f`e3c097f0 00000000`00000000 00000000`00000000 : 0xffffbd0f`e3c09840
ffffbd0f`e3c097d8 ffffbd0f`e3c09a10     : ffffbd0f`e3c097f0 00000000`00000000 00000000`00000000 ffffa32b`8aa3ebee : 0xffffa32b`8aa3ebae
ffffbd0f`e3c097e0 ffffbd0f`e3c097f0     : 00000000`00000000 00000000`00000000 ffffa32b`8aa3ebee ffffc002`84b4ae30 : 0xffffbd0f`e3c09a10
ffffbd0f`e3c097e8 00000000`00000000     : 00000000`00000000 ffffa32b`8aa3ebee ffffc002`84b4ae30 fffff803`a20b9a6d : 0xffffbd0f`e3c097f0

SYMBOL_NAME:  csagent+7a5dc

MODULE_NAME: csagent

IMAGE_NAME:  csagent.sys

STACK_COMMAND:  .cxr; .ecxr ; kb

BUCKET_ID_FUNC_OFFSET:  7a5dc

FAILURE_BUCKET_ID:  0x139_3_CORRUPT_LIST_ENTRY_csagent!unknown_function

OSPLATFORM_TYPE:  x64

OSNAME:  Windows 10

FAILURE_ID_HASH:  {7426b4cc-64fd-f44e-8cfd-be51c497bc7e}

Followup:     MachineOwner
---------

Answer 1

Hello

Thank you for posting in Microsoft Community forum.

It seems like the system encountered a KERNEL_SECURITY_CHECK_FAILURE (139) error. This error often occurs due to corruption in a critical data structure, allowing potential exploitation by a malicious user.

The issue appears to involve a corruption in a LIST_ENTRY, specifically a double removal. This type of corruption could potentially enable a malicious user to gain control of the machine.

The process msedge.exe (Microsoft Edge) was running when this crash occurred, and it seems the faulting module is csagent.sys. Owned by CrowdStrike Ltd.

Here are some steps you might consider:

Update Drivers: Ensure all your drivers, especially the one associated with csagent.sys, are up-to-date. Check the manufacturer's website or use automated driver update tools.

Run Security Checks: Perform a thorough antivirus and antimalware scan to ensure there's no active threat causing this issue.

System File Checker: Run the System File Checker tool (sfc /scannow) in Command Prompt as an administrator to check for and repair any corrupted system files.

Windows Update: Make sure your Windows operating system is fully updated. Sometimes, system updates contain patches for such issues.

Check Hardware: Although less likely, hardware issues could also cause such errors. Running diagnostic tools to check the health of your hardware, especially storage drives, might be a good idea.

If the issue persists even after these steps, it might be helpful to analyze further logs or perform debugging using tools like WinDbg to pinpoint the exact cause.

Answer 2

Hi Wei Li,

thank you for the response.

We already had a case open with Crowdstrike and this is what they tell us:

---

Our internal team has finished reviewing your issue and provided the following feedback.

A filter below us in the stack is using Shadow File Objects.

One of those file objects is finding its way to the top of the stack,

which in turn makes its way to us.

We try to set a context on it, but because that file object isn't valid at our altitude, it crashes the fltmgr.

This is most likely an FsLogix issue and the customer should raise a ticket with Microsoft (who own FsLogix).

---

We also have a case open with Microsoft for FsLogix, but still no response since almost one month.

That is why I tried to exclude msedge.exe, because msedge.exe was listed in most of the dumps as "PROCESS_NAME".

msedge.exe is auto-starting on logon and opening the local sharepoint intranet site. Once I disabled autostart for msedge.exe, the server did not crash anymore for around 500 logins/logoffs (we use a tool to do automated logons and logoffs to reproduce the BSOD).

sfc /scannow did tell me "Windows Resource Protection did not find any integrity violations."

I reenabled autostart of medge.exe and the server started crashing again - so I disabled SmartScreen, because I found some discussions from where Cylance and Crowdstrike had some incompatibilities:

https://www.reddit.com/r/crowdstrike/comments/muul48/might_have_found_a_bug_w_win10_20h2_cs_edge/

But even after disabling SmartScreen the server crashed once unil now ( started the test 1 hour ago and have it still running) - but this time it was not msedge.exe - but "PROCESS_NAME: svchost.exe".

Here the full details from minidump:

*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

KERNEL_SECURITY_CHECK_FAILURE (139)
A kernel component has corrupted a critical data structure.  The corruption
could potentially allow a malicious user to gain control of this machine.
Arguments:
Arg1: 0000000000000003, A LIST_ENTRY has been corrupted (i.e. double remove).
Arg2: ffff9b8edcc7c530, Address of the trap frame for the exception that caused the BugCheck
Arg3: ffff9b8edcc7c488, Address of the exception record for the exception that caused the BugCheck
Arg4: 0000000000000000, Reserved

Debugging Details:
------------------

KEY_VALUES_STRING: 1

    Key  : Analysis.CPU.mSec
    Value: 2171

    Key  : Analysis.Elapsed.mSec
    Value: 3399

    Key  : Analysis.IO.Other.Mb
    Value: 0

    Key  : Analysis.IO.Read.Mb
    Value: 0

    Key  : Analysis.IO.Write.Mb
    Value: 0

    Key  : Analysis.Init.CPU.mSec
    Value: 249

    Key  : Analysis.Init.Elapsed.mSec
    Value: 10257

    Key  : Analysis.Memory.CommitPeak.Mb
    Value: 87

    Key  : Bugcheck.Code.LegacyAPI
    Value: 0x139

    Key  : Dump.Attributes.AsUlong
    Value: 1008

    Key  : Dump.Attributes.DiagDataWrittenToHeader
    Value: 1

    Key  : Dump.Attributes.ErrorCode
    Value: 0

    Key  : Dump.Attributes.KernelGeneratedTriageDump
    Value: 1

    Key  : Dump.Attributes.LastLine
    Value: Dump completed successfully.

    Key  : Dump.Attributes.ProgressPercentage
    Value: 0

    Key  : FailFast.Name
    Value: CORRUPT_LIST_ENTRY

    Key  : FailFast.Type
    Value: 3

    Key  : Failure.Bucket
    Value: 0x139_3_CORRUPT_LIST_ENTRY_csagent!unknown_function

    Key  : Failure.Hash
    Value: {7426b4cc-64fd-f44e-8cfd-be51c497bc7e}

    Key  : Hypervisor.Enlightenments.Value
    Value: 13088

    Key  : Hypervisor.Enlightenments.ValueHex
    Value: 3320

    Key  : Hypervisor.Flags.AnyHypervisorPresent
    Value: 1

    Key  : Hypervisor.Flags.ApicEnlightened
    Value: 0

    Key  : Hypervisor.Flags.ApicVirtualizationAvailable
    Value: 0

    Key  : Hypervisor.Flags.AsyncMemoryHint
    Value: 0

    Key  : Hypervisor.Flags.CoreSchedulerRequested
    Value: 0

    Key  : Hypervisor.Flags.CpuManager
    Value: 0

    Key  : Hypervisor.Flags.DeprecateAutoEoi
    Value: 1

    Key  : Hypervisor.Flags.DynamicCpuDisabled
    Value: 0

    Key  : Hypervisor.Flags.Epf
    Value: 0

    Key  : Hypervisor.Flags.ExtendedProcessorMasks
    Value: 0

    Key  : Hypervisor.Flags.HardwareMbecAvailable
    Value: 0

    Key  : Hypervisor.Flags.MaxBankNumber
    Value: 0

    Key  : Hypervisor.Flags.MemoryZeroingControl
    Value: 0

    Key  : Hypervisor.Flags.NoExtendedRangeFlush
    Value: 1

    Key  : Hypervisor.Flags.NoNonArchCoreSharing
    Value: 0

    Key  : Hypervisor.Flags.Phase0InitDone
    Value: 1

    Key  : Hypervisor.Flags.PowerSchedulerQos
    Value: 0

    Key  : Hypervisor.Flags.RootScheduler
    Value: 0

    Key  : Hypervisor.Flags.SynicAvailable
    Value: 1

    Key  : Hypervisor.Flags.UseQpcBias
    Value: 0

    Key  : Hypervisor.Flags.Value
    Value: 536632

    Key  : Hypervisor.Flags.ValueHex
    Value: 83038

    Key  : Hypervisor.Flags.VpAssistPage
    Value: 1

    Key  : Hypervisor.Flags.VsmAvailable
    Value: 0

    Key  : Hypervisor.RootFlags.AccessStats
    Value: 0

    Key  : Hypervisor.RootFlags.CrashdumpEnlightened
    Value: 0

    Key  : Hypervisor.RootFlags.CreateVirtualProcessor
    Value: 0

    Key  : Hypervisor.RootFlags.DisableHyperthreading
    Value: 0

    Key  : Hypervisor.RootFlags.HostTimelineSync
    Value: 0

    Key  : Hypervisor.RootFlags.HypervisorDebuggingEnabled
    Value: 0

    Key  : Hypervisor.RootFlags.IsHyperV
    Value: 0

    Key  : Hypervisor.RootFlags.LivedumpEnlightened
    Value: 0

    Key  : Hypervisor.RootFlags.MapDeviceInterrupt
    Value: 0

    Key  : Hypervisor.RootFlags.MceEnlightened
    Value: 0

    Key  : Hypervisor.RootFlags.Nested
    Value: 0

    Key  : Hypervisor.RootFlags.StartLogicalProcessor
    Value: 0

    Key  : Hypervisor.RootFlags.Value
    Value: 0

    Key  : Hypervisor.RootFlags.ValueHex
    Value: 0

BUGCHECK_CODE:  139

BUGCHECK_P1: 3

BUGCHECK_P2: ffff9b8edcc7c530

BUGCHECK_P3: ffff9b8edcc7c488

BUGCHECK_P4: 0

FILE_IN_CAB:  112423-24906-01.dmp

DUMP_FILE_ATTRIBUTES: 0x1008
  Kernel Generated Triage Dump

TRAP_FRAME:  ffff9b8edcc7c530 -- (.trap 0xffff9b8edcc7c530)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=ffffd389a752b4a0 rbx=0000000000000000 rcx=0000000000000003
rdx=0000000000000000 rsi=0000000000000000 rdi=0000000000000000
rip=fffff80079b2b270 rsp=ffff9b8edcc7c6c0 rbp=ffffd389a26635b0
 r8=00000000ffffffff  r9=7fffc204a15a55b8 r10=7ffffffffffffffc
r11=ffff9b8edcc7c678 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei ng nz na po cy
FLTMGR!FltpGetFileListCtrl+0x1a8:
fffff800`79b2b270 cd29            int     29h
Resetting default scope

EXCEPTION_RECORD:  ffff9b8edcc7c488 -- (.exr 0xffff9b8edcc7c488)
ExceptionAddress: fffff80079b2b270 (FLTMGR!FltpGetFileListCtrl+0x00000000000001a8)
   ExceptionCode: c0000409 (Security check failure or stack buffer overrun)
  ExceptionFlags: 00000001
NumberParameters: 1
   Parameter[0]: 0000000000000003
Subcode: 0x3 FAST_FAIL_CORRUPT_LIST_ENTRY 

BLACKBOXBSD: 1 (!blackboxbsd)

BLACKBOXNTFS: 1 (!blackboxntfs)

BLACKBOXPNP: 1 (!blackboxpnp)

BLACKBOXWINLOGON: 1

CUSTOMER_CRASH_COUNT:  1

PROCESS_NAME:  svchost.exe

ERROR_CODE: (NTSTATUS) 0xc0000409 - Das System hat in dieser Anwendung den  berlauf eines stapelbasierten Puffers ermittelt. Dieser  berlauf k nnte einem b sartigen Benutzer erm glichen, die Steuerung der Anwendung zu  bernehmen.

EXCEPTION_CODE_STR:  c0000409

EXCEPTION_PARAMETER1:  0000000000000003

EXCEPTION_STR:  0xc0000409

STACK_TEXT:  
ffff9b8e`dcc7c208 fffff800`78c36f69     : 00000000`00000139 00000000`00000003 ffff9b8e`dcc7c530 ffff9b8e`dcc7c488 : nt!KeBugCheckEx
ffff9b8e`dcc7c210 fffff800`78c374f2     : ffffd389`a7513000 fffff800`78a7595b ffffffff`ffffffff ffff9b8e`00000028 : nt!KiBugCheckDispatch+0x69
ffff9b8e`dcc7c350 fffff800`78c3539e     : fffff800`79b246a6 fffff800`79b26872 00000000`00000000 fffff800`78a4b205 : nt!KiFastFailDispatch+0xb2
ffff9b8e`dcc7c530 fffff800`79b2b270     : 00000000`00000000 ffffd389`a26635b0 ffffd389`a752b470 fffff800`79b29daf : nt!KiRaiseSecurityCheckFailure+0x31e
ffff9b8e`dcc7c6c0 fffff800`79b2af06     : ffffc204`bc13b470 ffffd389`a752b470 00000000`00000000 ffff9b8e`dcc7c7f0 : FLTMGR!FltpGetFileListCtrl+0x1a8
ffff9b8e`dcc7c710 fffff800`79b2ae83     : ffff9b8e`dcc7c880 ffff9b8e`dcc7c840 ffffd389`ad34eb00 ffffc204`bc13b4d0 : FLTMGR!SetContextIntoFileList+0x6e
ffff9b8e`dcc7c780 fffff800`e48fa5dc     : 00000000`00000000 ffff9b8e`dcc7c840 ffff04d5`cdaea11a fffff800`79b300de : FLTMGR!FltSetFileContext+0x23
ffff9b8e`dcc7c7c0 00000000`00000000     : ffff9b8e`dcc7c840 ffff04d5`cdaea11a fffff800`79b300de ffff9b8e`dcc7c7f0 : csagent+0x7a5dc

SYMBOL_NAME:  csagent+7a5dc

MODULE_NAME: csagent

IMAGE_NAME:  csagent.sys

STACK_COMMAND:  .cxr; .ecxr ; kb

BUCKET_ID_FUNC_OFFSET:  7a5dc

FAILURE_BUCKET_ID:  0x139_3_CORRUPT_LIST_ENTRY_csagent!unknown_function

OSPLATFORM_TYPE:  x64

OSNAME:  Windows 10

FAILURE_ID_HASH:  {7426b4cc-64fd-f44e-8cfd-be51c497bc7e}

Followup:     MachineOwner
---------

Answer 3

If you want to understand the root cause of BSOD, mini dump may not provide enough information. It is recommended to collect kernel dump or full dump, and then contact Microsoft online support engineers for analysis.

Global Customer Service phone numbers - Microsoft Support