BSOD help

Anonymous
2023-08-21T14:19:10+00:00

My friend's PC will bluescreen randomly, then start back up fine. I grabbed the latest minidump file and ran it; something to do with USB hub. Can anyone help?

Windows 10 Kernel Version 22621 MP (16 procs) Free x64

Product: WinNt, suite: TerminalServer SingleUserTS Personal

Edition build lab: 22621.1928.amd64fre.ni_release_svc_prod3.230622-0951

Machine Name:

Kernel base = 0xfffff80759c00000 PsLoadedModuleList = 0xfffff8075a8130e0

Debug session time: Mon Aug 21 23:44:06.988 2023 (UTC + 10:00)

System Uptime: 9 days 23:12:44.416

Loading Kernel Symbols

...............................................................

................................................................

................................................................

.....................

Loading User Symbols

Loading unloaded module list

..................................................

For analysis of this file, run !analyze -v

14: kd> !analyze -v

*******************************************************************************

* *

* Bugcheck Analysis *

* *

*******************************************************************************

KERNEL_SECURITY_CHECK_FAILURE (139)

A kernel component has corrupted a critical data structure. The corruption

could potentially allow a malicious user to gain control of this machine.

Arguments:

Arg1: 0000000000000003, A LIST_ENTRY has been corrupted (i.e. double remove).

Arg2: ffffbc8cab1330e0, Address of the trap frame for the exception that caused the BugCheck

Arg3: ffffbc8cab133038, Address of the exception record for the exception that caused the BugCheck

Arg4: 0000000000000000, Reserved

Debugging Details:


*** WARNING: Unable to verify timestamp for hyperxuac_ciiw.sys

KEY_VALUES_STRING: 1

Key  : Analysis.CPU.mSec 

Value: 3484 

Key  : Analysis.DebugAnalysisManager 

Value: Create 

Key  : Analysis.Elapsed.mSec 

Value: 54709 

Key  : Analysis.Init.CPU.mSec 

Value: 984 

Key  : Analysis.Init.Elapsed.mSec 

Value: 111429 

Key  : Analysis.Memory.CommitPeak.Mb 

Value: 111 

Key  : FailFast.Name 

Value: CORRUPT_LIST_ENTRY

Key  : FailFast.Type 

Value: 3 

Key  : WER.OS.Branch 

Value: ni_release_svc_prod3

Key  : WER.OS.Timestamp 

Value: 2023-06-22T09:51:00Z 

Key  : WER.OS.Version 

Value: 10.0.22621.1928 

FILE_IN_CAB: 082123-43625-01.dmp

BUGCHECK_CODE: 139

BUGCHECK_P1: 3

BUGCHECK_P2: ffffbc8cab1330e0

BUGCHECK_P3: ffffbc8cab133038

BUGCHECK_P4: 0

TRAP_FRAME: ffffbc8cab1330e0 -- (.trap 0xffffbc8cab1330e0)

NOTE: The trap frame does not contain all registers.

Some register values may be zeroed or incorrect.

rax=0000000000000000 rbx=0000000000000000 rcx=0000000000000003

rdx=ffff93049baf6658 rsi=0000000000000000 rdi=0000000000000000

rip=fffff8076a0f02ea rsp=ffffbc8cab133270 rbp=fffff807c133d4a0

r8=ffff9304b0214a02 r9=ffff93049d099fb0 r10=fffff80759e852c0

r11=ffff6ffae9c00000 r12=0000000000000000 r13=0000000000000000

r14=0000000000000000 r15=0000000000000000

iopl=0 nv up ei pl nz ac pe cy

ucx01000!RootHub_USBDInterfaceV1Unregister+0xfa:

fffff807`6a0f02ea cd29 int 29h

Resetting default scope

EXCEPTION_RECORD: ffffbc8cab133038 -- (.exr 0xffffbc8cab133038)

ExceptionAddress: fffff8076a0f02ea (ucx01000!RootHub_USBDInterfaceV1Unregister+0x00000000000000fa)

ExceptionCode: c0000409 (Security check failure or stack buffer overrun)

ExceptionFlags: 00000001

NumberParameters: 1

Parameter[0]: 0000000000000003

Subcode: 0x3 FAST_FAIL_CORRUPT_LIST_ENTRY

BLACKBOXBSD: 1 (!blackboxbsd)

BLACKBOXNTFS: 1 (!blackboxntfs)

BLACKBOXPNP: 1 (!blackboxpnp)

BLACKBOXWINLOGON: 1

CUSTOMER_CRASH_COUNT: 1

PROCESS_NAME: System

ERROR_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.

EXCEPTION_CODE_STR: c0000409

EXCEPTION_PARAMETER1: 0000000000000003

EXCEPTION_STR: 0xc0000409

STACK_TEXT:

ffffbc8cab132db8 fffff8075a0468a9 : 0000000000000139 0000000000000003 ffffbc8cab1330e0 ffffbc8cab133038 : nt!KeBugCheckEx

ffffbc8cab132dc0 fffff8075a046e32 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : nt!KiBugCheckDispatch+0x69

ffffbc8cab132f00 fffff8075a044c06 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : nt!KiFastFailDispatch+0xb2

ffffbc8cab1330e0 fffff8076a0f02ea : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : nt!KiRaiseSecurityCheckFailure+0x346

ffffbc8cab133270 fffff8075f35d46d : ffff9304b0f46210 ffff9304967ae630 ffff9304967ae610 0000000000000005 : ucx01000!RootHub_USBDInterfaceV1Unregister+0xfa

ffffbc8cab1332b0 fffff8075f303f70 : ffff9304967ae610 0000000000000000 ffff9304b7b44348 0000000000000000 : Wdf01000!FxUsbDevice::Dispose+0x7d [minkernel\wdf\framework\shared\targets\usb\fxusbdevice.cpp @ 419]

ffffbc8cab1332e0 fffff8075f30341d : fffff807c133d4a0 0000000000000000 0000000000000000 ffff93048a29fda0 : Wdf01000!FxObject::DisposeChildrenWorker+0xa0 [minkernel\wdf\framework\shared\object\fxobjectstatemachine.cpp @ 1212]

ffffbc8cab133330 fffff8075f301d85 : ffff9304967ae610 ffff9304967ae600 ffff9304967ae658 ffff93049f27fa40 : Wdf01000!FxObject::PerformDisposingDisposeChildrenLocked+0x35 [minkernel\wdf\framework\shared\object\fxobjectstatemachine.cpp @ 846]

ffffbc8cab133360 fffff8075f303fc1 : ffff93049f27fa20 ffffcc8b0f600000 ffff9304967ae658 ffffbc8cab13341c : Wdf01000!FxObject::PerformEarlyDisposeWorkerAndUnlock+0x39 [minkernel\wdf\framework\shared\object\fxobjectstatemachine.cpp @ 926]

ffffbc8cab133390 fffff8075f30341d : fffff807c133d4a0 0000000000000000 0000000000000000 ffffbc8cab1333f0 : Wdf01000!FxObject::DisposeChildrenWorker+0xf1 [minkernel\wdf\framework\shared\object\fxobjectstatemachine.cpp @ 1191]

ffffbc8cab1333e0 fffff8075f301d85 : ffff93049f27fa20 ffff93049f27fa00 ffff93049f27fa68 ffff93049821b980 : Wdf01000!FxObject::PerformDisposingDisposeChildrenLocked+0x35 [minkernel\wdf\framework\shared\object\fxobjectstatemachine.cpp @ 846]

ffffbc8cab133410 fffff8075f303fc1 : ffff93049821b960 ffff93048a0fd000 ffff93049f27fa68 0000000000000000 : Wdf01000!FxObject::PerformEarlyDisposeWorkerAndUnlock+0x39 [minkernel\wdf\framework\shared\object\fxobjectstatemachine.cpp @ 926]

ffffbc8cab133440 fffff8075f3034a6 : fffff807c133d4a0 0000000000000000 0000000000000000 0000000000000000 : Wdf01000!FxObject::DisposeChildrenWorker+0xf1 [minkernel\wdf\framework\shared\object\fxobjectstatemachine.cpp @ 1191]

ffffbc8cab133490 fffff8075f303336 : ffff93049821b960 0000000000000000 ffffbc8cab1335c8 0000000000000000 : Wdf01000!FxObject::DeleteWorkerAndUnlock+0x46 [minkernel\wdf\framework\shared\object\fxobjectstatemachine.cpp @ 968]

ffffbc8cab1334c0 fffff8075f340029 : ffff93049c7b4dd0 ffff93049c7b4f90 0000000000000000 ffff93049f9592f0 : Wdf01000!FxObject::DeleteObject+0x76 [minkernel\wdf\framework\shared\object\fxobjectstatemachine.cpp @ 169]

ffffbc8cab1334f0 fffff8075f32c6e8 : 0000000000000000 ffff93049f959310 ffffcc8b0ff76260 fffff80759e21720 : Wdf01000!FxDriver::DeleteObject+0x9 [minkernel\wdf\framework\shared\inc\private\common\FxDriver.hpp @ 398]

ffffbc8cab133520 fffff8075f317859 : ffff93048a0d3640 fffff8075f3dc008 fffff8075f3dc000 ffff93048a29fda0 : Wdf01000!FxLibraryCommonUnregisterClient+0x98 [minkernel\wdf\framework\kmdf\src\librarycommon\fxlibrarycommon.cpp @ 649]

ffffbc8cab133550 fffff8075f3d85e4 : ffff93049f9592f0 0000000000000001 0000000000006ca8 ffff93049f9592f0 : Wdf01000!LibraryUnregisterClient+0x9 [minkernel\wdf\framework\kmdf\src\dynamic\version\version.cpp @ 555]

ffffbc8cab133580 fffff8075f3e0431 : ffff93049f959340 00000000fffffff7 ffffbc8cab133830 00000000c0000001 : WDFLDR!DereferenceVersion+0x48 [minkernel\wdf\framework\kmdf\src\dynamic\loader\wdfldr.cpp @ 1828]

ffffbc8cab1335e0 fffff807c13360c2 : ffff93049f959340 ffffbc8cab133830 0000000000000000 ffff10a41fc93185 : WDFLDR!WdfVersionUnbind+0x11 [minkernel\wdf\framework\kmdf\src\dynamic\loader\wdfldr.cpp @ 2088]

ffffbc8cab133640 ffff93049f959340 : ffffbc8cab133830 0000000000000000 ffff10a41fc93185 ffffbc8cab133810 : hyperxuac_ciiw+0x60c2

ffffbc8cab133648 ffffbc8cab133830 : 0000000000000000 ffff10a41fc93185 ffffbc8cab133810 fffff807c1336259 : 0xffff9304`9f959340

ffffbc8cab133650 0000000000000000 : ffff10a41fc93185 ffffbc8cab133810 fffff807c1336259 0000000000000000 : 0xffffbc8c`ab133830

FAULTING_SOURCE_LINE: minkernel\wdf\framework\kmdf\src\dynamic\loader\wdfldr.cpp

FAULTING_SOURCE_FILE: minkernel\wdf\framework\kmdf\src\dynamic\loader\wdfldr.cpp

FAULTING_SOURCE_LINE_NUMBER: 1828

SYMBOL_NAME: WDFLDR!DereferenceVersion+48

MODULE_NAME: WDFLDR

IMAGE_NAME: WDFLDR.SYS

IMAGE_VERSION: 1.33.22621.2134

STACK_COMMAND: .cxr; .ecxr ; kb

BUCKET_ID_FUNC_OFFSET: 48

FAILURE_BUCKET_ID: 0x139_3_CORRUPT_LIST_ENTRY_WDFLDR!DereferenceVersion

OS_VERSION: 10.0.22621.1928

BUILDLAB_STR: ni_release_svc_prod3

OSPLATFORM_TYPE: x64

OSNAME: Windows 10

FAILURE_ID_HASH: {05b3a41d-5f76-3f27-c187-97391536a12f}

Followup: MachineOwner


Locked Question. This question was migrated from the Microsoft Support Community. You can vote on whether it's helpful, but you can't add comments or replies or follow the question.

1 answer

  1. Anonymous
    2023-08-22T02:06:55+00:00

    Hi Kobie,

    Welcome to Microsoft Community.

    I'm Hahn and I'm here to help you with your concern.

    It looks like you've provided a crash dump analysis from a Windows system that encountered a KERNEL_SECURITY_CHECK_FAILURE (Bugcheck 0x139) error. This type of error typically occurs when a kernel component has corrupted a critical data structure, potentially allowing a malicious user to gain control of the system. In your specific case, the corruption seems to involve a LIST_ENTRY data structure.

    Here's a breakdown of the information you've provided:

    1. Bugcheck Code: 0x139 - KERNEL_SECURITY_CHECK_FAILURE
    2. Exception Information:
      • Arg1: 0x0000000000000003 - A LIST_ENTRY has been corrupted (double remove).
      • Arg2: 0xffffbc8cab1330e0 - Address of the trap frame for the exception.
      • Arg3: 0xffffbc8cab133038 - Address of the exception record.
      • Arg4: 0x0000000000000000 - Reserved
    3. Exception Details:
      • Exception Address: fffff8076a0f02ea (ucx01000!RootHub_USBDInterfaceV1Unregister+0xfa)
      • Exception Code: c0000409 - Security check failure or stack buffer overrun
      • Exception Parameter: 0x0000000000000003
    4. Stack Text: The stack text provides a trace of the program execution leading up to the crash. It shows the sequence of function calls and their memory addresses.
    5. Symbol Information:
      • Module Name: WDFLDR.SYS (WDF Loader)
      • Image Version: 1.33.22621.2134
    6. Faulting Source:
      • File: minkernel\wdf\framework\kmdf\src\dynamic\loader\wdfldr.cpp
      • Line Number: 1828
    7. Operating System Information:
      • OS Version: 10.0.22621.1928 (Windows 10)
      • Build Lab: ni_release_svc_prod3

    The crash appears to be related to the Windows Driver Framework Loader (WDFLDR.SYS) and the USB driver (ucx01000!RootHub_USBDInterfaceV1Unregister) used in the system. So, it seems like there was some kind of memory corruption or invalid pointer usage that caused a linked list data structure in the WDFLDR driver to become corrupted. This then triggered the kernel security check when it tried to traverse the list.

    To troubleshoot further, I would recommend checking the WDFLDR driver version and updating it if an update is available. Also check the system event logs for any prior errors related to WDFLDR or the USB drivers.

    • Update BIOS/chipset/USB drivers - outdated system drivers like the BIOS, chipset, or USB drivers can sometimes cause issues for Windows drivers. Updating these may help.

    Disclaimer: Microsoft provides no assurances and/or warranties, implied or otherwise, and is not responsible for the information you receive from the third-party linked sites or any support related to technology. If you are going to modify BIOS Settings, please back up all your personal files first to ensure you do not lose data.

    I hope this helps.  If there is anything not clear, please do not hesitate to let me know.

    Yours sincerely

    Hahn - MSFT | Microsoft Community Support Specialist

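
The dump above stops at `int 29h` with `rcx=3` (`FAST_FAIL_CORRUPT_LIST_ENTRY`), which is the outcome of a checked list unlink finding that an entry's neighbours no longer point back at it. The C program below is an added example, not part of the original thread and not Windows source code; the type and function names are hypothetical, and it returns `false` at the point where the kernel would fast-fail, showing why a second removal of the same entry is caught before the list is damaged.

```c
#include <stdbool.h>
#include <stddef.h>

/* Same shape as a Windows LIST_ENTRY: node of a circular doubly linked list. */
typedef struct list_entry {
    struct list_entry *flink;  /* forward link (next)      */
    struct list_entry *blink;  /* backward link (previous) */
} list_entry;

static void list_init(list_entry *head) { head->flink = head->blink = head; }

static void list_insert_tail(list_entry *head, list_entry *e) {
    e->flink = head;
    e->blink = head->blink;
    head->blink->flink = e;
    head->blink = e;
}

/* Checked unlink: both neighbours must still point back at the entry.
 * Returns false where the kernel would raise the fast-fail (assumption:
 * modelled as a return value so the result can be observed). */
static bool list_remove_checked(list_entry *e) {
    list_entry *next = e->flink;
    list_entry *prev = e->blink;
    if (next->blink != e || prev->flink != e)
        return false;              /* stale or corrupted links detected */
    prev->flink = next;
    next->blink = prev;
    return true;                   /* e keeps its old, now stale, links */
}

/* Constructed scenario: remove entry 'a' twice.
 * Bit 0: first removal succeeded, bit 1: second removal succeeded,
 * bit 2: the remaining list (head <-> b) is still consistent. */
int double_remove_demo(void) {
    list_entry head, a, b;
    list_init(&head);
    list_insert_tail(&head, &a);
    list_insert_tail(&head, &b);
    bool first  = list_remove_checked(&a);
    bool second = list_remove_checked(&a);  /* b.blink is head now, not a */
    bool intact = head.flink == &b && head.blink == &b &&
                  b.flink == &head && b.blink == &head;
    return (first ? 1 : 0) | (second ? 2 : 0) | (intact ? 4 : 0);
}

int main(void) { return double_remove_demo() == 5 ? 0 : 1; }
```

Without the check, the second unlink would write the entry's stale `flink`/`blink` values back into the live list.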