
BSOD KERNEL_SECURITY_CHECK_FAILURE

Anonymous
2022-08-22T00:53:26+00:00

Hi Guys

I have a user getting a BSOD "BSOD KERNEL_SECURITY_CHECK_FAILURE" once or twice a week.

I managed to grab the minidump file and run it through the analysis tool below.

Am I right in assuming Teams is causing the BSOD?

Cheers

Adam

*****************************************************
*                                                   *
*                 Bugcheck Analysis                 *
*                                                   *
*****************************************************

KERNEL_SECURITY_CHECK_FAILURE (139)

A kernel component has corrupted a critical data structure. The corruption

could potentially allow a malicious user to gain control of this machine.

Arguments:

Arg1: 000000000000001d, An RTL_BALANCED_NODE RBTree entry has been corrupted.

Arg2: ffffa40d82f471c0, Address of the trap frame for the exception that caused the BugCheck

Arg3: ffffa40d82f47118, Address of the exception record for the exception that caused the BugCheck

Arg4: 0000000000000000, Reserved

Debugging Details:


KEY_VALUES_STRING: 1

Key  : Analysis.CPU.mSec
Value: 3624

Key  : Analysis.DebugAnalysisManager
Value: Create

Key  : Analysis.Elapsed.mSec
Value: 30901

Key  : Analysis.Init.CPU.mSec
Value: 3734

Key  : Analysis.Init.Elapsed.mSec
Value: 54424

Key  : Analysis.Memory.CommitPeak.Mb
Value: 101

Key  : FailFast.Name
Value: INVALID_BALANCED_TREE

Key  : FailFast.Type
Value: 29

Key  : WER.OS.Branch
Value: co_release

Key  : WER.OS.Timestamp
Value: 2021-06-04T16:28:00Z

Key  : WER.OS.Version
Value: 10.0.22000.1

FILE_IN_CAB: 082222-7703-01.dmp

BUGCHECK_CODE: 139

BUGCHECK_P1: 1d

BUGCHECK_P2: ffffa40d82f471c0

BUGCHECK_P3: ffffa40d82f47118

BUGCHECK_P4: 0

TRAP_FRAME: ffffa40d82f471c0 -- (.trap 0xffffa40d82f471c0)

NOTE: The trap frame does not contain all registers.

Some register values may be zeroed or incorrect.

rax=0000000000000000 rbx=0000000000000000 rcx=000000000000001d

rdx=ffff940fe9f27110 rsi=0000000000000000 rdi=0000000000000000

rip=fffff8002bc668bf rsp=ffffa40d82f47350 rbp=ffffd58ffc87b080

r8=ffff9400033236d0 r9=0000000000000000 r10=0000000000000000

r11=0000000000000000 r12=0000000000000000 r13=0000000000000000

r14=0000000000000000 r15=0000000000000000

iopl=0 nv up ei pl nz na po cy

nt!RtlAvlRemoveNode+0x23f05f:

fffff800`2bc668bf cd29 int 29h

Resetting default scope

EXCEPTION_RECORD: ffffa40d82f47118 -- (.exr 0xffffa40d82f47118)

ExceptionAddress: fffff8002bc668bf (nt!RtlAvlRemoveNode+0x000000000023f05f)

ExceptionCode: c0000409 (Security check failure or stack buffer overrun)

ExceptionFlags: 00000001

NumberParameters: 1

Parameter[0]: 000000000000001d

Subcode: 0x1d FAST_FAIL_INVALID_BALANCED_TREE

BLACKBOXBSD: 1 (!blackboxbsd)

BLACKBOXNTFS: 1 (!blackboxntfs)

BLACKBOXPNP: 1 (!blackboxpnp)

BLACKBOXWINLOGON: 1

CUSTOMER_CRASH_COUNT: 1

PROCESS_NAME: Teams.exe

ERROR_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.

EXCEPTION_CODE_STR: c0000409

EXCEPTION_PARAMETER1: 000000000000001d

EXCEPTION_STR: 0xc0000409

STACK_TEXT:

ffffa40d82f46e98 fffff8002bc2a9a9 : 0000000000000139 000000000000001d ffffa40d82f471c0 ffffa40d82f47118 : nt!KeBugCheckEx

ffffa40d82f46ea0 fffff8002bc2adf2 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : nt!KiBugCheckDispatch+0x69

ffffa40d82f46fe0 fffff8002bc290d2 : ffffbddeef77b028 ffffbddeef605578 0000000000000000 0000000000000000 : nt!KiFastFailDispatch+0xb2

ffffa40d82f471c0 fffff8002bc668bf : 0000000000000000 0000000000155fa0 0000000000155fa0 fffff8002ba7e491 : nt!KiRaiseSecurityCheckFailure+0x312

ffffa40d82f47350 fffff8002bee72b4 : ffffd58ffd5a4061 ffffd58ffc87b080 ffffd58ff113c6d0 ffff9400033236d0 : nt!RtlAvlRemoveNode+0x23f05f

ffffa40d82f473a0 fffff8002bee7325 : ffffd58ffc87b080 ffff94000aa8bee8 ffffd58ff113c6d0 ffffd58ffd5a4060 : nt!MiRemoveSharedCommitNode+0x1c4

ffffa40d82f47410 fffff8002be98bf0 : 000002abf4050000 ffff94000aa8bee8 0000000000000000 0000000000000000 : nt!MiRemoveSharedCommitNode+0x235

ffffa40d82f47480 fffff8002be7f589 : ffffd58004df1180 ffffd58ffd038360 ffffd58000000000 ffffd58ff113c750 : nt!MiDeleteVad+0x300

ffffa40d82f47540 fffff8002be7f117 : ffffd58ffd038360 ffffd58ffa6b9050 ffffd58ffc87b080 0000000000000000 : nt!MiUnmapVad+0x49

ffffa40d82f47570 fffff8002bee63f9 : ffffd58ffd039a80 ffffd58ffd039a80 ffffd58ffc87b080 ffffd58004df1180 : nt!MiCleanVad+0x2f

ffffa40d82f475a0 fffff8002bf0dbc3 : ffffffff00000000 ffffffffffffffff 0000000000000001 ffffd58004df1180 : nt!MmCleanProcessAddressSpace+0x10d

ffffa40d82f47620 fffff8002bf02d73 : ffffd58004df1180 ffff940009d0e060 ffffa40d82f47839 0000000000000000 : nt!PspRundownSingleProcess+0x207

ffffa40d82f476b0 fffff8002bfa5748 : ffff830000000000 fffff8002ba82a01 ffffd58f00000003 000000ea7e091000 : nt!PspExitThread+0x613

ffffa40d82f477a0 fffff8002bad031b : 0000000000000000 0000000040310088 0000000000000000 0000000000000000 : nt!KiSchedulerApcTerminate+0x38

ffffa40d82f477e0 fffff8002bc1cd50 : 00000000000002e4 ffffa40d82f478a0 0000000000000000 000002abf3ddffc0 : nt!KiDeliverApc+0x4db

ffffa40d82f478a0 fffff8002bc2a41f : ffffd58ffc87b080 0000000000000000 ffffa40d82f479f8 ffffffffec549980 : nt!KiInitiateUserApc+0x70

ffffa40d82f479e0 00007ffe992040b4 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : nt!KiSystemServiceExit+0x9f

000000ea007ff558 0000000000000000 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : 0x00007ffe`992040b4

SYMBOL_NAME: nt!KiFastFailDispatch+b2

MODULE_NAME: nt

IMAGE_NAME: ntkrnlmp.exe

IMAGE_VERSION: 10.0.22000.856

STACK_COMMAND: .cxr; .ecxr ; kb

BUCKET_ID_FUNC_OFFSET: b2

FAILURE_BUCKET_ID: 0x139_1d_INVALID_BALANCED_TREE_nt!KiFastFailDispatch

OS_VERSION: 10.0.22000.1

BUILDLAB_STR: co_release

OSPLATFORM_TYPE: x64

OSNAME: Windows 10

FAILURE_ID_HASH: {67ec97ad-ad0b-071e-ab87-6dc661e22d1b}

Followup: MachineOwner


Locked Question. This question was migrated from the Microsoft Support Community. You can vote on whether it's helpful, but you can't add comments or replies or follow the question.


3 answers

  1. Anonymous
    2022-08-22T19:02:36+00:00

    The minidump file still points to "ntkrnlmp.exe".

    I will now recommend that you run Driver Verifier to find any misbehaving, corrupted, or outdated driver.

    Follow the instructions from this article.

    https://www.tenforums.com/tutorials/5470-enable...

    Reminders:

    => Disable Driver Verifier after 48 hours or after receiving a BSOD.

    => Create a Restore Point before running Driver Verifier.

    Share the minidump file once you receive a BSOD error.


    Standard Disclaimer: There are links to non-Microsoft websites.

    The pages appear to be providing accurate, safe information. Watch out for ads on the sites that may advertise products frequently classified as a PUP (Potentially Unwanted Products). Thoroughly research any product advertised on the sites before you decide to download and install it.

  2. Anonymous
    2022-08-22T01:44:15+00:00

    Hey Paul

    Thanks for the quick reply - minidump uploaded here:-

    MS

    Cheers

    Adam

  3. Anonymous
    2022-08-22T01:29:02+00:00

    Hi AdsyD86,

    I'm Paul and I'm here to help you with your concern.

    The dump report didn't name any driver. It only indicated a system kernel driver "ntkrnlmp.exe". Since it's a system file it means something else drove it into a fault. It could be hardware, software, or driver.

    We need further analysis.

    Can you share other minidump files that I can also analyze?

    1. Open Windows File Explorer
    2. Go to C:\Windows\Minidump
    3. Zip those files
    4. Upload the zip file to the Cloud (OneDrive, DropBox . . . etc.).
    5. Then share the link here.

    Thanks.

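
Added example, not part of the original thread or any poster's code: a Python triage of the `!analyze -v` text from the question that lists which modules appear on the faulting stack, the check behind the answers' point that the report names only the kernel image. `PROCESS_NAME` is reported as the process context at the time of the bugcheck; the function name `triage` and the choice to treat `nt` and `hal` as core modules are assumptions of this sketch.

```python
import re

# Excerpt of the !analyze -v output posted in the question (stack shortened).
SAMPLE = """\
KERNEL_SECURITY_CHECK_FAILURE (139)
Arg1: 000000000000001d, An RTL_BALANCED_NODE RBTree entry has been corrupted.
PROCESS_NAME: Teams.exe
STACK_TEXT:
ffffa40d82f46e98 fffff8002bc2a9a9 : 0000000000000139 000000000000001d ffffa40d82f471c0 ffffa40d82f47118 : nt!KeBugCheckEx
ffffa40d82f47350 fffff8002bee72b4 : ffffd58ffd5a4061 ffffd58ffc87b080 ffffd58ff113c6d0 ffff9400033236d0 : nt!RtlAvlRemoveNode+0x23f05f
ffffa40d82f47480 fffff8002be7f589 : ffffd58004df1180 ffffd58ffd038360 ffffd58000000000 ffffd58ff113c750 : nt!MiDeleteVad+0x300
000000ea007ff558 0000000000000000 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : 0x00007ffe`992040b4
IMAGE_NAME: ntkrnlmp.exe
FAILURE_BUCKET_ID: 0x139_1d_INVALID_BALANCED_TREE_nt!KiFastFailDispatch
"""

CORE_MODULES = {"nt", "hal"}  # assumption: treated as Windows core, not third-party
# STACK_TEXT frame: child-sp, return address, four argument words, then the symbol.
FRAME = re.compile(r"^[0-9a-f`]+\s+[0-9a-f`]+\s+:(?:\s+[0-9a-f`]+){4}\s+:\s+(\S+)$", re.I)


def triage(report):
    """Summarise an !analyze -v text report and list non-core modules on the stack."""
    fields = dict(re.findall(r"^([A-Z_]+):[ \t]+(\S.*)$", report, re.M))
    code = re.search(r"^\w+ \(([0-9a-f]+)\)$", report, re.M | re.I)
    arg1 = re.search(r"^Arg1:\s+([0-9a-f]+)", report, re.M | re.I)
    modules = []
    for line in report.splitlines():
        frame = FRAME.match(line.strip())
        if frame and "!" in frame.group(1):  # skip frames with no module!symbol
            module = frame.group(1).split("!")[0]
            if module not in modules:
                modules.append(module)
    suspects = [m for m in modules if m.lower() not in CORE_MODULES]
    return {
        "bugcheck": int(code.group(1), 16) if code else None,
        "fast_fail": int(arg1.group(1), 16) if arg1 else None,
        "process_context": fields.get("PROCESS_NAME"),
        "bucket": fields.get("FAILURE_BUCKET_ID"),
        "stack_modules": modules,
        "suspect_drivers": suspects,
        "culprit_unidentified": not suspects,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

For the posted dump every symbolized frame is in `nt`, so the report by itself names no driver to act on.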