Kernel_security_check_failure

Question

Hi everyone,

I am stuck with a problem for a week and would really appreciate any help. I get the following error in the Event Viewer:

The computer has rebooted from a bugcheck. The bugcheck was: 0x00000139 (0x0000000000000003, 0xffffd9069ef8e790, 0xffffd9069ef8e6e8, 0x0000000000000000). A dump was saved in: C:\WINDOWS\MEMORY.DMP. Report Id: 4498bb86-6533-454e-9182-7f4a88300e80.

and a blue screen saying KERNEL_SECURITY_CHECK_FAILURE.

What I have done so far:

1. all Updates (version 21H2)
2. all drivers in device manager seem to be ok,... also checked with a third-party software
3. updated my BIOS from 2.0a to 3.4
4. Allowed for "complete memory dump" and turned off the "automatic restart" option in "Start-up and Recovery"
5. Run the Windows Memory Diagnostic Tool
6. Checked all hard discs on the pc
7. Reinstalled the graphic card drivers
8. did a sfc/scannnow check
9. did a DISM repair
10. run memtest86

11)...and some other things,

I am almost sure that some drivers are causing the problem, however, I did not install any new software, etc. and unfortunately can not see any hint in the dump file when I analyze it with the windows diagnostic tool.

I attached the last dump file and would appreciate it if somebody would check for the possible reason causing the failure:

051022-8265-01 - Copy.zip

Here is the result from WinDbg:

Microsoft (R) Windows Debugger Version 10.0.22549.1000 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.

Loading Dump File [C:\Users\aartinov\Desktop\051022-8265-01 - Copy.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

************* Path validation summary **************
Response                         Time (ms)     Location
Deferred                                       srv*
Symbol search path is: srv*
Executable search path is: 
Windows 10 Kernel Version 19041 MP (48 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Edition build lab: 19041.1.amd64fre.vb_release.191206-1406
Machine Name:
Kernel base = 0xfffff802`31600000 PsLoadedModuleList = 0xfffff802`3222a290
Debug session time: Tue May 10 14:58:07.458 2022 (UTC + 2:00)
System Uptime: 0 days 0:39:15.188
Loading Kernel Symbols
...............................................................
................................................................
................................................................
...................
Loading User Symbols
Loading unloaded module list
...........
For analysis of this file, run !analyze -v
nt!KeBugCheckEx:
fffff802`319f7d50 48894c2408      mov     qword ptr [rsp+8],rcx ss:0018:ffff8986`1000d3a0=0000000000000139
42: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

KERNEL_SECURITY_CHECK_FAILURE (139)
A kernel component has corrupted a critical data structure.  The corruption
could potentially allow a malicious user to gain control of this machine.
Arguments:
Arg1: 0000000000000003, A LIST_ENTRY has been corrupted (i.e. double remove).
Arg2: ffff89861000d6c0, Address of the trap frame for the exception that caused the BugCheck
Arg3: ffff89861000d618, Address of the exception record for the exception that caused the BugCheck
Arg4: 0000000000000000, Reserved

Debugging Details:
------------------

KEY_VALUES_STRING: 1

    Key  : Analysis.CPU.mSec
    Value: 9781

    Key  : Analysis.DebugAnalysisManager
    Value: Create

    Key  : Analysis.Elapsed.mSec
    Value: 11367

    Key  : Analysis.Init.CPU.mSec
    Value: 1296

    Key  : Analysis.Init.Elapsed.mSec
    Value: 19935

    Key  : Analysis.Memory.CommitPeak.Mb
    Value: 93

    Key  : FailFast.Name
    Value: CORRUPT_LIST_ENTRY

    Key  : FailFast.Type
    Value: 3

    Key  : WER.OS.Branch
    Value: vb_release

    Key  : WER.OS.Timestamp
    Value: 2019-12-06T14:06:00Z

    Key  : WER.OS.Version
    Value: 10.0.19041.1

FILE_IN_CAB:  051022-8265-01 - Copy.dmp

BUGCHECK_CODE:  139

BUGCHECK_P1: 3

BUGCHECK_P2: ffff89861000d6c0

BUGCHECK_P3: ffff89861000d618

BUGCHECK_P4: 0

TRAP_FRAME:  ffff89861000d6c0 -- (.trap 0xffff89861000d6c0)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=ffffac0bd73191a0 rbx=0000000000000000 rcx=0000000000000003
rdx=ffffac0bd74d01a0 rsi=0000000000000000 rdi=0000000000000000
rip=fffff80231a320d3 rsp=ffff89861000d850 rbp=000000057c197a6b
 r8=000000057c197a6b  r9=fffff80231600000 r10=fffff8022cc1eac0
r11=ffff89861000d900 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei ng nz na po cy
nt!KiInsertTimerTable+0x1dba63:
fffff802`31a320d3 cd29            int     29h
Resetting default scope

EXCEPTION_RECORD:  ffff89861000d618 -- (.exr 0xffff89861000d618)
ExceptionAddress: fffff80231a320d3 (nt!KiInsertTimerTable+0x00000000001dba63)
   ExceptionCode: c0000409 (Security check failure or stack buffer overrun)
  ExceptionFlags: 00000001
NumberParameters: 1
   Parameter[0]: 0000000000000003
Subcode: 0x3 FAST_FAIL_CORRUPT_LIST_ENTRY 

BLACKBOXBSD: 1 (!blackboxbsd)

BLACKBOXNTFS: 1 (!blackboxntfs)

BLACKBOXPNP: 1 (!blackboxpnp)

BLACKBOXWINLOGON: 1

PROCESS_NAME:  sntlsrtsrvr.exe

ERROR_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.

EXCEPTION_CODE_STR:  c0000409

EXCEPTION_PARAMETER1:  0000000000000003

EXCEPTION_STR:  0xc0000409

STACK_TEXT:  
ffff8986`1000d398 fffff802`31a09c69     : 00000000`00000139 00000000`00000003 ffff8986`1000d6c0 ffff8986`1000d618 : nt!KeBugCheckEx
ffff8986`1000d3a0 fffff802`31a0a090     : 00000000`00000000 ffffe681`3b65f180 00000000`00000000 00000000`00000006 : nt!KiBugCheckDispatch+0x69
ffff8986`1000d4e0 fffff802`31a08423     : ffffd8e3`f647f4da 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiFastFailDispatch+0xd0
ffff8986`1000d6c0 fffff802`31a320d3     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiRaiseSecurityCheckFailure+0x323
ffff8986`1000d850 fffff802`318549dd     : ffffac0b`d7319080 ffffac0b`d74ce1f0 00000000`00000000 ffffe681`3b71c100 : nt!KiInsertTimerTable+0x1dba63
ffff8986`1000d8d0 fffff802`31854013     : ffffac0b`00000006 fffff802`00000000 00000000`00000001 ffffac0b`d73191c0 : nt!KiCommitThreadWait+0x3bd
ffff8986`1000d970 fffff802`31c188e1     : ffffac0b`d4fa69a0 fffff802`00000006 00000000`00000001 00000000`00000000 : nt!KeWaitForSingleObject+0x233
ffff8986`1000da60 fffff802`31c1898a     : ffffac0b`d7319080 00000000`00000000 00000000`00000000 00000000`0647fed0 : nt!ObWaitForSingleObject+0x91
ffff8986`1000dac0 fffff802`31a096b8     : ffffac0b`d7319080 00000000`00000000 ffff8986`1000db18 ffffffff`ffb3b4c0 : nt!NtWaitForSingleObject+0x6a
ffff8986`1000db00 00000000`77541cfc     : 00000000`77541b5d 00000023`775c2bbc 00000000`00000023 00000000`00000202 : nt!KiSystemServiceCopyEnd+0x28
00000000`05aef308 00000000`77541b5d     : 00000023`775c2bbc 00000000`00000023 00000000`00000202 00000000`0647fff0 : 0x77541cfc
00000000`05aef310 00000023`775c2bbc     : 00000000`00000023 00000000`00000202 00000000`0647fff0 00000000`0000002b : 0x77541b5d
00000000`05aef318 00000000`00000023     : 00000000`00000202 00000000`0647fff0 00000000`0000002b 00000000`00000000 : 0x00000023`775c2bbc
00000000`05aef320 00000000`00000202     : 00000000`0647fff0 00000000`0000002b 00000000`00000000 00000000`00000000 : 0x23
00000000`05aef328 00000000`0647fff0     : 00000000`0000002b 00000000`00000000 00000000`00000000 00000000`004000e0 : 0x202
00000000`05aef330 00000000`0000002b     : 00000000`00000000 00000000`00000000 00000000`004000e0 00000000`00000000 : 0x647fff0
00000000`05aef338 00000000`00000000     : 00000000`00000000 00000000`004000e0 00000000`00000000 00007ffa`48c93c83 : 0x2b

SYMBOL_NAME:  nt!KiInsertTimerTable+1dba63

MODULE_NAME: nt

IMAGE_NAME:  ntkrnlmp.exe

IMAGE_VERSION:  10.0.19041.1682

STACK_COMMAND:  .cxr; .ecxr ; kb

BUCKET_ID_FUNC_OFFSET:  1dba63

FAILURE_BUCKET_ID:  0x139_3_CORRUPT_LIST_ENTRY_KTIMER_LIST_CORRUPTION_nt!KiInsertTimerTable

OS_VERSION:  10.0.19041.1

BUILDLAB_STR:  vb_release

OSPLATFORM_TYPE:  x64

OSNAME:  Windows 10

FAILURE_ID_HASH:  {f89e8bcc-9d62-a3aa-7602-6fa1ac774850}

Followup:     MachineOwner

Best regards,

Antoni Artinov

*** moved to english Community ***

Answer 1

Hi,

it's day number 8 of struggles and pain, so thanks for the help! Here you can find the V2 log:

ANTONIS-SUPERPC-(2022-05-12_13-01-59).zip

A short update since yesterday:

1. I deleted the last big Windows update 21H2
2. run chkdsk, scannow, etc. one more time
3. reinstalled the graphics driver
4. let the PC run in safe mode for 6 hours

After safe mode, I started the PC normally and got BSOD within 30 minutes again, this time again a

SYSTEM_SERVICE_EXCEPTION

According to "WhoCrashed":

This is a typical software problem. Most likely this is caused by a bug in a driver.

but "No offending third party drivers have been found" :(. At the same time, I see in device manager -> display adapters -> Microsoft basic display adapter that there is a problem with the driver. However, after updating it, the exclamation mark on the icon remains. Since I updated the BIOS and found out that the motherboard turns off the external PIC for the graphic card per default, I then chose an option in the BIOS for the external graphic card to be preferred, no idea if this could lead to some problems.

I will update the PC to the 21H2 Windows version. I also read that allowing the LAN devices to wake the computer could be a problem, so I disabled this option in device manager -> Network adapters -> Intel I210 Gigabit Network Connection -> Properties -> power management.

I will also run the Driver Verifier today and let the PC crash a couple of times, as suggested by @DaveM121 and upload the dump files again.

Appreciate your help!

Best,

Antoni

Answer 2

Hi Antoni

The new minidump files also just indicated RAM corruption.

To try to force Windows 10 show any faulting drivers, the best option would be to turn on Driver Verifier, let your PC crash 3 times, then you must turn off Driver Verifier, and finally, upload any newly created minidump files

https://answers.microsoft.com/en-us/windows/for...

Answer 3

Please run the V2 log collector and post a share link into this thread using one drive, drop box, or google drive.

https://www.tenforums.com/bsod-crashes-debugging/2198-bsod-posting-instructions.html

https://www.elevenforum.com/t/bsod-posting-instructions.103/

Answer 4

Hi Dave,

thank you for your help! I did some further testing yesterday and got two new bug codes:

051122-9046-01.dmp :

SYSTEM_SERVICE_EXCEPTION

and

051222-8328-01.dmp

CLOCK_WATCHDOG_TIMEOUT

the corresponding dump files can be found here:

dump

I found out yesterday, using third-party software called WhoCrashed, that a Realtek WLAN driver is causing the crashes. Funnily enough, I did not have such a driver, but a Bluetooth driver from Realtek. However, after deleting it, the problem remained under a different bug name. Note that after deleting the Realtek driver I got the SYSTEM_SERVICE_EXCEPTION. The other error, CLOCK_WATCHDOG_TIMEOUT, I got after deleting the driver and the last big Windows update from March - 21H2. Please also note that the errors occur randomly, but mostly within 3 to 5 hours.

Btw. I am wondering about the memory (RAM) corruption you mentioned since I run a 16 hours long memory test the day before using memtest86 and there was no problem with RAM.

I appreciate your help!

Best,

Antoni

Answer 5

Hi Antoni,

I am Dave, I will help you with this.

Your minidump file just indicates memory (RAM) corruption no specific driver is listed

Do you have any other minidump files you can upload for analysis?