BSOD DRIVER_OVERRAN_STACK_BUFFER when attaching to w3wp.exe process with VS2019

Elisabeth D 111 Reputation points
2021-08-12T20:16:38.343+00:00

Recently (as of 2 days ago), every time I try to attach to the IIS process w3wp.exe with Visual Studio 2019 (running on Windows 10), I get the blue screen of death with the DRIVER_OVERRAN_STACK_BUFFER error. Several other people at my organization have started to see the same behavior. I've installed all the latest Windows and Dell updates. The crash dump file contains the following information, but I haven't been able to track down the root cause.


Bugcheck Analysis

DRIVER_OVERRAN_STACK_BUFFER (f7)
A driver has overrun a stack-based buffer. This overrun could potentially
allow a malicious user to gain control of this machine.
DESCRIPTION
A driver overran a stack-based buffer (or local variable) in a way that would
have overwritten the function's return address and jumped back to an arbitrary
address when the function returned. This is the classic "buffer overrun"
hacking attack and the system has been brought down to prevent a malicious user
from gaining complete control of it.
Do a kb to get a stack backtrace -- the last routine on the stack before the
buffer overrun handlers and bugcheck call is the one that overran its local
variable(s).
Arguments:
Arg1: ff99f2e088c41aef, Actual security check cookie from the stack
Arg2: 0000f8016000f0a2, Expected security check cookie
Arg3: ffff07fe9fff0f5d, Complement of the expected security check cookie
Arg4: 0000000000000000, zero

Debugging Details:

BUGCHECK_CODE: f7
BUGCHECK_P1: ff99f2e088c41aef
BUGCHECK_P2: f8016000f0a2
BUGCHECK_P3: ffff07fe9fff0f5d
BUGCHECK_P4: 0
PROCESS_NAME: msvsmon.exe
SYMBOL_NAME: SysmonDrv+1056
MODULE_NAME: SysmonDrv
IMAGE_NAME: SysmonDrv.sys
FAILURE_BUCKET_ID: 0xF7_MISSING_GSFRAME_SysmonDrv!unknown_function
FAILURE_ID_HASH: {bfcd09b2-c8e3-6711-5ab4-bb081f1f34f2}
Followup: MachineOwner


Executable search path is:
Windows 10 Kernel Version 19041 MP (12 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 19041.1.amd64fre.vb_release.191206-1406
Machine Name:
Kernel base = 0xfffff8015ac00000 PsLoadedModuleList = 0xfffff8015b82a190
Debug session time: Thu Aug 12 10:49:11.047 2021 (UTC - 4:00)

Internet Information Services
Sysinternals
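
The bug check arguments in the dump above can be sanity-checked mechanically. The following Python is an added example, not part of the original post or of any Microsoft or Sysinternals tooling: it parses pasted `!analyze -v` text, confirms the report is bug check 0xF7, and checks that Arg1 differs from Arg2 and that Arg3 is the 64-bit complement of Arg2. The function name `triage_f7` is hypothetical, and the sample input is constructed from the fields quoted in the question.

```python
import re

# Constructed sample: the key fields from the !analyze -v text quoted in the question.
SAMPLE = """\
DRIVER_OVERRAN_STACK_BUFFER (f7)
Arg1: ff99f2e088c41aef, Actual security check cookie from the stack
Arg2: 0000f8016000f0a2, Expected security check cookie
Arg3: ffff07fe9fff0f5d, Complement of the expected security check cookie
Arg4: 0000000000000000, zero
PROCESS_NAME: msvsmon.exe
SYMBOL_NAME: SysmonDrv+1056
MODULE_NAME: SysmonDrv
IMAGE_NAME: SysmonDrv.sys
"""

MASK64 = (1 << 64) - 1
CODE_RE = re.compile(r"^[A-Z_]+ \(([0-9a-fA-F]+)\)\s*$", re.M)
ARG_RE = re.compile(r"^Arg([1-4]):\s*([0-9a-fA-F]+)", re.M)
FIELD_RE = re.compile(
    r"^(PROCESS_NAME|SYMBOL_NAME|MODULE_NAME|IMAGE_NAME):\s*(\S+)", re.M)


def triage_f7(text):
    """Parse pasted !analyze -v text and sanity-check a bug check 0xF7 report."""
    code = CODE_RE.search(text)
    if not code or int(code.group(1), 16) != 0xF7:
        raise ValueError("not a DRIVER_OVERRAN_STACK_BUFFER (0xF7) report")
    args = {int(n): int(v, 16) for n, v in ARG_RE.findall(text)}
    if set(args) != {1, 2, 3, 4}:
        raise ValueError("expected Arg1..Arg4 in the report")
    fields = dict(FIELD_RE.findall(text))
    actual, expected, complement = args[1], args[2], args[3]
    return {
        "process": fields.get("PROCESS_NAME"),    # process context at crash time
        "image": fields.get("IMAGE_NAME"),        # driver image blamed by the analyzer
        "symbol": fields.get("SYMBOL_NAME"),      # module+offset when no symbols resolve
        "cookie_mismatch": actual != expected,    # stack cookie was overwritten
        # Arg3 must equal ~Arg2; if not, the pasted report itself is damaged.
        "complement_consistent": complement == (~expected & MASK64),
    }


if __name__ == "__main__":
    for key, value in triage_f7(SAMPLE).items():
        print(f"{key}: {value}")
```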

4 additional answers

  1. Jonny Wiederholm 11 Reputation points
    2021-08-31T07:32:33.717+00:00

    We are experiencing the same issue with Sysmon 13.23 and 13.24 when using the debugger in Visual Studio 2019.
    Uninstalling sysmon is not an option in our case.

    2 people found this answer helpful.

  2. Sam Wu-MSFT 7,036 Reputation points Microsoft Vendor
    2021-08-13T02:23:39.487+00:00

    @Elisabeth D

    The DRIVER_OVERRAN_STACK_BUFFER bug check has a value of 0x000000F7. This indicates that a driver has overrun a stack-based buffer.

    A driver overran a stack-based buffer (or local variable) in a way that would have overwritten the function's return address and jumped back to an arbitrary address when the function returned.

    This is the classic "buffer overrun" hacking attack. The system has been brought down to prevent a malicious user from gaining complete control of it.

    Use the kb (Display Stack Backtrace) command to get a stack trace.

    The last routine on the stack before the buffer overrun handlers and bug check call is the one that overran its local variable.



  3. Penning, Nicholas 141 Reputation points
    2021-09-07T21:15:27.307+00:00

  4. Patrick, Keith 0 Reputation points
    2024-02-27T18:01:18.81+00:00

    I get this error every time I try to run the basic C# WPF template out of VS2022. .NET 4.8 or 4.7.x...doesn't matter. I don't even add a single line of code. BTW: My machine is an IT-managed system, so it is as up-to-date as my org allows.
