Recurring 0x139 KERNEL_SECURITY_CHECK_FAILURE BSOD in NETIO.SYS (bug check analyses inside)

5

Problem description

  • I have encountered several 0x139 KERNEL_SECURITY_CHECK_FAILURE blue screens with the first parameter 0x3 on my Windows 8.1 laptop, once every 20 minutes to an hour. These crashes are occurring in NETIO.SYS, in the functions NsiEnumerateObjectsAllParametersEx or NsiGetParameterEx.

  • The system appears to work correctly in Safe Mode with Networking.

  • I have several memory dumps available for download here, as well as a complete memory dump of a crash kept internally for further analysis.

Analysis 1: NsiEnumerateObjectsAllParametersEx minidump

************* Symbol Path validation summary **************
Response                         Time (ms)     Location
Deferred                                       SRV*E:\sysdebug\debug-symbols*http://msdl.microsoft.com/download/symbols
Symbol search path is: SRV*E:\sysdebug\debug-symbols*http://msdl.microsoft.com/download/symbols
Executable search path is: 
Windows 8 Kernel Version 9600 MP (8 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 9600.17476.amd64fre.winblue_r5.141029-1500
Machine Name:
Kernel base = 0xfffff802'44e1f000 PsLoadedModuleList = 0xfffff802'450f8250
Debug session time: Fri Jan  2 16:52:43.919 2015 (UTC - 5:00)
System Uptime: 0 days 0:25:05.631
Loading Kernel Symbols
.

Press ctrl-c (cdb, kd, ntsd) or ctrl-break (windbg) to abort symbol loads that take too long.
Run !sym noisy before .reload to track down problems loading symbols.

..............................................................
................................................................
...........................................................
Loading User Symbols
Loading unloaded module list
.............
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 139, {3, ffffd000d8d4f1b0, ffffd000d8d4f108, 0}

Probably caused by : NETIO.SYS ( NETIO!NsiEnumerateObjectsAllParametersEx+20d )

Followup: MachineOwner
---------

1: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

KERNEL_SECURITY_CHECK_FAILURE (139)
A kernel component has corrupted a critical data structure.  The corruption
could potentially allow a malicious user to gain control of this machine.
Arguments:
Arg1: 0000000000000003, A LIST_ENTRY has been corrupted (i.e. double remove).
Arg2: ffffd000d8d4f1b0, Address of the trap frame for the exception that caused the bugcheck
Arg3: ffffd000d8d4f108, Address of the exception record for the exception that caused the bugcheck
Arg4: 0000000000000000, Reserved

Debugging Details:
------------------


DUMP_FILE_ATTRIBUTES: 0xc
  Insufficient Dumpfile Size
  Kernel Generated Triage Dump

TRAP_FRAME:  ffffd000d8d4f1b0 -- (.trap 0xffffd000d8d4f1b0)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=ffffe0019759fef0 rbx=0000000000000000 rcx=0000000000000003
rdx=ffffe00194b53ef0 rsi=0000000000000000 rdi=0000000000000000
rip=fffff80110e5f30d rsp=ffffd000d8d4f340 rbp=ffffe00194b5ea20
 r8=0000000000000000  r9=0000000000000002 r10=ffffe0019635db50
r11=ffffe00192d21fbc r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei pl nz na po nc
ndis!ndisNsiEnumerateAllInterfaceInformation+0x25c0d:
fffff801'10e5f30d cd29            int     29h
Resetting default scope

EXCEPTION_RECORD:  ffffd000d8d4f108 -- (.exr 0xffffd000d8d4f108)
ExceptionAddress: fffff80110e5f30d (ndis!ndisNsiEnumerateAllInterfaceInformation+0x0000000000025c0d)
   ExceptionCode: c0000409 (Security check failure or stack buffer overrun)
  ExceptionFlags: 00000001
NumberParameters: 1
   Parameter[0]: 0000000000000003

CUSTOMER_CRASH_COUNT:  1

DEFAULT_BUCKET_ID:  LIST_ENTRY_CORRUPT

BUGCHECK_STR:  0x139

PROCESS_NAME:  svchost.exe

CURRENT_IRQL:  2

ERROR_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.

EXCEPTION_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.

EXCEPTION_PARAMETER1:  0000000000000003

ANALYSIS_VERSION: 6.3.9600.17298 (debuggers(dbg).141024-1500) amd64fre

LAST_CONTROL_TRANSFER:  from fffff80244f7b5e9 to fffff80244f6faa0

STACK_TEXT:  
ffffd000'd8d4ee88 fffff802'44f7b5e9 : 00000000'00000139 00000000'00000003 ffffd000'd8d4f1b0 ffffd000'd8d4f108 : nt!KeBugCheckEx
ffffd000'd8d4ee90 fffff802'44f7b910 : ffff6bcf'07601f7c ffffd000'd8d4f278 ffffc001'd1bcd060 ffffe001'92d1c698 : nt!KiBugCheckDispatch+0x69
ffffd000'd8d4efd0 fffff802'44f7ab34 : 00000000'00000000 ffffe001'99965501 ffffd000'd8d4f3d4 00000000'00000000 : nt!KiFastFailDispatch+0xd0
ffffd000'd8d4f1b0 fffff801'10e5f30d : 00000000'ffffe001 00000000'00000000 ffffe001'94b5ea20 ffffe001'94b5eef0 : nt!KiRaiseSecurityCheckFailure+0xf4
ffffd000'd8d4f340 fffff801'10f4e308 : ffffd000'd8d4f580 00000000'00000000 ffffe001'92d1c002 00000000'00000008 : ndis!ndisNsiEnumerateAllInterfaceInformation+0x25c0d
ffffd000'd8d4f460 fffff801'11664fc1 : ffffe001'92d1c000 00000000'00000070 00000065'7450f270 ffffd000'd8d4f668 : NETIO!NsiEnumerateObjectsAllParametersEx+0x20d
ffffd000'd8d4f650 fffff801'11664bea : 00000000'00000000 ffffe001'99a432a0 ffffe001'99a431d0 00000000'00000000 : nsiproxy!NsippEnumerateObjectsAllParameters+0x201
ffffd000'd8d4f840 fffff802'452001ef : 00000000'00000000 ffffe001'99a431d0 ffffe001'99a431d0 00000000'00000001 : nsiproxy!NsippDispatch+0x5a
ffffd000'd8d4f880 fffff802'451ff78e : ffffd000'd8d4fa38 00000000'00000000 00000000'00000000 00000000'00000000 : nt!IopXxxControlFile+0xa4f
ffffd000'd8d4fa20 fffff802'44f7b2b3 : ffffe001'999a4080 fffff6fb'001f0003 00000065'7450f0e8 fffff680'00000001 : nt!NtDeviceIoControlFile+0x56
ffffd000'd8d4fa90 00007ffe'07350cba : 00000000'00000000 00000000'00000000 00000000'00000000 00000000'00000000 : nt!KiSystemServiceCopyEnd+0x13
00000065'7450f168 00000000'00000000 : 00000000'00000000 00000000'00000000 00000000'00000000 00000000'00000000 : 0x00007ffe'07350cba


STACK_COMMAND:  kb

FOLLOWUP_IP: 
NETIO!NsiEnumerateObjectsAllParametersEx+20d
fffff801'10f4e308 8bd8            mov     ebx,eax

SYMBOL_STACK_INDEX:  5

SYMBOL_NAME:  NETIO!NsiEnumerateObjectsAllParametersEx+20d

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: NETIO

IMAGE_NAME:  NETIO.SYS

DEBUG_FLR_IMAGE_TIMESTAMP:  546029c5

IMAGE_VERSION:  6.3.9600.17485

BUCKET_ID_FUNC_OFFSET:  20d

FAILURE_BUCKET_ID:  0x139_3_NETIO!NsiEnumerateObjectsAllParametersEx

BUCKET_ID:  0x139_3_NETIO!NsiEnumerateObjectsAllParametersEx

ANALYSIS_SOURCE:  KM

FAILURE_ID_HASH_STRING:  km:0x139_3_netio!nsienumerateobjectsallparametersex

FAILURE_ID_HASH:  {647902b7-14c2-326a-6aea-d9b7b6d3d895}

Followup: MachineOwner
---------

WhoCrashed Professional output

Crash dump file:        E:\sysdebug\dumps0215-8234-01.dmp
Date/time:              1/2/2015 4:20:01 PM GMT
Uptime:                 00:20:35
Machine:                DRAGON
Bug check name:         KERNEL_SECURITY_CHECK_FAILURE
Bug check code:         0x139
Bug check parm 1:       0x3
Bug check parm 2:       0xFFFFD0002E50A1B0
Bug check parm 3:       0xFFFFD0002E50A108
Bug check parm 4:       0x0
Probably caused by:     ndis.sys
Driver description:     Network Driver Interface Specification (NDIS)
Driver product:         Microsoft® Windows® Operating System
Driver company:         Microsoft Corporation
OS build:               Built by: 9600.17476.amd64fre.winblue_r5.141029-1500
Architecture:           x64 (64 bit)
CPU count:              8
Page size:              4096

Bug check description: 
The kernel has detected the corruption of a critical data structure.

Comments:

The crash took place in a standard Microsoft module. Your system configuration may be incorrect. Possibly this problem is caused by another driver on your system that cannot be identified at this time. 

Analysis 2: NsiGetParameterEx complete memory dump

************* Symbol Path validation summary **************
Response                         Time (ms)     Location
Deferred                                       SRV*E:\sysdebug\debug-symbols*http://msdl.microsoft.com/download/symbols

Loading Dump File [E:\sysdebug\MEMORY.DMP]
Kernel Bitmap Dump File: Full address space is available


************* Symbol Path validation summary **************
Response                         Time (ms)     Location
Deferred                                       SRV*E:\sysdebug\debug-symbols*http://msdl.microsoft.com/download/symbols
Symbol search path is: SRV*E:\sysdebug\debug-symbols*http://msdl.microsoft.com/download/symbols
Executable search path is: 
Windows 8 Kernel Version 9600 MP (8 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 9600.17476.amd64fre.winblue_r5.141029-1500
Machine Name:
Kernel base = 0xfffff801'dde72000 PsLoadedModuleList = 0xfffff801'de14b250
Debug session time: Fri Jan  2 17:17:38.437 2015 (UTC - 5:00)
System Uptime: 0 days 0:22:01.150
Loading Kernel Symbols
...............................................................
................................................................
...........................................................
Loading User Symbols
................................................................
...................................
Loading unloaded module list
..............................
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 139, {3, ffffd001cb3d0310, ffffd001cb3d0268, 0}

Probably caused by : NETIO.SYS ( NETIO!NsiGetParameterEx+222 )

Followup: MachineOwner
---------

0: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

KERNEL_SECURITY_CHECK_FAILURE (139)
A kernel component has corrupted a critical data structure.  The corruption
could potentially allow a malicious user to gain control of this machine.
Arguments:
Arg1: 0000000000000003, A LIST_ENTRY has been corrupted (i.e. double remove).
Arg2: ffffd001cb3d0310, Address of the trap frame for the exception that caused the bugcheck
Arg3: ffffd001cb3d0268, Address of the exception record for the exception that caused the bugcheck
Arg4: 0000000000000000, Reserved

Debugging Details:
------------------


TRAP_FRAME:  ffffd001cb3d0310 -- (.trap 0xffffd001cb3d0310)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=ffffe00059100980 rbx=0000000000000000 rcx=0000000000000003
rdx=ffffe00055dbbef0 rsi=0000000000000000 rdi=0000000000000000
rip=fffff80084085a29 rsp=ffffd001cb3d04a0 rbp=0000000000000000
 r8=0000000000000000  r9=0000000000000002 r10=ffffe000587d9040
r11=ffffe000591004b0 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei pl nz na pe nc
ndis!ndisNsiGetInterfaceInformation+0x22b49:
fffff800'84085a29 cd29            int     29h
Resetting default scope

EXCEPTION_RECORD:  ffffd001cb3d0268 -- (.exr 0xffffd001cb3d0268)
ExceptionAddress: fffff80084085a29 (ndis!ndisNsiGetInterfaceInformation+0x0000000000022b49)
   ExceptionCode: c0000409 (Security check failure or stack buffer overrun)
  ExceptionFlags: 00000001
NumberParameters: 1
   Parameter[0]: 0000000000000003

DEFAULT_BUCKET_ID:  LIST_ENTRY_CORRUPT

BUGCHECK_STR:  0x139

PROCESS_NAME:  svchost.exe

CURRENT_IRQL:  2

ERROR_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.

EXCEPTION_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.

EXCEPTION_PARAMETER1:  0000000000000003

ANALYSIS_VERSION: 6.3.9600.17298 (debuggers(dbg).141024-1500) amd64fre

LAST_CONTROL_TRANSFER:  from fffff801ddfce5e9 to fffff801ddfc2aa0

STACK_TEXT:  
ffffd001'cb3cffe8 fffff801'ddfce5e9 : 00000000'00000139 00000000'00000003 ffffd001'cb3d0310 ffffd001'cb3d0268 : nt!KeBugCheckEx
ffffd001'cb3cfff0 fffff801'ddfce910 : 00000000'00000000 ffffd001'00000001 ffffd001'cb3d01d8 00000000'00000000 : nt!KiBugCheckDispatch+0x69
ffffd001'cb3d0130 fffff801'ddfcdb34 : 00000000'00000000 00000000'00000000 00000000'00000000 00000000'00000000 : nt!KiFastFailDispatch+0xd0
ffffd001'cb3d0310 fffff800'84085a29 : 00000000'fffff801 00000000'00000000 ffffd001'cb3d0610 00000000'00000004 : nt!KiRaiseSecurityCheckFailure+0xf4
ffffd001'cb3d04a0 fffff800'8417b572 : ffffd001'cb3d0610 ffffe000'5d2f1602 ffffe000'5d2f1700 00000000'00000000 : ndis!ndisNsiGetInterfaceInformation+0x22b49
ffffd001'cb3d0550 fffff800'851cda25 : 00000000'00000050 00000000'00000050 ffffe000'55dc2010 00000000'00000000 : NETIO!NsiGetParameterEx+0x222
ffffd001'cb3d06b0 fffff800'851cdbe3 : 00000000'00000000 ffffe000'54a3c6b0 ffffe000'54a3c5e0 00000000'00000000 : nsiproxy!NsippGetParameter+0x195
ffffd001'cb3d0840 fffff801'de2531ef : 00000000'00000000 ffffe000'54a3c5e0 ffffe000'54a3c5e0 00000000'00000001 : nsiproxy!NsippDispatch+0x53
ffffd001'cb3d0880 fffff801'de25278e : ffffd001'cb3d0a38 00007fff'00000000 00000000'00000000 00000000'00000000 : nt!IopXxxControlFile+0xa4f
ffffd001'cb3d0a20 fffff801'ddfce2b3 : ffffe000'5a9ba080 000000d2'001f0003 000000d2'37e5ea98 fffff801'00000001 : nt!NtDeviceIoControlFile+0x56
ffffd001'cb3d0a90 00007fff'3ef90cba : 00007fff'3eef15f5 00000000'00000004 000000d2'37e5eba1 00000000'00000000 : nt!KiSystemServiceCopyEnd+0x13
000000d2'37e5eb18 00007fff'3eef15f5 : 00000000'00000004 000000d2'37e5eba1 00000000'00000000 00000000'00000000 : ntdll!NtDeviceIoControlFile+0xa
000000d2'37e5eb20 00007fff'3b245e0a : 00000000'00000001 000000d2'39ca0990 00000000'00000000 00000000'00000000 : NSI!NsiGetParameter+0xf5
000000d2'37e5ebe0 00007fff'3b245b86 : 00000000'00000001 00007fff'00000000 00000000'00000000 000000d2'37e5ecb0 : DNSAPI!IsInterfaceConnected+0x4e
000000d2'37e5ec40 00007fff'3b2464bf : 00000000'00000000 000000d2'00000007 00000000'00000000 000000d2'39c307f0 : DNSAPI!DnsUpdateMachinePresence+0x106
000000d2'37e5ed10 00007fff'3b24613d : 000000d2'3742eb50 000000d2'37e5f9a0 00000000'00000000 00000000'00000000 : DNSAPI!Query_InProcess+0xf9
000000d2'37e5ed40 00007fff'3b245fcc : 00000000'00000000 000000d2'37e5ee90 000000d2'39c307f0 000000d2'37e5fa18 : DNSAPI!InProc_InitiateQuery+0x15c
000000d2'37e5ed90 00007fff'3b243c3d : 00000000'00000000 00000008'00000002 00000000'00000000 00000000'00000001 : DNSAPI!Query_PrivateExW+0x961
000000d2'37e5f940 00007fff'3b244389 : 00003195'00000001 00001000'00440668 00000000'000000ff 000000d2'39c307f0 : DNSAPI!Query_Shim+0xd5
000000d2'37e5fa10 00007fff'34facfc4 : 00000000'00000010 000000d2'37e5f968 00000000'00000000 00000000'00010004 : DNSAPI!DnsQuery_W+0x39
000000d2'37e5fa60 00007fff'34fad037 : 000000d2'39c01f50 00000000'00000000 00000000'80000000 00000000'00000000 : dnsrslvr!Mcast_VerifyName+0x70
000000d2'37e5fab0 00007fff'34fad22e : 00000000'00000000 00007fff'34facf1e 00000000'00000000 00007fff'3c46158a : dnsrslvr!Mcast_VerifyEx+0x102
000000d2'37e5fd30 00007fff'34fad17b : 00000000'ffffffff 00000000'00000000 00000000'00000001 00000000'00000001 : dnsrslvr!Mcast_Verify+0x8e
000000d2'37e5fd80 00007fff'3edb13d2 : 00007fff'34faccc0 00000000'00000000 00000000'00000000 00000000'00000000 : dnsrslvr!Mcast_Thread+0x186
000000d2'37e5fdf0 00007fff'3ef703c4 : 00007fff'3edb13b0 00000000'00000000 00000000'00000000 00000000'00000000 : KERNEL32!BaseThreadInitThunk+0x22
000000d2'37e5fe20 00000000'00000000 : 00000000'00000000 00000000'00000000 00000000'00000000 00000000'00000000 : ntdll!RtlUserThreadStart+0x34


STACK_COMMAND:  kb

FOLLOWUP_IP: 
NETIO!NsiGetParameterEx+222
fffff800'8417b572 8bd8            mov     ebx,eax

SYMBOL_STACK_INDEX:  5

SYMBOL_NAME:  NETIO!NsiGetParameterEx+222

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: NETIO

IMAGE_NAME:  NETIO.SYS

DEBUG_FLR_IMAGE_TIMESTAMP:  546029c5

BUCKET_ID_FUNC_OFFSET:  222

FAILURE_BUCKET_ID:  0x139_3_NETIO!NsiGetParameterEx

BUCKET_ID:  0x139_3_NETIO!NsiGetParameterEx

ANALYSIS_SOURCE:  KM

FAILURE_ID_HASH_STRING:  km:0x139_3_netio!nsigetparameterex

FAILURE_ID_HASH:  {863902cf-27d7-671f-3d7f-44a47e15711d}

Followup: MachineOwner
---------

WhoCrashed Professional output

Crash dump file:        E:\sysdebug\dumps\MEMORY.DMP
Date/time:              1/2/2015 10:17:38 PM GMT
Uptime:                 00:22:01
Machine:                DRAGON
Bug check name:         KERNEL_SECURITY_CHECK_FAILURE
Bug check code:         0x139
Bug check parm 1:       0x3
Bug check parm 2:       0xFFFFD001CB3D0310
Bug check parm 3:       0xFFFFD001CB3D0268
Bug check parm 4:       0x0
Probably caused by:     ntdll.sys
Driver description:     
Driver product:         
Driver company:         
OS build:               Built by: 9600.17476.amd64fre.winblue_r5.141029-1500
Architecture:           x64 (64 bit)
CPU count:              8
Page size:              4096

Bug check description: 
The kernel has detected the corruption of a critical data structure.

Comments:

A third party driver was identified as the probable root cause of this system error. It is suggested you look for an update for the following driver: ntdll.sys . 
    
by bwDraco 03.01.2015 / 00:23
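
Both dumps above stop at `int 29h` with rcx=3 and report Arg1 = 3 (a LIST_ENTRY has been corrupted, i.e. double remove). As an added illustration (not code from the original post and not the ndis.sys source), this user-mode C program reproduces the link-consistency check performed when an entry is unlinked and shows why a second removal of the same entry yields fast-fail code 3; the type and function names are hypothetical.

```c
#include <stdio.h>

/* Same shape as the kernel's LIST_ENTRY: a node of a circular doubly linked list. */
typedef struct list_entry {
    struct list_entry *flink;   /* forward link (next)      */
    struct list_entry *blink;   /* backward link (previous) */
} list_entry;

/* Fast-fail code for a corrupt list entry; it is the value seen as Arg1 = 3. */
#define FAST_FAIL_CORRUPT_LIST_ENTRY 3

static void list_init(list_entry *head) { head->flink = head->blink = head; }

static void list_insert_tail(list_entry *head, list_entry *e)
{
    e->flink = head;
    e->blink = head->blink;
    head->blink->flink = e;
    head->blink = e;
}

/* Checked unlink: both neighbours must still point back at the entry.
 * Returns 0 on success, or the fast-fail code at the point where the
 * kernel would execute int 29h and bug check with 0x139. */
static int list_remove_checked(list_entry *e)
{
    list_entry *next = e->flink, *prev = e->blink;
    if (next->blink != e || prev->flink != e)
        return FAST_FAIL_CORRUPT_LIST_ENTRY;
    prev->flink = next;
    next->blink = prev;
    return 0;
}

static int list_length(const list_entry *head)
{
    int n = 0;
    for (const list_entry *p = head->flink; p != head; p = p->flink) n++;
    return n;
}

/* Constructed scenario: two code paths both unlink entry b.
 * Returns the result of the second removal; *len gets the final list length. */
static int run_double_remove(int *len)
{
    list_entry head, a, b, c;
    list_init(&head);
    list_insert_tail(&head, &a);
    list_insert_tail(&head, &b);
    list_insert_tail(&head, &c);
    int first = list_remove_checked(&b);   /* legitimate removal */
    /* b keeps stale pointers to a and c, but a and c now point at each other. */
    int second = list_remove_checked(&b);  /* the double remove */
    *len = list_length(&head);
    return first == 0 ? second : -1;
}

int double_remove_code(void) { int len; return run_double_remove(&len); }
int length_after_double_remove(void) { int len; run_double_remove(&len); return len; }

int main(void)
{
    printf("second removal -> fast-fail code %d, list length still %d\n",
           double_remove_code(), length_after_double_remove());
    return 0;
}
```

The check fires in whichever code performs the second unlink, which is why the faulting frame is in ndis while the cause may be any component that touched the same list earlier.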

2 answers

3

It looks like this is a bug in Windows 8.1 / 2012 R2. Microsoft fixed this issue through Hotfix KB3055343.

Click the Hotfix Download Available link, fill in your e-mail address, request the fix by e-mail, and install it to resolve the issue.

    
by 25.03.2015 / 18:48
0

A repair install (in-place upgrade to the same version) resolved the problem. I have not had any more crashes of this type since then, although extensive work was required to update the system again.

I was never able to determine the precise cause of the crashes.

    
by 03.01.2015 / 18:51