Recurring BSOD 0x139 KERNEL_SECURITY_CHECK_FAILURE in NETIO.SYS (bugcheck analyses within)

5

1

Problem description

  • I've been encountering some intermittent 0x139 KERNEL_SECURITY_CHECK_FAILURE blue screens with first parameter 0x3 on my Windows 8.1 laptop, once every 20 minutes to an hour. These crashes are happening in NETIO.SYS, at either the NsiEnumerateObjectsAllParametersEx or NsiGetParameterEx functions.

  • The system appears to be functioning properly in Safe Mode with Networking.

  • I have multiple crash dumps available for download here, as well as a complete memory dump of one crash kept internally for further analysis.

Analysis 1: NsiEnumerateObjectsAllParametersEx minidump

************* Symbol Path validation summary **************
Response                         Time (ms)     Location
Deferred                                       SRV*E:\sysdebug\debug-symbols*http://msdl.microsoft.com/download/symbols
Symbol search path is: SRV*E:\sysdebug\debug-symbols*http://msdl.microsoft.com/download/symbols
Executable search path is: 
Windows 8 Kernel Version 9600 MP (8 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 9600.17476.amd64fre.winblue_r5.141029-1500
Machine Name:
Kernel base = 0xfffff802`44e1f000 PsLoadedModuleList = 0xfffff802`450f8250
Debug session time: Fri Jan  2 16:52:43.919 2015 (UTC - 5:00)
System Uptime: 0 days 0:25:05.631
Loading Kernel Symbols
.

Press ctrl-c (cdb, kd, ntsd) or ctrl-break (windbg) to abort symbol loads that take too long.
Run !sym noisy before .reload to track down problems loading symbols.

..............................................................
................................................................
...........................................................
Loading User Symbols
Loading unloaded module list
.............
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 139, {3, ffffd000d8d4f1b0, ffffd000d8d4f108, 0}

Probably caused by : NETIO.SYS ( NETIO!NsiEnumerateObjectsAllParametersEx+20d )

Followup: MachineOwner
---------

1: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

KERNEL_SECURITY_CHECK_FAILURE (139)
A kernel component has corrupted a critical data structure.  The corruption
could potentially allow a malicious user to gain control of this machine.
Arguments:
Arg1: 0000000000000003, A LIST_ENTRY has been corrupted (i.e. double remove).
Arg2: ffffd000d8d4f1b0, Address of the trap frame for the exception that caused the bugcheck
Arg3: ffffd000d8d4f108, Address of the exception record for the exception that caused the bugcheck
Arg4: 0000000000000000, Reserved

Debugging Details:
------------------


DUMP_FILE_ATTRIBUTES: 0xc
  Insufficient Dumpfile Size
  Kernel Generated Triage Dump

TRAP_FRAME:  ffffd000d8d4f1b0 -- (.trap 0xffffd000d8d4f1b0)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=ffffe0019759fef0 rbx=0000000000000000 rcx=0000000000000003
rdx=ffffe00194b53ef0 rsi=0000000000000000 rdi=0000000000000000
rip=fffff80110e5f30d rsp=ffffd000d8d4f340 rbp=ffffe00194b5ea20
 r8=0000000000000000  r9=0000000000000002 r10=ffffe0019635db50
r11=ffffe00192d21fbc r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei pl nz na po nc
ndis!ndisNsiEnumerateAllInterfaceInformation+0x25c0d:
fffff801`10e5f30d cd29            int     29h
Resetting default scope

EXCEPTION_RECORD:  ffffd000d8d4f108 -- (.exr 0xffffd000d8d4f108)
ExceptionAddress: fffff80110e5f30d (ndis!ndisNsiEnumerateAllInterfaceInformation+0x0000000000025c0d)
   ExceptionCode: c0000409 (Security check failure or stack buffer overrun)
  ExceptionFlags: 00000001
NumberParameters: 1
   Parameter[0]: 0000000000000003

CUSTOMER_CRASH_COUNT:  1

DEFAULT_BUCKET_ID:  LIST_ENTRY_CORRUPT

BUGCHECK_STR:  0x139

PROCESS_NAME:  svchost.exe

CURRENT_IRQL:  2

ERROR_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.

EXCEPTION_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.

EXCEPTION_PARAMETER1:  0000000000000003

ANALYSIS_VERSION: 6.3.9600.17298 (debuggers(dbg).141024-1500) amd64fre

LAST_CONTROL_TRANSFER:  from fffff80244f7b5e9 to fffff80244f6faa0

STACK_TEXT:  
ffffd000`d8d4ee88 fffff802`44f7b5e9 : 00000000`00000139 00000000`00000003 ffffd000`d8d4f1b0 ffffd000`d8d4f108 : nt!KeBugCheckEx
ffffd000`d8d4ee90 fffff802`44f7b910 : ffff6bcf`07601f7c ffffd000`d8d4f278 ffffc001`d1bcd060 ffffe001`92d1c698 : nt!KiBugCheckDispatch+0x69
ffffd000`d8d4efd0 fffff802`44f7ab34 : 00000000`00000000 ffffe001`99965501 ffffd000`d8d4f3d4 00000000`00000000 : nt!KiFastFailDispatch+0xd0
ffffd000`d8d4f1b0 fffff801`10e5f30d : 00000000`ffffe001 00000000`00000000 ffffe001`94b5ea20 ffffe001`94b5eef0 : nt!KiRaiseSecurityCheckFailure+0xf4
ffffd000`d8d4f340 fffff801`10f4e308 : ffffd000`d8d4f580 00000000`00000000 ffffe001`92d1c002 00000000`00000008 : ndis!ndisNsiEnumerateAllInterfaceInformation+0x25c0d
ffffd000`d8d4f460 fffff801`11664fc1 : ffffe001`92d1c000 00000000`00000070 00000065`7450f270 ffffd000`d8d4f668 : NETIO!NsiEnumerateObjectsAllParametersEx+0x20d
ffffd000`d8d4f650 fffff801`11664bea : 00000000`00000000 ffffe001`99a432a0 ffffe001`99a431d0 00000000`00000000 : nsiproxy!NsippEnumerateObjectsAllParameters+0x201
ffffd000`d8d4f840 fffff802`452001ef : 00000000`00000000 ffffe001`99a431d0 ffffe001`99a431d0 00000000`00000001 : nsiproxy!NsippDispatch+0x5a
ffffd000`d8d4f880 fffff802`451ff78e : ffffd000`d8d4fa38 00000000`00000000 00000000`00000000 00000000`00000000 : nt!IopXxxControlFile+0xa4f
ffffd000`d8d4fa20 fffff802`44f7b2b3 : ffffe001`999a4080 fffff6fb`001f0003 00000065`7450f0e8 fffff680`00000001 : nt!NtDeviceIoControlFile+0x56
ffffd000`d8d4fa90 00007ffe`07350cba : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13
00000065`7450f168 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x00007ffe`07350cba


STACK_COMMAND:  kb

FOLLOWUP_IP: 
NETIO!NsiEnumerateObjectsAllParametersEx+20d
fffff801`10f4e308 8bd8            mov     ebx,eax

SYMBOL_STACK_INDEX:  5

SYMBOL_NAME:  NETIO!NsiEnumerateObjectsAllParametersEx+20d

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: NETIO

IMAGE_NAME:  NETIO.SYS

DEBUG_FLR_IMAGE_TIMESTAMP:  546029c5

IMAGE_VERSION:  6.3.9600.17485

BUCKET_ID_FUNC_OFFSET:  20d

FAILURE_BUCKET_ID:  0x139_3_NETIO!NsiEnumerateObjectsAllParametersEx

BUCKET_ID:  0x139_3_NETIO!NsiEnumerateObjectsAllParametersEx

ANALYSIS_SOURCE:  KM

FAILURE_ID_HASH_STRING:  km:0x139_3_netio!nsienumerateobjectsallparametersex

FAILURE_ID_HASH:  {647902b7-14c2-326a-6aea-d9b7b6d3d895}

Followup: MachineOwner
---------

Output from WhoCrashed Professional

Crash dump file:        E:\sysdebug\dumps\010215-8234-01.dmp
Date/time:              1/2/2015 4:20:01 PM GMT
Uptime:                 00:20:35
Machine:                DRAGON
Bug check name:         KERNEL_SECURITY_CHECK_FAILURE
Bug check code:         0x139
Bug check parm 1:       0x3
Bug check parm 2:       0xFFFFD0002E50A1B0
Bug check parm 3:       0xFFFFD0002E50A108
Bug check parm 4:       0x0
Probably caused by:     ndis.sys
Driver description:     Network Driver Interface Specification (NDIS)
Driver product:         Microsoft® Windows® Operating System
Driver company:         Microsoft Corporation
OS build:               Built by: 9600.17476.amd64fre.winblue_r5.141029-1500
Architecture:           x64 (64 bit)
CPU count:              8
Page size:              4096

Bug check description: 
The kernel has detected the corruption of a critical data structure.

Comments:

The crash took place in a standard Microsoft module. Your system configuration may be incorrect. Possibly this problem is caused by another driver on your system that cannot be identified at this time. 

Analysis 2: NsiGetParameterEx complete memory dump

************* Symbol Path validation summary **************
Response                         Time (ms)     Location
Deferred                                       SRV*E:\sysdebug\debug-symbols*http://msdl.microsoft.com/download/symbols

Loading Dump File [E:\sysdebug\MEMORY.DMP]
Kernel Bitmap Dump File: Full address space is available


************* Symbol Path validation summary **************
Response                         Time (ms)     Location
Deferred                                       SRV*E:\sysdebug\debug-symbols*http://msdl.microsoft.com/download/symbols
Symbol search path is: SRV*E:\sysdebug\debug-symbols*http://msdl.microsoft.com/download/symbols
Executable search path is: 
Windows 8 Kernel Version 9600 MP (8 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 9600.17476.amd64fre.winblue_r5.141029-1500
Machine Name:
Kernel base = 0xfffff801`dde72000 PsLoadedModuleList = 0xfffff801`de14b250
Debug session time: Fri Jan  2 17:17:38.437 2015 (UTC - 5:00)
System Uptime: 0 days 0:22:01.150
Loading Kernel Symbols
...............................................................
................................................................
...........................................................
Loading User Symbols
................................................................
...................................
Loading unloaded module list
..............................
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 139, {3, ffffd001cb3d0310, ffffd001cb3d0268, 0}

Probably caused by : NETIO.SYS ( NETIO!NsiGetParameterEx+222 )

Followup: MachineOwner
---------

0: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

KERNEL_SECURITY_CHECK_FAILURE (139)
A kernel component has corrupted a critical data structure.  The corruption
could potentially allow a malicious user to gain control of this machine.
Arguments:
Arg1: 0000000000000003, A LIST_ENTRY has been corrupted (i.e. double remove).
Arg2: ffffd001cb3d0310, Address of the trap frame for the exception that caused the bugcheck
Arg3: ffffd001cb3d0268, Address of the exception record for the exception that caused the bugcheck
Arg4: 0000000000000000, Reserved

Debugging Details:
------------------


TRAP_FRAME:  ffffd001cb3d0310 -- (.trap 0xffffd001cb3d0310)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=ffffe00059100980 rbx=0000000000000000 rcx=0000000000000003
rdx=ffffe00055dbbef0 rsi=0000000000000000 rdi=0000000000000000
rip=fffff80084085a29 rsp=ffffd001cb3d04a0 rbp=0000000000000000
 r8=0000000000000000  r9=0000000000000002 r10=ffffe000587d9040
r11=ffffe000591004b0 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei pl nz na pe nc
ndis!ndisNsiGetInterfaceInformation+0x22b49:
fffff800`84085a29 cd29            int     29h
Resetting default scope

EXCEPTION_RECORD:  ffffd001cb3d0268 -- (.exr 0xffffd001cb3d0268)
ExceptionAddress: fffff80084085a29 (ndis!ndisNsiGetInterfaceInformation+0x0000000000022b49)
   ExceptionCode: c0000409 (Security check failure or stack buffer overrun)
  ExceptionFlags: 00000001
NumberParameters: 1
   Parameter[0]: 0000000000000003

DEFAULT_BUCKET_ID:  LIST_ENTRY_CORRUPT

BUGCHECK_STR:  0x139

PROCESS_NAME:  svchost.exe

CURRENT_IRQL:  2

ERROR_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.

EXCEPTION_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.

EXCEPTION_PARAMETER1:  0000000000000003

ANALYSIS_VERSION: 6.3.9600.17298 (debuggers(dbg).141024-1500) amd64fre

LAST_CONTROL_TRANSFER:  from fffff801ddfce5e9 to fffff801ddfc2aa0

STACK_TEXT:  
ffffd001`cb3cffe8 fffff801`ddfce5e9 : 00000000`00000139 00000000`00000003 ffffd001`cb3d0310 ffffd001`cb3d0268 : nt!KeBugCheckEx
ffffd001`cb3cfff0 fffff801`ddfce910 : 00000000`00000000 ffffd001`00000001 ffffd001`cb3d01d8 00000000`00000000 : nt!KiBugCheckDispatch+0x69
ffffd001`cb3d0130 fffff801`ddfcdb34 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiFastFailDispatch+0xd0
ffffd001`cb3d0310 fffff800`84085a29 : 00000000`fffff801 00000000`00000000 ffffd001`cb3d0610 00000000`00000004 : nt!KiRaiseSecurityCheckFailure+0xf4
ffffd001`cb3d04a0 fffff800`8417b572 : ffffd001`cb3d0610 ffffe000`5d2f1602 ffffe000`5d2f1700 00000000`00000000 : ndis!ndisNsiGetInterfaceInformation+0x22b49
ffffd001`cb3d0550 fffff800`851cda25 : 00000000`00000050 00000000`00000050 ffffe000`55dc2010 00000000`00000000 : NETIO!NsiGetParameterEx+0x222
ffffd001`cb3d06b0 fffff800`851cdbe3 : 00000000`00000000 ffffe000`54a3c6b0 ffffe000`54a3c5e0 00000000`00000000 : nsiproxy!NsippGetParameter+0x195
ffffd001`cb3d0840 fffff801`de2531ef : 00000000`00000000 ffffe000`54a3c5e0 ffffe000`54a3c5e0 00000000`00000001 : nsiproxy!NsippDispatch+0x53
ffffd001`cb3d0880 fffff801`de25278e : ffffd001`cb3d0a38 00007fff`00000000 00000000`00000000 00000000`00000000 : nt!IopXxxControlFile+0xa4f
ffffd001`cb3d0a20 fffff801`ddfce2b3 : ffffe000`5a9ba080 000000d2`001f0003 000000d2`37e5ea98 fffff801`00000001 : nt!NtDeviceIoControlFile+0x56
ffffd001`cb3d0a90 00007fff`3ef90cba : 00007fff`3eef15f5 00000000`00000004 000000d2`37e5eba1 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13
000000d2`37e5eb18 00007fff`3eef15f5 : 00000000`00000004 000000d2`37e5eba1 00000000`00000000 00000000`00000000 : ntdll!NtDeviceIoControlFile+0xa
000000d2`37e5eb20 00007fff`3b245e0a : 00000000`00000001 000000d2`39ca0990 00000000`00000000 00000000`00000000 : NSI!NsiGetParameter+0xf5
000000d2`37e5ebe0 00007fff`3b245b86 : 00000000`00000001 00007fff`00000000 00000000`00000000 000000d2`37e5ecb0 : DNSAPI!IsInterfaceConnected+0x4e
000000d2`37e5ec40 00007fff`3b2464bf : 00000000`00000000 000000d2`00000007 00000000`00000000 000000d2`39c307f0 : DNSAPI!DnsUpdateMachinePresence+0x106
000000d2`37e5ed10 00007fff`3b24613d : 000000d2`3742eb50 000000d2`37e5f9a0 00000000`00000000 00000000`00000000 : DNSAPI!Query_InProcess+0xf9
000000d2`37e5ed40 00007fff`3b245fcc : 00000000`00000000 000000d2`37e5ee90 000000d2`39c307f0 000000d2`37e5fa18 : DNSAPI!InProc_InitiateQuery+0x15c
000000d2`37e5ed90 00007fff`3b243c3d : 00000000`00000000 00000008`00000002 00000000`00000000 00000000`00000001 : DNSAPI!Query_PrivateExW+0x961
000000d2`37e5f940 00007fff`3b244389 : 00003195`00000001 00001000`00440668 00000000`000000ff 000000d2`39c307f0 : DNSAPI!Query_Shim+0xd5
000000d2`37e5fa10 00007fff`34facfc4 : 00000000`00000010 000000d2`37e5f968 00000000`00000000 00000000`00010004 : DNSAPI!DnsQuery_W+0x39
000000d2`37e5fa60 00007fff`34fad037 : 000000d2`39c01f50 00000000`00000000 00000000`80000000 00000000`00000000 : dnsrslvr!Mcast_VerifyName+0x70
000000d2`37e5fab0 00007fff`34fad22e : 00000000`00000000 00007fff`34facf1e 00000000`00000000 00007fff`3c46158a : dnsrslvr!Mcast_VerifyEx+0x102
000000d2`37e5fd30 00007fff`34fad17b : 00000000`ffffffff 00000000`00000000 00000000`00000001 00000000`00000001 : dnsrslvr!Mcast_Verify+0x8e
000000d2`37e5fd80 00007fff`3edb13d2 : 00007fff`34faccc0 00000000`00000000 00000000`00000000 00000000`00000000 : dnsrslvr!Mcast_Thread+0x186
000000d2`37e5fdf0 00007fff`3ef703c4 : 00007fff`3edb13b0 00000000`00000000 00000000`00000000 00000000`00000000 : KERNEL32!BaseThreadInitThunk+0x22
000000d2`37e5fe20 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x34


STACK_COMMAND:  kb

FOLLOWUP_IP: 
NETIO!NsiGetParameterEx+222
fffff800`8417b572 8bd8            mov     ebx,eax

SYMBOL_STACK_INDEX:  5

SYMBOL_NAME:  NETIO!NsiGetParameterEx+222

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: NETIO

IMAGE_NAME:  NETIO.SYS

DEBUG_FLR_IMAGE_TIMESTAMP:  546029c5

BUCKET_ID_FUNC_OFFSET:  222

FAILURE_BUCKET_ID:  0x139_3_NETIO!NsiGetParameterEx

BUCKET_ID:  0x139_3_NETIO!NsiGetParameterEx

ANALYSIS_SOURCE:  KM

FAILURE_ID_HASH_STRING:  km:0x139_3_netio!nsigetparameterex

FAILURE_ID_HASH:  {863902cf-27d7-671f-3d7f-44a47e15711d}

Followup: MachineOwner
---------

Output from WhoCrashed Professional

Crash dump file:        E:\sysdebug\dumps\MEMORY.DMP
Date/time:              1/2/2015 10:17:38 PM GMT
Uptime:                 00:22:01
Machine:                DRAGON
Bug check name:         KERNEL_SECURITY_CHECK_FAILURE
Bug check code:         0x139
Bug check parm 1:       0x3
Bug check parm 2:       0xFFFFD001CB3D0310
Bug check parm 3:       0xFFFFD001CB3D0268
Bug check parm 4:       0x0
Probably caused by:     ntdll.sys
Driver description:     
Driver product:         
Driver company:         
OS build:               Built by: 9600.17476.amd64fre.winblue_r5.141029-1500
Architecture:           x64 (64 bit)
CPU count:              8
Page size:              4096

Bug check description: 
The kernel has detected the corruption of a critical data structure.

Comments:

A third party driver was identified as the probable root cause of this system error. It is suggested you look for an update for the following driver: ntdll.sys . 

bwDraco

Posted 2015-01-02T23:23:22.863

Reputation: 41 701
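
The check behind the int 29h fast fail with rcx=3 in the dumps above, as an added example (not code from the original post or from Windows): a simplified user-mode model of a LIST_ENTRY-style list whose remove routine verifies both neighbours before unlinking, so a double remove is detected instead of silently corrupting the list. All function names are hypothetical, and the model returns the fail code where the kernel would bugcheck.

```c
#include <stdio.h>

/* Simplified model of the Windows LIST_ENTRY: a circular doubly linked node. */
typedef struct list_entry {
    struct list_entry *flink;  /* forward link (next) */
    struct list_entry *blink;  /* backward link (previous) */
} list_entry;

/* The code seen in rcx and in Arg1 of the bugcheck on this page. */
#define FAST_FAIL_CORRUPT_LIST_ENTRY 3

static void list_init(list_entry *head) { head->flink = head->blink = head; }

/* Checked insert at the tail: the old tail must still point at the head. */
static int list_insert_tail(list_entry *head, list_entry *e) {
    list_entry *tail = head->blink;
    if (tail->flink != head) return FAST_FAIL_CORRUPT_LIST_ENTRY;
    e->flink = head; e->blink = tail;
    tail->flink = e;
    head->blink = e;
    return 0;
}

/* Checked remove: both neighbours must still point back at the entry.
   The kernel fast-fails (int 29h) here; this model returns the code. */
static int list_remove(list_entry *e) {
    list_entry *next = e->flink, *prev = e->blink;
    if (next->blink != e || prev->flink != e)
        return FAST_FAIL_CORRUPT_LIST_ENTRY;
    prev->flink = next;
    next->blink = prev;
    return 0;
}

static int list_length(const list_entry *head) {
    int n = 0;
    for (const list_entry *p = head->flink; p != head; p = p->flink) n++;
    return n;
}

/* Constructed scenario: entry b is removed twice, as two racing code paths
   or a stale pointer would do. Returns the status of the second removal. */
static int double_remove_demo(int *remaining) {
    list_entry head, a, b, c;
    list_init(&head);
    list_insert_tail(&head, &a);
    list_insert_tail(&head, &b);
    list_insert_tail(&head, &c);
    if (list_remove(&b) != 0) return -1;  /* first removal is legitimate */
    int status = list_remove(&b);          /* b's links are now stale */
    *remaining = list_length(&head);       /* list untouched by the failed call */
    return status;
}

int main(void) {
    int remaining = 0;
    int status = double_remove_demo(&remaining);
    printf("second remove -> %d, entries left: %d\n", status, remaining);
    return 0;
}
```

The second removal fails because b still points at a and c, while a and c already point at each other; that mismatch is the condition reported as "A LIST_ENTRY has been corrupted (i.e. double remove)".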

Your Realtek LAN driver Rt630x64.sys is old (from 2013). Make an update and also remove Norton Security and look if you still get crashes. – magicandre1981 – 2015-01-03T07:28:16.797

Already tried removing Norton Security. – bwDraco – 2015-01-03T11:37:58.853

Have you tried a newer driver? – magicandre1981 – 2015-01-03T17:46:38.230

I haven't updated the LAN driver. The WiFi driver was updated several times to no avail. – bwDraco – 2015-01-03T17:49:15.153

Answers

3

Looks like this is a bug in Windows 8.1/2012 R2. Microsoft fixed this issue via the Hotfix KB3055343.

Click on the Hotfix Download Available link, fill in your email address, request the fix via email and install it to solve the issue.

magicandre1981

Posted 2015-01-02T23:23:22.863

Reputation: 86 560

I seem to be having the same problem, identical dmp trace. – Iris Classon – 2015-04-30T13:07:05.237

@IrisClasson Hi Iris. Copy the Memory.dmp from C:\Windows to your desktop, zip the dmp, upload the zip to OneDrive and write a mail to the blog author (click on the "reach out" at the end of the blog) which includes the link to the dump. Maybe this helps Microsoft to fix the issue. – magicandre1981 – 2015-04-30T17:35:42.447

@IrisClasson Microsoft released a hotfix to solve the issue. I posted the steps to request the hotfix via email. – magicandre1981 – 2015-05-17T17:50:48.970

0

A repair-install (in-place upgrade to same version) solved the problem. I haven't had any more crashes of this sort since, although extensive work was needed to bring the system up to date again.

I was never able to determine the precise cause of the crashes.

bwDraco

Posted 2015-01-02T23:23:22.863

Reputation: 41 701