*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck F7, {2fff77e0c3af, 4c69d873d5cd, ffffb396278c2a32, 0}
Probably caused by : ntkrnlmp.exe ( nt!_report_gsfailure+25 )
Followup: MachineOwner
---------
2: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************
DRIVER_OVERRAN_STACK_BUFFER (f7)
A driver has overrun a stack-based buffer. This overrun could potentially
allow a malicious user to gain control of this machine.
DESCRIPTION
A driver overran a stack-based buffer (or local variable) in a way that would
have overwritten the function's return address and jumped back to an arbitrary
address when the function returned. This is the classic "buffer overrun"
hacking attack and the system has been brought down to prevent a malicious user
from gaining complete control of it.
Do a kb to get a stack backtrace -- the last routine on the stack before the
buffer overrun handlers and bugcheck call is the one that overran its local
variable(s).
Arguments:
Arg1: 00002fff77e0c3af, Actual security check cookie from the stack
Arg2: 00004c69d873d5cd, Expected security check cookie
Arg3: ffffb396278c2a32, Complement of the expected security check cookie
Arg4: 0000000000000000, zero
Debugging Details:
------------------
DEFAULT_BUCKET_ID: GS_FALSE_POSITIVE_MISSING_GSFRAME
SECURITY_COOKIE: Expected 00004c69d873d5cd found 00002fff77e0c3af
CUSTOMER_CRASH_COUNT: 1
BUGCHECK_STR: 0xF7
PROCESS_NAME: System
CURRENT_IRQL: 0
ANALYSIS_VERSION: 6.3.9600.16384 (debuggers(dbg).130821-1623) amd64fre
DPC_STACK_BASE: FFFFD000881FAFB0
LAST_CONTROL_TRANSFER: from fffff801cd048f25 to fffff801ccfdcfa0
STACK_TEXT:
ffffd000`881f3c08 fffff801`cd048f25 : 00000000`000000f7 00002fff`77e0c3af 00004c69`d873d5cd ffffb396`278c2a32 : nt!KeBugCheckEx
ffffd000`881f3c10 fffff801`ccf3f1c6 : ffffd000`881c9180 ffffd000`881f3c8c ffffd000`881f3c90 ffffd000`881f3c98 : nt!_report_gsfailure+0x25
ffffd000`881f3c50 fffff801`ccfe0abc : ffffd000`881c9180 ffffd000`881c9180 ffffd000`881d53c0 00000000`00000000 : nt!PoIdle+0x2b6
ffffd000`881f3da0 00000000`00000000 : ffffd000`881f4000 ffffd000`881ee000 00000000`00000000 00000000`00000000 : nt!KiIdleLoop+0x2c
STACK_COMMAND: kb
FOLLOWUP_IP:
nt!_report_gsfailure+25
fffff801`cd048f25 cc int 3
SYMBOL_STACK_INDEX: 1
SYMBOL_NAME: nt!_report_gsfailure+25
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: nt
IMAGE_NAME: ntkrnlmp.exe
DEBUG_FLR_IMAGE_TIMESTAMP: 53388e13
IMAGE_VERSION: 6.3.9600.17085
BUCKET_ID_FUNC_OFFSET: 25
FAILURE_BUCKET_ID: 0xF7_MISSING_GSFRAME_nt!_report_gsfailure
BUCKET_ID: 0xF7_MISSING_GSFRAME_nt!_report_gsfailure
ANALYSIS_SOURCE: KM
FAILURE_ID_HASH_STRING: km:0xf7_missing_gsframe_nt!_report_gsfailure
FAILURE_ID_HASH: {82d2c1b5-b0cb-60a5-9a5d-78c8c4284f84}
Followup: MachineOwner
---------