Update: Analysis output from WinDbg
Microsoft (R) Windows Debugger Version 6.3.9600.17298 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [C:\Windows\MEMORY.DMP]
Kernel Bitmap Dump File: Only kernel address space is available
************* Symbol Path validation summary **************
Response Time (ms) Location
Deferred SRV*C:\Windows\symbol_cache*
http://msdl.microsoft.com/download/symbols
Symbol search path is: SRV*C:\Windows\symbol_cache*
http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows 8 Kernel Version 9600 MP (8 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 9600.17415.amd64fre.winblue_r4.141028-1500
Machine Name:
Kernel base = 0xfffff803`e3e07000 PsLoadedModuleList = 0xfffff803`e40e0250
Debug session time: Sun Nov 30 21:40:09.854 2014 (UTC - 5:00)
System Uptime: 0 days 4:45:14.501
Loading Kernel Symbols
...............................................................
................................................................
..................................
Loading User Symbols
Loading unloaded module list
..........
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck 139, {3, ffffd00092974680, ffffd000929745d8, 0}
Probably caused by : ntkrnlmp.exe ( nt!KiFastFailDispatch+d0 )
Followup: MachineOwner
---------
2: kd> analyze -v
Couldn't resolve error at 'nalyze -v'
2: kd> analyze -v
Couldn't resolve error at 'nalyze -v'
2: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
KERNEL_SECURITY_CHECK_FAILURE (139)
A kernel component has corrupted a critical data structure. The corruption
could potentially allow a malicious user to gain control of this machine.
Arguments:
Arg1: 0000000000000003, A LIST_ENTRY has been corrupted (i.e. double remove).
Arg2: ffffd00092974680, Address of the trap frame for the exception that caused the bugcheck
Arg3: ffffd000929745d8, Address of the exception record for the exception that caused the bugcheck
Arg4: 0000000000000000, Reserved
Debugging Details:
------------------
TRAP_FRAME: ffffd00092974680 -- (.trap 0xffffd00092974680)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=fffff803e46278b0 rbx=0000000000000000 rcx=0000000000000003
rdx=ffffe00079f58400 rsi=0000000000000000 rdi=0000000000000000
rip=fffff803e3f8f659 rsp=ffffd00092974810 rbp=ffffd00092974860
r8=fffff803e40e78b0 r9=fffff803e46278b0 r10=fffff803e40e78b0
r11=0000000000000001 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei pl nz na pe cy
nt! ?? ::FNODOBFM::`string'+0x277a9:
fffff803`e3f8f659 cd29 int 29h
Resetting default scope
EXCEPTION_RECORD: ffffd000929745d8 -- (.exr 0xffffd000929745d8)
ExceptionAddress: fffff803e3f8f659 (nt! ?? ::FNODOBFM::`string'+0x00000000000277a9)
ExceptionCode: c0000409 (Security check failure or stack buffer overrun)
ExceptionFlags: 00000001
NumberParameters: 1
Parameter[0]: 0000000000000003
DEFAULT_BUCKET_ID: LIST_ENTRY_CORRUPT
BUGCHECK_STR: 0x139
PROCESS_NAME: System
CURRENT_IRQL: 2
ERROR_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.
EXCEPTION_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.
EXCEPTION_PARAMETER1: 0000000000000003
ANALYSIS_VERSION: 6.3.9600.17298 (debuggers(dbg).141024-1500) amd64fre
DPC_STACK_BASE: FFFFD0009297BFB0
LAST_CONTROL_TRANSFER: from fffff803e3f634e9 to fffff803e3f579a0
STACK_TEXT:
ffffd000`92974358 fffff803`e3f634e9 : 00000000`00000139 00000000`00000003 ffffd000`92974680 ffffd000`929745d8 : nt!KeBugCheckEx
ffffd000`92974360 fffff803`e3f63810 : 00000000`000085b5 fffff800`3e71bdac ffffe000`7777b180 003158cd`00000001 : nt!KiBugCheckDispatch+0x69
ffffd000`929744a0 fffff803`e3f62a34 : ffffd000`92974698 00000000`00000002 fffffff6`00000008 00000001`ffffffff : nt!KiFastFailDispatch+0xd0
ffffd000`92974680 fffff803`e3f8f659 : ffffd000`92974b01 fffff803`e40c1660 00000000`00000000 fffff803`e3e30f45 : nt!KiRaiseSecurityCheckFailure+0xf4
ffffd000`92974810 fffff803`e3ed1cd0 : ffffd000`9294cf00 ffffd000`92974b60 fffff803`e40e7830 00000000`00000000 : nt! ?? ::FNODOBFM::`string'+0x277a9
ffffd000`92974890 fffff803`e3ed0f87 : 00000000`00000001 ffffd000`92974b40 ffffd000`9294a180 00000000`00000001 : nt!KiExecuteAllDpcs+0x1b0
ffffd000`929749e0 fffff803`e3f5b4ea : ffffd000`9294a180 ffffd000`9294a180 ffffd000`929563c0 ffffe000`7a7db880 : nt!KiRetireDpcList+0xd7
ffffd000`92974c60 00000000`00000000 : ffffd000`92975000 ffffd000`9296f000 00000000`00000000 00000000`00000000 : nt!KiIdleLoop+0x5a
STACK_COMMAND: kb
FOLLOWUP_IP:
nt!KiFastFailDispatch+d0
fffff803`e3f63810 c644242000 mov byte ptr [rsp+20h],0
SYMBOL_STACK_INDEX: 2
SYMBOL_NAME: nt!KiFastFailDispatch+d0
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: nt
IMAGE_NAME: ntkrnlmp.exe
DEBUG_FLR_IMAGE_TIMESTAMP: 54503718
BUCKET_ID_FUNC_OFFSET: d0
FAILURE_BUCKET_ID: 0x139_3_nt!KiFastFailDispatch
BUCKET_ID: 0x139_3_nt!KiFastFailDispatch
ANALYSIS_SOURCE: KM
FAILURE_ID_HASH_STRING: km:0x139_3_nt!kifastfaildispatch
FAILURE_ID_HASH: {36173680-6f08-995f-065a-3d368c996911}
Followup: MachineOwner
---------