Windows 8 and 8.1 Forums


Windows 8.1 - kernel security check failure - BSOD

  1. #1


    Posts : 2
    Win 8.1



    I have been having a lot of blue screens on my laptop lately with a kernel security check failure error. BlueScreenView software says it is caused by ntoskrnl.exe.

    I am asking this question since I think I ran out of ideas - I have tried scanning Windows files with sfc /scannow, Malwarebytes, also cleaned files and registry with CCleaner and updated drivers with Driver Reviver. What I could not do is scan my PC for viruses with Avira - every time I have tried that, Windows crashed.

    What else could I try doing?

    Last edited by neutrino; 10 Jul 2015 at 18:57.


  2. #2


    Redmond
    Posts : 651
    Windows 8.1 x64


    This is LIST_ENTRY corruption - almost ALWAYS a driver (and given that the machine is querying interface information when the bugcheck occurs, that's about as smoking gun as you can get):
    Code:
    // First param is 3, or a double-free:
    2: kd> .bugcheck
    Bugcheck code 00000139
    Arguments 00000000`00000003 ffffd000`22031310 ffffd000`22031268 00000000`00000000
    
    // Check the trap and stack:
    2: kd> .trap 0xffffd00022031310
    NOTE: The trap frame does not contain all registers.
    Some register values may be zeroed or incorrect.
    rax=ffffe0004c9904e0 rbx=0000000000000000 rcx=0000000000000003
    rdx=ffffe0004adf64e0 rsi=0000000000000000 rdi=0000000000000000
    rip=fffff8010b0e4acd rsp=ffffd000220314a0 rbp=0000000000000000
     r8=0000000000000000  r9=0000000000000002 r10=ffffe0004c4052f0
    r11=ffffe0004c990010 r12=0000000000000000 r13=0000000000000000
    r14=0000000000000000 r15=0000000000000000
    iopl=0         nv up ei ng nz na pe cy
    ndis!ndisNsiGetInterfaceInformation+0x21b8d:
    fffff801`0b0e4acd cd29            int     29h
    
    // There's the smoking gun:
    2: kd> kn
      *** Stack trace for last set context - .thread/.cxr resets it
     # Child-SP          RetAddr           Call Site
    00 ffffd000`220314a0 fffff801`0ae0e572 ndis!ndisNsiGetInterfaceInformation+0x21b8d
    01 ffffd000`22031550 fffff801`0c168a25 NETIO!NsiGetParameterEx+0x222
    02 ffffd000`220316b0 fffff801`0c168be3 nsiproxy!NsippGetParameter+0x195
    03 ffffd000`22031840 fffff801`74ea577f nsiproxy!NsippDispatch+0x53
    04 ffffd000`22031880 fffff801`74ea4d22 nt!IopXxxControlFile+0xa4f
    05 ffffd000`22031a20 fffff801`74bdc4b3 nt!NtDeviceIoControlFile+0x56
    06 ffffd000`22031a90 00007ffd`879c123a nt!KiSystemServiceCopyEnd+0x13
    07 000000dd`7654e728 00000000`00000000 0x00007ffd`879c123a
    
    // Looks like you're up to date on nsiproxy and NETIO:
    2: kd> lmvm nsiproxy
    start             end                 module name
    fffff801`0c167000 fffff801`0c175000   nsiproxy   (pdb symbols)          C:\ProgramData\dbg\sym\nsiproxy.pdb\F642975D546440B4BA54F2A89C017E9B1\nsiproxy.pdb
        Loaded symbol image file: nsiproxy.sys
        Mapped memory image file: C:\ProgramData\dbg\sym\nsiproxy.sys\545054EBe000\nsiproxy.sys
        Image path: nsiproxy.sys
        Image name: nsiproxy.sys
        Timestamp:        Tue Oct 28 19:46:03 2014 (545054EB)
        CheckSum:         000147DD
        ImageSize:        0000E000
        File version:     6.3.9600.17415
        Product version:  6.3.9600.17415
        File flags:       0 (Mask 3F)
        File OS:          40004 NT Win32
        File type:        3.6 Driver
        File date:        00000000.00000000
        Translations:     0409.04b0
        CompanyName:      Microsoft Corporation
        ProductName:      Microsoft® Windows® Operating System
        InternalName:     nsiproxy.sys
        OriginalFilename: nsiproxy.sys
        ProductVersion:   6.3.9600.17415
        FileVersion:      6.3.9600.17415 (winblue_r4.141028-1500)
        FileDescription:  NSI Proxy
        LegalCopyright:   © Microsoft Corporation. All rights reserved.
    
    
    2: kd> lmvm NETIO
    start             end                 module name
    fffff801`0ae00000 fffff801`0ae78000   NETIO      (pdb symbols)          C:\ProgramData\dbg\sym\netio.pdb\873BD5E25CFD43A2A47494662C917A872\netio.pdb
        Loaded symbol image file: NETIO.SYS
        Mapped memory image file: C:\ProgramData\dbg\sym\NETIO.SYS\546029C578000\NETIO.SYS
        Image path: NETIO.SYS
        Image name: NETIO.SYS
        Timestamp:        Sun Nov 09 18:58:13 2014 (546029C5)
        CheckSum:         00076D9B
        ImageSize:        00078000
        File version:     6.3.9600.17485
        Product version:  6.3.9600.17485
        File flags:       0 (Mask 3F)
        File OS:          40004 NT Win32
        File type:        3.6 Driver
        File date:        00000000.00000000
        Translations:     0409.04b0
        CompanyName:      Microsoft Corporation
        ProductName:      Microsoft® Windows® Operating System
        InternalName:     netio.sys
        OriginalFilename: netio.sys
        ProductVersion:   6.3.9600.17485
        FileVersion:      6.3.9600.17485 (winblue_r5.141109-1500)
        FileDescription:  Network I/O Subsystem
        LegalCopyright:   © Microsoft Corporation. All rights reserved.
    
    // The only real explanation for this at this point in the stack is a driver has overrun into the LIST_ENTRY and corrupted the linked list:
    2: kd> !error 0xc0000409 
    Error code: (NTSTATUS) 0xc0000409 (3221226505) - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.
    
    // Validation that this is what happened:
    2: kd> .exr ffffd00022031268
    ExceptionAddress: fffff8010b0e4acd (ndis!ndisNsiGetInterfaceInformation+0x0000000000021b8d)
       ExceptionCode: c0000409 (Security check failure or stack buffer overrun)
      ExceptionFlags: 00000001
    NumberParameters: 1
       Parameter[0]: 0000000000000003
    
    
    // Your Atheros NIC driver is older:
    2: kd> lmvm L1C60x64
    start             end                 module name
    fffff801`0ce00000 fffff801`0ce20000   L1C60x64 T (no symbols)           
        Loaded symbol image file: L1C60x64.sys
        Image path: L1C60x64.sys
        Image name: L1C60x64.sys
        Timestamp:        Wed May 29 00:16:33 2013 (51A5AB51)
        CheckSum:         0002CD6A
        ImageSize:        00020000
        Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
    
    // Intel WiFi driver is older too:
    2: kd> lmvm NETwew00
    start             end                 module name
    fffff801`0d4a0000 fffff801`0d7e7000   NETwew00 T (no symbols)           
        Loaded symbol image file: NETwew00.sys
        Image path: NETwew00.sys
        Image name: NETwew00.sys
        Timestamp:        Tue Feb 25 05:04:56 2014 (530C94F8)
        CheckSum:         0033F502
        ImageSize:        00347000
        Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
    
    // You're running virtual networking via VMWare workstation or player too:
    2: kd> lmvm vmci; lmvm vsock; lmvm vmnetbridge; lmvm vmnetuserif
    start             end                 module name
    fffff801`0a8f1000 fffff801`0a90a000   vmci     T (no symbols)           
        Loaded symbol image file: vmci.sys
        Image path: vmci.sys
        Image name: vmci.sys
        Timestamp:        Fri May 17 18:19:18 2013 (5196D716)
        CheckSum:         0001AA2D
        ImageSize:        00019000
        Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
    start             end                 module name
    fffff801`0a90a000 fffff801`0a921000   vsock    T (no symbols)           
        Loaded symbol image file: vsock.sys
        Image path: vsock.sys
        Image name: vsock.sys
        Timestamp:        Sun Jun 29 17:37:03 2014 (53B0B12F)
        CheckSum:         0001CD66
        ImageSize:        00017000
        Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
    start             end                 module name
    fffff801`0d928000 fffff801`0d939000   vmnetbridge T (no symbols)           
        Loaded symbol image file: vmnetbridge.sys
        Image path: vmnetbridge.sys
        Image name: vmnetbridge.sys
        Timestamp:        Sun Jul 27 06:30:32 2014 (53D4FEF8)
        CheckSum:         00011919
        ImageSize:        00011000
        Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
    start             end                 module name
    fffff801`0e574000 fffff801`0e57e000   vmnetuserif T (no symbols)           
        Loaded symbol image file: vmnetuserif.sys
        Image path: vmnetuserif.sys
        Image name: vmnetuserif.sys
        Timestamp:        Thu Nov 20 16:59:48 2014 (546E8E84)
        CheckSum:         00015392
        ImageSize:        0000A000
        Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
    
    
    // And you've got the Avira network stack here too:
    2: kd> lmvm avnetflt
    start             end                 module name
    fffff801`0e1ec000 fffff801`0e1fa000   avnetflt T (no symbols)           
        Loaded symbol image file: avnetflt.sys
        Image path: avnetflt.sys
        Image name: avnetflt.sys
        Timestamp:        Thu Nov 20 09:54:02 2014 (546E2ABA)
        CheckSum:         00011251
        ImageSize:        0000E000
        Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
    I can't tell you which caused it, but... I'd start with the drivers for the physical devices in the system (Atheros/Intel NICs) and go from there.
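
An added example, not part of the thread or any participant's code: a user-space C model of the checked list unlink whose failure is reported as `int 29h` with code 3, as in the dump in post #2. The type and function names are hypothetical, and the corruption is constructed with valid but wrong pointers so the sample runs safely.

```c
#include <stdio.h>

/* Same two-pointer layout as the kernel's LIST_ENTRY (Flink/Blink). */
typedef struct list_entry { struct list_entry *flink, *blink; } list_entry;

/* Fail-fast code for a corrupt list entry: the 3 in rcx and in the
   first bugcheck 0x139 argument of the dump above. */
#define FAST_FAIL_CORRUPT_LIST_ENTRY 3

static void init_head(list_entry *h) { h->flink = h->blink = h; }

static void insert_tail(list_entry *h, list_entry *e) {
    e->flink = h;
    e->blink = h->blink;
    h->blink->flink = e;
    h->blink = e;
}

/* Checked unlink. Returns 0 on success; returns the fail-fast code at the
   point where the kernel would execute int 29h instead of continuing. */
static int checked_remove(list_entry *e) {
    list_entry *next = e->flink, *prev = e->blink;
    if (next->blink != e || prev->flink != e)
        return FAST_FAIL_CORRUPT_LIST_ENTRY;
    prev->flink = next;
    next->blink = prev;
    return 0;
}

/* Case 1: the same entry is unlinked twice. */
int demo_double_remove(void) {
    list_entry head, a, b;
    init_head(&head); insert_tail(&head, &a); insert_tail(&head, &b);
    if (checked_remove(&a) != 0) return -1;  /* first unlink is legitimate */
    return checked_remove(&a);               /* neighbours no longer point at a */
}

/* Case 2: a stray write from other code clobbers b's forward link (simulated
   by a direct assignment). The failure is reported in the later, innocent
   caller that unlinks b, not in the code that did the write. */
int demo_stray_write(void) {
    list_entry head, a, b, c;
    init_head(&head);
    insert_tail(&head, &a); insert_tail(&head, &b); insert_tail(&head, &c);
    b.flink = &a;                            /* constructed corruption */
    return checked_remove(&b);
}

int main(void) {
    printf("double remove: %d, stray write: %d\n",
           demo_double_remove(), demo_stray_write());
    return 0;
}
```

Both cases return 3 from the unlinking caller, which is why the faulting frame in a dump like this one names the component that touched the list last rather than the one that damaged it.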

  3. #3


    Posts : 2
    Win 8.1


    Thanks so much for suggesting VMWare. I have tried uninstalling its network adapter and obviously got a BSOD. Ran Windows in safe mode and managed to get rid of this, will mark solved if I do not get any further BSODs.
