Solved Windows 8.1 - kernel security check failure - BSOD

neutrino

I have been having a lot of blue screens on my laptop lately with a kernel security check failure error. BlueScreenView software says it is caused by ntoskrnl.exe.

I am asking this question since I think I ran out of ideas - I have tried scanning Windows files with sfc /scannow, Malwarebytes, also cleaned files and registry with CCleaner and updated drivers with Driver Reviver. What I could not do is scan my PC for viruses with Avira - every time I have tried that, Windows crashed.

What else could I try doing?

 

My Computer

System One

  • OS
    Win 8.1
This is LIST_ENTRY corruption - almost ALWAYS a driver (and given that the machine is querying interface information when the bugcheck occurs, that's about as smoking gun as you can get):
Code:
// First param is 3, or a double-free:
2: kd> .bugcheck
Bugcheck code 00000139
Arguments 00000000`00000003 ffffd000`22031310 ffffd000`22031268 00000000`00000000

// Check the trap and stack:
2: kd> .trap 0xffffd00022031310
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=ffffe0004c9904e0 rbx=0000000000000000 rcx=0000000000000003
rdx=ffffe0004adf64e0 rsi=0000000000000000 rdi=0000000000000000
rip=fffff8010b0e4acd rsp=ffffd000220314a0 rbp=0000000000000000
 r8=0000000000000000  r9=0000000000000002 r10=ffffe0004c4052f0
r11=ffffe0004c990010 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei ng nz na pe cy
ndis!ndisNsiGetInterfaceInformation+0x21b8d:
fffff801`0b0e4acd cd29            int     29h

// There's the smoking gun:
2: kd> kn
  *** Stack trace for last set context - .thread/.cxr resets it
 # Child-SP          RetAddr           Call Site
00 ffffd000`220314a0 fffff801`0ae0e572 ndis!ndisNsiGetInterfaceInformation+0x21b8d
01 ffffd000`22031550 fffff801`0c168a25 NETIO!NsiGetParameterEx+0x222
02 ffffd000`220316b0 fffff801`0c168be3 nsiproxy!NsippGetParameter+0x195
03 ffffd000`22031840 fffff801`74ea577f nsiproxy!NsippDispatch+0x53
04 ffffd000`22031880 fffff801`74ea4d22 nt!IopXxxControlFile+0xa4f
05 ffffd000`22031a20 fffff801`74bdc4b3 nt!NtDeviceIoControlFile+0x56
06 ffffd000`22031a90 00007ffd`879c123a nt!KiSystemServiceCopyEnd+0x13
07 000000dd`7654e728 00000000`00000000 0x00007ffd`879c123a

// Looks like you're up to date on nsiproxy and NETIO:
2: kd> lmvm nsiproxy
start             end                 module name
fffff801`0c167000 fffff801`0c175000   nsiproxy   (pdb symbols)          C:\ProgramData\dbg\sym\nsiproxy.pdb\F642975D546440B4BA54F2A89C017E9B1\nsiproxy.pdb
    Loaded symbol image file: nsiproxy.sys
    Mapped memory image file: C:\ProgramData\dbg\sym\nsiproxy.sys\545054EBe000\nsiproxy.sys
    Image path: nsiproxy.sys
    Image name: nsiproxy.sys
    Timestamp:        Tue Oct 28 19:46:03 2014 (545054EB)
    CheckSum:         000147DD
    ImageSize:        0000E000
    File version:     6.3.9600.17415
    Product version:  6.3.9600.17415
    File flags:       0 (Mask 3F)
    File OS:          40004 NT Win32
    File type:        3.6 Driver
    File date:        00000000.00000000
    Translations:     0409.04b0
    CompanyName:      Microsoft Corporation
    ProductName:      Microsoft® Windows® Operating System
    InternalName:     nsiproxy.sys
    OriginalFilename: nsiproxy.sys
    ProductVersion:   6.3.9600.17415
    FileVersion:      6.3.9600.17415 (winblue_r4.141028-1500)
    FileDescription:  NSI Proxy
    LegalCopyright:   © Microsoft Corporation. All rights reserved.


2: kd> lmvm NETIO
start             end                 module name
fffff801`0ae00000 fffff801`0ae78000   NETIO      (pdb symbols)          C:\ProgramData\dbg\sym\netio.pdb\873BD5E25CFD43A2A47494662C917A872\netio.pdb
    Loaded symbol image file: NETIO.SYS
    Mapped memory image file: C:\ProgramData\dbg\sym\NETIO.SYS\546029C578000\NETIO.SYS
    Image path: NETIO.SYS
    Image name: NETIO.SYS
    Timestamp:        Sun Nov 09 18:58:13 2014 (546029C5)
    CheckSum:         00076D9B
    ImageSize:        00078000
    File version:     6.3.9600.17485
    Product version:  6.3.9600.17485
    File flags:       0 (Mask 3F)
    File OS:          40004 NT Win32
    File type:        3.6 Driver
    File date:        00000000.00000000
    Translations:     0409.04b0
    CompanyName:      Microsoft Corporation
    ProductName:      Microsoft® Windows® Operating System
    InternalName:     netio.sys
    OriginalFilename: netio.sys
    ProductVersion:   6.3.9600.17485
    FileVersion:      6.3.9600.17485 (winblue_r5.141109-1500)
    FileDescription:  Network I/O Subsystem
    LegalCopyright:   © Microsoft Corporation. All rights reserved.

// The only real explanation for this at this point in the stack is a driver has overrun into the LIST_ENTRY and corrupted the linked list:
2: kd> !error 0xc0000409 
Error code: (NTSTATUS) 0xc0000409 (3221226505) - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.

// Validation that this is what happened:
2: kd> .exr ffffd00022031268
ExceptionAddress: fffff8010b0e4acd (ndis!ndisNsiGetInterfaceInformation+0x0000000000021b8d)
   ExceptionCode: c0000409 (Security check failure or stack buffer overrun)
  ExceptionFlags: 00000001
NumberParameters: 1
   Parameter[0]: 0000000000000003


// Your Atheros NIC driver is older:
2: kd> lmvm L1C60x64
start             end                 module name
fffff801`0ce00000 fffff801`0ce20000   L1C60x64 T (no symbols)           
    Loaded symbol image file: L1C60x64.sys
    Image path: L1C60x64.sys
    Image name: L1C60x64.sys
    Timestamp:        Wed May 29 00:16:33 2013 (51A5AB51)
    CheckSum:         0002CD6A
    ImageSize:        00020000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4

// Intel WiFi driver is older too:
2: kd> lmvm NETwew00
start             end                 module name
fffff801`0d4a0000 fffff801`0d7e7000   NETwew00 T (no symbols)           
    Loaded symbol image file: NETwew00.sys
    Image path: NETwew00.sys
    Image name: NETwew00.sys
    Timestamp:        Tue Feb 25 05:04:56 2014 (530C94F8)
    CheckSum:         0033F502
    ImageSize:        00347000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4

// You're running virtual networking via VMware Workstation or Player too:
2: kd> lmvm vmci; lmvm vsock; lmvm vmnetbridge; lmvm vmnetuserif
start             end                 module name
fffff801`0a8f1000 fffff801`0a90a000   vmci     T (no symbols)           
    Loaded symbol image file: vmci.sys
    Image path: vmci.sys
    Image name: vmci.sys
    Timestamp:        Fri May 17 18:19:18 2013 (5196D716)
    CheckSum:         0001AA2D
    ImageSize:        00019000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
start             end                 module name
fffff801`0a90a000 fffff801`0a921000   vsock    T (no symbols)           
    Loaded symbol image file: vsock.sys
    Image path: vsock.sys
    Image name: vsock.sys
    Timestamp:        Sun Jun 29 17:37:03 2014 (53B0B12F)
    CheckSum:         0001CD66
    ImageSize:        00017000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
start             end                 module name
fffff801`0d928000 fffff801`0d939000   vmnetbridge T (no symbols)           
    Loaded symbol image file: vmnetbridge.sys
    Image path: vmnetbridge.sys
    Image name: vmnetbridge.sys
    Timestamp:        Sun Jul 27 06:30:32 2014 (53D4FEF8)
    CheckSum:         00011919
    ImageSize:        00011000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
start             end                 module name
fffff801`0e574000 fffff801`0e57e000   vmnetuserif T (no symbols)           
    Loaded symbol image file: vmnetuserif.sys
    Image path: vmnetuserif.sys
    Image name: vmnetuserif.sys
    Timestamp:        Thu Nov 20 16:59:48 2014 (546E8E84)
    CheckSum:         00015392
    ImageSize:        0000A000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4


// And you've got the Avira network stack here too:
2: kd> lmvm avnetflt
start             end                 module name
fffff801`0e1ec000 fffff801`0e1fa000   avnetflt T (no symbols)           
    Loaded symbol image file: avnetflt.sys
    Image path: avnetflt.sys
    Image name: avnetflt.sys
    Timestamp:        Thu Nov 20 09:54:02 2014 (546E2ABA)
    CheckSum:         00011251
    ImageSize:        0000E000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4

I can't tell you which caused it, but... I'd start with the drivers for the physical devices in the system (Atheros/Intel NICs) and go from there.
 

My Computer

System One

  • OS
    Windows 8.1 x64
    Computer type
    PC/Desktop
    System Manufacturer/Model
    Custom
    CPU
    Intel Core i7 4790K @ 4.5GHz
    Motherboard
    Asus Maximus Hero VII
    Memory
    32GB DDR3
    Graphics Card(s)
    Nvidia GeForce GTX970
    Sound Card
    Realtek HD Audio
    Hard Drives
    1x Samsung 250GB SSD
    4x WD RE 2TB (RAIDZ)
    PSU
    Corsair AX760i
    Case
    Fractal Design Define R4
    Cooling
    Noctua NH-D15
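
Added example (not part of the original posts and not Windows source code): a user-mode C sketch of the kind of link-consistency check that precedes the `int 29h` seen in the dump above, where the code 3 in `rcx` and in the first bugcheck argument is `FAST_FAIL_CORRUPT_LIST_ENTRY`. The struct, function names and the two scenarios are constructed for illustration; the real kernel halts with bugcheck 0x139 where this code returns a value.

```c
#include <stdio.h>

/* User-mode stand-in for the kernel's doubly linked LIST_ENTRY (hypothetical names). */
typedef struct list_entry { struct list_entry *Flink, *Blink; } list_entry;

#define FAST_FAIL_CORRUPT_LIST_ENTRY 3 /* the 3 in rcx and in bugcheck Arg1 */

static void list_init(list_entry *h) { h->Flink = h->Blink = h; }

static void list_insert_tail(list_entry *h, list_entry *e) {
    e->Flink = h;
    e->Blink = h->Blink;
    h->Blink->Flink = e;
    h->Blink = e;
}

/* Checked unlink: both neighbours must still point back at the entry.
 * Returns 0 on success, or the fail code at the point where the kernel
 * would execute int 29h instead of touching the list. */
static int list_remove_checked(list_entry *e) {
    list_entry *next = e->Flink, *prev = e->Blink;
    if (next->Blink != e || prev->Flink != e)
        return FAST_FAIL_CORRUPT_LIST_ENTRY;
    prev->Flink = next;
    next->Blink = prev;
    return 0;
}

/* Constructed case 1: the same entry is unlinked twice. */
static int demo_double_remove(void) {
    list_entry head, a, b;
    list_init(&head);
    list_insert_tail(&head, &a);
    list_insert_tail(&head, &b);
    if (list_remove_checked(&a) != 0) return -1;
    return list_remove_checked(&a); /* neighbours no longer reference a */
}

/* Constructed case 2: a stray write replaces an entry's forward link. */
static int demo_overwritten_link(void) {
    list_entry head, a, stray;
    list_init(&head);
    list_init(&stray);
    list_insert_tail(&head, &a);
    a.Flink = &stray; /* simulates memory next to the list being overrun */
    return list_remove_checked(&a);
}

int main(void) {
    printf("double remove -> %d, overwritten link -> %d\n",
           demo_double_remove(), demo_overwritten_link());
    return 0;
}
```

Either kind of damage is caught only when the list is next walked or unlinked, which is why the faulting frame (`ndis` here) is where the corruption was detected and not necessarily the driver that caused it.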
Thanks so much for suggesting VMware. I have tried uninstalling its network adapter and obviously got a BSOD. Ran Windows in safe mode and managed to get rid of this, will mark solved if I do not get any further BSODs.
 

My Computer

System One

  • OS
    Win 8.1