Hi
I have a server running as a Hyper-V guest on Hyper-V 2012 R2 hosting several similar guests. This particular 2012R2, however, has on 4 occasions last month experienced unexpected reboots.
Upon investigation, an event 1001 "The computer has rebooted from a bugcheck. The bugcheck was: 0x00000139 (0x0000000000000003, 0xffffd0002067bc50, 0xffffd0002067bba8, 0x0000000000000000). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id xxx" is given in the Event Viewer.
A debug of the minidump is as follows:
Microsoft (R) Windows Debugger Version 6.3.9600.17298 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [C:\Users\ze0163\Desktop\121814-48484-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available
************* Symbol Path validation summary **************
Response Time (ms) Location
Deferred SRV*C:\SymCache*http://msdl.microsoft.com/download/symbols
Symbol search path is: SRV*C:\SymCache*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows 8 Kernel Version 9600 MP (8 procs) Free x64
Product: Server, suite: TerminalServer SingleUserTS
Built by: 9600.17238.amd64fre.winblue_gdr.140723-2018
Machine Name:
Kernel base = 0xfffff802`8ea1a000 PsLoadedModuleList = 0xfffff802`8ece4350
Debug session time: Thu Dec 18 01:39:03.989 2014 (UTC + 1:00)
System Uptime: 20 days 6:09:32.242
Loading Kernel Symbols
.
Press ctrl-c (cdb, kd, ntsd) or ctrl-break (windbg) to abort symbol loads that take too long.
Run !sym noisy before .reload to track down problems loading symbols.
..............................................................
...............................................................
Loading User Symbols
Loading unloaded module list
...............................
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck 139, {3, ffffd0002067bc50, ffffd0002067bba8, 0}
Probably caused by : tcpip.sys ( tcpip!WfpAleAuthorizeConnect+1d0 )
Followup: MachineOwner
---------
3: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
KERNEL_SECURITY_CHECK_FAILURE (139)
A kernel component has corrupted a critical data structure. The corruption
could potentially allow a malicious user to gain control of this machine.
Arguments:
Arg1: 0000000000000003, A LIST_ENTRY has been corrupted (i.e. double remove).
Arg2: ffffd0002067bc50, Address of the trap frame for the exception that caused the bugcheck
Arg3: ffffd0002067bba8, Address of the exception record for the exception that caused the bugcheck
Arg4: 0000000000000000, Reserved
Debugging Details:
------------------
TRAP_FRAME: ffffd0002067bc50 -- (.trap 0xffffd0002067bc50)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=ffffe0012e27ef38 rbx=0000000000000000 rcx=0000000000000003
rdx=ffffe0012e27ef38 rsi=0000000000000000 rdi=0000000000000000
rip=fffff8028eae9103 rsp=ffffd0002067bde0 rbp=ffffd0002067bf50
r8=000000000004c60b r9=ffffe001310a12e8 r10=0000000000000000
r11=fffff800afcd0083 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei pl nz ac pe cy
nt!RtlInsertEntryHashTable+0x127:
fffff802`8eae9103 cd29 int 29h
Resetting default scope
EXCEPTION_RECORD: ffffd0002067bba8 -- (.exr 0xffffd0002067bba8)
ExceptionAddress: fffff8028eae9103 (nt!RtlInsertEntryHashTable+0x0000000000000127)
ExceptionCode: c0000409 (Security check failure or stack buffer overrun)
ExceptionFlags: 00000001
NumberParameters: 1
Parameter[0]: 0000000000000003
CUSTOMER_CRASH_COUNT: 1
DEFAULT_BUCKET_ID: LIST_ENTRY_CORRUPT
BUGCHECK_STR: 0x139
PROCESS_NAME: svchost.exe
CURRENT_IRQL: 2
ERROR_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow
a malicious user to gain control of this application.
EXCEPTION_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow
a malicious user to gain control of this application.
EXCEPTION_PARAMETER1: 0000000000000003
ANALYSIS_VERSION: 6.3.9600.17298 (debuggers(dbg).141024-1500) amd64fre
LAST_CONTROL_TRANSFER: from fffff8028eb797e9 to fffff8028eb6dca0
STACK_TEXT:
ffffd000`2067b928 fffff802`8eb797e9 : 00000000`00000139 00000000`00000003 ffffd000`2067bc50 ffffd000`2067bba8 : nt!KeBugCheckEx
ffffd000`2067b930 fffff802`8eb79b10 : ffffe001`0a6e8d09 ffffe001`25bf1310 00000000`00001014 ffffe001`25bf1470 : nt!KiBugCheckDispatch+0x69
ffffd000`2067ba70 fffff802`8eb78d34 : 00000000`00000000 00000000`000f01ff ffffe001`00000000 fffff800`00000200 : nt!KiFastFailDispatch+0xd0
ffffd000`2067bc50 fffff802`8eae9103 : ffffe001`2bd25520 fffff802`8eaa07ec ffff43ce`85897c00 ffffc002`0942afc0 : nt!KiRaiseSecurityCheckFailure+0xf4
ffffd000`2067bde0 fffff800`afcc0a10 : ffffe001`2bd95010 00000000`00000480 00000000`000099c4 fffff802`8edffe9a : nt!RtlInsertEntryHashTable+0x127
ffffd000`2067be30 fffff800`afcc506a : 00000000`00000000 00000000`ffffffff ffffd000`2067c390 00000000`ffffffff : tcpip!WfpAleAuthorizeConnect+0x1d0
ffffd000`2067c290 fffff800`afcc281b : ffffe001`2b52d920 ffffe001`2b52db60 00000000`00000002 fffff802`8ecaead5 : tcpip!TcpContinueCreateAndConnect+0x5ba
ffffd000`2067c4c0 fffff800`afcc2e18 : ffffe001`2bdd2160 ffffe001`2bdd2160 ffffe001`2bdd9010 ffffe001`211451b8 : tcpip!TcpCreateAndConnectTcbWorkQueueRoutine+0x347
ffffd000`2067c5b0 fffff800`b0338163 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : tcpip!TcpCreateAndConnectTcb+0x578
ffffd000`2067c6e0 fffff800`b032d216 : ffffe001`2bd25520 ffffe001`2b536010 ffffe001`23f0ea00 00000000`00000000 : afd!AfdSuperConnect+0x48f
ffffd000`2067c850 fffff802`8edf9872 : 00000000`00000000 ffffd000`2067cb80 ffffe001`2bd25520 00000000`00000004 : afd!AfdDispatchDeviceControl+0x66
ffffd000`2067c880 fffff802`8edfa146 : 00000fea`f03ef162 0000000c`001f0003 00000000`00000000 00000000`00000000 : nt!IopXxxControlFile+0x8d2
ffffd000`2067ca20 fffff802`8eb794b3 : 00000000`00000000 ffffd000`2067cad8 00000000`00000000 000000be`00000002 : nt!NtDeviceIoControlFile+0x56
ffffd000`2067ca90 00007ffe`15da16ea : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13
000000be`2afdcd58 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x00007ffe`15da16ea
STACK_COMMAND: kb
FOLLOWUP_IP:
tcpip!WfpAleAuthorizeConnect+1d0
fffff800`afcc0a10 84c0 test al,al
SYMBOL_STACK_INDEX: 5
SYMBOL_NAME: tcpip!WfpAleAuthorizeConnect+1d0
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: tcpip
IMAGE_NAME: tcpip.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 53eebd32
IMAGE_VERSION: 6.3.9600.17278
BUCKET_ID_FUNC_OFFSET: 1d0
FAILURE_BUCKET_ID: 0x139_3_tcpip!WfpAleAuthorizeConnect
BUCKET_ID: 0x139_3_tcpip!WfpAleAuthorizeConnect
ANALYSIS_SOURCE: KM
FAILURE_ID_HASH_STRING: km:0x139_3_tcpip!wfpaleauthorizeconnect
FAILURE_ID_HASH: {533cd672-59c8-c1fb-533a-88192fb0f1e9}
Followup: MachineOwner
---------
I have confirmed that the version of the Hyper-V integration tools is up to date and also the same as on the other 2012R2 guests.
Any input on the cause of this issue would be helpful. No strange drivers are used; the network driver and card are standard Hyper-V, again the same as on the other guests.
Thanks
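
Added example, not part of the original post and not Windows source code: a simplified user-mode C model of the list-link integrity check behind bugcheck 0x139 with Arg1 = 3, where the kernel executes `int 29h` with rcx = 3 (FAST_FAIL_CORRUPT_LIST_ENTRY) instead of using a corrupted LIST_ENTRY. The type and function names and both corruption scenarios are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified model of a doubly linked LIST_ENTRY (names are illustrative). */
typedef struct list_entry { struct list_entry *flink, *blink; } list_entry;

#define FAST_FAIL_CORRUPT_LIST_ENTRY 3 /* the value in rcx / Arg1 in the dump */

static void list_init(list_entry *head) { head->flink = head->blink = head; }

/* Checked tail insert: returns 0, or the fast-fail code at the point
 * where the kernel would stop the machine rather than write the links. */
static int list_insert_tail_checked(list_entry *head, list_entry *e)
{
    list_entry *prev = head->blink;
    if (prev->flink != head)          /* last entry must point back to head */
        return FAST_FAIL_CORRUPT_LIST_ENTRY;
    e->flink = head; e->blink = prev;
    prev->flink = e; head->blink = e;
    return 0;
}

/* Checked unlink: both neighbours must still point at the entry. */
static int list_remove_checked(list_entry *e)
{
    list_entry *next = e->flink, *prev = e->blink;
    if (next->blink != e || prev->flink != e)
        return FAST_FAIL_CORRUPT_LIST_ENTRY;
    prev->flink = next; next->blink = prev;
    return 0;
}

/* Constructed case 1: the "double remove" named in the Arg1 description. */
static int demo_double_remove(void)
{
    list_entry head, a, b;
    list_init(&head);
    list_insert_tail_checked(&head, &a);
    list_insert_tail_checked(&head, &b);
    if (list_remove_checked(&a) != 0) return -1;
    return list_remove_checked(&a);   /* a's stale links no longer match */
}

/* Constructed case 2: an insert that finds a linked entry overwritten,
 * the shape of failure an insert routine would report. */
static int demo_insert_into_corrupt_list(void)
{
    list_entry head, a, b;
    list_init(&head);
    list_insert_tail_checked(&head, &a);
    a.flink = NULL;                   /* simulated overwrite while linked */
    return list_insert_tail_checked(&head, &b);
}

int main(void)
{
    printf("double remove -> %d\n", demo_double_remove());
    printf("insert into corrupt list -> %d\n", demo_insert_into_corrupt_list());
    return 0;
}
```

The check reports the corruption at the moment it is noticed, so the function on the stack at that point is the one that touched the list, not necessarily the code that damaged it earlier.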