Windows 2012 Standard server Unexpected reboots due to bugcheck 0x00000139

Hi

I have a server running as a Hyper-V guest on Hyper-V 2012 R2, which hosts several similar guests. This particular 2012R2 guest, however, has on 4 occasions last month experienced unexpected reboots.

Upon investigation, an event 1001 is given in the Event Viewer: The computer has rebooted from a bugcheck.  The bugcheck was: 0x00000139 (0x0000000000000003, 0xffffd0002067bc50, 0xffffd0002067bba8, 0x0000000000000000). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id xxx

A debug of the minidump is as follows:

Microsoft (R) Windows Debugger Version 6.3.9600.17298 AMD64 
Copyright (c) Microsoft Corporation. All rights reserved. 


Loading Dump File [C:\Users\ze0163\Desktop\121814-48484-01.dmp] 
Mini Kernel Dump File: Only registers and stack trace are available 


************* Symbol Path validation summary ************** 
Response Time (ms) Location 
Deferred SRV*C:\SymCache*http://msdl.microsoft.com/download/symbols 
Symbol search path is: SRV*C:\SymCache*http://msdl.microsoft.com/download/symbols 
Executable search path is: 
Windows 8 Kernel Version 9600 MP (8 procs) Free x64 
Product: Server, suite: TerminalServer SingleUserTS 
Built by: 9600.17238.amd64fre.winblue_gdr.140723-2018 
Machine Name: 
Kernel base = 0xfffff802`8ea1a000 PsLoadedModuleList = 0xfffff802`8ece4350 
Debug session time: Thu Dec 18 01:39:03.989 2014 (UTC + 1:00) 
System Uptime: 20 days 6:09:32.242 
Loading Kernel Symbols 


Press ctrl-c (cdb, kd, ntsd) or ctrl-break (windbg) to abort symbol loads that take too long. 
Run !sym noisy before .reload to track down problems loading symbols. 

.............................................................. 
............................................................... 
Loading User Symbols 
Loading unloaded module list 
............................... 
******************************************************************************* 
* * 
* Bugcheck Analysis * 
* * 
******************************************************************************* 

Use !analyze -v to get detailed debugging information. 

BugCheck 139, {3, ffffd0002067bc50, ffffd0002067bba8, 0} 

Probably caused by : tcpip.sys ( tcpip!WfpAleAuthorizeConnect+1d0 ) 

Followup: MachineOwner 
--------- 

3: kd> !analyze -v 
******************************************************************************* 
* * 
* Bugcheck Analysis * 
* * 
******************************************************************************* 

KERNEL_SECURITY_CHECK_FAILURE (139) 
A kernel component has corrupted a critical data structure. The corruption 
could potentially allow a malicious user to gain control of this machine. 
Arguments: 
Arg1: 0000000000000003, A LIST_ENTRY has been corrupted (i.e. double remove). 
Arg2: ffffd0002067bc50, Address of the trap frame for the exception that caused the bugcheck 
Arg3: ffffd0002067bba8, Address of the exception record for the exception that caused the bugcheck 
Arg4: 0000000000000000, Reserved 

Debugging Details: 
------------------ 


TRAP_FRAME: ffffd0002067bc50 -- (.trap 0xffffd0002067bc50) 
NOTE: The trap frame does not contain all registers. 
Some register values may be zeroed or incorrect. 
rax=ffffe0012e27ef38 rbx=0000000000000000 rcx=0000000000000003 
rdx=ffffe0012e27ef38 rsi=0000000000000000 rdi=0000000000000000 
rip=fffff8028eae9103 rsp=ffffd0002067bde0 rbp=ffffd0002067bf50 
r8=000000000004c60b r9=ffffe001310a12e8 r10=0000000000000000 
r11=fffff800afcd0083 r12=0000000000000000 r13=0000000000000000 
r14=0000000000000000 r15=0000000000000000 
iopl=0 nv up ei pl nz ac pe cy 
nt!RtlInsertEntryHashTable+0x127: 
fffff802`8eae9103 cd29 int 29h 
Resetting default scope 

EXCEPTION_RECORD: ffffd0002067bba8 -- (.exr 0xffffd0002067bba8) 
ExceptionAddress: fffff8028eae9103 (nt!RtlInsertEntryHashTable+0x0000000000000127) 
ExceptionCode: c0000409 (Security check failure or stack buffer overrun) 
ExceptionFlags: 00000001 
NumberParameters: 1 
Parameter[0]: 0000000000000003 

CUSTOMER_CRASH_COUNT: 1 

DEFAULT_BUCKET_ID: LIST_ENTRY_CORRUPT 

BUGCHECK_STR: 0x139 

PROCESS_NAME: svchost.exe 

CURRENT_IRQL: 2 

ERROR_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application. 

EXCEPTION_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application. 

EXCEPTION_PARAMETER1: 0000000000000003 

ANALYSIS_VERSION: 6.3.9600.17298 (debuggers(dbg).141024-1500) amd64fre 

LAST_CONTROL_TRANSFER: from fffff8028eb797e9 to fffff8028eb6dca0 

STACK_TEXT: 
ffffd000`2067b928 fffff802`8eb797e9 : 00000000`00000139 00000000`00000003 ffffd000`2067bc50 ffffd000`2067bba8 : nt!KeBugCheckEx 
ffffd000`2067b930 fffff802`8eb79b10 : ffffe001`0a6e8d09 ffffe001`25bf1310 00000000`00001014 ffffe001`25bf1470 : nt!KiBugCheckDispatch+0x69 
ffffd000`2067ba70 fffff802`8eb78d34 : 00000000`00000000 00000000`000f01ff ffffe001`00000000 fffff800`00000200 : nt!KiFastFailDispatch+0xd0 
ffffd000`2067bc50 fffff802`8eae9103 : ffffe001`2bd25520 fffff802`8eaa07ec ffff43ce`85897c00 ffffc002`0942afc0 : nt!KiRaiseSecurityCheckFailure+0xf4 
ffffd000`2067bde0 fffff800`afcc0a10 : ffffe001`2bd95010 00000000`00000480 00000000`000099c4 fffff802`8edffe9a : nt!RtlInsertEntryHashTable+0x127 
ffffd000`2067be30 fffff800`afcc506a : 00000000`00000000 00000000`ffffffff ffffd000`2067c390 00000000`ffffffff : tcpip!WfpAleAuthorizeConnect+0x1d0 
ffffd000`2067c290 fffff800`afcc281b : ffffe001`2b52d920 ffffe001`2b52db60 00000000`00000002 fffff802`8ecaead5 : tcpip!TcpContinueCreateAndConnect+0x5ba 
ffffd000`2067c4c0 fffff800`afcc2e18 : ffffe001`2bdd2160 ffffe001`2bdd2160 ffffe001`2bdd9010 ffffe001`211451b8 : tcpip!TcpCreateAndConnectTcbWorkQueueRoutine+0x347 
ffffd000`2067c5b0 fffff800`b0338163 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : tcpip!TcpCreateAndConnectTcb+0x578 
ffffd000`2067c6e0 fffff800`b032d216 : ffffe001`2bd25520 ffffe001`2b536010 ffffe001`23f0ea00 00000000`00000000 : afd!AfdSuperConnect+0x48f 
ffffd000`2067c850 fffff802`8edf9872 : 00000000`00000000 ffffd000`2067cb80 ffffe001`2bd25520 00000000`00000004 : afd!AfdDispatchDeviceControl+0x66 
ffffd000`2067c880 fffff802`8edfa146 : 00000fea`f03ef162 0000000c`001f0003 00000000`00000000 00000000`00000000 : nt!IopXxxControlFile+0x8d2 
ffffd000`2067ca20 fffff802`8eb794b3 : 00000000`00000000 ffffd000`2067cad8 00000000`00000000 000000be`00000002 : nt!NtDeviceIoControlFile+0x56 
ffffd000`2067ca90 00007ffe`15da16ea : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13 
000000be`2afdcd58 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x00007ffe`15da16ea 


STACK_COMMAND: kb 

FOLLOWUP_IP: 
tcpip!WfpAleAuthorizeConnect+1d0 
fffff800`afcc0a10 84c0 test al,al 

SYMBOL_STACK_INDEX: 5 

SYMBOL_NAME: tcpip!WfpAleAuthorizeConnect+1d0 

FOLLOWUP_NAME: MachineOwner 

MODULE_NAME: tcpip 

IMAGE_NAME: tcpip.sys 

DEBUG_FLR_IMAGE_TIMESTAMP: 53eebd32 

IMAGE_VERSION: 6.3.9600.17278 

BUCKET_ID_FUNC_OFFSET: 1d0 

FAILURE_BUCKET_ID: 0x139_3_tcpip!WfpAleAuthorizeConnect 

BUCKET_ID: 0x139_3_tcpip!WfpAleAuthorizeConnect 

ANALYSIS_SOURCE: KM 

FAILURE_ID_HASH_STRING: km:0x139_3_tcpip!wfpaleauthorizeconnect 

FAILURE_ID_HASH: {533cd672-59c8-c1fb-533a-88192fb0f1e9} 

Followup: MachineOwner 
--------- 

I have confirmed that the version of the Hyper-V integration tools is up to date and is the same as on the other 2012R2 guests.

Any input on the cause of this issue would be helpful. No strange drivers are used; the network driver and card are standard Hyper-V, again the same as on the other guests.

Thanks

December 18th, 2014 9:37am

Hi,

Bug Check 0x139 indicates that the kernel has detected the corruption of a critical data structure. For more details, please refer to the following article and check whether it helps.

Bug Check 0x139 KERNEL_SECURITY_CHECK_FAILURE

Please check whether all necessary Windows updates are installed and the necessary drivers are updated. Please run the sfc /scannow command to scan all protected system files.

Probably caused by: tcpip.sys

Please also run Driver Verifier and check whether it helps us find the underlying cause. For more details, please refer to the following article and check whether it helps.

Driver Verifier-- tracking down a mis-behaving driver.

By the way, as you know, to troubleshoot this kind of kernel crash issue, we need to analyze the crash dump file to narrow down the root cause. However, it may not be effective for us to debug the crash dump file here in the forum. If this issue is an emergency for you, please contact Microsoft Customer Service and Support (CSS) via telephone so that a dedicated Support Professional can assist with your request.

To obtain the phone numbers for a specific technology request, please refer to the web site listed below:

http://support.microsoft.com/default.aspx?scid=fh;EN-US;OfferProPhone#faq607

If there is any update, please feel free to let me know.

Hope this helps.

Best regards,

Justin Gu

December 19th, 2014 7:03am
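
The "LIST_ENTRY has been corrupted (i.e. double remove)" condition reported as Arg1 = 3 in the dump above can be reproduced in a small user-mode model. This is an added example, not code from Windows or from any poster in this thread; the type and function names are hypothetical, and the functions return the fail code at the point where the kernel, per the trap frame above, executes `int 29h` with rcx = 3.

```c
#include <stdio.h>

/* Constructed user-mode model of a doubly linked list entry. */
typedef struct list_entry {
    struct list_entry *flink;   /* forward link (next entry) */
    struct list_entry *blink;   /* backward link (previous entry) */
} list_entry;

/* Same value as Arg1 / rcx in the bugcheck above. */
#define FAST_FAIL_CORRUPT_LIST_ENTRY 3

static void list_init(list_entry *head) { head->flink = head->blink = head; }

/* Insert at the tail; the current last entry must still point at the head. */
static int checked_insert_tail(list_entry *head, list_entry *e) {
    list_entry *last = head->blink;
    if (last->flink != head)
        return FAST_FAIL_CORRUPT_LIST_ENTRY;   /* kernel would fast-fail here */
    e->flink = head;
    e->blink = last;
    last->flink = e;
    head->blink = e;
    return 0;
}

/* Unlink an entry; both neighbours must point back at it. */
static int checked_remove(list_entry *e) {
    if (e->flink->blink != e || e->blink->flink != e)
        return FAST_FAIL_CORRUPT_LIST_ENTRY;   /* stale or corrupted links */
    e->blink->flink = e->flink;
    e->flink->blink = e->blink;
    return 0;
}

/* Scenario: the same entry is removed twice (a double remove). */
static int double_remove_demo(void) {
    list_entry head, a, b;
    list_init(&head);
    if (checked_insert_tail(&head, &a) || checked_insert_tail(&head, &b))
        return -1;
    if (checked_remove(&a) != 0)               /* first remove is legitimate */
        return -1;
    return checked_remove(&a);                 /* neighbours no longer point at a */
}

int main(void) {
    printf("second remove -> fail code %d\n", double_remove_demo());
    return 0;
}
```

The check fires at the operation that notices the inconsistency, which is why the faulting frame in the dump is an insert (`nt!RtlInsertEntryHashTable`) even though the bad link may have been written earlier by other code.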

I have an IBM Thinkserver TS100 which I use in my home lab environment.  It has a Xeon 3110 CPU with 8 GB of PC2-6400E RAM which is supported by this IBM motherboard.  I have installed Windows Server 2012 R2 Standard and Hyper-V.  For several weeks, there were no issues. 

Recently I encountered a very similar BugCheck as the one reported here.  It would report the BugCheck and reboot every 15 to 20 minutes, like clock-work.  I tried a lot of things, like un-installing every update on the machine from two weeks before the time the issue began.  It did not help.  No drivers had been updated.  No new or replacement hardware had been installed.  Only Windows updates had been installed automatically.  It had no third-party software installed and only one VM, with a Windows 2012 R2 Standard Server. 

I had a brainstorm and checked my virtual switch settings.  I had configured my second adapter, an Intel Pro/1000 MT, as SR-IOV.  The "Allow management operating system to share this network adapter" is not checked.  I know it's a desktop NIC, but this is a lab server and performance is not critical to anything for its function.  Initially, there were no issues and so I 'forgot' about it.  Last night, I checked it again and found that Windows' Virtual Switch Properties indicated that card did not support SR-IOV.

I deleted the virtual switch and created a new virtual switch with the same NIC and everything was back to normal.  I have rebooted it one time to complete the installation of Windows updates.  It is now stable again.  There have been no BugChecks since eliminating SR-IOV on that NIC.   Perhaps the behavior is the same with any NIC which does not support SR-IOV?

June 27th, 2015 8:02pm

This topic is archived. No further replies will be accepted.
