KERNEL_SECURITY_CHECK_FAILURE (139) A LIST_ENTRY has been corrupted NETIO.SYS

Computer seems to BSOD when going idle. Analysis of MEMORY.DMP is below. Suspect virus, but Windows Defender says no.


Microsoft (R) Windows Debugger Version 6.3.9600.17336 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [C:\xxxxxxxxxxxxxxx\MEMORY.DMP]
Kernel Bitmap Dump File: Only kernel address space is available


************* Symbol Path validation summary **************
Response                         Time (ms)     Location
Deferred                                       srv*DownstreamStore*http://msdl.microsoft.com/download/symbols
Symbol search path is: srv*DownstreamStore*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows 8 Kernel Version 9600 MP (8 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 9600.17736.amd64fre.winblue_r9.150322-1500
Machine Name:
Kernel base = 0xfffff801`a1e12000 PsLoadedModuleList = 0xfffff801`a20eb850
Debug session time: Sun Jun  7 11:17:58.966 2015 (UTC + 9:30)
System Uptime: 0 days 0:10:58.726
Loading Kernel Symbols
...............................................................
................................................................
...............Page 199085 not present in the dump file. Type ".hh dbgerr004" for details
...................................
Loading User Symbols
PEB is paged out (Peb.Ldr = 00000000`7eff9018).  Type ".hh dbgerr001" for details
Loading unloaded module list
...........
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 139, {3, ffffd000332e01b0, ffffd000332e0108, 0}

Page 197cb6 not present in the dump file. Type ".hh dbgerr004" for details
Probably caused by : NETIO.SYS ( NETIO!NsiEnumerateObjectsAllParametersEx+20d )

Followup: MachineOwner
---------

0: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

KERNEL_SECURITY_CHECK_FAILURE (139)
A kernel component has corrupted a critical data structure.  The corruption
could potentially allow a malicious user to gain control of this machine.
Arguments:
Arg1: 0000000000000003, A LIST_ENTRY has been corrupted (i.e. double remove).
Arg2: ffffd000332e01b0, Address of the trap frame for the exception that caused the bugcheck
Arg3: ffffd000332e0108, Address of the exception record for the exception that caused the bugcheck
Arg4: 0000000000000000, Reserved

Debugging Details:
------------------

Page 197cb6 not present in the dump file. Type ".hh dbgerr004" for details

TRAP_FRAME:  ffffd000332e01b0 -- (.trap 0xffffd000332e01b0)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=ffffe0015402f4e0 rbx=0000000000000000 rcx=0000000000000003
rdx=ffffe00154061ef0 rsi=0000000000000000 rdi=0000000000000000
rip=fffff801c6c783b1 rsp=ffffd000332e0340 rbp=ffffe00152863010
 r8=0000000000000000  r9=0000000000000002 r10=ffffe00153341180
r11=ffffe0015501400c r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei ng nz na po cy
ndis!ndisNsiEnumerateAllInterfaceInformation+0x24c51:
fffff801`c6c783b1 cd29            int     29h
Resetting default scope

EXCEPTION_RECORD:  ffffd000332e0108 -- (.exr 0xffffd000332e0108)
ExceptionAddress: fffff801c6c783b1 (ndis!ndisNsiEnumerateAllInterfaceInformation+0x0000000000024c51)
   ExceptionCode: c0000409 (Security check failure or stack buffer overrun)
  ExceptionFlags: 00000001
NumberParameters: 1
   Parameter[0]: 0000000000000003

DEFAULT_BUCKET_ID:  LIST_ENTRY_CORRUPT

BUGCHECK_STR:  0x139

PROCESS_NAME:  mDNSResponder.

CURRENT_IRQL:  2

ERROR_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.

EXCEPTION_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.

EXCEPTION_PARAMETER1:  0000000000000003

ANALYSIS_VERSION: 6.3.9600.17336 (debuggers(dbg).150226-1500) amd64fre

LAST_CONTROL_TRANSFER:  from fffff801a1f6e7e9 to fffff801a1f62ca0

STACK_TEXT: 
ffffd000`332dfe88 fffff801`a1f6e7e9 : 00000000`00000139 00000000`00000003 ffffd000`332e01b0 ffffd000`332e0108 : nt!KeBugCheckEx
ffffd000`332dfe90 fffff801`a1f6eb10 : ffff5d38`46f78f4f ffffd000`332e0278 ffffc001`f162e060 ffffe001`550096f8 : nt!KiBugCheckDispatch+0x69
ffffd000`332dffd0 fffff801`a1f6dd34 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiFastFailDispatch+0xd0
ffffd000`332e01b0 fffff801`c6c783b1 : 00000000`ffffe001 00000000`00000000 ffffe001`52863010 ffffe001`528634e0 : nt!KiRaiseSecurityCheckFailure+0xf4
ffffd000`332e0340 fffff801`c6d68308 : ffffd000`332e0580 00000000`00000000 ffffe001`55008002 00000000`00000008 : ndis!ndisNsiEnumerateAllInterfaceInformation+0x24c51
ffffd000`332e0460 fffff801`c81b6fc1 : ffffe001`55008000 ffffe001`00000070 ffffd000`332e07b0 00000000`00000000 : NETIO!NsiEnumerateObjectsAllParametersEx+0x20d
ffffd000`332e0650 fffff801`c81b6bea : 00000000`00000000 ffffe001`55dafe40 ffffe001`55dafd70 00000000`00000000 : nsiproxy!NsippEnumerateObjectsAllParameters+0x201
ffffd000`332e0840 fffff801`a223777f : 00000000`00000000 ffffe001`55dafd70 ffffe001`55dafd70 00000000`00000001 : nsiproxy!NsippDispatch+0x5a
ffffd000`332e0880 fffff801`a2236d22 : ffffd000`332e0a38 ffffe001`00000000 00000000`00000001 00000000`00000000 : nt!IopXxxControlFile+0xa4f
ffffd000`332e0a20 fffff801`a1f6e4b3 : ffffe001`559fb080 fffff6fb`001f0003 00000000`00a5e7f8 fffff680`00000001 : nt!NtDeviceIoControlFile+0x56
ffffd000`332e0a90 00000000`771e2352 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13
00000000`00a5f0f8 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x771e2352


STACK_COMMAND:  kb

FOLLOWUP_IP:
NETIO!NsiEnumerateObjectsAllParametersEx+20d
fffff801`c6d68308 8bd8            mov     ebx,eax

SYMBOL_STACK_INDEX:  5

SYMBOL_NAME:  NETIO!NsiEnumerateObjectsAllParametersEx+20d

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: NETIO

IMAGE_NAME:  NETIO.SYS

DEBUG_FLR_IMAGE_TIMESTAMP:  546029c5

BUCKET_ID_FUNC_OFFSET:  20d

FAILURE_BUCKET_ID:  0x139_3_NETIO!NsiEnumerateObjectsAllParametersEx

BUCKET_ID:  0x139_3_NETIO!NsiEnumerateObjectsAllParametersEx

ANALYSIS_SOURCE:  KM

FAILURE_ID_HASH_STRING:  km:0x139_3_netio!nsienumerateobjectsallparametersex

FAILURE_ID_HASH:  {647902b7-14c2-326a-6aea-d9b7b6d3d895}

Followup: MachineOwner
---------

June 6th, 2015 10:59pm

Hi & welcome too,

We do need the actual log files (called DMP files), as they contain the only record of the sequence of events leading up to the crash, what drivers were loaded, and what was responsible.

Please follow our instructions for finding and uploading the files we need to help you fix your computer.

They can be found here

If you have any questions about the procedure please ask

June 6th, 2015 11:06pm

Hi,

We hope your issue has been resolved. If you've found a solution by yourself, we would appreciate it if you could share it with us, and we will mark it as the answer.

Without the actual log file, our help might be limited. Based on that debug code, here is some advanced information.

Bug Check 0x139 KERNEL_SECURITY_CHECK_FAILURE Parameters

https://msdn.microsoft.com/en-us/library/windows/hardware/jj569891%28v=vs.85%29.aspx?f=255&MSPPError=-2147217396

KERNEL_SECURITY_CHECK_FAILURE 0x139 happening in NETIO.SYS

http://superuser.com/questions/859807/recurring-bsod-0x139-kernel-security-check-failure-in-netio-sys-bugcheck-analys

Please note: Since the website is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.

Stop error code 0xD1, 0x139, or 0x3B and random crashes in Windows

https://support.microsoft.com/en-us/kb/3055343

Regards,

D. Wu

June 12th, 2015 1:05am
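Added example, not part of the original thread and not Windows source code: a portable C model of the checked list unlink that the dump above reports as Arg1 = 3 ("A LIST_ENTRY has been corrupted (i.e. double remove)") and that ends in `int 29h`. The `Flink`/`Blink` layout and the fast-fail code 3 match the dump; the function names and the two-entry list are assumptions made for illustration.

```c
/* Portable model of the checked list unlink behind bug check 0x139, Arg1 = 3.
 * Not Windows source: list_init, list_insert_tail, checked_remove and
 * double_remove_demo are hypothetical names used for illustration. */
#include <stdio.h>

#define FAST_FAIL_CORRUPT_LIST_ENTRY 3  /* value seen in rcx / Arg1 in the dump */

typedef struct list_entry {
    struct list_entry *Flink;  /* forward link */
    struct list_entry *Blink;  /* backward link */
} list_entry;

static void list_init(list_entry *head) { head->Flink = head->Blink = head; }

static void list_insert_tail(list_entry *head, list_entry *e) {
    e->Flink = head;
    e->Blink = head->Blink;
    head->Blink->Flink = e;
    head->Blink = e;
}

/* Returns 0 on a clean unlink. Returns the fast-fail code at the point where
 * the real kernel would execute `int 29h` and bugcheck instead of returning. */
static int checked_remove(list_entry *e) {
    list_entry *next = e->Flink, *prev = e->Blink;
    if (next->Blink != e || prev->Flink != e)
        return FAST_FAIL_CORRUPT_LIST_ENTRY;  /* neighbours no longer point back */
    prev->Flink = next;
    next->Blink = prev;
    return 0;  /* e's own links are left stale, which is what exposes a reuse */
}

/* Constructed scenario: two code paths both unlink the same entry. */
static int double_remove_demo(void) {
    list_entry head, a, b;
    list_init(&head);
    list_insert_tail(&head, &a);
    list_insert_tail(&head, &b);
    int first = checked_remove(&a);   /* legitimate removal, returns 0 */
    int second = checked_remove(&a);  /* a.Flink is &b, but b.Blink is now &head */
    return first * 10 + second;
}

int main(void) {
    printf("first*10+second = %d\n", double_remove_demo());
    return 0;
}
```

The check stops the second unlink before any pointer is written, which is why the system halts with a bugcheck rather than continuing with a damaged list.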
