kernel security check failure

My Sony Vaio Fit 13A keeps shutting down without warning. About once every two days. I can then restart it, with no apparent damage.

I don't know if it's a related problem but today (for the first time) it first gave me a blue screen entitled "kernel security check failure".

I uploaded memory dump etc to https://onedrive.live.com/?id=24E988762E9C6F1%21105&cid=024E988762E9C6F1&group=0 -- can anyone see what my problem might

July 21st, 2015 2:14pm

Your crash is caused by NETwbw02.sys, which is an Intel wireless driver. Remove it completely and download the latest driver for your wireless NIC. vwififlt.sys is mentioned but is a Windows system driver; if removing NETwbw02.sys does not fix the issue, we can pursue the Windows driver. But in my experience I have never seen a system driver be the main cause.

.

.

.

Use !analyze -v to get detailed debugging information.

BugCheck 139, {3, ffffd000ff1fab90, ffffd000ff1faae8, 0}

*** WARNING: Unable to verify timestamp for NETwbw02.sys
*** ERROR: Module load completed but symbols could not be loaded for NETwbw02.sys
Probably caused by : vwififlt.sys ( vwififlt!FilterSendNetBufferListsComplete+181 )

Followup: MachineOwner
---------

1: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

KERNEL_SECURITY_CHECK_FAILURE (139)
A kernel component has corrupted a critical data structure.  The corruption
could potentially allow a malicious user to gain control of this machine.
Arguments:
Arg1: 0000000000000003, A LIST_ENTRY has been corrupted (i.e. double remove).
Arg2: ffffd000ff1fab90, Address of the trap frame for the exception that caused the bugcheck
Arg3: ffffd000ff1faae8, Address of the exception record for the exception that caused the bugcheck
Arg4: 0000000000000000, Reserved

Debugging Details:
------------------


TRAP_FRAME:  ffffd000ff1fab90 -- (.trap 0xffffd000ff1fab90)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=0000000000000002 rbx=0000000000000000 rcx=0000000000000003
rdx=ffffe000391ea3a8 rsi=0000000000000000 rdi=0000000000000000
rip=fffff8018ea99e06 rsp=ffffd000ff1fad20 rbp=ffffd000ff1fadc0
 r8=ffffe0003dc23a78  r9=fffff801db817000 r10=ffffe0003694a1c0
r11=ffffd000ff1fad40 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei pl nz ac pe nc
ndis!ndisFreeNblToNPagedPool+0x71:
fffff801`8ea99e06 cd29            int     29h
Resetting default scope

EXCEPTION_RECORD:  ffffd000ff1faae8 -- (.exr 0xffffd000ff1faae8)
ExceptionAddress: fffff8018ea99e06 (ndis!ndisFreeNblToNPagedPool+0x0000000000000071)
   ExceptionCode: c0000409 (Security check failure or stack buffer overrun)
  ExceptionFlags: 00000001
NumberParameters: 1
   Parameter[0]: 0000000000000003

CUSTOMER_CRASH_COUNT:  1

DEFAULT_BUCKET_ID:  LIST_ENTRY_CORRUPT

BUGCHECK_STR:  0x139

PROCESS_NAME:  System

CURRENT_IRQL:  2

ERROR_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.

EXCEPTION_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.

EXCEPTION_PARAMETER1:  0000000000000003

LAST_CONTROL_TRANSFER:  from fffff801db9737e9 to fffff801db967ca0

STACK_TEXT:  
ffffd000`ff1fa868 fffff801`db9737e9 : 00000000`00000139 00000000`00000003 ffffd000`ff1fab90 ffffd000`ff1faae8 : nt!KeBugCheckEx
ffffd000`ff1fa870 fffff801`db973b10 : ffffe000`38a172b0 ffffe000`38a17010 ffffe000`38bc1000 ffffffff`ffffffff : nt!KiBugCheckDispatch+0x69
ffffd000`ff1fa9b0 fffff801`db972d34 : 00000000`00000000 00000000`00000000 00000000`00000000 fffff801`dbb03d88 : nt!KiFastFailDispatch+0xd0
ffffd000`ff1fab90 fffff801`8ea99e06 : 00000000`00000000 fffff801`8ee98146 00000000`00000000 ffffd000`ff1fadf9 : nt!KiRaiseSecurityCheckFailure+0xf4
ffffd000`ff1fad20 fffff801`8ea9386c : ffffe000`391ea3c0 ffffe000`3e82a360 00000000`00000000 ffffe000`3e6bb301 : ndis!ndisFreeNblToNPagedPool+0x71
ffffd000`ff1fad50 fffff801`8f72be19 : ffffe000`3cc70010 ffffe000`3e3238b0 ffffe000`391ea3c0 00000000`00000001 : ndis!NdisFreeCloneNetBufferList+0x18c
ffffd000`ff1fae00 fffff801`8ea97eee : 00000000`00000000 ffffd000`ff1faf50 fffff801`8f72bc98 00000000`00000000 : vwififlt!FilterSendNetBufferListsComplete+0x181
ffffd000`ff1fae50 fffff801`90600671 : ffffe000`38d831a0 ffffe000`391ea3c0 00000000`00000001 00000000`00000000 : ndis!NdisMSendNetBufferListsComplete+0x4de
ffffd000`ff1fafc0 ffffe000`38d831a0 : ffffe000`391ea3c0 00000000`00000001 00000000`00000000 ffffe000`3d64fd30 : NETwbw02+0x1b1671
ffffd000`ff1fafc8 ffffe000`391ea3c0 : 00000000`00000001 00000000`00000000 ffffe000`3d64fd30 fffff801`90471222 : 0xffffe000`38d831a0
ffffd000`ff1fafd0 00000000`00000001 : 00000000`00000000 ffffe000`3d64fd30 fffff801`90471222 ffffe000`3d64ff00 : 0xffffe000`391ea3c0
ffffd000`ff1fafd8 00000000`00000000 : ffffe000`3d64fd30 fffff801`90471222 ffffe000`3d64ff00 fffff801`90470c3f : 0x1


STACK_COMMAND:  kb

FOLLOWUP_IP:
vwififlt!FilterSendNetBufferListsComplete+181
fffff801`8f72be19 488b0d40920000  mov     rcx,qword ptr [vwififlt!WPP_GLOBAL_Control (fffff801`8f735060)]

SYMBOL_STACK_INDEX:  6

SYMBOL_NAME:  vwififlt!FilterSendNetBufferListsComplete+181

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: vwififlt

IMAGE_NAME:  vwififlt.sys

DEBUG_FLR_IMAGE_TIMESTAMP:  53609ba2

BUCKET_ID_FUNC_OFFSET:  181

FAILURE_BUCKET_ID:  0x139_3_vwififlt!FilterSendNetBufferListsComplete

BUCKET_ID:  0x139_3_vwififlt!FilterSendNetBufferListsComplete

Followup: MachineOwner
---------



July 21st, 2015 2:20pm
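
Added example, not part of the original thread and not Windows source code: a user-mode C sketch of the kind of linked-list consistency check that produces the `int 29h` fast fail with code 3 ("A LIST_ENTRY has been corrupted (i.e. double remove)") seen in the dump above. The struct and function names are hypothetical; the scenario removes an entry, lets the list change, then removes the same stale entry again, once with a trusting unlink and once with a checked one.

```c
#include <stddef.h>
#include <stdio.h>

/* Same shape as a Windows LIST_ENTRY: node of a circular doubly linked list.
 * Names here are illustrative, not taken from any Windows header. */
typedef struct list_entry {
    struct list_entry *flink;   /* forward link (next)      */
    struct list_entry *blink;   /* backward link (previous) */
} list_entry;

/* Fast-fail code reported as Arg1 / rcx in the dump above. */
#define FAST_FAIL_CORRUPT_LIST_ENTRY 3

static void list_init(list_entry *head) { head->flink = head->blink = head; }

static void list_insert_head(list_entry *head, list_entry *e) {
    e->flink = head->flink;
    e->blink = head;
    head->flink->blink = e;
    head->flink = e;
}

/* Trusting unlink: writes through the entry's pointers without checking
 * that the neighbours still point back at the entry. */
static void unlink_unchecked(list_entry *e) {
    e->blink->flink = e->flink;
    e->flink->blink = e->blink;
}

/* Checked unlink: refuses to write if either neighbour no longer points
 * back at the entry. A kernel would fast-fail (bug check 0x139) here;
 * this sketch returns the code instead so the result can be inspected. */
static int unlink_checked(list_entry *e) {
    list_entry *next = e->flink, *prev = e->blink;
    if (next->blink != e || prev->flink != e)
        return FAST_FAIL_CORRUPT_LIST_ENTRY;
    prev->flink = next;
    next->blink = prev;
    return 0;
}

static size_t list_count(const list_entry *head) {
    size_t n = 0;
    for (const list_entry *p = head->flink; p != head; p = p->flink)
        n++;
    return n;
}

/* Constructed scenario: build head<->A<->B, remove A, insert C, then
 * remove the stale A a second time. Returns the status of the second
 * removal and stores the number of entries reachable afterwards. */
int run_double_remove(int checked, size_t *count_out) {
    list_entry head, a, b, c;
    int status = 0;

    list_init(&head);
    list_insert_head(&head, &b);
    list_insert_head(&head, &a);          /* head <-> A <-> B */

    if (checked) {
        status = unlink_checked(&a);      /* first, legitimate removal */
        if (status != 0)
            return status;
    } else {
        unlink_unchecked(&a);
    }

    list_insert_head(&head, &c);          /* head <-> C <-> B, A is stale */

    if (checked)
        status = unlink_checked(&a);      /* second removal is detected */
    else
        unlink_unchecked(&a);             /* second removal drops C silently */

    *count_out = list_count(&head);
    return status;
}

int main(void) {
    size_t n = 0;
    int rc = run_double_remove(0, &n);
    printf("unchecked: status=%d, reachable entries=%zu (expected 2)\n", rc, n);
    rc = run_double_remove(1, &n);
    printf("checked:   status=%d, reachable entries=%zu\n", rc, n);
    return 0;
}
```

With the trusting unlink the second removal succeeds silently and entry C is no longer reachable from the list head; with the check the stale removal is refused and the list is left intact, which is why the system stops at the first inconsistent pointer instead of continuing with a damaged list.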

Many thanks for your help! I will try this and get back to you.

By "remove" do you mean I go to device manager and uninstall the driver for my Intel Dual Band Wireless-N 7260, then restart ?

July 21st, 2015 4:28pm

Yes, then either use your wired NIC to download and install the newest version, or download it from another PC and transfer the install file over via USB.
July 21st, 2015 4:38pm


Thanks - have now done this. Now I wait to see if my laptop crashes again in the next few days...
July 23rd, 2015 9:30pm

No problem, keep us updated. If it crashes again be sure to load up the most recent dump and link it here.
July 24th, 2015 7:59am

I have had no more blue screens, but unfortunately my computer still shuts down unexpectedly (and immediately without warning). In fact it has been doing so more regularly today.

When it does so it writes nothing new to MEMORY.DMP, and nothing to the .DMP files in %systemroot%\Minidump

Is there any way of me analysing what is happening ?

Thanks again for your time.

July 27th, 2015 11:10pm

It's good that we at least fixed one issue. Let's run SFC /SCANNOW and DISM.

Instructions for both can be found here.

July 28th, 2015 8:03am

I started with sfc /verifyonly. It found "integrity violations".
I put the logs in https://onedrive.live.com/?id=24E988762E9C6F1%21105&cid=024E988762E9C6F1&group=0

Should I sfc /scannow to try to repair, or does anyone want to look at those logs first ?

Again I can't thank you enough for your time and help.

July 28th, 2015 12:35pm

Run it with a repair, see if it fixes those integrity violations. If you follow the steps I linked you should be in good shape.
July 28th, 2015 1:04pm

Windows resource protection found corrupt files but was unable to fix some of them. Details in CBS.log in https://onedrive.live.com/?id=24E988762E9C6F1%21105&cid=024E988762E9C6F1&group=0

DISM: the component store corruption was repaired.

SFC then confirmed no more corrupt files.

Wow, thanks! -- will report back in a few days on whether my computer has stopped crashing.
July 28th, 2015 1:56pm

Perfect! Exactly what I was hoping for! Let us know if you continue to have any issues.
July 28th, 2015 2:02pm

Unfortunately my laptop is still shutting down without warning. (Perhaps slightly less often than before, not sure.) It then starts up just fine, but whatever I was doing is lost.

I ran sfc /scannow afterwards, but no violations.

Is there anything else I can do to analyse what might be causing this ? Thanks.

July 30th, 2015 1:50pm

Upload your event viewer logs. Instructions can be found here.
July 30th, 2015 2:07pm

Here in logs.evtx https://onedrive.live.com/?id=24E988762E9C6F1%21105&cid=024E988762E9C6F1&group=0 

Update: my laptop *just* crashed again so I saved the event viewer logs again; this time in Errors.evtx

thanks!

July 30th, 2015 4:23pm

You are continually getting Event ID 41 errors, regarding a missing something from the Kernel. Here's a screenshot of your error.

Unfortunately, that doesn't give us much info. From what you describe it almost seems like an overheating issue, or possibly (but less likely) a RAM issue. Do you have or know of any way to keep an eye on your temp? Are the crashes happening completely randomly, or when you are using the laptop? Does it only crash when you're doing CPU intensive activities? Or does it crash just browsing the web?

In the meantime I'd like to run memtest to verify the integrity of your RAM, and I'd also like to run driver verifier just in case there is something we are missing there.

Instructions for memtest can be found here and instructions for driver verifier can be found here.

July 31st, 2015 8:19am

Again thanks for all your help.

I am struggling with MEMTEST. I have made the bootable USB with memtest on it, but cannot seem to boot with it.

If I press anything like F11 or Vaio's "assist" button during bootup, I get a "DRIVER_VERIFIER_IOMANAGER_VIOLATION" (with no displayed parameter).

If instead I go into Windows 8.1's "advanced startup options" and select "start up from a device or disk" that then restarts and gives me options; I choose boot from USB and it just seems to boot windows normally, ignoring my MEMTEST USB.

Sorry about this; what do you recommend ?

August 2nd, 2015 4:46pm

Update: I didn't answer your question about temperature. The laptop seems to me to fail at random times; sometimes even when completely idle. But it does get hot, and sometimes when it idles the fan races, so maybe some rogue process is flogging the CPU, I don't know.

August 2nd, 2015 8:44pm

rpwt12,

It sounds like your USB drive isn't bootable. Are you sure you formatted it to be able to boot from it?

August 5th, 2015 8:13am

I did. Anyway my laptop suddenly got so unstable that I was unable to do anything -- within 10 minutes it always crashed.

So I just did a full recovery and now it is stable again. All very odd. Thanks again for your help.

August 6th, 2015 12:18pm

Not a problem, glad you're stable now.
August 6th, 2015 2:24pm
