Recurring BSOD 0x139 KERNEL_SECURITY_CHECK_FAILURE in NETIO.SYS (bugcheck analyses inside)

6008
bwDraco

Problem description

  • I have been getting intermittent 0x139 KERNEL_SECURITY_CHECK_FAILURE blue screens with first parameter 0x3 on my Windows 8.1 laptop, once every 20 minutes to an hour. These crashes occur in NETIO.SYS, in either the NsiEnumerateObjectsAllParametersEx or the NsiGetParameterEx function.

  • The system appears to work properly in Safe Mode with Networking.

  • I have more crash dumps available for download here, as well as a full memory dump from one crash kept internally for further analysis.

Analysis 1: NsiEnumerateObjectsAllParametersEx minidump

************* Symbol Path validation summary **************
Response Time (ms) Location
Deferred SRV*E:\sysdebug\debug-symbols*http://msdl.microsoft.com/download/symbols
Symbol search path is: SRV*E:\sysdebug\debug-symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows 8 Kernel Version 9600 MP (8 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 9600.17476.amd64fre.winblue_r5.141029-1500
Machine Name:
Kernel base = 0xfffff802`44e1f000 PsLoadedModuleList = 0xfffff802`450f8250
Debug session time: Fri Jan 2 16:52:43.919 2015 (UTC - 5:00)
System Uptime: 0 days 0:25:05.631
Loading Kernel Symbols
.

Press ctrl-c (cdb, kd, ntsd) or ctrl-break (windbg) to abort symbol loads that take too long.
Run !sym noisy before .reload to track down problems loading symbols.

..............................................................
................................................................
...........................................................
Loading User Symbols
Loading unloaded module list
.............
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 139,

Probably caused by : NETIO.SYS ( NETIO!NsiEnumerateObjectsAllParametersEx+20d )

Followup: MachineOwner
---------

1: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

KERNEL_SECURITY_CHECK_FAILURE (139)
A kernel component has corrupted a critical data structure. The corruption
could potentially allow a malicious user to gain control of this machine.
Arguments:
Arg1: 0000000000000003, A LIST_ENTRY has been corrupted (i.e. double remove).
Arg2: ffffd000d8d4f1b0, Address of the trap frame for the exception that caused the bugcheck
Arg3: ffffd000d8d4f108, Address of the exception record for the exception that caused the bugcheck
Arg4: 0000000000000000, Reserved

Debugging Details:
------------------

DUMP_FILE_ATTRIBUTES: 0xc
Insufficient Dumpfile Size
Kernel Generated Triage Dump

TRAP_FRAME: ffffd000d8d4f1b0 -- (.trap 0xffffd000d8d4f1b0)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=ffffe0019759fef0 rbx=0000000000000000 rcx=0000000000000003
rdx=ffffe00194b53ef0 rsi=0000000000000000 rdi=0000000000000000
rip=fffff80110e5f30d rsp=ffffd000d8d4f340 rbp=ffffe00194b5ea20
r8=0000000000000000 r9=0000000000000002 r10=ffffe0019635db50
r11=ffffe00192d21fbc r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei pl nz na po nc
ndis!ndisNsiEnumerateAllInterfaceInformation+0x25c0d:
fffff801`10e5f30d cd29 int 29h
Resetting default scope

EXCEPTION_RECORD: ffffd000d8d4f108 -- (.exr 0xffffd000d8d4f108)
ExceptionAddress: fffff80110e5f30d (ndis!ndisNsiEnumerateAllInterfaceInformation+0x0000000000025c0d)
ExceptionCode: c0000409 (Security check failure or stack buffer overrun)
ExceptionFlags: 00000001
NumberParameters: 1
Parameter[0]: 0000000000000003

CUSTOMER_CRASH_COUNT: 1

DEFAULT_BUCKET_ID: LIST_ENTRY_CORRUPT

BUGCHECK_STR: 0x139

PROCESS_NAME: svchost.exe

CURRENT_IRQL: 2

ERROR_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.

EXCEPTION_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.

EXCEPTION_PARAMETER1: 0000000000000003

ANALYSIS_VERSION: 6.3.9600.17298 (debuggers(dbg).141024-1500) amd64fre

LAST_CONTROL_TRANSFER: from fffff80244f7b5e9 to fffff80244f6faa0

STACK_TEXT:
ffffd000`d8d4ee88 fffff802`44f7b5e9 : 00000000`00000139 00000000`00000003 ffffd000`d8d4f1b0 ffffd000`d8d4f108 : nt!KeBugCheckEx
ffffd000`d8d4ee90 fffff802`44f7b910 : ffff6bcf`07601f7c ffffd000`d8d4f278 ffffc001`d1bcd060 ffffe001`92d1c698 : nt!KiBugCheckDispatch+0x69
ffffd000`d8d4efd0 fffff802`44f7ab34 : 00000000`00000000 ffffe001`99965501 ffffd000`d8d4f3d4 00000000`00000000 : nt!KiFastFailDispatch+0xd0
ffffd000`d8d4f1b0 fffff801`10e5f30d : 00000000`ffffe001 00000000`00000000 ffffe001`94b5ea20 ffffe001`94b5eef0 : nt!KiRaiseSecurityCheckFailure+0xf4
ffffd000`d8d4f340 fffff801`10f4e308 : ffffd000`d8d4f580 00000000`00000000 ffffe001`92d1c002 00000000`00000008 : ndis!ndisNsiEnumerateAllInterfaceInformation+0x25c0d
ffffd000`d8d4f460 fffff801`11664fc1 : ffffe001`92d1c000 00000000`00000070 00000065`7450f270 ffffd000`d8d4f668 : NETIO!NsiEnumerateObjectsAllParametersEx+0x20d
ffffd000`d8d4f650 fffff801`11664bea : 00000000`00000000 ffffe001`99a432a0 ffffe001`99a431d0 00000000`00000000 : nsiproxy!NsippEnumerateObjectsAllParameters+0x201
ffffd000`d8d4f840 fffff802`452001ef : 00000000`00000000 ffffe001`99a431d0 ffffe001`99a431d0 00000000`00000001 : nsiproxy!NsippDispatch+0x5a
ffffd000`d8d4f880 fffff802`451ff78e : ffffd000`d8d4fa38 00000000`00000000 00000000`00000000 00000000`00000000 : nt!IopXxxControlFile+0xa4f
ffffd000`d8d4fa20 fffff802`44f7b2b3 : ffffe001`999a4080 fffff6fb`001f0003 00000065`7450f0e8 fffff680`00000001 : nt!NtDeviceIoControlFile+0x56
ffffd000`d8d4fa90 00007ffe`07350cba : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13
00000065`7450f168 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x00007ffe`07350cba

STACK_COMMAND: kb

FOLLOWUP_IP:
NETIO!NsiEnumerateObjectsAllParametersEx+20d
fffff801`10f4e308 8bd8 mov ebx,eax

SYMBOL_STACK_INDEX: 5

SYMBOL_NAME: NETIO!NsiEnumerateObjectsAllParametersEx+20d

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: NETIO

IMAGE_NAME: NETIO.SYS

DEBUG_FLR_IMAGE_TIMESTAMP: 546029c5

IMAGE_VERSION: 6.3.9600.17485

BUCKET_ID_FUNC_OFFSET: 20d

FAILURE_BUCKET_ID: 0x139_3_NETIO!NsiEnumerateObjectsAllParametersEx

BUCKET_ID: 0x139_3_NETIO!NsiEnumerateObjectsAllParametersEx

ANALYSIS_SOURCE: KM

FAILURE_ID_HASH_STRING: km:0x139_3_netio!nsienumerateobjectsallparametersex

FAILURE_ID_HASH:

Followup: MachineOwner
---------

Output from WhoCrashed Professional

Crash dump file: E:\sysdebug\dumps\010215-8234-01.dmp
Date/time: 1/2/2015 4:20:01 PM GMT
Uptime: 00:20:35
Machine: DRAGON
Bug check name: KERNEL_SECURITY_CHECK_FAILURE
Bug check code: 0x139
Bug check parm 1: 0x3
Bug check parm 2: 0xFFFFD0002E50A1B0
Bug check parm 3: 0xFFFFD0002E50A108
Bug check parm 4: 0x0
Probably caused by: ndis.sys
Driver description: Network Driver Interface Specification (NDIS)
Driver product: Microsoft® Windows® Operating System
Driver company: Microsoft Corporation
OS build: Built by: 9600.17476.amd64fre.winblue_r5.141029-1500
Architecture: x64 (64 bit)
CPU count: 8
Page size: 4096

Bug check description:
The kernel has detected the corruption of a critical data structure.

Comments:
The crash took place in a standard Microsoft module. Your system configuration may be incorrect. Possibly this problem is caused by another driver on your system that cannot be identified at this time.

Analysis 2: NsiGetParameterEx full memory dump

************* Symbol Path validation summary **************
Response Time (ms) Location
Deferred SRV*E:\sysdebug\debug-symbols*http://msdl.microsoft.com/download/symbols

Loading Dump File [E:\sysdebug\MEMORY.DMP]
Kernel Bitmap Dump File: Full address space is available

************* Symbol Path validation summary **************
Response Time (ms) Location
Deferred SRV*E:\sysdebug\debug-symbols*http://msdl.microsoft.com/download/symbols
Symbol search path is: SRV*E:\sysdebug\debug-symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows 8 Kernel Version 9600 MP (8 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 9600.17476.amd64fre.winblue_r5.141029-1500
Machine Name:
Kernel base = 0xfffff801`dde72000 PsLoadedModuleList = 0xfffff801`de14b250
Debug session time: Fri Jan 2 17:17:38.437 2015 (UTC - 5:00)
System Uptime: 0 days 0:22:01.150
Loading Kernel Symbols
...............................................................
................................................................
...........................................................
Loading User Symbols
................................................................
...................................
Loading unloaded module list
..............................
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 139,

Probably caused by : NETIO.SYS ( NETIO!NsiGetParameterEx+222 )

Followup: MachineOwner
---------

0: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

KERNEL_SECURITY_CHECK_FAILURE (139)
A kernel component has corrupted a critical data structure. The corruption
could potentially allow a malicious user to gain control of this machine.
Arguments:
Arg1: 0000000000000003, A LIST_ENTRY has been corrupted (i.e. double remove).
Arg2: ffffd001cb3d0310, Address of the trap frame for the exception that caused the bugcheck
Arg3: ffffd001cb3d0268, Address of the exception record for the exception that caused the bugcheck
Arg4: 0000000000000000, Reserved

Debugging Details:
------------------

TRAP_FRAME: ffffd001cb3d0310 -- (.trap 0xffffd001cb3d0310)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=ffffe00059100980 rbx=0000000000000000 rcx=0000000000000003
rdx=ffffe00055dbbef0 rsi=0000000000000000 rdi=0000000000000000
rip=fffff80084085a29 rsp=ffffd001cb3d04a0 rbp=0000000000000000
r8=0000000000000000 r9=0000000000000002 r10=ffffe000587d9040
r11=ffffe000591004b0 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei pl nz na pe nc
ndis!ndisNsiGetInterfaceInformation+0x22b49:
fffff800`84085a29 cd29 int 29h
Resetting default scope

EXCEPTION_RECORD: ffffd001cb3d0268 -- (.exr 0xffffd001cb3d0268)
ExceptionAddress: fffff80084085a29 (ndis!ndisNsiGetInterfaceInformation+0x0000000000022b49)
ExceptionCode: c0000409 (Security check failure or stack buffer overrun)
ExceptionFlags: 00000001
NumberParameters: 1
Parameter[0]: 0000000000000003

DEFAULT_BUCKET_ID: LIST_ENTRY_CORRUPT

BUGCHECK_STR: 0x139

PROCESS_NAME: svchost.exe

CURRENT_IRQL: 2

ERROR_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.

EXCEPTION_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.

EXCEPTION_PARAMETER1: 0000000000000003

ANALYSIS_VERSION: 6.3.9600.17298 (debuggers(dbg).141024-1500) amd64fre

LAST_CONTROL_TRANSFER: from fffff801ddfce5e9 to fffff801ddfc2aa0

STACK_TEXT:
ffffd001`cb3cffe8 fffff801`ddfce5e9 : 00000000`00000139 00000000`00000003 ffffd001`cb3d0310 ffffd001`cb3d0268 : nt!KeBugCheckEx
ffffd001`cb3cfff0 fffff801`ddfce910 : 00000000`00000000 ffffd001`00000001 ffffd001`cb3d01d8 00000000`00000000 : nt!KiBugCheckDispatch+0x69
ffffd001`cb3d0130 fffff801`ddfcdb34 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiFastFailDispatch+0xd0
ffffd001`cb3d0310 fffff800`84085a29 : 00000000`fffff801 00000000`00000000 ffffd001`cb3d0610 00000000`00000004 : nt!KiRaiseSecurityCheckFailure+0xf4
ffffd001`cb3d04a0 fffff800`8417b572 : ffffd001`cb3d0610 ffffe000`5d2f1602 ffffe000`5d2f1700 00000000`00000000 : ndis!ndisNsiGetInterfaceInformation+0x22b49
ffffd001`cb3d0550 fffff800`851cda25 : 00000000`00000050 00000000`00000050 ffffe000`55dc2010 00000000`00000000 : NETIO!NsiGetParameterEx+0x222
ffffd001`cb3d06b0 fffff800`851cdbe3 : 00000000`00000000 ffffe000`54a3c6b0 ffffe000`54a3c5e0 00000000`00000000 : nsiproxy!NsippGetParameter+0x195
ffffd001`cb3d0840 fffff801`de2531ef : 00000000`00000000 ffffe000`54a3c5e0 ffffe000`54a3c5e0 00000000`00000001 : nsiproxy!NsippDispatch+0x53
ffffd001`cb3d0880 fffff801`de25278e : ffffd001`cb3d0a38 00007fff`00000000 00000000`00000000 00000000`00000000 : nt!IopXxxControlFile+0xa4f
ffffd001`cb3d0a20 fffff801`ddfce2b3 : ffffe000`5a9ba080 000000d2`001f0003 000000d2`37e5ea98 fffff801`00000001 : nt!NtDeviceIoControlFile+0x56
ffffd001`cb3d0a90 00007fff`3ef90cba : 00007fff`3eef15f5 00000000`00000004 000000d2`37e5eba1 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13
000000d2`37e5eb18 00007fff`3eef15f5 : 00000000`00000004 000000d2`37e5eba1 00000000`00000000 00000000`00000000 : ntdll!NtDeviceIoControlFile+0xa
000000d2`37e5eb20 00007fff`3b245e0a : 00000000`00000001 000000d2`39ca0990 00000000`00000000 00000000`00000000 : NSI!NsiGetParameter+0xf5
000000d2`37e5ebe0 00007fff`3b245b86 : 00000000`00000001 00007fff`00000000 00000000`00000000 000000d2`37e5ecb0 : DNSAPI!IsInterfaceConnected+0x4e
000000d2`37e5ec40 00007fff`3b2464bf : 00000000`00000000 000000d2`00000007 00000000`00000000 000000d2`39c307f0 : DNSAPI!DnsUpdateMachinePresence+0x106
000000d2`37e5ed10 00007fff`3b24613d : 000000d2`3742eb50 000000d2`37e5f9a0 00000000`00000000 00000000`00000000 : DNSAPI!Query_InProcess+0xf9
000000d2`37e5ed40 00007fff`3b245fcc : 00000000`00000000 000000d2`37e5ee90 000000d2`39c307f0 000000d2`37e5fa18 : DNSAPI!InProc_InitiateQuery+0x15c
000000d2`37e5ed90 00007fff`3b243c3d : 00000000`00000000 00000008`00000002 00000000`00000000 00000000`00000001 : DNSAPI!Query_PrivateExW+0x961
000000d2`37e5f940 00007fff`3b244389 : 00003195`00000001 00001000`00440668 00000000`000000ff 000000d2`39c307f0 : DNSAPI!Query_Shim+0xd5
000000d2`37e5fa10 00007fff`34facfc4 : 00000000`00000010 000000d2`37e5f968 00000000`00000000 00000000`00010004 : DNSAPI!DnsQuery_W+0x39
000000d2`37e5fa60 00007fff`34fad037 : 000000d2`39c01f50 00000000`00000000 00000000`80000000 00000000`00000000 : dnsrslvr!Mcast_VerifyName+0x70
000000d2`37e5fab0 00007fff`34fad22e : 00000000`00000000 00007fff`34facf1e 00000000`00000000 00007fff`3c46158a : dnsrslvr!Mcast_VerifyEx+0x102
000000d2`37e5fd30 00007fff`34fad17b : 00000000`ffffffff 00000000`00000000 00000000`00000001 00000000`00000001 : dnsrslvr!Mcast_Verify+0x8e
000000d2`37e5fd80 00007fff`3edb13d2 : 00007fff`34faccc0 00000000`00000000 00000000`00000000 00000000`00000000 : dnsrslvr!Mcast_Thread+0x186
000000d2`37e5fdf0 00007fff`3ef703c4 : 00007fff`3edb13b0 00000000`00000000 00000000`00000000 00000000`00000000 : KERNEL32!BaseThreadInitThunk+0x22
000000d2`37e5fe20 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x34

STACK_COMMAND: kb

FOLLOWUP_IP:
NETIO!NsiGetParameterEx+222
fffff800`8417b572 8bd8 mov ebx,eax

SYMBOL_STACK_INDEX: 5

SYMBOL_NAME: NETIO!NsiGetParameterEx+222

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: NETIO

IMAGE_NAME: NETIO.SYS

DEBUG_FLR_IMAGE_TIMESTAMP: 546029c5

BUCKET_ID_FUNC_OFFSET: 222

FAILURE_BUCKET_ID: 0x139_3_NETIO!NsiGetParameterEx

BUCKET_ID: 0x139_3_NETIO!NsiGetParameterEx

ANALYSIS_SOURCE: KM

FAILURE_ID_HASH_STRING: km:0x139_3_netio!nsigetparameterex

FAILURE_ID_HASH:

Followup: MachineOwner
---------

Output from WhoCrashed Professional

Crash dump file: E:\sysdebug\dumps\MEMORY.DMP
Date/time: 1/2/2015 10:17:38 PM GMT
Uptime: 00:22:01
Machine: DRAGON
Bug check name: KERNEL_SECURITY_CHECK_FAILURE
Bug check code: 0x139
Bug check parm 1: 0x3
Bug check parm 2: 0xFFFFD001CB3D0310
Bug check parm 3: 0xFFFFD001CB3D0268
Bug check parm 4: 0x0
Probably caused by: ntdll.sys
Driver description:
Driver product:
Driver company:
OS build: Built by: 9600.17476.amd64fre.winblue_r5.141029-1500
Architecture: x64 (64 bit)
CPU count: 8
Page size: 4096

Bug check description:
The kernel has detected the corruption of a critical data structure.

Comments:
A third party driver was identified as the probable root cause of this system error. It is suggested you look for an update for the following driver: ntdll.sys .
5
Your Realtek LAN driver Rt630x64.sys is old (from 2013). Update it and also remove Norton Security, then check whether crashes still occur. magicandre1981 9 years ago 0
Already tried removing Norton Security. bwDraco 9 years ago 0
Have you tried a newer driver? magicandre1981 9 years ago 0
I have not updated the LAN driver. The WLAN driver has been updated several times without success. bwDraco 9 years ago 0
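
Both analyses in the question report Arg1 = 3 ("A LIST_ENTRY has been corrupted (i.e. double remove)"), raised through `int 29h` with rcx = 3. The following is an added example, not part of the original posts and not Windows source code: a user-mode C model of a checked doubly linked list unlink, showing why a second removal of the same entry, or a stray write into its links, is caught before the list is modified. The type and function names are illustrative assumptions; `FAST_FAIL_CORRUPT_LIST_ENTRY` is the fast-fail code 3 defined in the Windows headers.

```c
/* Added example: user-mode model of a checked list unlink, the kind of check
   that ends in bug check 0x139 with Arg1 = 3. Names are illustrative and this
   is not Windows kernel source. */
#include <stdio.h>

#define FAST_FAIL_CORRUPT_LIST_ENTRY 3 /* fast-fail code seen as Arg1 and rcx */

typedef struct list_entry {
    struct list_entry *flink; /* forward link */
    struct list_entry *blink; /* backward link */
} list_entry;

static void list_init(list_entry *head) { head->flink = head->blink = head; }

static void list_insert_tail(list_entry *head, list_entry *e) {
    e->flink = head;
    e->blink = head->blink;
    head->blink->flink = e;
    head->blink = e;
}

/* Unlink e only if both neighbours still point back at it. Returns 0 on
   success, or the code with which the kernel would fail fast (int 29h). */
static int checked_remove(list_entry *e) {
    list_entry *next = e->flink, *prev = e->blink;
    if (next->blink != e || prev->flink != e)
        return FAST_FAIL_CORRUPT_LIST_ENTRY;
    prev->flink = next;
    next->blink = prev;
    return 0; /* e keeps its stale links, which is what a later re-remove sees */
}

/* Builds head <-> a <-> b; second_remove selects a double unlink of a,
   stray_write selects a simulated wild write into a's forward link. */
static int scenario(int second_remove, int stray_write) {
    list_entry head, a, b, stray;
    list_init(&head);
    list_init(&stray);
    list_insert_tail(&head, &a);
    list_insert_tail(&head, &b);
    if (stray_write)
        a.flink = &stray;
    int rc = checked_remove(&a);
    if (rc == 0 && second_remove)
        rc = checked_remove(&a); /* a.flink is b, but b.blink is now head */
    return rc;
}

int main(void) {
    printf("single remove: %d\n", scenario(0, 0));
    printf("double remove: %d\n", scenario(1, 0));
    printf("stray write:   %d\n", scenario(0, 1));
    return 0;
}
```

The check reports where the inconsistency was noticed, not which code caused it, which matches the dumps above: the fail-fast fires in an ndis routine while the follow-up frame is in NETIO.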

2 answers to the question

3
magicandre1981

Looks like this is a bug in Windows 8.1 / 2012 R2. Microsoft has fixed this issue with hotfix KB3055343.

Click the "Hotfix Download Available" link, enter your email address, request the fix by email, and install it to fix the problem.

I seem to have the same problem, identical dmp trace. Iris Classon 9 years ago 0
@IrisClasson Hi Iris. Copy the file "Memory.dmp" from "C:\Windows" to your desktop, zip the dmp file, upload the ZIP file to OneDrive and write an email to the blog author (click on "Reach" at the end of the blog) that contains the link to the dump. Maybe this helps Microsoft fix the problem. magicandre1981 9 years ago 0
@IrisClasson Microsoft has released a hotfix to fix the problem. I have provided the steps for requesting the hotfix by email. magicandre1981 8 years ago 0
0
bwDraco

A repair install (in-place upgrade to the same version) fixed the problem. I have had no further crashes since then, although extensive work was needed to bring the system back up to date.

I was never able to determine the exact cause of the crashes.