*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
KERNEL_SECURITY_CHECK_FAILURE (139)
A kernel component has corrupted a critical data structure. The corruption
could potentially allow a malicious user to gain control of this machine.
Arguments:
Arg1: 0000000000000003, A LIST_ENTRY has been corrupted (i.e. double remove).
Arg2: fffffb876b466570, Address of the trap frame for the exception that caused the BugCheck
Arg3: fffffb876b4664c8, Address of the exception record for the exception that caused the BugCheck
Arg4: 0000000000000000, Reserved
Debugging Details:
------------------
KEY_VALUES_STRING: 1
Key : Analysis.CPU.mSec
Value: 15
Key : Analysis.DebugAnalysisManager
Value: Create
Key : Analysis.Elapsed.mSec
Value: 3063
Key : Analysis.IO.Other.Mb
Value: 0
Key : Analysis.IO.Read.Mb
Value: 0
Key : Analysis.IO.Write.Mb
Value: 0
Key : Analysis.Init.CPU.mSec
Value: 31
Key : Analysis.Init.Elapsed.mSec
Value: 12849
Key : Analysis.Memory.CommitPeak.Mb
Value: 104
Key : Bugcheck.Code.DumpHeader
Value: 0x139
Key : Bugcheck.Code.Register
Value: 0x139
Key : Dump.Attributes.AsUlong
Value: 1008
Key : Dump.Attributes.DiagDataWrittenToHeader
Value: 1
Key : Dump.Attributes.ErrorCode
Value: 0
Key : Dump.Attributes.KernelGeneratedTriageDump
Value: 1
Key : Dump.Attributes.LastLine
Value: Dump completed successfully.
Key : Dump.Attributes.ProgressPercentage
Value: 0
Key : FailFast.Name
Value: CORRUPT_LIST_ENTRY
Key : FailFast.Type
Value: 3
FILE_IN_CAB: Glasswire.dmp
DUMP_FILE_ATTRIBUTES: 0x1008
Kernel Generated Triage Dump
BUGCHECK_CODE: 139
BUGCHECK_P1: 3
BUGCHECK_P2: fffffb876b466570
BUGCHECK_P3: fffffb876b4664c8
BUGCHECK_P4: 0
TRAP_FRAME: fffffb876b466570 -- (.trap 0xfffffb876b466570)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=ffffaf0acf9b7120 rbx=0000000000000000 rcx=0000000000000003
rdx=fffffb87678b7130 rsi=0000000000000000 rdi=0000000000000000
rip=fffff8064d161bfe rsp=fffffb876b466700 rbp=ffffaf0acf902e40
r8=0000000000000001 r9=0000000000000000 r10=ffffaf0acf902e10
r11=ffff7478d0800000 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei pl nz na pe nc
gwdrv+0x1bfe:
fffff806`4d161bfe ?? ???
Resetting default scope
EXCEPTION_RECORD: fffffb876b4664c8 -- (.exr 0xfffffb876b4664c8)
ExceptionAddress: fffff8064d161bfe (gwdrv+0x0000000000001bfe)
ExceptionCode: c0000409 (Security check failure or stack buffer overrun)
ExceptionFlags: 00000001
NumberParameters: 1
Parameter[0]: 0000000000000003
Subcode: 0x3 FAST_FAIL_CORRUPT_LIST_ENTRY
BLACKBOXBSD: 1 (!blackboxbsd)
BLACKBOXNTFS: 1 (!blackboxntfs)
BLACKBOXPNP: 1 (!blackboxpnp)
BLACKBOXWINLOGON: 1
PROCESS_NAME: GWCtlSrv.exe
ERROR_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.
EXCEPTION_CODE_STR: c0000409
EXCEPTION_PARAMETER1: 0000000000000003
EXCEPTION_STR: 0xc0000409
STACK_TEXT:
fffffb87`6b466248 fffff806`16240fa9 : 00000000`00000139 00000000`00000003 fffffb87`6b466570 fffffb87`6b4664c8 : nt!KeBugCheckEx
fffffb87`6b466250 fffff806`16241532 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiBugCheckDispatch+0x69
fffffb87`6b466390 fffff806`1623f306 : 00000000`00000000 00000000`00000000 ffffaf0a`e82f5e10 00000000`00000014 : nt!KiFastFailDispatch+0xb2
fffffb87`6b466570 fffff806`4d161bfe : ffffaf0a`d9795540 ffffaf0a`d9795540 00000000`00000240 fffff806`1689e1b0 : nt!KiRaiseSecurityCheckFailure+0x346
fffffb87`6b466700 ffffaf0a`d9795540 : ffffaf0a`d9795540 00000000`00000240 fffff806`1689e1b0 fffffb87`6724f020 : gwdrv+0x1bfe
fffffb87`6b466708 ffffaf0a`d9795540 : 00000000`00000240 fffff806`1689e1b0 fffffb87`6724f020 ffffaf0a`cf902e10 : 0xffffaf0a`d9795540
fffffb87`6b466710 00000000`00000240 : fffff806`1689e1b0 fffffb87`6724f020 ffffaf0a`cf902e10 ffffaf0a`49576f00 : 0xffffaf0a`d9795540
fffffb87`6b466718 fffff806`1689e1b0 : fffffb87`6724f020 ffffaf0a`cf902e10 ffffaf0a`49576f00 00000000`00000001 : 0x240
fffffb87`6b466720 fffff806`1c3538ed : ffffaf0a`d500ff00 ffffaf0a`d0c9a010 00000000`0000012a ffffaf0a`d0c9a1b8 : nt!ExFreePoolWithTag+0x1a0
fffffb87`6b4667b0 fffff806`1c35344e : ffffaf0a`cf9b70a0 ffffaf0a`e5bc7d08 ffffaf0a`dddfa110 fffff806`1c44afc9 : NETIO!WfpNotifyFlowContextDelete+0x171
fffffb87`6b4667f0 fffff806`1c48272f : 00000000`0000ff00 ffffaf0a`dddfa110 ffffaf0a`e5bc7cc0 fffffb87`6b466950 : NETIO!KfdAleNotifyFlowDeletion+0x1ae
fffffb87`6b466850 fffff806`1c4824bd : ffffaf0a`e7ae39a0 ffffaf0a`e7ae3c60 ffffaf0a`e7ae39a0 00000000`00000000 : tcpip!TcpCleanupTcbWorkQueueRoutine+0x15f
fffffb87`6b4669c0 fffff806`1c482255 : fffffb87`6b466bf0 fffffb87`6b466bf0 00000000`00000000 00000000`00000000 : tcpip!TcpCloseTcb+0x24d
fffffb87`6b466ae0 fffff806`1604023a : 00000000`00000000 ffffaf0a`e80761c0 fffff806`00000000 00000000`00000009 : tcpip!TcpTlConnectionCloseEndpointCalloutRoutine+0x15
fffffb87`6b466b10 fffff806`160401ad : fffff806`1c482240 fffffb87`6b466bf0 ffffaf0a`d51da0d0 fffff806`160d5b2c : nt!KeExpandKernelStackAndCalloutInternal+0x7a
fffffb87`6b466b80 fffff806`1c4bf663 : 00000000`00000000 ffffaf0a`eee505b0 00000000`00000000 00000000`00000000 : nt!KeExpandKernelStackAndCalloutEx+0x1d
fffffb87`6b466bc0 fffff806`4d08f15f : ffffaf0a`d65ed1a0 00000000`00000436 ffffaf0a`e61bc2c0 ffffaf0a`eb257f38 : tcpip!TcpTlConnectionCloseEndpoint+0x73
fffffb87`6b466c30 fffff806`4d0e41b5 : ffffaf0a`eee50580 ffffe48d`c1321b00 ffffaf0a`e61bc2c0 ffffaf0a`e80761c0 : afd!AfdCloseConnection+0x8f
fffffb87`6b466c70 fffff806`4d0e40f9 : ffffaf0a`eee50580 fffff806`4d08b10f ffffaf0a`f4f0b7e0 ffffaf0a`eee50580 : afd!AfdCloseCore+0xa9
fffffb87`6b466cb0 fffff806`4d08b0f5 : ffffaf0a`f4f0b7e0 ffffe48d`c1321b40 00000000`00000004 fffff806`1603be87 : afd!AfdClose+0x39
fffffb87`6b466ce0 fffff806`1603c275 : ffffaf0a`f4f0b7e0 00000000`00000000 ffffaf0a`e61bc2c0 fffff806`164ac7de : afd!AfdDispatch+0x75
fffffb87`6b466d20 fffff806`164aca2c : ffffaf0a`f4f0b7e0 ffffe48d`c1321b40 00000000`00000000 ffffaf0a`e61bc2c0 : nt!IofCallDriver+0x55
fffffb87`6b466d60 fffff806`164a73ae : ffffaf0a`cf1f5bc0 ffffaf0a`dcc7c0c0 ffffaf0a`f4f0b7b0 ffffe48d`c1321b40 : nt!IopDeleteFile+0x13c
fffffb87`6b466de0 fffff806`1603bd33 : 00000000`00000000 00000000`00000000 ffffe48d`c1321b40 ffffaf0a`f4f0b7e0 : nt!ObpRemoveObjectRoutine+0x7e
fffffb87`6b466e40 fffff806`164973cd : 00000000`ffff81c4 00000000`00000001 00000000`00007e3c 00000000`00000000 : nt!ObfDereferenceObjectWithTag+0xc3
fffffb87`6b466e80 fffff806`16497238 : 00000000`000000a0 fffff806`1689e1b0 ffffe48d`c5ab94d0 00000000`0000000b : nt!ObCloseHandleTableEntry+0x109
fffffb87`6b466f40 fffff806`164d1555 : 00000000`00000000 00000000`00000001 ffffffff`ffffff01 ffffaf0a`dcc7c0c0 : nt!ExSweepHandleTable+0xd8
fffffb87`6b466ff0 fffff806`165a8265 : ffffffff`ffffffff ffffaf0a`dcc7c0c0 ffffffff`ffffffff fffff806`1648b150 : nt!ObKillProcess+0x35
fffffb87`6b467020 fffff806`164965b4 : ffffaf0a`dcc7c0c0 ffffe48d`c17cb630 fffffb87`6b467249 00000000`00000000 : nt!PspRundownSingleProcess+0xb9
fffffb87`6b4670b0 fffff806`165e96e8 : 00000000`000000ff fffffb87`6b467201 ffffaf0a`da5f50f4 00000000`0025c000 : nt!PspExitThread+0x63c
fffffb87`6b4671b0 fffff806`1600d497 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSchedulerApcTerminate+0x38
fffffb87`6b4671f0 fffff806`16231a90 : 00000000`00000001 fffffb87`6b4672b0 00000000`00000000 00000000`00000000 : nt!KiDeliverApc+0x4a7
fffffb87`6b4672b0 fffff806`1624078f : ffffaf0a`da5f5000 ffffaf0a`da5f5080 00000000`08c5f0e8 00000000`00000000 : nt!KiInitiateUserApc+0x70
fffffb87`6b4673f0 00000000`77871cf3 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceExit+0x9f
00000000`08c5f0c8 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x77871cf3
SYMBOL_NAME: gwdrv+1bfe
MODULE_NAME: gwdrv
IMAGE_NAME: gwdrv.sys
STACK_COMMAND: .cxr; .ecxr ; kb
BUCKET_ID_FUNC_OFFSET: 1bfe
FAILURE_BUCKET_ID: 0x139_3_CORRUPT_LIST_ENTRY_gwdrv!unknown_function
OSPLATFORM_TYPE: x64
OSNAME: Windows 10
FAILURE_ID_HASH: {2387f190-e233-2f40-274b-63fe920aa794}
Followup: MachineOwner