Glasswire 2.2.304 gwdrv + National Instruments mDNS causing BSOD


Microsoft (R) Windows Debugger Version 10.0.21349.1004 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [C:\Windows\MEMORY.DMP]
Kernel Bitmap Dump File: Kernel address space is available, User address space may not be available.

Symbol search path is: srv*
Executable search path is: 
Windows 10 Kernel Version 19041 MP (16 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Edition build lab: 19041.1.amd64fre.vb_release.191206-1406
Machine Name:
Kernel base = 0xfffff800`1bc00000 PsLoadedModuleList = 0xfffff800`1c82a1b0
Debug session time: Sat May 29 16:45:10.228 2021 (UTC + 10:00)
System Uptime: 0 days 3:04:56.831
Loading Kernel Symbols
...............................................................
................................................................
.............................................Page fdea1c not present in the dump file. Type ".hh dbgerr004" for details
...................
............................................
Loading User Symbols
PEB is paged out (Peb.Ldr = 00000000`01004018).  Type ".hh dbgerr001" for details
Loading unloaded module list
...............
For analysis of this file, run !analyze -v
nt!KeBugCheckEx:
fffff800`1bff6cf0 48894c2408      mov     qword ptr [rsp+8],rcx ss:0018:ffff8101`d110eb80=0000000000000139
9: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

KERNEL_SECURITY_CHECK_FAILURE (139)
A kernel component has corrupted a critical data structure.  The corruption
could potentially allow a malicious user to gain control of this machine.
Arguments:
Arg1: 0000000000000003, A LIST_ENTRY has been corrupted (i.e. double remove).
Arg2: ffff8101d110eea0, Address of the trap frame for the exception that caused the BugCheck
Arg3: ffff8101d110edf8, Address of the exception record for the exception that caused the BugCheck
Arg4: 0000000000000000, Reserved

Debugging Details:
------------------


KEY_VALUES_STRING: 1

    Key  : Analysis.CPU.mSec
    Value: 3296

    Key  : Analysis.DebugAnalysisManager
    Value: Create

    Key  : Analysis.Elapsed.mSec
    Value: 23264

    Key  : Analysis.Init.CPU.mSec
    Value: 390

    Key  : Analysis.Init.Elapsed.mSec
    Value: 15690

    Key  : Analysis.Memory.CommitPeak.Mb
    Value: 106

    Key  : FailFast.Name
    Value: CORRUPT_LIST_ENTRY

    Key  : FailFast.Type
    Value: 3

    Key  : WER.OS.Branch
    Value: vb_release

    Key  : WER.OS.Timestamp
    Value: 2019-12-06T14:06:00Z

    Key  : WER.OS.Version
    Value: 10.0.19041.1


BUGCHECK_CODE:  139

BUGCHECK_P1: 3

BUGCHECK_P2: ffff8101d110eea0

BUGCHECK_P3: ffff8101d110edf8

BUGCHECK_P4: 0

TRAP_FRAME:  ffff8101d110eea0 -- (.trap 0xffff8101d110eea0)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=ffff9f02d0f832e0 rbx=0000000000000000 rcx=0000000000000003
rdx=ffff8101cd93f950 rsi=0000000000000000 rdi=0000000000000000
rip=fffff80029111bfe rsp=ffff8101d110f030 rbp=ffff9f02d0f66a90
 r8=ffff9f02d0f66a50  r9=ffff9f02d0f83460 r10=0000000000000002
r11=ffffc67bf7200000 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei ng nz na pe cy
gwdrv+0x1bfe:
fffff800`29111bfe cd29            int     29h
Resetting default scope

EXCEPTION_RECORD:  ffff8101d110edf8 -- (.exr 0xffff8101d110edf8)
ExceptionAddress: fffff80029111bfe (gwdrv+0x0000000000001bfe)
   ExceptionCode: c0000409 (Security check failure or stack buffer overrun)
  ExceptionFlags: 00000001
NumberParameters: 1
   Parameter[0]: 0000000000000003
Subcode: 0x3 FAST_FAIL_CORRUPT_LIST_ENTRY 

BLACKBOXBSD: 1 (!blackboxbsd)


BLACKBOXNTFS: 1 (!blackboxntfs)


BLACKBOXPNP: 1 (!blackboxpnp)


BLACKBOXWINLOGON: 1

PROCESS_NAME:  nimdnsResponder.exe

ERROR_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.

EXCEPTION_CODE_STR:  c0000409

EXCEPTION_PARAMETER1:  0000000000000003

EXCEPTION_STR:  0xc0000409

STACK_TEXT:  
ffff8101`d110eb78 fffff800`1c008c69     : 00000000`00000139 00000000`00000003 ffff8101`d110eea0 ffff8101`d110edf8 : nt!KeBugCheckEx
ffff8101`d110eb80 fffff800`1c009090     : 00000000`0000000a 00000000`00000050 ffff9f02`d0f7b000 fffff800`1bf16339 : nt!KiBugCheckDispatch+0x69
ffff8101`d110ecc0 fffff800`1c007423     : ffff9f02`f2265000 ffff8101`d110ef10 ffff9f02`cf010280 33333333`33333333 : nt!KiFastFailDispatch+0xd0
ffff8101`d110eea0 fffff800`29111bfe     : ffff9f02`d0f83460 00000000`34616c41 00000000`00000020 00000000`00000a78 : nt!KiRaiseSecurityCheckFailure+0x323
ffff8101`d110f030 fffff800`29113ff9     : ffff9f02`d06288b0 ffff9f02`e5aa82ff 00000000`00000000 01000000`00000000 : gwdrv+0x1bfe
ffff8101`d110f080 fffff800`291136de     : ffff9f02`d06288b0 ffff9f02`e1cf8390 fffff800`291136bc 00000000`00000000 : gwdrv+0x3ff9
ffff8101`d110f0b0 fffff800`18180576     : ffff9f02`d06288b0 fffff800`2900ff02 ffff9f02`d23b22d0 fffff800`18005a4b : gwdrv+0x36de
ffff8101`d110f0e0 fffff800`18180037     : 00000000`00003ecb ffff9f02`ef6e1d20 ffff9f02`e64e1cc0 ffff9f02`d23b22d0 : NETIO!WfpNotifyFlowContextDelete+0x20a
ffff8101`d110f160 fffff800`182fb230     : ffff9f02`e500ff02 ffff9f02`e1cf8390 ffff8101`d110f370 ffff9f02`e64e1cc0 : NETIO!KfdAleNotifyFlowDeletion+0x1c7
ffff8101`d110f1c0 fffff800`182deb6f     : ffff9f02`e64e1d28 ffff9f02`d89f9160 00000000`000ad63b ffff8101`d110f370 : tcpip!WfpAleFreeRemoteEndpoint+0x30
ffff8101`d110f240 fffff800`182de946     : ffff9f02`ef6e1d58 ffff9f02`e64e1cc0 00000000`00000000 ffff9f02`ed9864f0 : tcpip!WfpAleDecrementWaitRef+0x73
ffff8101`d110f270 fffff800`182dde69     : ffffd681`78b00180 ffff9f02`d8bffc20 00000000`00000000 ffff9f02`ec2ce1c0 : tcpip!UdpCloseEndpoint+0xace
ffff8101`d110f5b0 fffff800`290b26a3     : fffff800`1c924400 00000000`00000100 ffff9f02`f29b4bd8 00000000`00000000 : tcpip!UdpTlProviderCloseEndpoint+0x9
ffff8101`d110f5e0 fffff800`29092dc1     : ffff9f02`ec2ce1c0 00000000`00000000 00000000`00000000 00000000`00000000 : afd!AfdTLCloseEndpoint+0x47
ffff8101`d110f620 fffff800`290af824     : ffff9f02`ec2ce1c0 ffff9f02`ec2ce2d0 ffff9f02`ec2ce1c0 ffff8101`d110f738 : afd!AfdCloseTransportEndpoint+0x89
ffff8101`d110f700 fffff800`290afc6c     : ffff9f02`d94e38f0 ffff9f02`ec2ce1c0 ffff9f02`f29b4a30 ffff9f02`d94e38f0 : afd!AfdCleanupCore+0x3b8
ffff8101`d110f800 fffff800`1bf185b5     : ffff9f02`ed9831d0 00000000`00000000 00000000`00000000 ffff9f02`f29b4a30 : afd!AfdDispatch+0xec
ffff8101`d110f840 fffff800`1c2e2b6a     : 00000000`00000000 ffff9f02`ed9831d0 00000000`00000000 00000000`00040000 : nt!IofCallDriver+0x55
ffff8101`d110f880 fffff800`1c1f36dc     : 00000000`00000000 00000000`00007b14 ffffffff`00000000 ffff9f02`d0546980 : nt!IopCloseFile+0x17a
ffff8101`d110f910 fffff800`1c1f73ac     : 00000000`000003d0 00000000`00000000 00000000`00000000 ffff9f02`e6477960 : nt!ObCloseHandleTableEntry+0x24c
ffff8101`d110fa50 fffff800`1c0086b8     : 00000000`00000000 00007ffe`00000001 ffff8101`d110fb40 00000000`00000000 : nt!NtClose+0xec
ffff8101`d110fac0 00000000`77661cfc     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x28
00000000`01a0efe8 00000000`00000000     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x77661cfc


SYMBOL_NAME:  gwdrv+1bfe

MODULE_NAME: gwdrv

IMAGE_NAME:  gwdrv.sys

STACK_COMMAND:  .thread ; .cxr ; kb

BUCKET_ID_FUNC_OFFSET:  1bfe

FAILURE_BUCKET_ID:  0x139_3_CORRUPT_LIST_ENTRY_gwdrv!unknown_function

OS_VERSION:  10.0.19041.1

BUILDLAB_STR:  vb_release

OSPLATFORM_TYPE:  x64

OSNAME:  Windows 10

FAILURE_ID_HASH:  {2387f190-e233-2f40-274b-63fe920aa794}

Followup:     MachineOwner
---------

Happy to share the memory dump with staff - although it is 5GB uncompressed.

Please upgrade to GlassWire 2.3.318. If the issue continues, please go to Add/Remove Programs and uninstall our app, reboot, then reinstall using the “clean install” option. Your database is most likely corrupted.
