Microsoft (R) Windows Debugger Version 10.0.21349.1004 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [C:\Windows\MEMORY.DMP]
Kernel Bitmap Dump File: Kernel address space is available, User address space may not be available.
Symbol search path is: srv*
Executable search path is:
Windows 10 Kernel Version 19041 MP (16 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Edition build lab: 19041.1.amd64fre.vb_release.191206-1406
Machine Name:
Kernel base = 0xfffff800`1bc00000 PsLoadedModuleList = 0xfffff800`1c82a1b0
Debug session time: Sat May 29 16:45:10.228 2021 (UTC + 10:00)
System Uptime: 0 days 3:04:56.831
Loading Kernel Symbols
...............................................................
................................................................
.............................................Page fdea1c not present in the dump file. Type ".hh dbgerr004" for details
...................
............................................
Loading User Symbols
PEB is paged out (Peb.Ldr = 00000000`01004018). Type ".hh dbgerr001" for details
Loading unloaded module list
...............
For analysis of this file, run !analyze -v
nt!KeBugCheckEx:
fffff800`1bff6cf0 48894c2408 mov qword ptr [rsp+8],rcx ss:0018:ffff8101`d110eb80=0000000000000139
9: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************
KERNEL_SECURITY_CHECK_FAILURE (139)
A kernel component has corrupted a critical data structure. The corruption
could potentially allow a malicious user to gain control of this machine.
Arguments:
Arg1: 0000000000000003, A LIST_ENTRY has been corrupted (i.e. double remove).
Arg2: ffff8101d110eea0, Address of the trap frame for the exception that caused the BugCheck
Arg3: ffff8101d110edf8, Address of the exception record for the exception that caused the BugCheck
Arg4: 0000000000000000, Reserved
Debugging Details:
------------------
KEY_VALUES_STRING: 1
Key : Analysis.CPU.mSec
Value: 3296
Key : Analysis.DebugAnalysisManager
Value: Create
Key : Analysis.Elapsed.mSec
Value: 23264
Key : Analysis.Init.CPU.mSec
Value: 390
Key : Analysis.Init.Elapsed.mSec
Value: 15690
Key : Analysis.Memory.CommitPeak.Mb
Value: 106
Key : FailFast.Name
Value: CORRUPT_LIST_ENTRY
Key : FailFast.Type
Value: 3
Key : WER.OS.Branch
Value: vb_release
Key : WER.OS.Timestamp
Value: 2019-12-06T14:06:00Z
Key : WER.OS.Version
Value: 10.0.19041.1
BUGCHECK_CODE: 139
BUGCHECK_P1: 3
BUGCHECK_P2: ffff8101d110eea0
BUGCHECK_P3: ffff8101d110edf8
BUGCHECK_P4: 0
TRAP_FRAME: ffff8101d110eea0 -- (.trap 0xffff8101d110eea0)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=ffff9f02d0f832e0 rbx=0000000000000000 rcx=0000000000000003
rdx=ffff8101cd93f950 rsi=0000000000000000 rdi=0000000000000000
rip=fffff80029111bfe rsp=ffff8101d110f030 rbp=ffff9f02d0f66a90
r8=ffff9f02d0f66a50 r9=ffff9f02d0f83460 r10=0000000000000002
r11=ffffc67bf7200000 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei ng nz na pe cy
gwdrv+0x1bfe:
fffff800`29111bfe cd29 int 29h
Resetting default scope
EXCEPTION_RECORD: ffff8101d110edf8 -- (.exr 0xffff8101d110edf8)
ExceptionAddress: fffff80029111bfe (gwdrv+0x0000000000001bfe)
ExceptionCode: c0000409 (Security check failure or stack buffer overrun)
ExceptionFlags: 00000001
NumberParameters: 1
Parameter[0]: 0000000000000003
Subcode: 0x3 FAST_FAIL_CORRUPT_LIST_ENTRY
BLACKBOXBSD: 1 (!blackboxbsd)
BLACKBOXNTFS: 1 (!blackboxntfs)
BLACKBOXPNP: 1 (!blackboxpnp)
BLACKBOXWINLOGON: 1
PROCESS_NAME: nimdnsResponder.exe
ERROR_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.
EXCEPTION_CODE_STR: c0000409
EXCEPTION_PARAMETER1: 0000000000000003
EXCEPTION_STR: 0xc0000409
STACK_TEXT:
ffff8101`d110eb78 fffff800`1c008c69 : 00000000`00000139 00000000`00000003 ffff8101`d110eea0 ffff8101`d110edf8 : nt!KeBugCheckEx
ffff8101`d110eb80 fffff800`1c009090 : 00000000`0000000a 00000000`00000050 ffff9f02`d0f7b000 fffff800`1bf16339 : nt!KiBugCheckDispatch+0x69
ffff8101`d110ecc0 fffff800`1c007423 : ffff9f02`f2265000 ffff8101`d110ef10 ffff9f02`cf010280 33333333`33333333 : nt!KiFastFailDispatch+0xd0
ffff8101`d110eea0 fffff800`29111bfe : ffff9f02`d0f83460 00000000`34616c41 00000000`00000020 00000000`00000a78 : nt!KiRaiseSecurityCheckFailure+0x323
ffff8101`d110f030 fffff800`29113ff9 : ffff9f02`d06288b0 ffff9f02`e5aa82ff 00000000`00000000 01000000`00000000 : gwdrv+0x1bfe
ffff8101`d110f080 fffff800`291136de : ffff9f02`d06288b0 ffff9f02`e1cf8390 fffff800`291136bc 00000000`00000000 : gwdrv+0x3ff9
ffff8101`d110f0b0 fffff800`18180576 : ffff9f02`d06288b0 fffff800`2900ff02 ffff9f02`d23b22d0 fffff800`18005a4b : gwdrv+0x36de
ffff8101`d110f0e0 fffff800`18180037 : 00000000`00003ecb ffff9f02`ef6e1d20 ffff9f02`e64e1cc0 ffff9f02`d23b22d0 : NETIO!WfpNotifyFlowContextDelete+0x20a
ffff8101`d110f160 fffff800`182fb230 : ffff9f02`e500ff02 ffff9f02`e1cf8390 ffff8101`d110f370 ffff9f02`e64e1cc0 : NETIO!KfdAleNotifyFlowDeletion+0x1c7
ffff8101`d110f1c0 fffff800`182deb6f : ffff9f02`e64e1d28 ffff9f02`d89f9160 00000000`000ad63b ffff8101`d110f370 : tcpip!WfpAleFreeRemoteEndpoint+0x30
ffff8101`d110f240 fffff800`182de946 : ffff9f02`ef6e1d58 ffff9f02`e64e1cc0 00000000`00000000 ffff9f02`ed9864f0 : tcpip!WfpAleDecrementWaitRef+0x73
ffff8101`d110f270 fffff800`182dde69 : ffffd681`78b00180 ffff9f02`d8bffc20 00000000`00000000 ffff9f02`ec2ce1c0 : tcpip!UdpCloseEndpoint+0xace
ffff8101`d110f5b0 fffff800`290b26a3 : fffff800`1c924400 00000000`00000100 ffff9f02`f29b4bd8 00000000`00000000 : tcpip!UdpTlProviderCloseEndpoint+0x9
ffff8101`d110f5e0 fffff800`29092dc1 : ffff9f02`ec2ce1c0 00000000`00000000 00000000`00000000 00000000`00000000 : afd!AfdTLCloseEndpoint+0x47
ffff8101`d110f620 fffff800`290af824 : ffff9f02`ec2ce1c0 ffff9f02`ec2ce2d0 ffff9f02`ec2ce1c0 ffff8101`d110f738 : afd!AfdCloseTransportEndpoint+0x89
ffff8101`d110f700 fffff800`290afc6c : ffff9f02`d94e38f0 ffff9f02`ec2ce1c0 ffff9f02`f29b4a30 ffff9f02`d94e38f0 : afd!AfdCleanupCore+0x3b8
ffff8101`d110f800 fffff800`1bf185b5 : ffff9f02`ed9831d0 00000000`00000000 00000000`00000000 ffff9f02`f29b4a30 : afd!AfdDispatch+0xec
ffff8101`d110f840 fffff800`1c2e2b6a : 00000000`00000000 ffff9f02`ed9831d0 00000000`00000000 00000000`00040000 : nt!IofCallDriver+0x55
ffff8101`d110f880 fffff800`1c1f36dc : 00000000`00000000 00000000`00007b14 ffffffff`00000000 ffff9f02`d0546980 : nt!IopCloseFile+0x17a
ffff8101`d110f910 fffff800`1c1f73ac : 00000000`000003d0 00000000`00000000 00000000`00000000 ffff9f02`e6477960 : nt!ObCloseHandleTableEntry+0x24c
ffff8101`d110fa50 fffff800`1c0086b8 : 00000000`00000000 00007ffe`00000001 ffff8101`d110fb40 00000000`00000000 : nt!NtClose+0xec
ffff8101`d110fac0 00000000`77661cfc : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x28
00000000`01a0efe8 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x77661cfc
SYMBOL_NAME: gwdrv+1bfe
MODULE_NAME: gwdrv
IMAGE_NAME: gwdrv.sys
STACK_COMMAND: .thread ; .cxr ; kb
BUCKET_ID_FUNC_OFFSET: 1bfe
FAILURE_BUCKET_ID: 0x139_3_CORRUPT_LIST_ENTRY_gwdrv!unknown_function
OS_VERSION: 10.0.19041.1
BUILDLAB_STR: vb_release
OSPLATFORM_TYPE: x64
OSNAME: Windows 10
FAILURE_ID_HASH: {2387f190-e233-2f40-274b-63fe920aa794}
Followup: MachineOwner
---------
Happy to share the memory dump with staff - although it is 5GB uncompressed.