NETIO.SYS 中反复出现 BSOD 0x139 KERNEL_SECURITY_CHECK_FAILURE(其中有错误检查分析)

NETIO.SYS 中反复出现 BSOD 0x139 KERNEL_SECURITY_CHECK_FAILURE(其中有错误检查分析)

问题描述

  • 我遇到了一些间歇性的0x139KERNEL_SECURITY_CHECK_FAILURE我的 Windows 8.1 笔记本电脑每 20 分钟到 1 小时就会出现一次蓝屏,第一个参数为 0x3。这些崩溃发生在NETIO.SYS、 或NsiEnumerateObjectsAllParametersEx功能中NsiGetParameterEx

  • 系统在带网络连接的安全模式下似乎运行正常。

  • 我有多个崩溃转储可供下载这里,以及一次崩溃的完整内存转储,以供内部进一步分析。

分析一:NsiEnumerateObjectsAllParametersExminidump

************* Symbol Path validation summary **************
Response                         Time (ms)     Location
Deferred                                       SRV*E:\sysdebug\debug-symbols*http://msdl.microsoft.com/download/symbols
Symbol search path is: SRV*E:\sysdebug\debug-symbols*http://msdl.microsoft.com/download/symbols
Executable search path is: 
Windows 8 Kernel Version 9600 MP (8 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 9600.17476.amd64fre.winblue_r5.141029-1500
Machine Name:
Kernel base = 0xfffff802`44e1f000 PsLoadedModuleList = 0xfffff802`450f8250
Debug session time: Fri Jan  2 16:52:43.919 2015 (UTC - 5:00)
System Uptime: 0 days 0:25:05.631
Loading Kernel Symbols
.

Press ctrl-c (cdb, kd, ntsd) or ctrl-break (windbg) to abort symbol loads that take too long.
Run !sym noisy before .reload to track down problems loading symbols.

..............................................................
................................................................
...........................................................
Loading User Symbols
Loading unloaded module list
.............
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 139, {3, ffffd000d8d4f1b0, ffffd000d8d4f108, 0}

Probably caused by : NETIO.SYS ( NETIO!NsiEnumerateObjectsAllParametersEx+20d )

Followup: MachineOwner
---------

1: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

KERNEL_SECURITY_CHECK_FAILURE (139)
A kernel component has corrupted a critical data structure.  The corruption
could potentially allow a malicious user to gain control of this machine.
Arguments:
Arg1: 0000000000000003, A LIST_ENTRY has been corrupted (i.e. double remove).
Arg2: ffffd000d8d4f1b0, Address of the trap frame for the exception that caused the bugcheck
Arg3: ffffd000d8d4f108, Address of the exception record for the exception that caused the bugcheck
Arg4: 0000000000000000, Reserved

Debugging Details:
------------------


DUMP_FILE_ATTRIBUTES: 0xc
  Insufficient Dumpfile Size
  Kernel Generated Triage Dump

TRAP_FRAME:  ffffd000d8d4f1b0 -- (.trap 0xffffd000d8d4f1b0)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=ffffe0019759fef0 rbx=0000000000000000 rcx=0000000000000003
rdx=ffffe00194b53ef0 rsi=0000000000000000 rdi=0000000000000000
rip=fffff80110e5f30d rsp=ffffd000d8d4f340 rbp=ffffe00194b5ea20
 r8=0000000000000000  r9=0000000000000002 r10=ffffe0019635db50
r11=ffffe00192d21fbc r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei pl nz na po nc
ndis!ndisNsiEnumerateAllInterfaceInformation+0x25c0d:
fffff801`10e5f30d cd29            int     29h
Resetting default scope

EXCEPTION_RECORD:  ffffd000d8d4f108 -- (.exr 0xffffd000d8d4f108)
ExceptionAddress: fffff80110e5f30d (ndis!ndisNsiEnumerateAllInterfaceInformation+0x0000000000025c0d)
   ExceptionCode: c0000409 (Security check failure or stack buffer overrun)
  ExceptionFlags: 00000001
NumberParameters: 1
   Parameter[0]: 0000000000000003

CUSTOMER_CRASH_COUNT:  1

DEFAULT_BUCKET_ID:  LIST_ENTRY_CORRUPT

BUGCHECK_STR:  0x139

PROCESS_NAME:  svchost.exe

CURRENT_IRQL:  2

ERROR_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.

EXCEPTION_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.

EXCEPTION_PARAMETER1:  0000000000000003

ANALYSIS_VERSION: 6.3.9600.17298 (debuggers(dbg).141024-1500) amd64fre

LAST_CONTROL_TRANSFER:  from fffff80244f7b5e9 to fffff80244f6faa0

STACK_TEXT:  
ffffd000`d8d4ee88 fffff802`44f7b5e9 : 00000000`00000139 00000000`00000003 ffffd000`d8d4f1b0 ffffd000`d8d4f108 : nt!KeBugCheckEx
ffffd000`d8d4ee90 fffff802`44f7b910 : ffff6bcf`07601f7c ffffd000`d8d4f278 ffffc001`d1bcd060 ffffe001`92d1c698 : nt!KiBugCheckDispatch+0x69
ffffd000`d8d4efd0 fffff802`44f7ab34 : 00000000`00000000 ffffe001`99965501 ffffd000`d8d4f3d4 00000000`00000000 : nt!KiFastFailDispatch+0xd0
ffffd000`d8d4f1b0 fffff801`10e5f30d : 00000000`ffffe001 00000000`00000000 ffffe001`94b5ea20 ffffe001`94b5eef0 : nt!KiRaiseSecurityCheckFailure+0xf4
ffffd000`d8d4f340 fffff801`10f4e308 : ffffd000`d8d4f580 00000000`00000000 ffffe001`92d1c002 00000000`00000008 : ndis!ndisNsiEnumerateAllInterfaceInformation+0x25c0d
ffffd000`d8d4f460 fffff801`11664fc1 : ffffe001`92d1c000 00000000`00000070 00000065`7450f270 ffffd000`d8d4f668 : NETIO!NsiEnumerateObjectsAllParametersEx+0x20d
ffffd000`d8d4f650 fffff801`11664bea : 00000000`00000000 ffffe001`99a432a0 ffffe001`99a431d0 00000000`00000000 : nsiproxy!NsippEnumerateObjectsAllParameters+0x201
ffffd000`d8d4f840 fffff802`452001ef : 00000000`00000000 ffffe001`99a431d0 ffffe001`99a431d0 00000000`00000001 : nsiproxy!NsippDispatch+0x5a
ffffd000`d8d4f880 fffff802`451ff78e : ffffd000`d8d4fa38 00000000`00000000 00000000`00000000 00000000`00000000 : nt!IopXxxControlFile+0xa4f
ffffd000`d8d4fa20 fffff802`44f7b2b3 : ffffe001`999a4080 fffff6fb`001f0003 00000065`7450f0e8 fffff680`00000001 : nt!NtDeviceIoControlFile+0x56
ffffd000`d8d4fa90 00007ffe`07350cba : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13
00000065`7450f168 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x00007ffe`07350cba


STACK_COMMAND:  kb

FOLLOWUP_IP: 
NETIO!NsiEnumerateObjectsAllParametersEx+20d
fffff801`10f4e308 8bd8            mov     ebx,eax

SYMBOL_STACK_INDEX:  5

SYMBOL_NAME:  NETIO!NsiEnumerateObjectsAllParametersEx+20d

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: NETIO

IMAGE_NAME:  NETIO.SYS

DEBUG_FLR_IMAGE_TIMESTAMP:  546029c5

IMAGE_VERSION:  6.3.9600.17485

BUCKET_ID_FUNC_OFFSET:  20d

FAILURE_BUCKET_ID:  0x139_3_NETIO!NsiEnumerateObjectsAllParametersEx

BUCKET_ID:  0x139_3_NETIO!NsiEnumerateObjectsAllParametersEx

ANALYSIS_SOURCE:  KM

FAILURE_ID_HASH_STRING:  km:0x139_3_netio!nsienumerateobjectsallparametersex

FAILURE_ID_HASH:  {647902b7-14c2-326a-6aea-d9b7b6d3d895}

Followup: MachineOwner
---------

WhoCrashed Professional 的输出

Crash dump file:        E:\sysdebug\dumps\010215-8234-01.dmp
Date/time:              1/2/2015 4:20:01 PM GMT
Uptime:                 00:20:35
Machine:                DRAGON
Bug check name:         KERNEL_SECURITY_CHECK_FAILURE
Bug check code:         0x139
Bug check parm 1:       0x3
Bug check parm 2:       0xFFFFD0002E50A1B0
Bug check parm 3:       0xFFFFD0002E50A108
Bug check parm 4:       0x0
Probably caused by:     ndis.sys
Driver description:     Network Driver Interface Specification (NDIS)
Driver product:         Microsoft® Windows® Operating System
Driver company:         Microsoft Corporation
OS build:               Built by: 9600.17476.amd64fre.winblue_r5.141029-1500
Architecture:           x64 (64 bit)
CPU count:              8
Page size:              4096

Bug check description: 
The kernel has detected the corruption of a critical data structure.

Comments:

The crash took place in a standard Microsoft module. Your system configuration may be incorrect. Possibly this problem is caused by another driver on your system that cannot be identified at this time. 

分析2:NsiGetParameterEx完全内存转储

************* Symbol Path validation summary **************
Response                         Time (ms)     Location
Deferred                                       SRV*E:\sysdebug\debug-symbols*http://msdl.microsoft.com/download/symbols

Loading Dump File [E:\sysdebug\MEMORY.DMP]
Kernel Bitmap Dump File: Full address space is available


************* Symbol Path validation summary **************
Response                         Time (ms)     Location
Deferred                                       SRV*E:\sysdebug\debug-symbols*http://msdl.microsoft.com/download/symbols
Symbol search path is: SRV*E:\sysdebug\debug-symbols*http://msdl.microsoft.com/download/symbols
Executable search path is: 
Windows 8 Kernel Version 9600 MP (8 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 9600.17476.amd64fre.winblue_r5.141029-1500
Machine Name:
Kernel base = 0xfffff801`dde72000 PsLoadedModuleList = 0xfffff801`de14b250
Debug session time: Fri Jan  2 17:17:38.437 2015 (UTC - 5:00)
System Uptime: 0 days 0:22:01.150
Loading Kernel Symbols
...............................................................
................................................................
...........................................................
Loading User Symbols
................................................................
...................................
Loading unloaded module list
..............................
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 139, {3, ffffd001cb3d0310, ffffd001cb3d0268, 0}

Probably caused by : NETIO.SYS ( NETIO!NsiGetParameterEx+222 )

Followup: MachineOwner
---------

0: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

KERNEL_SECURITY_CHECK_FAILURE (139)
A kernel component has corrupted a critical data structure.  The corruption
could potentially allow a malicious user to gain control of this machine.
Arguments:
Arg1: 0000000000000003, A LIST_ENTRY has been corrupted (i.e. double remove).
Arg2: ffffd001cb3d0310, Address of the trap frame for the exception that caused the bugcheck
Arg3: ffffd001cb3d0268, Address of the exception record for the exception that caused the bugcheck
Arg4: 0000000000000000, Reserved

Debugging Details:
------------------


TRAP_FRAME:  ffffd001cb3d0310 -- (.trap 0xffffd001cb3d0310)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=ffffe00059100980 rbx=0000000000000000 rcx=0000000000000003
rdx=ffffe00055dbbef0 rsi=0000000000000000 rdi=0000000000000000
rip=fffff80084085a29 rsp=ffffd001cb3d04a0 rbp=0000000000000000
 r8=0000000000000000  r9=0000000000000002 r10=ffffe000587d9040
r11=ffffe000591004b0 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei pl nz na pe nc
ndis!ndisNsiGetInterfaceInformation+0x22b49:
fffff800`84085a29 cd29            int     29h
Resetting default scope

EXCEPTION_RECORD:  ffffd001cb3d0268 -- (.exr 0xffffd001cb3d0268)
ExceptionAddress: fffff80084085a29 (ndis!ndisNsiGetInterfaceInformation+0x0000000000022b49)
   ExceptionCode: c0000409 (Security check failure or stack buffer overrun)
  ExceptionFlags: 00000001
NumberParameters: 1
   Parameter[0]: 0000000000000003

DEFAULT_BUCKET_ID:  LIST_ENTRY_CORRUPT

BUGCHECK_STR:  0x139

PROCESS_NAME:  svchost.exe

CURRENT_IRQL:  2

ERROR_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.

EXCEPTION_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.

EXCEPTION_PARAMETER1:  0000000000000003

ANALYSIS_VERSION: 6.3.9600.17298 (debuggers(dbg).141024-1500) amd64fre

LAST_CONTROL_TRANSFER:  from fffff801ddfce5e9 to fffff801ddfc2aa0

STACK_TEXT:  
ffffd001`cb3cffe8 fffff801`ddfce5e9 : 00000000`00000139 00000000`00000003 ffffd001`cb3d0310 ffffd001`cb3d0268 : nt!KeBugCheckEx
ffffd001`cb3cfff0 fffff801`ddfce910 : 00000000`00000000 ffffd001`00000001 ffffd001`cb3d01d8 00000000`00000000 : nt!KiBugCheckDispatch+0x69
ffffd001`cb3d0130 fffff801`ddfcdb34 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiFastFailDispatch+0xd0
ffffd001`cb3d0310 fffff800`84085a29 : 00000000`fffff801 00000000`00000000 ffffd001`cb3d0610 00000000`00000004 : nt!KiRaiseSecurityCheckFailure+0xf4
ffffd001`cb3d04a0 fffff800`8417b572 : ffffd001`cb3d0610 ffffe000`5d2f1602 ffffe000`5d2f1700 00000000`00000000 : ndis!ndisNsiGetInterfaceInformation+0x22b49
ffffd001`cb3d0550 fffff800`851cda25 : 00000000`00000050 00000000`00000050 ffffe000`55dc2010 00000000`00000000 : NETIO!NsiGetParameterEx+0x222
ffffd001`cb3d06b0 fffff800`851cdbe3 : 00000000`00000000 ffffe000`54a3c6b0 ffffe000`54a3c5e0 00000000`00000000 : nsiproxy!NsippGetParameter+0x195
ffffd001`cb3d0840 fffff801`de2531ef : 00000000`00000000 ffffe000`54a3c5e0 ffffe000`54a3c5e0 00000000`00000001 : nsiproxy!NsippDispatch+0x53
ffffd001`cb3d0880 fffff801`de25278e : ffffd001`cb3d0a38 00007fff`00000000 00000000`00000000 00000000`00000000 : nt!IopXxxControlFile+0xa4f
ffffd001`cb3d0a20 fffff801`ddfce2b3 : ffffe000`5a9ba080 000000d2`001f0003 000000d2`37e5ea98 fffff801`00000001 : nt!NtDeviceIoControlFile+0x56
ffffd001`cb3d0a90 00007fff`3ef90cba : 00007fff`3eef15f5 00000000`00000004 000000d2`37e5eba1 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13
000000d2`37e5eb18 00007fff`3eef15f5 : 00000000`00000004 000000d2`37e5eba1 00000000`00000000 00000000`00000000 : ntdll!NtDeviceIoControlFile+0xa
000000d2`37e5eb20 00007fff`3b245e0a : 00000000`00000001 000000d2`39ca0990 00000000`00000000 00000000`00000000 : NSI!NsiGetParameter+0xf5
000000d2`37e5ebe0 00007fff`3b245b86 : 00000000`00000001 00007fff`00000000 00000000`00000000 000000d2`37e5ecb0 : DNSAPI!IsInterfaceConnected+0x4e
000000d2`37e5ec40 00007fff`3b2464bf : 00000000`00000000 000000d2`00000007 00000000`00000000 000000d2`39c307f0 : DNSAPI!DnsUpdateMachinePresence+0x106
000000d2`37e5ed10 00007fff`3b24613d : 000000d2`3742eb50 000000d2`37e5f9a0 00000000`00000000 00000000`00000000 : DNSAPI!Query_InProcess+0xf9
000000d2`37e5ed40 00007fff`3b245fcc : 00000000`00000000 000000d2`37e5ee90 000000d2`39c307f0 000000d2`37e5fa18 : DNSAPI!InProc_InitiateQuery+0x15c
000000d2`37e5ed90 00007fff`3b243c3d : 00000000`00000000 00000008`00000002 00000000`00000000 00000000`00000001 : DNSAPI!Query_PrivateExW+0x961
000000d2`37e5f940 00007fff`3b244389 : 00003195`00000001 00001000`00440668 00000000`000000ff 000000d2`39c307f0 : DNSAPI!Query_Shim+0xd5
000000d2`37e5fa10 00007fff`34facfc4 : 00000000`00000010 000000d2`37e5f968 00000000`00000000 00000000`00010004 : DNSAPI!DnsQuery_W+0x39
000000d2`37e5fa60 00007fff`34fad037 : 000000d2`39c01f50 00000000`00000000 00000000`80000000 00000000`00000000 : dnsrslvr!Mcast_VerifyName+0x70
000000d2`37e5fab0 00007fff`34fad22e : 00000000`00000000 00007fff`34facf1e 00000000`00000000 00007fff`3c46158a : dnsrslvr!Mcast_VerifyEx+0x102
000000d2`37e5fd30 00007fff`34fad17b : 00000000`ffffffff 00000000`00000000 00000000`00000001 00000000`00000001 : dnsrslvr!Mcast_Verify+0x8e
000000d2`37e5fd80 00007fff`3edb13d2 : 00007fff`34faccc0 00000000`00000000 00000000`00000000 00000000`00000000 : dnsrslvr!Mcast_Thread+0x186
000000d2`37e5fdf0 00007fff`3ef703c4 : 00007fff`3edb13b0 00000000`00000000 00000000`00000000 00000000`00000000 : KERNEL32!BaseThreadInitThunk+0x22
000000d2`37e5fe20 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x34


STACK_COMMAND:  kb

FOLLOWUP_IP: 
NETIO!NsiGetParameterEx+222
fffff800`8417b572 8bd8            mov     ebx,eax

SYMBOL_STACK_INDEX:  5

SYMBOL_NAME:  NETIO!NsiGetParameterEx+222

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: NETIO

IMAGE_NAME:  NETIO.SYS

DEBUG_FLR_IMAGE_TIMESTAMP:  546029c5

BUCKET_ID_FUNC_OFFSET:  222

FAILURE_BUCKET_ID:  0x139_3_NETIO!NsiGetParameterEx

BUCKET_ID:  0x139_3_NETIO!NsiGetParameterEx

ANALYSIS_SOURCE:  KM

FAILURE_ID_HASH_STRING:  km:0x139_3_netio!nsigetparameterex

FAILURE_ID_HASH:  {863902cf-27d7-671f-3d7f-44a47e15711d}

Followup: MachineOwner
---------

WhoCrashed Professional 的输出

Crash dump file:        E:\sysdebug\dumps\MEMORY.DMP
Date/time:              1/2/2015 10:17:38 PM GMT
Uptime:                 00:22:01
Machine:                DRAGON
Bug check name:         KERNEL_SECURITY_CHECK_FAILURE
Bug check code:         0x139
Bug check parm 1:       0x3
Bug check parm 2:       0xFFFFD001CB3D0310
Bug check parm 3:       0xFFFFD001CB3D0268
Bug check parm 4:       0x0
Probably caused by:     ntdll.sys
Driver description:     
Driver product:         
Driver company:         
OS build:               Built by: 9600.17476.amd64fre.winblue_r5.141029-1500
Architecture:           x64 (64 bit)
CPU count:              8
Page size:              4096

Bug check description: 
The kernel has detected the corruption of a critical data structure.

Comments:

A third party driver was identified as the probable root cause of this system error. It is suggested you look for an update for the following driver: ntdll.sys . 

答案1

好像这是 Windows 8.1/2012 R2 中的一个错误微软通过 Hotfix 修复了这个问题KB3055343

点击链接Hotfix Download Available,填写您的电子邮件地址,通过电子邮件请求修复并安装它以解决问题。

答案2

修复安装(就地升级到相同版本)解决了这个问题。从那以后,我再也没有遇到过这种崩溃,尽管需要大量工作才能使系统再次更新。

我一直无法确定事故发生的确切原因。

相关内容