Jump to content

KERNEL_SECURITY_CHECK_FAILURE (139), System stack overrun, MBAM & Torguard


Recommended Posts

My computer sometimes totally crashes.  Not even a blue screen, I get a no screen: the screen is black, the power is off.  The last 3 times this happened were on 2021-03-20, 2021-07-02, and 2021-07-03.

I have configured my computer to try to generate a memory dump (C:\Windows\MEMORY.DMP) file so that maybe the problem can be traced down.  Unfortunately, that memory dump file is not always created, nor do I really know how to do Windows debugging.  So, I am posting this thread seeking insight from anyone who is a Windows expert.

Below are highlights from using windbg to analyse the MEMORY.DMP file from the last (2021-07-03) crash:

    KERNEL_SECURITY_CHECK_FAILURE (139)
    A kernel component has corrupted a critical data structure.  The corruption
    could potentially allow a malicious user to gain control of this machine.
    ...
    BUGCHECK_CODE:  139
    ...
    BLACKBOXWINLOGON: 1

    PROCESS_NAME:  System

    ERROR_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.

    EXCEPTION_CODE_STR:  c0000409

    EXCEPTION_PARAMETER1:  000000000000001d

    EXCEPTION_STR:  0xc0000409
    ...
    SYMBOL_NAME:  nt!KiFastFailDispatch+d0

    MODULE_NAME: nt

    IMAGE_NAME:  ntkrnlmp.exe

    STACK_COMMAND:  .thread ; .cxr ; kb

    BUCKET_ID_FUNC_OFFSET:  d0

    FAILURE_BUCKET_ID:  0x139_1d_INVALID_BALANCED_TREE_nt!KiFastFailDispatch


Attached as a text file is the full windbg result of analysing that MEMORY.DMP file.

The results above are exactly what I also saw on 2021-03-20, while the 2021-07-02 crash failed to produce a MEMORY.DMP file.

Does anyone have an insight into what is going on here?

I note this previous post which reported a KERNEL_SECURITY_CHECK_FAILURE, however, its details seem to be different than mine.

That previous did have an intriguing reply by Porthos who suggested that other security software can interfere with MBAM.  He gave a link which specifically mentions several VPNs.  I use Torguard VPN's Windows client, which is not mentioned.

So, does anyone see any indication in the windbg result that MBAM and Torguard may be conflicting?  I will not hesitate to turn off MBAM's Web Protection if if is problematic.

I have had a couple of other strange MBAM issues recently (link1, link2), and in the second one Porthos and I had some discussion about MBAM, Torguard, OpenVPN, and Wireguard.
 

2021-07-03_windbg_analysis.txt

Link to post
Share on other sites

I wanted to keep my initial post as readable as possible, and it was already getting complex.  So I am using this follow up post to satisfy the BSOD posting guidelines.

SysnativeFileCollectionApp output zip is attached.  Not sure how useful this is, since my last crash was ~4 days ago, and I moved the MEMORY.DMP file from its default location to another drive,  The windbg result in my initial post might be better diagnostic information.

Questions:

· OS - Windows 10 for Workstations
· x86 - x64
· What was original installed OS on system - Windows 10
· Is the OS an OEM version (came pre-installed on system) - Yes, my Windows 10 started off with whatever Dell installed on it
· Age of system (hardware) - about 2.5 years
· Age of OS installation - have you re-installed the OS - I have never re-installed the OS, but have continuously applied all Windows 10 updates as they come out

· CPU - Intel Core Xeon E-2176M (Six Core Xeon 2.70GHz, 4.40GHz Turbo, 12MB 45W)
· Video Card - AMD Radeon Pro WX 4150 w/4GB GDDR5
· MotherBoard - (if NOT a laptop) - is a laptop
· Power Supply - brand & wattage (skip if laptop) - is a laptop

· System Manufacturer - Dell
· Exact model number (if laptop, check label on bottom) - Dell Mobile Precision 7530 (bought on 2018-12-13)

· Laptop or Desktop? - laptop workstation


 

SysnativeFileCollectionApp.zip

Link to post
Share on other sites

I had another crash at ~11:05 this morning.

I did a windbg analysis of the MEMORY.DMP file and it reports exactly the same information as what I first reported above ("KERNEL_SECURITY_CHECK_FAILURE (139) A kernel component has corrupted a critical data structure...").

Since I did that first post above, I went ahead and turned off the Malwarebytes Real Time Web Protection.  Yet a crash still happened this morning.  Maybe Malwarebytes is not involved in the crash, or else some other part of MBAM besides the Real Time Web Protection?

Attached is a SysnativeFileCollectionApp output zip.  This one should be more useful to analyse, since the MEMORY.DMP file is still in its default location.

I would be grateful if anyone could analyse this and give me any insight into the cause of my crashes.  They are driving me nuts!

SysnativeFileCollectionApp.zip

Link to post
Share on other sites

Hello CaptainHindsight,

Unfortunately, I did not find information about the cause of corruption in the dump file.

Could you please enable the Driver Verifier and provide a new dump?

Also I see that a lot of disk errors are logged in the Windows system event log:

Event[238]:
  Log Name: System
  Source: disk
  Date: 2021-07-11T20:44:42.3350000Z
  Event ID: 7
  Task: N/A
  Level: Error
  Opcode: N/A
  Keyword: Classic
  User: N/A
  User Name: N/A
  Computer: DESKTOP-A1VR7HL
  Description:
The device, \Device\Harddisk0\DR0, has a bad block.

 

Edited by SQx
corrected font issue
Link to post
Share on other sites

Yes I am still with you!

Sorry for the tardy response.  I cannot run Driver Verifier right now because I have so much real work to get done.  I am going to try to force time later on tonight.

Hmm, I am disturbed about those bad disk block errors.  How come Windows never notified me?  I am going to have to look into this.

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share

  • Recently Browsing   0 members

    No registered users viewing this page.

Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.