Windows crash with home dir/profile dir on network share
Posted by Anonymous on Wed 10th Sep 2025 12:54
raw | new post

#
# Windows crash with home dir/profile dir on network share
#
Microsoft (R) Windows Debugger Version 10.0.19041.685 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [C:\Users\roland_mainz\MEMORY.DMP]
Kernel Bitmap Dump File: Kernel address space is available, User address space may not be available.

Symbol search path is: srv*
Executable search path is:
Windows 10 Kernel Version 19041 MP (2 procs) Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 19041.1.x86fre.vb_release.191206-1406
Machine Name:
Kernel base = 0x8220a000 PsLoadedModuleList = 0x824d0d58
Debug session time: Wed Sep 10 13:44:31.237 2025 (UTC + 2:00)
System Uptime: 0 days 1:13:47.018
Loading Kernel Symbols
...............................................................
................................................................
.............Page 100b1 not present in the dump file. Type ".hh dbgerr004" for details
..........................................
Loading User Symbols
PEB is paged out (Peb.Ldr = 00b4900c).  Type ".hh dbgerr001" for details
Loading unloaded module list
........
For analysis of this file, run !analyze -v
0: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

KERNEL_SECURITY_CHECK_FAILURE (139)
A kernel component has corrupted a critical data structure.  The corruption
could potentially allow a malicious user to gain control of this machine.
Arguments:
Arg1: 00000003, A LIST_ENTRY has been corrupted (i.e. double remove).
Arg2: 8404acbc, Address of the trap frame for the exception that caused the bugcheck
Arg3: 8404abe0, Address of the exception record for the exception that caused the bugcheck
Arg4: 00000000, Reserved

Debugging Details:
------------------


KEY_VALUES_STRING: 1

    Key  : Analysis.CPU.Sec
    Value: 4

    Key  : Analysis.DebugAnalysisProvider.CPP
    Value: Create: 8007007e on WINGRENDEL02

    Key  : Analysis.DebugData
    Value: CreateObject

    Key  : Analysis.DebugModel
    Value: CreateObject

    Key  : Analysis.Elapsed.Sec
    Value: 4

    Key  : Analysis.Memory.CommitPeak.Mb
    Value: 69

    Key  : Analysis.System
    Value: CreateObject


VIRTUAL_MACHINE:  VMware

BUGCHECK_CODE:  139

BUGCHECK_P1: 3

BUGCHECK_P2: ffffffff8404acbc

BUGCHECK_P3: ffffffff8404abe0

BUGCHECK_P4: 0

TRAP_FRAME:  8404acbc -- (.trap 0xffffffff8404acbc)
ErrCode = 00000000
eax=b2f719ec ebx=9b21b800 ecx=00000003 edx=00000001 esi=9b21b8e0 edi=9b21b8f8
eip=82256887 esp=8404ad30 ebp=8404ad50 iopl=0         nv up ei pl nz na pe nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00000206
nt!KiProcessThreadWaitList+0x77:
82256887 cd29            int     29h
Resetting default scope

EXCEPTION_RECORD:  8404abe0 -- (.exr 0xffffffff8404abe0)
ExceptionAddress: 82256887 (nt!KiProcessThreadWaitList+0x00000077)
   ExceptionCode: c0000409 (Security check failure or stack buffer overrun)
  ExceptionFlags: 00000001
NumberParameters: 1
   Parameter[0]: 00000003
Subcode: 0x3 FAST_FAIL_CORRUPT_LIST_ENTRY

BLACKBOXBSD: 1 (!blackboxbsd)


BLACKBOXNTFS: 1 (!blackboxntfs)


BLACKBOXPNP: 1 (!blackboxpnp)


BLACKBOXWINLOGON: 1

PROCESS_NAME:  svchost.exe

ERROR_CODE: (NTSTATUS) 0xc0000409 - Das System hat in dieser Anwendung den  berlauf eines stapelbasierten Puffers ermittelt. Dieser  berlauf k nnte einem b sartigen Benutzer erm glichen, die Steuerung der Anwendung zu  bernehmen.

EXCEPTION_CODE_STR:  c0000409

EXCEPTION_PARAMETER1:  00000003

DPC_STACK_BASE:  FFFFFFFF8404B000

EXCEPTION_STR:  0xc0000409

STACK_TEXT:
8404abc0 823a4240 00000139 00000003 8404acbc nt!KiBugCheck2
8404abc0 82256887 00000139 00000003 8404acbc nt!KiRaiseSecurityCheckFailure+0x2dc
8404ad50 82255cbf 00000000 00000002 811e65f8 nt!KiProcessThreadWaitList+0x77
8404ade0 82255b6d 811e5380 00000003 000293ad nt!KiProcessExpiredTimerList+0xdf
8404ae2c 82255950 c00293ad 00000003 000000c5 nt!KiExpireTimerTable+0x17d
8404aea0 82292788 4eb5590b 0000000a 000293ad nt!KiTimerExpiration+0x100
8404aff4 823abc8e a3747b3c 00000000 00000000 nt!KiRetireDpcList+0x558
a3747b5c 8299c1eb a3747c14 9f9f0680 a3747c14 nt!KiDispatchInterrupt+0x2e
a3747b6c 82988e88 00000001 a3747c14 823a516c hal!HalpInterruptCheckForSoftwareInterrupt+0x28
a3747b78 823a516c 829cb140 a3747c14 0001ae00 hal!HalEndSystemInterrupt+0x78
a3747b78 7791ecda 829cb140 a3747c14 0001ae00 nt!KiUnexpectedInterruptTail+0x41d
WARNING: Frame IP not in any known module. Following frames may be wrong.
0423f5d4 00000000 00000000 00000000 00000000 0x7791ecda


SYMBOL_NAME:  nt!KiProcessExpiredTimerList+df

MODULE_NAME: nt

IMAGE_NAME:  ntkrpamp.exe

STACK_COMMAND:  .thread ; .cxr ; kb

BUCKET_ID_FUNC_OFFSET:  df

FAILURE_BUCKET_ID:  0x139_3_CORRUPT_LIST_ENTRY_KTIMER_LIST_CORRUPTION_nt!KiProcessExpiredTimerList

OS_VERSION:  10.0.19041.1

BUILDLAB_STR:  vb_release

OSPLATFORM_TYPE:  x86

OSNAME:  Windows 10

FAILURE_ID_HASH:  {9db7945b-255d-24a1-9f2c-82344e883ab8}

Followup:     MachineOwner
---------

0: kd>