Thanks for the tip! I ran the debugger and got this.... Can you help me explain what it means? LOL
Microsoft (R) Windows Debugger Version 10.0.20153.1000 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [C:\Windows\Minidump\022821-51218-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available
Symbol search path is: srv*
Executable search path is:
Windows 10 Kernel Version 19041 MP (8 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS Personal
Edition build lab: 19041.1.amd64fre.vb_release.191206-1406
Machine Name:
Kernel base = 0xfffff80129800000 PsLoadedModuleList = 0xfffff8012a42a390
Debug session time: Sun Feb 28 09:49:49.368 2021 (UTC - 5:00)
System Uptime: 0 days 21:01:31.394
Loading Kernel Symbols
...............................................................
................................................................
................................................................
...............................
Loading User Symbols
Loading unloaded module list
......................
For analysis of this file, run !analyze -v
nt!KeBugCheckEx:
fffff80129bf5a80 48894c2408 mov qword ptr [rsp+8],rcx ss:0018:ffffa40c45a97660=0000000000000139
7: kd> !analyze -v
Bugcheck Analysis
KERNEL_SECURITY_CHECK_FAILURE (139)
A kernel component has corrupted a critical data structure. The corruption
could potentially allow a malicious user to gain control of this machine.
Arguments:
Arg1: 000000000000001d, Type of memory safety violation
Arg2: ffffa40c45a97980, Address of the trap frame for the exception that caused the bugcheck
Arg3: ffffa40c45a978d8, Address of the exception record for the exception that caused the bugcheck
Arg4: 0000000000000000, Reserved
Debugging Details:
KEY_VALUES_STRING: 1
Key : Analysis.CPU.mSec
Value: 4125
Key : Analysis.DebugAnalysisProvider.CPP
Value: Create: 8007007e on RED-5
Key : Analysis.DebugData
Value: CreateObject
Key : Analysis.DebugModel
Value: CreateObject
Key : Analysis.Elapsed.mSec
Value: 42105
Key : Analysis.Memory.CommitPeak.Mb
Value: 81
Key : Analysis.System
Value: CreateObject
Key : WER.OS.Branch
Value: vb_release
Key : WER.OS.Timestamp
Value: 2019-12-06T14:06:00Z
Key : WER.OS.Version
Value: 10.0.19041.1
ADDITIONAL_XML: 1
OS_BUILD_LAYERS: 1
BUGCHECK_CODE: 139
BUGCHECK_P1: 1d
BUGCHECK_P2: ffffa40c45a97980
BUGCHECK_P3: ffffa40c45a978d8
BUGCHECK_P4: 0
TRAP_FRAME: ffffa40c45a97980 -- (.trap 0xffffa40c45a97980)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=0000000000000000 rbx=0000000000000000 rcx=000000000000001d
rdx=fffff8012a419660 rsi=0000000000000000 rdi=0000000000000000
rip=fffff80129c2d7d9 rsp=ffffa40c45a97b10 rbp=0000000000000000
r8=fffff8012a4315a0 r9=fffff8012a412440 r10=fffff8012a4ec000
r11=0000000000000000 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei pl nz na po cy
nt!RtlRbInsertNodeEx+0x1ddfe9:
fffff801`29c2d7d9 cd29 int 29h
Resetting default scope
EXCEPTION_RECORD: ffffa40c45a978d8 -- (.exr 0xffffa40c45a978d8)
ExceptionAddress: fffff80129c2d7d9 (nt!RtlRbInsertNodeEx+0x00000000001ddfe9)
ExceptionCode: c0000409 (Security check failure or stack buffer overrun)
ExceptionFlags: 00000001
NumberParameters: 1
Parameter[0]: 000000000000001d
Subcode: 0x1d FAST_FAIL_INVALID_BALANCED_TREE
BLACKBOXBSD: 1 (!blackboxbsd)
BLACKBOXNTFS: 1 (!blackboxntfs)
BLACKBOXPNP: 1 (!blackboxpnp)
BLACKBOXWINLOGON: 1
CUSTOMER_CRASH_COUNT: 1
PROCESS_NAME: esrv_svc.exe
ERROR_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.
EXCEPTION_CODE_STR: c0000409
EXCEPTION_PARAMETER1: 000000000000001d
DPC_STACK_BASE: FFFFA40C45A97FB0
EXCEPTION_STR: 0xc0000409
STACK_TEXT:
ffffa40c45a97658 fffff80129c07a69 : 0000000000000139 000000000000001d ffffa40c45a97980 ffffa40c45a978d8 : nt!KeBugCheckEx
ffffa40c45a97660 fffff80129c07e90 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : nt!KiBugCheckDispatch+0x69
ffffa40c45a977a0 fffff80129c06223 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : nt!KiFastFailDispatch+0xd0
ffffa40c45a97980 fffff80129c2d7d9 : fffff8012a431f60 fffff80129b0e60f fffff8012a412440 0000000000000000 : nt!KiRaiseSecurityCheckFailure+0x323
ffffa40c45a97b10 fffff80129b0e60f : fffff8012a412440 0000000000000000 fffff8012a4ec000 0000000000001388 : nt!RtlRbInsertNodeEx+0x1ddfe9
ffffa40c45a97b20 fffff80129d1ac6a : 0000000000000002 000000000000000f ffffa40c45a97e70 0000000000000948 : nt!KiSetClockInterval+0xa3
ffffa40c45a97b50 fffff80129d1acf4 : ffffa58075d98240 ffffa40c45a97cb0 0000000000000001 ffffb689e9a022b8 : nt!KiSetVirtualHeteroClockIntervalRequest+0xc6
ffffa40c45a97b80 fffff80129a0781e : ffffa58075d98240 ffffa40c45a97cb0 0000000000000000 ffffb68a00000002 : nt!KiSetVirtualHeteroClockIntervalRequestDpcRoutine+0x14
ffffa40c45a97bb0 fffff80129a06b04 : ffffa58075d95180 0000000000000000 0000000000000000 00000000002c0780 : nt!KiExecuteAllDpcs+0x30e
ffffa40c45a97d20 fffff80129bfcac5 : 0000000000000000 ffffa58075d95180 0000000000000000 ffffb68a17724e20 : nt!KiRetireDpcList+0x1f4
ffffa40c45a97fb0 fffff80129bfc8b0 : ffffa58075dc0000 00000000000223c0 ffffb68a10ec96d0 fffff8012a4df600 : nt!KxRetireDpcList+0x5
ffffa40c49037050 fffff80129bfbf7e : ffffb68a10ec96d0 0000000000000000 0000000000000000 0000000000000000 : nt!KiDispatchInterruptContinue
ffffa40c49037080 0000000000000000 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : nt!KiDpcInterrupt+0x2ee
SYMBOL_NAME: nt!KiFastFailDispatch+d0
MODULE_NAME: nt
IMAGE_NAME: ntkrnlmp.exe
IMAGE_VERSION: 10.0.19041.804
STACK_COMMAND: .thread ; .cxr ; kb
BUCKET_ID_FUNC_OFFSET: d0
FAILURE_BUCKET_ID: 0x139_1d_INVALID_BALANCED_TREE_nt!KiFastFailDispatch
OS_VERSION: 10.0.19041.1
BUILDLAB_STR: vb_release
OSPLATFORM_TYPE: x64
OSNAME: Windows 10
FAILURE_ID_HASH: {67ec97ad-ad0b-071e-ab87-6dc661e22d1b}
Followup: MachineOwner