Kernel Security Check Failure

Takket 96 Reputation points
2021-02-28T18:53:09.397+00:00

Hello, My computer keeps having a problem where out of the blue I'll get the BSOD for Kernel Security Check Failure. It all started about a month ago when there was a Windows Update. Computer would crash afterwards. I uninstalled the update, left it alone for about a week, then installed the update again.

Everything SEEMED fine but these random crashes keep happening about once a day.

Here's what I have done:
Ran SFC multiple times. The first time I did this it said it found corrupted files, and that it fixed them. Since then, no issues.

Ran DISM, no issues.

Ran System memory checker, no issues

Ran a full virus scan of all files, no issues.

The error that keeps coming up in event viewer is "event ID 6008". Here is what I pulled from the event log:

Log Name: System
Source: EventLog
Date: 2/28/2021 9:51:12 AM
Event ID: 6008
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: Red-5
Description: The previous system shutdown at 9:40:56 AM on 2/28/2021 was unexpected.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="EventLog" />
    <EventID Qualifiers="32768">6008</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2021-02-28T14:51:12.8611111Z" />
    <EventRecordID>12259</EventRecordID>
    <Correlation />
    <Execution ProcessID="0" ThreadID="0" />
    <Channel>System</Channel>
    <Computer>Red-5</Computer>
    <Security />
  </System>
  <EventData>
    <Data>9:40:56 AM</Data>
    <Data>2/28/2021</Data>
    <Data> </Data>
    <Data> </Data>
    <Data>75157</Data>
    <Data> </Data>
    <Data> </Data>
    <Binary>E507020000001C00090028003800F300E507020000001C000E0028003800F300080700003C000000010000000807000001000000840300000000000000000000</Binary>
  </EventData>
</Event>

ALSO: I have attached my last minidump file from the latest crash. Note that I had to break it into two parts to get under the upload size limit on this site, but it is all from a single dump. Thank you for any help!

[72761-022821-51218-01-part-1.txt][1] [72680-022821-51218-01-part-2.txt][2]

[1]: /api/attachments/72761-022821-51218-01-part-1.txt?platform=QnA
[2]: /api/attachments/72680-022821-51218-01-part-2.txt?platform=QnA

Windows 10

Accepted answer
  1. Takket 96 Reputation points
    2021-03-02T00:08:17.987+00:00

    Thanks for the tip! I ran the debugger and got this.... Can you help me explain what it means? LOL

    Microsoft (R) Windows Debugger Version 10.0.20153.1000 AMD64
    Copyright (c) Microsoft Corporation. All rights reserved.

    Loading Dump File [C:\Windows\Minidump\022821-51218-01.dmp]
    Mini Kernel Dump File: Only registers and stack trace are available

    Symbol search path is: srv*
    Executable search path is:
    Windows 10 Kernel Version 19041 MP (8 procs) Free x64
    Product: WinNt, suite: TerminalServer SingleUserTS Personal
    Edition build lab: 19041.1.amd64fre.vb_release.191206-1406
    Machine Name:
    Kernel base = 0xfffff80129800000 PsLoadedModuleList = 0xfffff8012a42a390
    Debug session time: Sun Feb 28 09:49:49.368 2021 (UTC - 5:00)
    System Uptime: 0 days 21:01:31.394
    Loading Kernel Symbols
    ...............................................................
    ................................................................
    ................................................................
    ...............................
    Loading User Symbols
    Loading unloaded module list
    ......................
    For analysis of this file, run !analyze -v
    nt!KeBugCheckEx:
    fffff80129bf5a80 48894c2408 mov qword ptr [rsp+8],rcx ss:0018:ffffa40c45a97660=0000000000000139
    7: kd> !analyze -v


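    *******************************************************************************
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    *******************************************************************************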

    KERNEL_SECURITY_CHECK_FAILURE (139)
    A kernel component has corrupted a critical data structure. The corruption
    could potentially allow a malicious user to gain control of this machine.
    Arguments:
    Arg1: 000000000000001d, Type of memory safety violation
    Arg2: ffffa40c45a97980, Address of the trap frame for the exception that caused the bugcheck
    Arg3: ffffa40c45a978d8, Address of the exception record for the exception that caused the bugcheck
    Arg4: 0000000000000000, Reserved

    Debugging Details:


    KEY_VALUES_STRING: 1

    Key  : Analysis.CPU.mSec
    Value: 4125
    
    Key  : Analysis.DebugAnalysisProvider.CPP
    Value: Create: 8007007e on RED-5
    
    Key  : Analysis.DebugData
    Value: CreateObject
    
    Key  : Analysis.DebugModel
    Value: CreateObject
    
    Key  : Analysis.Elapsed.mSec
    Value: 42105
    
    Key  : Analysis.Memory.CommitPeak.Mb
    Value: 81
    
    Key  : Analysis.System
    Value: CreateObject
    
    Key  : WER.OS.Branch
    Value: vb_release
    
    Key  : WER.OS.Timestamp
    Value: 2019-12-06T14:06:00Z
    
    Key  : WER.OS.Version
    Value: 10.0.19041.1
    

    ADDITIONAL_XML: 1

    OS_BUILD_LAYERS: 1

    BUGCHECK_CODE: 139

    BUGCHECK_P1: 1d

    BUGCHECK_P2: ffffa40c45a97980

    BUGCHECK_P3: ffffa40c45a978d8

    BUGCHECK_P4: 0

    TRAP_FRAME: ffffa40c45a97980 -- (.trap 0xffffa40c45a97980)
    NOTE: The trap frame does not contain all registers.
    Some register values may be zeroed or incorrect.
    rax=0000000000000000 rbx=0000000000000000 rcx=000000000000001d
    rdx=fffff8012a419660 rsi=0000000000000000 rdi=0000000000000000
    rip=fffff80129c2d7d9 rsp=ffffa40c45a97b10 rbp=0000000000000000
    r8=fffff8012a4315a0 r9=fffff8012a412440 r10=fffff8012a4ec000
    r11=0000000000000000 r12=0000000000000000 r13=0000000000000000
    r14=0000000000000000 r15=0000000000000000
    iopl=0 nv up ei pl nz na po cy
    nt!RtlRbInsertNodeEx+0x1ddfe9:
    fffff801`29c2d7d9 cd29 int 29h
    Resetting default scope

    EXCEPTION_RECORD: ffffa40c45a978d8 -- (.exr 0xffffa40c45a978d8)
    ExceptionAddress: fffff80129c2d7d9 (nt!RtlRbInsertNodeEx+0x00000000001ddfe9)
    ExceptionCode: c0000409 (Security check failure or stack buffer overrun)
    ExceptionFlags: 00000001
    NumberParameters: 1
    Parameter[0]: 000000000000001d
    Subcode: 0x1d FAST_FAIL_INVALID_BALANCED_TREE

    BLACKBOXBSD: 1 (!blackboxbsd)

    BLACKBOXNTFS: 1 (!blackboxntfs)

    BLACKBOXPNP: 1 (!blackboxpnp)

    BLACKBOXWINLOGON: 1

    CUSTOMER_CRASH_COUNT: 1

    PROCESS_NAME: esrv_svc.exe

    ERROR_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.

    EXCEPTION_CODE_STR: c0000409

    EXCEPTION_PARAMETER1: 000000000000001d

    DPC_STACK_BASE: FFFFA40C45A97FB0

    EXCEPTION_STR: 0xc0000409

    STACK_TEXT:
    ffffa40c45a97658 fffff80129c07a69 : 0000000000000139 000000000000001d ffffa40c45a97980 ffffa40c45a978d8 : nt!KeBugCheckEx
    ffffa40c45a97660 fffff80129c07e90 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : nt!KiBugCheckDispatch+0x69
    ffffa40c45a977a0 fffff80129c06223 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : nt!KiFastFailDispatch+0xd0
    ffffa40c45a97980 fffff80129c2d7d9 : fffff8012a431f60 fffff80129b0e60f fffff8012a412440 0000000000000000 : nt!KiRaiseSecurityCheckFailure+0x323
    ffffa40c45a97b10 fffff80129b0e60f : fffff8012a412440 0000000000000000 fffff8012a4ec000 0000000000001388 : nt!RtlRbInsertNodeEx+0x1ddfe9
    ffffa40c45a97b20 fffff80129d1ac6a : 0000000000000002 000000000000000f ffffa40c45a97e70 0000000000000948 : nt!KiSetClockInterval+0xa3
    ffffa40c45a97b50 fffff80129d1acf4 : ffffa58075d98240 ffffa40c45a97cb0 0000000000000001 ffffb689e9a022b8 : nt!KiSetVirtualHeteroClockIntervalRequest+0xc6
    ffffa40c45a97b80 fffff80129a0781e : ffffa58075d98240 ffffa40c45a97cb0 0000000000000000 ffffb68a00000002 : nt!KiSetVirtualHeteroClockIntervalRequestDpcRoutine+0x14
    ffffa40c45a97bb0 fffff80129a06b04 : ffffa58075d95180 0000000000000000 0000000000000000 00000000002c0780 : nt!KiExecuteAllDpcs+0x30e
    ffffa40c45a97d20 fffff80129bfcac5 : 0000000000000000 ffffa58075d95180 0000000000000000 ffffb68a17724e20 : nt!KiRetireDpcList+0x1f4
    ffffa40c45a97fb0 fffff80129bfc8b0 : ffffa58075dc0000 00000000000223c0 ffffb68a10ec96d0 fffff8012a4df600 : nt!KxRetireDpcList+0x5
    ffffa40c49037050 fffff80129bfbf7e : ffffb68a10ec96d0 0000000000000000 0000000000000000 0000000000000000 : nt!KiDispatchInterruptContinue
    ffffa40c49037080 0000000000000000 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : nt!KiDpcInterrupt+0x2ee

    SYMBOL_NAME: nt!KiFastFailDispatch+d0

    MODULE_NAME: nt

    IMAGE_NAME: ntkrnlmp.exe

    IMAGE_VERSION: 10.0.19041.804

    STACK_COMMAND: .thread ; .cxr ; kb

    BUCKET_ID_FUNC_OFFSET: d0

    FAILURE_BUCKET_ID: 0x139_1d_INVALID_BALANCED_TREE_nt!KiFastFailDispatch

    OS_VERSION: 10.0.19041.1

    BUILDLAB_STR: vb_release

    OSPLATFORM_TYPE: x64

    OSNAME: Windows 10

    FAILURE_ID_HASH: {67ec97ad-ad0b-071e-ab87-6dc661e22d1b}

    Followup: MachineOwner
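
A small triage helper for the `!analyze -v` report above, added here as an example (it is not part of the thread and not Microsoft tooling): it extracts the bug check code, the fast-fail subcode from Arg1, the process context, and the first stack frame below the failure-reporting frames. The `triage` function, the `DISPATCH` list and the three-entry subcode table are assumptions of this example; the sample text is an excerpt of the output above with the stack arguments shortened to `...`.

```python
import re

# Fast-fail subcodes as defined in winnt.h; only three are listed in this example.
FAST_FAIL = {
    0x02: "FAST_FAIL_STACK_COOKIE_CHECK_FAILURE",
    0x03: "FAST_FAIL_CORRUPT_LIST_ENTRY",
    0x1D: "FAST_FAIL_INVALID_BALANCED_TREE",
}
# Frames that only report the failure; the code that detected it sits just below them.
DISPATCH = ("KeBugCheckEx", "KiBugCheckDispatch", "KiFastFailDispatch",
            "KiRaiseSecurityCheckFailure")

# Excerpt of the report above (stack arguments shortened to "...").
SAMPLE = """\
KERNEL_SECURITY_CHECK_FAILURE (139)
Arg1: 000000000000001d, Type of memory safety violation
PROCESS_NAME: esrv_svc.exe
STACK_TEXT:
ffffa40c45a97658 fffff80129c07a69 : ... : nt!KeBugCheckEx
ffffa40c45a97660 fffff80129c07e90 : ... : nt!KiBugCheckDispatch+0x69
ffffa40c45a977a0 fffff80129c06223 : ... : nt!KiFastFailDispatch+0xd0
ffffa40c45a97980 fffff80129c2d7d9 : ... : nt!KiRaiseSecurityCheckFailure+0x323
ffffa40c45a97b10 fffff80129b0e60f : ... : nt!RtlRbInsertNodeEx+0x1ddfe9
ffffa40c45a97b20 fffff80129d1ac6a : ... : nt!KiSetClockInterval+0xa3
"""

def triage(text):
    """Summarise a 0x139 report: subcode, process context, detecting frame."""
    code = re.search(r"^\s*\w+ \(([0-9a-fA-F]+)\)\s*$", text, re.M)
    arg1 = re.search(r"^\s*Arg1:\s*([0-9a-fA-F]+)", text, re.M)
    proc = re.search(r"^\s*PROCESS_NAME:\s*(\S+)", text, re.M)
    # Stack lines look like "<child-sp> <ret-addr> : <args> : module!symbol+off".
    frames = re.findall(
        r"^\s*[0-9a-f`]{16,17} [0-9a-f`]{16,17} : .* : (\S+!\S+)\s*$", text, re.M)
    detecting = next((f for f in frames
                      if f.split("!")[1].split("+")[0] not in DISPATCH), None)
    sub = int(arg1.group(1), 16) if arg1 else None
    return {
        "bugcheck": int(code.group(1), 16) if code else None,
        "subcode": FAST_FAIL.get(sub, hex(sub) if sub is not None else None),
        "process": proc.group(1) if proc else None,
        "detecting_frame": detecting,
        "modules_on_stack": sorted({f.split("!")[0] for f in frames}),
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

Every frame in this report is in `nt`, so the summary names the routine that detected the corrupted tree rather than the component that corrupted it; `PROCESS_NAME` is the process that was current when the check fired.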



2 additional answers

  1. Teemo Tang 11,331 Reputation points
    2021-03-01T02:28:47.25+00:00

    The minidump files you uploaded are in .txt format and cannot be analyzed by WinDbg; the correct format should be .dmp or a compressed package.
    You could download WinDbg Preview from the Store to analyze the dump file yourself; it is simple.
    https://learn.microsoft.com/en-us/windows-hardware/drivers/debugger/debugger-download-tools
    Besides, update the system to the latest version through Windows Update, and also update drivers from Windows Update\View all optional updates\Driver updates.

    Event ID 6008 entries indicate that there was an unexpected shutdown.
    Critical thermal event indicates that the problem is related to one of your hardware components not functioning properly that is triggering the computer to shut down.
    Check if your CPU is overheating. Also check if the heat sink or fan is functioning properly. If the laptop is under warranty, get in touch with the manufacturer.
    If it isn’t, get a good cleaning done for the fan and heat sink with compressed air only if you’re comfortable. Otherwise seek the help of a technician.
    In addition, since power supply plays a major role in cooling the computer’s innards check if PSU (Power Supply Unit) is functioning properly.


  2. Takket 96 Reputation points
    2021-03-05T03:39:58.16+00:00

    I tracked this down to the "Intel Energy checker" using the file name you provided. I installed their driver updater a few weeks ago, around the same time the BSODs started, and have found online others having the same problem.

    It all makes sense now....... thank you for your help, hopefully this stops the BSODs!!!

    https://www.file.net/process/esrv_svc.exe.html
