Takket-7702 asked ·

Kernel Security Check Failure

Hello, my computer keeps having a problem where out of the blue I'll get the BSOD for Kernel Security Check Failure. It all started about a month ago when there was a Windows Update. Computer would crash afterwards. I uninstalled the update, left it alone for about a week, then installed the update again.

Everything SEEMED fine but these random crashes keep happening about once a day.

Here's what I have done:
Ran SFC multiple times. The first time I did this it said it found corrupted files, and that it fixed them. Since then, no issues.

Ran DISM, no issues.

Ran System memory checker, no issues.

Ran a full virus scan of all files, no issues.

The error that keeps coming up in event viewer is "event ID 6008". Here is what I pulled from event log:

Log Name: System
Source: EventLog
Date: 2/28/2021 9:51:12 AM
Event ID: 6008
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: Red-5
Description: The previous system shutdown at 9:40:56 AM on 2/28/2021 was unexpected.

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="EventLog" />
    <EventID Qualifiers="32768">6008</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2021-02-28T14:51:12.8611111Z" />
    <EventRecordID>12259</EventRecordID>
    <Correlation />
    <Execution ProcessID="0" ThreadID="0" />
    <Channel>System</Channel>
    <Computer>Red-5</Computer>
    <Security />
  </System>
  <EventData>
    <Data>9:40:56 AM</Data>
    <Data>2/28/2021</Data>
    <Data> </Data>
    <Data> </Data>
    <Data>75157</Data>
    <Data> </Data>
    <Data> </Data>
    <Binary>E507020000001C00090028003800F300E507020000001C000E0028003800F300080700003C000000010000000807000001000000840300000000000000000000</Binary>
  </EventData>
</Event>

ALSO: I have attached my last minidump file from the latest crash. Note that I had to break it into two parts to get under the upload size limit on this site, but it is all from a single dump. Thank you for any help!

[72761-022821-51218-01-part-1.txt][1]
[72680-022821-51218-01-part-2.txt][2]

[1]: /answers/storage/attachments/72761-022821-51218-01-part-1.txt
[2]: /answers/storage/attachments/72680-022821-51218-01-part-2.txt

windows-10-general

Takket-7702 answered ·

Thanks for the tip! I ran the debugger and got this.... Can you help me explain what it means? LOL


Microsoft (R) Windows Debugger Version 10.0.20153.1000 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [C:\Windows\Minidump\022821-51218-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: srv*
Executable search path is:
Windows 10 Kernel Version 19041 MP (8 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS Personal
Edition build lab: 19041.1.amd64fre.vb_release.191206-1406
Machine Name:
Kernel base = 0xfffff801`29800000 PsLoadedModuleList = 0xfffff801`2a42a390
Debug session time: Sun Feb 28 09:49:49.368 2021 (UTC - 5:00)
System Uptime: 0 days 21:01:31.394
Loading Kernel Symbols
...............................................................
................................................................
................................................................
...............................
Loading User Symbols
Loading unloaded module list
......................
For analysis of this file, run !analyze -v
nt!KeBugCheckEx:
fffff801`29bf5a80 48894c2408 mov qword ptr [rsp+8],rcx ss:0018:ffffa40c`45a97660=0000000000000139
7: kd> !analyze -v



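*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************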



KERNEL_SECURITY_CHECK_FAILURE (139)
A kernel component has corrupted a critical data structure. The corruption
could potentially allow a malicious user to gain control of this machine.
Arguments:
Arg1: 000000000000001d, Type of memory safety violation
Arg2: ffffa40c45a97980, Address of the trap frame for the exception that caused the bugcheck
Arg3: ffffa40c45a978d8, Address of the exception record for the exception that caused the bugcheck
Arg4: 0000000000000000, Reserved

Debugging Details:




KEY_VALUES_STRING: 1

 Key  : Analysis.CPU.mSec
 Value: 4125

 Key  : Analysis.DebugAnalysisProvider.CPP
 Value: Create: 8007007e on RED-5

 Key  : Analysis.DebugData
 Value: CreateObject

 Key  : Analysis.DebugModel
 Value: CreateObject

 Key  : Analysis.Elapsed.mSec
 Value: 42105

 Key  : Analysis.Memory.CommitPeak.Mb
 Value: 81

 Key  : Analysis.System
 Value: CreateObject

 Key  : WER.OS.Branch
 Value: vb_release

 Key  : WER.OS.Timestamp
 Value: 2019-12-06T14:06:00Z

 Key  : WER.OS.Version
 Value: 10.0.19041.1


ADDITIONAL_XML: 1

OS_BUILD_LAYERS: 1

BUGCHECK_CODE: 139

BUGCHECK_P1: 1d

BUGCHECK_P2: ffffa40c45a97980

BUGCHECK_P3: ffffa40c45a978d8

BUGCHECK_P4: 0

TRAP_FRAME: ffffa40c45a97980 -- (.trap 0xffffa40c45a97980)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=0000000000000000 rbx=0000000000000000 rcx=000000000000001d
rdx=fffff8012a419660 rsi=0000000000000000 rdi=0000000000000000
rip=fffff80129c2d7d9 rsp=ffffa40c45a97b10 rbp=0000000000000000
r8=fffff8012a4315a0 r9=fffff8012a412440 r10=fffff8012a4ec000
r11=0000000000000000 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei pl nz na po cy
nt!RtlRbInsertNodeEx+0x1ddfe9:
fffff801`29c2d7d9 cd29 int 29h
Resetting default scope

EXCEPTION_RECORD: ffffa40c45a978d8 -- (.exr 0xffffa40c45a978d8)
ExceptionAddress: fffff80129c2d7d9 (nt!RtlRbInsertNodeEx+0x00000000001ddfe9)
ExceptionCode: c0000409 (Security check failure or stack buffer overrun)
ExceptionFlags: 00000001
NumberParameters: 1
Parameter[0]: 000000000000001d
Subcode: 0x1d FAST_FAIL_INVALID_BALANCED_TREE

BLACKBOXBSD: 1 (!blackboxbsd)


BLACKBOXNTFS: 1 (!blackboxntfs)


BLACKBOXPNP: 1 (!blackboxpnp)


BLACKBOXWINLOGON: 1

CUSTOMER_CRASH_COUNT: 1

PROCESS_NAME: esrv_svc.exe

ERROR_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.

EXCEPTION_CODE_STR: c0000409

EXCEPTION_PARAMETER1: 000000000000001d

DPC_STACK_BASE: FFFFA40C45A97FB0

EXCEPTION_STR: 0xc0000409

STACK_TEXT:
ffffa40c`45a97658 fffff801`29c07a69 : 00000000`00000139 00000000`0000001d ffffa40c`45a97980 ffffa40c`45a978d8 : nt!KeBugCheckEx
ffffa40c`45a97660 fffff801`29c07e90 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiBugCheckDispatch+0x69
ffffa40c`45a977a0 fffff801`29c06223 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiFastFailDispatch+0xd0
ffffa40c`45a97980 fffff801`29c2d7d9 : fffff801`2a431f60 fffff801`29b0e60f fffff801`2a412440 00000000`00000000 : nt!KiRaiseSecurityCheckFailure+0x323
ffffa40c`45a97b10 fffff801`29b0e60f : fffff801`2a412440 00000000`00000000 fffff801`2a4ec000 00000000`00001388 : nt!RtlRbInsertNodeEx+0x1ddfe9
ffffa40c`45a97b20 fffff801`29d1ac6a : 00000000`00000002 00000000`0000000f ffffa40c`45a97e70 00000000`00000948 : nt!KiSetClockInterval+0xa3
ffffa40c`45a97b50 fffff801`29d1acf4 : ffffa580`75d98240 ffffa40c`45a97cb0 00000000`00000001 ffffb689`e9a022b8 : nt!KiSetVirtualHeteroClockIntervalRequest+0xc6
ffffa40c`45a97b80 fffff801`29a0781e : ffffa580`75d98240 ffffa40c`45a97cb0 00000000`00000000 ffffb68a`00000002 : nt!KiSetVirtualHeteroClockIntervalRequestDpcRoutine+0x14
ffffa40c`45a97bb0 fffff801`29a06b04 : ffffa580`75d95180 00000000`00000000 00000000`00000000 00000000`002c0780 : nt!KiExecuteAllDpcs+0x30e
ffffa40c`45a97d20 fffff801`29bfcac5 : 00000000`00000000 ffffa580`75d95180 00000000`00000000 ffffb68a`17724e20 : nt!KiRetireDpcList+0x1f4
ffffa40c`45a97fb0 fffff801`29bfc8b0 : ffffa580`75dc0000 00000000`000223c0 ffffb68a`10ec96d0 fffff801`2a4df600 : nt!KxRetireDpcList+0x5
ffffa40c`49037050 fffff801`29bfbf7e : ffffb68a`10ec96d0 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiDispatchInterruptContinue
ffffa40c`49037080 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiDpcInterrupt+0x2ee


SYMBOL_NAME: nt!KiFastFailDispatch+d0

MODULE_NAME: nt

IMAGE_NAME: ntkrnlmp.exe

IMAGE_VERSION: 10.0.19041.804

STACK_COMMAND: .thread ; .cxr ; kb

BUCKET_ID_FUNC_OFFSET: d0

FAILURE_BUCKET_ID: 0x139_1d_INVALID_BALANCED_TREE_nt!KiFastFailDispatch

OS_VERSION: 10.0.19041.1

BUILDLAB_STR: vb_release

OSPLATFORM_TYPE: x64

OSNAME: Windows 10

FAILURE_ID_HASH: {67ec97ad-ad0b-071e-ab87-6dc661e22d1b}

Followup: MachineOwner




I see PROCESS_NAME: esrv_svc.exe in your WinDbg log.
The genuine esrv_svc.exe file is a software component of Sony® VAIO Care by Sony Corporation.
Sony developed a driver file named "esrv_svc.exe" as part of its "VAIO Care" software for its VAIO laptops. Its function is related to monitoring power usage.
Try to uninstall this driver and restart computer to check result.

0 Votes 0 ·
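
One way to pull the triage-relevant fields out of an `!analyze -v` log like the one posted above, as an added example that is not part of the original thread. The `triage` helper, the set of modules treated as OS core and the DPC check are assumptions; the sample lines are copied from the posted output, with the stack trimmed.

```python
import re

# Constructed sample: selected lines copied from the !analyze -v output posted
# above, with STACK_TEXT trimmed to the frames on either side of the failure.
SAMPLE = r"""
BUGCHECK_CODE: 139
BUGCHECK_P1: 1d
PROCESS_NAME: esrv_svc.exe
STACK_TEXT:
ffffa40c`45a97658 fffff801`29c07a69 : 00000000`00000139 00000000`0000001d ffffa40c`45a97980 ffffa40c`45a978d8 : nt!KeBugCheckEx
ffffa40c`45a97980 fffff801`29c2d7d9 : fffff801`2a431f60 fffff801`29b0e60f fffff801`2a412440 00000000`00000000 : nt!KiRaiseSecurityCheckFailure+0x323
ffffa40c`45a97b10 fffff801`29b0e60f : fffff801`2a412440 00000000`00000000 fffff801`2a4ec000 00000000`00001388 : nt!RtlRbInsertNodeEx+0x1ddfe9
ffffa40c`45a97b20 fffff801`29d1ac6a : 00000000`00000002 00000000`0000000f ffffa40c`45a97e70 00000000`00000948 : nt!KiSetClockInterval+0xa3
ffffa40c`45a97bb0 fffff801`29a06b04 : ffffa580`75d95180 00000000`00000000 00000000`00000000 00000000`002c0780 : nt!KiExecuteAllDpcs+0x30e
"""

# Fast-fail subcodes (Arg1 of bugcheck 0x139); only a few are listed here.
FAST_FAIL = {0x02: "FAST_FAIL_STACK_COOKIE_CHECK_FAILURE",
             0x03: "FAST_FAIL_CORRUPT_LIST_ENTRY",
             0x1D: "FAST_FAIL_INVALID_BALANCED_TREE"}
CORE = {"nt", "hal"}                      # assumption: modules treated as OS core
DPC_FRAMES = {"KiExecuteAllDpcs", "KiRetireDpcList"}
FIELD = re.compile(r"^([A-Z_0-9]+):[ \t]*(\S.*)$", re.M)
FRAME = re.compile(r"^[0-9a-f`]{17} [0-9a-f`]{17} : .* : (\w+)!(\w+)", re.M)

def triage(text):
    fields = dict(FIELD.findall(text))
    frames = FRAME.findall(text)          # (module, function), newest frame first
    funcs = [func for _, func in frames]
    code = int(fields["BUGCHECK_CODE"], 16)
    sub = int(fields["BUGCHECK_P1"], 16)
    detected_in = None
    if "KiRaiseSecurityCheckFailure" in funcs:
        # The frame below the raise helper is the code that executed int 29h.
        nxt = funcs.index("KiRaiseSecurityCheckFailure") + 1
        if nxt < len(frames):
            detected_in = "!".join(frames[nxt])
    return {
        "bugcheck": code,
        "subcode_name": FAST_FAIL.get(sub, hex(sub)) if code == 0x139 else None,
        "detected_in": detected_in,
        "third_party_in_stack": sorted({m for m, _ in frames if m.lower() not in CORE}),
        # A DPC runs in whatever process was current, so PROCESS_NAME is only a lead.
        "in_dpc": bool(DPC_FRAMES & set(funcs)),
        "process_context": fields.get("PROCESS_NAME"),
    }

if __name__ == "__main__":
    print(triage(SAMPLE))
```

On the posted log this reports the check firing in `nt!RtlRbInsertNodeEx` from a DPC with no non-core modules on the stack, so `PROCESS_NAME` names the process that was current on that CPU rather than a frame in the trace.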
TeemoTang-MSFT answered ·

The minidump files you uploaded are in .txt format and cannot be analyzed by WinDbg; the correct format should be .dmp format or compressed package format.
You could download WinDbg Preview from the Store to analyze the dump file by yourself; it is simple.
https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/debugger-download-tools
Besides, update the system to the latest version through Windows Update, and also update drivers from Windows Update\View all optional updates\Driver updates.

Event ID 6008 entries indicate that there was an unexpected shutdown.
Critical thermal event indicates that the problem is related to one of your hardware components not functioning properly that is triggering the computer to shut down.
Check if your CPU is overheating. Also check if the heat sink or fan is functioning properly. If the laptop is under warranty, get in touch with the manufacturer.
If it isn’t, get a good cleaning done for the fan and heat sink with compressed air only if you’re comfortable. Otherwise seek the help of a technician.
In addition, since the power supply plays a major role in cooling the computer’s innards, check if the PSU (Power Supply Unit) is functioning properly.


Takket-7702 answered ·

I tracked this down to the "Intel Energy checker" using the file name you provided. I installed their driver updater a few weeks ago, around the same time the BSODs started, and have found online others having the same problem.

It all makes sense now....... thank you for your help, hopefully this stops the BSODs!!!

https://www.file.net/process/esrv_svc.exe.html
