I've been experiencing this issue regularly ever since I migrated from WS-12 and a Win-10 update. Following is what I have from a recent crash.
Any ideas/suggestions?
==========================================================================================
Microsoft (R) Windows Debugger Version 10.0.20153.1000 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [C:\WINDOWS\MEMORY.DMP]
Kernel Bitmap Dump File: Kernel address space is available, User address space may not be available.
************* Path validation summary **************
Response Time (ms) Location
Deferred srv*
Symbol search path is: srv*
Executable search path is:
Windows 10 Kernel Version 18362 MP (2 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Edition build lab: 18362.1.amd64fre.19h1_release.190318-1202
Machine Name:
Kernel base = 0xfffff807`32800000 PsLoadedModuleList = 0xfffff807`32c461b0
Debug session time: Sat Feb 6 17:41:29.751 2021 (UTC - 5:00)
System Uptime: 0 days 7:09:45.054
Loading Kernel Symbols
...............................................................
................................................................
................................................................
...
Loading User Symbols
PEB is paged out (Peb.Ldr = 000000ca`3261b018). Type ".hh dbgerr001" for details
Loading unloaded module list
........
For analysis of this file, run !analyze -v
nt!KeBugCheckEx:
fffff807`329c3b20 48894c2408 mov qword ptr [rsp+8],rcx ss:fffff807`372928d0=0000000000000139
0: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
KERNEL_SECURITY_CHECK_FAILURE (139)
A kernel component has corrupted a critical data structure. The corruption
could potentially allow a malicious user to gain control of this machine.
Arguments:
Arg1: 0000000000000003, A LIST_ENTRY has been corrupted (i.e. double remove).
Arg2: fffff80737292bf0, Address of the trap frame for the exception that caused the bugcheck
Arg3: fffff80737292b48, Address of the exception record for the exception that caused the bugcheck
Arg4: 0000000000000000, Reserved
Debugging Details:
------------------
KEY_VALUES_STRING: 1
Key : Analysis.CPU.mSec
Value: 13952
Key : Analysis.DebugAnalysisProvider.CPP
Value: Create: 8007007e on DESKTOP-J91JQE3
Key : Analysis.DebugData
Value: CreateObject
Key : Analysis.DebugModel
Value: CreateObject
Key : Analysis.Elapsed.mSec
Value: 14834
Key : Analysis.Memory.CommitPeak.Mb
Value: 73
Key : Analysis.System
Value: CreateObject
Key : WER.OS.Branch
Value: 19h1_release
Key : WER.OS.Timestamp
Value: 2019-03-18T12:02:00Z
Key : WER.OS.Version
Value: 10.0.18362.1
ADDITIONAL_XML: 1
OS_BUILD_LAYERS: 1
VIRTUAL_MACHINE: VMware
BUGCHECK_CODE: 139
BUGCHECK_P1: 3
BUGCHECK_P2: fffff80737292bf0
BUGCHECK_P3: fffff80737292b48
BUGCHECK_P4: 0
TRAP_FRAME: fffff80737292bf0 -- (.trap 0xfffff80737292bf0)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=fffff8072f41f728 rbx=0000000000000000 rcx=0000000000000003
rdx=fffff8072f41f728 rsi=0000000000000000 rdi=0000000000000000
rip=fffff80732a29400 rsp=fffff80737292d80 rbp=fffff80737292e80
r8=0000003c0916f062 r9=ffffb10c8e948180 r10=fffff8072f41d800
r11=0000000000000000 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei pl nz na po nc
nt!KiRetireDpcList+0x167630:
fffff807`32a29400 cd29 int 29h
Resetting default scope
EXCEPTION_RECORD: fffff80737292b48 -- (.exr 0xfffff80737292b48)
ExceptionAddress: fffff80732a29400 (nt!KiRetireDpcList+0x0000000000167630)
ExceptionCode: c0000409 (Security check failure or stack buffer overrun)
ExceptionFlags: 00000001
NumberParameters: 1
Parameter[0]: 0000000000000003
Subcode: 0x3 FAST_FAIL_CORRUPT_LIST_ENTRY
BLACKBOXBSD: 1 (!blackboxbsd)
BLACKBOXNTFS: 1 (!blackboxntfs)
BLACKBOXPNP: 1 (!blackboxpnp)
BLACKBOXWINLOGON: 1
PROCESS_NAME: vmtoolsd.exe
ERROR_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.
EXCEPTION_CODE_STR: c0000409
EXCEPTION_PARAMETER1: 0000000000000003
DPC_STACK_BASE: FFFFF80737292FB0
EXCEPTION_STR: 0xc0000409
STACK_TEXT:
fffff807`372928c8 fffff807`329d5929 : 00000000`00000139 00000000`00000003 fffff807`37292bf0 fffff807`37292b48 : nt!KeBugCheckEx
fffff807`372928d0 fffff807`329d5d50 : 00000000`00000004 00000000`0000001a 40200342`00000000 fffff832`00000000 : nt!KiBugCheckDispatch+0x69
fffff807`37292a10 fffff807`329d40e3 : ffffb10c`00000000 ffffb10c`8d740180 00000000`00000f44 00000000`00400a02 : nt!KiFastFailDispatch+0xd0
fffff807`37292bf0 fffff807`32a29400 : 00000000`00000016 00000000`00989680 00000000`000f0245 fffff807`2f41d800 : nt!KiRaiseSecurityCheckFailure+0x323
fffff807`37292d80 fffff807`329cab25 : 00000000`00000000 fffff807`2f41a180 fffff807`33325100 00000000`104ce33f : nt!KiRetireDpcList+0x167630
fffff807`37292fb0 fffff807`329ca910 : 00000000`00000054 fffff807`329ca1b1 00000000`01000010 00000000`00000286 : nt!KxRetireDpcList+0x5
fffffe0c`327c6ac0 fffff807`329ca1c5 : 00000000`104ce33f fffff807`329c5b91 00000000`00000001 fffffe0c`327c6b80 : nt!KiDispatchInterruptContinue
fffffe0c`327c6af0 fffff807`329c5b91 : 00000000`00000001 fffffe0c`327c6b80 fffff807`33325100 ffffb10c`8eac33e0 : nt!KiDpcInterruptBypass+0x25
fffffe0c`327c6b00 00007ffc`2bff9f50 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiInterruptDispatchNoLockNoEtw+0xb1
000000ca`32bff308 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x00007ffc`2bff9f50
SYMBOL_NAME: nt!KiFastFailDispatch+d0
MODULE_NAME: nt
IMAGE_NAME: ntkrnlmp.exe
STACK_COMMAND: .thread ; .cxr ; kb
BUCKET_ID_FUNC_OFFSET: d0
FAILURE_BUCKET_ID: 0x139_3_CORRUPT_LIST_ENTRY_nt!KiFastFailDispatch
OS_VERSION: 10.0.18362.1
BUILDLAB_STR: 19h1_release
OSPLATFORM_TYPE: x64
OSNAME: Windows 10
FAILURE_ID_HASH: {3aede96a-54dd-40d6-d4cb-2a161a843851}
Followup: MachineOwner
---------
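What the `Arg1: 3` / `FAST_FAIL_CORRUPT_LIST_ENTRY` subcode in the dump above refers to, as an added example that is not part of the original post and is not Microsoft or VMware code: a simplified user-mode model of the link-consistency check done before an entry is unlinked from a doubly linked list. All names are hypothetical, and the function returns `false` at the point where the kernel instead raises the fast-fail (`int 29h` with `rcx=3` in the trap frame).

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Same shape as a Windows LIST_ENTRY: node of a circular doubly linked list. */
typedef struct list_entry {
    struct list_entry *flink;   /* forward link (next) */
    struct list_entry *blink;   /* backward link (previous) */
} list_entry;

static void list_init(list_entry *head) { head->flink = head->blink = head; }

/* Insert at the tail, refusing if the current tail no longer points at head. */
static bool checked_insert_tail(list_entry *head, list_entry *e) {
    list_entry *prev = head->blink;
    if (prev->flink != head) return false;
    e->flink = head;
    e->blink = prev;
    prev->flink = e;
    head->blink = e;
    return true;
}

/* Unlink only if both neighbours still point back at the entry. A second
 * removal of the same entry fails this test because its links are stale. */
static bool checked_remove(list_entry *e) {
    if (e->flink->blink != e || e->blink->flink != e)
        return false;           /* kernel: fast-fail, code 3, bugcheck 0x139 */
    e->blink->flink = e->flink;
    e->flink->blink = e->blink;
    return true;
}

/* Constructed scenario: queue a and b, then remove a twice ("double remove").
 * Returns 1 when the second removal is rejected and the list is still intact. */
int double_remove_detected(void) {
    list_entry head, a, b;
    list_init(&head);
    checked_insert_tail(&head, &a);
    checked_insert_tail(&head, &b);
    bool first = checked_remove(&a);    /* succeeds: head <-> b remains */
    bool second = checked_remove(&a);   /* a.flink is b, but b.blink is head */
    return first && !second && head.flink == &b && b.blink == &head &&
           b.flink == &head && head.blink == &b;
}

int main(void) {
    printf("double remove detected: %d\n", double_remove_detected());
    return 0;
}
```

The check only reports that the list was already inconsistent when it was touched; the component that corrupted it is not necessarily the one on the stack at the time of the bugcheck.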
Hi,
This is obviously more useful for VMware engineers than for any other forum visitor.
I do however have two questions when I see the memory dump output.
1. Are you on the latest VMware Tools? (my guess is yes, but... guessing is dangerous when troubleshooting)
2. Is your VM on the latest virtual hardware?
It would probably also be useful for VMware to attach a vmware.log file that has the crash time in there.
--
Wil
Moderator: The “spoiler” function on the extended toolbar of the post creator/editor (a triangle with exclamation mark) is ideal for posting text dumps, making the thread easier to scroll through. I have amended your initial post above.
Thanks @scott28tt
