nkaufman
Enthusiast

WS15 Crash on resume

I've been experiencing this issue regularly ever since I migrated from WS-12 and a Win-10 update. Following is what I have from a recent crash.

Any ideas/suggestions?


==========================================================================================
Microsoft (R) Windows Debugger Version 10.0.20153.1000 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [C:\WINDOWS\MEMORY.DMP]
Kernel Bitmap Dump File: Kernel address space is available, User address space may not be available.


************* Path validation summary **************
Response Time (ms) Location
Deferred srv*
Symbol search path is: srv*
Executable search path is:
Windows 10 Kernel Version 18362 MP (2 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Edition build lab: 18362.1.amd64fre.19h1_release.190318-1202
Machine Name:
Kernel base = 0xfffff807`32800000 PsLoadedModuleList = 0xfffff807`32c461b0
Debug session time: Sat Feb 6 17:41:29.751 2021 (UTC - 5:00)
System Uptime: 0 days 7:09:45.054
Loading Kernel Symbols
...............................................................
................................................................
................................................................
...
Loading User Symbols
PEB is paged out (Peb.Ldr = 000000ca`3261b018). Type ".hh dbgerr001" for details
Loading unloaded module list
........
For analysis of this file, run !analyze -v
nt!KeBugCheckEx:
fffff807`329c3b20 48894c2408 mov qword ptr [rsp+8],rcx ss:fffff807`372928d0=0000000000000139
0: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

KERNEL_SECURITY_CHECK_FAILURE (139)
A kernel component has corrupted a critical data structure. The corruption
could potentially allow a malicious user to gain control of this machine.
Arguments:
Arg1: 0000000000000003, A LIST_ENTRY has been corrupted (i.e. double remove).
Arg2: fffff80737292bf0, Address of the trap frame for the exception that caused the bugcheck
Arg3: fffff80737292b48, Address of the exception record for the exception that caused the bugcheck
Arg4: 0000000000000000, Reserved

Debugging Details:
------------------


KEY_VALUES_STRING: 1

Key : Analysis.CPU.mSec
Value: 13952

Key : Analysis.DebugAnalysisProvider.CPP
Value: Create: 8007007e on DESKTOP-J91JQE3

Key : Analysis.DebugData
Value: CreateObject

Key : Analysis.DebugModel
Value: CreateObject

Key : Analysis.Elapsed.mSec
Value: 14834

Key : Analysis.Memory.CommitPeak.Mb
Value: 73

Key : Analysis.System
Value: CreateObject

Key : WER.OS.Branch
Value: 19h1_release

Key : WER.OS.Timestamp
Value: 2019-03-18T12:02:00Z

Key : WER.OS.Version
Value: 10.0.18362.1


ADDITIONAL_XML: 1

OS_BUILD_LAYERS: 1

VIRTUAL_MACHINE: VMware

BUGCHECK_CODE: 139

BUGCHECK_P1: 3

BUGCHECK_P2: fffff80737292bf0

BUGCHECK_P3: fffff80737292b48

BUGCHECK_P4: 0

TRAP_FRAME: fffff80737292bf0 -- (.trap 0xfffff80737292bf0)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=fffff8072f41f728 rbx=0000000000000000 rcx=0000000000000003
rdx=fffff8072f41f728 rsi=0000000000000000 rdi=0000000000000000
rip=fffff80732a29400 rsp=fffff80737292d80 rbp=fffff80737292e80
r8=0000003c0916f062 r9=ffffb10c8e948180 r10=fffff8072f41d800
r11=0000000000000000 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei pl nz na po nc
nt!KiRetireDpcList+0x167630:
fffff807`32a29400 cd29 int 29h
Resetting default scope

EXCEPTION_RECORD: fffff80737292b48 -- (.exr 0xfffff80737292b48)
ExceptionAddress: fffff80732a29400 (nt!KiRetireDpcList+0x0000000000167630)
ExceptionCode: c0000409 (Security check failure or stack buffer overrun)
ExceptionFlags: 00000001
NumberParameters: 1
Parameter[0]: 0000000000000003
Subcode: 0x3 FAST_FAIL_CORRUPT_LIST_ENTRY

BLACKBOXBSD: 1 (!blackboxbsd)


BLACKBOXNTFS: 1 (!blackboxntfs)


BLACKBOXPNP: 1 (!blackboxpnp)


BLACKBOXWINLOGON: 1

PROCESS_NAME: vmtoolsd.exe

ERROR_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.

EXCEPTION_CODE_STR: c0000409

EXCEPTION_PARAMETER1: 0000000000000003

DPC_STACK_BASE: FFFFF80737292FB0

EXCEPTION_STR: 0xc0000409

STACK_TEXT:
fffff807`372928c8 fffff807`329d5929 : 00000000`00000139 00000000`00000003 fffff807`37292bf0 fffff807`37292b48 : nt!KeBugCheckEx
fffff807`372928d0 fffff807`329d5d50 : 00000000`00000004 00000000`0000001a 40200342`00000000 fffff832`00000000 : nt!KiBugCheckDispatch+0x69
fffff807`37292a10 fffff807`329d40e3 : ffffb10c`00000000 ffffb10c`8d740180 00000000`00000f44 00000000`00400a02 : nt!KiFastFailDispatch+0xd0
fffff807`37292bf0 fffff807`32a29400 : 00000000`00000016 00000000`00989680 00000000`000f0245 fffff807`2f41d800 : nt!KiRaiseSecurityCheckFailure+0x323
fffff807`37292d80 fffff807`329cab25 : 00000000`00000000 fffff807`2f41a180 fffff807`33325100 00000000`104ce33f : nt!KiRetireDpcList+0x167630
fffff807`37292fb0 fffff807`329ca910 : 00000000`00000054 fffff807`329ca1b1 00000000`01000010 00000000`00000286 : nt!KxRetireDpcList+0x5
fffffe0c`327c6ac0 fffff807`329ca1c5 : 00000000`104ce33f fffff807`329c5b91 00000000`00000001 fffffe0c`327c6b80 : nt!KiDispatchInterruptContinue
fffffe0c`327c6af0 fffff807`329c5b91 : 00000000`00000001 fffffe0c`327c6b80 fffff807`33325100 ffffb10c`8eac33e0 : nt!KiDpcInterruptBypass+0x25
fffffe0c`327c6b00 00007ffc`2bff9f50 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiInterruptDispatchNoLockNoEtw+0xb1
000000ca`32bff308 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x00007ffc`2bff9f50


SYMBOL_NAME: nt!KiFastFailDispatch+d0

MODULE_NAME: nt

IMAGE_NAME: ntkrnlmp.exe

STACK_COMMAND: .thread ; .cxr ; kb

BUCKET_ID_FUNC_OFFSET: d0

FAILURE_BUCKET_ID: 0x139_3_CORRUPT_LIST_ENTRY_nt!KiFastFailDispatch

OS_VERSION: 10.0.18362.1

BUILDLAB_STR: 19h1_release

OSPLATFORM_TYPE: x64

OSNAME: Windows 10

FAILURE_ID_HASH: {3aede96a-54dd-40d6-d4cb-2a161a843851}

Followup: MachineOwner
---------

 
