
DSAPI.exe – NTSTATUS 0xc0000409 – The system detected an overrun of a stack-based buffer in…


Good Morning Everyone,

I’m looking for some help here.

I’ve posted the bug check analysis below.

DSAPI.exe is Dell Support Assist, to my understanding, and I’ve removed this from the computer.

The other things I’ve noticed are:

The C: is staying at 100% "Active time" but the disk transfer rate is very very low

The HDD starts spinning up and then stops; this happens repeatedly until I put the computer into sleep mode. When I take the computer out of sleep mode the hard disk drive does not make the noises, but the PC is still quite slow.

Checked power options

The HDD was replaced approximately 6 months ago

I ran a disk check last night on the C: and it found no errors, but after the check finished the computer hung and I had to hard restart

I’ve run HDD testing software which doesn’t show any errors. Can(*1*)

Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: srv*

(*6*) search path is:

Windows 10 Kernel Version 19041 MP 8 procs Free x64

Product: WinNt, suite: TerminalServer SingleUserTS

Edition build lab: 19041.1.amd64fre.vb_release.191206-1406

Machine Name:

Kernel base = 0xfffff802`1e000000 PsLoadedModuleList = 0xfffff802`1ec2a2b0

Debug session time: Mon Jan 4 16:51:26.179 2021 UTC + 8:00

System Uptime: 1 days 4:08:54.870

Loading Kernel Symbols

………………………………………………………

……………………………………………………….

……………………………………………………….

……………………………

Loading User Symbols

Loading unloaded module list

……………………………………….

For analysis of this file, run !analyze -v

nt!KeBugCheckEx:

fffff802`1e3f5780 48894c2408 mov qword ptr [rsp+8],rcx ss:0018:ffff840e`4200d4f0=0000000000000139

2: kd> !analyze -v

*******************************************************************************

* *

* Bugcheck Analysis *

* *

*******************************************************************************

KERNEL_SECURITY_CHECK_FAILURE 139

A kernel component has corrupted a critical data structure. The corruption

could potentially allow a malicious user to gain control of this machine.

(*12*):

Arg1: 0000000000000003, A LIST_ENTRY has been corrupted i.e. double remove.

Arg2: ffff840e4200d810, Address of the trap frame for the exception that caused the bugcheck

Arg3: ffff840e4200d768, Address of the exception record for the exception that caused the bugcheck

Arg4: 0000000000000000, Reserved

(*10*) Details:

——————

KEY_VALUES_STRING: 1

Key : Analysis.CPU.mSec

Value: 5843

Key : Analysis.DebugAnalysisProvider.CPP

Value: Create: 8007007e on DESKTOP-6P699JR

Key : Analysis.DebugData

Value: CreateObject

Key : Analysis.DebugModel

Value: CreateObject

Key : Analysis.Elapsed.mSec

Value: 34886

Key : Analysis.Memory.CommitPeak.Mb

Value: 86

Key : Analysis.System

Value: CreateObject

Key : WER.OS.Branch

Value: vb_release

Key : WER.OS.(*8*)

Value: 2021-12-06T14:06:00Z

Key : WER.OS.Version

Value: 10.0.19041.1

ADDITIONAL_XML: 1

OS_BUILD_LAYERS: 1

BUGCHECK_CODE: 139

BUGCHECK_P1: 3

BUGCHECK_P2: ffff840e4200d810

BUGCHECK_P3: ffff840e4200d768

BUGCHECK_P4: 0

TRAP_FRAME: ffff840e4200d810 — .trap 0xffff840e4200d810

NOTE: The trap frame does not contain all registers.

Some register values may be zeroed or incorrect.

rax=ffff8880f3f27d80 rbx=0000000000000000 rcx=0000000000000003

rdx=ffffd20eacb68158 rsi=0000000000000000 rdi=0000000000000000

rip=fffff8021e2651f3 rsp=ffff840e4200d9a0 rbp=ffff8880f3f20180

r8=0000000000000000 r9=00000027e3ddbd4c r10=0000fffff8021e36

r11=ffff840e4200da38 r12=0000000000000000 r13=0000000000000000

r14=0000000000000000 r15=0000000000000000

iopl=0 nv up ei pl nz na po nc

nt!KiCommitThreadWait+0x5c3:

fffff802`1e2651f3 cd29 int 29h

Resetting default scope

EXCEPTION_RECORD: ffff840e4200d768 — .exr 0xffff840e4200d768

ExceptionAddress: fffff8021e2651f3 nt!KiCommitThreadWait+0x00000000000005c3

ExceptionCode: c0000409 Security check failure or stack buffer overrun

ExceptionFlags: 00000001

NumberParameters: 1

Parameter[0]: 0000000000000003

Subcode: 0x3 FAST_FAIL_CORRUPT_LIST_ENTRY

BLACKBOXBSD: 1 !blackboxbsd

BLACKBOXNTFS: 1 !blackboxntfs

BLACKBOXPNP: 1 !blackboxpnp

BLACKBOXWINLOGON: 1

CUSTOMER_CRASH_COUNT: 1

PROCESS_NAME: DSAPI.exe

ERROR_CODE: NTSTATUS 0xc0000409 – The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.

EXCEPTION_CODE_STR: c0000409

EXCEPTION_PARAMETER1: 0000000000000003

EXCEPTION_STR: 0xc0000409

STACK_TEXT:

ffff840e`4200d4e8 fffff802`1e407769 : 00000000`00000139 00000000`00000003 ffff840e`4200d810 ffff840e`4200d768 : nt!KeBugCheckEx

ffff840e`4200d4f0 fffff802`1e407b90 : ffff8880`00000000 00000000`00000000 ffff7879`83000000 00000000`00000001 : nt!KiBugCheckDispatch+0x69

ffff840e`4200d630 fffff802`1e405f23 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiFastFailDispatch+0xd0

ffff840e`4200d810 fffff802`1e2651f3 : ffff840e`4200da40 fffff802`1e278387 000000eb`f0f9b331 00000000`00989680 : nt!KiRaiseSecurityCheckFailure+0x323

ffff840e`4200d9a0 fffff802`1e2296d2 : 00000000`00000000 00000000`00000000 ffffd20e`00000000 00000000`00000000 : nt!KiCommitThreadWait+0x5c3

ffff840e`4200da40 fffff802`1e5edd7f : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000002 : nt!KeDelayExecutionThread+0x122

ffff840e`4200dad0 fffff802`1e4071b8 : 00000000`00000000 00000000`00000001 ffffffff`fffe7960 ffff840e`4200db80 : nt!NtDelayExecution+0x5f

ffff840e`4200db00 00007ff9`162ac634 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x28

000000dc`40e7f468 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x00007ff9`162ac634

SYMBOL_NAME: nt!KiCommitThreadWait+5c3

MODULE_NAME: nt

IMAGE_NAME: ntkrnlmp.exe

IMAGE_VERSION: 10.0.19041.685

STACK_COMMAND: .thread ; .cxr ; kb

BUCKET_ID_FUNC_OFFSET: 5c3

FAILURE_BUCKET_ID: 0x139_3_CORRUPT_LIST_ENTRY_KTIMER_LIST_CORRUPTION_nt!KiCommitThreadWait

OS_VERSION: 10.0.19041.1

BUILDLAB_STR: vb_release

OSPLATFORM_TYPE: x64

OSNAME: Windows 10

FAILURE_ID_HASH: {369b7001-cfef-011b-6243-985c04f34d42}

Followup: MachineOwner

🙂