
0x00000139

2023-11-11 23:13 | Source: compiled from the web | Views: 265

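0x00000139 - kernel security check failure - ntoskrnl.exe blue screen troubleshooting

Blue screen information

Keywords

ntoskrnl.exe, 0x00000139, stop code kernel security check failure

Blue screen analysis

Viewing the minidump with BlueScreenView

*** ntoskrnl.exe - Address 0xfffff80514ff71b0 base at 0xfffff80514c00000 DateStamp 0x6e567aa7

BlueScreenView attributes the blue screen to ntoskrnl.exe, but that is the Windows kernel image, so this does not identify the real point of failure. The minidump therefore needs further analysis.

Analyzing the blue screen cause with WinDbg

Minidump files are normally located in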

C:\Windows\Minidump

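Note: the logged-in Windows user must be an administrator, otherwise WinDbg cannot open this file.

1. Install WinDbg

Search for WinDbg Preview in the Microsoft Store and install it.

2. Open the dump

Click File → Start debugging → Open dump file

3. Analyze the dump

The first step produces the following output: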

Microsoft (R) Windows Debugger Version 10.0.22415.1003 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.

Loading Dump File [C:\100421-16937-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: srv*
Executable search path is:
Windows 10 Kernel Version 19041 MP (16 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS Personal
Machine Name:
Kernel base = 0xfffff805`1a200000 PsLoadedModuleList = 0xfffff805`1ae2a270
Debug session time: Mon Oct 4 22:19:18.595 2021 (UTC + 8:00)
System Uptime: 0 days 1:02:10.528
Loading Kernel Symbols
..
Press ctrl-c (cdb, kd, ntsd) or ctrl-break (windbg) to abort symbol loads that take too long.
Run !sym noisy before .reload to track down problems loading symbols.
.............................................................
................................................................
................................................................
................................................................
Loading User Symbols
Loading unloaded module list
.........................
For analysis of this file, run !analyze -v
nt!KeBugCheckEx:
fffff805`1a5f71b0 48894c2408 mov qword ptr [rsp+8],rcx ss:0018:ffff8a0f`7c6e4040=0000000000000139

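In the output above, !analyze -v on the third line from the end is highlighted. Click it, and the second stage of the analysis produces the following output: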

nt!KeBugCheckEx:
fffff805`1a5f71b0 48894c2408 mov qword ptr [rsp+8],rcx ss:0018:ffff8a0f`7c6e4040=0000000000000139
12: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

KERNEL_SECURITY_CHECK_FAILURE (139)
A kernel component has corrupted a critical data structure. The corruption
could potentially allow a malicious user to gain control of this machine.
Arguments:
Arg1: 0000000000000003, A LIST_ENTRY has been corrupted (i.e. double remove).
Arg2: ffff8a0f7c6e4360, Address of the trap frame for the exception that caused the BugCheck
Arg3: ffff8a0f7c6e42b8, Address of the exception record for the exception that caused the BugCheck
Arg4: 0000000000000000, Reserved

Debugging Details:
------------------

KEY_VALUES_STRING: 1

Key : Analysis.CPU.mSec
Value: 1905

Key : Analysis.DebugAnalysisManager
Value: Create

Key : Analysis.Elapsed.mSec
Value: 5697

Key : Analysis.Init.CPU.mSec
Value: 343

Key : Analysis.Init.Elapsed.mSec
Value: 227766

Key : Analysis.Memory.CommitPeak.Mb
Value: 77

Key : FailFast.Name
Value: CORRUPT_LIST_ENTRY

Key : FailFast.Type
Value: 3

DUMP_FILE_ATTRIBUTES: 0x8
Kernel Generated Triage Dump

BUGCHECK_CODE: 139
BUGCHECK_P1: 3
BUGCHECK_P2: ffff8a0f7c6e4360
BUGCHECK_P3: ffff8a0f7c6e42b8
BUGCHECK_P4: 0

TRAP_FRAME: ffff8a0f7c6e4360 -- (.trap 0xffff8a0f7c6e4360)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=0000000000000001 rbx=0000000000000000 rcx=0000000000000003
rdx=ffffe08d79a9ea50 rsi=0000000000000000 rdi=0000000000000000
rip=fffff8051a674825 rsp=ffff8a0f7c6e44f0 rbp=fffff80531977350
r8=fffff80531977350 r9=0000000000000000 r10=fffff80531972ca4
r11=0000000000000000 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up di pl nz na pe nc
nt!ExInterlockedInsertTailList+0x143df5:
fffff805`1a674825 cd29 int 29h
Resetting default scope

EXCEPTION_RECORD: ffff8a0f7c6e42b8 -- (.exr 0xffff8a0f7c6e42b8)
ExceptionAddress: fffff8051a674825 (nt!ExInterlockedInsertTailList+0x0000000000143df5)
ExceptionCode: c0000409 (Security check failure or stack buffer overrun)
ExceptionFlags: 00000001
NumberParameters: 1
Parameter[0]: 0000000000000003
Subcode: 0x3 FAST_FAIL_CORRUPT_LIST_ENTRY

BLACKBOXBSD: 1 (!blackboxbsd)
BLACKBOXNTFS: 1 (!blackboxntfs)
BLACKBOXPNP: 1 (!blackboxpnp)
BLACKBOXWINLOGON: 1
CUSTOMER_CRASH_COUNT: 1
PROCESS_NAME: MateBookServic
ERROR_CODE: (NTSTATUS) 0xc0000409 -
EXCEPTION_CODE_STR: c0000409
EXCEPTION_PARAMETER1: 0000000000000003
EXCEPTION_STR: 0xc0000409

STACK_TEXT:
ffff8a0f`7c6e4038 fffff805`1a609169 : 00000000`00000139 00000000`00000003 ffff8a0f`7c6e4360 ffff8a0f`7c6e42b8 : nt!KeBugCheckEx
ffff8a0f`7c6e4040 fffff805`1a609590 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiBugCheckDispatch+0x69
ffff8a0f`7c6e4180 fffff805`1a607923 : ffffe08d`8aabdb00 fffff805`31937202 ffffe08d`7ca03eb0 ffffe08d`7ca03de0 : nt!KiFastFailDispatch+0xd0
ffff8a0f`7c6e4360 fffff805`1a674825 : ffffe08d`7ca03de0 fffff805`00000007 ffffe08d`79a9ea50 fffff805`31977360 : nt!KiRaiseSecurityCheckFailure+0x323
ffff8a0f`7c6e44f0 fffff805`31972d14 : ffffe08d`7ca03de0 ffff8a0f`7c6e45d9 ffffe08d`70d74ef0 00000000`00000000 : nt!ExInterlockedInsertTailList+0x143df5
ffff8a0f`7c6e4520 ffffe08d`7ca03de0 : ffff8a0f`7c6e45d9 ffffe08d`70d74ef0 00000000`00000000 ffffe08d`7ca03eb3 : topsecpf+0x2d14
ffff8a0f`7c6e4528 ffff8a0f`7c6e45d9 : ffffe08d`70d74ef0 00000000`00000000 ffffe08d`7ca03eb3 fffff805`1a48508e : 0xffffe08d`7ca03de0
ffff8a0f`7c6e4530 ffffe08d`70d74ef0 : 00000000`00000000 ffffe08d`7ca03eb3 fffff805`1a48508e ffffe08d`7ca03de0 : 0xffff8a0f`7c6e45d9
ffff8a0f`7c6e4538 00000000`00000000 : ffffe08d`7ca03eb3 fffff805`1a48508e ffffe08d`7ca03de0 ffffe08d`70d74da0 : 0xffffe08d`70d74ef0

SYMBOL_NAME: topsecpf+2d14
MODULE_NAME: topsecpf
IMAGE_NAME: topsecpf.sys
STACK_COMMAND: .thread ; .cxr ; kb
BUCKET_ID_FUNC_OFFSET: 2d14
FAILURE_BUCKET_ID: 0x139_3_CORRUPT_LIST_ENTRY_topsecpf!unknown_function
OSPLATFORM_TYPE: x64
OSNAME: Windows 10
FAILURE_ID_HASH: {7d6915eb-8c8b-b32e-d4d4-a1676df73917}
Followup: MachineOwner
---------

Look at the IMAGE_NAME: topsecpf.sys field at the end of the output: this is the culprit.
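An added example (not from the original post): the Python below parses saved !analyze -v text, walks STACK_TEXT from the top and reports the first frame that is not an OS module, so the result can be compared with IMAGE_NAME. The function names and the choice of nt and hal as OS modules are assumptions of this example; the sample is an abridged excerpt of the output above.

```python
import re

# Abridged excerpt of the !analyze -v output shown on this page.
SAMPLE = """\
KERNEL_SECURITY_CHECK_FAILURE (139)
Arg1: 0000000000000003, A LIST_ENTRY has been corrupted (i.e. double remove).
STACK_TEXT:
ffff8a0f`7c6e4038 fffff805`1a609169 : 00000000`00000139 00000000`00000003 ffff8a0f`7c6e4360 ffff8a0f`7c6e42b8 : nt!KeBugCheckEx
ffff8a0f`7c6e44f0 fffff805`31972d14 : ffffe08d`7ca03de0 ffff8a0f`7c6e45d9 ffffe08d`70d74ef0 00000000`00000000 : nt!ExInterlockedInsertTailList+0x143df5
ffff8a0f`7c6e4520 ffffe08d`7ca03de0 : ffff8a0f`7c6e45d9 ffffe08d`70d74ef0 00000000`00000000 ffffe08d`7ca03eb3 : topsecpf+0x2d14
IMAGE_NAME: topsecpf.sys
"""

FRAME = re.compile(r"^[0-9a-f]{8}`[0-9a-f]{8} [0-9a-f]{8}`[0-9a-f]{8} : .* : (\S+)$")


def stack_symbols(text):
    """Symbol column of each STACK_TEXT frame, top of stack first."""
    symbols, in_stack = [], False
    for line in map(str.strip, text.splitlines()):
        if line.startswith("STACK_TEXT:"):
            in_stack = True
        elif in_stack:
            match = FRAME.match(line)
            if not match:
                break  # a blank line or the next field ends the stack
            symbols.append(match.group(1))
    return symbols


def first_non_os_module(symbols, os_modules=("nt", "hal")):
    """First frame outside os_modules (an assumption), skipping raw addresses."""
    for sym in symbols:
        module = re.split(r"[!+]", sym)[0]
        if not sym.startswith("0x") and module not in os_modules:
            return module
    return None


def triage(text):
    """Summarise the report: bug check, Arg1 subcode, suspect driver."""
    code = re.search(r"^(\w+) \(([0-9a-fA-F]+)\)$", text, re.M)
    arg1 = re.search(r"^Arg1: ([0-9a-f]+)", text, re.M)
    image = re.search(r"^IMAGE_NAME:\s*(\S+)", text, re.M)
    return {
        "bugcheck": code and (code.group(1), int(code.group(2), 16)),
        "arg1": arg1 and int(arg1.group(1), 16),
        "suspect": first_non_os_module(stack_symbols(text)),
        "image_name": image and image.group(1),
    }
```

Calling triage(SAMPLE) names topsecpf as the first non-OS frame, which agrees with the IMAGE_NAME field that the debugger reports.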

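Fixing the blue screen

topsecpf.sys is the damned sys file of the wretched Topsec (天融信) VPN. If you have this client installed, uninstall it; in Control Panel it is listed as "sv客户端" (sv client). To fix the problem at the root, search for this file under c:\windows, rename it to topsecpf.sys.bak and reboot; the blue screen will no longer occur.

Afterword

The way to handle any blue screen is: blue screen → BlueScreenView → WinDbg. Searching Baidu, Google and the like is of no use at all; if you want to solve it, analyze the dump in the debugger directly.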


