BSOD - 0x139 (KERNEL_SECURITY_CHECK_FAILURE)

[IcePanther]

Hi,

I consistently get said BSOD on hwinfo64 startup, when or after it tries to enumerate PCI buses.

Windows 11 x64
HWinfo Version 7.64

Attached are the dump analysis from the minidump, that seems to point at the hwinfo64 driver ; also the hwinfo64.dbg log.
Zip password : h w i 6 4 (minus spaces, to prevent bots from scanning potential identifying info from the dumps, idk enough about them to know if there is any inside)

In case it can be useful :
In "core isolation" in the windows security app, are enabled :
- Memory Integrity
- Kernel Mode Hardware Enforced Stack Protection
- Microsoft vulnerable driver blacklist (greyed out, forced on)

Any help is appreciated.
TIA,

 

[Martin]

Please run this build in Debug Mode: www.hwinfo.com/beta/hwi64_765_5258.zip
It will most likely crash as well but I need the DBG file generated by this build to see some more details for analysis.

 

[IcePanther]

Hi,

It did crash indeed. Here is the generated DBG file, zip password the same as before. The minidump analysis was very similar to the previous one so I omitted it.

 

[Martin]

Thanks. This is quite weird, as if something in the system was blocking access to certain PCIe devices. Is there perhaps some security software installed?

 

[Martin]

Another DBG from this build might be needed but most likely it will crash too: www.hwinfo.com/beta/hwi64_765_5259.zip

 

[IcePanther]

I am using BitDefender, but it has been installed for a while now (>1 year) and didn't cause problems before. I guess it's possible an update would cause problems. I tried disabling it, and it still crashed.

However, it did reliably not crash when disabling "Kernel Mode Hardware Enforced Stack Protection" in Windows Security. Maybe the driver isn't fully compatible with that functionality ?

 

[IcePanther]

Indeed, same with the last build. With the "kernel mode..." stuff on, it crashes, without it, it doesn't.

 

[Martin]

Hmm, the driver is compatible with this feature but in certain special cases it seems that this technology (Control-Flow Enforcement Technology (CET) Shadow Stack) can lead to undesirable side-effects.
I have already discussed this problem with Microsoft and they couldn't explain this behavior either. To me it seems like an erratum in the CET...

 

[Martin]

OK, I have a plan.. But that will take some time, should have a new test build tomorrow...

 

[Martin]

One more request though.. Can you please attach a Debug File from build 5259 with "Kernel Mode Hardware Enforced Stack Protection" disabled, so when it doesn't crash?

 

[IcePanther]

Here it is, from the latest build in this thread, same password.

 

[Martin]

Thanks! I'm wondering why your system is exhibiting such strange behavior in combination with CET (shadow stack).
Anyway, I will have a new test build soon.

 

[Martin]

Please try this build and let me know: www.hwinfo.com/beta/hwi64_765_5260.zip
If any issue, a new DBG file will be needed.

 

[IcePanther]

Sorry, didn't see your second reply, I don't know if the forum sends only an email for the first unread post or what.
Anyway, it still crashes, DBG file attached.

I tried to reproduce the problem on my other computer, but despite it being a 12th gen Intel CPU, it doesn't offer me the option to enable CET Shadow Stack at all (HWinfo shows the CPU is capable of it, so maybe the manufacturer didn't enable something in the BIOS) so I can't test it there.

 

[Martin]

Thanks for the feedback. What kind of BSOD have you got with this build, is it the same KERNEL_SECURITY_CHECK_FAILURE?

 

[IcePanther]

Yup

KERNEL_SECURITY_CHECK_FAILURE (139)
A kernel component has corrupted a critical data structure. The corruption
could potentially allow a malicious user to gain control of this machine.
Arguments:
Arg1: 0000000000000039, A shadow stack violation has occurred due to mismatched return addresses
on the call stack vs the shadow stack.
Arg2: ffff8b890a05f310, Address of the trap frame for the exception that caused the BugCheck
Arg3: ffff8b890a05f268, Address of the exception record for the exception that caused the BugCheck
Arg4: 0000000000000000, Reserved

 

[Martin]

OK, thanks. I think I'm onto something, so here another build to try: www.hwinfo.com/beta/hwi64_765_5268.zip
Please let me know...

 

[IcePanther]

Sweet ! This one didn't crash, I was able to use it normally. I tried launching it several times, first with debug mode, then without.
Here is a trace with the working version, in case you see something useful in it.

Anyway, thank you very much for your patience and efficiency in solving this. Really appreciated.

I gather you were able to track the root cause of the crash then ?

 

[Martin]

That's great news! Thank you too for your testing and feedback!
Yes, it's indeed a sort of lockout enforced by Microsoft on some devices. What remains weird however is that those BSODs were indicating a CET violation while in fact it's something else. MS couldn't explain this yet...

 

[IcePanther]

How nice it is to debug software when the error messages are wrong... Well, you managed to figure it out anyway. Kudos, and thanks again !