Question 0x139_3_CORRUPT_LIST_ENTRY_KTIMER_LIST_CORRUPTION_nt!KiTimerWaitTest

[kidking93]

My PC have BSODs many times. I cant find a reason. Please help me fix it

Here is minidump log

Spoiler: Spoiler

KERNEL_SECURITY_CHECK_FAILURE (139)
A kernel component has corrupted a critical data structure. The corruption
could potentially allow a malicious user to gain control of this machine.
Arguments:
Arg1: 0000000000000003, A LIST_ENTRY has been corrupted (i.e. double remove).
Arg2: fffff8042ade55d0, Address of the trap frame for the exception that caused the BugCheck
Arg3: fffff8042ade5528, Address of the exception record for the exception that caused the BugCheck
Arg4: 0000000000000000, Reserved

Debugging Details:
------------------


KEY_VALUES_STRING: 1

Key : Analysis.CPU.mSec
Value: 2421

Key : Analysis.Elapsed.mSec
Value: 7711

Key : Analysis.IO.Other.Mb
Value: 7

Key : Analysis.IO.Read.Mb
Value: 0

Key : Analysis.IO.Write.Mb
Value: 30

Key : Analysis.Init.CPU.mSec
Value: 593

Key : Analysis.Init.Elapsed.mSec
Value: 35609

Key : Analysis.Memory.CommitPeak.Mb
Value: 97

Key : Bugcheck.Code.LegacyAPI
Value: 0x139

Key : Bugcheck.Code.TargetModel
Value: 0x139

Key : FailFast.Name
Value: CORRUPT_LIST_ENTRY

Key : FailFast.Type
Value: 3

Key : Failure.Bucket
Value: 0x139_3_CORRUPT_LIST_ENTRY_KTIMER_LIST_CORRUPTION_nt!KiTimerWaitTest

Key : Failure.Hash
Value: {efb56395-a173-53f8-073d-d3c8cfd50e2b}

Key : WER.OS.Branch
Value: ni_release_svc_prod3

Key : WER.OS.Version
Value: 10.0.22621.2506


BUGCHECK_CODE: 139

BUGCHECK_P1: 3

BUGCHECK_P2: fffff8042ade55d0

BUGCHECK_P3: fffff8042ade5528

BUGCHECK_P4: 0

FILE_IN_CAB: 042124-6953-01.dmp

TRAP_FRAME: fffff8042ade55d0 -- (.trap 0xfffff8042ade55d0)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=ffffb28e386a0198 rbx=0000000000000000 rcx=0000000000000003
rdx=ffffc3005fdc3040 rsi=0000000000000000 rdi=0000000000000000
rip=fffff8042d8402d6 rsp=fffff8042ade5760 rbp=fffff8042993d180
r8=0000000000000102 r9=0000000000000000 r10=0000000000085f2b
r11=fffff80429940d80 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei pl nz ac pe nc
nt!KiTryUnwaitThread+0x1daad6:
fffff804`2d8402d6 cd29 int 29h
Resetting default scope

EXCEPTION_RECORD: fffff8042ade5528 -- (.exr 0xfffff8042ade5528)
ExceptionAddress: fffff8042d8402d6 (nt!KiTryUnwaitThread+0x00000000001daad6)
ExceptionCode: c0000409 (Security check failure or stack buffer overrun)
ExceptionFlags: 00000001
NumberParameters: 1
Parameter[0]: 0000000000000003
Subcode: 0x3 FAST_FAIL_CORRUPT_LIST_ENTRY

BLACKBOXBSD: 1 (!blackboxbsd)


BLACKBOXNTFS: 1 (!blackboxntfs)


BLACKBOXPNP: 1 (!blackboxpnp)


BLACKBOXWINLOGON: 1

CUSTOMER_CRASH_COUNT: 1

PROCESS_NAME: System

ERROR_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.

EXCEPTION_CODE_STR: c0000409

EXCEPTION_PARAMETER1: 0000000000000003

EXCEPTION_STR: 0xc0000409

STACK_TEXT:
fffff804`2ade52a8 fffff804`2d82c5e9 : 00000000`00000139 00000000`00000003 fffff804`2ade55d0 fffff804`2ade5528 : nt!KeBugCheckEx
fffff804`2ade52b0 fffff804`2d82cbb2 : 00000000`00000020 fffff804`2d6d4e4a fffff804`2e14c700 fffff804`2d72b10a : nt!KiBugCheckDispatch+0x69
fffff804`2ade53f0 fffff804`2d82a906 : ffffb28e`2a31b200 fffff804`2d790af4 00000000`00000000 fffff804`2993d180 : nt!KiFastFailDispatch+0xb2
fffff804`2ade55d0 fffff804`2d8402d6 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiRaiseSecurityCheckFailure+0x346
fffff804`2ade5760 fffff804`2d67675c : ffffb28e`386a01c8 00000000`00000000 ffffb28e`386a0290 fffff804`2d638a2a : nt!KiTryUnwaitThread+0x1daad6
fffff804`2ade57c0 fffff804`2d67629a : ffffb28e`386a01c0 00000000`00000000 fffff804`2ade5af8 00000000`00000000 : nt!KiTimerWaitTest+0x1fc
fffff804`2ade5860 fffff804`2d673084 : 00000000`00000000 00000000`00000000 00000000`00000000 fffff804`299437e8 : nt!KiProcessExpiredTimerList+0xda
fffff804`2ade5990 fffff804`2d81bb5e : fffff804`295cdb50 fffff804`2993d180 fffff804`2e14c700 ffffb28e`318f2080 : nt!KiRetireDpcList+0xaf4
fffff804`2ade5c40 00000000`00000000 : fffff804`2ade6000 fffff804`2ade0000 00000000`00000000 00000000`00000000 : nt!KiIdleLoop+0x9e


SYMBOL_NAME: nt!KiTimerWaitTest+1fc

MODULE_NAME: nt

IMAGE_NAME: ntkrnlmp.exe

IMAGE_VERSION: 10.0.22621.3155

STACK_COMMAND: .cxr; .ecxr ; kb

BUCKET_ID_FUNC_OFFSET: 1fc

FAILURE_BUCKET_ID: 0x139_3_CORRUPT_LIST_ENTRY_KTIMER_LIST_CORRUPTION_nt!KiTimerWaitTest

OS_VERSION: 10.0.22621.2506

BUILDLAB_STR: ni_release_svc_prod3

OSPLATFORM_TYPE: x64

OSNAME: Windows 10

FAILURE_ID_HASH: {efb56395-a173-53f8-073d-d3c8cfd50e2b}

Followup: MachineOwner
---------

0: kd> lmvm nt
Browse full module list
start end module name
fffff804`2d400000 fffff804`2e447000 nt (pdb symbols) C:\ProgramData\Dbg\sym\ntkrnlmp.pdb\2A832A6884144D88C39DB4B4DB66D71C1\ntkrnlmp.pdb
Loaded symbol image file: ntkrnlmp.exe
Mapped memory image file: C:\ProgramData\Dbg\sym\ntkrnlmp.exe\6479E1C71047000\ntkrnlmp.exe
Image path: ntkrnlmp.exe
Image name: ntkrnlmp.exe
Browse all global symbols functions data
Image was built with /Brepro flag.
Timestamp: 6479E1C7 (This is a reproducible build file hash, not a timestamp)
CheckSum: 00B876D8
ImageSize: 01047000
File version: 10.0.22621.3155
Product version: 10.0.22621.3155
File flags: 0 (Mask 3F)
File OS: 40004 NT Win32
File type: 1.0 App
File date: 00000000.00000000
Translations: 0409.04b0
Information from resource tables:
CompanyName: Microsoft Corporation
ProductName: Microsoft® Windows® Operating System
InternalName: ntkrnlmp.exe
OriginalFilename: ntkrnlmp.exe
ProductVersion: 10.0.22621.3155
FileVersion: 10.0.22621.3155 (WinBuild.160101.0800)
FileDescription: NT Kernel & System
LegalCopyright: © Microsoft Corporation. All rights reserved.

 

[Colif]

if system already set up to make them, can you give us the files? can get more out of that than the print out

1. Open Windows File Explore
2. Navigate to C:\Windows\Minidump
3. Copy the mini-dump files out onto your Desktop
4. Do not use Winzip, use the built in facility in Windows
5. Select those files on your Desktop, right click them and choose 'Send to' - Compressed (zipped) folder
6. Upload the zip file to the Cloud (OneDrive, DropBox . . . etc.)
7. Then post a link here to the zip file, so we can take a look for you . . .

full specs of PC helps as well.

 

[kidking93]

if system already set up to make them, can you give us the files? can get more out of that than the print out

1. Open Windows File Explore
2. Navigate to C:\Windows\Minidump
3. Copy the mini-dump files out onto your Desktop
4. Do not use Winzip, use the built in facility in Windows
5. Select those files on your Desktop, right click them and choose 'Send to' - Compressed (zipped) folder
6. Upload the zip file to the Cloud (OneDrive, DropBox . . . etc.)
7. Then post a link here to the zip file, so we can take a look for you . . .

full specs of PC helps as well.

Here is my zip file minidump : https://www.dropbox.com/scl/fi/rrm7...ey=2tnt35m5djgz66cjmpx8qdfay&st=sikb1ez6&dl=0
I have already reinstall win but it still get BODS
My specs of PC :

Processor AMD Ryzen 7 3700X 8-Core Processor 3.60 GHz
RAM 16.0 GB
Main ASUS PRIME B450M-AII
Win 11 Enterprise LTSC

 

[Colif]

I have already reinstall win but it still get BODS

is it the same bsod each time as your report is for a different one to what I was expecting.

report


File: 042124-5875-01.dmp (Apr 22 2024 - 01:46:17)
BugCheck: [IRQL_NOT_LESS_OR_EQUAL (A)]
Probably caused by: memory_corruption (Process: RiotClientServices.exe)
Uptime: 0 Day(s), 2 Hour(s), 57 Min(s), and 51 Sec(s)

Process mentioned is victim, what was running at time of crash. Not cause.

bios - you two versions behind but i wouldn't update just yet

try updating chipset drivers - https://www.amd.com/en/support/downloads/drivers.html/chipsets/am4/b450.html

Try running memtest86 on each of your ram sticks, one stick at a time, up to 4 passes. Only error count you want is 0, any higher could be cause of the BSOD. Remove/replace ram sticks with errors. Memtest is created as a bootable USB so that you don’t need windows to run it

i wonder what this is (it might not be involved, just don't like mysteries)
C:\ProgramData\dbg\sym\globmerger.sys\68AB8BDF1f000\globmerger.sys

its dated next year. can only find one result for it and it doesn't tell me what it is - https://hybrid-analysis.com/sample/...f4b12e61da836218d4d3/62accb2153f4e33837391783
might be part of windows as its common for them to have future dates. Anti virus programs do the same thing.
Its linked to the kernel which is what also makes me think its part of windows... I just can't find it anywhere.

https://learn.microsoft.com/en-us/dotnet/core/extensions/file-globbing
run any linux programs?

glob – Filename pattern matching - GeeksforGeeks

A Computer Science portal for geeks. It contains well written, well thought and well explained computer science and programming articles, quizzes and practice/competitive programming/company interview Questions.

www.geeksforgeeks.org

 

[ubuysa]

It not easy (and dangerous too) to try and make a firm diagnosis based on just one dump. If you've been having lots of BSODs then there will be other dumps and with dump analysis more dumps is always better!

Can you please download and run the SysnativeBSODCollectionApp and upload the resultant zip file to a cloud service with a link to it here. Be sure to make it public (so we don't have to login to download the zip file).

The SysnativeBSODCollectionApp does not collect any personally identifying information, it's perfectly safe, and it#s used by several respected Windows help forums. You can look at the files in the zip file, mostly they are txt files, but please don't change or delete anything. If you want to know what data these files contain there are full details here.