none
BSOD - KERNEL_SECURITY_CHECK_ERROR and DPC_WATCHDOG_VIOLATION

    Question

  • Can you help me diagnose this issue? Pretty sure somehow it's connected with my Furutech USB DAC, as this happens only when playing music. I've installed latest Furutech driver. Furutech says it's not their driver that's causing the problem.

    Have uploaded mini-dump files: http://1drv.ms/QvRlVJ

    Tuesday, April 22, 2014 8:42 PM

Answers

  • Hi,

    We have various bug checks:

    DPC_WATCHDOG_VIOLATION (133)

    This bug check indicates that the DPC watchdog executed, either because it detected a single long-running deferred procedure call (DPC), or because the system spent a prolonged time at an interrupt request level (IRQL) of DISPATCH_LEVEL or above.

    BugCheck 133, {1, 1e00, 0, 0}

    ^^ If the system exceeds a larger timeout of time spent cumulatively in all DPCs since the IRQL was raised to DPC level, the system will bugcheck with a 0x133, and the first parameter will be set to 1. In your case, this is the first parameter.

    Determining the cause of a stop 0x133 with a first parameter of 1 is a bit more difficult because the problem is a result of DPCs running from multiple drivers, so combing the call stacks from the different processors is insufficient to determine the culprit. Also, given this is a minidump, we cannot do that anyway.

    KERNEL_SECURITY_CHECK_FAILURE (139)

    This bug check indicates that the kernel has detected the corruption of a critical data structure.

    BugCheck 139, {3, fffff8033c69c220, fffff8033c69c178, 0}

    ^^ The 1st parameter of the bugcheck is 3 which indicates that a LIST_ENTRY was corrupted. Code 3, LIST_ENTRY corruption. This type of bug check can be difficult to track down and indicates that an inconsistency has been introduced into a doubly-linked list (detected when an individual list entry element is added to or removed from the list).

    0: kd> .exr 0xfffff8033c69c178
    ExceptionAddress: fffff800f82e796e (Wdf01000!FxIrpQueue::RemoveIrpFromListEntry+0x0000000000000032)
       ExceptionCode: c0000409 (Security check failure or stack buffer overrun)
    

    ^^ The system detected an overrun of a stack-based buffer in this application. Evidently this occurred in Wdf01000!FxIrpQueue::RemoveIrpFromListEntry.

    0: kd> k
    Child-SP          RetAddr           Call Site
    fffff803`3c69bef8 fffff803`3ab7dae9 nt!KeBugCheckEx
    fffff803`3c69bf00 fffff803`3ab7de10 nt!KiBugCheckDispatch+0x69
    fffff803`3c69c040 fffff803`3ab7d034 nt!KiFastFailDispatch+0xd0
    fffff803`3c69c220 fffff800`f82e796e nt!KiRaiseSecurityCheckFailure+0xf4
    fffff803`3c69c3b8 fffff800`f82e8e32 Wdf01000!FxIrpQueue::RemoveIrpFromListEntry+0x32
    fffff803`3c69c3c0 fffff800`f82e8e89 Wdf01000!FxIrpQueue::RemoveIrpFromQueueByContext+0x56
    fffff803`3c69c3f0 fffff800`f82e7a56 Wdf01000!FxRequest::RemoveFromIrpQueue+0x25
    fffff803`3c69c430 fffff800`f82e8f4e Wdf01000!FxIoQueue::RequestCancelable+0xde
    fffff803`3c69c490 fffff800`fa2b7bc2 Wdf01000!imp_WdfRequestUnmarkCancelable+0x76
    fffff803`3c69c4f0 fffff800`fa2b82d2 USBXHCI!Isoch_Transfer_CompleteCancelable+0xa6
    fffff803`3c69c550 fffff800`fa2b861e USBXHCI!Isoch_Stage_CompleteTD+0x16e
    fffff803`3c69c5d0 fffff800`fa2aac66 USBXHCI!Isoch_ProcessTransferEventWithED1+0x252
    fffff803`3c69c660 fffff800`fa2c357f USBXHCI!Endpoint_TransferEventHandler+0x4e
    fffff803`3c69c6d0 fffff800`fa2ad05a USBXHCI!UsbDevice_TransferEventHandler+0x87
    fffff803`3c69c730 fffff800`f8366c81 USBXHCI!Interrupter_WdfEvtInterruptDpc+0x456
    fffff803`3c69c830 fffff803`3aa781e0 Wdf01000!FxInterrupt::DpcHandler+0xc1
    fffff803`3c69c860 fffff803`3aa773fb nt!KiExecuteAllDpcs+0x1b0
    fffff803`3c69c9b0 fffff803`3ab75aea nt!KiRetireDpcList+0xdb
    fffff803`3c69cc60 00000000`00000000 nt!KiIdleLoop+0x5a

    ^^ We have a fair few USBXHCI.sys calls which is the USB XHCI driver (not the true cause).

    So far, at this point, we can confirm that something USB-related (driver or device) is going on, and the system is not happy.

    DRIVER_POWER_STATE_FAILURE (9f)

    This bug check indicates that the driver is in an inconsistent or invalid power state.

    BugCheck 9F, {3, ffffe000f7b178e0, ffffd00060b79930, ffffe000f70ad630}

    Probably caused by : usbccgp.sys

    ^^ usbccgp.sys is not the true cause, so let's go ahead and !irp the 4th parameter of the bug check (blocked IRP address):

    >[ 16, 2]   0  0 ffffe000f7a00050 00000000 00000000-00000000    
    	      Unable to load image \SystemRoot\system32\drivers\ADLESDAC.sys, Win32 error 0n2
    *** WARNING: Unable to verify timestamp for ADLESDAC.sys
    *** ERROR: Module load completed but symbols could not be loaded for ADLESDAC.sys
     \Driver\ADLESDAC
    

    ^^ ADLESDAC.sys appears to be the culprit driver. Unfortunately, being the bearer of bad news, I cannot find any documentation regarding this driver, and I've never seen it before myself.

    With this said, note I mentioned above in the 0x139 that we had an overrun of a stack-based buffer in Wdf01000.sys. One of the many reasons this occurs is it allows malicious control over the application it occurred in. Worst case, given the above driver has no documentation available, etc, it may be malware.

    Best case, this is a USB related driver to a device you have connected via USB. With that said, what do you have connected to the system via USB?

    ----------------------

    1. If nothing other than possibly mouse/keyboard connected via USB, navigate to C:\Windows\System32\Drivers and rename ADLESDAC.sys to ADLESDAC.old. Restart afterwards.

    2. If you're still crashing after the above, remove and replace Norton with Windows 8's built-in Windows Defender for temporary troubleshooting purposes as it very well may be causing conflicts:

    Norton removal - https://support.norton.com/sp/en/us/home/current/solutions/kb20080710133834EN_EndUserProfile_en_us;jsessionid=841A6D40BA6872C47697C6C6B19C8E11.4?entsrc=redirect_pubweb&pvid=f-home

    Windows Defender (how to turn on after removal) - http://www.eightforums.com/tutorials/21962-windows-defender-turn-off-windows-8-a.html

    3. wdcsam64.sys is listed and loaded which is the Western Digital SES (SCSI Enclosure Services) driver. Please remove this software ASAP as it's troublesome and is also not necessary to the functionality of your system.

    Regards,

    Patrick

    “Be kind whenever possible. It is always possible.” - Dalai Lama


    Tuesday, April 22, 2014 9:26 PM

All replies

  • Hi,

    We have various bug checks:

    DPC_WATCHDOG_VIOLATION (133)

    This bug check indicates that the DPC watchdog executed, either because it detected a single long-running deferred procedure call (DPC), or because the system spent a prolonged time at an interrupt request level (IRQL) of DISPATCH_LEVEL or above.

    BugCheck 133, {1, 1e00, 0, 0}

    ^^ If the system exceeds a larger timeout of time spent cumulatively in all DPCs since the IRQL was raised to DPC level, the system will bugcheck with a 0x133, and the first parameter will be set to 1. In your case, this is the first parameter.

    Determining the cause of a stop 0x133 with a first parameter of 1 is a bit more difficult because the problem is a result of DPCs running from multiple drivers, so combing the call stacks from the different processors is insufficient to determine the culprit. Also, given this is a minidump, we cannot do that anyway.

    KERNEL_SECURITY_CHECK_FAILURE (139)

    This bug check indicates that the kernel has detected the corruption of a critical data structure.

    BugCheck 139, {3, fffff8033c69c220, fffff8033c69c178, 0}

    ^^ The 1st parameter of the bugcheck is 3 which indicates that a LIST_ENTRY was corrupted. Code 3, LIST_ENTRY corruption. This type of bug check can be difficult to track down and indicates that an inconsistency has been introduced into a doubly-linked list (detected when an individual list entry element is added to or removed from the list).

    0: kd> .exr 0xfffff8033c69c178
    ExceptionAddress: fffff800f82e796e (Wdf01000!FxIrpQueue::RemoveIrpFromListEntry+0x0000000000000032)
       ExceptionCode: c0000409 (Security check failure or stack buffer overrun)
    

    ^^ The system detected an overrun of a stack-based buffer in this application. Evidently this occurred in Wdf01000!FxIrpQueue::RemoveIrpFromListEntry.

    0: kd> k
    Child-SP          RetAddr           Call Site
    fffff803`3c69bef8 fffff803`3ab7dae9 nt!KeBugCheckEx
    fffff803`3c69bf00 fffff803`3ab7de10 nt!KiBugCheckDispatch+0x69
    fffff803`3c69c040 fffff803`3ab7d034 nt!KiFastFailDispatch+0xd0
    fffff803`3c69c220 fffff800`f82e796e nt!KiRaiseSecurityCheckFailure+0xf4
    fffff803`3c69c3b8 fffff800`f82e8e32 Wdf01000!FxIrpQueue::RemoveIrpFromListEntry+0x32
    fffff803`3c69c3c0 fffff800`f82e8e89 Wdf01000!FxIrpQueue::RemoveIrpFromQueueByContext+0x56
    fffff803`3c69c3f0 fffff800`f82e7a56 Wdf01000!FxRequest::RemoveFromIrpQueue+0x25
    fffff803`3c69c430 fffff800`f82e8f4e Wdf01000!FxIoQueue::RequestCancelable+0xde
    fffff803`3c69c490 fffff800`fa2b7bc2 Wdf01000!imp_WdfRequestUnmarkCancelable+0x76
    fffff803`3c69c4f0 fffff800`fa2b82d2 USBXHCI!Isoch_Transfer_CompleteCancelable+0xa6
    fffff803`3c69c550 fffff800`fa2b861e USBXHCI!Isoch_Stage_CompleteTD+0x16e
    fffff803`3c69c5d0 fffff800`fa2aac66 USBXHCI!Isoch_ProcessTransferEventWithED1+0x252
    fffff803`3c69c660 fffff800`fa2c357f USBXHCI!Endpoint_TransferEventHandler+0x4e
    fffff803`3c69c6d0 fffff800`fa2ad05a USBXHCI!UsbDevice_TransferEventHandler+0x87
    fffff803`3c69c730 fffff800`f8366c81 USBXHCI!Interrupter_WdfEvtInterruptDpc+0x456
    fffff803`3c69c830 fffff803`3aa781e0 Wdf01000!FxInterrupt::DpcHandler+0xc1
    fffff803`3c69c860 fffff803`3aa773fb nt!KiExecuteAllDpcs+0x1b0
    fffff803`3c69c9b0 fffff803`3ab75aea nt!KiRetireDpcList+0xdb
    fffff803`3c69cc60 00000000`00000000 nt!KiIdleLoop+0x5a

    ^^ We have a fair few USBXHCI.sys calls which is the USB XHCI driver (not the true cause).

    So far, at this point, we can confirm that something USB-related (driver or device) is going on, and the system is not happy.

    DRIVER_POWER_STATE_FAILURE (9f)

    This bug check indicates that the driver is in an inconsistent or invalid power state.

    BugCheck 9F, {3, ffffe000f7b178e0, ffffd00060b79930, ffffe000f70ad630}

    Probably caused by : usbccgp.sys

    ^^ usbccgp.sys is not the true cause, so let's go ahead and !irp the 4th parameter of the bug check (blocked IRP address):

    >[ 16, 2]   0  0 ffffe000f7a00050 00000000 00000000-00000000    
    	      Unable to load image \SystemRoot\system32\drivers\ADLESDAC.sys, Win32 error 0n2
    *** WARNING: Unable to verify timestamp for ADLESDAC.sys
    *** ERROR: Module load completed but symbols could not be loaded for ADLESDAC.sys
     \Driver\ADLESDAC
    

    ^^ ADLESDAC.sys appears to be the culprit driver. Unfortunately, being the bearer of bad news, I cannot find any documentation regarding this driver, and I've never seen it before myself.

    With this said, note I mentioned above in the 0x139 that we had an overrun of a stack-based buffer in Wdf01000.sys. One of the many reasons this occurs is it allows malicious control over the application it occurred in. Worst case, given the above driver has no documentation available, etc, it may be malware.

    Best case, this is a USB related driver to a device you have connected via USB. With that said, what do you have connected to the system via USB?

    ----------------------

    1. If nothing other than possibly mouse/keyboard connected via USB, navigate to C:\Windows\System32\Drivers and rename ADLESDAC.sys to ADLESDAC.old. Restart afterwards.

    2. If you're still crashing after the above, remove and replace Norton with Windows 8's built-in Windows Defender for temporary troubleshooting purposes as it very well may be causing conflicts:

    Norton removal - https://support.norton.com/sp/en/us/home/current/solutions/kb20080710133834EN_EndUserProfile_en_us;jsessionid=841A6D40BA6872C47697C6C6B19C8E11.4?entsrc=redirect_pubweb&pvid=f-home

    Windows Defender (how to turn on after removal) - http://www.eightforums.com/tutorials/21962-windows-defender-turn-off-windows-8-a.html

    3. wdcsam64.sys is listed and loaded which is the Western Digital SES (SCSI Enclosure Services) driver. Please remove this software ASAP as it's troublesome and is also not necessary to the functionality of your system.

    Regards,

    Patrick

    “Be kind whenever possible. It is always possible.” - Dalai Lama


    Tuesday, April 22, 2014 9:26 PM
  • Thanks for the quick response. I truly appreciate your analysis.

    ADLESDAC.sys is probably the driver for my Furutech USB DAC, It's connected via USB, and actually it's made by ADL (a Furutech subsidiary) (http://www.adl-av.com/products/usbdac/esprit/). Also connected via USB are two Western Digital external drives, APC UPS unit, and Logitech Unifying Receiver for wireless keyboard and mouse.

    You confirm what i've thought for quite some time but have not been able to determine due to lack of expertise. I also suspected Norton 360, but i uninstalled and was still getting BSODs, so this alone couldn't be the cause.

    Took your advise and uninstalled Western Digital SES. Will contact Furutech and tell them about your analysis.

    Furutech should write an updated driver. They insist that their driver is fine.

    Again, thanks so much for your help.

    Tuesday, April 22, 2014 9:57 PM
  • Fantastic, thanks for the information!

    Please keep me updated and let me know how everything goes.

    Regards,

    Patrick

    “Be kind whenever possible. It is always possible.” - Dalai Lama

    Tuesday, April 22, 2014 9:59 PM