Solved

Solved! BSOD Kernel Security Check Failure and Bad Pool Header

I've been getting multiple BSOD's since my pc's psu died and I replaced it as well as added 2x4gb's ddr3 ram going from 8gb's to 16gb's total. All of the 4 ram are the exact same model/manufacturer. One of the problems ended up being a bad driver lgvirhid.sys and after uninstalling it the pc lasted for 12 hours and then bsod'd again with KERNEL_SECURITY_CHECK_FAILURE. I started looking around and updating my bios driver's, not the bios through MSI Live Updater 6. But then I ended up getting another BSOD with BAD_POOL_HEADER. I'll attach my build and the 2 minidumps I have, and I'll try to keep this thread updated with anymore crash dump files.

Build: Windows 10 64-bit, I7-4770, 4x4gb's 240-Pin DDR3 SDRAM 1600 (PC3 12800) G. Skill RipJaws, MSI H87-G43 (MS-7816) Mobo, EVGA NVIDIA GeForce GTX 760 2gb, and Corsair H80i, 465GB Hitachi HDP725050GLA360 ATA Device (SATA), 298GB Hitachi HDT725032VLA380 ATA Device (SATA),2794GB Seagate ST3000DM001-1ER166 ATA Device (SATA), 931GB Western Digital WD Ext HDD 1021 USB Device (USB (SATA)).

Just realized that both Speccy and CPU-Z say 16.0GB Dual-Channel DDR3 @ 800MHz (9-9-9-24), for some reason the MHz seems wrong to me but I've been in my pc the past week and I'm just lost at this point. CPU-Z also doesn't show any details for the 4th ram slot even though it says 16gb ram still. Odd.

Anyways thank you anyone who is willing to give me some help, I can't think of anything anymore.

BugCheck 139, {3, fffff80304480820, fffff80304480778, 0}

Probably caused by : ntkrnlmp.exe ( nt!KiFastFailDispatch+d0 )

Followup: MachineOwner
---------

0: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

KERNEL_SECURITY_CHECK_FAILURE (139)
A kernel component has corrupted a critical data structure. The corruption
could potentially allow a malicious user to gain control of this machine.
Arguments:
Arg1: 0000000000000003, A LIST_ENTRY has been corrupted (i.e. double remove).
Arg2: fffff80304480820, Address of the trap frame for the exception that caused the bugcheck
Arg3: fffff80304480778, Address of the exception record for the exception that caused the bugcheck
Arg4: 0000000000000000, Reserved

Debugging Details:
------------------


DUMP_CLASS: 1

DUMP_QUALIFIER: 400

BUILD_VERSION_STRING: 10586.122.amd64fre.th2_release_inmarket.160222-1549

SYSTEM_MANUFACTURER: MSI

SYSTEM_PRODUCT_NAME: MS-7816

SYSTEM_SKU: To be filled by O.E.M.

SYSTEM_VERSION: 1.0

BIOS_VENDOR: American Megatrends Inc.

BIOS_VERSION: V2.2

BIOS_DATE: 05/15/2013

BASEBOARD_MANUFACTURER: MSI

BASEBOARD_PRODUCT: H87-G43 (MS-7816)

BASEBOARD_VERSION: 1.0

DUMP_TYPE: 2

DUMP_FILE_ATTRIBUTES: 0x8
Kernel Generated Triage Dump

BUGCHECK_P1: 3

BUGCHECK_P2: fffff80304480820

BUGCHECK_P3: fffff80304480778

BUGCHECK_P4: 0

TRAP_FRAME: fffff80304480820 -- (.trap 0xfffff80304480820)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=ffffcf80488bee58 rbx=0000000000000000 rcx=0000000000000003
rdx=0000000000000001 rsi=0000000000000000 rdi=0000000000000000
rip=fffff803029740f9 rsp=fffff803044809b0 rbp=fffff80302b22180
r8=0000000000000000 r9=0000000000000002 r10=fffff80302b22180
r11=fffff80302805000 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei ng nz na po cy
nt! ?? ::FNODOBFM::`string'+0x1e2f9:
fffff803`029740f9 cd29 int 29h
Resetting default scope

EXCEPTION_RECORD: fffff80304480778 -- (.exr 0xfffff80304480778)
ExceptionAddress: fffff803029740f9 (nt! ?? ::FNODOBFM::`string'+0x000000000001e2f9)
ExceptionCode: c0000409 (Security check failure or stack buffer overrun)
ExceptionFlags: 00000001
NumberParameters: 1
Parameter[0]: 0000000000000003
Subcode: 0x3 FAST_FAIL_CORRUPT_LIST_ENTRY

CPU_COUNT: 8

CPU_MHZ: d48

CPU_VENDOR: GenuineIntel

CPU_FAMILY: 6

CPU_MODEL: 3c

CPU_STEPPING: 3

CPU_MICROCODE: 6,3c,3,0 (F,M,S,R) SIG: 1E'00000000 (cache) 1E'00000000 (init)

CUSTOMER_CRASH_COUNT: 1

DEFAULT_BUCKET_ID: LIST_ENTRY_CORRUPT

BUGCHECK_STR: 0x139

PROCESS_NAME: System

CURRENT_IRQL: 2

ERROR_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.

EXCEPTION_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.

EXCEPTION_CODE_STR: c0000409

EXCEPTION_PARAMETER1: 0000000000000003

ANALYSIS_SESSION_HOST: MATTHEW-PC

ANALYSIS_SESSION_TIME: 03-08-2016 18:55:19.0783

ANALYSIS_VERSION: 10.0.10586.567 amd64fre

LAST_CONTROL_TRANSFER: from fffff80302951fe9 to fffff80302947450

STACK_TEXT:
fffff803`044804f8 fffff803`02951fe9 : 00000000`00000139 00000000`00000003 fffff803`04480820 fffff803`04480778 : nt!KeBugCheckEx
fffff803`04480500 fffff803`02952310 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiBugCheckDispatch+0x69
fffff803`04480640 fffff803`029514f3 : 00000000`00000000 00008354`cd68080e ffffe001`00000002 00001000`00000010 : nt!KiFastFailDispatch+0xd0
fffff803`04480820 fffff803`029740f9 : fffff803`04480b70 00000000`40d40089 fffff803`00000000 00000062`d305adc1 : nt!KiRaiseSecurityCheckFailure+0xf3
fffff803`044809b0 fffff803`02872dce : ffffcf80`00000000 ffffcf80`488beb48 fffff803`04480b18 00000000`00000002 : nt! ?? ::FNODOBFM::`string'+0x1e2f9
fffff803`04480a10 fffff803`0294a20a : 00000000`00000000 fffff803`02b22180 00000000`00000000 fffff803`02b98740 : nt!KiRetireDpcList+0x3de
fffff803`04480c60 00000000`00000000 : fffff803`04481000 fffff803`0447b000 00000000`00000000 00000000`00000000 : nt!KiIdleLoop+0x5a


STACK_COMMAND: kb

THREAD_SHA1_HASH_MOD_FUNC: f2f70c8276e4939089f0282f588686c66441bd33

THREAD_SHA1_HASH_MOD_FUNC_OFFSET: 57de6cfd81dd752aa45a52a480cc25ea06529aae

THREAD_SHA1_HASH_MOD: 30a3e915496deaace47137d5b90c3ecc03746bf6

FOLLOWUP_IP:
nt!KiFastFailDispatch+d0
fffff803`02952310 c644242000 mov byte ptr [rsp+20h],0

FAULT_INSTR_CODE: 202444c6

SYMBOL_STACK_INDEX: 2

SYMBOL_NAME: nt!KiFastFailDispatch+d0

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: nt

IMAGE_NAME: ntkrnlmp.exe

DEBUG_FLR_IMAGE_TIMESTAMP: 56cc074e

IMAGE_VERSION: 10.0.10586.122

BUCKET_ID_FUNC_OFFSET: d0

FAILURE_BUCKET_ID: 0x139_3_nt!KiFastFailDispatch

BUCKET_ID: 0x139_3_nt!KiFastFailDispatch

PRIMARY_PROBLEM_CLASS: 0x139_3_nt!KiFastFailDispatch

TARGET_TIME: 2016-03-08T15:39:47.000Z

OSBUILD: 10586

OSSERVICEPACK: 0

SERVICEPACK_NUMBER: 0

OS_REVISION: 0

SUITE_MASK: 784

PRODUCT_TYPE: 1

OSPLATFORM_TYPE: x64

OSNAME: Windows 10

OSEDITION: Windows 10 WinNt TerminalServer SingleUserTS Personal

OS_LOCALE:

USER_LCID: 0

OSBUILD_TIMESTAMP: 2016-02-22 23:16:30

BUILDDATESTAMP_STR: 160222-1549

BUILDLAB_STR: th2_release_inmarket

BUILDOSVER_STR: 10.0.10586.122.amd64fre.th2_release_inmarket.160222-1549

ANALYSIS_SESSION_ELAPSED_TIME: 38c

ANALYSIS_SOURCE: KM

FAILURE_ID_HASH_STRING: km:0x139_3_nt!kifastfaildispatch

FAILURE_ID_HASH: {36173680-6f08-995f-065a-3d368c996911}

Followup: MachineOwner
---------


BugCheck 19, {21, ffffc000e6c8f000, 1080, c95990610121c8f8}

fffff8026f60a520: Unable to get MiVisibleState
Probably caused by : ntkrnlmp.exe ( nt! ?? ::FNODOBFM::`string'+1253a )

Followup: MachineOwner
---------

6: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

BAD_POOL_HEADER (19)
The pool is already corrupt at the time of the current request.
This may or may not be due to the caller.
The internal pool links must be walked to figure out a possible cause of
the problem, and then special pool applied to the suspect tags or the driver
verifier to a suspect driver.
Arguments:
Arg1: 0000000000000021, the data following the pool block being freed is corrupt. Typically this means the consumer (call stack ) has overrun the block.
Arg2: ffffc000e6c8f000, The pool pointer being freed.
Arg3: 0000000000001080, The number of bytes allocated for the pool block.
Arg4: c95990610121c8f8, The corrupted value found following the pool block.

Debugging Details:
------------------

fffff8026f60a520: Unable to get MiVisibleState

DUMP_CLASS: 1

DUMP_QUALIFIER: 400

BUILD_VERSION_STRING: 10586.122.amd64fre.th2_release_inmarket.160222-1549

SYSTEM_MANUFACTURER: MSI

SYSTEM_PRODUCT_NAME: MS-7816

SYSTEM_SKU: To be filled by O.E.M.

SYSTEM_VERSION: 1.0

BIOS_VENDOR: American Megatrends Inc.

BIOS_VERSION: V2.2

BIOS_DATE: 05/15/2013

BASEBOARD_MANUFACTURER: MSI

BASEBOARD_PRODUCT: H87-G43 (MS-7816)

BASEBOARD_VERSION: 1.0

DUMP_TYPE: 2

DUMP_FILE_ATTRIBUTES: 0x8
Kernel Generated Triage Dump

BUGCHECK_P1: 21

BUGCHECK_P2: ffffc000e6c8f000

BUGCHECK_P3: 1080

BUGCHECK_P4: c95990610121c8f8

BUGCHECK_STR: 0x19_21

POOL_ADDRESS: fffff8026f60a520: Unable to get MiVisibleState
ffffc000e6c8f000

CPU_COUNT: 8

CPU_MHZ: d48

CPU_VENDOR: GenuineIntel

CPU_FAMILY: 6

CPU_MODEL: 3c

CPU_STEPPING: 3

CPU_MICROCODE: 6,3c,3,0 (F,M,S,R) SIG: 1E'00000000 (cache) 1E'00000000 (init)

CUSTOMER_CRASH_COUNT: 1

DEFAULT_BUCKET_ID: WIN8_DRIVER_FAULT

PROCESS_NAME: TiWorker.exe

CURRENT_IRQL: 0

ANALYSIS_SESSION_HOST: MATTHEW-PC

ANALYSIS_SESSION_TIME: 03-08-2016 19:04:12.0184

ANALYSIS_VERSION: 10.0.10586.567 amd64fre

LAST_CONTROL_TRANSFER: from fffff8026f3ef33a to fffff8026f3ce450

STACK_TEXT:
ffffd001`dc5786e8 fffff802`6f3ef33a : 00000000`00000019 00000000`00000021 ffffc000`e6c8f000 00000000`00001080 : nt!KeBugCheckEx
ffffd001`dc5786f0 fffff802`6f4bc47c : ffffc000`e6c8f000 ffffd001`dc578898 00000000`00000000 00000000`00000001 : nt! ?? ::FNODOBFM::`string'+0x1253a
ffffd001`dc5787a0 fffff802`6f6574f0 : ffffc000`e6c8f000 ffffc000`e11c0000 00000000`00001000 00000000`31334d43 : nt!ExFreePoolWithTag+0x47c
ffffd001`dc578880 fffff802`6f6573c2 : 00000000`011a0000 ffffc000`e11c0580 ffffd001`dc578760 00000000`00000004 : nt!HvpFreeBin+0x34
ffffd001`dc5788b0 fffff802`6f64295f : ffffc000`00000001 ffffc000`e11c0b01 ffffc000`02a9b000 ffffc000`e11c0000 : nt!HvFreeHive+0xbe
ffffd001`dc578920 fffff802`6f78c949 : 00000000`00000000 ffffd001`dc578a70 ffffc000`e97e1d30 ffffc000`e97e1d30 : nt!CmUnloadKey+0x1d3
ffffd001`dc578970 fffff802`6f3d8ca3 : ffffe000`b69f0080 00000000`00000000 ffffe000`00000000 ffffe000`bb65d001 : nt!NtUnloadKey2+0x301
ffffd001`dc578b00 00007ffd`26438664 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13
00000043`78edf688 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x00007ffd`26438664


STACK_COMMAND: kb

THREAD_SHA1_HASH_MOD_FUNC: 2f9ffbd6488bb98e4b5a7f9286c185bc823bc508

THREAD_SHA1_HASH_MOD_FUNC_OFFSET: 95fd3f89721a889d6f1e945b8ac05c3780b0dd7d

THREAD_SHA1_HASH_MOD: cb5f414824c2521bcc505eaa03e92fa10922dad8

FOLLOWUP_IP:
nt! ?? ::FNODOBFM::`string'+1253a
fffff802`6f3ef33a cc int 3

FAULT_INSTR_CODE: 24bacc

SYMBOL_STACK_INDEX: 1

SYMBOL_NAME: nt! ?? ::FNODOBFM::`string'+1253a

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: nt

IMAGE_NAME: ntkrnlmp.exe

DEBUG_FLR_IMAGE_TIMESTAMP: 56cc074e

IMAGE_VERSION: 10.0.10586.122

BUCKET_ID_FUNC_OFFSET: 1253a

FAILURE_BUCKET_ID: 0x19_21_nt!_??_::FNODOBFM::_string_

BUCKET_ID: 0x19_21_nt!_??_::FNODOBFM::_string_

PRIMARY_PROBLEM_CLASS: 0x19_21_nt!_??_::FNODOBFM::_string_

TARGET_TIME: 2016-03-09T02:24:24.000Z

OSBUILD: 10586

OSSERVICEPACK: 0

SERVICEPACK_NUMBER: 0

OS_REVISION: 0

SUITE_MASK: 784

PRODUCT_TYPE: 1

OSPLATFORM_TYPE: x64

OSNAME: Windows 10

OSEDITION: Windows 10 WinNt TerminalServer SingleUserTS Personal

OS_LOCALE:

USER_LCID: 0

OSBUILD_TIMESTAMP: 2016-02-22 23:16:30

BUILDDATESTAMP_STR: 160222-1549

BUILDLAB_STR: th2_release_inmarket

BUILDOSVER_STR: 10.0.10586.122.amd64fre.th2_release_inmarket.160222-1549

ANALYSIS_SESSION_ELAPSED_TIME: 3c8

ANALYSIS_SOURCE: KM

FAILURE_ID_HASH_STRING: km:0x19_21_nt!_??_::fnodobfm::_string_

FAILURE_ID_HASH: {cf14c3bf-8028-447e-b16f-afa4ee487a96}

Followup: MachineOwner
---------
3 answers Last reply Best Answer
More about bsod kernel security check failure bad pool header
  1. I can't read the dump files but I know something that can, download Who crashed from here: http://www.resplendence.com/whocrashed It is free for home users.

    Let it scan your computer and it will tell you in plainer English what is causing the Bad Pool Header, it may also tell you about both (I don't know, I only had one BSOD when I ran it).

    If you cannot work out the cause still, copy what it says in here.

    You may also want to run memtest as Bad Pool Header is to do with ram, but the times I have had it, its usually drivers.
  2. WhoCrashed's info is as follows:

    3/9/2016 2:24:23 AM | BAD_POOL_HEADER | 0x19 | 0x21 | 0xFFFFC000E6C8F000 | 0X1080 | 0XC95990610121C8F8 | ntkrnlmp.exe | 00d 00:16:23 |

    3/8/2016 3:39:47 PM | KERNEL_SECURITY_CHECK_FAILURE | 0x139 | 0x3 | 0xFFFFF80300044080820 | 0x0 | ntkrnlmp.exe | 00d 11:47:24

    So both are pointing at "probably caused by: ntkrnlmp.exe" not sure what to do with that info.

    I've attempted memtest and after 8 hours of running it 0 errors.
  3. Best answer
    Turns out my issue was related to a driver conflicting with Windows 10. The driver was from Logitech Gaming Software for my G9x Laser Mouse. It was solved by installing a much older driver for it. I also did a clean install of Windows 10 afterwards.
Ask a new question

Read More

Security Blue Screen Crash System Error Registry Error