I have experienced a BSOD every time I have resumed my laptop from sleep. I have analyzed the minidump using WinDbg and the causing process is always Slack.exe. I have googled a bit and found https://www.tenforums.com/bsod-crashes-debugging/80584-0x139-bsods-daily-when-waking-up-sleep.html. Their suggestion is not to use the Windows 10 Slack version or to close it before going to sleep.
What is the real reason that Slack.exe is causing this BSOD? I assume that Slack does not directly contain any kernel drivers?
Bug check analysis output (simplified):
KERNEL_SECURITY_CHECK_FAILURE (139)
A kernel component has corrupted a critical data structure. The corruption
could potentially allow a malicious user to gain control of this machine.
Arguments:
Arg1: 0000000000000003, A LIST_ENTRY has been corrupted (i.e. double remove).
Arg2: ffffe580f4e26e40, Address of the trap frame for the exception that caused the bugcheck
Arg3: ffffe580f4e26d98, Address of the exception record for the exception that caused the bugcheck
Arg4: 0000000000000000, Reserved
Debugging Details:
------------------
DUMP_CLASS: 1
DUMP_QUALIFIER: 400
BUILD_VERSION_STRING: 10.0.14393.1066 (rs1_release_sec.170327-1835)
DUMP_TYPE: 2
BUGCHECK_P1: 3
BUGCHECK_P2: ffffe580f4e26e40
BUGCHECK_P3: ffffe580f4e26d98
BUGCHECK_P4: 0
TRAP_FRAME: ffffe580f4e26e40 -- (.trap 0xffffe580f4e26e40)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=ffffc383e86dc640 rbx=0000000000000000 rcx=0000000000000003
rdx=fffff8016b3a1a40 rsi=0000000000000000 rdi=0000000000000000
rip=fffff8016b609a43 rsp=ffffe580f4e26fd0 rbp=ffffe580f4e27100
r8=0000000000000000 r9=ffffa8095affc460 r10=0000000000000000
r11=ffffe580f4e26f90 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei ng nz na pe cy
nt! ?? ::NNGAKEGL::`string'+0xe7a3:
fffff801`6b609a43 cd29 int 29h
Resetting default scope
EXCEPTION_RECORD: ffffe580f4e26d98 -- (.exr 0xffffe580f4e26d98)
ExceptionAddress: fffff8016b609a43 (nt! ?? ::NNGAKEGL::`string'+0x000000000000e7a3)
ExceptionCode: c0000409 (Security check failure or stack buffer overrun)
ExceptionFlags: 00000001
NumberParameters: 1
Parameter[0]: 0000000000000003
Subcode: 0x3 FAST_FAIL_CORRUPT_LIST_ENTRY
DEFAULT_BUCKET_ID: LIST_ENTRY_CORRUPT
BUGCHECK_STR: 0x139
PROCESS_NAME: Slack.exe
CURRENT_IRQL: 1
ERROR_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.
EXCEPTION_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.
EXCEPTION_CODE_STR: c0000409
EXCEPTION_PARAMETER1: 0000000000000003
ANALYSIS_SESSION_HOST: VOSTRO
ANALYSIS_SESSION_TIME: 05-02-2017 09:35:31.0248
ANALYSIS_VERSION: 10.0.14321.1024 amd64fre
LAST_CONTROL_TRANSFER: from fffff8016b1e0929 to fffff8016b1d57c0
STACK_TEXT:
ffffe580`f4e26b18 fffff801`6b1e0929 : 00000000`00000139 00000000`00000003 ffffe580`f4e26e40 ffffe580`f4e26d98 : nt!KeBugCheckEx
ffffe580`f4e26b20 fffff801`6b1e0c90 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiBugCheckDispatch+0x69
ffffe580`f4e26c60 fffff801`6b1dfc73 : ffffc383`e312efc0 00000000`df050e2d ffffa809`5affc400 fffff801`6b0e9311 : nt!KiFastFailDispatch+0xd0
ffffe580`f4e26e40 fffff801`6b609a43 : ffffe580`f4e27100 ffffc383`00000002 ffffc383`e86dc5d0 ffffc383`e86dc5d0 : nt!KiRaiseSecurityCheckFailure+0xf3
ffffe580`f4e26fd0 fffff801`6b4b239b : 00000000`00000000 00000000`e6757898 ffffe580`f4e27100 ffffc383`e86dc5d0 : nt! ?? ::NNGAKEGL::`string'+0xe7a3
ffffe580`f4e27000 fffff801`6b484592 : 00000000`00000000 ffffe580`f4e27470 ffffe580`f4e27401 00000000`00000000 : nt!CmpDoParseKey+0x2adb
ffffe580`f4e273d0 fffff801`6b4abcb1 : fffff801`6b484290 fffff802`00000001 00000000`00000000 ffffe580`f4e27801 : nt!CmpParseKey+0x302
ffffe580`f4e27570 fffff801`6b48d2dd : ffffa809`5a403001 ffffe580`f4e277d0 00000000`00000040 ffffa809`52a71980 : nt!ObpLookupObjectName+0xb71
ffffe580`f4e27740 fffff801`6b48cfbd : ffff1d7f`00000001 000000b9`e31fefd0 00000000`00000001 00000000`00000000 : nt!ObOpenObjectByNameEx+0x1dd
ffffe580`f4e27880 fffff801`6b48a8ff : 00000273`ef1fcdd0 00000273`ebd57058 00000000`00000000 00000273`eab112b0 : nt!CmOpenKey+0x29d
ffffe580`f4e27a40 fffff801`6b1e0493 : ffffa809`5affc080 ffffa809`00000000 00000000`00000000 00000000`00000001 : nt!NtOpenKeyEx+0xf
ffffe580`f4e27a80 00007ff8`510482e4 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13
000000b9`e31feef8 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x00007ff8`510482e4
STACK_COMMAND: kb
THREAD_SHA1_HASH_MOD_FUNC: d4ebd809b295e74f12cd19fb6449617794cb2876
THREAD_SHA1_HASH_MOD_FUNC_OFFSET: 652a499994ccd23dc5888c837e18181a8bb2b379
THREAD_SHA1_HASH_MOD: dc844b1b94baa204d070855e43bbbd27eee98b94
FOLLOWUP_IP:
nt!KiFastFailDispatch+d0
fffff801`6b1e0c90 c644242000 mov byte ptr [rsp+20h],0
FAULT_INSTR_CODE: 202444c6
SYMBOL_STACK_INDEX: 2
SYMBOL_NAME: nt!KiFastFailDispatch+d0
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: nt
IMAGE_NAME: ntkrnlmp.exe
DEBUG_FLR_IMAGE_TIMESTAMP: 58d9f097
IMAGE_VERSION: 10.0.14393.1066
BUCKET_ID_FUNC_OFFSET: d0
FAILURE_BUCKET_ID: 0x139_3_nt!KiFastFailDispatch
BUCKET_ID: 0x139_3_nt!KiFastFailDispatch
PRIMARY_PROBLEM_CLASS: 0x139_3_nt!KiFastFailDispatch
TARGET_TIME: 2017-05-02T06:45:00.000Z
OSBUILD: 14393
OSSERVICEPACK: 1066
SERVICEPACK_NUMBER: 0
OS_REVISION: 0
SUITE_MASK: 272
PRODUCT_TYPE: 1
OSPLATFORM_TYPE: x64
OSNAME: Windows 10
OSEDITION: Windows 10 WinNt TerminalServer SingleUserTS
OS_LOCALE:
USER_LCID: 0
OSBUILD_TIMESTAMP: 2017-03-28 07:11:51
BUILDDATESTAMP_STR: 170327-1835
BUILDLAB_STR: rs1_release_sec
BUILDOSVER_STR: 10.0.14393.1066
ANALYSIS_SESSION_ELAPSED_TIME: 41a
ANALYSIS_SOURCE: KM
FAILURE_ID_HASH_STRING: km:0x139_3_nt!kifastfaildispatch
FAILURE_ID_HASH: {36173680-6f08-995f-065a-3d368c996911}
UPDATE: I have followed the hint from @magicandre1981.
Output of !pde.dpx -du follows:
Start memory scan : 0xffffe580f4e26b18 ($csp)
End memory scan : 0xffffe580f4e28000 (Kernel Stack Base)
0xffffe580f4e26b58 : 0xffffc383d267f800 : !du "{6ae32a55-07ce-434d-bc8a-781006c00e63}0"
0xffffe580f4e26c98 : 0xffffc383d267f800 : !du "{6ae32a55-07ce-434d-bc8a-781006c00e63}0"
0xffffe580f4e26eb8 : 0xffffc383d267f800 : !du "{6ae32a55-07ce-434d-bc8a-781006c00e63}0"
0xffffe580f4e26ec8 : 0xffffc383d267f790 : !du "Microsoft\Windows\CurrentVersion\MMDevices\Audio\Render\{6ae32a55-07ce-434d-bc8a..."
0xffffe580f4e270c8 : 0xffffc383d267f800 : !du "{6ae32a55-07ce-434d-bc8a-781006c00e63}0"
0xffffe580f4e27128 : 0xffffc383d267f790 : !du "Microsoft\Windows\CurrentVersion\MMDevices\Audio\Render\{6ae32a55-07ce-434d-bc8a..."
0xffffe580f4e27160 : 0xffffc383d267f7fe : !du "\{6ae32a55-07ce-434d-bc8a-781006c00e63}0"
0xffffe580f4e27168 : 0xffffc383d267f800 : !du "{6ae32a55-07ce-434d-bc8a-781006c00e63}0"
0xffffe580f4e271a8 : 0xffffc383e3db4d70 : !du "\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MMDevices\Audio\Rend..."
0xffffe580f4e271d0 : 0xffffc383d267f800 : !du "{6ae32a55-07ce-434d-bc8a-781006c00e63}0"
0xffffe580f4e272e8 : 0xffffc383d267f790 : !du "Microsoft\Windows\CurrentVersion\MMDevices\Audio\Render\{6ae32a55-07ce-434d-bc8a..."
0xffffe580f4e272f8 : 0xffffc383d267f7a4 : !du "Windows\CurrentVersion\MMDevices\Audio\Render\{6ae32a55-07ce-434d-bc8a-781006c00..."
0xffffe580f4e27308 : 0xffffc383d267f7b4 : !du "CurrentVersion\MMDevices\Audio\Render\{6ae32a55-07ce-434d-bc8a-781006c00e63}0"
0xffffe580f4e27318 : 0xffffc383d267f7d2 : !du "MMDevices\Audio\Render\{6ae32a55-07ce-434d-bc8a-781006c00e63}0"
0xffffe580f4e27328 : 0xffffc383d267f7e6 : !du "Audio\Render\{6ae32a55-07ce-434d-bc8a-781006c00e63}0"
0xffffe580f4e27338 : 0xffffc383d267f7f2 : !du "Render\{6ae32a55-07ce-434d-bc8a-781006c00e63}0"
0xffffe580f4e27348 : 0xffffc383d267f800 : !du "{6ae32a55-07ce-434d-bc8a-781006c00e63}0"
0xffffe580f4e27428 : 0xffffc383d267f790 : !du "Microsoft\Windows\CurrentVersion\MMDevices\Audio\Render\{6ae32a55-07ce-434d-bc8a..."
0xffffe580f4e27528 : 0xffffc383d267f790 : !du "Microsoft\Windows\CurrentVersion\MMDevices\Audio\Render\{6ae32a55-07ce-434d-bc8a..."
0xffffe580f4e27c18 : 0xffffe580f4e21000 : !du ""nnection* 2-QoS Packet Scheduler-0000""
It looks like accessing the key \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MMDevices\Audio\Render\{6ae32a55-07ce-434d-bc8a-781006c00e63} causes the problem.
Any hints how to find why?
(Currently, the key is not present there.)
nt!CmpDoParseKey by opening a registry key NtOpenKey. – Daye