Recently, some of our readers reported that an error occurred while checking kernel security. Failure of kernel security check can be caused by conflicts in installed software. Also, if your computer is experiencing memory problems, virus infection, driver incompatibility or obsolescence issues, corrupted Windows system files, and hard drive errors, you may receive a Kernel Stop Code Security Check Error message. January 5, 2021
Afraid of seeing the blue screen of death or BSoD? Well, the rest of the world too! Plus it’s very boring. Unfortunately, the kernel security check error is one of those “fatal” errors that lead to BSoDs.
Option Table 1 and the dump file can help identify the cause of many of these error checks.
LIST_ENTRY corruption can be difficult to find. This error checking indicates that an inconsistency has been inserted into a double-linked list (found when one list item is added or removed from the list). Unfortunately, a discrepancy is not always recognized during damage, so some detective work may be required to determine the root cause.
Common causes of corrupted list entries:
- The driver has corrupted a kernel sync object such as KEVENT (for example, double initializing KEVENT while a thread was waiting for the same KEVENT, or allowing KEVENT on a stack basis to go out of scope while another thread was in that KEVENT). This type of error checking is usually done in nt! Ke * – or nt! Ki code *. This can happen when the thread stops waiting for the synchronization object or when the code tries to put the synchronization object into the signal state. The reported sync object is usually corrupted. Sometimes Driver Verifier with a special pool can help find the culprit (if the corrupted sync object is in a pool block that has already been freed).
- The pilot has damaged periodic CTIMER. This type of error checking is usually done in nt! Ke * – or nt! Ki * code and enables timer signaling or insertion or deletion of a timer from the timer table. A corrupted timer may be corrupted, but it may be necessary to replace the timer table with ! Timer (or manually view the links in the list of timers) to see which timer was corrupted. Sometimes Driver Verifier with a special pool can help find the culprit (if the damaged KTIMER is in a block of the pool that has already been freed).
- The driver did not process the LIST_ENTRY style internal linked list correctly. A typical example would be calling RemoveEntryList twice for the same list entry without re-inserting the list entry betweentwo calls to RemoveEntryList. Other options are possible, for example. B. double insertion of a record into the same list.
- The driver has published a data structure that contains LIST_ENTRY without removing the data structure from the corresponding list. This will later detect corruption when the list is checked after reusing the old pool block.
- The driver was simultaneously using the LIST_ENTRY style list without proper synchronization, which caused the list to be updated incorrectly.
In most cases, you can identify a corrupted data structure by looking at the linked list (the dl and dlb commands are useful for this) and comparing the results. If the list is inconsistent between forward and reverse execution, this is usually the location of the corruption. Since updating a linked list can change the list’s links of a sibling item, you should take a close look at the neighbors of a damaged list item, as they may be the root cause.
Since many system components use LIST_ENTRYs internally, various types of mismanagement of driver resourcesAnyone using system APIs can corrupt the linked list in a system managed linked list.
How Do I Troubleshoot Kernel Security Checks?