DRIVER_OVERRAN_STACK_BUFFER (f7) A driver has overrun a stack-based buffer

So is there any way to determine what driver has overrun the stack? It references a corrupted security cookie. Would this be an OS DLL or an app DLL? The "caused by" is a generic win32k.sys. I see this a lot. How does this get corrupted so often?


Kernel Complete Dump File: Full address space is available

WARNING: Dump file has been truncated.  Data may be missing.
Symbol search path is: SRV*C:\WINNT\Symbols*
Executable search path is:
Windows XP Kernel Version 2600 (Service Pack 3) MP (4 procs) Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 2600.xpsp.080413-2111
Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055d720
Debug session time: Tue Jul 23 11:03:33.228 2013 (GMT-5)
System Uptime: 94 days 15:47:10.545
Loading Kernel Symbols
Loading User Symbols
Loading unloaded module list
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *

Use !analyze -v to get detailed debugging information.

BugCheck F7, {0, 986e, ffff6791, 0}

Probably caused by : win32k.sys ( win32k!xxxResolveDesktop+86f )

Followup: MachineOwner

2: kd> !analyze -v
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *

A driver has overrun a stack-based buffer.  This overrun could potentially
allow a malicious user to gain control of this machine.
A driver overran a stack-based buffer (or local variable) in a way that would
have overwritten the function's return address and jumped back to an arbitrary
address when the function returned.  This is the classic "buffer overrun"
hacking attack and the system has been brought down to prevent a malicious user
from gaining complete control of it.
Do a kb to get a stack backtrace -- the last routine on the stack before the
buffer overrun handlers and bugcheck call is the one that overran its local
Arg1: 00000000, Actual security check cookie from the stack
Arg2: 0000986e, Expected security check cookie
Arg3: ffff6791, Complement of the expected security check cookie
Arg4: 00000000, zero

Debugging Details:

bf8bd6db e84335f4ff       call    win32k!_SEH_epilog (bf800c23)

GSFAILURE_FUNCTION: win32k!xxxResolveDesktop

GSFAILURE_MODULE_COOKIE: 0000986e win32k!__security_cookie [ bf99bbb4 ]

GSFAILURE_CORRUPTED_COOKIE: 00000000 [ baa77cc0 ]

SECURITY_COOKIE:  Expected 0000986e found 00000000

Stack buffer overrun analysis follows:

Corruption occured in win32k!xxxResolveDesktop or one of its callers
Real canary at 0xbf99bbb4 (win32k!__security_cookie): 0x0000986e
Real canary complement at : 0xbf99bbb0: 0xffff6791
Corrupted canary at 0xbaa77cc0: 0x00000000
Corrupted cookie value (0x00000000) too generic, skipping read bit-flip check
EBP/ESP check skipped: No saved EBP in exception context
Function win32k!xxxResolveDesktop:
      Funtion has no locals
no candidate buffer found

Stack buffer overrun analysis complete.



LAST_CONTROL_TRANSFER:  from bf911df3 to 804f9f33

baa77bc8 bf911df3 000000f7 00000000 0000986e nt!KeBugCheckEx+0x1b
baa77be8 bf8bd6db e1163c76 75b73f5e 00000000 win32k!__report_gsfailure+0x25
baa77cdc bf878f92 00000a08 baa77d18 baa77d2c win32k!xxxResolveDesktop+0x86f
baa77d4c 8054161c 00000a08 0053fea8 00000000 win32k!NtUserResolveDesktop+0xdb
baa77d4c 7c90e4f4 00000a08 0053fea8 00000000 nt!KiFastCallEntry+0xfc
0053fe18 75b64e59 75b6541a 00000a08 0053fea8 ntdll!KiFastSystemCallRet
0053fe64 75b661bc 00172da4 00000038 00172eb4 winsrv!NtUserResolveDesktop+0xc
0053feb0 75b4356d 00180f98 00000000 00000000 winsrv!ConsoleClientConnectRoutine+0x21b
0053fed0 75b44a47 0053feec 0053ffd8 00000005 CSRSRV!CsrSrvClientConnect+0x70
0053fff4 00000000 00000080 00000000 00000000 CSRSRV!CsrApiRequestThread+0x431


bf8bd6db e84335f4ff       call    win32k!_SEH_epilog (bf800c23)



FOLLOWUP_NAME:  MachineOwner

SYMBOL_NAME:  win32k!xxxResolveDesktop+86f

MODULE_NAME:  win32k

IMAGE_NAME:  win32k.sys


FAILURE_BUCKET_ID:  0xF7_win32k!xxxResolveDesktop+86f

BUCKET_ID:  0xF7_win32k!xxxResolveDesktop+86f

Followup: MachineOwner
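
Added example, not part of the original thread or of any debugger tooling: a small Python triage of the four 0xF7 arguments shown in the dump above. It checks that the expected cookie and its complement still agree and classifies how the stack copy differs from the expected value. The function names and the three category labels are assumptions made for this illustration, and the classification is a heuristic.

```python
import re

# Constructed sample: the argument lines copied from the !analyze -v output above.
SAMPLE = """\
Arg1: 00000000, Actual security check cookie from the stack
Arg2: 0000986e, Expected security check cookie
Arg3: ffff6791, Complement of the expected security check cookie
Arg4: 00000000, zero
"""

ARG_RE = re.compile(r"^Arg([1-4]):\s*([0-9a-fA-F]{8}),", re.MULTILINE)


def parse_args(text):
    """Return {1: int, ...} for the ArgN lines of a 32-bit bugcheck report."""
    args = {int(n): int(v, 16) for n, v in ARG_RE.findall(text)}
    missing = {1, 2, 3} - args.keys()
    if missing:
        raise ValueError(f"missing bugcheck arguments: {sorted(missing)}")
    return args


def triage_f7(text):
    """Classify a 32-bit 0xF7 report from its cookie arguments (heuristic)."""
    a = parse_args(text)
    actual, expected, complement = a[1], a[2], a[3]
    # The module stores the cookie and its bitwise complement as two globals;
    # if they disagree, the module's own data was damaged as well.
    globals_ok = (expected ^ complement) == 0xFFFFFFFF
    changed = bin(actual ^ expected).count("1")
    if actual == 0:
        kind = "zeroed"           # slot cleared or never written
    elif changed == 1:
        kind = "single-bit-flip"  # more typical of a memory fault than a copy
    else:
        kind = "overwritten"      # consistent with data written over the slot
    return {"kind": kind, "bits_changed": changed,
            "module_cookie_intact": globals_ok}


if __name__ == "__main__":
    print(triage_f7(SAMPLE))
```
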
Enable verifier and upload the new dmp file for analysis.

Enable driver verifier
1) Open an elevated command prompt
2) Type "verifier /standard /all"  (no quotes)
3) Reboot your machine
4) Use machine again until it crashes

After the crash & reboot, go into safe mode with networking

Disable driver verifier
1) Open an elevated command prompt
2) Type "verifier /reset" (no quotes)
3) Reboot your machine

dxjAuthor Commented:
Ok I'll try it. Thank you. I do not see any indication that the command took. The command window just flashes back to the previous prompt.  So at C:\ I type verifier/standard/all then enter. The cmd window just flashes back to C:
Make sure there is a space. You can copy and paste the command.

dxjAuthor Commented:
Ok, thank you. I have successfully done this on Win Server. On Win XP I could not get it to work. It takes a while for the machine to BSOD. If you would like me to close the question, I can.
You can keep the question open for next two days.

dxjAuthor Commented:
Thank you. As mentioned, I have not identified my error/fix, due to the infrequency of the failure, but I definitely picked up new knowledge I can use to isolate the problem.