Why is Slack causing a Windows 10 BSOD?

天涯浪子 submitted on 2019-12-10 13:44:24

Question


I have experienced a BSOD every time I have resumed the laptop from sleep. I have analyzed the minidump using WinDbg and the causing process is always Slack.exe. I have googled a bit and found https://www.tenforums.com/bsod-crashes-debugging/80584-0x139-bsods-daily-when-waking-up-sleep.html. Their suggestion is not to use the Windows 10 Slack version, or to close it before going to sleep.

What is the real reason that Slack.exe is causing this BSOD? I assume that Slack does not directly contain any kernel drivers?

Bug check analysis output (simplified):

KERNEL_SECURITY_CHECK_FAILURE (139)
A kernel component has corrupted a critical data structure.  The corruption
could potentially allow a malicious user to gain control of this machine.
Arguments:
Arg1: 0000000000000003, A LIST_ENTRY has been corrupted (i.e. double remove).
Arg2: ffffe580f4e26e40, Address of the trap frame for the exception that caused the bugcheck
Arg3: ffffe580f4e26d98, Address of the exception record for the exception that caused the bugcheck
Arg4: 0000000000000000, Reserved

Debugging Details:
------------------


DUMP_CLASS: 1

DUMP_QUALIFIER: 400

BUILD_VERSION_STRING:  10.0.14393.1066 (rs1_release_sec.170327-1835)

DUMP_TYPE:  2

BUGCHECK_P1: 3

BUGCHECK_P2: ffffe580f4e26e40

BUGCHECK_P3: ffffe580f4e26d98

BUGCHECK_P4: 0

TRAP_FRAME:  ffffe580f4e26e40 -- (.trap 0xffffe580f4e26e40)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=ffffc383e86dc640 rbx=0000000000000000 rcx=0000000000000003
rdx=fffff8016b3a1a40 rsi=0000000000000000 rdi=0000000000000000
rip=fffff8016b609a43 rsp=ffffe580f4e26fd0 rbp=ffffe580f4e27100
 r8=0000000000000000  r9=ffffa8095affc460 r10=0000000000000000
r11=ffffe580f4e26f90 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei ng nz na pe cy
nt! ?? ::NNGAKEGL::`string'+0xe7a3:
fffff801`6b609a43 cd29            int     29h
Resetting default scope

EXCEPTION_RECORD:  ffffe580f4e26d98 -- (.exr 0xffffe580f4e26d98)
ExceptionAddress: fffff8016b609a43 (nt! ?? ::NNGAKEGL::`string'+0x000000000000e7a3)
   ExceptionCode: c0000409 (Security check failure or stack buffer overrun)
  ExceptionFlags: 00000001
NumberParameters: 1
   Parameter[0]: 0000000000000003
Subcode: 0x3 FAST_FAIL_CORRUPT_LIST_ENTRY

DEFAULT_BUCKET_ID:  LIST_ENTRY_CORRUPT

BUGCHECK_STR:  0x139

PROCESS_NAME:  Slack.exe

CURRENT_IRQL:  1

ERROR_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.

EXCEPTION_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.

EXCEPTION_CODE_STR:  c0000409

EXCEPTION_PARAMETER1:  0000000000000003

ANALYSIS_SESSION_HOST:  VOSTRO

ANALYSIS_SESSION_TIME:  05-02-2017 09:35:31.0248

ANALYSIS_VERSION: 10.0.14321.1024 amd64fre

LAST_CONTROL_TRANSFER:  from fffff8016b1e0929 to fffff8016b1d57c0

STACK_TEXT:  
ffffe580`f4e26b18 fffff801`6b1e0929 : 00000000`00000139 00000000`00000003 ffffe580`f4e26e40 ffffe580`f4e26d98 : nt!KeBugCheckEx
ffffe580`f4e26b20 fffff801`6b1e0c90 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiBugCheckDispatch+0x69
ffffe580`f4e26c60 fffff801`6b1dfc73 : ffffc383`e312efc0 00000000`df050e2d ffffa809`5affc400 fffff801`6b0e9311 : nt!KiFastFailDispatch+0xd0
ffffe580`f4e26e40 fffff801`6b609a43 : ffffe580`f4e27100 ffffc383`00000002 ffffc383`e86dc5d0 ffffc383`e86dc5d0 : nt!KiRaiseSecurityCheckFailure+0xf3
ffffe580`f4e26fd0 fffff801`6b4b239b : 00000000`00000000 00000000`e6757898 ffffe580`f4e27100 ffffc383`e86dc5d0 : nt! ?? ::NNGAKEGL::`string'+0xe7a3
ffffe580`f4e27000 fffff801`6b484592 : 00000000`00000000 ffffe580`f4e27470 ffffe580`f4e27401 00000000`00000000 : nt!CmpDoParseKey+0x2adb
ffffe580`f4e273d0 fffff801`6b4abcb1 : fffff801`6b484290 fffff802`00000001 00000000`00000000 ffffe580`f4e27801 : nt!CmpParseKey+0x302
ffffe580`f4e27570 fffff801`6b48d2dd : ffffa809`5a403001 ffffe580`f4e277d0 00000000`00000040 ffffa809`52a71980 : nt!ObpLookupObjectName+0xb71
ffffe580`f4e27740 fffff801`6b48cfbd : ffff1d7f`00000001 000000b9`e31fefd0 00000000`00000001 00000000`00000000 : nt!ObOpenObjectByNameEx+0x1dd
ffffe580`f4e27880 fffff801`6b48a8ff : 00000273`ef1fcdd0 00000273`ebd57058 00000000`00000000 00000273`eab112b0 : nt!CmOpenKey+0x29d
ffffe580`f4e27a40 fffff801`6b1e0493 : ffffa809`5affc080 ffffa809`00000000 00000000`00000000 00000000`00000001 : nt!NtOpenKeyEx+0xf
ffffe580`f4e27a80 00007ff8`510482e4 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13
000000b9`e31feef8 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x00007ff8`510482e4


STACK_COMMAND:  kb

THREAD_SHA1_HASH_MOD_FUNC:  d4ebd809b295e74f12cd19fb6449617794cb2876

THREAD_SHA1_HASH_MOD_FUNC_OFFSET:  652a499994ccd23dc5888c837e18181a8bb2b379

THREAD_SHA1_HASH_MOD:  dc844b1b94baa204d070855e43bbbd27eee98b94

FOLLOWUP_IP: 
nt!KiFastFailDispatch+d0
fffff801`6b1e0c90 c644242000      mov     byte ptr [rsp+20h],0

FAULT_INSTR_CODE:  202444c6

SYMBOL_STACK_INDEX:  2

SYMBOL_NAME:  nt!KiFastFailDispatch+d0

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: nt

IMAGE_NAME:  ntkrnlmp.exe

DEBUG_FLR_IMAGE_TIMESTAMP:  58d9f097

IMAGE_VERSION:  10.0.14393.1066

BUCKET_ID_FUNC_OFFSET:  d0

FAILURE_BUCKET_ID:  0x139_3_nt!KiFastFailDispatch

BUCKET_ID:  0x139_3_nt!KiFastFailDispatch

PRIMARY_PROBLEM_CLASS:  0x139_3_nt!KiFastFailDispatch

TARGET_TIME:  2017-05-02T06:45:00.000Z

OSBUILD:  14393

OSSERVICEPACK:  1066

SERVICEPACK_NUMBER: 0

OS_REVISION: 0

SUITE_MASK:  272

PRODUCT_TYPE:  1

OSPLATFORM_TYPE:  x64

OSNAME:  Windows 10

OSEDITION:  Windows 10 WinNt TerminalServer SingleUserTS

OS_LOCALE:  

USER_LCID:  0

OSBUILD_TIMESTAMP:  2017-03-28 07:11:51

BUILDDATESTAMP_STR:  170327-1835

BUILDLAB_STR:  rs1_release_sec

BUILDOSVER_STR:  10.0.14393.1066

ANALYSIS_SESSION_ELAPSED_TIME: 41a

ANALYSIS_SOURCE:  KM

FAILURE_ID_HASH_STRING:  km:0x139_3_nt!kifastfaildispatch

FAILURE_ID_HASH:  {36173680-6f08-995f-065a-3d368c996911}

UPDATE: I have followed the hint from @magicandre1981.

Output of !pde.dpx -du follows:

Start memory scan  : 0xffffe580f4e26b18 ($csp)
End memory scan    : 0xffffe580f4e28000 (Kernel Stack Base)

0xffffe580f4e26b58 : 0xffffc383d267f800 :  !du "{6ae32a55-07ce-434d-bc8a-781006c00e63}0"
0xffffe580f4e26c98 : 0xffffc383d267f800 :  !du "{6ae32a55-07ce-434d-bc8a-781006c00e63}0"
0xffffe580f4e26eb8 : 0xffffc383d267f800 :  !du "{6ae32a55-07ce-434d-bc8a-781006c00e63}0"
0xffffe580f4e26ec8 : 0xffffc383d267f790 :  !du "Microsoft\Windows\CurrentVersion\MMDevices\Audio\Render\{6ae32a55-07ce-434d-bc8a..."
0xffffe580f4e270c8 : 0xffffc383d267f800 :  !du "{6ae32a55-07ce-434d-bc8a-781006c00e63}0"
0xffffe580f4e27128 : 0xffffc383d267f790 :  !du "Microsoft\Windows\CurrentVersion\MMDevices\Audio\Render\{6ae32a55-07ce-434d-bc8a..."
0xffffe580f4e27160 : 0xffffc383d267f7fe :  !du "\{6ae32a55-07ce-434d-bc8a-781006c00e63}0"
0xffffe580f4e27168 : 0xffffc383d267f800 :  !du "{6ae32a55-07ce-434d-bc8a-781006c00e63}0"
0xffffe580f4e271a8 : 0xffffc383e3db4d70 :  !du "\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MMDevices\Audio\Rend..."
0xffffe580f4e271d0 : 0xffffc383d267f800 :  !du "{6ae32a55-07ce-434d-bc8a-781006c00e63}0"
0xffffe580f4e272e8 : 0xffffc383d267f790 :  !du "Microsoft\Windows\CurrentVersion\MMDevices\Audio\Render\{6ae32a55-07ce-434d-bc8a..."
0xffffe580f4e272f8 : 0xffffc383d267f7a4 :  !du "Windows\CurrentVersion\MMDevices\Audio\Render\{6ae32a55-07ce-434d-bc8a-781006c00..."
0xffffe580f4e27308 : 0xffffc383d267f7b4 :  !du "CurrentVersion\MMDevices\Audio\Render\{6ae32a55-07ce-434d-bc8a-781006c00e63}0"
0xffffe580f4e27318 : 0xffffc383d267f7d2 :  !du "MMDevices\Audio\Render\{6ae32a55-07ce-434d-bc8a-781006c00e63}0"
0xffffe580f4e27328 : 0xffffc383d267f7e6 :  !du "Audio\Render\{6ae32a55-07ce-434d-bc8a-781006c00e63}0"
0xffffe580f4e27338 : 0xffffc383d267f7f2 :  !du "Render\{6ae32a55-07ce-434d-bc8a-781006c00e63}0"
0xffffe580f4e27348 : 0xffffc383d267f800 :  !du "{6ae32a55-07ce-434d-bc8a-781006c00e63}0"
0xffffe580f4e27428 : 0xffffc383d267f790 :  !du "Microsoft\Windows\CurrentVersion\MMDevices\Audio\Render\{6ae32a55-07ce-434d-bc8a..."
0xffffe580f4e27528 : 0xffffc383d267f790 :  !du "Microsoft\Windows\CurrentVersion\MMDevices\Audio\Render\{6ae32a55-07ce-434d-bc8a..."
0xffffe580f4e27c18 : 0xffffe580f4e21000 :  !du ""nnection* 2-QoS Packet Scheduler-0000""

It looks like accessing the key \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MMDevices\Audio\Render\{6ae32a55-07ce-434d-bc8a-781006c00e63} causes the problem.

Any hints on how to find out why?

(Currently, the key is not present there.)

Source: https://stackoverflow.com/questions/43732613/why-slack-is-causing-windows-10-bsod
