Windows 10: Security and Kernel Dumps

Discussion of Security and Kernel Dumps in 'Windows 10 BSOD Crashes and Debugging', started by Cantoris, Jul 17, 2017.

  1. Cantoris Win User

    Security and Kernel Dumps


    I've identified a third-party DLL as the potential cause of an occasional BSoD I've been getting. The [small] developer wants me to upload them a Kernel Dump.

    I'm concerned as to the security implications of doing this. Though I have no reason to be suspicious of the developer, what would I be exposing by providing a Kernel Dump?

    Thanks for your advice!

    :)
     
    Cantoris, Jul 17, 2017
    #1
  2. Willwork4food, Jul 17, 2017
    #2
  3. Lego15451 Win User
    Kernel Security Check Failure

    Frequently having BSODs; the error message is Kernel Security Check Failure. Please help.

    dump file Dumpfile.zip

    This is the latest dump file if you need the others just ask for them.
     
    Lego15451, Jul 17, 2017
    #3
  4. zbook New Member
    See: BSOD - Posting Instructions - Windows 10 Forums
    To see an example of a minidump file, please open any entry in the BSOD forum to view the collected files and click on a minidump file. In case it does not open, this is an example:

    Microsoft (R) Windows Debugger Version 6.3.9600.17336 AMD64
    Copyright (c) Microsoft Corporation. All rights reserved.

    Loading Dump File [C:\Users\aaaaaaa\AppData\Local\Temp\Temp1_KOSTAS-PC-17_07_2017_224107_15.zip\062417-7765-01.dmp]
    Mini Kernel Dump File: Only registers and stack trace are available

    ************* Symbol Path validation summary **************
    Response Time (ms) Location
    Deferred SRV*C:\SymCache*Symbol information
    Symbol search path is: SRV*C:\SymCache*Symbol information
    Executable search path is:
    Windows 8 Kernel Version 15063 MP (6 procs) Free x64
    Product: WinNt, suite: TerminalServer SingleUserTS
    Built by: 15063.0.amd64fre.rs2_release.170317-1834
    Machine Name:
    Kernel base = 0xfffff800`9f49b000 PsLoadedModuleList = 0xfffff800`9f7e75a0
    Debug session time: Thu Jun 22 17:52:31.819 2017 (UTC - 5:00)
    System Uptime: 5 days 4:52:56.000
    Loading Kernel Symbols
    ...............................................................
    ................................................................
    ....................................................
    Loading User Symbols
    Loading unloaded module list
    .....................
    *******************************************************************************
    * *
    * Bugcheck Analysis *
    * *
    *******************************************************************************


    Use !analyze -v to get detailed debugging information.


    BugCheck 1E, {ffffffffc0000094, fffff805909949f0, ffffd6813380e058, ffffd6813380d8a0}


    Probably caused by : memory_corruption


    Followup: memory_corruption
    ---------
     
    zbook, Jul 17, 2017
    #4
  5. axe0 New Member
    Hi Cantoris,

    A kernel dump contains information of anything that runs with administrator privilege, e.g. programs and drivers.
    IF personal data is present in the kernel dump, it is quite difficult to identify. It is not easy to go through everything a kernel dump has to offer, because it requires knowledge of how various systems in Windows work, plus they need to translate addresses such as ffffd6813380e058 and ffffd6813380d8a0 (thanks zbook) to the data that the software uses.
    IF there is personal data present, it takes a very long time for them to find it; consider it a waste of time if they would actually try it, as the chance is very small that they find anything.

    What zbook provides is a very, very small example of what a kernel dump can provide. The information zbook posted is from a minidump, which is a mere 100 to 200 KB; a kernel dump is a few hundred MB to a few GB.
     
  6. Cantoris Win User
    Thanks Axe0!
    I'm concerned about things like data from Password Managers or exposing credentials for OneDrive/DropBox - that sort of thing.
    I don't know how much of that is at the kernel level and how much is only in the specific processes' usermode space.
     
    Cantoris, Jul 17, 2017
    #6
  7. axe0 New Member
    Don't worry about password managers; password managers' data should be encrypted. Finding the data is not easy, decrypting it is another thing. That is, if they run in admin mode, for which I can find no reason (off the top of my head) why they'd need to.

    Cloud apps usually require administrator permission, but only for installing the app. The credentials of cloud apps are in usermode (and encrypted).

    Apps require administrator permission for installing, but when the install process is finished they usually don't have permission anymore. If any app you're concerned about needs admin mode for anything, it is in kernel mode. You can ask the support team of this app what they do with the data you're concerned about to get to know what goes in kernel mode and what not.
     
  8. Cantoris Win User
    I searched the dump using PowerShell for a few sets of credentials and was able to find some in plaintext. :-(
     
    Cantoris, Jul 29, 2017
    #8
  9. axe0 New Member
    How did you translate the data from this dump into plain text?
     
  10. Cantoris Win User
    I just sent the file to the Select-String cmdlet. Because you see the matches in context, I could see credentials wrapped in HTML for example.
     
    Cantoris, Jul 29, 2017
    #10
  11. Cantoris Win User
    I'm not loading the dump file into WinDbg to debug a fatal exception; I'm just treating the file as one massive chunk of data and letting the PowerShell cmdlet Select-String look for specific plaintext matches within it. If the string I tell it to look for (e.g. a specific password) was sitting unencrypted in kernel memory, then it'll be visible in the dump that way - and it was.
     
    Cantoris, Jul 29, 2017
    #11
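An added example (not code from any poster or from the developer's tooling) that generalizes the Select-String check Cantoris describes above and axe0's point that personal data in a dump is hard to spot by hand: it treats a dump as raw bytes, searches for a list of known secrets in both narrow (ASCII/UTF-8) and UTF-16LE form (the wide form is what a text-mode search over the raw file misses), handles multi-GB files in chunks, and reports offsets without echoing the secret. The sample dump bytes and the secrets are constructed.

```python
import sys

# Constructed sample "dump" (not a real .dmp): binary noise with one secret in narrow
# form and one in UTF-16LE, the form Windows keeps many in-memory strings in.
SAMPLE_DUMP = (
    b"\x00\xff\x10PAGEDUMP" + b"\x00" * 16
    + b"<input name='pw' value='Hunter2!'>" + b"\x00" * 8
    + "token=ABC123secret".encode("utf-16-le") + b"\x7f" * 8
    + "Hunter2!".encode("utf-16-le")
)

def needles_for(secret: str) -> dict:
    """Byte forms a secret can take in memory: narrow (UTF-8/ASCII) and wide (UTF-16LE)."""
    return {"utf-8": secret.encode("utf-8"), "utf-16-le": secret.encode("utf-16-le")}

def find_secrets(data: bytes, secrets, base: int = 0, context: int = 12) -> list:
    """Return (secret, encoding, absolute_offset, surrounding_bytes) for every hit in data."""
    hits = []
    for secret in secrets:
        for enc, needle in needles_for(secret).items():
            pos = data.find(needle)
            while pos != -1:
                lo, hi = max(0, pos - context), pos + len(needle) + context
                hits.append((secret, enc, base + pos, data[lo:hi]))
                pos = data.find(needle, pos + 1)
    return hits

def scan_dump(path, secrets, chunk_size: int = 64 * 1024 * 1024) -> list:
    """Scan a multi-GB dump in chunks, carrying an overlap so a secret that straddles a
    chunk boundary is still found; hits repeated by the overlap are dropped by offset."""
    overlap = max(len(s.encode("utf-16-le")) for s in secrets) - 1
    seen, hits, tail, base = set(), [], b"", 0
    with open(path, "rb") as f:
        while chunk := f.read(chunk_size):
            buf = tail + chunk
            for hit in find_secrets(buf, secrets, base - len(tail)):
                if hit[:3] not in seen:
                    seen.add(hit[:3])
                    hits.append(hit)
            base += len(chunk)
            tail = buf[-overlap:] if overlap else b""
    return hits

def report(hits) -> list:
    """Lines fit for a bug report: where each secret sits, never the secret itself."""
    return [f"{s[:2]}{'*' * (len(s) - 2)} found as {enc} at offset 0x{off:x}"
            for s, enc, off, _ in hits]

if __name__ == "__main__":  # usage: python scan.py <dump.dmp> <secret> [<secret> ...]
    print("\n".join(report(scan_dump(sys.argv[1], sys.argv[2:]))))
```

Any hit means the dump is unsuitable to share as-is; a clean run only proves the listed secrets are absent in these two encodings, not that the dump holds nothing else sensitive.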
  12. axe0 New Member
    I'm aware of the difference, but I presume this developer uses WinDbg, since WinDbg is a good tool to debug.
    If this developer does, WinDbg requires (private) symbols to get information from data that 3rd party programs use, AFAIK.

    With PowerShell you can't debug dumps to find out what went wrong.
     
  13. Cantoris Win User
    I assume he'd use WinDbg and have his own symbol files to determine if his app was indeed involved with the BSoD. I was just concerned about what else I would be exposing in a kernel dump. A search for a plaintext match against a few password strings for apps I had open when it crashed seemed the easiest way to see if a kernel dump file was unsuitable for sending to the developer.
     
    Cantoris, Jul 29, 2017
    #13
  14. axe0 New Member
    I hope you have the answer you're looking for. :)
     
  15. Cantoris Win User
    Yes, thanks for your help.
     
    Cantoris, Jul 29, 2017
    #15