  2. CORE-9184 SepAccessCheckEx is broken
  3. CORE-9176

\Device\Tcp (and other device objects) has incorrect ACLs


    Details

    • Type: Sub-task
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Fix Version/s: 0.4.11
    • Component/s: Networking, NTCore
    • Labels:
      None

      Description

      On Windows, device objects seem to have a default ACL that grants write access to both SYSTEM and the Administrators group. In ReactOS, the default ACL grants Administrators only read access, so a write-access open of \Device\Tcp by an Administrators member is denied.
      Example debug message and backtrace (from a user-mode open of \Device\Tcp via iphlpapi):

      (..\..\ntoskrnl\se\accesschk.c:253) HACK: RemainingAccess = 0x00000116  DesiredAccess = 0x001001bf
      Break instruction exception - code 80000003 (first chance)
      nt!SepAccessCheckEx+0x53a:
      8052776a cc              int     3
      kd> kp
      ChildEBP RetAddr  
      f70a214c 80527903 nt!SepAccessCheckEx(void * SecurityDescriptor = 0xe1006218, struct _SECURITY_SUBJECT_CONTEXT * SubjectSecurityContext = 0xb4ae6494, unsigned long DesiredAccess = 0x1001bf, struct _OBJECT_TYPE_LIST * ObjectTypeList = 0x00000000, unsigned long ObjectTypeListLength = 0, unsigned long PreviouslyGrantedAccess = 0x20000, struct _PRIVILEGE_SET ** Privileges = 0xf70a2254, struct _GENERIC_MAPPING * GenericMapping = 0xb4d63778, char AccessMode = 0n1 '', unsigned long * GrantedAccessList = 0xf70a2264, long * AccessStatusList = 0xf70a22f4, unsigned char UseResultList = 0x00 '')+0x53a [c:\ros\reactos-clean\reactos\ntoskrnl\se\accesschk.c @ 255]
      f70a2184 80527ad7 nt!SepAccessCheck(void * SecurityDescriptor = 0xe1006218, struct _SECURITY_SUBJECT_CONTEXT * SubjectSecurityContext = 0xb4ae6494, unsigned long DesiredAccess = 0x1001bf, unsigned long PreviouslyGrantedAccess = 0x20000, struct _PRIVILEGE_SET ** Privileges = 0xf70a2254, struct _GENERIC_MAPPING * GenericMapping = 0xb4d63778, char AccessMode = 0n1 '', unsigned long * GrantedAccess = 0xf70a2264, long * AccessStatus = 0xf70a22f4)+0x33 [c:\ros\reactos-clean\reactos\ntoskrnl\se\accesschk.c @ 312]
      f70a21c0 804774e8 nt!SeAccessCheck(void * SecurityDescriptor = 0xe1006218, struct _SECURITY_SUBJECT_CONTEXT * SubjectSecurityContext = 0xb4ae6494, unsigned char SubjectContextLocked = 0x01 '', unsigned long DesiredAccess = 0x1001bf, unsigned long PreviouslyGrantedAccess = 0x20000, struct _PRIVILEGE_SET ** Privileges = 0xf70a2254, struct _GENERIC_MAPPING * GenericMapping = 0xb4d63778, char AccessMode = 0n1 '', unsigned long * GrantedAccess = 0xf70a2264, long * AccessStatus = 0xf70a22f4)+0x1c7 [c:\ros\reactos-clean\reactos\ntoskrnl\se\accesschk.c @ 445]
      f70a230c 8050b813 nt!IopParseDevice(void * ParseObject = 0xb4ba9990, void * ObjectType = 0x00000000, struct _ACCESS_STATE * AccessState = 0xb4ae6478, char AccessMode = 0n1 '', unsigned long Attributes = 0x40, struct _UNICODE_STRING * CompleteName = 0xf70a242c "\Device\Tcp", struct _UNICODE_STRING * RemainingName = 0xf70a23a4 "", void * Context = 0xb49a1ba0, struct _SECURITY_QUALITY_OF_SERVICE * SecurityQos = 0x00000000, void ** Object = 0xf70a23c8)+0x3a8 [c:\ros\reactos-clean\reactos\ntoskrnl\io\iomgr\file.c @ 418]
      f70a23d0 80505298 nt!ObpLookupObjectName(void * RootHandle = 0x00000000, struct _UNICODE_STRING * ObjectName = 0xf70a242c "\Device\Tcp", unsigned long Attributes = 0x40, struct _OBJECT_TYPE * ObjectType = 0x00000000, char AccessMode = 0n1 '', void * ParseContext = 0xb49a1ba0, struct _SECURITY_QUALITY_OF_SERVICE * SecurityQos = 0x00000000, void * InsertObject = 0x00000000, struct _ACCESS_STATE * AccessState = 0xb4ae6478, struct _OBP_LOOKUP_CONTEXT * LookupContext = 0xb4ae651c, void ** FoundObject = 0xf70a243c)+0x833 [c:\ros\reactos-clean\reactos\ntoskrnl\ob\obname.c @ 818]
      f70a2444 8047aae5 nt!ObOpenObjectByName(struct _OBJECT_ATTRIBUTES * ObjectAttributes = 0x00b5eb68, struct _OBJECT_TYPE * ObjectType = 0x00000000, char AccessMode = 0n1 '', struct _ACCESS_STATE * PassedAccessState = 0xb4ae6478, unsigned long DesiredAccess = 0xe0100000, void * ParseContext = 0xb49a1ba0, void ** Handle = 0xf70a24c4)+0x1b8 [c:\ros\reactos-clean\reactos\ntoskrnl\ob\obhandle.c @ 2514]
      f70a24e8 8047bd9a nt!IoCreateFile(void ** FileHandle = 0x00b5ebb4, unsigned long DesiredAccess = 0xe0100000, struct _OBJECT_ATTRIBUTES * ObjectAttributes = 0x00b5eb68, struct _IO_STATUS_BLOCK * IoStatusBlock = 0x00b5eb58, union _LARGE_INTEGER * AllocationSize = 0x00000000, unsigned long FileAttributes = 0x80, unsigned long ShareAccess = 3, unsigned long Disposition = 3, unsigned long CreateOptions = 0x20, void * EaBuffer = 0x00000000, unsigned long EaLength = 0, _CREATE_FILE_TYPE CreateFileType = CreateFileTypeNone (0), void * ExtraCreateParameters = 0x00000000, unsigned long Options = 0)+0xa25 [c:\ros\reactos-clean\reactos\ntoskrnl\io\iomgr\file.c @ 2463]
      f70a2528 80542689 nt!NtCreateFile(void ** FileHandle = 0x00b5ebb4, unsigned long DesiredAccess = 0xe0100000, struct _OBJECT_ATTRIBUTES * ObjectAttributes = 0x00b5eb68, struct _IO_STATUS_BLOCK * IoStatusBlock = 0x00b5eb58, union _LARGE_INTEGER * AllocateSize = 0x00000000, unsigned long FileAttributes = 0x80, unsigned long ShareAccess = 3, unsigned long CreateDisposition = 3, unsigned long CreateOptions = 0x20, void * EaBuffer = 0x00000000, unsigned long EaLength = 0)+0x3a [c:\ros\reactos-clean\reactos\ntoskrnl\io\iomgr\file.c @ 3228]
      f70a2564 8054219d nt!KiSystemCallTrampoline(void * Handler = 0x8047bd60, void * Arguments = 0x00b5eb1c, unsigned long StackBytes = 0x2c)+0x19 [c:\ros\reactos-clean\reactos\ntoskrnl\include\internal\i386\ke.h @ 725]
      f70a25ac 80403e03 nt!KiSystemServiceHandler(struct _KTRAP_FRAME * TrapFrame = 0xf70a25b4, void * Arguments = 0x00b5eb1c)+0x23d [c:\ros\reactos-clean\reactos\ntoskrnl\ke\i386\traphdlr.c @ 1717]
      f70a25ac 7c92fb8e nt!KiFastCallEntry+0x8c
      00b5eb10 7c95ab25 ntdll!KiFastSystemCallRet
      00b5eb14 7791ff73 ntdll!NtCreateFile+0xc
      00b5eb94 779134de iphlpapi!openTcpFile(void ** tcpFile = 0x00b5ebb4)+0x83 [c:\ros\reactos-clean\reactos\lib\tdilib\handle.c @ 38]
      00b5eccc 77917e5d iphlpapi!getInterfaceNameByIndex(unsigned long index = 1)+0x3e [c:\ros\reactos-clean\reactos\dll\win32\iphlpapi\ifenum_reactos.c @ 353]
      00b5ece0 71ea559f iphlpapi!GetIfEntry(struct _MIB_IFROW * pIfRow = 0x00b5f0bc)+0x7d [c:\ros\reactos-clean\reactos\dll\win32\iphlpapi\iphlpapi_main.c @ 874]
      00b5f450 71ea5a8c netshell!CNetConnectionManager::EnumerateINetConnections(void)+0x2ff [c:\ros\reactos-clean\reactos\dll\shellext\netshell\connectmanager.cpp @ 596]
      00b5f46c 71ea9cd0 netshell!INetConnectionManager_Constructor(struct IUnknown * pUnkOuter = 0x00000000, struct _GUID * riid = 0x71eb1198 {c08956a2-1cd3-11d1-b1c5-00805fc1270e}, void ** ppv = 0x00b5f4d0)+0xfc [c:\ros\reactos-clean\reactos\dll\shellext\netshell\connectmanager.cpp @ 689]
      00b5f8a0 71eaa4a8 netshell!CLanStatus::InitializeNetTaskbarNotifications(void)+0x190 [c:\ros\reactos-clean\reactos\dll\shellext\netshell\lanstatusui.cpp @ 999]
      00b5f8a8 00a11127 netshell!CLanStatus::Exec(struct _GUID * pguidCmdGroup = 0x00a1cebc {000214d2-0000-0000-c000-000000000046}, unsigned long nCmdID = 2, unsigned long nCmdexecopt = 0, struct tagVARIANT * pvaIn = 0x00000000, struct tagVARIANT * pvaOut = 0x00000000)+0x28 [c:\ros\reactos-clean\reactos\dll\shellext\netshell\lanstatusui.cpp @ 1190]
      00b5f8d8 00a1127b stobject!CSysTray::InitNetShell(void)+0x77 [c:\ros\reactos-clean\reactos\dll\shellext\stobject\csystray.cpp @ 29]
      00b5f8f0 00a11a85 stobject!CSysTray::InitIcons(void)+0xab [c:\ros\reactos-clean\reactos\dll\shellext\stobject\csystray.cpp @ 54]
      00b5f904 00a126ba stobject!CSysTray::ProcessWindowMessage(struct HWND__ * hWnd = 0x000500c8, unsigned int uMsg = 1, unsigned int wParam = 0, long lParam = 0xb5faf0, long * lResult = 0x00b5f93c, unsigned long dwMsgMapID = 0)+0x55 [c:\ros\reactos-clean\reactos\dll\shellext\stobject\csystray.cpp @ 211]
      00b5f970 77a844b7 stobject!ATL::CWindowImplBaseT<ATL::CWindow,ATL::CWinTraits<2252341248,392> >::WindowProc(struct HWND__ * hWnd = 0x000500c8, unsigned int uMsg = 1, unsigned int wParam = 0, long lParam = 0xb5faf0)+0x9a [c:\ros\reactos-clean\reactos\lib\atl\atlwin.h @ 479]
      00b5fa2c 77a88303 user32!IntCallWindowProcW(int IsAnsiProc = 0, <function> * WndProc = 0x00a50000, struct _WND * pWnd = 0x003459d0, struct HWND__ * hWnd = 0x000500c8, unsigned int Msg = 1, unsigned int wParam = 0, long lParam = 0xb5faf0)+0x417 [c:\ros\reactos-clean\reactos\win32ss\user\user32\windows\message.c @ 1490]
      00b5fab8 7c92fae1 user32!User32CallWindowProcFromKernel(void * Arguments = 0x00b5fad0, unsigned long ArgumentLength = 0x56)+0x1f3 [c:\ros\reactos-clean\reactos\win32ss\user\user32\windows\message.c @ 2920]
      00b5fc4c 77a92228 ntdll!KiUserCallbackDispatcher+0x2e
      00b5fce8 00a12962 user32!CreateWindowExW(unsigned long dwExStyle = 0x188, wchar_t * lpClassName = 0x0000c065 "--- memory read error at address 0x0000c065 ---", wchar_t * lpWindowName = 0x00000000 "", unsigned long dwStyle = 0x86400000, int x = 0x80000000, int y = 0x80000000, int nWidth = 0x80000000, int nHeight = 0x80000000, struct HWND__ * hWndParent = 0x00000000, struct HMENU__ * hMenu = 0x00000000, struct HINSTANCE__ * hInstance = 0x00a10000, void * lpParam = 0x00000000)+0x318 [c:\ros\reactos-clean\reactos\win32ss\user\user32\windows\window.c @ 567]
      00b5fd28 00a11efb stobject!ATL::CWindowImplBaseT<ATL::CWindow,ATL::CWinTraits<2252341248,392> >::Create(struct HWND__ * hWndParent = 0x00000000, class ATL::_U_RECT rect = class ATL::_U_RECT, wchar_t * szWindowName = 0x00000000 "", unsigned long dwStyle = 0x86400000, unsigned long dwExStyle = 0x188, class ATL::_U_MENUorID MenuOrID = class ATL::_U_MENUorID, unsigned short atom = 0xc065, void * lpCreateParam = 0x00000000)+0xd2 [c:\ros\reactos-clean\reactos\lib\atl\atlwin.h @ 528]
      00b5fd60 00a1181a stobject!ATL::CWindowImpl<CSysTray,ATL::CWindow,ATL::CWinTraits<2252341248,392> >::Create(struct HWND__ * hWndParent = 0x00000000, class ATL::_U_RECT rect = class ATL::_U_RECT, wchar_t * szWindowName = 0x00000000 "", unsigned long dwStyle = 0x86400000, unsigned long dwExStyle = 0x188, class ATL::_U_MENUorID MenuOrID = class ATL::_U_MENUorID, void * lpCreateParam = 0x00000000)+0xab [c:\ros\reactos-clean\reactos\lib\atl\atlwin.h @ 565]
      00b5ffac 00a116f9 stobject!CSysTray::SysTrayThreadProc(void)+0x7a [c:\ros\reactos-clean\reactos\dll\shellext\stobject\csystray.cpp @ 153]
      00b5ffb8 77da2c0d stobject!CSysTray::s_SysTrayThreadProc(void * param = 0x00140908)+0x19 [c:\ros\reactos-clean\reactos\dll\shellext\stobject\csystray.cpp @ 124]
      00b5ffec 00000000 kernel32!BaseThreadStartup(<function> * lpStartAddress = 0x00a116e0, void * lpParameter = 0x00140908)+0x5d [c:\ros\reactos-clean\reactos\dll\win32\kernel32\client\thread.c @ 69]


            People

            • Assignee:
              Heis Spiter Pierre Schweitzer
              Reporter:
              ThFabba ThFabba
