Fail Fast Codes

By Stephen Kellett
11 January, 2022

When Windows encounters an error condition that might compromise the security of the computer, the program that encounters that condition is terminated as fast as possible. This is done via the Fast Fail mechanism.

Fast Fail is implemented as an intrinsic, which means you can’t redefine it, and you can’t hook it from user mode code. On x86/x64 it’s implemented as an interrupt call, which is handled inside the kernel.

The definitions for these codes are in winnt.h.

DefinitionValueComment
FAST_FAIL_LEGACY_GS_VIOLATION0Do not use. Legacy value.
FAST_FAIL_VTGUARD_CHECK_FAILURE1 
FAST_FAIL_STACK_COOKIE_CHECK_FAILURE2 
FAST_FAIL_CORRUPT_LIST_ENTRY3 
FAST_FAIL_INCORRECT_STACK4 
FAST_FAIL_INVALID_ARG5 
FAST_FAIL_GS_COOKIE_INIT6 
FAST_FAIL_FATAL_APP_EXIT7 
FAST_FAIL_RANGE_CHECK_FAILURE8 
FAST_FAIL_UNSAFE_REGISTRY_ACCESS9 
FAST_FAIL_GUARD_ICALL_CHECK_FAILURE10 
FAST_FAIL_GUARD_WRITE_CHECK_FAILURE11 
FAST_FAIL_INVALID_FIBER_SWITCH12 
FAST_FAIL_INVALID_SET_OF_CONTEXT13 
FAST_FAIL_INVALID_REFERENCE_COUNT14 
FAST_FAIL_INVALID_JUMP_BUFFER18 
FAST_FAIL_MRDATA_MODIFIED19 
FAST_FAIL_CERTIFICATION_FAILURE20 
FAST_FAIL_INVALID_EXCEPTION_CHAIN21 
FAST_FAIL_CRYPTO_LIBRARY22 
FAST_FAIL_INVALID_CALL_IN_DLL_CALLOUT23 
FAST_FAIL_INVALID_IMAGE_BASE24 
FAST_FAIL_DLOAD_PROTECTION_FAILURE25 
FAST_FAIL_UNSAFE_EXTENSION_CALL26 
FAST_FAIL_DEPRECATED_SERVICE_INVOKED27 
FAST_FAIL_INVALID_BUFFER_ACCESS28 
FAST_FAIL_INVALID_BALANCED_TREE29 
FAST_FAIL_INVALID_NEXT_THREAD30 
FAST_FAIL_GUARD_ICALL_CHECK_SUPPRESSED31Telemetry, nonfatal
FAST_FAIL_APCS_DISABLED32 
FAST_FAIL_INVALID_IDLE_STATE33 
FAST_FAIL_MRDATA_PROTECTION_FAILURE34 
FAST_FAIL_UNEXPECTED_HEAP_EXCEPTION35 
FAST_FAIL_INVALID_LOCK_STATE36 
FAST_FAIL_GUARD_JUMPTABLE37Compiler uses this value. Do not change.
FAST_FAIL_INVALID_LONGJUMP_TARGET38 
FAST_FAIL_INVALID_DISPATCH_CONTEXT39 
FAST_FAIL_INVALID_THREAD40 
FAST_FAIL_INVALID_SYSCALL_NUMBER41Telemetry, nonfatal
FAST_FAIL_INVALID_FILE_OPERATION42Telemetry, nonfatal
FAST_FAIL_LPAC_ACCESS_DENIED43Telemetry, nonfatal
FAST_FAIL_GUARD_SS_FAILURE44 
FAST_FAIL_LOADER_CONTINUITY_FAILURE45Telemetry, nonfatal
FAST_FAIL_GUARD_EXPORT_SUPPRESSION_FAILURE46 
FAST_FAIL_INVALID_CONTROL_STACK47 
FAST_FAIL_SET_CONTEXT_DENIED48 
FAST_FAIL_INVALID_IAT49 
FAST_FAIL_HEAP_METADATA_CORRUPTION50 
FAST_FAIL_PAYLOAD_RESTRICTION_VIOLATION51 
FAST_FAIL_LOW_LABEL_ACCESS_DENIED52Telemetry, nonfatal
FAST_FAIL_ENCLAVE_CALL_FAILURE53 
FAST_FAIL_UNHANDLED_LSS_EXCEPTON54 
FAST_FAIL_ADMINLESS_ACCESS_DENIED55Telemetry, nonfatal
FAST_FAIL_UNEXPECTED_CALL56 
FAST_FAIL_CONTROL_INVALID_RETURN_ADDRESS57 
FAST_FAIL_UNEXPECTED_HOST_BEHAVIOR58 
FAST_FAIL_FLAGS_CORRUPTION59 
FAST_FAIL_VEH_CORRUPTION60 
FAST_FAIL_ETW_CORRUPTION61 
FAST_FAIL_RIO_ABORT62 
FAST_FAIL_INVALID_PFN63 
FAST_FAIL_GUARD_ICALL_CHECK_FAILURE_XFG64 
FAST_FAIL_CAST_GUARD65Compiler uses this value. Do not change.
FAST_FAIL_HOST_VISIBILITY_CHANGE66 
FAST_FAIL_KERNEL_CET_SHADOW_STACK_ASSIST67 
FAST_FAIL_PATCH_CALLBACK_FAILED68 
FAST_FAIL_NTDLL_PATCH_FAILED69 
FAST_FAIL_INVALID_FLS_DATA70 

The FAST_FAIL_LEGACY_GS_VIOLATION definition is a legacy value and is reserved for compatibility with previous implementations of STATUS_STACK_BUFFER_OVERRUN exception status code.

Invocation

Fail Fail is invoked using the __fastfail() instrinsic.

__fastfail() takes one argument, the fast fail code, and is defined as shown below. Calls to __fastfail() do not return.

#if _MSC_VER >= 1610

DECLSPEC_NORETURN
VOID
__fastfail(
    _In_ unsigned int Code
    );

#pragma intrinsic(__fastfail)

#endif

Handling

In user mode code __fastfail() will be seen as a non-continuable second chance exception with code 0xC0000409 (STATUS_STACK_BUFFER_OVERRUN). There is no first chance exception to be handled. This is deliberate – it is assumed that the program state is corrupt and that the exception handling mechanism may have been compromised (think virus, etc).

The fast fail code is the first parameter supplied with the second chance exception. There may be other parameters.

In kernel mode __fastfail() is handled by a specific bugcheck code 0x139 (KERNEL_SECURITY_CHECK_FAILURE).

If a debugger is present it is given a chance to inspect the program before it terminates execution.

Implementation

Native support for __fastfail() was first implemented in Windows 8.

Earlier operating systems will still terminate the application in response to a __fastfail(), via the exception handling or bugcheck mechanism as appropriate to the user/kernel mode.

The header file definition indicates that Visual Studio 2012 (_MSC_VER 1700) onwards include support for __fastfail().

Both Visual Studio 2010, and Visual Studio 2010 SP1 have _MSC_VER defined as 1600. I can’t find an entry for 1610 anywhere.

Fully functional, free for 30 days