Fail Fast Codes
When Windows encounters an error condition that might compromise the security of the computer, the program that encounters that condition is terminated as fast as possible. This is done via the Fast Fail mechanism.
Fast Fail is implemented as an intrinsic, which means you can’t redefine it, and you can’t hook it from user mode code. On x86/x64 it’s implemented as an interrupt call, which is handled inside the kernel.
The definitions for these codes are in winnt.h.
| Definition | Value | Comment |
| FAST_FAIL_LEGACY_GS_VIOLATION | 0 | Do not use. Legacy value. |
| FAST_FAIL_VTGUARD_CHECK_FAILURE | 1 | |
| FAST_FAIL_STACK_COOKIE_CHECK_FAILURE | 2 | |
| FAST_FAIL_CORRUPT_LIST_ENTRY | 3 | |
| FAST_FAIL_INCORRECT_STACK | 4 | |
| FAST_FAIL_INVALID_ARG | 5 | |
| FAST_FAIL_GS_COOKIE_INIT | 6 | |
| FAST_FAIL_FATAL_APP_EXIT | 7 | |
| FAST_FAIL_RANGE_CHECK_FAILURE | 8 | |
| FAST_FAIL_UNSAFE_REGISTRY_ACCESS | 9 | |
| FAST_FAIL_GUARD_ICALL_CHECK_FAILURE | 10 | |
| FAST_FAIL_GUARD_WRITE_CHECK_FAILURE | 11 | |
| FAST_FAIL_INVALID_FIBER_SWITCH | 12 | |
| FAST_FAIL_INVALID_SET_OF_CONTEXT | 13 | |
| FAST_FAIL_INVALID_REFERENCE_COUNT | 14 | |
| FAST_FAIL_INVALID_JUMP_BUFFER | 18 | |
| FAST_FAIL_MRDATA_MODIFIED | 19 | |
| FAST_FAIL_CERTIFICATION_FAILURE | 20 | |
| FAST_FAIL_INVALID_EXCEPTION_CHAIN | 21 | |
| FAST_FAIL_CRYPTO_LIBRARY | 22 | |
| FAST_FAIL_INVALID_CALL_IN_DLL_CALLOUT | 23 | |
| FAST_FAIL_INVALID_IMAGE_BASE | 24 | |
| FAST_FAIL_DLOAD_PROTECTION_FAILURE | 25 | |
| FAST_FAIL_UNSAFE_EXTENSION_CALL | 26 | |
| FAST_FAIL_DEPRECATED_SERVICE_INVOKED | 27 | |
| FAST_FAIL_INVALID_BUFFER_ACCESS | 28 | |
| FAST_FAIL_INVALID_BALANCED_TREE | 29 | |
| FAST_FAIL_INVALID_NEXT_THREAD | 30 | |
| FAST_FAIL_GUARD_ICALL_CHECK_SUPPRESSED | 31 | Telemetry, nonfatal |
| FAST_FAIL_APCS_DISABLED | 32 | |
| FAST_FAIL_INVALID_IDLE_STATE | 33 | |
| FAST_FAIL_MRDATA_PROTECTION_FAILURE | 34 | |
| FAST_FAIL_UNEXPECTED_HEAP_EXCEPTION | 35 | |
| FAST_FAIL_INVALID_LOCK_STATE | 36 | |
| FAST_FAIL_GUARD_JUMPTABLE | 37 | Compiler uses this value. Do not change. |
| FAST_FAIL_INVALID_LONGJUMP_TARGET | 38 | |
| FAST_FAIL_INVALID_DISPATCH_CONTEXT | 39 | |
| FAST_FAIL_INVALID_THREAD | 40 | |
| FAST_FAIL_INVALID_SYSCALL_NUMBER | 41 | Telemetry, nonfatal |
| FAST_FAIL_INVALID_FILE_OPERATION | 42 | Telemetry, nonfatal |
| FAST_FAIL_LPAC_ACCESS_DENIED | 43 | Telemetry, nonfatal |
| FAST_FAIL_GUARD_SS_FAILURE | 44 | |
| FAST_FAIL_LOADER_CONTINUITY_FAILURE | 45 | Telemetry, nonfatal |
| FAST_FAIL_GUARD_EXPORT_SUPPRESSION_FAILURE | 46 | |
| FAST_FAIL_INVALID_CONTROL_STACK | 47 | |
| FAST_FAIL_SET_CONTEXT_DENIED | 48 | |
| FAST_FAIL_INVALID_IAT | 49 | |
| FAST_FAIL_HEAP_METADATA_CORRUPTION | 50 | |
| FAST_FAIL_PAYLOAD_RESTRICTION_VIOLATION | 51 | |
| FAST_FAIL_LOW_LABEL_ACCESS_DENIED | 52 | Telemetry, nonfatal |
| FAST_FAIL_ENCLAVE_CALL_FAILURE | 53 | |
| FAST_FAIL_UNHANDLED_LSS_EXCEPTON | 54 | |
| FAST_FAIL_ADMINLESS_ACCESS_DENIED | 55 | Telemetry, nonfatal |
| FAST_FAIL_UNEXPECTED_CALL | 56 | |
| FAST_FAIL_CONTROL_INVALID_RETURN_ADDRESS | 57 | |
| FAST_FAIL_UNEXPECTED_HOST_BEHAVIOR | 58 | |
| FAST_FAIL_FLAGS_CORRUPTION | 59 | |
| FAST_FAIL_VEH_CORRUPTION | 60 | |
| FAST_FAIL_ETW_CORRUPTION | 61 | |
| FAST_FAIL_RIO_ABORT | 62 | |
| FAST_FAIL_INVALID_PFN | 63 | |
| FAST_FAIL_GUARD_ICALL_CHECK_FAILURE_XFG | 64 | |
| FAST_FAIL_CAST_GUARD | 65 | Compiler uses this value. Do not change. |
| FAST_FAIL_HOST_VISIBILITY_CHANGE | 66 | |
| FAST_FAIL_KERNEL_CET_SHADOW_STACK_ASSIST | 67 | |
| FAST_FAIL_PATCH_CALLBACK_FAILED | 68 | |
| FAST_FAIL_NTDLL_PATCH_FAILED | 69 | |
| FAST_FAIL_INVALID_FLS_DATA | 70 |
The FAST_FAIL_LEGACY_GS_VIOLATION definition is a legacy value and is reserved for compatibility with previous implementations of STATUS_STACK_BUFFER_OVERRUN exception status code.
Invocation
Fail Fail is invoked using the __fastfail() instrinsic.
__fastfail() takes one argument, the fast fail code, and is defined as shown below. Calls to __fastfail() do not return.
#if _MSC_VER >= 1610
DECLSPEC_NORETURN
VOID
__fastfail(
_In_ unsigned int Code
);
#pragma intrinsic(__fastfail)
#endif
Handling
In user mode code __fastfail() will be seen as a non-continuable second chance exception with code 0xC0000409 (STATUS_STACK_BUFFER_OVERRUN). There is no first chance exception to be handled. This is deliberate – it is assumed that the program state is corrupt and that the exception handling mechanism may have been compromised (think virus, etc).
The fast fail code is the first parameter supplied with the second chance exception. There may be other parameters.
In kernel mode __fastfail() is handled by a specific bugcheck code 0x139 (KERNEL_SECURITY_CHECK_FAILURE).
If a debugger is present it is given a chance to inspect the program before it terminates execution.
Implementation
Native support for __fastfail() was first implemented in Windows 8.
Earlier operating systems will still terminate the application in response to a __fastfail(), via the exception handling or bugcheck mechanism as appropriate to the user/kernel mode.
The header file definition indicates that Visual Studio 2012 (_MSC_VER 1700) onwards include support for __fastfail().
Both Visual Studio 2010, and Visual Studio 2010 SP1 have _MSC_VER defined as 1600. I can’t find an entry for 1610 anywhere.