At the latest IFS plugfest event Neal mentioned that NTFS swaps stacks for
create operations. I am now debugging such a situation and cannot persuade
windbg to display the ‘old stack’.
I’m using windbg (x64) Version “Windbg:6.6.0007.5” which appears to be the
latest and greatest avaipable from the downloads area.
I know that at Plugfest the windbg could deal with stack swapping, so there
must either have been newer version, or I’m missing something (glorious
detail below).
Any suggestions?
Here is the stack immediate before the call to KiSwapKernelStackAndExit
0: kd> kb 100
ChildEBP RetAddr Args to Child
96616274 8185ed28 932a6000 93987648 00000000
nt!KiMigrateToNewKernelStack+0x1df
966162f0 838f5069 838f4d8c 9661630c 00000000
nt!KiSwitchKernelStackAndCallout+0x30
9661631c 8397dc68 8cb97998 939d4730 96616374
Ntfs!NtfsCommonCreateOnNewStack+0x36
96616418 81873e5f 82b78498 939d4730 939d4730 Ntfs!NtfsFsdCreate+0x1f1
96616430 83b6d8bc 00000000 939d4730 939d48e4 nt!IofCallDriver+0x63
96616454 83b7fa2c 96616474 82c3cc28 00000000
fltmgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x22a
966164a0 81873e5f 82c3cc28 82c40008 8cb8cdb0 fltmgr!FltpCreate+0x292
966164b8 819e8d0e 9661de38 939f1790 938e3230 nt!IofCallDriver+0x63
96616578 81a394ad 82c3cc28 00000000 93a20720 nt!IopParseDevice+0xcf7
966165b0 819fa7a1 939f1790 00000000 93a20720 nt!IopParseFile+0x46
96616640 819ec992 800005e4 96616698 00000240 nt!ObpLookupObjectName+0x13e
966166a4 81a11f52 96616874 00000000 96616600 nt!ObOpenObjectByName+0x13c
96616718 81a3d42e 966168ac 00100004 96616874 nt!IopCreateFile+0x5ec
96616774 83b81bd4 966168ac 00100004 96616874 nt!IoCreateFileEx+0x9d
966167f8 83b82a3d 93905008 938d3b50 966168ac fltmgr!FltCreateFileEx2+0xae
966168b0 83b82b3e 938d3b50 8cb09588 8cb46a80
fltmgr!FltpOpenLinkOrRenameTarget+0xe1
966168dc 9642bd75 938d3b50 8cb09588 8ca768a8
fltmgr!FltSetInformationFile+0xaa
96616994 9642a20d 938d3b50 8cb09588 966169f0 syscow!RenameFile+0x205
96616a18 96429c30 938d3b50 8c9906d8 8c9aac88 syscow!RenameToTargetArea+0x56d
96616a50 9642a6c9 96616b90 8c9906d8 8c9aac88 syscow!PerformCopy+0x1f0
96616ab8 96420fba 96616b90 8c9aac88 939a7f80
syscow!SysCowResolveToBeCopied+0x179
96616b18 964242c8 9395d4d8 96616b90 00000000
syscow!SysCowPreFilterForCopy+0x40a
96616b70 83b6a811 9395d4d8 96616b90 96616bb0
syscow!SysCowPreDeviceControl+0x458
96616bcc 83b6cd8c 96616c14 00000000 96616c14
fltmgr!FltpPerformPreCallbacks+0x2e5
96616be0 83b6d64b 96616c14 00000000 82c3cc28
fltmgr!FltpPassThroughInternal+0x32
96616bfc 83b7fe42 96616c00 00000000 939a7f80 fltmgr!FltpPassThrough+0x19d
96616c2c 81873e5f 82c3cc28 9399ce28 9399ce28 fltmgr!FltpFsControl+0xd4
96616c44 819e7f4a 939a7f80 9399ce28 9399cfdc nt!IofCallDriver+0x63
96616c64 819ec812 82c3cc28 939a7f80 01c78c01
nt!IopSynchronousServiceTail+0x1df
96616d00 819d8890 82c3cc28 9399ce28 00000000 nt!IopXxxControlFile+0x6b7
96616d34 8184e4b7 00000564 00000000 00000000 nt!NtFsControlFile+0x2a
96616d34 770ac6c4 00000564 00000000 00000000 nt!KiFastCallEntry+0x127
0157debc 770ab178 75d15a6a 00000564 00000000 ntdll!KiFastSystemCallRet
0157df54 770ab3b8 75d15672 0157e404 75d1569c ntdll!ZwFsControlFile+0xc
0157dfd4 770aebfd 00358428 c00000ba 021a008e ntdll!NtOpenFile+0xc
0157df20 75d15fed 00000564 000900a8 00000000
ntdll!RtlIsDosDeviceName_Ustr+0x14
WARNING: Frame IP not in any known module. Following frames may be wrong.
0157dfd4 770aebfd 00358428 c00000ba 021a008e 0x75d15fed
0157e404 75d16187 00358428 ffffffff 003869e8
ntdll!RtlIsDosDeviceName_Ustr+0x14
0157e49c 770916ee 0035f6b4 00000000 00000000 0x75d16187
0157eebc 71c01f42 0157f1bc 0157ef1c 00000554
ntdll!RtlInitializeCriticalSection+0x12
0157f128 71c018bd 0157f1bc 0157f18c 00001000 0x71c01f42
0157f448 71c02901 0157f758 0157f484 00000000 0x71c018bd
0157f4ac 71bf1379 003869e8 0157f758 00000001 0x71c02901
0157f70c 71bf0f59 00350500 00000000 0157f758 0x71bf1379
0157f738 71bf0ee4 00350500 0157f758 00000000 0x71bf0f59
0157f838 770acecc 00000001 00000001 0157f828 0x71bf0ee4
0157f860 731beb29 00350500 00372fc8 00000000 ntdll!RtlFreeHeap+0x101
0157f974 770ada78 00310130 770ada57 01571de0 0x731beb29
0157f990 770add84 00004000 00004008 01c78cb8 ntdll!RtlpFreeHeap+0xb40
0157f8b0 731bedaa 731cd244 731b8424 770accf5 ntdll!RtlAllocateHeap+0x1e3
0157fb60 77062101 00345d28 0157fb00 01571c18 0x731bedaa
0157fb3c 731bbc01 00000000 00b718d0 00000000 ntdll!RtlpTpWaitCallback+0x8f
0157fb60 77062101 00345d28 0157fb00 01571c18 0x731bbc01
0157fb9c 77061f5e 0157fc00 0032ee68 0035b500 ntdll!RtlpTpWaitCallback+0x8f
0157fbc4 770780a6 0157fc00 0035b560 01571b6c
ntdll!TppWaitpExecuteCallback+0xfe
0157fce8 75d274d0 00340428 0157fd34 770910c8 ntdll!TppWorkerThread+0x51b
0157fcf4 770910c8 00340428 01571ab0 00000000 0x75d274d0
0157fd34 00000000 77077e39 00340428 00000000 ntdll!_RtlUserThreadStart+0x23
And here is it about hundred instructions later
0: kd> kb 100
ChildEBP RetAddr Args to Child
932a5d2c 8185ec40 9661630c 00000000 ffffffff Ntfs!NtfsCommonCreateCallout
932a5d2c 8185ed28 9661630c 00000000 ffffffff
nt!KiSwapKernelStackAndExit+0x11c
932a5db4 00000000 00000000 00000000 00000000
nt!KiSwitchKernelStackAndCallout+0x30