
RDBSS BSOD

Ehsan_Taheri Member Posts: 120
I have an odd situation which I would appreciate if someone can explain to me.

I have an FltReadFile call which is causing a BSOD. My debugging result showed that the FltReadFile won't cause an exception if I filter out volumes with zero sector size (obtained by FltGetVolumeProperties), but that is the case for accessing remote file systems as well. Afterwards I luckily found out that if I set the FLTFL_OPERATION_REGISTRATION_SKIP_NON_DASD_IO flag in the filter registration structure the exception won't occur. I'm totally confused about what causes the exception and what caused it to be removed. Can someone explain please?

Comments

  • Slava_Imameev Member Posts: 480
    I believe you had better provide WinDBG's "!analyze -v" command output to get any assistance.
  • Ehsan_Taheri Member Posts: 120
    Thanks for the reply.
    Here it is. It says access violation, but I can't get much information out of this.

    0: kd> !analyze -v
    *******************************************************************************
    * *
    * Bugcheck Analysis *
    * *
    *******************************************************************************

    RDR_FILE_SYSTEM (27)
    If you see RxExceptionFilter on the stack then the 2nd and 3rd parameters are the
    exception record and context record. Do a .cxr on the 3rd parameter and then kb to
    obtain a more informative stack trace.
    The high 16 bits of the first parameter is the RDBSS bugcheck code, which is defined
    as follows:
    RDBSS_BUG_CHECK_CACHESUP = 0xca550000,
    RDBSS_BUG_CHECK_CLEANUP = 0xc1ee0000,
    RDBSS_BUG_CHECK_CLOSE = 0xc10e0000,
    RDBSS_BUG_CHECK_NTEXCEPT = 0xbaad0000,
    Arguments:
    Arg1: 00000000baad0073
    Arg2: ffffd000bc38c768
    Arg3: ffffd000bc38bf70
    Arg4: fffff8017970d938

    Debugging Details:
    ------------------


    EXCEPTION_RECORD: ffffd000bc38c768 -- (.exr 0xffffd000bc38c768)
    ExceptionAddress: fffff8017970d938 (rdbss!RxInitializeContext+0x000000000001f718)
    ExceptionCode: c0000005 (Access violation)
    ExceptionFlags: 00000000
    NumberParameters: 2
    Parameter[0]: 0000000000000000
    Parameter[1]: 000000000000004d
    Attempt to read from address 000000000000004d

    CONTEXT: ffffd000bc38bf70 -- (.cxr 0xffffd000bc38bf70;r)
    rax=0000000000000000 rbx=ffffe000431e4010 rcx=fffff801796e23e0
    rdx=0000000000000000 rsi=ffffe00041aa8f20 rdi=ffffcf814cfa2ed8
    rip=fffff8017970d938 rsp=ffffd000bc38c9a0 rbp=ffffcf814cfa2dc0
    r8=0000000000000000 r9=0000000000000000 r10=0000000000000000
    r11=fffff801796bd0d3 r12=ffffd000bc38cb20 r13=0000000000000000
    r14=fffff801796e23e0 r15=0000000000000000
    iopl=0 nv up ei pl zr na po nc
    cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00010246
    rdbss!RxInitializeContext+0x1f718:
    fffff801`7970d938 4438784d cmp byte ptr [rax+4Dh],r15b ds:002b:00000000`0000004d=??
    Last set context:
    rax=0000000000000000 rbx=ffffe000431e4010 rcx=fffff801796e23e0
    rdx=0000000000000000 rsi=ffffe00041aa8f20 rdi=ffffcf814cfa2ed8
    rip=fffff8017970d938 rsp=ffffd000bc38c9a0 rbp=ffffcf814cfa2dc0
    r8=0000000000000000 r9=0000000000000000 r10=0000000000000000
    r11=fffff801796bd0d3 r12=ffffd000bc38cb20 r13=0000000000000000
    r14=fffff801796e23e0 r15=0000000000000000
    iopl=0 nv up ei pl zr na po nc
    cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00010246
    rdbss!RxInitializeContext+0x1f718:
    fffff801`7970d938 4438784d cmp byte ptr [rax+4Dh],r15b ds:002b:00000000`0000004d=??
    Resetting default scope

    PROCESS_NAME: WmiPrvSE.exe

    CURRENT_IRQL: 0

    ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

    EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

    EXCEPTION_PARAMETER1: 0000000000000000

    EXCEPTION_PARAMETER2: 000000000000004d

    READ_ADDRESS: unable to get nt!MmNonPagedPoolStart
    unable to get nt!MmSizeOfNonPagedPoolInBytes
    000000000000004d

    FOLLOWUP_IP:
    rdbss!RxInitializeContext+1f718
    fffff801`7970d938 4438784d cmp byte ptr [rax+4Dh],r15b

    FAULTING_IP:
    rdbss!RxInitializeContext+1f718
    fffff801`7970d938 4438784d cmp byte ptr [rax+4Dh],r15b

    BUGCHECK_STR: 0x27

    DEFAULT_BUCKET_ID: NULL_CLASS_PTR_DEREFERENCE

    ANALYSIS_VERSION: 6.3.9600.17237 (debuggers(dbg).140716-0327) amd64fre

    LAST_CONTROL_TRANSFER: from fffff801796bdb3f to fffff8017970d938

    STACK_TEXT:
    ffffd000`bc38c9a0 fffff801`796bdb3f : ffffd000`bc38cb20 ffffe000`42815030 ffffcf81`4cfa2dc0 ffffcf81`4cfa2ed8 : rdbss!RxInitializeContext+0x1f718
    ffffd000`bc38ca30 fffff801`796ee7df : ffffe000`415fc100 ffffe000`415fc100 ffffcf81`4cfa2dc0 ffffe000`405971c8 : rdbss!RxFsdCommonDispatch+0x30f
    ffffd000`bc38cba0 fffff801`7a4431b3 : 00000000`00000000 ffffe000`42815001 ffffcf81`4cfa2dc0 00000000`00000000 : rdbss!RxFsdDispatch+0xcf
    ffffd000`bc38cc10 fffff801`ace77911 : ffffcf81`4cfa2dc0 ffffe000`42815030 00000000`00000002 ffffe000`413d01a0 : mrxsmb!MRxSmbFsdDispatch+0x83
    ffffd000`bc38cc50 fffff801`793c83cd : ffffe000`4272b340 ffffcf81`4cfa2dc0 ffffe000`41aa8f20 ffffe000`413d01a0 : nt!IovCallDriver+0x3cd
    ffffd000`bc38cca0 fffff801`ace77911 : ffffcf81`4cfa2f68 00000000`00000000 ffffc001`6ea2b8c0 00000000`00000000 : mup!MupFsdIrpPassThrough+0x1ee
    ffffd000`bc38cd20 fffff801`78528989 : ffffcf81`4cfa2dc0 fffff801`78a02b1e fffff801`ac922498 ffffe000`41e86d50 : nt!IovCallDriver+0x3cd
    ffffd000`bc38cd70 fffff801`78a02b1e : ffffcf81`4ce4ab80 ffffd000`bc38ce00 00000000`00000000 ffffcf81`4ce3ed18 : VerifierExt!IofCallDriver_internal_wrapper+0x71
    ffffd000`bc38cdb0 fffff801`78a06188 : ffffd000`bc38ce78 ffffcf81`4ce4ab80 ffffcf81`4ce4ac58 00000000`00000000 : fltmgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x2ce
    ffffd000`bc38ce50 fffff801`78a15551 : ffffcf81`4ce4ab80 00000000`00000000 00000000`00000000 ffffd000`bc38d0c8 : fltmgr!FltPerformSynchronousIo+0x2b8
    ffffd000`bc38cf00 fffff801`78a150e9 : 00000000`00000000 00000000`00000080 00000000`00000005 ffffcf81`4ced8f80 : fltmgr!FltReadFileEx+0x451
    ffffd000`bc38cff0 fffff801`7a9e4150 : ffffcf81`4b29ac58 ffffcf81`4cf32bc0 00000000`00000016 ffffd000`bc38d0f0 : fltmgr!FltReadFile+0x51
    ffffd000`bc38d060 fffff801`78a50aed : ffffcf81`4b29ac58 ffffd000`bc38d248 00000000`00000000 00000000`00000000 : EncryptionFilter!SwapPostCreate+0x270 [c:\users\john\desktop\rms\src\encryption filter\swapbuffers.c @ 891]
    ffffd000`bc38d160 fffff801`78a039d7 : ffffcf81`00000016 ffffcf81`00000000 00000000`00000000 fffff801`00000000 : fltmgr!FltvPostOperation+0xad
    ffffd000`bc38d200 fffff801`78a0414d : ffffcf81`4b28cf00 fffff801`78527e00 00000000`00000000 00000000`00000000 : fltmgr!FltpPerformPostCallbacks+0x2d7
    ffffd000`bc38d2d0 fffff801`78a02bc1 : ffffcf81`4b29ab80 ffffcf81`4b29ab98 ffffcf81`4b28cf68 ffffcf81`4b29ab80 : fltmgr!FltpPassThroughCompletionWorker+0x7d
    ffffd000`bc38d340 fffff801`78a2b349 : ffffd000`bc38d420 ffffcf81`4b29ab80 ffffcf81`4b28cdc0 ffffe000`41a10a50 : fltmgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x371
    ffffd000`bc38d3e0 fffff801`ace77911 : ffffcf81`4b28cd00 ffffcf81`4b28cdc0 ffffcf81`4b28cfb0 fffff801`ac88620d : fltmgr!FltpCreate+0x339
    ffffd000`bc38d490 fffff801`acbb9b41 : 00000000`00000005 ffffd000`bc38d7e1 00000000`00000000 ffffe000`41e8d990 : nt!IovCallDriver+0x3cd
    ffffd000`bc38d4e0 fffff801`acca7854 : 00000000`00000000 00000000`00000000 00000000`00000000 ffffe000`415fc0d0 : nt!IopParseDevice+0x6c1
    ffffd000`bc38d700 fffff801`acbc66a3 : 00000000`00000000 ffffd000`bc38d8a8 00000000`00000040 ffffe000`3f937b00 : nt!ObpLookupObjectName+0x784
    ffffd000`bc38d830 fffff801`acc59fdb : ffffe000`00000001 ffffe000`42cbb978 00000000`00000001 00000000`00000020 : nt!ObOpenObjectByName+0x1e3
    ffffd000`bc38d960 fffff801`acc59c64 : 0000002d`f8dadf48 0067006f`00100000 0000002d`f8dadf00 ffffe000`4208a080 : nt!IopCreateFile+0x36b
    ffffd000`bc38da00 fffff801`ac95d1b3 : ffffe000`431e4440 ffffd000`bc38db80 ffffd000`bc38daa8 00000000`00000000 : nt!NtCreateFile+0x78
    ffffd000`bc38da90 00007ffd`fc43172a : 00007ffd`e8cf23ac 00000000`00000004 0000002d`f6401b78 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13
    0000002d`f8dade78 00007ffd`e8cf23ac : 00000000`00000004 0000002d`f6401b78 00000000`00000000 00000000`00000002 : ntdll!NtCreateFile+0xa
    0000002d`f8dade80 00007ffd`e8cf139e : 96eb9e3e`0eec0000 00000000`00000000 00000000`00000000 00007ffd`f9812593 : perfnet!OpenRedirObject+0x90
    0000002d`f8dadf40 00007ffd`f9df3f15 : 00000000`00000000 00007ffd`00000000 00000000`00000001 00000000`00000000 : perfnet!OpenNetSvcsObject+0x4e
    0000002d`f8dadfa0 00007ffd`f9df3c55 : 00000000`2a7a0237 0000002d`f64018c0 0000002d`f7e22040 00000000`00000000 : advapi32!OpenExtObjectLibrary+0x271
    0000002d`f8dae970 00007ffd`f9df20e9 : 00000000`000e84a0 00000000`00000000 0000002d`00000000 00000000`00000000 : advapi32!QueryExtensibleData+0x4a4
    0000002d`f8daeb60 00007ffd`f9866841 : 00007ffd`e84d5640 00000000`00000000 00000000`ffffffff 0000002d`f8daf140 : advapi32!PerfRegQueryValue+0x5dc
    0000002d`f8daf010 00007ffd`f98140b9 : ffffffff`80000004 0000002d`f7e22040 0000002d`f8daf2f0 0000002d`f8daf2e0 : KERNELBASE!LocalBaseRegQueryValue+0x3f6
    0000002d`f8daf190 00007ffd`e8498b02 : ffffffff`80000004 0000002d`f8daf2f0 0000002d`00100000 0000002d`f8daf264 : KERNELBASE!RegQueryValueExW+0xe9
    0000002d`f8daf230 00007ffd`e849736b : 0000002d`f637db50 00000000`00000000 0000002d`00100000 00000000`0000022c : pdh!GetSystemPerfData+0x9c
    0000002d`f8daf2d0 00007ffd`e84cf8f0 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000204 : pdh!GetMachineEx+0x1e3
    0000002d`f8daf550 00007ffd`e84cb550 : 00000000`00000001 00000000`00000000 00000000`00000000 0000002d`f8daf698 : pdh!PdhiGetDefaultPerfObjectW+0x1d8
    0000002d`f8daf5d0 00007ffd`e84f2786 : 0000002d`f6c48c70 00000000`00000000 00000000`00000000 0000002d`f8daf698 : pdh!PdhGetDefaultPerfObjectW+0x110
    0000002d`f8daf640 00007ffd`e84e5a19 : 00000000`00000028 00000000`00000000 0000002d`f62ee6c0 0000002d`f636da08 : WmiPerfClass!GetDefaultCounterObject+0x2e
    0000002d`f8daf690 00007ffd`e84e6736 : 0000002d`f6c42cb0 0000002d`f6b967b0 ffffffff`fffffffe 00000000`00000000 : WmiPerfClass!CClassCache::RefreshThreadUpdateSelectedProviders+0x3dd
    0000002d`f8daf8a0 00007ffd`e84e4b11 : 0000002d`f62ee6c0 0000002d`f62ed5e0 0000002d`f8daf978 0000002d`f8daf978 : WmiPerfClass!CClassCache::RefreshThreadProviderObjectUpdate+0x132
    0000002d`f8daf930 00007ffd`fb6313d2 : 0000002d`f62ee6c0 0000002d`00000001 00000001`00000001 0000002d`f6b96870 : WmiPerfClass!CClassCache::RefreshThreadProc+0x475
    0000002d`f8dafa00 00007ffd`fc3b5454 : 00007ffd`fb6313b0 00000000`00000000 00000000`00000000 00000000`00000000 : KERNEL32!BaseThreadInitThunk+0x22
    0000002d`f8dafa30 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x34


    SYMBOL_STACK_INDEX: 0

    SYMBOL_NAME: rdbss!RxInitializeContext+1f718

    FOLLOWUP_NAME: MachineOwner

    MODULE_NAME: rdbss

    IMAGE_NAME: rdbss.sys

    DEBUG_FLR_IMAGE_TIMESTAMP: 52affb72

    STACK_COMMAND: .cxr 0xffffd000bc38bf70 ; kb

    BUCKET_ID_FUNC_OFFSET: 1f718

    FAILURE_BUCKET_ID: 0x27_VRF_rdbss!RxInitializeContext

    BUCKET_ID: 0x27_VRF_rdbss!RxInitializeContext

    ANALYSIS_SOURCE: KM

    FAILURE_ID_HASH_STRING: km:0x27_vrf_rdbss!rxinitializecontext

    FAILURE_ID_HASH: {8fe43332-5f18-10da-ca8e-3c371694e6d4}

    Followup: MachineOwner
    ---------
  • Slava_Imameev Member Posts: 480
    It might sound stupid, but did you check that the create operation completed with STATUS_SUCCESS? For example, STATUS_REPARSE is a success code (i.e. NT_SUCCESS returns TRUE) but the returned file object is not initialized.

    To verify that the file object was initialized, set the debugger to a frame with SwapPostCreate (.frame command) and enter

    dt nt!_FILE_OBJECT <address of a file object provided to FltReadFile>, e.g. dt nt!_FILE_OBJECT 0xffffd000baaaaaaa

    The FsContext pointer should be non-zero.
  • Ehsan_Taheri Member Posts: 120
    The FltReadFile is done using the FltObjects->FileObject parameter of the PostCreate callback. It is not directly checked in any way.
    But I think having this at the start of the callback should be enough:

    // Bail out of the post-create callback when the open did not really succeed.
    if (!NT_SUCCESS(Data->IoStatus.Status) ||
        (STATUS_REPARSE == Data->IoStatus.Status)) {
        return FLT_POSTOP_FINISHED_PROCESSING;
    }

    Here is the debugger result:
    0: kd> dt nt!_FILE_OBJECT 0xffffe0012f2b2530
    +0x000 Type : 0n5
    +0x002 Size : 0n216
    +0x008 DeviceObject : 0xffffe001`2f403060 _DEVICE_OBJECT
    +0x010 Vpb : 0xffffe001`2f404420 _VPB
    +0x018 FsContext : 0xffffe001`2f594de0 Void
    +0x020 FsContext2 : 0xffffe001`2f592660 Void
    +0x028 SectionObjectPointer : 0xffffe001`2f5927a8 _SECTION_OBJECT_POINTERS
    +0x030 PrivateCacheMap : (null)
    +0x038 FinalStatus : 0n0
    +0x040 RelatedFileObject : (null)
    +0x048 LockOperation : 0 ''
    +0x049 DeletePending : 0 ''
    +0x04a ReadAccess : 0x1 ''
    +0x04b WriteAccess : 0x1 ''
    +0x04c DeleteAccess : 0 ''
    +0x04d SharedRead : 0 ''
    +0x04e SharedWrite : 0x1 ''
    +0x04f SharedDelete : 0 ''
    +0x050 Flags : 8
    +0x058 FileName : _UNICODE_STRING "\pagefile.sys"
    +0x068 CurrentByteOffset : _LARGE_INTEGER 0x0
    +0x070 Waiters : 0
    +0x074 Busy : 0
    +0x078 LastLock : (null)
    +0x080 Lock : _KEVENT
    +0x098 Event : _KEVENT
    +0x0b0 CompletionContext : (null)
    +0x0b8 IrpListLock : 0
    +0x0c0 IrpList : _LIST_ENTRY [ 0xffffe001`2f2b25f0 - 0xffffe001`2f2b25f0 ]
    +0x0d0 FileObjectExtension : (null)

    The file name was an empty string ("") until now when the exception occurred, but now it is "\pagefile.sys".
  • Slava_Imameev Member Posts: 480
    So you have "pagefile.sys" on the remote file system? I am asking because it is a pretty unusual name for a remote file. If you run the following command (this is the address of DeviceObject)

    !devstack 0xffffe001`2f403060

    what will the output be?
  • Ehsan_Taheri Member Posts: 120
    No, that's not the case. I changed the driver start type since the time I posted the !analyze output.
    When it is boot start, the analyze result is this:
    1: kd> !analyze -v
    Connected to Windows 8 9600 x64 target at (Tue Aug 16 08:29:28.396 2016 (UTC - 7:00)), ptr64 TRUE
    *******************************************************************************
    * *
    * Bugcheck Analysis *
    * *
    *******************************************************************************

    Unknown bugcheck code (0)
    Unknown bugcheck description
    Arguments:
    Arg1: 0000000000000000
    Arg2: 0000000000000000
    Arg3: 0000000000000000
    Arg4: 0000000000000000

    Debugging Details:
    ------------------


    PROCESS_NAME: System

    FAULTING_IP:
    CLASSPNP!ServiceTransferRequest+bf
    fffff801`3e4f3e3f 448b512c mov r10d,dword ptr [rcx+2Ch]

    ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

    EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

    EXCEPTION_PARAMETER1: 0000000000000000

    EXCEPTION_PARAMETER2: 000000000000002c

    READ_ADDRESS: unable to get nt!MmNonPagedPoolStart
    unable to get nt!MmSizeOfNonPagedPoolInBytes
    000000000000002c

    FOLLOWUP_IP:
    volmgr!VmReadWrite+13e
    fffff801`3d96014e 8be8 mov ebp,eax

    BUGCHECK_STR: ACCESS_VIOLATION

    DEFAULT_BUCKET_ID: NULL_CLASS_PTR_DEREFERENCE

    CURRENT_IRQL: 0

    ANALYSIS_VERSION: 6.3.9600.17237 (debuggers(dbg).140716-0327) amd64fre

    LAST_CONTROL_TRANSFER: from fffff8013e4f493c to fffff8013e4f3e3f

    STACK_TEXT:
    ffffd000`f6d2b9c0 fffff801`3e4f493c : ffffe001`cae2f770 00000000`00000000 ffffe001`cafc5200 fffff800`3f6f7872 : CLASSPNP!ServiceTransferRequest+0xbf
    ffffd000`f6d2ba60 fffff800`3f6f2911 : ffffcf81`3d17ec10 00000000`00000002 ffffcf81`3d17ec10 fffff800`3f6fdd59 : CLASSPNP!ClassReadWrite+0x11c
    ffffd000`f6d2bb20 fffff800`3f6f2911 : ffffcf81`3d17ec10 ffffe001`cae30040 00000000`00000002 ffffe001`cadaa3e0 : nt!IovCallDriver+0x3cd
    ffffd000`f6d2bb70 fffff801`3d96014e : ffffe001`cae34df0 ffffe001`cae34ca0 ffffe001`cae34ca0 ffffe001`cadaa720 : nt!IovCallDriver+0x3cd
    ffffd000`f6d2bbc0 fffff800`3f6f2911 : ffffe001`cae34ca0 ffffcf81`3d17ec10 00000000`00000002 ffffe001`cadaa580 : volmgr!VmReadWrite+0x13e
    ffffd000`f6d2bc00 fffff801`3e01031d : ffffe001`cae35180 ffffcf81`3d17ec10 ffffe001`cb58b010 ffffe001`cadaa580 : nt!IovCallDriver+0x3cd
    ffffd000`f6d2bc50 fffff800`3f6f2911 : ffffcf81`3d17ec10 00000000`00000002 ffffcf81`3d17ec10 ffffe001`cae392e0 : fvevol!FveFilterRundownReadWrite+0x28d
    ffffd000`f6d2bd30 fffff801`3da321d9 : 00000000`00000000 ffffd000`f6d2bde9 00000000`ffffffff ffffe001`cae392e0 : nt!IovCallDriver+0x3cd
    ffffd000`f6d2bd80 fffff801`3da3272b : ffffcf81`3d17ec10 00000000`00000000 00000000`00000002 00000000`00000002 : rdyboost!SmdProcessReadWrite+0x1c9
    ffffd000`f6d2be50 fffff800`3f6f2911 : ffffcf81`3d17ec10 00000000`00000002 fffff801`3e096766 ffffe001`cae369f0 : rdyboost!SmdDispatchReadWrite+0x8b
    ffffd000`f6d2be80 fffff801`3e096766 : ffffe001`cae37190 ffffe001`cae37040 00000000`00000002 ffffe001`caff4870 : nt!IovCallDriver+0x3cd
    ffffd000`f6d2bed0 fffff800`3f6f2911 : ffffcf81`3d17ec10 00000000`00000002 00000000`00000000 00000000`00000000 : volsnap!VolSnapReadFilter+0x116
    ffffd000`f6d2bf00 fffff801`3dc4ca29 : ffffd000`f8cdc7b0 ffffd000`f8cdc930 ffffe001`c9280040 ffffe001`cadaa4b0 : nt!IovCallDriver+0x3cd
    ffffd000`f6d2bf50 fffff800`3f1d02f7 : ffffd000`f8cdcdd0 00000000`00000000 fffcd390`058b48ff 03ff4d83`e745100f : Ntfs!NtfsStorageDriverCallout+0x16
    ffffd000`f6d2bf80 fffff800`3f1d02bd : 00000000`00000000 00000000`00000000 00000000`00000002 fffff800`3f1381ad : nt!KxSwitchKernelStackCallout+0x27
    ffffd000`f8cdc670 fffff800`3f1381ad : 00000000`00000006 00000000`00000000 00000000`00000006 00000000`00000000 : nt!KiSwitchKernelStackContinue
    ffffd000`f8cdc690 fffff801`3dc3b8c1 : fffff801`3dc4ca14 ffffd000`f8cdc7b0 00000000`00000000 ffffe001`cae39790 : nt!KeExpandKernelStackAndCalloutInternal+0x2fd
    ffffd000`f8cdc780 fffff801`3dc324d3 : ffffe001`cafc5498 ffffe001`cafc5498 ffffd000`f8cdc880 ffffd000`f8cdc858 : Ntfs!NtfsCallStorageDriver+0x31
    ffffd000`f8cdc7f0 fffff801`3dc4c89d : 00000000`00000000 00000000`00000000 00000000`00000000 ffffcf81`3d17ef20 : Ntfs!NtfsPagingFileIo+0x323
    ffffd000`f8cdc900 fffff800`3f6f2911 : ffffcf81`3d17ec10 ffffcf81`3d17ec10 00000000`00000002 ffffe001`cadaa650 : Ntfs!NtfsFsdRead+0x3ad
    ffffd000`f8cdc9b0 fffff801`3d52d989 : ffffcf81`3d17ec10 fffff801`3dae7b1e fffff800`3f19d498 ffffe001`cadaa650 : nt!IovCallDriver+0x3cd
    ffffd000`f8cdca00 fffff801`3dae7b1e : ffffcf81`3d1a6c00 ffffd000`f8cdca80 00000000`00000000 ffffcf81`3d1aed18 : VerifierExt!IofCallDriver_internal_wrapper+0x71
    ffffd000`f8cdca40 fffff801`3daeb188 : ffffd000`f8cdcb08 ffffcf81`3d1a6c00 ffffcf81`3d1a6cd8 00000000`00000000 : fltmgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x2ce
    ffffd000`f8cdcae0 fffff801`3dafa551 : ffffcf81`3d1a6c00 00000000`00000000 00000000`00000000 ffffd000`f8cdcd58 : fltmgr!FltPerformSynchronousIo+0x2b8
    ffffd000`f8cdcb90 fffff801`3dafa0e9 : 00000000`00000000 00000000`00000200 00000000`00000005 ffffcf81`3d1a8e00 : fltmgr!FltReadFileEx+0x451
    ffffd000`f8cdcc80 fffff801`3db59150 : ffffcf81`3d17acd8 ffffcf81`3cd34bc0 00000000`00000016 ffffd000`f8cdcd80 : fltmgr!FltReadFile+0x51
    ffffd000`f8cdccf0 fffff801`3db35aed : ffffcf81`3d17acd8 ffffd000`f8cdced8 00000000`00000000 00000000`00000000 : EncryptionFilter!SwapPostCreate+0x270 [c:\users\john\desktop\rms\src\encryption filter\swapbuffers.c @ 891]
    ffffd000`f8cdcdf0 fffff801`3dae89d7 : ffffcf81`00000016 ffffcf81`00000000 00000000`00000000 fffff800`00000000 : fltmgr!FltvPostOperation+0xad
    ffffd000`f8cdce90 fffff801`3dae914d : ffffcf81`3d176f00 fffff801`3d52ce00 00000000`00000000 00000000`00000000 : fltmgr!FltpPerformPostCallbacks+0x2d7
    ffffd000`f8cdcf60 fffff801`3dae7bc1 : ffffcf81`3d17ac00 ffffcf81`3d17ac18 ffffcf81`3d176f68 ffffcf81`3d17ac00 : fltmgr!FltpPassThroughCompletionWorker+0x7d
    ffffd000`f8cdcfd0 fffff801`3db10349 : ffffd000`f8cdd0b0 ffffcf81`3d17ac00 ffffcf81`3d176c10 ffffe001`caebbc40 : fltmgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x371
    ffffd000`f8cdd070 fffff800`3f6f2911 : ffffcf81`3d176c00 ffffcf81`3d176c10 ffffcf81`3d176fb0 fffff800`3f10120d : fltmgr!FltpCreate+0x339
    ffffd000`f8cdd120 fffff800`3f434b41 : 00000000`00000004 ffffd000`f8cdd471 00000000`00000000 ffffe001`cad89c40 : nt!IovCallDriver+0x3cd
    ffffd000`f8cdd170 fffff800`3f522854 : 00000000`00000000 00000000`00000000 00000000`00000000 ffffe001`cae34c70 : nt!IopParseDevice+0x6c1
    ffffd000`f8cdd390 fffff800`3f4416a3 : 00000000`00000000 ffffd000`f8cdd538 ffffd000`00000040 ffffe001`c93379a0 : nt!ObpLookupObjectName+0x784
    ffffd000`f8cdd4c0 fffff800`3f4d4fdb : ffff7b9a`00000001 ffffe001`cacaa0a8 00000000`00000000 00000000`00000020 : nt!ObOpenObjectByName+0x1e3
    ffffd000`f8cdd5f0 fffff800`3f4d4a5e : ffffd000`f8cdd818 00000000`c0100000 ffffd000`f8cdd7b0 00000000`0000000a : nt!IopCreateFile+0x36b
    ffffd000`f8cdd690 fffff800`3f778a80 : ffffe001`c9232148 fffff800`3f31e35a 00000000`00000000 00000000`00000000 : nt!IoCreateFile+0x8a
    ffffd000`f8cdd720 fffff800`3f47308c : ffffc001`7a4f4148 ffffc001`7a4f4110 ffffd000`f8cdd9c0 ffffd000`f8cdd8d9 : nt!IopInitCrashDumpRegCallback+0xd8
    ffffd000`f8cdd7f0 fffff800`3f472aec : 00000000`00000000 ffffd000`f8cdd8d9 ffffd000`f8cdd9c0 00000000`0000009b : nt!RtlpCallQueryRegistryRoutine+0x274
    ffffd000`f8cdd850 fffff800`3f50e902 : 00000000`00000000 00000000`00000000 fffff800`3e2e1060 fffff800`3e2e1060 : nt!RtlpQueryRegistryValues+0x178
    ffffd000`f8cdd930 fffff800`3f7863ca : 00000000`00000000 ffffd000`f8cdda19 00000000`00000000 ffffe001`caf8b170 : nt!RtlQueryRegistryValuesEx+0xe
    ffffd000`f8cdd970 fffff800`3f78ec62 : 00000000`00000000 00000000`00000000 00000000`00000006 fffff800`3e2e1060 : nt!IopInitCrashDumpDuringSysInit+0xce
    ffffd000`f8cdda80 fffff800`3f783a31 : fffff800`3f56aed8 fffff800`3e2e1060 ffffe001`c9280040 ffffe001`c9296b00 : nt!IoInitSystemPreDrivers+0x9b2
    ffffd000`f8cddba0 fffff800`3f56af02 : 002e0065`0072006f fffff800`3e2e1060 ffffe001`c9280040 ffffe001`c9296b88 : nt!IoInitSystem+0x9
    ffffd000`f8cddbd0 fffff800`3f17b0a8 : ffffe001`c9280040 01d1f1d8`94480a64 01d0054a`1dcab60d 00000000`00003000 : nt!Phase1Initialization+0x2a
    ffffd000`f8cddc00 fffff800`3f1d2fc6 : fffff800`3f37c180 ffffe001`c9280040 fffff800`3f3d5a00 01d1f1d8`94480a64 : nt!PspSystemThreadStartup+0x58
    ffffd000`f8cddc60 00000000`00000000 : ffffd000`f8cde000 ffffd000`f8cd8000 00000000`00000000 00000000`00000000 : nt!KiStartSystemThread+0x16


    STACK_COMMAND: kb

    SYMBOL_STACK_INDEX: 4

    SYMBOL_NAME: volmgr!VmReadWrite+13e

    FOLLOWUP_NAME: MachineOwner

    MODULE_NAME: volmgr

    IMAGE_NAME: volmgr.sys

    DEBUG_FLR_IMAGE_TIMESTAMP: 5215f889

    IMAGE_VERSION: 6.3.9600.16384

    BUCKET_ID_FUNC_OFFSET: 13e

    FAILURE_BUCKET_ID: ACCESS_VIOLATION_VRF_volmgr!VmReadWrite

    BUCKET_ID: ACCESS_VIOLATION_VRF_volmgr!VmReadWrite

    ANALYSIS_SOURCE: KM

    FAILURE_ID_HASH_STRING: km:access_violation_vrf_volmgr!vmreadwrite

    FAILURE_ID_HASH: {bce42d5f-5bdd-6a25-8864-c3ab69d1e9bb}

    Followup: MachineOwner
    ---------

    Sorry for making the situation complicated. I did not think that the start type would cause this.

    When the start type is boot start the filename is \pagefile.sys,
    and
    when the start type is auto start the file name is empty.

    Here is the fileObject structure for auto start:

    0: kd> dt nt!_FILE_OBJECT 0xffffe001`80bf5a00
    +0x000 Type : 0n5
    +0x002 Size : 0n216
    +0x008 DeviceObject : 0xffffe001`7fb8d9e0 _DEVICE_OBJECT
    +0x010 Vpb : (null)
    +0x018 FsContext : 0xfffff800`b5e263e0 Void
    +0x020 FsContext2 : (null)
    +0x028 SectionObjectPointer : (null)
    +0x030 PrivateCacheMap : (null)
    +0x038 FinalStatus : 0n0
    +0x040 RelatedFileObject : (null)
    +0x048 LockOperation : 0 ''
    +0x049 DeletePending : 0 ''
    +0x04a ReadAccess : 0 ''
    +0x04b WriteAccess : 0 ''
    +0x04c DeleteAccess : 0 ''
    +0x04d SharedRead : 0 ''
    +0x04e SharedWrite : 0 ''
    +0x04f SharedDelete : 0 ''
    +0x050 Flags : 0
    +0x058 FileName : _UNICODE_STRING ""
    +0x068 CurrentByteOffset : _LARGE_INTEGER 0x0
    +0x070 Waiters : 0
    +0x074 Busy : 0
    +0x078 LastLock : (null)
    +0x080 Lock : _KEVENT
    +0x098 Event : _KEVENT
    +0x0b0 CompletionContext : (null)
    +0x0b8 IrpListLock : 0
    +0x0c0 IrpList : _LIST_ENTRY [ 0xffffe001`80bf5ac0 - 0xffffe001`80bf5ac0 ]
    +0x0d0 FileObjectExtension : 0xffffcf80`786defb0 Void
  • Slava_Imameev Member Posts: 480
    Look, the topic was started as RDBSS related. Now it has become NTFS related and exacerbated by a system volume (an empty name in IopInitCrashDumpDuringSysInit means it is a system volume). It is not possible to guess what is going on. The people here are not standing behind you and watching over your shoulder. You are not consistent.

    Besides that, trying to "swap buffers" for pagefile.sys or a system volume in a filter is a terrible design.

    I can only advise you to concentrate your efforts on one case and eliminate code to find the culprit.
  • Ehsan_Taheri Member Posts: 120
    Thanks for your answer, and sorry for not being consistent.
    I was just looking for someone's experience with the specific circumstances in which FltReadFile might cause an exception (if such circumstances exist).

    > trying to "swap buffers" for pagefile.sys or a system volume in a filter is a terrible design.
    It's not by design. It is my unawareness and lack of knowledge. Any tips on how to prevent it?
    By system volume, do you mean the tiny system reserved volume or the volume that Windows resides in?
  • Slava_Imameev Member Posts: 480
    There are myriad reasons for an unhandled exception.

    There is no magic answer, as nobody here has access to your source code. The reason might be damaged system data caused by code executed before the call to FltReadFile. The reason might be incorrect parameters provided to FltReadFile.

    Start with code elimination:
    - do not attach to the system volume. Test on a removable drive like a USB pen drive/storage
    - remove the call to FltReadFile
    - if the system still crashes, the problem is not in FltReadFile; if it carries on, then check the input parameters to FltReadFile, and try to read one byte at offset 0x0
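The thread above walks through several file objects a post-create callback should never issue FltReadFile against: a STATUS_REPARSE "success", a paging-file open, an empty-name system-volume open, a remote (redirector) file with no sector geometry. The block below is an added, user-mode model of that gating logic, not code from the thread or from the poster's driver; the PostCreateView structure is a constructed stand-in for the FLT_CALLBACK_DATA, FLT_RELATED_OBJECTS and FLT_VOLUME_PROPERTIES fields involved, and the flag values are assumed to match the WDK headers.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-ins for the fields the decision needs. Numeric values are
 * assumed to match ntifs.h / fltKernel.h; verify against your WDK before
 * reusing them in a driver. */
#define STATUS_REPARSE                   0x00000104
#define NT_SUCCESS(s)                    ((int32_t)(s) >= 0)
#define SL_OPEN_PAGING_FILE              0x02        /* Iopb->OperationFlags on IRP_MJ_CREATE */
#define FO_VOLUME_OPEN                   0x00400000  /* FILE_OBJECT.Flags */
#define FILE_DEVICE_DISK_FILE_SYSTEM     0x08        /* FLT_VOLUME_PROPERTIES.DeviceType */
#define FILE_DEVICE_NETWORK_FILE_SYSTEM  0x14

typedef struct {
    int32_t  IoStatus;         /* Data->IoStatus.Status */
    uint8_t  OperationFlags;   /* Data->Iopb->OperationFlags */
    uint32_t FileObjectFlags;  /* FltObjects->FileObject->Flags */
    void    *FsContext;        /* FltObjects->FileObject->FsContext */
    uint16_t FileNameLength;   /* FltObjects->FileObject->FileName.Length, bytes */
    uint32_t DeviceType;       /* FltGetVolumeProperties(...)->DeviceType */
    uint32_t SectorSize;       /* FltGetVolumeProperties(...)->SectorSize */
} PostCreateView;

typedef enum {
    READ_OK = 0,
    SKIP_FAILED_OPEN,   /* open failed: there is nothing to read */
    SKIP_REPARSE,       /* NT_SUCCESS is TRUE but the file object is not initialized */
    SKIP_PAGING_FILE,   /* \pagefile.sys-style open: never touch from a filter */
    SKIP_VOLUME_OPEN,   /* volume handle or empty name: not a data file */
    SKIP_NO_FSCONTEXT,  /* the file system did not set up its context */
    SKIP_REMOTE_FS,     /* redirector (RDBSS-backed): no local geometry */
    SKIP_NO_GEOMETRY    /* SectorSize == 0: buffer sizing is impossible */
} PostCreateVerdict;

/* Order matters: cheap status checks first, then the kind of open, then
 * whether the file system and volume actually give us something readable. */
PostCreateVerdict ClassifyPostCreate(const PostCreateView *v)
{
    if (!NT_SUCCESS(v->IoStatus))                     return SKIP_FAILED_OPEN;
    if (v->IoStatus == STATUS_REPARSE)                return SKIP_REPARSE;
    if (v->OperationFlags & SL_OPEN_PAGING_FILE)      return SKIP_PAGING_FILE;
    if ((v->FileObjectFlags & FO_VOLUME_OPEN) ||
        v->FileNameLength == 0)                       return SKIP_VOLUME_OPEN;
    if (v->FsContext == NULL)                         return SKIP_NO_FSCONTEXT;
    if (v->DeviceType == FILE_DEVICE_NETWORK_FILE_SYSTEM) return SKIP_REMOTE_FS;
    if (v->SectorSize == 0)                           return SKIP_NO_GEOMETRY;
    return READ_OK;
}

int main(void)
{
    static int dummy_ctx;
    /* Constructed cases mirroring the thread: a boot-start pagefile open, the
     * empty-name open seen at auto start, and a redirector-backed file. */
    PostCreateView pagefile = { .IoStatus = 0, .OperationFlags = SL_OPEN_PAGING_FILE,
        .FsContext = &dummy_ctx, .FileNameLength = 26,
        .DeviceType = FILE_DEVICE_DISK_FILE_SYSTEM, .SectorSize = 512 };
    PostCreateView volume = { .IoStatus = 0, .FsContext = &dummy_ctx,
        .FileNameLength = 0, .DeviceType = FILE_DEVICE_DISK_FILE_SYSTEM, .SectorSize = 512 };
    PostCreateView remote = { .IoStatus = 0, .FsContext = &dummy_ctx, .FileNameLength = 40,
        .DeviceType = FILE_DEVICE_NETWORK_FILE_SYSTEM, .SectorSize = 0 };
    printf("pagefile -> %d, volume -> %d, remote -> %d\n",
           ClassifyPostCreate(&pagefile), ClassifyPostCreate(&volume),
           ClassifyPostCreate(&remote));
    return 0;
}
```

In a real minifilter the same decisions are taken on Data->IoStatus.Status, Data->Iopb->OperationFlags, FltObjects->FileObject and the FLT_VOLUME_PROPERTIES returned by FltGetVolumeProperties; registering the callback with FLTFL_OPERATION_REGISTRATION_SKIP_PAGING_IO and SKIP_NON_DASD_IO removes some of these cases before the callback runs at all.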