Windows System Software -- Consulting, Training, Development -- Unique Expertise, Guaranteed Results

Before Posting...
Please check out the Community Guidelines in the Announcements and Administration Category.

Driver verifier issue due to status_not_implemented from FltGetFileNameInformation().

Pooja_BansalPooja_Bansal Member - All Emails Posts: 44
Hi All,

In my file system minifilter driver, name call back routine registered with filter manager calls FltGetFileNameInformationUnsafe() which returns status_not_implemented error code.

Due to this STATUS_NOT_IMPLEMENTED error code from name call back routine, driver verifier bugcheck comes:
FILTER VERIFIER ERROR: A filter has returned an invalid status code from a name provider callback routine
(Filter = FFFF9600559C2840, Instance = FFFF960055AE4010, Status = 0xc0000002)
status = FltGetFileNameInformationUnsafe( targetFileObject,
Instance,
NameOptions,
&belowFileName );

where

0: kd> dv
Instance = 0xffffc209`dd725010
FileObject = 0xffffc209`dd171a70
CallbackData = 0x00000000`00000000
NameOptions = 0x2000101
CacheFileNameInformation = 0xffff8180`c06e6e20 ""
FileName = 0xffffc209`dfb443c0
targetFileObject = 0xffffc209`dd171a70
flagPfFileObject = 0x00 ''
belowFileName = 0x00000000`00000000
ccb = 0xffffd60b`81e07c70
status = 0n-1073741822
cbd = 0x00000000`00000000
fcb = 0xffffd60b`81e078a0

Nameoption flag specifies:
FLT_FILE_NAME_NORMALIZED
FLT_FILE_NAME_QUERY_DEFAULT
FLT_FILE_NAME_DO_NOT_CACHE

and targetFileObject :

kd> dx -r1 ((sfntpffd!_FILE_OBJECT *)0xffffc209dd171a70)
((sfntpffd!_FILE_OBJECT *)0xffffc209dd171a70) : 0xffffc209dd171a70 : [Type: _FILE_OBJECT *]
[Type: _FILE_OBJECT]
[+0x0] Type : 5
[+0x2] Size : 216
[+0x8] DeviceObject : 0xffffc209dd6cbda0 : [Type: _DEVICE_OBJECT *]
[+0x10] Vpb : 0x0 : [Type: _VPB *]
[+0x18] FsContext : 0xffffd60b81e078a0 : [Type: void *]
[+0x20] FsContext2 : 0xffffd60b81e07c70 : [Type: void *]
[+0x28] SectionObjectPointer : 0xffffc209e0014528 : [Type: _SECTION_OBJECT_POINTERS *]
[+0x30] PrivateCacheMap : 0x0 : [Type: void *]
[+0x38] FinalStatus : 0
[+0x40] RelatedFileObject : 0x0 : [Type: _FILE_OBJECT *]
[+0x48] LockOperation : 0
[+0x49] DeletePending : 0
[+0x4a] ReadAccess : 1
[+0x4b] WriteAccess : 1
[+0x4c] DeleteAccess : 0
[+0x4d] SharedRead : 1
[+0x4e] SharedWrite : 1
[+0x4f] SharedDelete : 0
[+0x50] Flags : 0
[+0x58] FileName : [Type: _UNICODE_STRING]
[+0x68] CurrentByteOffset : [Type: _LARGE_INTEGER]
[+0x70] Waiters : 0
[+0x74] Busy : 0
[+0x78] LastLock : 0x0 : [Type: void *]
[+0x80] Lock : [Type: _KEVENT]
[+0x98] Event : [Type: _KEVENT]
[+0xb0] CompletionContext : 0x0 : [Type: _IO_COMPLETION_CONTEXT *]
[+0xb8] IrpListLock : 0
[+0xc0] IrpList : [Type: _LIST_ENTRY]
[+0xd0] FileObjectExtension : 0xffffeb895c844fb0 : [Type: void *]

and FileName is:
0: kd> dx -r1 ((sfntpffd!_UNICODE_STRING *)0xffffc209dd171ac8)
((sfntpffd!_UNICODE_STRING *)0xffffc209dd171ac8) : 0xffffc209dd171ac8 : [Type: _UNICODE_STRING *]
[Type: _UNICODE_STRING]
[+0x0] Length : 34
[+0x2] MaximumLength : 56
[+0x8] Buffer : 0xffffd60b81b38160 : [Type: wchar_t *] : "\TSCLIENT\SCARD\2"

This issue happens while taking RDP of system on which minifilter driver is installed, while getting file name information for "\TSCLIENT\SCARD\2"..

If anyone has idea regarding why FltGetFileNameInformationUnsafe has returned STATUS_NOT_IMPLEMENTED, please let me know.

Any help is highly appreciated..

Thanks a lot in advance!

Comments

  • NtDev_GeekNtDev_Geek Member - All Emails Posts: 98
    Please send the full !analyze -v output here.
  • Pooja_BansalPooja_Bansal Member - All Emails Posts: 44
    Please find details here:

    Use !analyze -v to get detailed debugging information.

    BugCheck 3B, {80000003, fffff803dd1f3018, ffff8a00e9670070, 0}

    *** ERROR: Module load completed but symbols could not be loaded for PSINFile.sys
    Probably caused by : PSINFile.sys ( PSINFile+3daf )

    Followup: MachineOwner
    ---------


    ************* Symbol Path validation summary **************
    Response Time (ms) Location
    Deferred srv*
    OK C:\Pooja\Issues\31aug_win10_dump
    1: kd> .reload /f @"\SystemRoot\system32\DRIVERS\sfntpffd.sys"
    1: kd> !analyze -v
    *******************************************************************************
    * *
    * Bugcheck Analysis *
    * *
    *******************************************************************************

    SYSTEM_SERVICE_EXCEPTION (3b)
    An exception happened while executing a system service routine.
    Arguments:
    Arg1: 0000000080000003, Exception code that caused the bugcheck
    Arg2: fffff803dd1f3018, Address of the instruction which caused the bugcheck
    Arg3: ffff8a00e9670070, Address of the context record for the exception that caused the bugcheck
    Arg4: 0000000000000000, zero.

    Debugging Details:
    ------------------

    *** ERROR: Module load completed but symbols could not be loaded for PSINFile.sys

    DUMP_CLASS: 1

    DUMP_QUALIFIER: 402

    BUILD_VERSION_STRING: 15063.0.amd64fre.rs2_release.170317-1834

    SYSTEM_MANUFACTURER: VMware, Inc.

    VIRTUAL_MACHINE: VMware

    SYSTEM_PRODUCT_NAME: VMware Virtual Platform

    SYSTEM_VERSION: None

    BIOS_VENDOR: Phoenix Technologies LTD

    BIOS_VERSION: 6.00

    BIOS_DATE: 07/30/2013

    BASEBOARD_MANUFACTURER: Intel Corporation

    BASEBOARD_PRODUCT: 440BX Desktop Reference Platform

    BASEBOARD_VERSION: None

    DUMP_TYPE: 0

    BUGCHECK_P1: 80000003

    BUGCHECK_P2: fffff803dd1f3018

    BUGCHECK_P3: ffff8a00e9670070

    BUGCHECK_P4: 0

    EXCEPTION_CODE: (HRESULT) 0x80000003 (2147483651) - One or more arguments are invalid

    FAULTING_IP:
    nt!DebugPrompt+18
    fffff803`dd1f3018 c3 ret

    CONTEXT: ffff8a00e9670070 -- (.cxr 0xffff8a00e9670070)
    rax=0000000000000002 rbx=fffff80c94347390 rcx=fffff80c9433f378
    rdx=ffff8a00e967001f rsi=ffffc00d2d012b80 rdi=000000000000002f
    rip=fffff803dd1f3017 rsp=ffff8a00e9670a68 rbp=ffff8a00e9670bc0
    r8=ffff8a00e9670af0 r9=0000000000000002 r10=ffff8a00e96708d0
    r11=0000000000000000 r12=000000000000001c r13=000000000000001c
    r14=0000000000000000 r15=ffffc00d2f875fa8
    iopl=0 nv up ei pl zr na po nc
    cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00000246
    nt!DebugPrompt+0x17:
    fffff803`dd1f3017 cc int 3
    Resetting default scope

    CPU_COUNT: 2

    CPU_MHZ: 960

    CPU_VENDOR: GenuineIntel

    CPU_FAMILY: 6

    CPU_MODEL: 2d

    CPU_STEPPING: 7

    CPU_MICROCODE: 6,2d,7,0 (F,M,S,R) SIG: 710'00000000 (cache) 710'00000000 (init)

    DEFAULT_BUCKET_ID: WIN8_DRIVER_FAULT

    BUGCHECK_STR: 0x3B

    PROCESS_NAME: svchost.exe

    CURRENT_IRQL: 0

    ANALYSIS_SESSION_HOST: NOI-D70QD152

    ANALYSIS_SESSION_TIME: 09-22-2017 11:13:29.0673

    ANALYSIS_VERSION: 10.0.15063.468 amd64fre

    LAST_CONTROL_TRANSFER: from fffff803dd2b8a85 to fffff803dd1f3017

    STACK_TEXT:
    ffff8a00`e9670a68 fffff803`dd2b8a85 : ffff8a00`e9670bc0 fffff803`dd1542d0 fffff80c`94347390 ffffc00d`2d012b80 : nt!DebugPrompt+0x17
    ffff8a00`e9670a70 fffff80c`9437491a : fffff80c`94347390 ffffc00d`2d012b80 fffff80c`9433f374 00000000`00000007 : nt!DbgPrompt+0x35
    ffff8a00`e9670ac0 fffff80c`9437a260 : ffffc00d`00000044 ffffc00d`2d010880 ffffc00d`2c92d4e0 ffffc00d`2d130010 : FLTMGR!FltpvPrintErrors+0x14e
    ffff8a00`e9670d30 fffff80c`94368215 : ffffc00d`2f875f00 00000000`0000001a ffffc00d`2f875f00 ffffc00d`00000000 : FLTMGR!FltvNormalizeNameComponentEx+0xc0
    ffff8a00`e9670d90 fffff80c`94357a2a : ffffc00d`2f870001 ffffc00d`0000001a 00000000`0000001b ffffc00d`2f875f00 : FLTMGR!FltpExpandShortNames+0xefb1
    ffff8a00`e9670e20 fffff80c`94357852 : ffffc00d`2f875f00 ffff8a00`e9660000 00000000`00000000 00000000`c000000d : FLTMGR!FltpGetNormalizedFileNameWorker+0x15e
    ffff8a00`e9670e60 fffff80c`94356d7d : 00000000`00000000 ffffc00d`2fe73240 ffffc00d`2fe73200 fffff80c`94359da8 : FLTMGR!FltpGetNormalizedFileName+0x1a
    ffff8a00`e9670eb0 fffff80c`9435d829 : 00000000`00000000 ffffc00d`2f875f00 ffffc00d`2d12f680 ffffc00d`2d130010 : FLTMGR!FltpCreateFileNameInformation+0x32d
    ffff8a00`e9670f00 fffff80c`943273a5 : ffffc00d`2f875f00 00000000`c000000d ffffc00d`2f875f00 ffffc00d`2fe73208 : FLTMGR!CreateTemporaryFileNameInformation+0x3d
    ffff8a00`e9670f50 fffff80c`94358181 : ffff8a00`e9671210 ffffc00d`2fe73200 ffffc00d`2d130010 ffffc00d`2fe763f0 : FLTMGR!FltpGetFileNameInformation+0x885
    ffff8a00`e9671000 fffff80c`96ca3daf : ffffc00d`2f875f00 ffff8a00`e9671210 00000000`00000101 00000000`00000000 : FLTMGR!FltGetFileNameInformationUnsafe+0x71
    ffff8a00`e9671070 fffff80c`96ca6d5a : 00000000`00000000 00000000`00002725 00000000`00002713 00000000`00000000 : PSINFile+0x3daf
    ffff8a00`e96710b0 fffff80c`96ca55f3 : ffffc00d`2fe73200 00000000`01010101 ffffc00d`2fe76370 00000000`00000000 : PSINFile+0x6d5a
    ffff8a00`e9671150 fffff80c`9432413c : ffffc00d`2f84cb60 ffffc00d`2f84cc80 c0000016`00000000 ffffc00d`00000000 : PSINFile+0x55f3
    ffff8a00`e96711c0 fffff80c`94323af3 : ffffc00d`2f84ca00 ffffc00d`2f84ca00 ffffe482`d5626f68 00000000`00000000 : FLTMGR!FltpPerformPostCallbacks+0x2ac
    ffff8a00`e9671290 fffff80c`943256ce : ffffe482`d5626dc0 ffffc00d`2f84ca80 00000000`00000008 ffffc00d`2f84ca98 : FLTMGR!FltpPassThroughCompletionWorker+0x73
    ffff8a00`e96712d0 fffff80c`9435612b : ffff8a00`e9671380 ffffe482`d5626f68 00000000`00000000 00000000`00000040 : FLTMGR!FltpLegacyProcessingAfterPreCallbacksCompleted+0x21e
    ffff8a00`e9671340 fffff803`dd7e109d : ffffe482`d5626d00 ffffe482`d5626dc0 00000000`00000000 00000000`00000000 : FLTMGR!FltpCreate+0x2eb
    ffff8a00`e96713f0 fffff803`dd2167ad : 00000000`00000085 ffff8a00`e9671750 ffffe482`d5626dc0 ffffc00d`2f3cd9b0 : nt!IovCallDriver+0x245
    ffff8a00`e9671430 fffff803`dd518265 : 00000000`00000085 ffff8a00`e9671750 ffffc00d`2d0fc1e0 00000000`00000000 : nt!IofCallDriver+0x134f9d
    ffff8a00`e9671470 fffff803`dd52361b : fffff803`dd517a50 fffff803`dd517a50 ffff8a00`00000000 ffffc00d`2d0fc5b0 : nt!IopParseDevice+0x815
    ffff8a00`e9671650 fffff803`dd527150 : ffffc00d`2ce82200 ffff8a00`e96718b8 00000000`00000040 ffffc00d`2af029a0 : nt!ObpLookupObjectName+0x46b
    ffff8a00`e9671820 fffff803`dd52b0ca : ffffc00d`00000001 ffffc00d`2ceefbb0 00000031`4c3ff280 00000000`00000000 : nt!ObOpenObjectByNameEx+0x1e0
    ffff8a00`e9671960 fffff803`dd52c159 : 00000145`5863edf0 ffffb00a`a974a630 00000031`4c3ff280 00000031`4c3ff2b0 : nt!IopCreateFile+0x3aa
    ffff8a00`e9671a00 fffff803`dd1f8413 : ffffafd7`dffe5b30 ffffafd7`ebefff28 ffffafd7`ebf5f7f8 ffff6c6a`94227079 : nt!NtCreateFile+0x79
    ffff8a00`e9671a90 00007ff9`76885e44 : 00007ff9`6cde71fe 00660063`00000004 00630030`0030002d 00007ff9`6ce0b880 : nt!KiSystemServiceCopyEnd+0x13
    00000031`4c3ff208 00007ff9`6cde71fe : 00660063`00000004 00630030`0030002d 00007ff9`6ce0b880 00007ff9`6ce0b878 : ntdll!NtCreateFile+0x14
    00000031`4c3ff210 00007ff9`6ce01ebb : 00000000`00000010 00000145`5863eda0 00000000`00000001 00007ff9`6ce19000 : WinSCard!RedirectionContextCreateRdpdrHandle+0xe2
    00000031`4c3ff3e0 00007ff9`6ce0215c : 00000145`5863eda0 00000000`00000000 00000000`00000001 00007ff9`6ce01370 : WinSCard!_SendSCardIOCTLWithWaitForCallback+0xc3
    00000031`4c3ff450 00007ff9`6cdfe3aa : 00000145`5863eda0 00000145`5863eda0 00000000`00000000 00000145`5863eda0 : WinSCard!_SetStartedEventToCorrectState+0x100
    00000031`4c3ff4a0 00007ff9`6cde508a : 00000145`00000001 00007ff9`00000001 00000145`00000004 00000000`00002234 : WinSCard!RedirectedSCardAccessStartedEvent+0xe
    00000031`4c3ff4d0 00007ff9`6cde26ba : 00000145`5863eda0 00000000`00000001 00000031`4c3ff801 00000000`00000001 : WinSCard!_guard_ss_verify_sp_default+0x9ca
    00000031`4c3ff520 00007ff9`6ce323e2 : 00000000`00000001 00000145`00000004 00000000`00002134 00000145`5863eda0 : WinSCard!SCardAccessStartedEvent+0x2da
    00000031`4c3ff590 00007ff9`6ce3236b : 00000000`00000009 00000000`000016a4 00000001`00000000 00000031`49042000 : certprop!errcntrctlib::WinApiErrorContract<+0x32
    00000031`4c3ff600 00007ff9`76823021 : 00000145`5866ae10 00000145`5862b780 00000000`7ffe0386 00000000`000020f8 : certprop!CertPropAssociateSmartCardUserWithCertificateCallback+0x6b
    00000031`4c3ff660 00007ff9`76821989 : 00000145`58e87760 00000000`00000000 00007ff9`76822ef0 00000000`00000000 : ntdll!TppWorkpExecuteCallback+0x131
    00000031`4c3ff6b0 00007ff9`75b22774 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!TppWorkerThread+0x6c9
    00000031`4c3ff9c0 00007ff9`76850d51 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : KERNEL32!BaseThreadInitThunk+0x14
    00000031`4c3ff9f0 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x21


    THREAD_SHA1_HASH_MOD_FUNC: 1c65640d49035044e989aa6371b9ee704c23d750

    THREAD_SHA1_HASH_MOD_FUNC_OFFSET: 03c39bc8cc86d3b9f3dccb83fc318f1748e1fd20

    THREAD_SHA1_HASH_MOD: 7a5afbef3f43c6a14a102d7f9977964302622394

    FOLLOWUP_IP:
    PSINFile+3daf
    fffff80c`96ca3daf 85c0 test eax,eax

    FAULT_INSTR_CODE: 3c79c085

    SYMBOL_STACK_INDEX: b

    SYMBOL_NAME: PSINFile+3daf

    FOLLOWUP_NAME: MachineOwner

    MODULE_NAME: PSINFile

    IMAGE_NAME: PSINFile.sys

    DEBUG_FLR_IMAGE_TIMESTAMP: 57a3fab9

    STACK_COMMAND: .cxr 0xffff8a00e9670070 ; kb

    BUCKET_ID_FUNC_OFFSET: 3daf

    FAILURE_BUCKET_ID: 0x3B_VRF_PSINFile!unknown_function

    BUCKET_ID: 0x3B_VRF_PSINFile!unknown_function

    PRIMARY_PROBLEM_CLASS: 0x3B_VRF_PSINFile!unknown_function

    TARGET_TIME: 2017-08-31T07:11:22.000Z

    OSBUILD: 15063

    OSSERVICEPACK: 0

    SERVICEPACK_NUMBER: 0

    OS_REVISION: 0

    SUITE_MASK: 272

    PRODUCT_TYPE: 1

    OSPLATFORM_TYPE: x64

    OSNAME: Windows 10

    OSEDITION: Windows 10 WinNt TerminalServer SingleUserTS

    OS_LOCALE:

    USER_LCID: 0

    OSBUILD_TIMESTAMP: 2017-08-01 06:53:25

    BUILDDATESTAMP_STR: 170317-1834

    BUILDLAB_STR: rs2_release

    BUILDOSVER_STR: 10.0.15063.0.amd64fre.rs2_release.170317-1834

    ANALYSIS_SESSION_ELAPSED_TIME: 281b

    ANALYSIS_SOURCE: KM

    FAILURE_ID_HASH_STRING: km:0x3b_vrf_psinfile!unknown_function

    FAILURE_ID_HASH: {ffe7027d-0b4d-0ac3-d7f0-c05980763caa}

    Followup: MachineOwner
    ---------

    1: kd> k
    # Child-SP RetAddr Call Site
    00 ffff8a00`e966f798 fffff803`dd1f88a9 nt!KeBugCheckEx
    01 ffff8a00`e966f7a0 fffff803`dd1f803c nt!KiBugCheckDispatch+0x69
    02 ffff8a00`e966f8e0 fffff803`dd1f3a3d nt!KiSystemServiceHandler+0x7c
    03 ffff8a00`e966f920 fffff803`dd0acd94 nt!RtlpExecuteHandlerForException+0xd
    04 ffff8a00`e966f950 fffff803`dd0abb36 nt!RtlDispatchException+0x404
    05 ffff8a00`e9670040 fffff803`dd1f898e nt!KiDispatchException+0x1f6
    06 ffff8a00`e96706f0 fffff803`dd1f7df6 nt!KiExceptionDispatch+0xce
    07 ffff8a00`e96708d0 fffff803`dd1f3018 nt!KiDebugServiceTrap+0xf6
    08 ffff8a00`e9670a68 fffff803`dd2b8a85 nt!DebugPrompt+0x18
    09 ffff8a00`e9670a70 fffff80c`9437491a nt!DbgPrompt+0x35
    0a ffff8a00`e9670ac0 fffff80c`9437a260 FLTMGR!FltpvPrintErrors+0x14e
    0b ffff8a00`e9670d30 fffff80c`94368215 FLTMGR!FltvNormalizeNameComponentEx+0xc0
    0c ffff8a00`e9670d90 fffff80c`94357a2a FLTMGR!FltpExpandShortNames+0xefb1
    0d ffff8a00`e9670e20 fffff80c`94357852 FLTMGR!FltpGetNormalizedFileNameWorker+0x15e
    0e ffff8a00`e9670e60 fffff80c`94356d7d FLTMGR!FltpGetNormalizedFileName+0x1a
    0f ffff8a00`e9670eb0 fffff80c`9435d829 FLTMGR!FltpCreateFileNameInformation+0x32d
    10 ffff8a00`e9670f00 fffff80c`943273a5 FLTMGR!CreateTemporaryFileNameInformation+0x3d
    11 ffff8a00`e9670f50 fffff80c`94358181 FLTMGR!FltpGetFileNameInformation+0x885
    12 ffff8a00`e9671000 fffff80c`96ca3daf FLTMGR!FltGetFileNameInformationUnsafe+0x71
    13 ffff8a00`e9671070 fffff80c`96ca6d5a PSINFile+0x3daf
    14 ffff8a00`e96710b0 fffff80c`96ca55f3 PSINFile+0x6d5a
    15 ffff8a00`e9671150 fffff80c`9432413c PSINFile+0x55f3
    16 ffff8a00`e96711c0 fffff80c`94323af3 FLTMGR!FltpPerformPostCallbacks+0x2ac
    17 ffff8a00`e9671290 fffff80c`943256ce FLTMGR!FltpPassThroughCompletionWorker+0x73
    18 ffff8a00`e96712d0 fffff80c`9435612b FLTMGR!FltpLegacyProcessingAfterPreCallbacksCompleted+0x21e
    19 ffff8a00`e9671340 fffff803`dd7e109d FLTMGR!FltpCreate+0x2eb
    1a ffff8a00`e96713f0 fffff803`dd2167ad nt!IovCallDriver+0x245
    1b ffff8a00`e9671430 fffff803`dd518265 nt!IofCallDriver+0x134f9d
    1c ffff8a00`e9671470 fffff803`dd52361b nt!IopParseDevice+0x815
    1d ffff8a00`e9671650 fffff803`dd527150 nt!ObpLookupObjectName+0x46b
    1e ffff8a00`e9671820 fffff803`dd52b0ca nt!ObOpenObjectByNameEx+0x1e0
    1f ffff8a00`e9671960 fffff803`dd52c159 nt!IopCreateFile+0x3aa
    20 ffff8a00`e9671a00 fffff803`dd1f8413 nt!NtCreateFile+0x79
    21 ffff8a00`e9671a90 00007ff9`76885e44 nt!KiSystemServiceCopyEnd+0x13
    22 00000031`4c3ff208 00007ff9`6cde71fe ntdll!NtCreateFile+0x14
    23 00000031`4c3ff210 00007ff9`6ce01ebb WinSCard!RedirectionContextCreateRdpdrHandle+0xe2
    24 00000031`4c3ff3e0 00007ff9`6ce0215c WinSCard!_SendSCardIOCTLWithWaitForCallback+0xc3
    25 00000031`4c3ff450 00007ff9`6cdfe3aa WinSCard!_SetStartedEventToCorrectState+0x100
    26 00000031`4c3ff4a0 00007ff9`6cde508a WinSCard!RedirectedSCardAccessStartedEvent+0xe
    27 00000031`4c3ff4d0 00007ff9`6cde26ba WinSCard!_guard_ss_verify_sp_default+0x9ca
    28 00000031`4c3ff520 00007ff9`6ce323e2 WinSCard!SCardAccessStartedEvent+0x2da
    29 00000031`4c3ff590 00007ff9`6ce3236b certprop!errcntrctlib::WinApiErrorContract<+0x32
    2a 00000031`4c3ff600 00007ff9`76823021 certprop!CertPropAssociateSmartCardUserWithCertificateCallback+0x6b
    2b 00000031`4c3ff660 00007ff9`76821989 ntdll!TppWorkpExecuteCallback+0x131
    2c 00000031`4c3ff6b0 00007ff9`75b22774 ntdll!TppWorkerThread+0x6c9
    2d 00000031`4c3ff9c0 00007ff9`76850d51 KERNEL32!BaseThreadInitThunk+0x14
    2e 00000031`4c3ff9f0 00000000`00000000 ntdll!RtlUserThreadStart+0x21

    ---------------------------------------------------------------------------------------------------
    If we attach debugger, then we can see bellow error,
    FILTER VERIFIER ERROR: A filter has returned an invalid status code from a
    name provider callback routine
    (Filter = FFFF9600559C2840, Instance = FFFF960055AE4010, Status = 0xc0000002)

    where Status = 0xc0000002 is STATUS_Not_implemented,
  • NtDev_GeekNtDev_Geek Member - All Emails Posts: 98
    This issue is related to FLTMGR!FltGetFileNameInformationUnsafe+0x71 since the antivirus is directly calling this routine with what altitude value ?? is it yours??

    send the kb output.
  • Pooja_BansalPooja_Bansal Member - All Emails Posts: 44
    Thanks for your response.

    Let me elaborate in detail, interop issue with driver verifier ON on sfntpffd(my driver).
    I have installed an antivirus PSIINF.sys alongwith sfntpffd installed. While taking remote desktop in presence of PSIINF.sys, system BSODs.

    Altitude of PSIINF.sys 327610
    and altitude of sfntpffd 144200

    In my driver context, name call back routine gets called, which in turn calls FltGetFileNameInformationUnsafe(), which returns STATUS_NOT_IMPLEMENTED.
    With debugger attached, it thorws filter manager verifier exception and clearly points my driver(sfntpffd) and same status code.
    To confirm, I modified return value of STATUS_NOT_IMPLEMENTED from FltGetFileNameInformationUnsafe(), to STATUS_OBJECT_PATH_NOT_FOUND and BSOD did not happen.

    1: kd> kb
    # RetAddr : Args to Child : Call Site
    00 fffff803`dd1f88a9 : 00000000`0000003b 00000000`80000003 fffff803`dd1f3018 ffff8a00`e9670070 : nt!KeBugCheckEx
    01 fffff803`dd1f803c : ffff8a00`e9670828 ffff8a00`e9670070 00000000`00000000 ffff8a00`e9670828 : nt!KiBugCheckDispatch+0x69
    02 fffff803`dd1f3a3d : fffff803`dd40b000 fffff803`dd081000 000536a0`00889000 ffff8a00`e966ff10 : nt!KiSystemServiceHandler+0x7c
    03 fffff803`dd0acd94 : 00000000`00000004 ffff8a00`e966fa50 00000000`00000000 00000011`00000100 : nt!RtlpExecuteHandlerForException+0xd
    04 fffff803`dd0abb36 : ffff8a00`e9670828 ffff8a00`e9670570 ffff8a00`e9670828 ffff8a00`e9670828 : nt!RtlDispatchException+0x404
    05 fffff803`dd1f898e : 00000000`00000000 00000000`00000000 00000000`00000001 ffff8a00`e96709a0 : nt!KiDispatchException+0x1f6
    06 fffff803`dd1f7df6 : ffff8a00`e96709a1 00000000`00000000 00000000`e9670100 00000000`00000042 : nt!KiExceptionDispatch+0xce
    07 fffff803`dd1f3018 : fffff803`dd2b8a85 ffff8a00`e9670bc0 fffff803`dd1542d0 fffff80c`94347390 : nt!KiDebugServiceTrap+0xf6
    08 fffff803`dd2b8a85 : ffff8a00`e9670bc0 fffff803`dd1542d0 fffff80c`94347390 ffffc00d`2d012b80 : nt!DebugPrompt+0x18
    09 fffff80c`9437491a : fffff80c`94347390 ffffc00d`2d012b80 fffff80c`9433f374 00000000`00000007 : nt!DbgPrompt+0x35
    0a fffff80c`9437a260 : ffffc00d`00000044 ffffc00d`2d010880 ffffc00d`2c92d4e0 ffffc00d`2d130010 : FLTMGR!FltpvPrintErrors+0x14e
    0b fffff80c`94368215 : ffffc00d`2f875f00 00000000`0000001a ffffc00d`2f875f00 ffffc00d`00000000 : FLTMGR!FltvNormalizeNameComponentEx+0xc0
    0c fffff80c`94357a2a : ffffc00d`2f870001 ffffc00d`0000001a 00000000`0000001b ffffc00d`2f875f00 : FLTMGR!FltpExpandShortNames+0xefb1
    0d fffff80c`94357852 : ffffc00d`2f875f00 ffff8a00`e9660000 00000000`00000000 00000000`c000000d : FLTMGR!FltpGetNormalizedFileNameWorker+0x15e
    0e fffff80c`94356d7d : 00000000`00000000 ffffc00d`2fe73240 ffffc00d`2fe73200 fffff80c`94359da8 : FLTMGR!FltpGetNormalizedFileName+0x1a
    0f fffff80c`9435d829 : 00000000`00000000 ffffc00d`2f875f00 ffffc00d`2d12f680 ffffc00d`2d130010 : FLTMGR!FltpCreateFileNameInformation+0x32d
    10 fffff80c`943273a5 : ffffc00d`2f875f00 00000000`c000000d ffffc00d`2f875f00 ffffc00d`2fe73208 : FLTMGR!CreateTemporaryFileNameInformation+0x3d
    11 fffff80c`94358181 : ffff8a00`e9671210 ffffc00d`2fe73200 ffffc00d`2d130010 ffffc00d`2fe763f0 : FLTMGR!FltpGetFileNameInformation+0x885
    12 fffff80c`96ca3daf : ffffc00d`2f875f00 ffff8a00`e9671210 00000000`00000101 00000000`00000000 : FLTMGR!FltGetFileNameInformationUnsafe+0x71
    13 fffff80c`96ca6d5a : 00000000`00000000 00000000`00002725 00000000`00002713 00000000`00000000 : PSINFile+0x3daf
    14 fffff80c`96ca55f3 : ffffc00d`2fe73200 00000000`01010101 ffffc00d`2fe76370 00000000`00000000 : PSINFile+0x6d5a
    15 fffff80c`9432413c : ffffc00d`2f84cb60 ffffc00d`2f84cc80 c0000016`00000000 ffffc00d`00000000 : PSINFile+0x55f3
    16 fffff80c`94323af3 : ffffc00d`2f84ca00 ffffc00d`2f84ca00 ffffe482`d5626f68 00000000`00000000 : FLTMGR!FltpPerformPostCallbacks+0x2ac
    17 fffff80c`943256ce : ffffe482`d5626dc0 ffffc00d`2f84ca80 00000000`00000008 ffffc00d`2f84ca98 : FLTMGR!FltpPassThroughCompletionWorker+0x73
    18 fffff80c`9435612b : ffff8a00`e9671380 ffffe482`d5626f68 00000000`00000000 00000000`00000040 : FLTMGR!FltpLegacyProcessingAfterPreCallbacksCompleted+0x21e
    19 fffff803`dd7e109d : ffffe482`d5626d00 ffffe482`d5626dc0 00000000`00000000 00000000`00000000 : FLTMGR!FltpCreate+0x2eb
    1a fffff803`dd2167ad : 00000000`00000085 ffff8a00`e9671750 ffffe482`d5626dc0 ffffc00d`2f3cd9b0 : nt!IovCallDriver+0x245
    1b fffff803`dd518265 : 00000000`00000085 ffff8a00`e9671750 ffffc00d`2d0fc1e0 00000000`00000000 : nt!IofCallDriver+0x134f9d
    1c fffff803`dd52361b : fffff803`dd517a50 fffff803`dd517a50 ffff8a00`00000000 ffffc00d`2d0fc5b0 : nt!IopParseDevice+0x815
    1d fffff803`dd527150 : ffffc00d`2ce82200 ffff8a00`e96718b8 00000000`00000040 ffffc00d`2af029a0 : nt!ObpLookupObjectName+0x46b
    1e fffff803`dd52b0ca : ffffc00d`00000001 ffffc00d`2ceefbb0 00000031`4c3ff280 00000000`00000000 : nt!ObOpenObjectByNameEx+0x1e0
    1f fffff803`dd52c159 : 00000145`5863edf0 ffffb00a`a974a630 00000031`4c3ff280 00000031`4c3ff2b0 : nt!IopCreateFile+0x3aa
    20 fffff803`dd1f8413 : ffffafd7`dffe5b30 ffffafd7`ebefff28 ffffafd7`ebf5f7f8 ffff6c6a`94227079 : nt!NtCreateFile+0x79
    21 00007ff9`76885e44 : 00007ff9`6cde71fe 00660063`00000004 00630030`0030002d 00007ff9`6ce0b880 : nt!KiSystemServiceCopyEnd+0x13
    22 00007ff9`6cde71fe : 00660063`00000004 00630030`0030002d 00007ff9`6ce0b880 00007ff9`6ce0b878 : ntdll!NtCreateFile+0x14
    23 00007ff9`6ce01ebb : 00000000`00000010 00000145`5863eda0 00000000`00000001 00007ff9`6ce19000 : WinSCard!RedirectionContextCreateRdpdrHandle+0xe2
    24 00007ff9`6ce0215c : 00000145`5863eda0 00000000`00000000 00000000`00000001 00007ff9`6ce01370 : WinSCard!_SendSCardIOCTLWithWaitForCallback+0xc3
    25 00007ff9`6cdfe3aa : 00000145`5863eda0 00000145`5863eda0 00000000`00000000 00000145`5863eda0 : WinSCard!_SetStartedEventToCorrectState+0x100
    26 00007ff9`6cde508a : 00000145`00000001 00007ff9`00000001 00000145`00000004 00000000`00002234 : WinSCard!RedirectedSCardAccessStartedEvent+0xe
    27 00007ff9`6cde26ba : 00000145`5863eda0 00000000`00000001 00000031`4c3ff801 00000000`00000001 : WinSCard!_guard_ss_verify_sp_default+0x9ca
    28 00007ff9`6ce323e2 : 00000000`00000001 00000145`00000004 00000000`00002134 00000145`5863eda0 : WinSCard!SCardAccessStartedEvent+0x2da
    29 00007ff9`6ce3236b : 00000000`00000009 00000000`000016a4 00000001`00000000 00000031`49042000 : certprop!errcntrctlib::WinApiErrorContract<+0x32
    2a 00007ff9`76823021 : 00000145`5866ae10 00000145`5862b780 00000000`7ffe0386 00000000`000020f8 : certprop!CertPropAssociateSmartCardUserWithCertificateCallback+0x6b
    2b 00007ff9`76821989 : 00000145`58e87760 00000000`00000000 00007ff9`76822ef0 00000000`00000000 : ntdll!TppWorkpExecuteCallback+0x131
    2c 00007ff9`75b22774 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!TppWorkerThread+0x6c9
    2d 00007ff9`76850d51 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : KERNEL32!BaseThreadInitThunk+0x14
    2e 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x21
    1: kd> !fltkd.filtters
    fltkd has no filtters export
    1: kd> !fltkd.filters

    Filter List: ffffc00d2d003930 "Frame 0"
    FLT_FILTER: ffffc00d2d00e660 "vsepflt" "328200"
    FLT_INSTANCE: ffffc00d2d12fc50 "vsepflt Instance" "328200"
    FLT_INSTANCE: ffffc00d2d2ccc50 "vsepflt Instance" "328200"
    FLT_INSTANCE: ffffc00d2db5ec50 "vsepflt Instance" "328200"
    FLT_INSTANCE: ffffc00d2dba6c50 "vsepflt Instance" "328200"
    FLT_FILTER: ffffc00d2c1c9c10 "PSINProc" "327620"
    FLT_INSTANCE: ffffc00d2daacd70 "PSINProc Instance" "327620"
    FLT_INSTANCE: ffffc00d2dbf9010 "PSINProc Instance" "327620"
    FLT_INSTANCE: ffffc00d2e06dca0 "PSINProc Instance" "327620"
    FLT_INSTANCE: ffffc00d2e1c27e0 "PSINProc Instance" "327620"
    FLT_FILTER: ffffc00d2e0b5220 "PSINFile" "327610"
    FLT_INSTANCE: ffffc00d2e1c7c80 "PSINFile Instance" "327610"
    FLT_INSTANCE: ffffc00d2e1c78f0 "PSINFile Instance" "327610"
    FLT_INSTANCE: ffffc00d2e1c8c80 "PSINFile Instance" "327610"
    FLT_INSTANCE: ffffc00d2e095c00 "PSINFile Instance" "327610"
    FLT_FILTER: ffffc00d2e3fe7a0 "storqosflt" "244000"
    FLT_FILTER: ffffc00d2e09b010 "wcifs" "189900"
    FLT_INSTANCE: ffffc00d2e09b580 "wcifs Instance" "189900"
    FLT_FILTER: ffffc00d2d010880 "Sfntpffd" "144200"
    FLT_INSTANCE: ffffc00d2d130010 "Sfntpffd Instance" "144200"
    FLT_INSTANCE: ffffc00d2d2c52f0 "Sfntpffd Instance" "144200"
    FLT_INSTANCE: ffffc00d2db5e010 "Sfntpffd Instance" "144200"
    FLT_INSTANCE: ffffc00d2dba6010 "Sfntpffd Instance" "144200"
    FLT_FILTER: ffffc00d2c1ca640 "FileCrypt" "141100"
    FLT_FILTER: ffffc00d2e0a44d0 "luafv" "135000"
    FLT_INSTANCE: ffffc00d2e0a8470 "luafv" "135000"
    FLT_FILTER: ffffc00d2d3c8b10 "npsvctrig" "46000"
    FLT_INSTANCE: ffffc00d2d3ddd20 "npsvctrig" "46000"
    FLT_FILTER: ffffc00d2d00c710 "Wof" "[ERROR READING NAME]"
    FLT_INSTANCE: ffffc00d2d2bd010 "Wof Instance" "40700"
    FLT_INSTANCE: ffffc00d2db52b90 "Wof Instance" "40700"
    FLT_INSTANCE: ffffc00d2db9fb90 "Wof Instance" "40700"
    FLT_FILTER: ffffc00d2d00c010 "FileInfo" "40500"
    FLT_INSTANCE: ffffc00d2d10ab40 "FileInfo" "40500"
    FLT_INSTANCE: ffffc00d2d2bc640 "FileInfo" "40500"
    FLT_INSTANCE: ffffc00d2db50b40 "FileInfo" "40500"
    FLT_INSTANCE: ffffc00d2db9db40 "FileInfo" "40500"

    Let me know, if any further info needed.
  • Scott_Noone_(OSR)Scott_Noone_(OSR) Administrator Posts: 3,096
    The RDP network redirector is probably failing the name query for the
    "SCARD" share as this has to do with smart card usage across RDP. You should
    be able to confirm by walking into the FltGetFileNameInformationUnsafe call
    in the debugger.

    You probably don't want to fail the operation here. The path DOES exist, it
    just doesn't let you perform this particular query on it. Ideally you would
    just ignore anything that tries to access the TSCLIENT\SCARD path. Whether
    or not path based filtering/ignoring like this is appropriate for your
    filter really depends on what exactly your filter does. Given that it's the
    network you might be able to improve the precision of the ignore by using
    FsRtlMupGetProviderInfoFromFileObject to determine that this request is
    being handled by RDP.

    Two other things:

    1. Another way to handle this might be to just copy the provided Component
    as the ExpandedComponent if you get back STATUS_NOT_IMPLEMENTED. If the
    lower FS isn't giving you a way to query the name, then presumably the name
    must be the name

    2. Stepping back a bit, I don't understand why you'd be calling
    FltGetFileNameInformationUnsafe on the provided FileObject to
    NormalizeNameComponentExCallback? The normal thing to do is open the parent
    path and query the directory for the component. Not sure what the path of
    the incoming FileObject gets you?

    -scott
    OSR
    @OSRDrivers

    -scott
    OSR

  • Pooja_BansalPooja_Bansal Member - All Emails Posts: 44
    Thanks scott for your response!

    yes, you are right as mentioned from bsod details , this issue happens for TSCLIENT\SCARD path.

    0: kd> dx -r1 ((sfntpffd!_UNICODE_STRING *)0xffffc209dd171ac8)
    ((sfntpffd!_UNICODE_STRING *)0xffffc209dd171ac8) : 0xffffc209dd171ac8 : [Type:
    _UNICODE_STRING *]
    [Type: _UNICODE_STRING]
    [+0x0] Length : 34
    [+0x2] MaximumLength : 56
    [+0x8] Buffer : 0xffffd60b81b38160 : [Type: wchar_t *] :
    "\TSCLIENT\SCARD\2"

    Few concerns here:

    1. From our filter driver , name call back GenerateFileNameCallback gets called, which calls FltGetFileNameInformationUnsafe() as per name call backs functionality being mentioned at below link:
    http://fsfilters.blogspot.in/2011/03/names-in-minifilters-implementing-name.html

    And we have returned STATUS_NOT_IMPLEMENTED that we got from FltGetFileNameInformationUnsafe() to upper layer..

    2. In NormalizeNameComponentExCallback, FltQueryDirectoryFile returns STATUS_NOT_IMPLEMENTED, which is not valid as per filter manager verifier check..

    so, both registered name callbacks GenerateFileNameCallback and NormalizeNameComponentExCallback have returned STATUS_NOT_IMPLEMENTED, which is not valid.

    Are you suggesting that we should by pass both name call backs for TSCLIENT\SCARD\ path.?

    and how can get help from FsRtlMupGetProviderInfoFromFileObject ??

    Thanks a lot!!
  • Scott_Noone_(OSR)Scott_Noone_(OSR) Administrator Posts: 3,096
    > Are you suggesting that we should by pass both name call backs for
    > TSCLIENT\SCARD\ path.?

    Yes. If the RDP redirector doesn't support the information queries necessary
    to call these APIs then there's not much you can do. You either need to
    avoid asking in the first place or deal with the error code using some sane
    default behavior.

    It is valid to return STATUS_NOT_SUPPORTED from the
    GenerateFileNameCallback. FltMgr will then just try calling your
    NormalizeNameComponent callback for each piece of the path.

    I think it's a bit harsh for Flt Verifier to throw error on the result of
    NormalizeNameComponent, but that doesn't matter much at the moment...If RDP
    doesn't support querying the contents of this particular "directory" then
    I'd consider it reasonable to assume that there are no short names in the
    path and the incoming name is as good as the expanded name. That would make
    the default behavior to copy the Component into the ExpandComponentName.

    >and how can get help from FsRtlMupGetProviderInfoFromFileObject ??

    If you want to filter out messing with this path, you could just say "it's a
    special case if I'm dealing with anything named \\TSCLIENT\\*". However,
    that opens you up to taking the special case in ALL cases involving this
    path, even when the target is RDP. A better refinement would be to say,
    "it's a special case if I'm dealing with anything named \\TSCLIENT\\* and
    it's on the network." That sort of works, but now you would take the special
    case if you're talking to something named TSCLIENT over SMB or NFS (for
    example).

    The last level of refinement then is to say, "it's a special case if I'm
    dealing with anything named \\TSCLIENT\\* and it's on the network and the
    network redirector is RDP." That last bit is what
    FsRtlMupGetProviderInfoFromFileObject lets you determine.

    However, after your additional details I'd say that easiest path is just to
    react to the error in your normalize callback. You might want to ASSERT that
    the offending path is the TSCLIENT one so that you can catch other instances
    of this and make sure you're not masking a real issue elsewhere.

    -scott
    OSR
    @OSRDrivers

    -scott
    OSR

  • Pooja_BansalPooja_Bansal Member - All Emails Posts: 44
    Thanks scott for further information!!

    >> It is valid to return STATUS_NOT_SUPPORTED from the
    GenerateFileNameCallback.

    I have tried changing error code to STATUS_NOT_SUPPORTED, but filter manager throws same exception.
    However, it worked with STATUS_OBJECT_PATH_NOT_FOUND.
  • Scott_Noone_(OSR)Scott_Noone_(OSR) Administrator Posts: 3,096
    I just wrote a quick filter and reproduced this behavior. This is what I see
    happen:

    1. Upper filter queries for a normalized name, I get called at
    GenerateFileName

    2. FltGetFileNameInformation for normalized name information fails with
    STATUS_NOT_IMPLEMENTED. This appears to be due to the RDP redirector not
    supporting querying for FileStandardInformation

    3. FltMgr Verifier is good with STATUS_NOT_IMPLEMENTED because it was a
    Normalized Name Query:

    cmp ebx,0C0000002h
    je FLTMGR!FltvGenerateFileName+0x74 (fffff800`b59723b4)
    cmp ebx,0C00000BBh
    jne FLTMGR!FltvGenerateFileName+0x96 (fffff800`b59723d6)
    cmp bpl,2 ==> If a normalized query, don't print Verifier error
    jne FLTMGR!FltvGenerateFileName+0x96 (fffff800`b59723d6)

    4. FltMgr then calls GenerateFileName again for an Opened name query. This
    time my call to FltGetFileNameInformation works because I'm just getting the
    opened name.

    5. FltMgr then calls the NormalizeNameComponent callback to try to expand
    the short name. This fails because the directory enumeration fails and I get
    the FltMgr Verifier error

    This is with Server 2016 RS1 because it's what I had lying around.

    Are you seeing different behavior?

    -scott
    OSR
    @OSRDrivers

    -scott
    OSR

Sign In or Register to comment.

Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!

Upcoming OSR Seminars
Writing WDF Drivers 25 Feb 2019 OSR Seminar Space
Developing Minifilters 8 April 2019 OSR Seminar Space