I got a crash dump from a system running one of my drivers. It’s a minifilter that does use SFOs in some cases. The customer said this crash occurs infrequently on startup, and although my software has been installed for many months, this apparently only started occurring semi-recently. Most of the documentation on INVALID_PROCESS_ATTACH_ATTEMPT states an issue with KeAttachProcess, but that’s been deprecated and is not used in my driver; however, I do use KeStackAttachProcess. I’m not sure how to interpret Arg1 and Arg2, as they are “pointers to the dispatcher object of the process.” A “!stacks 2 mydriver” command shows only 1 thread, but it’s in a different process than the one that caused the crash.
Based off what I see, I don’t believe I’m the culprit, but is there anything else I can check that can help confirm that?
1: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
INVALID_PROCESS_ATTACH_ATTEMPT (5)
Arguments:
Arg1: ffffd20300000000
Arg2: ffffd203d0aa7640
Arg3: 0000000000000000
Arg4: 0000000000000000
Debugging Details:
DUMP_CLASS: 1
DUMP_QUALIFIER: 402
BUILD_VERSION_STRING: 15063.0.amd64fre.rs2_release.170317-1834
SYSTEM_MANUFACTURER: Dell Inc.
SYSTEM_PRODUCT_NAME: Dell System XPS L502X
SYSTEM_SKU: System SKUNumber
BIOS_VENDOR: Dell Inc.
BIOS_VERSION: A12
BIOS_DATE: 09/07/2012
BASEBOARD_MANUFACTURER: Dell Inc.
BASEBOARD_PRODUCT: 0NJT03
BASEBOARD_VERSION: A00
DUMP_TYPE: 0
BUGCHECK_P1: ffffd20300000000
BUGCHECK_P2: ffffd203d0aa7640
BUGCHECK_P3: 0
BUGCHECK_P4: 0
CPU_COUNT: 8
CPU_MHZ: 7cb
CPU_VENDOR: GenuineIntel
CPU_FAMILY: 6
CPU_MODEL: 2a
CPU_STEPPING: 7
CPU_MICROCODE: 6,2a,7,0 (F,M,S,R) SIG: 29'00000000 (cache) 29'00000000 (init)
DEFAULT_BUCKET_ID: WIN8_DRIVER_FAULT
BUGCHECK_STR: 0x5
PROCESS_NAME: ClipRenew.exe
CURRENT_IRQL: 1
LAST_CONTROL_TRANSFER: from fffff800fd395617 to fffff800fd385580
STACK_TEXT:
ffffa3007690f338 fffff800fd395617 : 0000000000000005 ffffd20300000000 ffffd203d0aa7640 0000000000000000 : nt!KeBugCheckEx
ffffa3007690f340 fffff800fd250225 : ffffd203d0389420 0000000000000000 ffffd20300000000 fffff800fd27bf8d : nt!KiDeliverApc+0x146ea7
ffffa3007690f3d0 fffff800fd3050d7 : ffffd203d06340f0 0000000000000000 ffffd203d0389420 ffffd203d0634010 : nt!KiCheckForKernelApcDelivery+0x25
ffffa3007690f400 fffff803e72d49cc : ffffa3007690f4e9 ffffd20300000000 ffffd20300000000 ffffd203d0634010 : nt!KeLeaveGuardedRegion+0x37
ffffa3007690f430 fffff803e72d46ec : ffffa3007690f620 0000000000000000 ffffd203d0aa7600 ffffd203cedaf212 : FLTMGR!FltpPerformPreCallbacks+0x16c
ffffa3007690f550 fffff803e72d36d8 : ffffd203cedaf2b0 ffffa3007690f620 ffffd203cedaf2b0 ffffa3007690f630 : FLTMGR!FltpPassThroughInternal+0x8c
ffffa3007690f580 fffff803e72d34be : fffffffffffe7960 ffffd203cd5ce7f0 0000000000000000 0000000000000000 : FLTMGR!FltpPassThrough+0x168
ffffa3007690f600 fffff800fd6ac7cf : ffffd203d0aa8360 0000000000000000 0000000000000000 ffffa3007690f6b0 : FLTMGR!FltpDispatch+0x9e
ffffa3007690f660 fffff800fd6bbde8 : 0000000000007fff ffffd203ca34bb00 0000000000000000 ffffd203d0aa8340 : nt!IopCloseFile+0x14f
ffffa3007690f6f0 fffff800fd743c45 : 0000000000000000 ffffd203d087b928 0000000000000001 ffffffffffffffff : nt!ObCloseHandleTableEntry+0x228
ffffa3007690f830 fffff800fd63fa89 : ffffd203d0aa7640 ffffd203d0aa5700 ffffd203d0aa7640 0000000000040001 : nt!ExSweepHandleTable+0xc5
ffffa3007690f8e0 fffff800fd6e24f7 : 0000000000040000 0000000000000000 0000000000000000 fffff800fd6e9786 : nt!ObKillProcess+0x35
ffffa3007690f910 fffff800fd653641 : ffffd203d0aa7640 ffff880716e69060 ffffd203d0aa7640 0000000000000000 : nt!PspRundownSingleProcess+0x117
ffffa3007690f990 fffff800fd712f59 : 0000000000000000 ffffd203d0aa7601 0000008c635d8000 ffffd203d0aa5700 : nt!PspExitThread+0x57d
ffffa3007690fa90 fffff800fd390413 : ffffd203d0aa7640 ffffd203d0aa5700 ffffa3007690fb80 000001d7679f0730 : nt!NtTerminateProcess+0xe9
ffffa3007690fb00 00007ffdc3cf5924 : 00007ffdc3c9d2ff 0000000000000000 000001d7679f0730 000001d7679f0728 : nt!KiSystemServiceCopyEnd+0x13
0000008c6367fa68 00007ffdc3c9d2ff : 0000000000000000 000001d7679f0730 000001d7679f0728 000001d7679f0730 : ntdll!NtTerminateProcess+0x14
0000008c6367fa70 00007ffdc3bbc0da : 0000000000000000 0000000000000000 000001d7679f0730 00007ffdc3cc0da7 : ntdll!RtlExitUserProcess+0xbf
0000008c6367faa0 00007ffdc11fa045 : 00007ff7be3eb9c0 0000000000000000 0000000000000000 000001d7679f0740 : KERNEL32!ExitProcessImplementation+0xa
0000008c6367fad0 00007ffdc11fa68d : 000001d7679f0728 00007ff7a4f1e6b9 000001d767a41a50 0000000000000000 : msvcrt!_crtExitProcess+0x15
0000008c6367fb00 00007ff7be3eaf90 : 0000000000000001 0000000000000000 0000000000000000 0000000000000000 : msvcrt!unlockexit+0x1d1
0000008c6367fb70 00007ffdc3bb2774 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : ClipRenew!__wmainCRTStartup+0x164
0000008c6367fbb0 00007ffdc3cc0d51 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : KERNEL32!BaseThreadInitThunk+0x14
0000008c6367fbe0 0000000000000000 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : ntdll!RtlUserThreadStart+0x21
1: kd> !thread -1
THREAD ffffd203d0aa5700 Cid 0b6c.0b70 Teb: 0000000000000000 Win32Thread: 0000000000000000 RUNNING on processor 1
IRP List:
ffffd203cedaf2b0: (0006,0598) Flags: 00000404 Mdl: 00000000
Not impersonating
DeviceMap ffff88070b0145a0
Owning Process ffffd203d0aa7640 Image: ClipRenew.exe
Attached Process N/A Image: N/A
Wait Start TickCount 3234 Ticks: 0
Context Switch Count 69 IdealProcessor: 1
UserTime 00:00:00.000
KernelTime 00:00:00.000
Win32 Start Address ClipRenew!wmainCRTStartup (0x00007ff7be3eaff0)
Stack Init ffffa3007690fc90 Current ffffa3007690edf0
Base ffffa30076910000 Limit ffffa3007690a000 Call 0
Priority 7 BasePriority 6 UnusualBoost 0 ForegroundBoost 0 IoPriority 1 PagePriority 2
1: kd> !irp ffffd203cedaf2b0
Irp is active with 16 stacks 16 is current (= 0xffffd203cedaf7b8)
No Mdl: No System Buffer: Thread ffffd203d0aa5700: Irp stack trace.
cmd flg cl Device File Completion-Context
[IRP_MJ_CLEANUP(12), N/A(0)]
0 1 ffffd203cd5ce7f0 ffffd203d0aa8360 00000000-00000000 pending
\FileSystem\FltMgr
Args: 00000000 00000000 00000000 00000000
1: kd> !stacks 2 mydriver
[ffffd203d0b44080 svchost.exe]
c04.000c3c ffffd203d0b61080 fffff35e RUNNING nt!FsRtlFindExtraCreateParameter+0x38
NTFS!NtfsCommonCreate+0x2ef5
NTFS!NtfsCommonCreateCallout+0x1d
nt!KxSwitchKernelStackCallout+0x27
nt!KiSwitchKernelStackContinue
nt!KiExpandKernelStackAndCalloutOnStackSegment+0x12c
nt!KiExpandKernelStackAndCalloutSwitchStack+0x9e
nt!KeExpandKernelStackAndCalloutInternal+0x2f
NTFS!NtfsFsdCreate+0x1cb
FLTMGR!FltpLegacyProcessingAfterPreCallbacksCompleted+0x18d
FLTMGR!FltpCreate+0x2eb
nt!IopParseDevice+0x815
nt!ObpLookupObjectName+0x46b
nt!ObOpenObjectByNameEx+0x1e0
nt!IopCreateFile+0x3aa
nt!IoCreateFileEx+0x124
FLTMGR!FltpExpandFilePathWorker+0x2b9
FLTMGR!FltpExpandFilePath+0x1a
FLTMGR!FltpGetNormalizedFileNameWorker+0x117
FLTMGR!FltpGetNormalizedFileName+0x1a
FLTMGR!FltpCreateFileNameInformation+0x32d
FLTMGR!HandleStreamListNotSupported+0x115
FLTMGR!FltpGetFileNameInformation+0x623
FLTMGR!FltGetFileNameInformation+0x1ba
mydriver+0x17c05
FLTMGR!FltpCallOpenedFileNameHandler+0x70
FLTMGR!FltpGetNormalizedFileNameWorker+0x2f
FLTMGR!FltpGetNormalizedFileName+0x1a
FLTMGR!FltpCreateFileNameInformation+0x32d
FLTMGR!HandleStreamListNotSupported+0x115
FLTMGR!FltpGetFileNameInformation+0x623
FLTMGR!FltGetFileNameInformation+0x1ba
MbamChameleon+0x16e3
MbamChameleon+0x2a543
FLTMGR!FltpPerformPreCallbacks+0x2ec
FLTMGR!FltpPassThroughInternal+0x8c
FLTMGR!FltpCreate+0x2d7
nt!IopParseDevice+0x815
nt!ObpLookupObjectName+0x46b
nt!ObOpenObjectByNameEx+0x1e0
nt!IopCreateFile+0x3aa
nt!IoCreateFileEx+0x124
nt!IopOpenLinkOrRenameTarget+0x166
nt!NtSetInformationFile+0x9c3
nt!KiSystemServiceCopyEnd+0x13
1: kd> !irql
Debugger saved IRQL for processor 0x1 -- 1 (APC_LEVEL)
1: kd> !apc
*** Enumerating APCs in all processes
Process ffffd203ca2b4040 System
Thread ffffd203ca29a680 Thread ffffd203ca3125c0
Thread ffffd203cd878040 Thread
Process ffffd203cf239080 csrss.exe
Thread ffffd203cd707080 Thread ffffd203cd705080
Process ffffd203cfef0080 csrss.exe
Thread ffffd203cfeed300 Thread ffffd203cfeeb080
Thread ffffd203cff45080 Thread ffffd203cff43480
Thread ffffd203cff38080 Thread ffffd203cff37700
Thread ffffd203cffc2080 Thread ffffd203cff86080
Thread ffffd203cff8b080 Thread ffffd203cdc60080
Thread ffffd203cf77c080 Thread ffffd203cf72a4c0
Thread ffffd203cf76b080 Thread ffffd203cff25580
Thread ffffd203cf76a080 Thread ffffd203cff1f080
Thread ffffd203cf7b5080 Thread ffffd203cf7b3080
Thread ffffd203cf79a080 Thread ffffd203cff19080
Thread ffffd203d0210080 Thread ffffd203d0269080
Thread ffffd203d0225080 Thread ffffd203d02a5080
Thread ffffd203d0229080 Thread ffffd203d0291700
Thread ffffd203d02ac080 Thread ffffd203d0245080
Thread ffffd203d02ec080 Thread ffffd203d02e8080
Thread ffffd203d02df080 Thread ffffd203d02d1080
Thread ffffd203d0337080 Thread ffffd203d0333380
Thread ffffd203d02ce080 Thread ffffd203d03fd080
Thread ffffd203ca2a2700 Thread ffffd203d034e080
Thread ffffd203d0343080 Thread ffffd203d033c080
Thread ffffd203d0340080 Thread ffffd203d0339340
Thread ffffd203d0355500 Thread ffffd203d0391080
Thread ffffd203d023a080 Thread ffffd203d0236080
Thread ffffd203d0504700 Thread ffffd203d060b080
Thread ffffd203d053d080 Thread ffffd203d0547080
Thread ffffd203cdc53080 Thread ffffd203d059a080
Thread ffffd203d0596080 Thread ffffd203d05a6700
Thread ffffd203d05d5080 Thread ffffd203d05b7080
Thread ffffd203d05d4080 Thread ffffd203d05e9600
Thread ffffd203d0605080 Thread ffffd203d0673080
Thread ffffd203d085a080 Thread ffffd203d0630080
Thread ffffd203d0858080 Thread ffffd203d062b480
Thread ffffd203d08555c0 Thread ffffd203d087f080
Thread ffffd203d088a440 Thread ffffd203d08d9080
Thread ffffd203d0902080 Thread ffffd203d08f8080
Thread ffffd203d09e3080 Thread ffffd203d09de080
Thread ffffd203d09d3080 Thread ffffd203d0625080
Thread ffffd203d092a700 Thread ffffd203d0928080
Thread ffffd203d0984700 Thread ffffd203d095a080
Thread ffffd203d098d080 Thread ffffd203d0a09080
Thread ffffd203d09c0080 Thread ffffd203d0a3f080
Thread ffffd203d09ec080 Thread ffffd203d0a0f080
Thread ffffd203d09eb080 Thread ffffd203d0a0b080
Thread ffffd203d0990080 Thread ffffd203d0a0d080
Thread ffffd203d0aa5700
Process ffffd203d0abf640 svchost.exe
Thread ffffd203d0aba080 Thread ffffd203d0acd080
Thread ffffd203d0aaf080 Thread ffffd203d0ac8080
Thread ffffd203d0ae3080 Thread ffffd203d0aca080
Thread ffffd203d0aee080 Thread ffffd203d0ae9080
Thread ffffd203d0b46080 Thread ffffd203d0b74080
Thread ffffd203d0b42080 Thread ffffd203d0b72080