
INVALID_PROCESS_ATTACH_ATTEMPT

John-6 Posts: 57
I got a crash dump from a system running one of my drivers. It's a minifilter that does use SFOs in some cases. The customer said this crash occurs infrequently on start-up, and although my software has been installed for many months, this apparently only started occurring semi-recently. Most of the documentation on INVALID_PROCESS_ATTACH_ATTEMPT states an issue with KeAttachProcess, but that's been deprecated and is not used in my driver; however, I do use KeStackAttachProcess. I'm not sure how to interpret Arg1 and Arg2 as they are "pointers to the dispatcher object of the process." A "!stacks 2 mydriver" command shows only 1 thread, but it's in a different process than the one that caused the crash.

Based on what I see, I don't believe I'm the culprit, but is there anything else I can check that can help confirm that?

1: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

INVALID_PROCESS_ATTACH_ATTEMPT (5)
Arguments:
Arg1: ffffd20300000000
Arg2: ffffd203d0aa7640
Arg3: 0000000000000000
Arg4: 0000000000000000

Debugging Details:
------------------


DUMP_CLASS: 1

DUMP_QUALIFIER: 402

BUILD_VERSION_STRING: 15063.0.amd64fre.rs2_release.170317-1834

SYSTEM_MANUFACTURER: Dell Inc.

SYSTEM_PRODUCT_NAME: Dell System XPS L502X

SYSTEM_SKU: System SKUNumber

BIOS_VENDOR: Dell Inc.

BIOS_VERSION: A12

BIOS_DATE: 09/07/2012

BASEBOARD_MANUFACTURER: Dell Inc.

BASEBOARD_PRODUCT: 0NJT03

BASEBOARD_VERSION: A00

DUMP_TYPE: 0

BUGCHECK_P1: ffffd20300000000

BUGCHECK_P2: ffffd203d0aa7640

BUGCHECK_P3: 0

BUGCHECK_P4: 0

CPU_COUNT: 8

CPU_MHZ: 7cb

CPU_VENDOR: GenuineIntel

CPU_FAMILY: 6

CPU_MODEL: 2a

CPU_STEPPING: 7

CPU_MICROCODE: 6,2a,7,0 (F,M,S,R) SIG: 29'00000000 (cache) 29'00000000 (init)

DEFAULT_BUCKET_ID: WIN8_DRIVER_FAULT

BUGCHECK_STR: 0x5

PROCESS_NAME: ClipRenew.exe

CURRENT_IRQL: 1

LAST_CONTROL_TRANSFER: from fffff800fd395617 to fffff800fd385580

STACK_TEXT:
ffffa300`7690f338 fffff800`fd395617 : 00000000`00000005 ffffd203`00000000 ffffd203`d0aa7640 00000000`00000000 : nt!KeBugCheckEx
ffffa300`7690f340 fffff800`fd250225 : ffffd203`d0389420 00000000`00000000 ffffd203`00000000 fffff800`fd27bf8d : nt!KiDeliverApc+0x146ea7
ffffa300`7690f3d0 fffff800`fd3050d7 : ffffd203`d06340f0 00000000`00000000 ffffd203`d0389420 ffffd203`d0634010 : nt!KiCheckForKernelApcDelivery+0x25
ffffa300`7690f400 fffff803`e72d49cc : ffffa300`7690f4e9 ffffd203`00000000 ffffd203`00000000 ffffd203`d0634010 : nt!KeLeaveGuardedRegion+0x37
ffffa300`7690f430 fffff803`e72d46ec : ffffa300`7690f620 00000000`00000000 ffffd203`d0aa7600 ffffd203`cedaf212 : FLTMGR!FltpPerformPreCallbacks+0x16c
ffffa300`7690f550 fffff803`e72d36d8 : ffffd203`cedaf2b0 ffffa300`7690f620 ffffd203`cedaf2b0 ffffa300`7690f630 : FLTMGR!FltpPassThroughInternal+0x8c
ffffa300`7690f580 fffff803`e72d34be : ffffffff`fffe7960 ffffd203`cd5ce7f0 00000000`00000000 00000000`00000000 : FLTMGR!FltpPassThrough+0x168
ffffa300`7690f600 fffff800`fd6ac7cf : ffffd203`d0aa8360 00000000`00000000 00000000`00000000 ffffa300`7690f6b0 : FLTMGR!FltpDispatch+0x9e
ffffa300`7690f660 fffff800`fd6bbde8 : 00000000`00007fff ffffd203`ca34bb00 00000000`00000000 ffffd203`d0aa8340 : nt!IopCloseFile+0x14f
ffffa300`7690f6f0 fffff800`fd743c45 : 00000000`00000000 ffffd203`d087b928 00000000`00000001 ffffffff`ffffffff : nt!ObCloseHandleTableEntry+0x228
ffffa300`7690f830 fffff800`fd63fa89 : ffffd203`d0aa7640 ffffd203`d0aa5700 ffffd203`d0aa7640 00000000`00040001 : nt!ExSweepHandleTable+0xc5
ffffa300`7690f8e0 fffff800`fd6e24f7 : 00000000`00040000 00000000`00000000 00000000`00000000 fffff800`fd6e9786 : nt!ObKillProcess+0x35
ffffa300`7690f910 fffff800`fd653641 : ffffd203`d0aa7640 ffff8807`16e69060 ffffd203`d0aa7640 00000000`00000000 : nt!PspRundownSingleProcess+0x117
ffffa300`7690f990 fffff800`fd712f59 : 00000000`00000000 ffffd203`d0aa7601 0000008c`635d8000 ffffd203`d0aa5700 : nt!PspExitThread+0x57d
ffffa300`7690fa90 fffff800`fd390413 : ffffd203`d0aa7640 ffffd203`d0aa5700 ffffa300`7690fb80 000001d7`679f0730 : nt!NtTerminateProcess+0xe9
ffffa300`7690fb00 00007ffd`c3cf5924 : 00007ffd`c3c9d2ff 00000000`00000000 000001d7`679f0730 000001d7`679f0728 : nt!KiSystemServiceCopyEnd+0x13
0000008c`6367fa68 00007ffd`c3c9d2ff : 00000000`00000000 000001d7`679f0730 000001d7`679f0728 000001d7`679f0730 : ntdll!NtTerminateProcess+0x14
0000008c`6367fa70 00007ffd`c3bbc0da : 00000000`00000000 00000000`00000000 000001d7`679f0730 00007ffd`c3cc0da7 : ntdll!RtlExitUserProcess+0xbf
0000008c`6367faa0 00007ffd`c11fa045 : 00007ff7`be3eb9c0 00000000`00000000 00000000`00000000 000001d7`679f0740 : KERNEL32!ExitProcessImplementation+0xa
0000008c`6367fad0 00007ffd`c11fa68d : 000001d7`679f0728 00007ff7`a4f1e6b9 000001d7`67a41a50 00000000`00000000 : msvcrt!_crtExitProcess+0x15
0000008c`6367fb00 00007ff7`be3eaf90 : 00000000`00000001 00000000`00000000 00000000`00000000 00000000`00000000 : msvcrt!unlockexit+0x1d1
0000008c`6367fb70 00007ffd`c3bb2774 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ClipRenew!__wmainCRTStartup+0x164
0000008c`6367fbb0 00007ffd`c3cc0d51 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : KERNEL32!BaseThreadInitThunk+0x14
0000008c`6367fbe0 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x21

1: kd> !thread -1
THREAD ffffd203d0aa5700 Cid 0b6c.0b70 Teb: 0000000000000000 Win32Thread: 0000000000000000 RUNNING on processor 1
IRP List:
ffffd203cedaf2b0: (0006,0598) Flags: 00000404 Mdl: 00000000
Not impersonating
DeviceMap ffff88070b0145a0
Owning Process ffffd203d0aa7640 Image: ClipRenew.exe
Attached Process N/A Image: N/A
Wait Start TickCount 3234 Ticks: 0
Context Switch Count 69 IdealProcessor: 1
UserTime 00:00:00.000
KernelTime 00:00:00.000
Win32 Start Address ClipRenew!wmainCRTStartup (0x00007ff7be3eaff0)
Stack Init ffffa3007690fc90 Current ffffa3007690edf0
Base ffffa30076910000 Limit ffffa3007690a000 Call 0
Priority 7 BasePriority 6 UnusualBoost 0 ForegroundBoost 0 IoPriority 1 PagePriority 2

1: kd> !irp ffffd203cedaf2b0
Irp is active with 16 stacks 16 is current (= 0xffffd203cedaf7b8)
No Mdl: No System Buffer: Thread ffffd203d0aa5700: Irp stack trace.
cmd flg cl Device File Completion-Context

>[IRP_MJ_CLEANUP(12), N/A(0)]
0 1 ffffd203cd5ce7f0 ffffd203d0aa8360 00000000-00000000 pending
\FileSystem\FltMgr
Args: 00000000 00000000 00000000 00000000


1: kd> !stacks 2 mydriver

[ffffd203d0b44080 svchost.exe]
c04.000c3c ffffd203d0b61080 fffff35e RUNNING nt!FsRtlFindExtraCreateParameter+0x38
NTFS!NtfsCommonCreate+0x2ef5
NTFS!NtfsCommonCreateCallout+0x1d
nt!KxSwitchKernelStackCallout+0x27
nt!KiSwitchKernelStackContinue
nt!KiExpandKernelStackAndCalloutOnStackSegment+0x12c
nt!KiExpandKernelStackAndCalloutSwitchStack+0x9e
nt!KeExpandKernelStackAndCalloutInternal+0x2f
NTFS!NtfsFsdCreate+0x1cb
FLTMGR!FltpLegacyProcessingAfterPreCallbacksCompleted+0x18d
FLTMGR!FltpCreate+0x2eb
nt!IopParseDevice+0x815
nt!ObpLookupObjectName+0x46b
nt!ObOpenObjectByNameEx+0x1e0
nt!IopCreateFile+0x3aa
nt!IoCreateFileEx+0x124
FLTMGR!FltpExpandFilePathWorker+0x2b9
FLTMGR!FltpExpandFilePath+0x1a
FLTMGR!FltpGetNormalizedFileNameWorker+0x117
FLTMGR!FltpGetNormalizedFileName+0x1a
FLTMGR!FltpCreateFileNameInformation+0x32d
FLTMGR!HandleStreamListNotSupported+0x115
FLTMGR!FltpGetFileNameInformation+0x623
FLTMGR!FltGetFileNameInformation+0x1ba
mydriver+0x17c05
FLTMGR!FltpCallOpenedFileNameHandler+0x70
FLTMGR!FltpGetNormalizedFileNameWorker+0x2f
FLTMGR!FltpGetNormalizedFileName+0x1a
FLTMGR!FltpCreateFileNameInformation+0x32d
FLTMGR!HandleStreamListNotSupported+0x115
FLTMGR!FltpGetFileNameInformation+0x623
FLTMGR!FltGetFileNameInformation+0x1ba
MbamChameleon+0x16e3
MbamChameleon+0x2a543
FLTMGR!FltpPerformPreCallbacks+0x2ec
FLTMGR!FltpPassThroughInternal+0x8c
FLTMGR!FltpCreate+0x2d7
nt!IopParseDevice+0x815
nt!ObpLookupObjectName+0x46b
nt!ObOpenObjectByNameEx+0x1e0
nt!IopCreateFile+0x3aa
nt!IoCreateFileEx+0x124
nt!IopOpenLinkOrRenameTarget+0x166
nt!NtSetInformationFile+0x9c3
nt!KiSystemServiceCopyEnd+0x13

1: kd> !irql
Debugger saved IRQL for processor 0x1 -- 1 (APC_LEVEL)
1: kd> !apc
*** Enumerating APCs in all processes
Process ffffd203ca2b4040 System
Thread ffffd203ca29a680 Thread ffffd203ca3125c0
Thread ffffd203cd878040 Thread
Process ffffd203cf239080 csrss.exe
Thread ffffd203cd707080 Thread ffffd203cd705080
Process ffffd203cfef0080 csrss.exe
Thread ffffd203cfeed300 Thread ffffd203cfeeb080
Thread ffffd203cff45080 Thread ffffd203cff43480
Thread ffffd203cff38080 Thread ffffd203cff37700
Thread ffffd203cffc2080 Thread ffffd203cff86080
Thread ffffd203cff8b080 Thread ffffd203cdc60080
Thread ffffd203cf77c080 Thread ffffd203cf72a4c0
Thread ffffd203cf76b080 Thread ffffd203cff25580
Thread ffffd203cf76a080 Thread ffffd203cff1f080
Thread ffffd203cf7b5080 Thread ffffd203cf7b3080
Thread ffffd203cf79a080 Thread ffffd203cff19080
Thread ffffd203d0210080 Thread ffffd203d0269080
Thread ffffd203d0225080 Thread ffffd203d02a5080
Thread ffffd203d0229080 Thread ffffd203d0291700
Thread ffffd203d02ac080 Thread ffffd203d0245080
Thread ffffd203d02ec080 Thread ffffd203d02e8080
Thread ffffd203d02df080 Thread ffffd203d02d1080
Thread ffffd203d0337080 Thread ffffd203d0333380
Thread ffffd203d02ce080 Thread ffffd203d03fd080
Thread ffffd203ca2a2700 Thread ffffd203d034e080
Thread ffffd203d0343080 Thread ffffd203d033c080
Thread ffffd203d0340080 Thread ffffd203d0339340
Thread ffffd203d0355500 Thread ffffd203d0391080
Thread ffffd203d023a080 Thread ffffd203d0236080
Thread ffffd203d0504700 Thread ffffd203d060b080
Thread ffffd203d053d080 Thread ffffd203d0547080
Thread ffffd203cdc53080 Thread ffffd203d059a080
Thread ffffd203d0596080 Thread ffffd203d05a6700
Thread ffffd203d05d5080 Thread ffffd203d05b7080
Thread ffffd203d05d4080 Thread ffffd203d05e9600
Thread ffffd203d0605080 Thread ffffd203d0673080
Thread ffffd203d085a080 Thread ffffd203d0630080
Thread ffffd203d0858080 Thread ffffd203d062b480
Thread ffffd203d08555c0 Thread ffffd203d087f080
Thread ffffd203d088a440 Thread ffffd203d08d9080
Thread ffffd203d0902080 Thread ffffd203d08f8080
Thread ffffd203d09e3080 Thread ffffd203d09de080
Thread ffffd203d09d3080 Thread ffffd203d0625080
Thread ffffd203d092a700 Thread ffffd203d0928080
Thread ffffd203d0984700 Thread ffffd203d095a080
Thread ffffd203d098d080 Thread ffffd203d0a09080
Thread ffffd203d09c0080 Thread ffffd203d0a3f080
Thread ffffd203d09ec080 Thread ffffd203d0a0f080
Thread ffffd203d09eb080 Thread ffffd203d0a0b080
Thread ffffd203d0990080 Thread ffffd203d0a0d080
Thread ffffd203d0aa5700
Process ffffd203d0abf640 svchost.exe
Thread ffffd203d0aba080 Thread ffffd203d0acd080
Thread ffffd203d0aaf080 Thread ffffd203d0ac8080
Thread ffffd203d0ae3080 Thread ffffd203d0aca080
Thread ffffd203d0aee080 Thread ffffd203d0ae9080
Thread ffffd203d0b46080 Thread ffffd203d0b74080
Thread ffffd203d0b42080 Thread ffffd203d0b72080

Comments

  • Scott_Noone Posts: 2,989
    Are you 100% certain that all calls to KeStackAttachProcess are paired with
    calls to KeUnstackDetachProcess? From the bugcheck description:

    "this bug check could occur if KeAttachProcess was called when the thread
    was already attached to a process (which is illegal), or if the thread
    returned from certain function calls in an attached state (which is
    invalid),"

    As far as the args, did you try just running !process on them?

    -scott
    OSR
    @OSRDrivers
  • John-6 Posts: 57
    > Are you 100% certain that all calls to KeStackAttachProcess are paired with
    > calls to KeUnstackDetachProcess?

    In my driver, yes. I'm simply doing an ObOpenObjectByPointer in between Attach/Detach.

    > did you try just running !process on them

    Ran !process on Arg2. Turns out Arg2 is just the EPROCESS of the process that caused the crash. Arg1 looks bogus.
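The checks below are an added WinDbg script for this dump; they are not commands from either poster. The only inputs are addresses already in the thread: Arg1/Arg2 from the bugcheck, the crashing thread ffffd203d0aa5700, the KiDeliverApc return address fffff800fd395617 and that frame's stack range from the STACK_TEXT. Everything the script is meant to reveal (which driver's APC was being delivered, whether the thread's saved attach state is consistent, whether Arg1 resolves at all) has to be read off the output; nothing here assumes an answer.

```windbg
$$ Added example: attach-state triage for INVALID_PROCESS_ATTACH_ATTEMPT (bugcheck 5).
$$ Run with: $$>< c:\path\attach_triage.wds   (path is hypothetical)

$$ 1. Resolve both arguments. Arg2 was confirmed to be the EPROCESS of ClipRenew.exe;
$$    Arg1 should fail to resolve if it really is Arg2 with the low dword cleared.
!process ffffd203d0aa7640 0
!process ffffd20300000000 0
$$ Confirm the "low 32 bits cleared" relationship arithmetically (expect ffffd203`00000000).
? ffffd203d0aa7640 & ffffffff`00000000

$$ 2. Dump the crashing thread's attach bookkeeping directly from the KTHREAD.
$$    For a thread that is NOT attached, ApcStateIndex is 0 and ApcState.Process is
$$    the owning process (should equal Arg2). A non-zero ApcStateIndex, or a
$$    SavedApcState.Process that differs from the owner, means the thread came back
$$    to APC delivery still attached to something.
dt nt!_KTHREAD ffffd203d0aa5700 ApcStateIndex ApcState.Process ApcState.ApcStateIndex SavedApcState.Process ApcStatePointer

$$ 3. Look at the KiDeliverApc frame that raised the bugcheck. The +0x146ea7 offset is
$$    far outside a normal function body, so check the nearest symbol, then disassemble
$$    backwards to see which registers were loaded into rcx/rdx (Arg1/Arg2).
ln fffff800fd395617
.frame /r 1
ub fffff800fd395617 L10

$$ 4. Scan the KiDeliverApc frame for pointers. An APC that was just delivered has
$$    already been dequeued, but its KAPC and KernelRoutine are often still on the
$$    stack; a symbol belonging to a driver here identifies whose APC ran.
dps ffffa300`7690f340 ffffa300`7690f3d0

$$ 5. APCs still queued to the thread (the delivered one is gone, but a second
$$    queued APC with a driver KernelRoutine is a strong hint).
!apc thre ffffd203d0aa5700

$$ 6. Which minifilters are loaded and at what altitude; the !stacks output shows
$$    more than one filter in the create path, so list all of them.
!fltkd.filters

$$ 7. Module details for the suspect driver and whether Driver Verifier was active
$$    on this system when it crashed.
lmDvm mydriver
!verifier
```

Reading the result: if step 2 shows ApcStateIndex of 0 and ApcState.Process equal to Arg2, the thread itself was not attached at the moment of the crash, and the interesting value is whatever step 3 shows was loaded into rcx. If step 1 cannot resolve Arg1 and step 2's fields look sane, that supports the reading that a process pointer held somewhere was partially overwritten rather than a mismatched attach/detach pair; the `ub` output tells you which memory location that pointer was loaded from. Step 7 is worth checking before asking the customer to enable Driver Verifier, since `!verifier` reports whether it was already on; enabling it for one driver is `verifier /standard /driver mydriver.sys` followed by a reboot.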
  • Scott_Noone Posts: 2,989
    OK, that takes care of the easy answer then.

    Looking more closely at the args, Arg1 is Arg2 with the low 32-bits cleared:

    Arg1: ffffd20300000000
    Arg2: ffffd203d0aa7640

    Sounds like another manifestation of the problem you were having previously:

    http://www.osronline.com/showThread.CFM?link=285110

    Did you ever get anywhere on that case?

    -scott
    OSR
    @OSRDrivers
  • John-6 Posts: 57
    I noticed the low 32 bit clearing as well and recognized the similarities with the other crash I was fighting. Unfortunately never figured that one out as I couldn't reproduce and no one else running the software seemed to experience the problem.

    I'm thinking my next move is to programmatically enable verifier on the customer's system, hoping that it can catch the apparent overwrite at an earlier point.
