NtCreatePagingFile returning STATUS_OBJECT_NAME_NOT_FOUND

JasonStern Member Posts: 2

I'm working on a project using Win10IoT with the Universal Write Filter (UWF). For those unfamiliar with UWF, it's a feature that redirects all write attempts on a protected volume to a virtual overlay, ensuring no modifications have been made to the protected (in this case O/S) volume across reboots. Enabling UWF disables page files, but at runtime with the UWF enabled, you can create and/or increase the page file sizes using SystemPropertiesAdvanced.exe.

After wasting time using WMI/CIM to adjust the page files, only to find out there is no way for the commit limit to increase without a reboot, I used Dr. Memory's strace tool on SystemPropertiesAdvanced.exe to try to figure out what exactly it was doing. Parsing the log, I came across the undocumented function NtCreatePagingFile, which gave me a nice:

NtCreatePagingFile
arg 0: 72/74 "\Device\HarddiskVolume2\pagefile.sys" (type=UNICODE_STRING*, size=0x4)
arg 1: (type=ULARGE_INTEGER*, size=0x4)
arg 2: (type=ULARGE_INTEGER*, size=0x4)
arg 3: 0x0 (type=unsigned int, size=0x4)
succeeded =>
retval: 0x0 (type=NTSTATUS, size=0x4)

...entry to go off of. I then wrote an application that enables the SE_CREATE_PAGEFILE_NAME privilege and tries to call NtCreatePagingFile with the appropriate NT file path. Unfortunately, the operation consistently fails with STATUS_OBJECT_NAME_NOT_FOUND. Something appears to be wrong with the "PUNICODE_STRING PageFileName" parameter. If I try something malformed, I get STATUS_OBJECT_NAME_INVALID, so it's at least getting past the file name validation. I've tried ensuring the file exists, ensuring the file does not exist, altering the file's permissions, etc. I'm afraid that I'm not sure exactly where I'm going wrong, and STATUS_OBJECT_NAME_NOT_FOUND doesn't provide enough information for me to really dig into it further. Does anyone have any ideas?

Thank you!
