
NtCreatePagingFile returning STATUS_OBJECT_NAME_NOT_FOUND

JasonStern Member Posts: 2

I'm working on a project using Win10IoT with the Universal Write Filter (UWF). For those unfamiliar with UWF, it's a feature that redirects all write attempts on a protected volume to a virtual overlay, ensuring no modifications have been made to the protected (in this case O/S) volume across reboots. Enabling UWF disables page files, but at runtime with the UWF enabled, you can create and/or increase the page file sizes using SystemPropertiesAdvanced.exe.

After wasting time using WMI/CIM to adjust the page files, only to find out there is no way for the commit limit to increase without a reboot, I used Dr. Memory's strace tool on SystemPropertiesAdvanced.exe to try to figure out what exactly it was doing. Parsing the log, I came across the undocumented function NtCreatePagingFile, which gave me a nice:

NtCreatePagingFile
arg 0: 72/74 "\Device\HarddiskVolume2\pagefile.sys" (type=UNICODE_STRING*, size=0x4)
arg 1: (type=ULARGE_INTEGER*, size=0x4)
arg 2: (type=ULARGE_INTEGER*, size=0x4)
arg 3: 0x0 (type=unsigned int, size=0x4)
succeeded =>
retval: 0x0 (type=NTSTATUS, size=0x4)

...entry to go off of. I then wrote an application that enables the SE_CREATE_PAGEFILE_NAME privilege and tries to call NtCreatePagingFile with the appropriate NT file path. Unfortunately, the operation consistently fails with STATUS_OBJECT_NAME_NOT_FOUND. Something appears to be wrong with the "PUNICODE_STRING PageFileName" parameter. If I try something malformed, I get STATUS_OBJECT_NAME_INVALID, so it's at least getting past the file name validation. I've tried ensuring the file exists, ensuring the file does not exist, altering the file's permissions, etc. I'm afraid that I'm not sure exactly where I'm going wrong, and STATUS_OBJECT_NAME_NOT_FOUND doesn't provide enough information for me to really dig into it further. Does anyone have any ideas?

Thank you!
