
wininit terminated

Dejan_Maksimovic Member - All Emails Posts: 301

Hello.

I am trying to debug (via a VM) a wininit.exe termination. The following is the kv output from the faulting thread:

ffff9b0a`df1d9ac0 fffff804`4bdd6893 : 00000000`00000000 00000000`00000004 ffff9b0a`df1d9c40 ffff933f`fd7016c0 : nt!PspCatchCriticalBreak+0xa9
ffff9b0a`df1d9b60 fffff804`4bc4906d : ffffffff`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!PspTerminateAllThreads+0x175cbf
ffff9b0a`df1d9bd0 fffff804`4b7e1e15 : ffffbe0d`09c4d080 ffffbe0d`09c4d080 ffffbe0d`09c4c080 00000000`00000000 : nt!NtTerminateProcess+0x19d
ffff9b0a`df1d9c40 00007ffa`e293c644 : 00007ffa`e290a954 00000000`000000ff 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x25 (TrapFrame @ ffff9b0a`df1d9c40)
00000099`203cfbc8 00007ffa`e290a954 : 00000000`000000ff 00000000`00000000 00000000`00000000 00007ffa`e0469aa8 : ntdll!ZwTerminateProcess+0x14
00000099`203cfbd0 00007ffa`e096cd8a : 00000000`0000001f 00000000`00000000 00007ffa`e0469b68 00007ffa`e03c8670 : ntdll!RtlExitUserProcess+0x54
00000099`203cfc00 00007ffa`e03cae38 : 00000000`0000001f 00000000`00000000 00000099`203cfc88 00007ffa`e049bc20 : KERNEL32!FatalExit+0xa
00000099`203cfc30 00007ffa`e03c86ef : 00000000`0000001f 00000000`00000000 00000000`00000000 00000099`203cfc80 : ucrtbase!exit_or_terminate_process+0x44
00000099`203cfc60 00007ffa`e03c7694 : 00000000`0000001f 00000000`00000000 00000000`00000000 00000000`00000001 : ucrtbase!common_exit+0x6f
00000099`203cfcb0 00007ff6`433136d8 : 00000000`0000001f 00000000`00000000 00000000`00000000 00000000`00000000 : ucrtbase!__crt_state_management::wrapped_invoke<void (__cdecl*)(int),int,void>+0x20
00000099`203cfce0 00007ffa`e0967bd4 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : wininit!__scrt_common_main_seh+0x168
00000099`203cfd20 00007ffa`e290ced1 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : KERNEL32!BaseThreadInitThunk+0x14
00000099`203cfd50 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x21

The kernel stack does not show any values that could be interpreted as NTSTATUS error codes (between 80000000 and FFFFFFFF).
Am I correct to assume that the error is STATUS_UNSUCCESSFUL (1F is the GEN_FAILURE WinError code, which roughly translates to STATUS_UNSUCCESSFUL)?

Strangely, this is reproducible when we process the QueryInfo callback and modify the contents of the returned buffer (or modify the buffer without calling lower level drivers).
DV does not show any errors with special pool, leading me to believe that this is a user mode error of sorts.

Comments

  • Tim_Roberts Member - All Emails Posts: 13,401

    The user-mode process is shutting down, apparently because of an exception. There's not enough information here to know what caused the exception. The process is returning 0x1F as its final exit code, but that doesn't necessarily map to any error number.

    Tim Roberts, [email protected]
    Providenza & Boekelheide, Inc.

  • Dejan_Maksimovic Member - All Emails Posts: 301

    Peculiar... even though I found out what caused the problem (by fixing the issue via a Checked build of Windows 7), I still have no clue how I would have figured that was the problem here!
    Our driver was not returning a proper length for the FileNormalizedNameInformation query, and no one complained on a Free build of Windows.
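
The length accounting behind the fix in the last reply, as an added example that is not part of the original posts and is not the poster's driver code. The thread does not say which length was wrong, so this shows the conventional accounting for a name query that returns FILE_NAME_INFORMATION; `NAME_INFO`, `FILL_RESULT`, the `ST_*` macros, `fill_name_info` and the sample name are assumed stand-ins so that it builds without the WDK.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* User-mode stand-ins (assumed names) with the layout and values of the WDK's
   FILE_NAME_INFORMATION and NTSTATUS codes, so this builds without the WDK. */
typedef struct {
    uint32_t FileNameLength;          /* length in BYTES, no terminator */
    uint16_t FileName[1];             /* UTF-16 code units */
} NAME_INFO;
typedef struct { uint32_t status, information; } FILL_RESULT;
#define ST_SUCCESS              0x00000000u
#define ST_BUFFER_OVERFLOW      0x80000005u
#define ST_INFO_LENGTH_MISMATCH 0xC0000004u

static const uint16_t SAMPLE_NAME[] = { '\\', 'd', 'i', 'r', '\\', 'a' }; /* constructed */
static uint32_t sample_buf[16];       /* uint32_t array keeps the buffer aligned */

/* Hypothetical helper: store a (possibly rewritten) name in the caller's buffer.
   .information is the byte count that belongs in IoStatus.Information. */
FILL_RESULT fill_name_info(void *buf, uint32_t buf_len,
                           const uint16_t *name, uint32_t name_bytes)
{
    const uint32_t hdr = (uint32_t)offsetof(NAME_INFO, FileName);
    FILL_RESULT r = { ST_INFO_LENGTH_MISMATCH, 0 };
    uint32_t copy;

    if (buf_len < sizeof(NAME_INFO)) return r;   /* no room for the fixed part */
    ((NAME_INFO *)buf)->FileNameLength = name_bytes; /* always the full length */
    copy = buf_len - hdr;                        /* room left for characters */
    if (copy > name_bytes) copy = name_bytes;
    copy &= ~1u;                                 /* whole UTF-16 units only */
    memcpy((uint8_t *)buf + hdr, name, copy);

    r.information = hdr + copy;                  /* bytes valid in buf, not buf_len */
    r.status = copy < name_bytes ? ST_BUFFER_OVERFLOW : ST_SUCCESS;
    return r;
}

int main(void)
{
    FILL_RESULT big = fill_name_info(sample_buf, sizeof sample_buf, SAMPLE_NAME, sizeof SAMPLE_NAME);
    FILL_RESULT tight = fill_name_info(sample_buf, 10, SAMPLE_NAME, sizeof SAMPLE_NAME);
    printf("big buffer:   status=%08x information=%u\n", (unsigned)big.status, (unsigned)big.information);
    printf("tight buffer: status=%08x information=%u\n", (unsigned)tight.status, (unsigned)tight.information);
    return 0;
}
```

A filter that rewrites the name after the lower drivers have filled the buffer has to redo both values: `FileNameLength` inside the buffer and the byte count reported in `IoStatus.Information`.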
