Windows System Software -- Consulting, Training, Development -- Unique Expertise, Guaranteed Results

Home NTFSD

Before Posting...

Please check out the Community Guidelines in the Announcements and Administration Category.

More Info on Driver Writing and Debugging


The free OSR Learning Library has more than 50 articles on a wide variety of topics about writing and debugging device drivers and Minifilters. From introductory level to advanced. All the articles have been recently reviewed and updated, and are written using the clear and definitive style you've come to expect from OSR over the years.


Check out The OSR Learning Library at: https://www.osr.com/osr-learning-library/


RtlGetVersion returns wrong information at boot time

urielginurielgin Member Posts: 1
in NTFSD

Hi OSR community... the weirdest thing!
our driver, In DriverEntry, calls RtlGetVersion.
On systems that were upgraded from windows 10 19041 to newer builds of windows 10 (e.g. 19044), RtlGetVersion returns 19041 if the driver has a service start type of SERVICE_BOOT_START or SERVICE_SYSTEM_START.
After research, I found that RtlGetVersion gets the build number from Nt!NtBuildNumber and that the system later calls nt!CmpSetVersionData to change it:
# Child-SP RetAddr Call Site
00 fffffd896105a630 fffff80661b928d0 nt!CmpSetVersionData+0xbebe0
01 fffffd896105a8a0 fffff80661755a15 nt!CmpFinishSystemHivesLoad+0x6e0
02 fffffd896105ac10 fffff806617fec78 nt!PspSystemThreadStartup+0x55
03 fffffd896105ac60 0000000000000000 nt!KiStartSystemThread+0x28

So... does anyone have an idea of a different way to retrieve the correct build number before CmpSetVersionData is called? Or are all boot_start and system_start driver doomed to hold wrong information?

· Share on Facebook
Sign In or Register to comment.

Howdy, Stranger!

It looks like you're new here. Sign in or register to get started.

Sign In Register
Upcoming OSR Seminars
OSR has suspended in-person seminars due to the Covid-19 outbreak. But, don't miss your training! Attend via the internet instead!
Internals & Software Drivers 19-23 June 2023 Live, Online
Writing WDF Drivers 10-14 July 2023 Live, Online
Kernel Debugging 16-20 October 2023 Live, Online
Developing Minifilters 13-17 November 2023 Live, Online

Categories