system error 127 at load time

Bo_Branten · April 19, 2022, 4:10pm

Hello,
I tried to recompile a number of drivers with the latest WDK (10.0.22000.0) and VS2019 and one of them refuses to load with the message “system error 127: The specified procedure could not be found.” however the other drivers still load compiled with the new WDK and if I recompile the troublesome driver with an older WDK, for example 10.0.18362.0 it will load again. So I would like to ask you how to isolate this problem, perhaps the driver is calling some function that has been removed? But then it is strange it passes the compiler without warning? How do I find out what the error is? Has anyone else experienced this problem?

Bo_Branten · April 19, 2022, 5:42pm

I have now isolated the error to SeCreateClientSecurity(), SeDeleteClientSecurity() and SeImpersonateClient(). If I comment out these calls the driver will load even when compiled with the latest Win11 WDK and if I have them in the driver will not load when compiled with the Win11 WDK but it does load if compiled with any earlier WDK!

I use these functions to save a user id in an ioctl call and later impersonate that user from a system thread. It would be interesting to hear if anyone else is using these Se calls and if you have any problems with the latest WDK.

Tim_Roberts · April 19, 2022, 5:50pm

What target version are you setting in your build? If, for example, you target Windows 11 but run on Windows 10, that’s not a guaranteed scenario, although I would be surprised if those APIs actually changed in any way.

Bo_Branten · April 19, 2022, 6:23pm

I have now isolated the error to only SeDeleteClientSecurity(), it has always been defined as a macro in nits.h but in the latest WDK it is defined like this:

#if (NTDDI_VERSION >= NTDDI_WIN10_FE)
NTKERNELAPI
VOID
SeDeleteClientSecurity (
Inout PSECURITY_CLIENT_CONTEXT ClientContext
);

#else
#define SeDeleteClientSecurity(C) {
if (SeTokenType((C)->ClientToken) == TokenPrimary) {
PsDereferencePrimaryToken( (C)->ClientToken );
} else {
PsDereferenceImpersonationToken( (C)->ClientToken );
}
}

#endif

This must be a bug in the WDK because I target Win10 and I test on Win10, perhaps the macro is turned to a function only on Win11?. I suppose the solution will be to manually call PsDereferenceImpersonationToken(). Hopefully someone else will be helped of having this problem documented here.

Thanks for you’re time reading this!

Peter_Viscarola_OSR · April 19, 2022, 9:10pm

Well, Windows 10 FE is the “Iron” release… 21H1… so, no. Not Windows 11.

File a bug against the docs if you think something’s in error. At the very least, I would expect the docs to mention in passing that the implementation changes from a macro to a function.

I suppose the solution will be to manually call PsDereferenceImpersonationToken()

That’s probably what I would do, though I’d probably make a runtime check for the version and dynamically load the function if it’s available (and call it that way).

Peter