Windows System Software -- Consulting, Training, Development -- Unique Expertise, Guaranteed Results

Home NTDEV

Before Posting...

Please check out the Community Guidelines in the Announcements and Administration Category.

More Info on Driver Writing and Debugging


The free OSR Learning Library has more than 50 articles on a wide variety of topics about writing and debugging device drivers and Minifilters. From introductory level to advanced. All the articles have been recently reviewed and updated, and are written using the clear and definitive style you've come to expect from OSR over the years.


Check out The OSR Learning Library at: https://www.osr.com/osr-learning-library/


system error 127 at load time

Bo_BranténBo_Brantén Member Posts: 102

Hello,
I tried to recompile a number of drivers with the latest WDK (10.0.22000.0) and VS2019 and one of them refuses to load with the message "system error 127: The specified procedure could not be found." however the other drivers still load compiled with the new WDK and if I recompile the troublesome driver with an older WDK, for example 10.0.18362.0 it will load again. So I would like to ask you how to isolate this problem, perhaps the driver is calling some function that has been removed? But then it is strange it passes the compiler without warning? How do I find out what the error is? Has anyone else experienced this problem?

Comments

  • Bo_BranténBo_Brantén Member Posts: 102

    I have now isolated the error to SeCreateClientSecurity(), SeDeleteClientSecurity() and SeImpersonateClient(). If I comment out these calls the driver will load even when compiled with the latest Win11 WDK and if I have them in the driver will not load when compiled with the Win11 WDK but it does load if compiled with any earlier WDK!

    I use these functions to save a user id in an ioctl call and later impersonate that user from a system thread. It would be interesting to hear if anyone else is using these Se calls and if you have any problems with the latest WDK.

  • Tim_RobertsTim_Roberts Member - All Emails Posts: 14,295

    What target version are you setting in your build? If, for example, you target Windows 11 but run on Windows 10, that's not a guaranteed scenario, although I would be surprised if those APIs actually changed in any way.

    Tim Roberts, [email protected]
    Providenza & Boekelheide, Inc.

  • Bo_BranténBo_Brantén Member Posts: 102

    I have now isolated the error to only SeDeleteClientSecurity(), it has always been defined as a macro in nits.h but in the latest WDK it is defined like this:

    if (NTDDI_VERSION >= NTDDI_WIN10_FE)

    NTKERNELAPI
    VOID
    SeDeleteClientSecurity (
    Inout PSECURITY_CLIENT_CONTEXT ClientContext
    );

    else

    define SeDeleteClientSecurity(C) { \

            if (SeTokenType((C)->ClientToken) == TokenPrimary) {               \
                PsDereferencePrimaryToken( (C)->ClientToken );                 \
            } else {                                                           \
                PsDereferenceImpersonationToken( (C)->ClientToken );           \
            }                                                                  \
        }
    

    endif

    This must be a bug in the WDK because I target Win10 and I test on Win10, perhaps the macro is turned to a function only on Win11?. I suppose the solution will be to manually call PsDereferenceImpersonationToken(). Hopefully someone else will be helped of having this problem documented here.

    Thanks for you're time reading this!

  • Peter_Viscarola_(OSR)Peter_Viscarola_(OSR) Administrator Posts: 8,963

    Well, Windows 10 FE is the "Iron" release... 21H1... so, no. Not Windows 11.

    File a bug against the docs if you think something's in error. At the very least, I would expect the docs to mention in passing that the implementation changes from a macro to a function.

    I suppose the solution will be to manually call PsDereferenceImpersonationToken()

    That's probably what I would do, though I'd probably make a runtime check for the version and dynamically load the function if it's available (and call it that way).

    Peter

    Peter Viscarola
    OSR
    @OSRDrivers

Sign In or Register to comment.

Howdy, Stranger!

It looks like you're new here. Sign in or register to get started.

Upcoming OSR Seminars
OSR has suspended in-person seminars due to the Covid-19 outbreak. But, don't miss your training! Attend via the internet instead!
Internals & Software Drivers 7 February 2022 Live, Online
Kernel Debugging 21 March 2022 Live, Online
Developing Minifilters 23 May 2022 Live, Online
Writing WDF Drivers 12 September 2022 Live, Online