.kdfiles with ETW tracing causes STATUS_SHARING_VIOLATION

matt_sykes Member - All Emails Posts: 298

I assume it is because the xml registers the sys file as a provider, but even after doing a wevtutil um on the xml file, a disable/enable of the device in device manager results in a STATUS_SHARING_VIOLATION in windbg in response to the .kdfiles overwrite.

Prior to adding ETW tracing to the driver, the sys file copied over from the build machine OK.

Oh, and don't do a disable on the device and then do a wevtutil um; it results in a BSOD.

Anyway, an interesting bug, means you need to do a reboot to get the new sys file on the machine.


  • Scott_Noone_(OSR) Administrator Posts: 3,678

    Any chance you're missing a call to EventUnregisterXxx in driver unload?


  • matt_sykes Member - All Emails Posts: 298

    Damn, you are right! It is often the obvious! :)

  • matt_sykes Member - All Emails Posts: 298

    Actually I was wrong, it is still happening:

    KdPullRemoteFile(FFFFB70B3C8F3080): About to overwrite \SystemRoot\System32\drivers\xxxxxxx.sys and preallocate to 13740
    KdPullRemoteFile(FFFFB70B3C8F3080): Return from ZwCreateFile with status c0000043

    Doesn't matter if you do a wevtutil um on the xml either, the sys file is STATUS_SHARING_VIOLATION

    Only happens with ETW

  • Scott_Noone_(OSR) Administrator Posts: 3,678

    I just had this happen to me with a driver that has ETW...In my case it turned out I had Event Viewer opened and that's what was holding the SYS file open.

