Hi,
to improve my workflow I decided to give .kdfiles a try again.
I noticed that the path expected in the mapping seems to require the
same path (case-insensitive) as is given under
HKLM\SYSTEM\CurrentControlSet\Services for the respective driver. So
instead of \SystemRoot\System32 I am passing ??\C:\Windows\system32 as
the prefix. The difference is that now I actually get to see something
from .kdfiles whereas before apparently it failed to match anything.
My map file looks like this:
map
??\C:\Windows\system32\Drivers\foo.sys
D:\foo.sys
and I ran .kdfiles again to make sure that the mapping took effect (it did).
However, when booting my target machine I see the following in the
Command Output pane of WinDbg:
KD: Accessing ‘D:\foo.sys’ (??\C:\Windows\system32\Drivers\foo.sys)
File size 264K
KdPullRemoteFile(87DF14C0): About to overwrite
??\C:\Windows\system32\Drivers\foo.sys and preallocate to 42000
KdPullRemoteFile(87DF14C0): Return from ZwCreateFile with status c0000022
WARNING: No file I/O done by target, .kdfiles files may not be updated
Is there a way by which I can track down why I am receiving
STATUS_ACCESS_DENIED here?
Thanks,
// Oliver
PS: The target is Windows 7 Enterprise SP1 x86 (checked build), the host
running WinDbg is Windows 7 SP1 x64 (free build). WinDbg is version
10.0.10586.567 AMD64.
C:\Windows\System32\drivers>icacls foo.sys
foo.sys NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Administrators:(I)(F)
BUILTIN\Users:(I)(RX)
Successfully processed 1 files; Failed processing 0 files
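As an added illustration (not part of Oliver's post), the observation above that the .kdfiles entry has to match the driver's registered path can be turned into a small host-side script that reads the service's ImagePath from the registry of a (mounted or local) system and emits the map file. It assumes, as the post does, that a \SystemRoot\System32 prefix must be rewritten to the ??\C:\Windows\system32 form the post reports as working; the service name, output path and the local replacement file are constructed placeholders.

```powershell
# Added example: build a .kdfiles map entry from a driver's registered ImagePath.
# Assumptions (from the post, not verified here): the mapping is matched
# case-insensitively against the ImagePath under
# HKLM\SYSTEM\CurrentControlSet\Services\<service>, and a \SystemRoot\System32
# prefix has to be written as ??\C:\Windows\system32 for the match to succeed.
param(
    [string]$ServiceName = 'foo',            # constructed placeholder
    [string]$LocalFile   = 'D:\foo.sys',     # constructed placeholder
    [string]$MapFile     = 'D:\foo.kdmap'    # constructed placeholder
)

$svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
if (-not (Test-Path $svcKey)) {
    throw "No service key found at $svcKey"
}

# ImagePath as the Service Control Manager registered it (e.g. \SystemRoot\System32\drivers\foo.sys)
$imagePath = (Get-ItemProperty -Path $svcKey -Name ImagePath).ImagePath

# Rewrite the prefix to the form the post reports as matching in .kdfiles.
# Only the \SystemRoot\System32 case is handled; anything else is emitted unchanged
# so the mismatch is visible rather than silently guessed.
$targetPath = $imagePath -replace '^\\SystemRoot\\System32', '??\C:\Windows\system32'

# .kdfiles map file layout: the word "map", the target path, then the local path.
$mapText = @(
    'map'
    $targetPath
    $LocalFile
) -join "`r`n"

Set-Content -Path $MapFile -Value $mapText -Encoding ASCII
Write-Host "Wrote $MapFile:"
Write-Host $mapText
Write-Host "Load it in WinDbg with: .kdfiles $MapFile"
```

Run it from an elevated prompt on the target (or point $svcKey at a loaded offline hive); the emitted map file can then be passed to .kdfiles, and comparing its second line against the path WinDbg prints in the "KD: Accessing" message is a quick check that the mapping itself is being matched before looking elsewhere for the access-denied status.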