RDBSS BSOD

I have an odd situation which I would appreciate someone explaining to me.

I have an FltReadFile call which is causing a BSOD. My debugging showed that FltReadFile won't cause the exception if I filter out volumes with zero sector size (obtained by FltGetVolumeProperties), but that is also the case for accessing remote file systems. Afterwards I luckily found out that if I set the FLTFL_OPERATION_REGISTRATION_SKIP_NON_DASD_IO flag in the filter registration structure the exception won't occur. I'm totally confused about what causes the exception and what causes it to go away. Can someone explain, please?

I believe you had better provide WinDbg's "!analyze -v" command output to get any assistance.

Thanks for the reply. Here it is. It says an access violation, but I can't get much information out of this.

0: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

RDR_FILE_SYSTEM (27)
If you see RxExceptionFilter on the stack then the 2nd and 3rd parameters are the
exception record and context record. Do a .cxr on the 3rd parameter and then kb to
obtain a more informative stack trace.
The high 16 bits of the first parameter is the RDBSS bugcheck code, which is defined
as follows:
RDBSS_BUG_CHECK_CACHESUP = 0xca550000,
RDBSS_BUG_CHECK_CLEANUP = 0xc1ee0000,
RDBSS_BUG_CHECK_CLOSE = 0xc10e0000,
RDBSS_BUG_CHECK_NTEXCEPT = 0xbaad0000,
Arguments:
Arg1: 00000000baad0073
Arg2: ffffd000bc38c768
Arg3: ffffd000bc38bf70
Arg4: fffff8017970d938

Debugging Details:

EXCEPTION_RECORD: ffffd000bc38c768 - (.exr 0xffffd000bc38c768)
ExceptionAddress: fffff8017970d938 (rdbss!RxInitializeContext+0x000000000001f718)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 0000000000000000
Parameter[1]: 000000000000004d
Attempt to read from address 000000000000004d

CONTEXT: ffffd000bc38bf70 - (.cxr 0xffffd000bc38bf70;r)
rax=0000000000000000 rbx=ffffe000431e4010 rcx=fffff801796e23e0
rdx=0000000000000000 rsi=ffffe00041aa8f20 rdi=ffffcf814cfa2ed8
rip=fffff8017970d938 rsp=ffffd000bc38c9a0 rbp=ffffcf814cfa2dc0
r8=0000000000000000 r9=0000000000000000 r10=0000000000000000
r11=fffff801796bd0d3 r12=ffffd000bc38cb20 r13=0000000000000000
r14=fffff801796e23e0 r15=0000000000000000
iopl=0 nv up ei pl zr na po nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00010246
rdbss!RxInitializeContext+0x1f718:
fffff8017970d938 4438784d cmp byte ptr [rax+4Dh],r15b ds:002b:000000000000004d=??
Last set context:
rax=0000000000000000 rbx=ffffe000431e4010 rcx=fffff801796e23e0
rdx=0000000000000000 rsi=ffffe00041aa8f20 rdi=ffffcf814cfa2ed8
rip=fffff8017970d938 rsp=ffffd000bc38c9a0 rbp=ffffcf814cfa2dc0
r8=0000000000000000 r9=0000000000000000 r10=0000000000000000
r11=fffff801796bd0d3 r12=ffffd000bc38cb20 r13=0000000000000000
r14=fffff801796e23e0 r15=0000000000000000
iopl=0 nv up ei pl zr na po nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00010246
rdbss!RxInitializeContext+0x1f718:
fffff8017970d938 4438784d cmp byte ptr [rax+4Dh],r15b ds:002b:000000000000004d=??
Resetting default scope

PROCESS_NAME: WmiPrvSE.exe

CURRENT_IRQL: 0

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

EXCEPTION_PARAMETER1: 0000000000000000

EXCEPTION_PARAMETER2: 000000000000004d

READ_ADDRESS: unable to get nt!MmNonPagedPoolStart
unable to get nt!MmSizeOfNonPagedPoolInBytes
000000000000004d

FOLLOWUP_IP:
rdbss!RxInitializeContext+1f718
fffff801`7970d938 4438784d cmp byte ptr [rax+4Dh],r15b

FAULTING_IP:
rdbss!RxInitializeContext+1f718
fffff801`7970d938 4438784d cmp byte ptr [rax+4Dh],r15b

BUGCHECK_STR: 0x27

DEFAULT_BUCKET_ID: NULL_CLASS_PTR_DEREFERENCE

ANALYSIS_VERSION: 6.3.9600.17237 (debuggers(dbg).140716-0327) amd64fre

LAST_CONTROL_TRANSFER: from fffff801796bdb3f to fffff8017970d938

STACK_TEXT:
ffffd000bc38c9a0 fffff801796bdb3f : ffffd000bc38cb20 ffffe00042815030 ffffcf814cfa2dc0 ffffcf814cfa2ed8 : rdbss!RxInitializeContext+0x1f718
ffffd000bc38ca30 fffff801796ee7df : ffffe000415fc100 ffffe000415fc100 ffffcf814cfa2dc0 ffffe000405971c8 : rdbss!RxFsdCommonDispatch+0x30f
ffffd000bc38cba0 fffff8017a4431b3 : 0000000000000000 ffffe00042815001 ffffcf814cfa2dc0 0000000000000000 : rdbss!RxFsdDispatch+0xcf
ffffd000bc38cc10 fffff801ace77911 : ffffcf814cfa2dc0 ffffe00042815030 0000000000000002 ffffe000413d01a0 : mrxsmb!MRxSmbFsdDispatch+0x83
ffffd000bc38cc50 fffff801793c83cd : ffffe0004272b340 ffffcf814cfa2dc0 ffffe00041aa8f20 ffffe000413d01a0 : nt!IovCallDriver+0x3cd
ffffd000bc38cca0 fffff801ace77911 : ffffcf814cfa2f68 0000000000000000 ffffc0016ea2b8c0 0000000000000000 : mup!MupFsdIrpPassThrough+0x1ee
ffffd000bc38cd20 fffff80178528989 : ffffcf814cfa2dc0 fffff80178a02b1e fffff801ac922498 ffffe00041e86d50 : nt!IovCallDriver+0x3cd
ffffd000bc38cd70 fffff80178a02b1e : ffffcf814ce4ab80 ffffd000bc38ce00 0000000000000000 ffffcf814ce3ed18 : VerifierExt!IofCallDriver_internal_wrapper+0x71
ffffd000bc38cdb0 fffff80178a06188 : ffffd000bc38ce78 ffffcf814ce4ab80 ffffcf814ce4ac58 0000000000000000 : fltmgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x2ce
ffffd000bc38ce50 fffff80178a15551 : ffffcf814ce4ab80 0000000000000000 0000000000000000 ffffd000bc38d0c8 : fltmgr!FltPerformSynchronousIo+0x2b8
ffffd000bc38cf00 fffff80178a150e9 : 0000000000000000 0000000000000080 0000000000000005 ffffcf814ced8f80 : fltmgr!FltReadFileEx+0x451
ffffd000bc38cff0 fffff8017a9e4150 : ffffcf814b29ac58 ffffcf814cf32bc0 0000000000000016 ffffd000bc38d0f0 : fltmgr!FltReadFile+0x51
ffffd000bc38d060 fffff80178a50aed : ffffcf814b29ac58 ffffd000bc38d248 0000000000000000 0000000000000000 : EncryptionFilter!SwapPostCreate+0x270 [c:\users\john\desktop\rms\src\encryption filter\swapbuffers.c @ 891]
ffffd000bc38d160 fffff80178a039d7 : ffffcf8100000016 ffffcf8100000000 0000000000000000 fffff80100000000 : fltmgr!FltvPostOperation+0xad
ffffd000bc38d200 fffff80178a0414d : ffffcf814b28cf00 fffff80178527e00 0000000000000000 0000000000000000 : fltmgr!FltpPerformPostCallbacks+0x2d7
ffffd000bc38d2d0 fffff80178a02bc1 : ffffcf814b29ab80 ffffcf814b29ab98 ffffcf814b28cf68 ffffcf814b29ab80 : fltmgr!FltpPassThroughCompletionWorker+0x7d
ffffd000bc38d340 fffff80178a2b349 : ffffd000bc38d420 ffffcf814b29ab80 ffffcf814b28cdc0 ffffe00041a10a50 : fltmgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x371
ffffd000bc38d3e0 fffff801ace77911 : ffffcf814b28cd00 ffffcf814b28cdc0 ffffcf814b28cfb0 fffff801ac88620d : fltmgr!FltpCreate+0x339
ffffd000bc38d490 fffff801acbb9b41 : 0000000000000005 ffffd000bc38d7e1 0000000000000000 ffffe00041e8d990 : nt!IovCallDriver+0x3cd
ffffd000bc38d4e0 fffff801acca7854 : 0000000000000000 0000000000000000 0000000000000000 ffffe000415fc0d0 : nt!IopParseDevice+0x6c1
ffffd000bc38d700 fffff801acbc66a3 : 0000000000000000 ffffd000bc38d8a8 0000000000000040 ffffe0003f937b00 : nt!ObpLookupObjectName+0x784
ffffd000bc38d830 fffff801acc59fdb : ffffe00000000001 ffffe00042cbb978 0000000000000001 0000000000000020 : nt!ObOpenObjectByName+0x1e3
ffffd000bc38d960 fffff801acc59c64 : 0000002df8dadf48 0067006f00100000 0000002df8dadf00 ffffe0004208a080 : nt!IopCreateFile+0x36b
ffffd000bc38da00 fffff801ac95d1b3 : ffffe000431e4440 ffffd000bc38db80 ffffd000bc38daa8 0000000000000000 : nt!NtCreateFile+0x78
ffffd000bc38da90 00007ffdfc43172a : 00007ffde8cf23ac 0000000000000004 0000002df6401b78 0000000000000000 : nt!KiSystemServiceCopyEnd+0x13
0000002df8dade78 00007ffde8cf23ac : 0000000000000004 0000002df6401b78 0000000000000000 0000000000000002 : ntdll!NtCreateFile+0xa
0000002df8dade80 00007ffde8cf139e : 96eb9e3e0eec0000 0000000000000000 0000000000000000 00007ffdf9812593 : perfnet!OpenRedirObject+0x90
0000002df8dadf40 00007ffdf9df3f15 : 0000000000000000 00007ffd00000000 0000000000000001 0000000000000000 : perfnet!OpenNetSvcsObject+0x4e
0000002df8dadfa0 00007ffdf9df3c55 : 000000002a7a0237 0000002df64018c0 0000002df7e22040 0000000000000000 : advapi32!OpenExtObjectLibrary+0x271
0000002df8dae970 00007ffdf9df20e9 : 00000000000e84a0 0000000000000000 0000002d00000000 0000000000000000 : advapi32!QueryExtensibleData+0x4a4
0000002df8daeb60 00007ffdf9866841 : 00007ffde84d5640 0000000000000000 00000000ffffffff 0000002df8daf140 : advapi32!PerfRegQueryValue+0x5dc
0000002df8daf010 00007ffdf98140b9 : ffffffff80000004 0000002df7e22040 0000002df8daf2f0 0000002df8daf2e0 : KERNELBASE!LocalBaseRegQueryValue+0x3f6
0000002df8daf190 00007ffde8498b02 : ffffffff80000004 0000002df8daf2f0 0000002d00100000 0000002df8daf264 : KERNELBASE!RegQueryValueExW+0xe9
0000002df8daf230 00007ffde849736b : 0000002df637db50 0000000000000000 0000002d00100000 000000000000022c : pdh!GetSystemPerfData+0x9c
0000002df8daf2d0 00007ffde84cf8f0 : 0000000000000000 0000000000000000 0000000000000000 0000000000000204 : pdh!GetMachineEx+0x1e3
0000002df8daf550 00007ffde84cb550 : 0000000000000001 0000000000000000 0000000000000000 0000002df8daf698 : pdh!PdhiGetDefaultPerfObjectW+0x1d8
0000002df8daf5d0 00007ffde84f2786 : 0000002df6c48c70 0000000000000000 0000000000000000 0000002df8daf698 : pdh!PdhGetDefaultPerfObjectW+0x110
0000002df8daf640 00007ffde84e5a19 : 0000000000000028 0000000000000000 0000002df62ee6c0 0000002df636da08 : WmiPerfClass!GetDefaultCounterObject+0x2e
0000002df8daf690 00007ffde84e6736 : 0000002df6c42cb0 0000002df6b967b0 fffffffffffffffe 0000000000000000 : WmiPerfClass!CClassCache::RefreshThreadUpdateSelectedProviders+0x3dd
0000002df8daf8a0 00007ffde84e4b11 : 0000002df62ee6c0 0000002df62ed5e0 0000002df8daf978 0000002df8daf978 : WmiPerfClass!CClassCache::RefreshThreadProviderObjectUpdate+0x132
0000002df8daf930 00007ffdfb6313d2 : 0000002df62ee6c0 0000002d00000001 0000000100000001 0000002df6b96870 : WmiPerfClass!CClassCache::RefreshThreadProc+0x475
0000002df8dafa00 00007ffdfc3b5454 : 00007ffdfb6313b0 0000000000000000 0000000000000000 0000000000000000 : KERNEL32!BaseThreadInitThunk+0x22
0000002df8dafa30 0000000000000000 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : ntdll!RtlUserThreadStart+0x34

SYMBOL_STACK_INDEX: 0

SYMBOL_NAME: rdbss!RxInitializeContext+1f718

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: rdbss

IMAGE_NAME: rdbss.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 52affb72

STACK_COMMAND: .cxr 0xffffd000bc38bf70 ; kb

BUCKET_ID_FUNC_OFFSET: 1f718

FAILURE_BUCKET_ID: 0x27_VRF_rdbss!RxInitializeContext

BUCKET_ID: 0x27_VRF_rdbss!RxInitializeContext

ANALYSIS_SOURCE: KM

FAILURE_ID_HASH_STRING: km:0x27_vrf_rdbss!rxinitializecontext

FAILURE_ID_HASH: {8fe43332-5f18-10da-ca8e-3c371694e6d4}

Followup: MachineOwner

It might sound stupid, but did you check that the create operation completed with STATUS_SUCCESS? For example, STATUS_REPARSE is a success code (i.e. NT_SUCCESS returns TRUE), but the returned file object is not initialized.

To verify that the file object was initialized, set the debugger to a frame with SwapPostCreate (.frame command) and enter

dt nt!_FILE_OBJECT

e.g. dt nt!_FILE_OBJECT 0xffffd000baaaaaaa

The FsContext pointer should be non-zero.

The FltReadFile is done using the FltObjects->FileObject parameter of the PostCreate callback. It is not directly checked in any way.
But I think having this at the start of the callback should be enough:

    if (!NT_SUCCESS(Data->IoStatus.Status) ||
        (STATUS_REPARSE == Data->IoStatus.Status)) {

        return FLT_POSTOP_FINISHED_PROCESSING;
    }

Here is the debugger result:

0: kd> dt nt!_FILE_OBJECT 0xffffe0012f2b2530
+0x000 Type : 0n5
+0x002 Size : 0n216
+0x008 DeviceObject : 0xffffe0012f403060 _DEVICE_OBJECT
+0x010 Vpb : 0xffffe0012f404420 _VPB
+0x018 FsContext : 0xffffe0012f594de0 Void
+0x020 FsContext2 : 0xffffe0012f592660 Void
+0x028 SectionObjectPointer : 0xffffe0012f5927a8 _SECTION_OBJECT_POINTERS
+0x030 PrivateCacheMap : (null)
+0x038 FinalStatus : 0n0
+0x040 RelatedFileObject : (null)
+0x048 LockOperation : 0 ''
+0x049 DeletePending : 0 ''
+0x04a ReadAccess : 0x1 ''
+0x04b WriteAccess : 0x1 ''
+0x04c DeleteAccess : 0 ''
+0x04d SharedRead : 0 ''
+0x04e SharedWrite : 0x1 ''
+0x04f SharedDelete : 0 ''
+0x050 Flags : 8
+0x058 FileName : _UNICODE_STRING "\pagefile.sys"
+0x068 CurrentByteOffset : _LARGE_INTEGER 0x0
+0x070 Waiters : 0
+0x074 Busy : 0
+0x078 LastLock : (null)
+0x080 Lock : _KEVENT
+0x098 Event : _KEVENT
+0x0b0 CompletionContext : (null)
+0x0b8 IrpListLock : 0
+0x0c0 IrpList : _LIST_ENTRY [0xffffe0012f2b25f0 - 0xffffe001`2f2b25f0]
+0x0d0 FileObjectExtension : (null)

The file name was an empty string ("") until now, when the exception occurred, but now it is "\pagefile.sys".

So you have "pagefile.sys" on the remote file system? I am asking because it is a pretty unusual name for a remote file. If you run the following command (this is the address of DeviceObject)

!devstack 0xffffe001`2f403060

What will be output?

No, that's not the case. I changed the driver start type after I posted the !analyze output.
When it is boot start, the analyze result is this:
1: kd> !analyze -v
Connected to Windows 8 9600 x64 target at (Tue Aug 16 08:29:28.396 2016 (UTC - 7:00)), ptr64 TRUE
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

Unknown bugcheck code (0)
Unknown bugcheck description
Arguments:
Arg1: 0000000000000000
Arg2: 0000000000000000
Arg3: 0000000000000000
Arg4: 0000000000000000

Debugging Details:

PROCESS_NAME: System

FAULTING_IP:
CLASSPNP!ServiceTransferRequest+bf
fffff801`3e4f3e3f 448b512c mov r10d,dword ptr [rcx+2Ch]

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

EXCEPTION_PARAMETER1: 0000000000000000

EXCEPTION_PARAMETER2: 000000000000002c

READ_ADDRESS: unable to get nt!MmNonPagedPoolStart
unable to get nt!MmSizeOfNonPagedPoolInBytes
000000000000002c

FOLLOWUP_IP:
volmgr!VmReadWrite+13e
fffff801`3d96014e 8be8 mov ebp,eax

BUGCHECK_STR: ACCESS_VIOLATION

DEFAULT_BUCKET_ID: NULL_CLASS_PTR_DEREFERENCE

CURRENT_IRQL: 0

ANALYSIS_VERSION: 6.3.9600.17237 (debuggers(dbg).140716-0327) amd64fre

LAST_CONTROL_TRANSFER: from fffff8013e4f493c to fffff8013e4f3e3f

STACK_TEXT:
ffffd000f6d2b9c0 fffff8013e4f493c : ffffe001cae2f770 0000000000000000 ffffe001cafc5200 fffff8003f6f7872 : CLASSPNP!ServiceTransferRequest+0xbf
ffffd000f6d2ba60 fffff8003f6f2911 : ffffcf813d17ec10 0000000000000002 ffffcf813d17ec10 fffff8003f6fdd59 : CLASSPNP!ClassReadWrite+0x11c
ffffd000f6d2bb20 fffff8003f6f2911 : ffffcf813d17ec10 ffffe001cae30040 0000000000000002 ffffe001cadaa3e0 : nt!IovCallDriver+0x3cd
ffffd000f6d2bb70 fffff8013d96014e : ffffe001cae34df0 ffffe001cae34ca0 ffffe001cae34ca0 ffffe001cadaa720 : nt!IovCallDriver+0x3cd
ffffd000f6d2bbc0 fffff8003f6f2911 : ffffe001cae34ca0 ffffcf813d17ec10 0000000000000002 ffffe001cadaa580 : volmgr!VmReadWrite+0x13e
ffffd000f6d2bc00 fffff8013e01031d : ffffe001cae35180 ffffcf813d17ec10 ffffe001cb58b010 ffffe001cadaa580 : nt!IovCallDriver+0x3cd
ffffd000f6d2bc50 fffff8003f6f2911 : ffffcf813d17ec10 0000000000000002 ffffcf813d17ec10 ffffe001cae392e0 : fvevol!FveFilterRundownReadWrite+0x28d
ffffd000f6d2bd30 fffff8013da321d9 : 0000000000000000 ffffd000f6d2bde9 00000000ffffffff ffffe001cae392e0 : nt!IovCallDriver+0x3cd
ffffd000f6d2bd80 fffff8013da3272b : ffffcf813d17ec10 0000000000000000 0000000000000002 0000000000000002 : rdyboost!SmdProcessReadWrite+0x1c9
ffffd000f6d2be50 fffff8003f6f2911 : ffffcf813d17ec10 0000000000000002 fffff8013e096766 ffffe001cae369f0 : rdyboost!SmdDispatchReadWrite+0x8b
ffffd000f6d2be80 fffff8013e096766 : ffffe001cae37190 ffffe001cae37040 0000000000000002 ffffe001caff4870 : nt!IovCallDriver+0x3cd
ffffd000f6d2bed0 fffff8003f6f2911 : ffffcf813d17ec10 0000000000000002 0000000000000000 0000000000000000 : volsnap!VolSnapReadFilter+0x116
ffffd000f6d2bf00 fffff8013dc4ca29 : ffffd000f8cdc7b0 ffffd000f8cdc930 ffffe001c9280040 ffffe001cadaa4b0 : nt!IovCallDriver+0x3cd
ffffd000f6d2bf50 fffff8003f1d02f7 : ffffd000f8cdcdd0 0000000000000000 fffcd390058b48ff 03ff4d83e745100f : Ntfs!NtfsStorageDriverCallout+0x16
ffffd000f6d2bf80 fffff8003f1d02bd : 0000000000000000 0000000000000000 0000000000000002 fffff8003f1381ad : nt!KxSwitchKernelStackCallout+0x27
ffffd000f8cdc670 fffff8003f1381ad : 0000000000000006 0000000000000000 0000000000000006 0000000000000000 : nt!KiSwitchKernelStackContinue
ffffd000f8cdc690 fffff8013dc3b8c1 : fffff8013dc4ca14 ffffd000f8cdc7b0 0000000000000000 ffffe001cae39790 : nt!KeExpandKernelStackAndCalloutInternal+0x2fd
ffffd000f8cdc780 fffff8013dc324d3 : ffffe001cafc5498 ffffe001cafc5498 ffffd000f8cdc880 ffffd000f8cdc858 : Ntfs!NtfsCallStorageDriver+0x31
ffffd000f8cdc7f0 fffff8013dc4c89d : 0000000000000000 0000000000000000 0000000000000000 ffffcf813d17ef20 : Ntfs!NtfsPagingFileIo+0x323
ffffd000f8cdc900 fffff8003f6f2911 : ffffcf813d17ec10 ffffcf813d17ec10 0000000000000002 ffffe001cadaa650 : Ntfs!NtfsFsdRead+0x3ad
ffffd000f8cdc9b0 fffff8013d52d989 : ffffcf813d17ec10 fffff8013dae7b1e fffff8003f19d498 ffffe001cadaa650 : nt!IovCallDriver+0x3cd
ffffd000f8cdca00 fffff8013dae7b1e : ffffcf813d1a6c00 ffffd000f8cdca80 0000000000000000 ffffcf813d1aed18 : VerifierExt!IofCallDriver_internal_wrapper+0x71
ffffd000f8cdca40 fffff8013daeb188 : ffffd000f8cdcb08 ffffcf813d1a6c00 ffffcf813d1a6cd8 0000000000000000 : fltmgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x2ce
ffffd000f8cdcae0 fffff8013dafa551 : ffffcf813d1a6c00 0000000000000000 0000000000000000 ffffd000f8cdcd58 : fltmgr!FltPerformSynchronousIo+0x2b8
ffffd000f8cdcb90 fffff8013dafa0e9 : 0000000000000000 0000000000000200 0000000000000005 ffffcf813d1a8e00 : fltmgr!FltReadFileEx+0x451
ffffd000f8cdcc80 fffff8013db59150 : ffffcf813d17acd8 ffffcf813cd34bc0 0000000000000016 ffffd000f8cdcd80 : fltmgr!FltReadFile+0x51
ffffd000f8cdccf0 fffff8013db35aed : ffffcf813d17acd8 ffffd000f8cdced8 0000000000000000 0000000000000000 : EncryptionFilter!SwapPostCreate+0x270 [c:\users\john\desktop\rms\src\encryption filter\swapbuffers.c @ 891]
ffffd000f8cdcdf0 fffff8013dae89d7 : ffffcf8100000016 ffffcf8100000000 0000000000000000 fffff80000000000 : fltmgr!FltvPostOperation+0xad
ffffd000f8cdce90 fffff8013dae914d : ffffcf813d176f00 fffff8013d52ce00 0000000000000000 0000000000000000 : fltmgr!FltpPerformPostCallbacks+0x2d7
ffffd000f8cdcf60 fffff8013dae7bc1 : ffffcf813d17ac00 ffffcf813d17ac18 ffffcf813d176f68 ffffcf813d17ac00 : fltmgr!FltpPassThroughCompletionWorker+0x7d
ffffd000f8cdcfd0 fffff8013db10349 : ffffd000f8cdd0b0 ffffcf813d17ac00 ffffcf813d176c10 ffffe001caebbc40 : fltmgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x371
ffffd000f8cdd070 fffff8003f6f2911 : ffffcf813d176c00 ffffcf813d176c10 ffffcf813d176fb0 fffff8003f10120d : fltmgr!FltpCreate+0x339
ffffd000f8cdd120 fffff8003f434b41 : 0000000000000004 ffffd000f8cdd471 0000000000000000 ffffe001cad89c40 : nt!IovCallDriver+0x3cd
ffffd000f8cdd170 fffff8003f522854 : 0000000000000000 0000000000000000 0000000000000000 ffffe001cae34c70 : nt!IopParseDevice+0x6c1
ffffd000f8cdd390 fffff8003f4416a3 : 0000000000000000 ffffd000f8cdd538 ffffd00000000040 ffffe001c93379a0 : nt!ObpLookupObjectName+0x784
ffffd000f8cdd4c0 fffff8003f4d4fdb : ffff7b9a00000001 ffffe001cacaa0a8 0000000000000000 0000000000000020 : nt!ObOpenObjectByName+0x1e3
ffffd000f8cdd5f0 fffff8003f4d4a5e : ffffd000f8cdd818 00000000c0100000 ffffd000f8cdd7b0 000000000000000a : nt!IopCreateFile+0x36b
ffffd000f8cdd690 fffff8003f778a80 : ffffe001c9232148 fffff8003f31e35a 0000000000000000 0000000000000000 : nt!IoCreateFile+0x8a
ffffd000f8cdd720 fffff8003f47308c : ffffc0017a4f4148 ffffc0017a4f4110 ffffd000f8cdd9c0 ffffd000f8cdd8d9 : nt!IopInitCrashDumpRegCallback+0xd8
ffffd000f8cdd7f0 fffff8003f472aec : 0000000000000000 ffffd000f8cdd8d9 ffffd000f8cdd9c0 000000000000009b : nt!RtlpCallQueryRegistryRoutine+0x274
ffffd000f8cdd850 fffff8003f50e902 : 0000000000000000 0000000000000000 fffff8003e2e1060 fffff8003e2e1060 : nt!RtlpQueryRegistryValues+0x178
ffffd000f8cdd930 fffff8003f7863ca : 0000000000000000 ffffd000f8cdda19 0000000000000000 ffffe001caf8b170 : nt!RtlQueryRegistryValuesEx+0xe
ffffd000f8cdd970 fffff8003f78ec62 : 0000000000000000 0000000000000000 0000000000000006 fffff8003e2e1060 : nt!IopInitCrashDumpDuringSysInit+0xce
ffffd000f8cdda80 fffff8003f783a31 : fffff8003f56aed8 fffff8003e2e1060 ffffe001c9280040 ffffe001c9296b00 : nt!IoInitSystemPreDrivers+0x9b2
ffffd000f8cddba0 fffff8003f56af02 : 002e00650072006f fffff8003e2e1060 ffffe001c9280040 ffffe001c9296b88 : nt!IoInitSystem+0x9
ffffd000f8cddbd0 fffff8003f17b0a8 : ffffe001c9280040 01d1f1d894480a64 01d0054a1dcab60d 0000000000003000 : nt!Phase1Initialization+0x2a
ffffd000f8cddc00 fffff8003f1d2fc6 : fffff8003f37c180 ffffe001c9280040 fffff8003f3d5a00 01d1f1d894480a64 : nt!PspSystemThreadStartup+0x58
ffffd000f8cddc60 0000000000000000 : ffffd000f8cde000 ffffd000f8cd8000 0000000000000000 0000000000000000 : nt!KiStartSystemThread+0x16

STACK_COMMAND: kb

SYMBOL_STACK_INDEX: 4

SYMBOL_NAME: volmgr!VmReadWrite+13e

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: volmgr

IMAGE_NAME: volmgr.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 5215f889

IMAGE_VERSION: 6.3.9600.16384

BUCKET_ID_FUNC_OFFSET: 13e

FAILURE_BUCKET_ID: ACCESS_VIOLATION_VRF_volmgr!VmReadWrite

BUCKET_ID: ACCESS_VIOLATION_VRF_volmgr!VmReadWrite

ANALYSIS_SOURCE: KM

FAILURE_ID_HASH_STRING: km:access_violation_vrf_volmgr!vmreadwrite

FAILURE_ID_HASH: {bce42d5f-5bdd-6a25-8864-c3ab69d1e9bb}

Followup: MachineOwner

Sorry for making the situation complicated. I did not think that the start type would cause this.

When the start type is boot start the file name is \pagefile.sys,
and
when the start type is auto start the file name is empty.

Here is the file object structure for auto start:

0: kd> dt nt!_FILE_OBJECT 0xffffe00180bf5a00
+0x000 Type : 0n5
+0x002 Size : 0n216
+0x008 DeviceObject : 0xffffe0017fb8d9e0 _DEVICE_OBJECT
+0x010 Vpb : (null)
+0x018 FsContext : 0xfffff800b5e263e0 Void
+0x020 FsContext2 : (null)
+0x028 SectionObjectPointer : (null)
+0x030 PrivateCacheMap : (null)
+0x038 FinalStatus : 0n0
+0x040 RelatedFileObject : (null)
+0x048 LockOperation : 0 ''
+0x049 DeletePending : 0 ''
+0x04a ReadAccess : 0 ''
+0x04b WriteAccess : 0 ''
+0x04c DeleteAccess : 0 ''
+0x04d SharedRead : 0 ''
+0x04e SharedWrite : 0 ''
+0x04f SharedDelete : 0 ''
+0x050 Flags : 0
+0x058 FileName : _UNICODE_STRING ""
+0x068 CurrentByteOffset : _LARGE_INTEGER 0x0
+0x070 Waiters : 0
+0x074 Busy : 0
+0x078 LastLock : (null)
+0x080 Lock : _KEVENT
+0x098 Event : _KEVENT
+0x0b0 CompletionContext : (null)
+0x0b8 IrpListLock : 0
+0x0c0 IrpList : _LIST_ENTRY [0xffffe00180bf5ac0 - 0xffffe00180bf5ac0]
+0x0d0 FileObjectExtension : 0xffffcf80786defb0 Void

Look, the topic was started as RDBSS related. Now it has become NTFS related, and exacerbated by a system volume (an empty name in IopInitCrashDumpDuringSysInit means it is a system volume). It is not possible to guess what is going on. The people here are not standing behind you watching over your shoulder. You are not consistent.

Beside that, trying to “swap buffers” for pagefile.sys or a system volume in a filter is a terrible design.

I can only advise you to concentrate efforts on one case and eliminate the code to find a culprit.

Thanks for your answer, and sorry for not being consistent.
I was just looking for someone's experience with specific circumstances in which FltReadFile might cause an exception (if such circumstances exist).

trying to "swap buffers" for pagefile.sys or a system volume in a filter is a terrible design.
It's not by design. It is my unawareness and lack of knowledge. Any tips on how to prevent it?
By system volume, do you mean the tiny system reserved volume or the volume that Windows resides in?

There are myriad reasons for an unhandled exception.

There is no magic answer, as nobody here has access to your source code. The reason might be damaged system data caused by code executed before the call to FltReadFile. The reason might be incorrect parameters provided to FltReadFile.

Start with code elimination:

  • do not attach to the system volume; test on a removable drive like a USB pen drive
  • remove the call to FltReadFile
  • if the system still crashes, the problem is not in FltReadFile; if it carries on, then check the input parameters to FltReadFile, and try to read one byte at offset 0x0
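The checks suggested in this thread (create status and STATUS_REPARSE, a non-null FsContext, the empty file name that turned up in the auto-start crash, and staying away from the paging file) pulled together into one gate, as an added example and not code from the original poster's filter. It is compiled without the WDK, so the few kernel types and constants it needs are declared as stand-ins that keep the ntifs.h/fltKernel.h names and public values; in a real minifilter those stand-ins go away, `<fltKernel.h>` is included, and the gate runs at the top of the IRP_MJ_CREATE post-operation callback before any FltReadFile on FltObjects->FileObject. The two sample file objects are constructed from the `dt nt!_FILE_OBJECT` output posted above, reduced to the fields the gate reads. The SL_OPEN_PAGING_FILE test is my addition: the posted dumps do not show the create's OperationFlags, so whether the crash-dump reopen of `\pagefile.sys` carried that flag is unknown, and without it the gate lets the boot-start file object through, which is exactly why the last reply says not to attach to the system volume while eliminating code.

```c
/*
 * Post-create gate for a buffer-swapping minifilter (added example, not the
 * poster's code).  Compiled WITHOUT the WDK: the stand-in section below keeps
 * the names and public values of ntifs.h / fltKernel.h.  In a real filter,
 * delete the stand-ins, #include <fltKernel.h>, and call PostCreateSwapGate()
 * before any FltReadFile on FltObjects->FileObject.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* ---- stand-ins for WDK declarations ----------------------------------- */
typedef int32_t  NTSTATUS;
typedef uint32_t ULONG;
typedef uint16_t USHORT;
typedef void    *PVOID;

#define NT_SUCCESS(s)                ((NTSTATUS)(s) >= 0)
#define STATUS_SUCCESS               ((NTSTATUS)0x00000000L)
#define STATUS_REPARSE               ((NTSTATUS)0x00000104L) /* a success code */
#define STATUS_OBJECT_NAME_NOT_FOUND ((NTSTATUS)0xC0000034L)

#define FO_VOLUME_OPEN       0x00400000u /* FILE_OBJECT.Flags: open of the volume itself */
#define SL_OPEN_PAGING_FILE  0x02u       /* IRP_MJ_CREATE OperationFlags: Mm opening a paging file */

typedef struct _UNICODE_STRING {
    USHORT          Length;         /* in bytes, not characters */
    USHORT          MaximumLength;
    const uint16_t *Buffer;         /* WCHAR is 16 bits on Windows */
} UNICODE_STRING;

/* Only the FILE_OBJECT fields the gate reads, in dt nt!_FILE_OBJECT order. */
typedef struct _FILE_OBJECT {
    PVOID          DeviceObject, Vpb, FsContext, FsContext2, SectionObjectPointer;
    ULONG          Flags;
    UNICODE_STRING FileName;
} FILE_OBJECT;
/* ----------------------------------------------------------------------- */

typedef enum {
    SWAP_OK = 0,
    SKIP_FAILED_CREATE,       /* !NT_SUCCESS(Data->IoStatus.Status) */
    SKIP_REPARSE,             /* STATUS_REPARSE: success code, file object not initialised */
    SKIP_PAGING_FILE,         /* SL_OPEN_PAGING_FILE: never swap buffers on a paging file */
    SKIP_VOLUME_OPEN,         /* FO_VOLUME_OPEN: the volume, not a file */
    SKIP_NO_NAME,             /* empty FileName: a device/volume open, not a file (auto-start case) */
    SKIP_NO_FSCONTEXT,        /* FsContext NULL: the FSD did not initialise the file object */
    SKIP_NO_SECTION_POINTERS  /* no SECTION_OBJECT_POINTERS: not a data stream you can read */
} SwapGateResult;

/* status = Data->IoStatus.Status, opFlags = Data->Iopb->OperationFlags,
 * fo = FltObjects->FileObject.  Status is tested first: on failure or
 * STATUS_REPARSE the file object's fields carry no meaning yet. */
SwapGateResult PostCreateSwapGate(NTSTATUS status, ULONG opFlags, const FILE_OBJECT *fo)
{
    if (!NT_SUCCESS(status))              return SKIP_FAILED_CREATE;
    if (status == STATUS_REPARSE)         return SKIP_REPARSE;
    if (opFlags & SL_OPEN_PAGING_FILE)    return SKIP_PAGING_FILE;
    if (fo->Flags & FO_VOLUME_OPEN)       return SKIP_VOLUME_OPEN;
    if (fo->FileName.Length == 0)         return SKIP_NO_NAME;
    if (fo->FsContext == NULL)            return SKIP_NO_FSCONTEXT;
    if (fo->SectionObjectPointer == NULL) return SKIP_NO_SECTION_POINTERS;
    return SWAP_OK; /* a named, initialised data stream: reading it is reasonable */
}

/* ---- the two file objects posted in the thread (constructed sample input) ---- */
#define KPTR(x) ((PVOID)(uintptr_t)(x))
static const uint16_t g_pagefile_name[] = { '\\','p','a','g','e','f','i','l','e','.','s','y','s', 0 };

/* boot-start crash: "\pagefile.sys" reopened from IopInitCrashDumpDuringSysInit */
const FILE_OBJECT g_boot_start_fo = {
    .DeviceObject = KPTR(0xffffe0012f403060), .Vpb = KPTR(0xffffe0012f404420),
    .FsContext = KPTR(0xffffe0012f594de0),    .FsContext2 = KPTR(0xffffe0012f592660),
    .SectionObjectPointer = KPTR(0xffffe0012f5927a8),
    .Flags = 8, /* FO_NO_INTERMEDIATE_BUFFERING */
    .FileName = { sizeof g_pagefile_name - sizeof g_pagefile_name[0],
                  sizeof g_pagefile_name, g_pagefile_name },
};

/* auto-start crash: empty name, no Vpb, no section pointers: a device open, not a file */
const FILE_OBJECT g_auto_start_fo = {
    .DeviceObject = KPTR(0xffffe0017fb8d9e0), .Vpb = NULL,
    .FsContext = KPTR(0xfffff800b5e263e0),    .FsContext2 = NULL,
    .SectionObjectPointer = NULL, .Flags = 0, .FileName = { 0, 0, NULL },
};

static const char *GateResultName(SwapGateResult r)
{
    static const char *names[] = { "SWAP_OK", "SKIP_FAILED_CREATE", "SKIP_REPARSE",
        "SKIP_PAGING_FILE", "SKIP_VOLUME_OPEN", "SKIP_NO_NAME", "SKIP_NO_FSCONTEXT",
        "SKIP_NO_SECTION_POINTERS" };
    return names[r];
}

int main(void)
{
    printf("auto-start fo, STATUS_SUCCESS     : %s\n", GateResultName(PostCreateSwapGate(STATUS_SUCCESS, 0, &g_auto_start_fo)));
    printf("boot-start fo, STATUS_SUCCESS     : %s\n", GateResultName(PostCreateSwapGate(STATUS_SUCCESS, 0, &g_boot_start_fo)));
    printf("boot-start fo, paging-file open   : %s\n", GateResultName(PostCreateSwapGate(STATUS_SUCCESS, SL_OPEN_PAGING_FILE, &g_boot_start_fo)));
    printf("boot-start fo, STATUS_REPARSE     : %s\n", GateResultName(PostCreateSwapGate(STATUS_REPARSE, 0, &g_boot_start_fo)));
    return 0;
}
```

The order of the checks is the point: the auto-start file object has a non-null FsContext (a static address in the rdbss image, not pool), so the FsContext test alone would not have caught it; the empty FileName, null Vpb and null SectionObjectPointer are what mark it as a device open. Vpb is deliberately not tested, because redirector-backed file objects have no VPB even when they do name a real remote file.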