minifilter - scan all files

dhananjay, thank you for the response.
I don’t know how to get that output.
Could you please guide me how to get that?

You need to use WinDbg. Enable kernel debugging and then start your driver again. When it gives you a BSOD, your system will break into the debugger so you can execute the !analyze command.

By the way, if you have crashdump, you can also open that crashdump with Windbg.

11:56, 6 May 2017, “xxxxx@gmail.com”:

> dhananjay, thank you for the response.
> I don’t know how to get that output.
> Could you please guide me how to get that?


NTFSD is sponsored by OSR


MONTHLY seminars on crash dump analysis, WDF, Windows internals and software drivers!
Details at <http://www.osr.com/seminars>

To unsubscribe, visit the List Server section of OSR Online at <http://www.osronline.com/page.cfm?name=ListServer>





Sent from the Yandex.Mail mobile app

I think I need to use FltDoCompletionProcessingWhenSafe in my post callback for IRP_MJ_WRITE, since it runs at DPC level, to make it safe. I tried the code below but I still get the same crash.
Please, if someone could advise me how to make it work. I also included the minidump analysis below.

// Forward declaration of the deferred post-operation routine used below.
FLT_POSTOP_CALLBACK_STATUS
SafePostCallback(
    __inout PFLT_CALLBACK_DATA Data,
    __in PCFLT_RELATED_OBJECTS FltObjects,
    __in PVOID CompletionContext,
    __in FLT_POST_OPERATION_FLAGS Flags
    );

// Fragment of the IRP_MJ_WRITE post-operation callback. The callback may be
// invoked at DISPATCH_LEVEL, so the work is handed to SafePostCallback, which
// FltMgr runs at IRQL <= APC_LEVEL.
BOOLEAN bRet;
FLT_POSTOP_CALLBACK_STATUS RetPostOperationStatus;

bRet = FltDoCompletionProcessingWhenSafe(
    Data,
    FltObjects,
    CompletionContext,
    Flags,
    SafePostCallback,
    &RetPostOperationStatus
    );
if (FALSE == bRet && FLT_POSTOP_FINISHED_PROCESSING == RetPostOperationStatus)
{
    // FltMgr could not queue the work item; the operation completes as is.
    DbgPrint("FltDoCompletionProcessingWhenSafe failed.");
    return FLT_POSTOP_FINISHED_PROCESSING;
}
// Otherwise the callback must return the status FltMgr handed back
// (FLT_POSTOP_MORE_PROCESSING_REQUIRED when SafePostCallback was queued,
// FLT_POSTOP_FINISHED_PROCESSING when it has already run).
return RetPostOperationStatus;

FLT_POSTOP_CALLBACK_STATUS
SafePostCallback(
    __inout PFLT_CALLBACK_DATA Data,
    __in PCFLT_RELATED_OBJECTS FltObjects,
    __in PVOID CompletionContext,
    __in FLT_POST_OPERATION_FLAGS Flags
    )
{
    UNREFERENCED_PARAMETER(Data);
    UNREFERENCED_PARAMETER(FltObjects);
    UNREFERENCED_PARAMETER(CompletionContext);
    UNREFERENCED_PARAMETER(Flags);

    DbgPrint("IN safepostcallback...");
    return FLT_POSTOP_FINISHED_PROCESSING;
}

Here is the mini dump analysis:

SYSTEM_SERVICE_EXCEPTION (3b)
An exception happened while executing a system service routine.
Arguments:
Arg1: 00000000c0000005, Exception code that caused the bugcheck
Arg2: fffff8000240752a, Address of the instruction which caused the bugcheck
Arg3: ffffd0002505f510, Address of the context record for the exception that caused the bugcheck
Arg4: 0000000000000000, zero.

Debugging Details:

TRIAGER: Could not open triage file : e:\dump_analysis\program\triage\modclass.ini, error 2

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at “0x%08lx” referenced memory at “0x%08lx”. The memory could not be “%s”.

FAULTING_IP:
CLASSPNP!ServiceTransferRequest+ca
fffff800`0240752a 458b722c mov r14d,dword ptr [r10+2Ch]

CONTEXT: ffffd0002505f510 – (.cxr 0xffffd0002505f510)
rax=ffffe0015b668d78 rbx=ffffe0015ae501b0 rcx=ffffe0015b668d78
rdx=0000000000000000 rsi=ffffe0015ae4d010 rdi=ffffe0015b668b00
rip=fffff8000240752a rsp=ffffd0002505ff30 rbp=ffffe0015adee900
r8=0000000000000000 r9=ffffe0015ae50060 r10=0000000000000000
r11=0000000000000000 r12=0000000000000000 r13=ffffe0015ae501b0
r14=0000000000000000 r15=ffffe0015b668bd0
iopl=0 nv up ei pl zr na po nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00210246
CLASSPNP!ServiceTransferRequest+0xca:
fffff8000240752a 458b722c mov r14d,dword ptr [r10+2Ch] ds:002b:000000000000002c=???
Resetting default scope

CUSTOMER_CRASH_COUNT: 1

DEFAULT_BUCKET_ID: WIN8_DRIVER_FAULT

BUGCHECK_STR: 0x3B

PROCESS_NAME: HDSentinel.exe

CURRENT_IRQL: 0

LAST_CONTROL_TRANSFER: from fffff80002407403 to fffff8000240752a

STACK_TEXT:
ffffd0002505ff30 fffff80002407403 : ffffe0015ae50060 fffffffffffe2b00 ffffe00100000000 ffffe0015ae50060 : CLASSPNP!ServiceTransferRequest+0xca
ffffd0002505ffe0 fffff8020be8edbe : 0000000000000001 000000000023ae21 ffffe0015f440520 ffffe0015e88b7e0 : CLASSPNP!ClassReadWrite+0x523
ffffd00025060090 fffff8020be8eb98 : ffffe0015b668bd0 0000000000000000 ffffe0015f440520 0000000000000030 : nt!RawReadWriteDeviceControl+0x9e
ffffd000250600c0 fffff80000907895 : ffffe0015fc32310 ffffe0015b668bd0 ffffe0015b668e50 ffffe0015fc323e8 : nt!RawDispatch+0x78
ffffd00025060110 fffff800009052d8 : ffffe0015fc323e8 ffffd000250601e9 0000000000000001 ffffe0015a89a2d0 : FLTMGR!FltpLegacyProcessingAfterPreCallbacksCompleted+0x1a5
ffffd000250601a0 fffff80000915e45 : ffffe0015fc32310 0000000000000000 0000000000000000 ffffe0015d601790 : FLTMGR!FltPerformSynchronousIo+0x308
ffffd00025060250 fffff800009159e1 : 0000000000000000 fffff8020bd2eb08 ffffe0015e41cb00 fffff8020ba2d629 : FLTMGR!FltReadFileEx+0x455
ffffd00025060340 fffff80003c71720 : ffffe00100000000 0000000000001000 ffffe0015b720668 ffffe00100000184 : FLTMGR!FltReadFile+0x51
ffffd000250603b0 ffffe00100000000 : 0000000000001000 ffffe0015b720668 ffffe00100000184 ffffe0015d601790 : scanner+0x1720
ffffd000250603b8 0000000000001000 : ffffe0015b720668 ffffe00100000184 ffffe0015d601790 fffff80000000005 : 0xffffe00100000000
ffffd000250603c0 ffffe0015b720668 : ffffe00100000184 ffffe0015d601790 fffff80000000005 ffffd00025060410 : 0x1000
ffffd000250603c8 ffffe00100000184 : ffffe0015d601790 fffff80000000005 ffffd00025060410 0000000000000000 : 0xffffe0015b720668
ffffd000250603d0 ffffe0015d601790 : fffff80000000005 ffffd00025060410 0000000000000000 0000000000000000 : 0xffffe00100000184
ffffd000250603d8 fffff80000000005 : ffffd00025060410 0000000000000000 0000000000000000 0000000000000000 : 0xffffe0015d601790
ffffd000250603e0 ffffd00025060410 : 0000000000000000 0000000000000000 0000000000000000 ffffd00080000005 : 0xfffff80000000005
ffffd000250603e8 0000000000000000 : 0000000000000000 0000000000000000 ffffd00080000005 ffffe001612e0690 : 0xffffd00025060410

FOLLOWUP_IP:
CLASSPNP!ServiceTransferRequest+ca
fffff800`0240752a 458b722c mov r14d,dword ptr [r10+2Ch]

SYMBOL_STACK_INDEX: 0

SYMBOL_NAME: CLASSPNP!ServiceTransferRequest+ca

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: CLASSPNP

IMAGE_NAME: CLASSPNP.SYS

DEBUG_FLR_IMAGE_TIMESTAMP: 5632d175

STACK_COMMAND: .cxr 0xffffd0002505f510 ; kb

FAILURE_BUCKET_ID: X64_0x3B_CLASSPNP!ServiceTransferRequest+ca

BUCKET_ID: X64_0x3B_CLASSPNP!ServiceTransferRequest+ca

Followup: MachineOwner

What your filter was trying to read was not a common file on a file system. This was a disk (do not confuse it with a volume; in your case this was a disk).

Direct disk access is performed through a RAW file system object mounted to a disk object. RAW is a minimal pass through file system (you can’t make it more minimal than that). A filter manager object is attached to a RAW file system object.

The crash happened when CLASSPNP!ServiceTransferRequest called MmGetMdlVirtualAddress(Irp->MdlAddress) with Irp->MdlAddress == NULL.

I do not have access to your source code so I won’t speculate further how it happened that Irp->MdlAddress is NULL.

Hi Slava
Thank you for your response.
Can you please confirm if below code will solve this specific problem?

if (Data->Iopb->Parameters.Write.MdlAddress != NULL) {
return FLT_POSTOP_FINISHED_PROCESSING;
}

Thanks.

Just correcting myself:

if (Data->Iopb->Parameters.Write.MdlAddress == NULL) {
return FLT_POSTOP_FINISHED_PROCESSING;
}

Hi Slava !

Why do you think that this was a disk and not a volume?
In my understanding the raw FS gives access to a volume, not a disk.

On 7 May 2017, at 15:02, xxxxx@hotmail.com wrote:

> What your filter was trying to read was not a common file on a file system. This was a disk (do not confuse it with a volume; in your case this was a disk).
>
> Direct disk access is performed through a RAW file system object mounted to a disk object. RAW is a minimal pass through file system (you can’t make it more minimal than that). A filter manager object is attached to a RAW file system object.
>
> The crash happened when CLASSPNP!ServiceTransferRequest called MmGetMdlVirtualAddress(Irp->MdlAddress) with Irp->MdlAddress == NULL.
>
> I do not have access to your source code so I won’t speculate further how it happened that Irp->MdlAddress is NULL.



I doubt this will solve the problem with the crash. The problem is somewhere around FltReadFile.

There was no volmgr driver in the stack. The request went directly to the pnpclass driver. The RAW FSD is used for any mass storage device object to provide a file object interface to block devices.

Once again I got a BSOD, this time SYSTEM_SERVICE_EXCEPTION in CLASSPNP.SYS.
How can I get the !analyze -v output? I am not very familiar with driver coding and I just want to fix this issue somehow.
Thank you all for your help.
Below is the minidump analysis of the exception:

Windows 8 Kernel Version 10586 MP (4 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS Personal
Built by: 10586.839.amd64fre.th2_release.170303-1605
Machine Name:
Kernel base = 0xfffff8020b677000 PsLoadedModuleList = 0xfffff8020b954c90
Debug session time: Sun May 7 14:57:54.115 2017 (UTC - 4:00)
System Uptime: 0 days 5:56:27.551
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

SYSTEM_SERVICE_EXCEPTION (3b)
An exception happened while executing a system service routine.
Arguments:
Arg1: 00000000c0000005, Exception code that caused the bugcheck
Arg2: fffff8015b0b752a, Address of the instruction which caused the bugcheck
Arg3: ffffd000216714e0, Address of the context record for the exception that caused the bugcheck
Arg4: 0000000000000000, zero.

Debugging Details:

TRIAGER: Could not open triage file : e:\dump_analysis\program\triage\modclass.ini, error 2

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at “0x%08lx” referenced memory at “0x%08lx”. The memory could not be “%s”.

FAULTING_IP:
CLASSPNP!ServiceTransferRequest+ca
fffff801`5b0b752a 458b722c mov r14d,dword ptr [r10+2Ch]

CONTEXT: ffffd000216714e0 – (.cxr 0xffffd000216714e0)
rax=ffffe001cd43bd78 rbx=ffffe001c8e9a480 rcx=ffffe001cd43bd78
rdx=0000000000000000 rsi=ffffe001c8e96010 rdi=ffffe001cd43bb00
rip=fffff8015b0b752a rsp=ffffd00021671f00 rbp=ffffe001c81d17a0
r8=0000000000000000 r9=ffffe001c8e9a330 r10=0000000000000000
r11=0000000000000000 r12=0000000000000000 r13=ffffe001c8e9a480
r14=0000000000000000 r15=ffffe001cd43bbd0
iopl=0 nv up ei pl zr na po nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00010246
CLASSPNP!ServiceTransferRequest+0xca:
fffff8015b0b752a 458b722c mov r14d,dword ptr [r10+2Ch] ds:002b:000000000000002c=???
Resetting default scope

CUSTOMER_CRASH_COUNT: 1

DEFAULT_BUCKET_ID: WIN8_DRIVER_FAULT

BUGCHECK_STR: 0x3B

PROCESS_NAME: HDSentinel.exe

CURRENT_IRQL: 0

LAST_CONTROL_TRANSFER: from fffff8015b0b7403 to fffff8015b0b752a

STACK_TEXT:
ffffd00021671f00 fffff8015b0b7403 : ffffe001c8e9a330 fffffffffffe2b00 ffffe00100000000 ffffe001c8e9a330 : CLASSPNP!ServiceTransferRequest+0xca
ffffd00021671fb0 fffff8020baeadbe : 0000000000000001 000000000023ae1f ffffe001cd7de280 ffffe001ce6457e0 : CLASSPNP!ClassReadWrite+0x523
ffffd00021672060 fffff8020baeab98 : ffffe001cd43bbd0 0000000000000000 ffffe001cd7de280 0000000000000030 : nt!RawReadWriteDeviceControl+0x9e
ffffd00021672090 fffff80159f57895 : ffffe001cd6d2490 ffffe001cd43bbd0 ffffe001cd43be50 ffffe001cd6d2568 : nt!RawDispatch+0x78
ffffd000216720e0 fffff80159f552d8 : ffffe001cd6d2568 ffffd000216721b9 0000000000000001 ffffe001ced6ae00 : FLTMGR!FltpLegacyProcessingAfterPreCallbacksCompleted+0x1a5
ffffd00021672170 fffff80159f65e45 : ffffe001cd6d2490 0000000000000000 0000000000000000 ffffe001ce9d4480 : FLTMGR!FltPerformSynchronousIo+0x308
ffffd00021672220 fffff80159f659e1 : 0000000000000000 fffff8020b98ab08 0000000000000000 0000000000000295 : FLTMGR!FltReadFileEx+0x455
ffffd00021672310 fffff8015d9b1a20 : ffffe00100000000 0000000000001000 ffffe001cda45b58 ffffd00000000184 : FLTMGR!FltReadFile+0x51
ffffd00021672380 ffffe00100000000 : 0000000000001000 ffffe001cda45b58 ffffd00000000184 ffffe001ce9d4480 : scanner+0x1a20
ffffd00021672388 0000000000001000 : ffffe001cda45b58 ffffd00000000184 ffffe001ce9d4480 0000000000000005 : 0xffffe00100000000
ffffd00021672390 ffffe001cda45b58 : ffffd00000000184 ffffe001ce9d4480 0000000000000005 ffffd000216723e0 : 0x1000
ffffd00021672398 ffffd00000000184 : ffffe001ce9d4480 0000000000000005 ffffd000216723e0 0000000000000000 : 0xffffe001cda45b58
ffffd000216723a0 ffffe001ce9d4480 : 0000000000000005 ffffd000216723e0 0000000000000000 0000000000000000 : 0xffffd00000000184
ffffd000216723a8 0000000000000005 : ffffd000216723e0 0000000000000000 0000000000000000 fffff8020b759581 : 0xffffe001ce9d4480
ffffd000216723b0 ffffd000216723e0 : 0000000000000000 0000000000000000 fffff8020b759581 ffffd00080000005 : 0x5
ffffd000216723b8 0000000000000000 : 0000000000000000 fffff8020b759581 ffffd00080000005 ffffe001ce70b010 : 0xffffd000`216723e0

FOLLOWUP_IP:
CLASSPNP!ServiceTransferRequest+ca
fffff801`5b0b752a 458b722c mov r14d,dword ptr [r10+2Ch]

SYMBOL_STACK_INDEX: 0

SYMBOL_NAME: CLASSPNP!ServiceTransferRequest+ca

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: CLASSPNP

IMAGE_NAME: CLASSPNP.SYS

DEBUG_FLR_IMAGE_TIMESTAMP: 5632d175

STACK_COMMAND: .cxr 0xffffd000216714e0 ; kb

FAILURE_BUCKET_ID: X64_0x3B_CLASSPNP!ServiceTransferRequest+ca

BUCKET_ID: X64_0x3B_CLASSPNP!ServiceTransferRequest+ca

Followup: MachineOwner

Hi Slava,

In my ScannerPostCreate I call the method below, which has the FltReadFile. Can you please point out how I can solve this?

NTSTATUS
ScannerpScanFileInUserMode (
    _In_ PFLT_INSTANCE Instance,
    _In_ PFILE_OBJECT FileObject,
    _Out_ PBOOLEAN SafeToOpen
    )
{
    NTSTATUS status = STATUS_SUCCESS;
    PVOID buffer = NULL;
    ULONG bytesRead;
    PSCANNER_NOTIFICATION notification = NULL;
    FLT_VOLUME_PROPERTIES volumeProps;
    LARGE_INTEGER offset;
    ULONG replyLength, length;
    PFLT_VOLUME volume = NULL;

    *SafeToOpen = TRUE;

    //
    // No user-mode scanner connected: nothing to do.
    //

    if (ScannerData.ClientPort == NULL) {

        return STATUS_SUCCESS;
    }

    __try {

        status = FltGetVolumeFromInstance( Instance, &volume );

        if (!NT_SUCCESS( status )) {

            __leave;
        }

        //
        // Determine sector size. Noncached I/O can only be done at sector size offsets, and in lengths which are
        // multiples of sector size. A more efficient way is to make this call once and remember the sector size in the
        // instance setup routine and setup an instance context where we can cache it.
        //

        status = FltGetVolumeProperties( volume,
                                         &volumeProps,
                                         sizeof( volumeProps ),
                                         &length );
        //
        // STATUS_BUFFER_OVERFLOW can be returned - however we only need the properties, not the names
        // hence we only check for error status.
        //

        if (NT_ERROR( status )) {

            __leave;
        }

        length = max( SCANNER_READ_BUFFER_SIZE, volumeProps.SectorSize );

        //
        // Use non-buffered i/o, so allocate aligned pool
        //

        buffer = FltAllocatePoolAlignedWithTag( Instance,
                                                NonPagedPool,
                                                length,
                                                'nacS' );

        if (NULL == buffer) {

            status = STATUS_INSUFFICIENT_RESOURCES;
            __leave;
        }

        notification = ExAllocatePoolWithTag( NonPagedPool,
                                              sizeof( SCANNER_NOTIFICATION ),
                                              'nacS' );

        if (NULL == notification) {

            status = STATUS_INSUFFICIENT_RESOURCES;
            __leave;
        }

        //
        // Read the beginning of the file and pass the contents to user mode.
        //

        offset.QuadPart = bytesRead = 0;
        status = FltReadFile( Instance,
                              FileObject,
                              &offset,
                              length,
                              buffer,
                              FLTFL_IO_OPERATION_NON_CACHED |
                              FLTFL_IO_OPERATION_DO_NOT_UPDATE_BYTE_OFFSET,
                              &bytesRead,
                              NULL,
                              NULL );

        if (NT_SUCCESS( status ) && (0 != bytesRead)) {

            notification->BytesToScan = (ULONG) bytesRead;

            //
            // Copy only as much as the buffer can hold
            //

            RtlCopyMemory( &notification->Contents,
                           buffer,
                           min( notification->BytesToScan, SCANNER_READ_BUFFER_SIZE ) );

            replyLength = sizeof( SCANNER_REPLY );

            status = FltSendMessage( ScannerData.Filter,
                                     &ScannerData.ClientPort,
                                     notification,
                                     sizeof( SCANNER_NOTIFICATION ),
                                     notification,
                                     &replyLength,
                                     NULL );

            if (STATUS_SUCCESS == status) {

                *SafeToOpen = ((PSCANNER_REPLY) notification)->SafeToOpen;

            } else {

                //
                // Couldn't send message
                //

                //DbgPrint( "!!! scanner.sys -- couldn't send message to user-mode to scan file, status 0x%X\n", status );
            }
        }

    } __finally {

        if (NULL != buffer) {

            FltFreePoolAlignedWithTag( Instance, buffer, 'nacS' );
        }

        if (NULL != notification) {

            ExFreePoolWithTag( notification, 'nacS' );
        }

        if (NULL != volume) {

            FltObjectDereference( volume );
        }
    }

    return status;
}

Thank you Slava !

On 7 May 2017, at 22:06, xxxxx@hotmail.com wrote:

> I doubt this will solve the problem with the crash. The problem is somewhere around FltReadFile.
>
> There was no volmgr driver in the stack. The request went directly to the pnpclass driver. The RAW FSD is used for any mass storage device object to provide a file object interface to block devices.



Try this check for DO_DIRECT_IO

NTSTATUS
ScannerpScanFileInUserMode (
    // ... same parameters as the ScannerpScanFileInUserMode shown above ...
    )
{
    // ...

    //
    // I don't use IoGetRelatedDeviceObject to exclude a rogue filter
    // that doesn't propagate the DO_DIRECT_IO flag.
    //
    if ((IoGetBaseFileSystemDeviceObject( FileObject ))->Flags & DO_DIRECT_IO) {

        return STATUS_SUCCESS;
    }

    if (ScannerData.ClientPort == NULL) {

        return STATUS_SUCCESS;
    }

    // ...
}

This should stop the crashing if neither your driver/filter nor another one corrupts objects or memory.

Hi Slava,

I tried your suggestion, but the BSOD still occurs with the same error: SYSTEM_SERVICE_EXCEPTION in CLASSPNP.SYS.

Is there something else that can be done?
Thanks in advance.

Here’s the mini dump analysis:

Machine Name:
Kernel base = 0xfffff80319678000 PsLoadedModuleList = 0xfffff80319955c90
Debug session time: Sun May 7 16:33:01.396 2017 (UTC - 4:00)
System Uptime: 0 days 1:32:59.022
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

SYSTEM_SERVICE_EXCEPTION (3b)
An exception happened while executing a system service routine.
Arguments:
Arg1: 00000000c0000005, Exception code that caused the bugcheck
Arg2: fffff801c56c752a, Address of the instruction which caused the bugcheck
Arg3: ffffd000220d74e0, Address of the context record for the exception that caused the bugcheck
Arg4: 0000000000000000, zero.

Debugging Details:

TRIAGER: Could not open triage file : e:\dump_analysis\program\triage\modclass.ini, error 2

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at “0x%08lx” referenced memory at “0x%08lx”. The memory could not be “%s”.

FAULTING_IP:
CLASSPNP!ServiceTransferRequest+ca
fffff801`c56c752a 458b722c mov r14d,dword ptr [r10+2Ch]

CONTEXT: ffffd000220d74e0 – (.cxr 0xffffd000220d74e0)
rax=ffffe000a2f34d78 rbx=ffffe0009dc571b0 rcx=ffffe000a2f34d78
rdx=0000000000000000 rsi=ffffe0009dc53010 rdi=ffffe000a2f34b00
rip=fffff801c56c752a rsp=ffffd000220d7f00 rbp=ffffe0009d1dcb20
r8=0000000000000000 r9=ffffe0009dc57060 r10=0000000000000000
r11=0000000000000000 r12=0000000000000000 r13=ffffe0009dc571b0
r14=0000000000000000 r15=ffffe000a2f34bd0
iopl=0 nv up ei pl zr na po nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00010246
CLASSPNP!ServiceTransferRequest+0xca:
fffff801c56c752a 458b722c mov r14d,dword ptr [r10+2Ch] ds:002b:000000000000002c=???
Resetting default scope

CUSTOMER_CRASH_COUNT: 1

DEFAULT_BUCKET_ID: WIN8_DRIVER_FAULT

BUGCHECK_STR: 0x3B

PROCESS_NAME: HDSentinel.exe

CURRENT_IRQL: 0

LAST_CONTROL_TRANSFER: from fffff801c56c7403 to fffff801c56c752a

STACK_TEXT:
ffffd000220d7f00 fffff801c56c7403 : ffffe0009dc57060 fffffffffffe2b00 ffffe00000000000 ffffe0009dc57060 : CLASSPNP!ServiceTransferRequest+0xca
ffffd000220d7fb0 fffff80319aebdbe : 0000000000000001 000000000023ae23 ffffe000a45ba850 ffffe000a42c27e0 : CLASSPNP!ClassReadWrite+0x523
ffffd000220d8060 fffff80319aebb98 : ffffe000a2f34bd0 0000000000000000 ffffe000a45ba850 0000000000000030 : nt!RawReadWriteDeviceControl+0x9e
ffffd000220d8090 fffff801c4787895 : ffffe000a261ca80 ffffe000a2f34bd0 ffffe000a2f34e50 ffffe000a261cb58 : nt!RawDispatch+0x78
ffffd000220d80e0 fffff801c47852d8 : ffffe000a261cb58 ffffd000220d81b9 0000000000000001 ffffe000a3591950 : FLTMGR!FltpLegacyProcessingAfterPreCallbacksCompleted+0x1a5
ffffd000220d8170 fffff801c4795e45 : ffffe000a261ca80 0000000000000000 0000000000000000 ffffe0009c686830 : FLTMGR!FltPerformSynchronousIo+0x308
ffffd000220d8220 fffff801c47959e1 : 0000000000000000 fffff8031998bb08 0000000000000000 0000000000000295 : FLTMGR!FltReadFileEx+0x455
ffffd000220d8310 fffff801c83e1a20 : ffffe00000000000 0000000000001000 ffffe000a33c20e8 ffffd00000000184 : FLTMGR!FltReadFile+0x51
ffffd000220d8380 ffffe00000000000 : 0000000000001000 ffffe000a33c20e8 ffffd00000000184 ffffe0009c686830 : scanner+0x1a20
ffffd000220d8388 0000000000001000 : ffffe000a33c20e8 ffffd00000000184 ffffe0009c686830 0000000000000005 : 0xffffe00000000000
ffffd000220d8390 ffffe000a33c20e8 : ffffd00000000184 ffffe0009c686830 0000000000000005 ffffd000220d83e0 : 0x1000
ffffd000220d8398 ffffd00000000184 : ffffe0009c686830 0000000000000005 ffffd000220d83e0 0000000000000000 : 0xffffe000a33c20e8
ffffd000220d83a0 ffffe0009c686830 : 0000000000000005 ffffd000220d83e0 0000000000000000 0000000000000000 : 0xffffd00000000184
ffffd000220d83a8 0000000000000005 : ffffd000220d83e0 0000000000000000 0000000000000000 fffff8031975a581 : 0xffffe0009c686830
ffffd000220d83b0 ffffd000220d83e0 : 0000000000000000 0000000000000000 fffff8031975a581 ffffd00080000005 : 0x5
ffffd000220d83b8 0000000000000000 : 0000000000000000 fffff8031975a581 ffffd00080000005 ffffe000a449ebf0 : 0xffffd000`220d83e0

FOLLOWUP_IP:
CLASSPNP!ServiceTransferRequest+ca
fffff801`c56c752a 458b722c mov r14d,dword ptr [r10+2Ch]

SYMBOL_STACK_INDEX: 0

SYMBOL_NAME: CLASSPNP!ServiceTransferRequest+ca

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: CLASSPNP

IMAGE_NAME: CLASSPNP.SYS

DEBUG_FLR_IMAGE_TIMESTAMP: 5632d175

STACK_COMMAND: .cxr 0xffffd000220d74e0 ; kb

FAILURE_BUCKET_ID: X64_0x3B_CLASSPNP!ServiceTransferRequest+ca

BUCKET_ID: X64_0x3B_CLASSPNP!ServiceTransferRequest+ca

Followup: MachineOwner

The DO_DIRECT_IO flag is allegedly missing for an object created by the RAW FSD, but CLASSPNP expects a non-NULL Irp->MdlAddress. This is an unusual situation and I don’t have enough information to investigate the cause further.

For example, there is no stack shown after
ffffd00000000184 ffffe0009c686830 : scanner+0x1a20
because WinDBG was unable to locate symbols for your filter driver. This makes it impossible to know the call sequence that resulted in your filter being called.
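An added example (my own code, not from this thread or from the WDK scanner sample) that mechanises what Slava read off these dumps: it parses raw !analyze -v text, recovers frames even where the list archive ran several STACK_TEXT lines together, and reports whether the I/O reached the device through nt!RawDispatch with no volmgr or file-system driver on the stack, and which module on the stack has no symbols (here the filter, scanner+0x1a20). The sample input is a constructed excerpt of the second dump posted above; the function names, the Frame/Triage classes and the KNOWN_FS list are my own assumptions, not WinDbg output fields.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: the fields of the second !analyze -v output posted in this
# thread that the parser needs, with the last STACK_TEXT line deliberately left
# run together the way the list archive mangled it.
SAMPLE_ANALYZE = """\
SYSTEM_SERVICE_EXCEPTION (3b)
Arguments:
Arg1: 00000000c0000005, Exception code that caused the bugcheck
Arg2: fffff8015b0b752a, Address of the instruction which caused the bugcheck

FAULTING_IP:
CLASSPNP!ServiceTransferRequest+ca
fffff801`5b0b752a 458b722c mov r14d,dword ptr [r10+2Ch]

PROCESS_NAME: HDSentinel.exe

STACK_TEXT:
ffffd00021671f00 fffff8015b0b7403 : ffffe001c8e9a330 fffffffffffe2b00 ffffe00100000000 ffffe001c8e9a330 : CLASSPNP!ServiceTransferRequest+0xca
ffffd00021671fb0 fffff8020baeadbe : 0000000000000001 000000000023ae1f ffffe001cd7de280 ffffe001ce6457e0 : CLASSPNP!ClassReadWrite+0x523
ffffd00021672060 fffff8020baeab98 : ffffe001cd43bbd0 0000000000000000 ffffe001cd7de280 0000000000000030 : nt!RawReadWriteDeviceControl+0x9e
ffffd00021672090 fffff80159f57895 : ffffe001cd6d2490 ffffe001cd43bbd0 ffffe001cd43be50 ffffe001cd6d2568 : nt!RawDispatch+0x78
ffffd000216720e0 fffff80159f552d8 : ffffe001cd6d2568 ffffd000216721b9 0000000000000001 ffffe001ced6ae00 : FLTMGR!FltpLegacyProcessingAfterPreCallbacksCompleted+0x1a5
ffffd00021672170 fffff80159f65e45 : ffffe001cd6d2490 0000000000000000 0000000000000000 ffffe001ce9d4480 : FLTMGR!FltPerformSynchronousIo+0x308
ffffd00021672220 fffff80159f659e1 : 0000000000000000 fffff8020b98ab08 0000000000000000 0000000000000295 : FLTMGR!FltReadFileEx+0x455
ffffd00021672310 fffff8015d9b1a20 : ffffe00100000000 0000000000001000 ffffe001cda45b58 ffffd00000000184 : FLTMGR!FltReadFile+0x51
ffffd00021672380 ffffe00100000000 : 0000000000001000 ffffe001cda45b58 ffffd00000000184 ffffe001ce9d4480 : scanner+0x1a20
ffffd00021672388 0000000000001000 : ffffe001cda45b58 ffffd00000000184 ffffe001ce9d4480 0000000000000005 : 0xffffe00100000000 ffffd00021672390 ffffe001cda45b58 : ffffd00000000184 ffffe001ce9d4480 0000000000000005 ffffd000216723e0 : 0x1000

FOLLOWUP_IP:
"""

HEX = r"[0-9a-f`]{16,17}"
# One kb frame: child-sp ret-addr : arg1 arg2 arg3 arg4 : symbol. finditer (rather
# than one match per line) recovers frames that were run together on one line.
FRAME_RE = re.compile(rf"({HEX}) ({HEX}) : {HEX} {HEX} {HEX} {HEX} : (\S+)")
MODULE_RE = re.compile(r"^(\w+)(?:!|\+0x)")  # "nt!Foo+0x1" or "scanner+0x1a20"
KNOWN_FS = ("volmgr", "ntfs", "fastfat", "refs")  # assumed list of volume/FS drivers


@dataclass
class Frame:
    child_sp: str
    ret_addr: str
    symbol: str

    @property
    def module(self) -> Optional[str]:
        m = MODULE_RE.match(self.symbol)
        return m.group(1) if m else None  # None for bare 0x... garbage frames

    @property
    def symbolized(self) -> bool:
        return "!" in self.symbol  # module!function means WinDbg found a PDB


@dataclass
class Triage:
    bugcheck_name: str
    bugcheck_code: str
    exception_code: str
    faulting_ip: str
    process: str
    frames: List[Frame] = field(default_factory=list)


def parse_analyze(text: str) -> Triage:
    """Pull the fields a triager needs out of raw !analyze -v text."""
    bc = re.search(r"^([A-Z_]+) \(([0-9a-f]+)\)", text, re.M)
    args = dict(re.findall(r"^Arg(\d): ([0-9a-f]+)", text, re.M))
    fault = re.search(r"^FAULTING_IP:\n(\S+)", text, re.M)
    proc = re.search(r"^PROCESS_NAME: (\S+)", text, re.M)
    stack = text.split("STACK_TEXT:", 1)[1].split("\n\n", 1)[0]
    frames = [Frame(m.group(1), m.group(2), m.group(3)) for m in FRAME_RE.finditer(stack)]
    return Triage(
        bugcheck_name=bc.group(1) if bc else "?",
        bugcheck_code=bc.group(2) if bc else "?",
        exception_code=args.get("1", "0").lstrip("0") or "0",
        faulting_ip=fault.group(1) if fault else "?",
        process=proc.group(1) if proc else "?",
        frames=frames,
    )


def summarize(t: Triage) -> Dict[str, object]:
    """Answer the questions raised in the thread: which modules are on the stack,
    did the I/O go through the RAW FSD with no volume/file-system driver, and
    which module has no symbols (the filter itself)."""
    modules: List[str] = []
    for f in t.frames:
        if f.module and f.module not in modules:
            modules.append(f.module)
    unsymbolized = [m for m in modules
                    if not any(f.symbolized for f in t.frames if f.module == m)]
    # The first unsymbolized frame is where the third-party filter entered the
    # stack; the frame before it (its callee) is the FltMgr API it called.
    idx = next((i for i, f in enumerate(t.frames) if f.module in unsymbolized), None)
    return {
        "bugcheck": f"{t.bugcheck_name} ({t.bugcheck_code})",
        "exception_code": t.exception_code,
        "faulting_ip": t.faulting_ip,
        "process": t.process,
        "modules_on_stack": modules,
        "raw_fsd_path": any(f.symbol.startswith("nt!RawDispatch") for f in t.frames),
        "volume_or_fs_driver_present": any(m.lower() in KNOWN_FS for m in modules),
        "unsymbolized_modules": unsymbolized,
        "filter_frame": t.frames[idx].symbol if idx is not None else None,
        "api_called_by_filter": t.frames[idx - 1].symbol if idx else None,
    }


if __name__ == "__main__":
    for key, value in summarize(parse_analyze(SAMPLE_ANALYZE)).items():
        print(f"{key:28} {value}")
```

To use it on a real dump, save the WinDbg output of `!analyze -v` to a file and call `summarize(parse_analyze(open(path).read()))`; a result with `raw_fsd_path` true and no volume or file-system driver on the stack is the signature Slava describes, and a non-empty `unsymbolized_modules` list tells you which driver's PDB WinDbg still needs before the frames below it can be trusted.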

Hi Slava,

Thanks for your reply.
Is there any other information I can provide to help solve this problem?
All I need to do is send to user mode all I/O operations that the user calls. I just need to avoid the crash somehow.
Thanks.

Start with providing us a call stack with the calls before your scanner, as I told you before.

This can be done only when debugging, right?
I’m having trouble running the VM… I am still trying…

WinDBG usually doesn’t have problems finding symbol files if a dump is opened on the same PC where the driver was compiled and the driver has not been recompiled, so the symbol file has not been rewritten.

Check that your build environment generates a symbol file.

I am not familiar with what you are saying and not sure what you mean.
Should I provide the scanner.pdb file in my /x64/debug/ folder?

https://msdn.microsoft.com/en-us/library/windows/desktop/ee416588(v=vs.85).aspx