dhananjay, thank you for the response.
I don’t know how to get that output.
Could you please guide me how to get that?
You need to use Windbg. Enable kernel debugging and then start your driver again. When it gives you BSOD your system will break into debugger so you can execute analyze command.
By the way, if you have crashdump, you can also open that crashdump with Windbg.
NTFSD is sponsored by OSR
MONTHLY seminars on crash dump analysis, WDF, Windows internals and software drivers!
Details at <http://www.osr.com/seminars>
To unsubscribe, visit the List Server section of OSR Online at <http://www.osronline.com/page.cfm?name=ListServer>
I think I need to use FltDoCompletionProcessingWhenSafe in my post call back of IRP_MJ_WRITE since it’s DPC level and to make it safe. I tried below code but I still get the same crash.
Please if someone could advise me how to make it work. I also wrote down below the mini dump analysis.

    bRet = FltDoCompletionProcessingWhenSafe(
               Data,
               FltObjects,
               CompletionContext,
               Flags,
               SafePostCallback,
               &RetPostOperationStatus
               );
    if (FALSE == bRet && FLT_POSTOP_FINISHED_PROCESSING == RetPostOperationStatus)
    {
        DbgPrint("FltDoCompletionProcessingWhenSafe failed.");
        return FLT_POSTOP_FINISHED_PROCESSING;
    }

    FLT_POSTOP_CALLBACK_STATUS
    SafePostCallback(
        __inout PFLT_CALLBACK_DATA Data,
        __in PCFLT_RELATED_OBJECTS FltObjects,
        __in PVOID CompletionContext,
        __in FLT_POST_OPERATION_FLAGS Flags
        )
    {
        DbgPrint("IN safepostcallback...");
        return FLT_POSTOP_FINISHED_PROCESSING;
    }

Here is the mini dump analysis:
SYSTEM_SERVICE_EXCEPTION (3b)
An exception happened while executing a system service routine.
Arguments:
Arg1: 00000000c0000005, Exception code that caused the bugcheck
Arg2: fffff8000240752a, Address of the instruction which caused the bugcheck
Arg3: ffffd0002505f510, Address of the context record for the exception that caused the bugcheck
Arg4: 0000000000000000, zero.
Debugging Details:
TRIAGER: Could not open triage file : e:\dump_analysis\program\triage\modclass.ini, error 2
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at “0x%08lx” referenced memory at “0x%08lx”. The memory could not be “%s”.
FAULTING_IP:
CLASSPNP!ServiceTransferRequest+ca
fffff800`0240752a 458b722c mov r14d,dword ptr [r10+2Ch]
CONTEXT: ffffd0002505f510 -- (.cxr 0xffffd0002505f510)
rax=ffffe0015b668d78 rbx=ffffe0015ae501b0 rcx=ffffe0015b668d78
rdx=0000000000000000 rsi=ffffe0015ae4d010 rdi=ffffe0015b668b00
rip=fffff8000240752a rsp=ffffd0002505ff30 rbp=ffffe0015adee900
r8=0000000000000000 r9=ffffe0015ae50060 r10=0000000000000000
r11=0000000000000000 r12=0000000000000000 r13=ffffe0015ae501b0
r14=0000000000000000 r15=ffffe0015b668bd0
iopl=0 nv up ei pl zr na po nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00210246
CLASSPNP!ServiceTransferRequest+0xca:
fffff800`0240752a 458b722c mov r14d,dword ptr [r10+2Ch] ds:002b:00000000`0000002c=???
Resetting default scope
CUSTOMER_CRASH_COUNT: 1
DEFAULT_BUCKET_ID: WIN8_DRIVER_FAULT
BUGCHECK_STR: 0x3B
PROCESS_NAME: HDSentinel.exe
CURRENT_IRQL: 0
LAST_CONTROL_TRANSFER: from fffff80002407403 to fffff8000240752a
STACK_TEXT:
ffffd000`2505ff30 fffff800`02407403 : ffffe001`5ae50060 ffffffff`fffe2b00 ffffe001`00000000 ffffe001`5ae50060 : CLASSPNP!ServiceTransferRequest+0xca
ffffd000`2505ffe0 fffff802`0be8edbe : 00000000`00000001 00000000`0023ae21 ffffe001`5f440520 ffffe001`5e88b7e0 : CLASSPNP!ClassReadWrite+0x523
ffffd000`25060090 fffff802`0be8eb98 : ffffe001`5b668bd0 00000000`00000000 ffffe001`5f440520 00000000`00000030 : nt!RawReadWriteDeviceControl+0x9e
ffffd000`250600c0 fffff800`00907895 : ffffe001`5fc32310 ffffe001`5b668bd0 ffffe001`5b668e50 ffffe001`5fc323e8 : nt!RawDispatch+0x78
ffffd000`25060110 fffff800`009052d8 : ffffe001`5fc323e8 ffffd000`250601e9 00000000`00000001 ffffe001`5a89a2d0 : FLTMGR!FltpLegacyProcessingAfterPreCallbacksCompleted+0x1a5
ffffd000`250601a0 fffff800`00915e45 : ffffe001`5fc32310 00000000`00000000 00000000`00000000 ffffe001`5d601790 : FLTMGR!FltPerformSynchronousIo+0x308
ffffd000`25060250 fffff800`009159e1 : 00000000`00000000 fffff802`0bd2eb08 ffffe001`5e41cb00 fffff802`0ba2d629 : FLTMGR!FltReadFileEx+0x455
ffffd000`25060340 fffff800`03c71720 : ffffe001`00000000 00000000`00001000 ffffe001`5b720668 ffffe001`00000184 : FLTMGR!FltReadFile+0x51
ffffd000`250603b0 ffffe001`00000000 : 00000000`00001000 ffffe001`5b720668 ffffe001`00000184 ffffe001`5d601790 : scanner+0x1720
ffffd000`250603b8 00000000`00001000 : ffffe001`5b720668 ffffe001`00000184 ffffe001`5d601790 fffff800`00000005 : 0xffffe001`00000000
ffffd000`250603c0 ffffe001`5b720668 : ffffe001`00000184 ffffe001`5d601790 fffff800`00000005 ffffd000`25060410 : 0x1000
ffffd000`250603c8 ffffe001`00000184 : ffffe001`5d601790 fffff800`00000005 ffffd000`25060410 00000000`00000000 : 0xffffe001`5b720668
ffffd000`250603d0 ffffe001`5d601790 : fffff800`00000005 ffffd000`25060410 00000000`00000000 00000000`00000000 : 0xffffe001`00000184
ffffd000`250603d8 fffff800`00000005 : ffffd000`25060410 00000000`00000000 00000000`00000000 00000000`00000000 : 0xffffe001`5d601790
ffffd000`250603e0 ffffd000`25060410 : 00000000`00000000 00000000`00000000 00000000`00000000 ffffd000`80000005 : 0xfffff800`00000005
ffffd000`250603e8 00000000`00000000 : 00000000`00000000 00000000`00000000 ffffd000`80000005 ffffe001`612e0690 : 0xffffd000`25060410
FOLLOWUP_IP:
CLASSPNP!ServiceTransferRequest+ca
fffff800`0240752a 458b722c mov r14d,dword ptr [r10+2Ch]
SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: CLASSPNP!ServiceTransferRequest+ca
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: CLASSPNP
IMAGE_NAME: CLASSPNP.SYS
DEBUG_FLR_IMAGE_TIMESTAMP: 5632d175
STACK_COMMAND: .cxr 0xffffd0002505f510 ; kb
FAILURE_BUCKET_ID: X64_0x3B_CLASSPNP!ServiceTransferRequest+ca
BUCKET_ID: X64_0x3B_CLASSPNP!ServiceTransferRequest+ca
Followup: MachineOwner
What your filter was trying to read was not a common file on a file system. This was a disk ( do not confuse with a volume, in your case this was a disk ).
Direct disk access is performed through a RAW file system object mounted to a disk object. RAW is a minimal pass through file system (you can’t make it more minimal than that). A filter manager object is attached to a RAW file system object.
The crash happened when CLASSPNP!ServiceTransferRequest called MmGetMdlVirtualAddress(Irp->MdlAddress) with Irp->MdlAddress == NULL.
I do not have access to your source code so I won’t speculate further how it happened that Irp->MdlAddress is NULL.
Hi Slava
Thank you for your response.
Can you please confirm if below code will solve this specific problem?

    if (Data->Iopb->Parameters.Write.MdlAddress != NULL) {
        return FLT_POSTOP_FINISHED_PROCESSING;
    }

Thanks.
Just correcting myself:

    if (Data->Iopb->Parameters.Write.MdlAddress == NULL) {
        return FLT_POSTOP_FINISHED_PROCESSING;
    }

Hi Slava !
Why do you think that this was a disk and not volume ?
In my understanding raw fs gives access to volume, and not disk.
I doubt this will solve the problem with the crash. The problem is somewhere around FltReadFile.
There was no volmgr driver in the stack. The request went directly to pnpclass driver. RAW FSD is used for any mass storage device object to provide file object interface to block devices.
Once again I got BSOD, this time SYSTEM_SERVICE_EXCEPTION CLASSPNP.SYS.
How can I get !analyze -v output ? I am not much familiar with driver coding and I just want to fix this issue somehow.
Thank you all for your help.
Below is the mini dump of the exception:
Windows 8 Kernel Version 10586 MP (4 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS Personal
Built by: 10586.839.amd64fre.th2_release.170303-1605
Machine Name:
Kernel base = 0xfffff802`0b677000 PsLoadedModuleList = 0xfffff802`0b954c90
Debug session time: Sun May 7 14:57:54.115 2017 (UTC - 4:00)
System Uptime: 0 days 5:56:27.551
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
SYSTEM_SERVICE_EXCEPTION (3b)
An exception happened while executing a system service routine.
Arguments:
Arg1: 00000000c0000005, Exception code that caused the bugcheck
Arg2: fffff8015b0b752a, Address of the instruction which caused the bugcheck
Arg3: ffffd000216714e0, Address of the context record for the exception that caused the bugcheck
Arg4: 0000000000000000, zero.
Debugging Details:
TRIAGER: Could not open triage file : e:\dump_analysis\program\triage\modclass.ini, error 2
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at “0x%08lx” referenced memory at “0x%08lx”. The memory could not be “%s”.
FAULTING_IP:
CLASSPNP!ServiceTransferRequest+ca
fffff801`5b0b752a 458b722c mov r14d,dword ptr [r10+2Ch]
CONTEXT: ffffd000216714e0 -- (.cxr 0xffffd000216714e0)
rax=ffffe001cd43bd78 rbx=ffffe001c8e9a480 rcx=ffffe001cd43bd78
rdx=0000000000000000 rsi=ffffe001c8e96010 rdi=ffffe001cd43bb00
rip=fffff8015b0b752a rsp=ffffd00021671f00 rbp=ffffe001c81d17a0
r8=0000000000000000 r9=ffffe001c8e9a330 r10=0000000000000000
r11=0000000000000000 r12=0000000000000000 r13=ffffe001c8e9a480
r14=0000000000000000 r15=ffffe001cd43bbd0
iopl=0 nv up ei pl zr na po nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00010246
CLASSPNP!ServiceTransferRequest+0xca:
fffff801`5b0b752a 458b722c mov r14d,dword ptr [r10+2Ch] ds:002b:00000000`0000002c=???
Resetting default scope
CUSTOMER_CRASH_COUNT: 1
DEFAULT_BUCKET_ID: WIN8_DRIVER_FAULT
BUGCHECK_STR: 0x3B
PROCESS_NAME: HDSentinel.exe
CURRENT_IRQL: 0
LAST_CONTROL_TRANSFER: from fffff8015b0b7403 to fffff8015b0b752a
STACK_TEXT:
ffffd000`21671f00 fffff801`5b0b7403 : ffffe001`c8e9a330 ffffffff`fffe2b00 ffffe001`00000000 ffffe001`c8e9a330 : CLASSPNP!ServiceTransferRequest+0xca
ffffd000`21671fb0 fffff802`0baeadbe : 00000000`00000001 00000000`0023ae1f ffffe001`cd7de280 ffffe001`ce6457e0 : CLASSPNP!ClassReadWrite+0x523
ffffd000`21672060 fffff802`0baeab98 : ffffe001`cd43bbd0 00000000`00000000 ffffe001`cd7de280 00000000`00000030 : nt!RawReadWriteDeviceControl+0x9e
ffffd000`21672090 fffff801`59f57895 : ffffe001`cd6d2490 ffffe001`cd43bbd0 ffffe001`cd43be50 ffffe001`cd6d2568 : nt!RawDispatch+0x78
ffffd000`216720e0 fffff801`59f552d8 : ffffe001`cd6d2568 ffffd000`216721b9 00000000`00000001 ffffe001`ced6ae00 : FLTMGR!FltpLegacyProcessingAfterPreCallbacksCompleted+0x1a5
ffffd000`21672170 fffff801`59f65e45 : ffffe001`cd6d2490 00000000`00000000 00000000`00000000 ffffe001`ce9d4480 : FLTMGR!FltPerformSynchronousIo+0x308
ffffd000`21672220 fffff801`59f659e1 : 00000000`00000000 fffff802`0b98ab08 00000000`00000000 00000000`00000295 : FLTMGR!FltReadFileEx+0x455
ffffd000`21672310 fffff801`5d9b1a20 : ffffe001`00000000 00000000`00001000 ffffe001`cda45b58 ffffd000`00000184 : FLTMGR!FltReadFile+0x51
ffffd000`21672380 ffffe001`00000000 : 00000000`00001000 ffffe001`cda45b58 ffffd000`00000184 ffffe001`ce9d4480 : scanner+0x1a20
ffffd000`21672388 00000000`00001000 : ffffe001`cda45b58 ffffd000`00000184 ffffe001`ce9d4480 00000000`00000005 : 0xffffe001`00000000
ffffd000`21672390 ffffe001`cda45b58 : ffffd000`00000184 ffffe001`ce9d4480 00000000`00000005 ffffd000`216723e0 : 0x1000
ffffd000`21672398 ffffd000`00000184 : ffffe001`ce9d4480 00000000`00000005 ffffd000`216723e0 00000000`00000000 : 0xffffe001`cda45b58
ffffd000`216723a0 ffffe001`ce9d4480 : 00000000`00000005 ffffd000`216723e0 00000000`00000000 00000000`00000000 : 0xffffd000`00000184
ffffd000`216723a8 00000000`00000005 : ffffd000`216723e0 00000000`00000000 00000000`00000000 fffff802`0b759581 : 0xffffe001`ce9d4480
ffffd000`216723b0 ffffd000`216723e0 : 00000000`00000000 00000000`00000000 fffff802`0b759581 ffffd000`80000005 : 0x5
ffffd000`216723b8 00000000`00000000 : 00000000`00000000 fffff802`0b759581 ffffd000`80000005 ffffe001`ce70b010 : 0xffffd000`216723e0
FOLLOWUP_IP:
CLASSPNP!ServiceTransferRequest+ca
fffff801`5b0b752a 458b722c mov r14d,dword ptr [r10+2Ch]
SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: CLASSPNP!ServiceTransferRequest+ca
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: CLASSPNP
IMAGE_NAME: CLASSPNP.SYS
DEBUG_FLR_IMAGE_TIMESTAMP: 5632d175
STACK_COMMAND: .cxr 0xffffd000216714e0 ; kb
FAILURE_BUCKET_ID: X64_0x3B_CLASSPNP!ServiceTransferRequest+ca
BUCKET_ID: X64_0x3B_CLASSPNP!ServiceTransferRequest+ca
Followup: MachineOwner
Hi Slava,
In my ScannerPostCreate I call the method below, which has FltReadFile. Can you please point out how I can solve this?

    NTSTATUS
    ScannerpScanFileInUserMode (
        _In_ PFLT_INSTANCE Instance,
        _In_ PFILE_OBJECT FileObject,
        _Out_ PBOOLEAN SafeToOpen
        )
    {
        NTSTATUS status = STATUS_SUCCESS;
        PVOID buffer = NULL;
        ULONG bytesRead;
        PSCANNER_NOTIFICATION notification = NULL;
        FLT_VOLUME_PROPERTIES volumeProps;
        LARGE_INTEGER offset;
        ULONG replyLength, length;
        PFLT_VOLUME volume = NULL;

        *SafeToOpen = TRUE;

        if (ScannerData.ClientPort == NULL) {
            return STATUS_SUCCESS;
        }

        try {

            status = FltGetVolumeFromInstance( Instance, &volume );

            if (!NT_SUCCESS( status )) {
                leave;
            }

            //
            // Determine sector size. Noncached I/O can only be done at sector size offsets, and in lengths which are
            // multiples of sector size. A more efficient way is to make this call once and remember the sector size in the
            // instance setup routine and setup an instance context where we can cache it.
            //

            status = FltGetVolumeProperties( volume,
                                             &volumeProps,
                                             sizeof( volumeProps ),
                                             &length );

            //
            // STATUS_BUFFER_OVERFLOW can be returned - however we only need the properties, not the names
            // hence we only check for error status.
            //

            if (NT_ERROR( status )) {
                leave;
            }

            length = max( SCANNER_READ_BUFFER_SIZE, volumeProps.SectorSize );

            //
            // Use non-buffered i/o, so allocate aligned pool
            //

            buffer = FltAllocatePoolAlignedWithTag( Instance,
                                                    NonPagedPool,
                                                    length,
                                                    'nacS' );

            if (NULL == buffer) {
                status = STATUS_INSUFFICIENT_RESOURCES;
                leave;
            }

            notification = ExAllocatePoolWithTag( NonPagedPool,
                                                  sizeof( SCANNER_NOTIFICATION ),
                                                  'nacS' );

            if (NULL == notification) {
                status = STATUS_INSUFFICIENT_RESOURCES;
                leave;
            }

            //
            // Read the beginning of the file and pass the contents to user mode.
            //

            offset.QuadPart = bytesRead = 0;
            status = FltReadFile( Instance,
                                  FileObject,
                                  &offset,
                                  length,
                                  buffer,
                                  FLTFL_IO_OPERATION_NON_CACHED |
                                  FLTFL_IO_OPERATION_DO_NOT_UPDATE_BYTE_OFFSET,
                                  &bytesRead,
                                  NULL,
                                  NULL );

            if (NT_SUCCESS( status ) && (0 != bytesRead)) {

                notification->BytesToScan = (ULONG) bytesRead;

                //
                // Copy only as much as the buffer can hold
                //

                RtlCopyMemory( &notification->Contents,
                               buffer,
                               min( notification->BytesToScan, SCANNER_READ_BUFFER_SIZE ) );

                replyLength = sizeof( SCANNER_REPLY );

                status = FltSendMessage( ScannerData.Filter,
                                         &ScannerData.ClientPort,
                                         notification,
                                         sizeof(SCANNER_NOTIFICATION),
                                         notification,
                                         &replyLength,
                                         NULL );

                if (STATUS_SUCCESS == status) {

                    *SafeToOpen = ((PSCANNER_REPLY) notification)->SafeToOpen;

                } else {

                    //
                    // Couldn't send message
                    //

                    //DbgPrint( "!!! scanner.sys -- couldn't send message to user-mode to scan file, status 0x%X\n", status );
                }
            }

        } finally {

            if (NULL != buffer) {
                FltFreePoolAlignedWithTag( Instance, buffer, 'nacS' );
            }

            if (NULL != notification) {
                ExFreePoolWithTag( notification, 'nacS' );
            }

            if (NULL != volume) {
                FltObjectDereference( volume );
            }
        }

        return status;
    }

Thank you Slava !
Try this check for DO_DIRECT_IO

    NTSTATUS
    ScannerpScanFileInUserMode (
        …
        )
    {
        …
        //
        // I don't use IoGetRelatedDeviceObject to exclude a rogue filter
        // that doesn't propagate DO_DIRECT_IO flag
        //
        if ((IoGetBaseFileSystemDeviceObject( FileObject ))->Flags & DO_DIRECT_IO) {
            return STATUS_SUCCESS;
        }

        if (ScannerData.ClientPort == NULL) {
            return STATUS_SUCCESS;
        }
        …
    }

This should stop crashing if yours or other driver/filter doesn’t corrupt objects or memory.
Hi Slava,
I tried your suggestion, but still the BSOD occurs with the same error - SYSTEM_SERVICE_EXCEPTION CLASSPNP.SYS.
Is there something else that can be done?
Thanks in advance.
Here’s the mini dump analysis:
Machine Name:
Kernel base = 0xfffff803`19678000 PsLoadedModuleList = 0xfffff803`19955c90
Debug session time: Sun May 7 16:33:01.396 2017 (UTC - 4:00)
System Uptime: 0 days 1:32:59.022
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
SYSTEM_SERVICE_EXCEPTION (3b)
An exception happened while executing a system service routine.
Arguments:
Arg1: 00000000c0000005, Exception code that caused the bugcheck
Arg2: fffff801c56c752a, Address of the instruction which caused the bugcheck
Arg3: ffffd000220d74e0, Address of the context record for the exception that caused the bugcheck
Arg4: 0000000000000000, zero.
Debugging Details:
TRIAGER: Could not open triage file : e:\dump_analysis\program\triage\modclass.ini, error 2
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at “0x%08lx” referenced memory at “0x%08lx”. The memory could not be “%s”.
FAULTING_IP:
CLASSPNP!ServiceTransferRequest+ca
fffff801`c56c752a 458b722c mov r14d,dword ptr [r10+2Ch]
CONTEXT: ffffd000220d74e0 -- (.cxr 0xffffd000220d74e0)
rax=ffffe000a2f34d78 rbx=ffffe0009dc571b0 rcx=ffffe000a2f34d78
rdx=0000000000000000 rsi=ffffe0009dc53010 rdi=ffffe000a2f34b00
rip=fffff801c56c752a rsp=ffffd000220d7f00 rbp=ffffe0009d1dcb20
r8=0000000000000000 r9=ffffe0009dc57060 r10=0000000000000000
r11=0000000000000000 r12=0000000000000000 r13=ffffe0009dc571b0
r14=0000000000000000 r15=ffffe000a2f34bd0
iopl=0 nv up ei pl zr na po nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00010246
CLASSPNP!ServiceTransferRequest+0xca:
fffff801`c56c752a 458b722c mov r14d,dword ptr [r10+2Ch] ds:002b:00000000`0000002c=???
Resetting default scope
CUSTOMER_CRASH_COUNT: 1
DEFAULT_BUCKET_ID: WIN8_DRIVER_FAULT
BUGCHECK_STR: 0x3B
PROCESS_NAME: HDSentinel.exe
CURRENT_IRQL: 0
LAST_CONTROL_TRANSFER: from fffff801c56c7403 to fffff801c56c752a
STACK_TEXT:
ffffd000`220d7f00 fffff801`c56c7403 : ffffe000`9dc57060 ffffffff`fffe2b00 ffffe000`00000000 ffffe000`9dc57060 : CLASSPNP!ServiceTransferRequest+0xca
ffffd000`220d7fb0 fffff803`19aebdbe : 00000000`00000001 00000000`0023ae23 ffffe000`a45ba850 ffffe000`a42c27e0 : CLASSPNP!ClassReadWrite+0x523
ffffd000`220d8060 fffff803`19aebb98 : ffffe000`a2f34bd0 00000000`00000000 ffffe000`a45ba850 00000000`00000030 : nt!RawReadWriteDeviceControl+0x9e
ffffd000`220d8090 fffff801`c4787895 : ffffe000`a261ca80 ffffe000`a2f34bd0 ffffe000`a2f34e50 ffffe000`a261cb58 : nt!RawDispatch+0x78
ffffd000`220d80e0 fffff801`c47852d8 : ffffe000`a261cb58 ffffd000`220d81b9 00000000`00000001 ffffe000`a3591950 : FLTMGR!FltpLegacyProcessingAfterPreCallbacksCompleted+0x1a5
ffffd000`220d8170 fffff801`c4795e45 : ffffe000`a261ca80 00000000`00000000 00000000`00000000 ffffe000`9c686830 : FLTMGR!FltPerformSynchronousIo+0x308
ffffd000`220d8220 fffff801`c47959e1 : 00000000`00000000 fffff803`1998bb08 00000000`00000000 00000000`00000295 : FLTMGR!FltReadFileEx+0x455
ffffd000`220d8310 fffff801`c83e1a20 : ffffe000`00000000 00000000`00001000 ffffe000`a33c20e8 ffffd000`00000184 : FLTMGR!FltReadFile+0x51
ffffd000`220d8380 ffffe000`00000000 : 00000000`00001000 ffffe000`a33c20e8 ffffd000`00000184 ffffe000`9c686830 : scanner+0x1a20
ffffd000`220d8388 00000000`00001000 : ffffe000`a33c20e8 ffffd000`00000184 ffffe000`9c686830 00000000`00000005 : 0xffffe000`00000000
ffffd000`220d8390 ffffe000`a33c20e8 : ffffd000`00000184 ffffe000`9c686830 00000000`00000005 ffffd000`220d83e0 : 0x1000
ffffd000`220d8398 ffffd000`00000184 : ffffe000`9c686830 00000000`00000005 ffffd000`220d83e0 00000000`00000000 : 0xffffe000`a33c20e8
ffffd000`220d83a0 ffffe000`9c686830 : 00000000`00000005 ffffd000`220d83e0 00000000`00000000 00000000`00000000 : 0xffffd000`00000184
ffffd000`220d83a8 00000000`00000005 : ffffd000`220d83e0 00000000`00000000 00000000`00000000 fffff803`1975a581 : 0xffffe000`9c686830
ffffd000`220d83b0 ffffd000`220d83e0 : 00000000`00000000 00000000`00000000 fffff803`1975a581 ffffd000`80000005 : 0x5
ffffd000`220d83b8 00000000`00000000 : 00000000`00000000 fffff803`1975a581 ffffd000`80000005 ffffe000`a449ebf0 : 0xffffd000`220d83e0
FOLLOWUP_IP:
CLASSPNP!ServiceTransferRequest+ca
fffff801`c56c752a 458b722c mov r14d,dword ptr [r10+2Ch]
SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: CLASSPNP!ServiceTransferRequest+ca
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: CLASSPNP
IMAGE_NAME: CLASSPNP.SYS
DEBUG_FLR_IMAGE_TIMESTAMP: 5632d175
STACK_COMMAND: .cxr 0xffffd000220d74e0 ; kb
FAILURE_BUCKET_ID: X64_0x3B_CLASSPNP!ServiceTransferRequest+ca
BUCKET_ID: X64_0x3B_CLASSPNP!ServiceTransferRequest+ca
Followup: MachineOwner
The DO_DIRECT_IO flag is allegedly missing for an object created by the RAW FSD but CLASSPNP expects a non NULL Irp->MdlAddress. This is an unusual situation and I don’t have enough information to investigate further the cause.
For example there is no stack shown after
ffffd000`00000184 ffffe000`9c686830 : scanner+0x1a20
because WinDBG was unable to locate symbols for your filter driver. This makes it impossible to know a call sequence that resulted in your filter being called.
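The reading of the dump given in the replies above (a NULL-based access inside CLASSPNP, and a stack that stops being symbolized at scanner), as an added example that is not part of the original thread: a Python helper that recomputes the faulting address from the .cxr registers and marks where the STACK_TEXT frames lose symbols. The sample lines are copied from the last dump with the backtick separators restored; the function names and the 64 KB NULL threshold are assumptions of this example.

```python
import re

# Constructed sample: lines copied from the last dump in this thread, with the
# backtick separators of the 64-bit values restored.
DUMP = """\
r8=0000000000000000 r9=ffffe0009dc57060 r10=0000000000000000
r11=0000000000000000 r12=0000000000000000 r13=ffffe0009dc571b0
CLASSPNP!ServiceTransferRequest+0xca:
fffff801`c56c752a 458b722c mov r14d,dword ptr [r10+2Ch]
STACK_TEXT:
ffffd000`220d7f00 fffff801`c56c7403 : ffffe000`9dc57060 ffffffff`fffe2b00 ffffe000`00000000 ffffe000`9dc57060 : CLASSPNP!ServiceTransferRequest+0xca
ffffd000`220d8060 fffff803`19aebb98 : ffffe000`a2f34bd0 00000000`00000000 ffffe000`a45ba850 00000000`00000030 : nt!RawReadWriteDeviceControl+0x9e
ffffd000`220d8310 fffff801`c83e1a20 : ffffe000`00000000 00000000`00001000 ffffe000`a33c20e8 ffffd000`00000184 : FLTMGR!FltReadFile+0x51
ffffd000`220d8380 ffffe000`00000000 : 00000000`00001000 ffffe000`a33c20e8 ffffd000`00000184 ffffe000`9c686830 : scanner+0x1a20
ffffd000`220d8388 00000000`00001000 : ffffe000`a33c20e8 ffffd000`00000184 ffffe000`9c686830 00000000`00000005 : 0xffffe000`00000000
"""

REG = re.compile(r"\b(r[a-z0-9]{1,2})=([0-9a-f]{16})\b")   # rax=..., r10=...
MEM = re.compile(r"\[(\w+)\+([0-9A-Fa-f]+)h\]")             # e.g. [r10+2Ch]
FRAME = re.compile(
    r"^[0-9a-f]{8}`[0-9a-f]{8} [0-9a-f]{8}`[0-9a-f]{8} : .+ : (\S+)$", re.M)
NULL_PAGE_LIMIT = 0x10000  # assumption: accesses below 64 KB are NULL-based


def fault_address(text):
    """Effective address of the faulting memory operand, from the .cxr registers."""
    regs = {name: int(value, 16) for name, value in REG.findall(text)}
    base, offset = MEM.search(text).groups()
    return regs[base] + int(offset, 16)


def classify(symbol):
    """Return (kind, module) for the symbol column of one STACK_TEXT frame."""
    if "!" in symbol:
        return "symbolized", symbol.split("!")[0]
    if symbol.startswith("0x"):
        return "raw", None          # bare address: the unwinder is lost here
    return "no-symbols", symbol.split("+")[0]


def triage(text):
    """Summarise what the dump supports and where symbols are missing."""
    frames = [classify(sym) for sym in FRAME.findall(text)]
    addr = fault_address(text)
    return {
        "fault_address": addr,
        "null_based": addr < NULL_PAGE_LIMIT,
        "faulting_module": frames[0][1],
        # modules shown as module+offset only: their .pdb was not found
        "needs_symbols": [mod for kind, mod in frames if kind == "no-symbols"],
        # number of leading frames that can be read as a real call chain
        "trusted_frames": next(
            (i for i, (kind, _) in enumerate(frames) if kind != "symbolized"),
            len(frames)),
    }


if __name__ == "__main__":
    print(triage(DUMP))
```
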
Hi Slava,
Thanks for your reply.
Is there any other information I can provide to help solve this problem?
All I need to do is send to user mode all I/O operations that the user calls. I just need to avoid the crash somehow.
Thanks.
Start with providing us with a call stack with calls before your scanner as I told before.
This can be done only when debugging, right?
I’m having troubles running VM… I am still trying…
WinDBG usually doesn’t have problems in finding symbol files if a dump is opened on the same PC where a driver was compiled and the driver has not been recompiled so symbol file has not been rewritten.
Check that your build environment generates a symbol file.
I am not familiar with what you are saying and not sure what you mean.
Should I provide the scanner.pdb file in my /x64/debug/ folder?