Driver verifier issue due to status_not_implemented from FltGetFileNameInformation().

Hi All,

In my file system minifilter driver, name call back routine registered with filter manager calls FltGetFileNameInformationUnsafe() which returns status_not_implemented error code.

Due to this STATUS_NOT_IMPLEMENTED error code from name call back routine, driver verifier bugcheck comes:
FILTER VERIFIER ERROR: A filter has returned an invalid status code from a name provider callback routine
(Filter = FFFF9600559C2840, Instance = FFFF960055AE4010, Status = 0xc0000002)
status = FltGetFileNameInformationUnsafe( targetFileObject,
Instance,
NameOptions,
&belowFileName );

where

0: kd> dv
Instance = 0xffffc209dd725010 FileObject = 0xffffc209dd171a70
CallbackData = 0x0000000000000000 NameOptions = 0x2000101 CacheFileNameInformation = 0xffff8180c06e6e20 “”
FileName = 0xffffc209dfb443c0 targetFileObject = 0xffffc209dd171a70
flagPfFileObject = 0x00 ‘’
belowFileName = 0x0000000000000000 ccb = 0xffffd60b81e07c70
status = 0n-1073741822
cbd = 0x0000000000000000 fcb = 0xffffd60b81e078a0

Nameoption flag specifies:
FLT_FILE_NAME_NORMALIZED
FLT_FILE_NAME_QUERY_DEFAULT
FLT_FILE_NAME_DO_NOT_CACHE

and targetFileObject :

kd> dx -r1 ((sfntpffd!_FILE_OBJECT *)0xffffc209dd171a70)
((sfntpffd!_FILE_OBJECT *)0xffffc209dd171a70) : 0xffffc209dd171a70 : [Type: _FILE_OBJECT *]
[Type: _FILE_OBJECT]
[+0x0] Type : 5
[+0x2] Size : 216
[+0x8] DeviceObject : 0xffffc209dd6cbda0 : [Type: _DEVICE_OBJECT *]
[+0x10] Vpb : 0x0 : [Type: _VPB *]
[+0x18] FsContext : 0xffffd60b81e078a0 : [Type: void *]
[+0x20] FsContext2 : 0xffffd60b81e07c70 : [Type: void *]
[+0x28] SectionObjectPointer : 0xffffc209e0014528 : [Type: _SECTION_OBJECT_POINTERS *]
[+0x30] PrivateCacheMap : 0x0 : [Type: void *]
[+0x38] FinalStatus : 0
[+0x40] RelatedFileObject : 0x0 : [Type: _FILE_OBJECT *]
[+0x48] LockOperation : 0
[+0x49] DeletePending : 0
[+0x4a] ReadAccess : 1
[+0x4b] WriteAccess : 1
[+0x4c] DeleteAccess : 0
[+0x4d] SharedRead : 1
[+0x4e] SharedWrite : 1
[+0x4f] SharedDelete : 0
[+0x50] Flags : 0
[+0x58] FileName : [Type: _UNICODE_STRING]
[+0x68] CurrentByteOffset : [Type: _LARGE_INTEGER]
[+0x70] Waiters : 0
[+0x74] Busy : 0
[+0x78] LastLock : 0x0 : [Type: void *]
[+0x80] Lock : [Type: _KEVENT]
[+0x98] Event : [Type: _KEVENT]
[+0xb0] CompletionContext : 0x0 : [Type: _IO_COMPLETION_CONTEXT *]
[+0xb8] IrpListLock : 0
[+0xc0] IrpList : [Type: _LIST_ENTRY]
[+0xd0] FileObjectExtension : 0xffffeb895c844fb0 : [Type: void *]

and FileName is:
0: kd> dx -r1 ((sfntpffd!_UNICODE_STRING *)0xffffc209dd171ac8)
((sfntpffd!_UNICODE_STRING *)0xffffc209dd171ac8) : 0xffffc209dd171ac8 : [Type: _UNICODE_STRING *]
[Type: _UNICODE_STRING]
[+0x0] Length : 34
[+0x2] MaximumLength : 56
[+0x8] Buffer : 0xffffd60b81b38160 : [Type: wchar_t *] : “\TSCLIENT\SCARD\2”

This issue happens while taking RDP of system on which minifilter driver is installed, while getting file name information for “\TSCLIENT\SCARD\2”…

If anyone has idea regarding why FltGetFileNameInformationUnsafe has returned STATUS_NOT_IMPLEMENTED, please let me know.

Any help is highly appreciated…

Thanks a lot in advance!

Please send the full !analyze -v output here.

Please find details here:

Use !analyze -v to get detailed debugging information.

BugCheck 3B, {80000003, fffff803dd1f3018, ffff8a00e9670070, 0}

*** ERROR: Module load completed but symbols could not be loaded for PSINFile.sys
Probably caused by : PSINFile.sys ( PSINFile+3daf )

Followup: MachineOwner

************* Symbol Path validation summary **************
Response Time (ms) Location
Deferred srv*
OK C:\Pooja\Issues\31aug_win10_dump
1: kd> .reload /f @“\SystemRoot\system32\DRIVERS\sfntpffd.sys”
1: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

SYSTEM_SERVICE_EXCEPTION (3b)
An exception happened while executing a system service routine.
Arguments:
Arg1: 0000000080000003, Exception code that caused the bugcheck
Arg2: fffff803dd1f3018, Address of the instruction which caused the bugcheck
Arg3: ffff8a00e9670070, Address of the context record for the exception that caused the bugcheck
Arg4: 0000000000000000, zero.

Debugging Details:

*** ERROR: Module load completed but symbols could not be loaded for PSINFile.sys

DUMP_CLASS: 1

DUMP_QUALIFIER: 402

BUILD_VERSION_STRING: 15063.0.amd64fre.rs2_release.170317-1834

SYSTEM_MANUFACTURER: VMware, Inc.

VIRTUAL_MACHINE: VMware

SYSTEM_PRODUCT_NAME: VMware Virtual Platform

SYSTEM_VERSION: None

BIOS_VENDOR: Phoenix Technologies LTD

BIOS_VERSION: 6.00

BIOS_DATE: 07/30/2013

BASEBOARD_MANUFACTURER: Intel Corporation

BASEBOARD_PRODUCT: 440BX Desktop Reference Platform

BASEBOARD_VERSION: None

DUMP_TYPE: 0

BUGCHECK_P1: 80000003

BUGCHECK_P2: fffff803dd1f3018

BUGCHECK_P3: ffff8a00e9670070

BUGCHECK_P4: 0

EXCEPTION_CODE: (HRESULT) 0x80000003 (2147483651) - One or more arguments are invalid

FAULTING_IP:
nt!DebugPrompt+18
fffff803`dd1f3018 c3 ret

CONTEXT: ffff8a00e9670070 – (.cxr 0xffff8a00e9670070)
rax=0000000000000002 rbx=fffff80c94347390 rcx=fffff80c9433f378
rdx=ffff8a00e967001f rsi=ffffc00d2d012b80 rdi=000000000000002f
rip=fffff803dd1f3017 rsp=ffff8a00e9670a68 rbp=ffff8a00e9670bc0
r8=ffff8a00e9670af0 r9=0000000000000002 r10=ffff8a00e96708d0
r11=0000000000000000 r12=000000000000001c r13=000000000000001c
r14=0000000000000000 r15=ffffc00d2f875fa8
iopl=0 nv up ei pl zr na po nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00000246
nt!DebugPrompt+0x17:
fffff803`dd1f3017 cc int 3
Resetting default scope

CPU_COUNT: 2

CPU_MHZ: 960

CPU_VENDOR: GenuineIntel

CPU_FAMILY: 6

CPU_MODEL: 2d

CPU_STEPPING: 7

CPU_MICROCODE: 6,2d,7,0 (F,M,S,R) SIG: 710’00000000 (cache) 710’00000000 (init)

DEFAULT_BUCKET_ID: WIN8_DRIVER_FAULT

BUGCHECK_STR: 0x3B

PROCESS_NAME: svchost.exe

CURRENT_IRQL: 0

ANALYSIS_SESSION_HOST: NOI-D70QD152

ANALYSIS_SESSION_TIME: 09-22-2017 11:13:29.0673

ANALYSIS_VERSION: 10.0.15063.468 amd64fre

LAST_CONTROL_TRANSFER: from fffff803dd2b8a85 to fffff803dd1f3017

STACK_TEXT:
ffff8a00e9670a68 fffff803dd2b8a85 : ffff8a00e9670bc0 fffff803dd1542d0 fffff80c94347390 ffffc00d2d012b80 : nt!DebugPrompt+0x17
ffff8a00e9670a70 fffff80c9437491a : fffff80c94347390 ffffc00d2d012b80 fffff80c9433f374 0000000000000007 : nt!DbgPrompt+0x35
ffff8a00e9670ac0 fffff80c9437a260 : ffffc00d00000044 ffffc00d2d010880 ffffc00d2c92d4e0 ffffc00d2d130010 : FLTMGR!FltpvPrintErrors+0x14e
ffff8a00e9670d30 fffff80c94368215 : ffffc00d2f875f00 000000000000001a ffffc00d2f875f00 ffffc00d00000000 : FLTMGR!FltvNormalizeNameComponentEx+0xc0
ffff8a00e9670d90 fffff80c94357a2a : ffffc00d2f870001 ffffc00d0000001a 000000000000001b ffffc00d2f875f00 : FLTMGR!FltpExpandShortNames+0xefb1
ffff8a00e9670e20 fffff80c94357852 : ffffc00d2f875f00 ffff8a00e9660000 0000000000000000 00000000c000000d : FLTMGR!FltpGetNormalizedFileNameWorker+0x15e
ffff8a00e9670e60 fffff80c94356d7d : 0000000000000000 ffffc00d2fe73240 ffffc00d2fe73200 fffff80c94359da8 : FLTMGR!FltpGetNormalizedFileName+0x1a
ffff8a00e9670eb0 fffff80c9435d829 : 0000000000000000 ffffc00d2f875f00 ffffc00d2d12f680 ffffc00d2d130010 : FLTMGR!FltpCreateFileNameInformation+0x32d
ffff8a00e9670f00 fffff80c943273a5 : ffffc00d2f875f00 00000000c000000d ffffc00d2f875f00 ffffc00d2fe73208 : FLTMGR!CreateTemporaryFileNameInformation+0x3d
ffff8a00e9670f50 fffff80c94358181 : ffff8a00e9671210 ffffc00d2fe73200 ffffc00d2d130010 ffffc00d2fe763f0 : FLTMGR!FltpGetFileNameInformation+0x885
ffff8a00e9671000 fffff80c96ca3daf : ffffc00d2f875f00 ffff8a00e9671210 0000000000000101 0000000000000000 : FLTMGR!FltGetFileNameInformationUnsafe+0x71
ffff8a00e9671070 fffff80c96ca6d5a : 0000000000000000 0000000000002725 0000000000002713 0000000000000000 : PSINFile+0x3daf
ffff8a00e96710b0 fffff80c96ca55f3 : ffffc00d2fe73200 0000000001010101 ffffc00d2fe76370 0000000000000000 : PSINFile+0x6d5a
ffff8a00e9671150 fffff80c9432413c : ffffc00d2f84cb60 ffffc00d2f84cc80 c000001600000000 ffffc00d00000000 : PSINFile+0x55f3
ffff8a00e96711c0 fffff80c94323af3 : ffffc00d2f84ca00 ffffc00d2f84ca00 ffffe482d5626f68 0000000000000000 : FLTMGR!FltpPerformPostCallbacks+0x2ac
ffff8a00e9671290 fffff80c943256ce : ffffe482d5626dc0 ffffc00d2f84ca80 0000000000000008 ffffc00d2f84ca98 : FLTMGR!FltpPassThroughCompletionWorker+0x73
ffff8a00e96712d0 fffff80c9435612b : ffff8a00e9671380 ffffe482d5626f68 0000000000000000 0000000000000040 : FLTMGR!FltpLegacyProcessingAfterPreCallbacksCompleted+0x21e
ffff8a00e9671340 fffff803dd7e109d : ffffe482d5626d00 ffffe482d5626dc0 0000000000000000 0000000000000000 : FLTMGR!FltpCreate+0x2eb
ffff8a00e96713f0 fffff803dd2167ad : 0000000000000085 ffff8a00e9671750 ffffe482d5626dc0 ffffc00d2f3cd9b0 : nt!IovCallDriver+0x245
ffff8a00e9671430 fffff803dd518265 : 0000000000000085 ffff8a00e9671750 ffffc00d2d0fc1e0 0000000000000000 : nt!IofCallDriver+0x134f9d
ffff8a00e9671470 fffff803dd52361b : fffff803dd517a50 fffff803dd517a50 ffff8a0000000000 ffffc00d2d0fc5b0 : nt!IopParseDevice+0x815
ffff8a00e9671650 fffff803dd527150 : ffffc00d2ce82200 ffff8a00e96718b8 0000000000000040 ffffc00d2af029a0 : nt!ObpLookupObjectName+0x46b
ffff8a00e9671820 fffff803dd52b0ca : ffffc00d00000001 ffffc00d2ceefbb0 000000314c3ff280 0000000000000000 : nt!ObOpenObjectByNameEx+0x1e0
ffff8a00e9671960 fffff803dd52c159 : 000001455863edf0 ffffb00aa974a630 000000314c3ff280 000000314c3ff2b0 : nt!IopCreateFile+0x3aa
ffff8a00e9671a00 fffff803dd1f8413 : ffffafd7dffe5b30 ffffafd7ebefff28 ffffafd7ebf5f7f8 ffff6c6a94227079 : nt!NtCreateFile+0x79
ffff8a00e9671a90 00007ff976885e44 : 00007ff96cde71fe 0066006300000004 006300300030002d 00007ff96ce0b880 : nt!KiSystemServiceCopyEnd+0x13
000000314c3ff208 00007ff96cde71fe : 0066006300000004 006300300030002d 00007ff96ce0b880 00007ff96ce0b878 : ntdll!NtCreateFile+0x14
000000314c3ff210 00007ff96ce01ebb : 0000000000000010 000001455863eda0 0000000000000001 00007ff96ce19000 : WinSCard!RedirectionContextCreateRdpdrHandle+0xe2
000000314c3ff3e0 00007ff96ce0215c : 000001455863eda0 0000000000000000 0000000000000001 00007ff96ce01370 : WinSCard!_SendSCardIOCTLWithWaitForCallback+0xc3
000000314c3ff450 00007ff96cdfe3aa : 000001455863eda0 000001455863eda0 0000000000000000 000001455863eda0 : WinSCard!_SetStartedEventToCorrectState+0x100
000000314c3ff4a0 00007ff96cde508a : 0000014500000001 00007ff900000001 0000014500000004 0000000000002234 : WinSCard!RedirectedSCardAccessStartedEvent+0xe
000000314c3ff4d0 00007ff96cde26ba : 000001455863eda0 0000000000000001 000000314c3ff801 0000000000000001 : WinSCard!_guard_ss_verify_sp_default+0x9ca
000000314c3ff520 00007ff96ce323e2 : 0000000000000001 0000014500000004 0000000000002134 000001455863eda0 : WinSCard!SCardAccessStartedEvent+0x2da
000000314c3ff590 00007ff96ce3236b : 0000000000000009 00000000000016a4 0000000100000000 0000003149042000 : certprop!errcntrctlib::WinApiErrorContract<<lambda_729d4eada3656720b1e125f364f44fb4> >+0x32
000000314c3ff600 00007ff976823021 : 000001455866ae10 000001455862b780 000000007ffe0386 00000000000020f8 : certprop!CertPropAssociateSmartCardUserWithCertificateCallback+0x6b
000000314c3ff660 00007ff976821989 : 0000014558e87760 0000000000000000 00007ff976822ef0 0000000000000000 : ntdll!TppWorkpExecuteCallback+0x131
000000314c3ff6b0 00007ff975b22774 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : ntdll!TppWorkerThread+0x6c9
000000314c3ff9c0 00007ff976850d51 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : KERNEL32!BaseThreadInitThunk+0x14
000000314c3ff9f0 0000000000000000 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : ntdll!RtlUserThreadStart+0x21

THREAD_SHA1_HASH_MOD_FUNC: 1c65640d49035044e989aa6371b9ee704c23d750

THREAD_SHA1_HASH_MOD_FUNC_OFFSET: 03c39bc8cc86d3b9f3dccb83fc318f1748e1fd20

THREAD_SHA1_HASH_MOD: 7a5afbef3f43c6a14a102d7f9977964302622394

FOLLOWUP_IP:
PSINFile+3daf
fffff80c96ca3daf 85c0 test eax,eax<br><br>FAULT_INSTR_CODE: 3c79c085<br><br>SYMBOL_STACK_INDEX: b<br><br>SYMBOL_NAME: PSINFile+3daf<br><br>FOLLOWUP_NAME: MachineOwner<br><br>MODULE_NAME: PSINFile<br><br>IMAGE_NAME: PSINFile.sys<br><br>DEBUG_FLR_IMAGE_TIMESTAMP: 57a3fab9<br><br>STACK_COMMAND: .cxr 0xffff8a00e9670070 ; kb<br><br>BUCKET_ID_FUNC_OFFSET: 3daf<br><br>FAILURE_BUCKET_ID: 0x3B_VRF_PSINFile!unknown_function<br><br>BUCKET_ID: 0x3B_VRF_PSINFile!unknown_function<br><br>PRIMARY_PROBLEM_CLASS: 0x3B_VRF_PSINFile!unknown_function<br><br>TARGET_TIME: 2017-08-31T07:11:22.000Z<br><br>OSBUILD: 15063<br><br>OSSERVICEPACK: 0<br><br>SERVICEPACK_NUMBER: 0<br><br>OS_REVISION: 0<br><br>SUITE_MASK: 272<br><br>PRODUCT_TYPE: 1<br><br>OSPLATFORM_TYPE: x64<br><br>OSNAME: Windows 10<br><br>OSEDITION: Windows 10 WinNt TerminalServer SingleUserTS<br><br>OS_LOCALE: <br><br>USER_LCID: 0<br><br>OSBUILD_TIMESTAMP: 2017-08-01 06:53:25<br><br>BUILDDATESTAMP_STR: 170317-1834<br><br>BUILDLAB_STR: rs2_release<br><br>BUILDOSVER_STR: 10.0.15063.0.amd64fre.rs2_release.170317-1834<br><br>ANALYSIS_SESSION_ELAPSED_TIME: 281b<br><br>ANALYSIS_SOURCE: KM<br><br>FAILURE_ID_HASH_STRING: km:0x3b_vrf_psinfile!unknown_function<br><br>FAILURE_ID_HASH: {ffe7027d-0b4d-0ac3-d7f0-c05980763caa}<br><br>Followup: MachineOwner<br>---------<br><br>1: kd&gt; k<br> # Child-SP RetAddr Call Site<br>00 ffff8a00e966f798 fffff803dd1f88a9 nt!KeBugCheckEx<br>01 ffff8a00e966f7a0 fffff803dd1f803c nt!KiBugCheckDispatch+0x69<br>02 ffff8a00e966f8e0 fffff803dd1f3a3d nt!KiSystemServiceHandler+0x7c<br>03 ffff8a00e966f920 fffff803dd0acd94 nt!RtlpExecuteHandlerForException+0xd<br>04 ffff8a00e966f950 fffff803dd0abb36 nt!RtlDispatchException+0x404<br>05 ffff8a00e9670040 fffff803dd1f898e nt!KiDispatchException+0x1f6<br>06 ffff8a00e96706f0 fffff803dd1f7df6 nt!KiExceptionDispatch+0xce<br>07 ffff8a00e96708d0 fffff803dd1f3018 nt!KiDebugServiceTrap+0xf6<br>08 ffff8a00e9670a68 fffff803dd2b8a85 nt!DebugPrompt+0x18<br>09 ffff8a00e9670a70 fffff80c9437491a nt!DbgPrompt+0x35<br>0a ffff8a00e9670ac0 fffff80c9437a260 FLTMGR!FltpvPrintErrors+0x14e<br>0b ffff8a00e9670d30 fffff80c94368215 FLTMGR!FltvNormalizeNameComponentEx+0xc0<br>0c ffff8a00e9670d90 fffff80c94357a2a FLTMGR!FltpExpandShortNames+0xefb1<br>0d ffff8a00e9670e20 fffff80c94357852 FLTMGR!FltpGetNormalizedFileNameWorker+0x15e<br>0e ffff8a00e9670e60 fffff80c94356d7d FLTMGR!FltpGetNormalizedFileName+0x1a<br>0f ffff8a00e9670eb0 fffff80c9435d829 FLTMGR!FltpCreateFileNameInformation+0x32d<br>10 ffff8a00e9670f00 fffff80c943273a5 FLTMGR!CreateTemporaryFileNameInformation+0x3d<br>11 ffff8a00e9670f50 fffff80c94358181 FLTMGR!FltpGetFileNameInformation+0x885<br>12 ffff8a00e9671000 fffff80c96ca3daf FLTMGR!FltGetFileNameInformationUnsafe+0x71<br>13 ffff8a00e9671070 fffff80c96ca6d5a PSINFile+0x3daf<br>14 ffff8a00e96710b0 fffff80c96ca55f3 PSINFile+0x6d5a<br>15 ffff8a00e9671150 fffff80c9432413c PSINFile+0x55f3<br>16 ffff8a00e96711c0 fffff80c94323af3 FLTMGR!FltpPerformPostCallbacks+0x2ac<br>17 ffff8a00e9671290 fffff80c943256ce FLTMGR!FltpPassThroughCompletionWorker+0x73<br>18 ffff8a00e96712d0 fffff80c9435612b FLTMGR!FltpLegacyProcessingAfterPreCallbacksCompleted+0x21e<br>19 ffff8a00e9671340 fffff803dd7e109d FLTMGR!FltpCreate+0x2eb<br>1a ffff8a00e96713f0 fffff803dd2167ad nt!IovCallDriver+0x245<br>1b ffff8a00e9671430 fffff803dd518265 nt!IofCallDriver+0x134f9d<br>1c ffff8a00e9671470 fffff803dd52361b nt!IopParseDevice+0x815<br>1d ffff8a00e9671650 fffff803dd527150 nt!ObpLookupObjectName+0x46b<br>1e ffff8a00e9671820 fffff803dd52b0ca nt!ObOpenObjectByNameEx+0x1e0<br>1f ffff8a00e9671960 fffff803dd52c159 nt!IopCreateFile+0x3aa<br>20 ffff8a00e9671a00 fffff803dd1f8413 nt!NtCreateFile+0x79<br>21 ffff8a00e9671a90 00007ff976885e44 nt!KiSystemServiceCopyEnd+0x13<br>22 000000314c3ff208 00007ff96cde71fe ntdll!NtCreateFile+0x14<br>23 000000314c3ff210 00007ff96ce01ebb WinSCard!RedirectionContextCreateRdpdrHandle+0xe2<br>24 000000314c3ff3e0 00007ff96ce0215c WinSCard!_SendSCardIOCTLWithWaitForCallback+0xc3<br>25 000000314c3ff450 00007ff96cdfe3aa WinSCard!_SetStartedEventToCorrectState+0x100<br>26 000000314c3ff4a0 00007ff96cde508a WinSCard!RedirectedSCardAccessStartedEvent+0xe<br>27 000000314c3ff4d0 00007ff96cde26ba WinSCard!_guard_ss_verify_sp_default+0x9ca<br>28 000000314c3ff520 00007ff96ce323e2 WinSCard!SCardAccessStartedEvent+0x2da<br>29 000000314c3ff590 00007ff96ce3236b certprop!errcntrctlib::WinApiErrorContract&lt;<lambda_729d4eada3656720b1e125f364f44fb4> &gt;+0x32<br>2a 000000314c3ff600 00007ff976823021 certprop!CertPropAssociateSmartCardUserWithCertificateCallback+0x6b<br>2b 000000314c3ff660 00007ff976821989 ntdll!TppWorkpExecuteCallback+0x131<br>2c 000000314c3ff6b0 00007ff975b22774 ntdll!TppWorkerThread+0x6c9<br>2d 000000314c3ff9c0 00007ff976850d51 KERNEL32!BaseThreadInitThunk+0x14<br>2e 000000314c3ff9f0 00000000`00000000 ntdll!RtlUserThreadStart+0x21

---------------------------------------------------------------------------------------------------
If we attach debugger, then we can see bellow error,
FILTER VERIFIER ERROR: A filter has returned an invalid status code from a
name provider callback routine
(Filter = FFFF9600559C2840, Instance = FFFF960055AE4010, Status = 0xc0000002)

where Status = 0xc0000002 is STATUS_Not_implemented,</lambda_729d4eada3656720b1e125f364f44fb4></lambda_729d4eada3656720b1e125f364f44fb4>

This issue is related to FLTMGR!FltGetFileNameInformationUnsafe+0x71 since the antivirus is directly calling this routine with what altitude value ?? is it yours??

send the kb output.

Thanks for your response.

Let me elaborate in detail, interop issue with driver verifier ON on sfntpffd(my driver).
I have installed an antivirus PSIINF.sys alongwith sfntpffd installed. While taking remote desktop in presence of PSIINF.sys, system BSODs.

Altitude of PSIINF.sys 327610
and altitude of sfntpffd 144200

In my driver context, name call back routine gets called, which in turn calls FltGetFileNameInformationUnsafe(), which returns STATUS_NOT_IMPLEMENTED.
With debugger attached, it thorws filter manager verifier exception and clearly points my driver(sfntpffd) and same status code.
To confirm, I modified return value of STATUS_NOT_IMPLEMENTED from FltGetFileNameInformationUnsafe(), to STATUS_OBJECT_PATH_NOT_FOUND and BSOD did not happen.

1: kd> kb

RetAddr : Args to Child : Call Site

00 fffff803dd1f88a9 : 000000000000003b 0000000080000003 fffff803dd1f3018 ffff8a00e9670070 : nt!KeBugCheckEx 01 fffff803dd1f803c : ffff8a00e9670828 ffff8a00e9670070 0000000000000000 ffff8a00e9670828 : nt!KiBugCheckDispatch+0x69
02 fffff803dd1f3a3d : fffff803dd40b000 fffff803dd081000 000536a000889000 ffff8a00e966ff10 : nt!KiSystemServiceHandler+0x7c 03 fffff803dd0acd94 : 0000000000000004 ffff8a00e966fa50 0000000000000000 0000001100000100 : nt!RtlpExecuteHandlerForException+0xd
04 fffff803dd0abb36 : ffff8a00e9670828 ffff8a00e9670570 ffff8a00e9670828 ffff8a00e9670828 : nt!RtlDispatchException+0x404 05 fffff803dd1f898e : 0000000000000000 0000000000000000 0000000000000001 ffff8a00e96709a0 : nt!KiDispatchException+0x1f6
06 fffff803dd1f7df6 : ffff8a00e96709a1 0000000000000000 00000000e9670100 0000000000000042 : nt!KiExceptionDispatch+0xce 07 fffff803dd1f3018 : fffff803dd2b8a85 ffff8a00e9670bc0 fffff803dd1542d0 fffff80c94347390 : nt!KiDebugServiceTrap+0xf6
08 fffff803dd2b8a85 : ffff8a00e9670bc0 fffff803dd1542d0 fffff80c94347390 ffffc00d2d012b80 : nt!DebugPrompt+0x18 09 fffff80c9437491a : fffff80c94347390 ffffc00d2d012b80 fffff80c9433f374 0000000000000007 : nt!DbgPrompt+0x35
0a fffff80c9437a260 : ffffc00d00000044 ffffc00d2d010880 ffffc00d2c92d4e0 ffffc00d2d130010 : FLTMGR!FltpvPrintErrors+0x14e 0b fffff80c94368215 : ffffc00d2f875f00 000000000000001a ffffc00d2f875f00 ffffc00d00000000 : FLTMGR!FltvNormalizeNameComponentEx+0xc0
0c fffff80c94357a2a : ffffc00d2f870001 ffffc00d0000001a 000000000000001b ffffc00d2f875f00 : FLTMGR!FltpExpandShortNames+0xefb1 0d fffff80c94357852 : ffffc00d2f875f00 ffff8a00e9660000 0000000000000000 00000000c000000d : FLTMGR!FltpGetNormalizedFileNameWorker+0x15e
0e fffff80c94356d7d : 0000000000000000 ffffc00d2fe73240 ffffc00d2fe73200 fffff80c94359da8 : FLTMGR!FltpGetNormalizedFileName+0x1a 0f fffff80c9435d829 : 0000000000000000 ffffc00d2f875f00 ffffc00d2d12f680 ffffc00d2d130010 : FLTMGR!FltpCreateFileNameInformation+0x32d
10 fffff80c943273a5 : ffffc00d2f875f00 00000000c000000d ffffc00d2f875f00 ffffc00d2fe73208 : FLTMGR!CreateTemporaryFileNameInformation+0x3d 11 fffff80c94358181 : ffff8a00e9671210 ffffc00d2fe73200 ffffc00d2d130010 ffffc00d2fe763f0 : FLTMGR!FltpGetFileNameInformation+0x885
12 fffff80c96ca3daf : ffffc00d2f875f00 ffff8a00e9671210 0000000000000101 0000000000000000 : FLTMGR!FltGetFileNameInformationUnsafe+0x71 13 fffff80c96ca6d5a : 0000000000000000 0000000000002725 0000000000002713 0000000000000000 : PSINFile+0x3daf
14 fffff80c96ca55f3 : ffffc00d2fe73200 0000000001010101 ffffc00d2fe76370 0000000000000000 : PSINFile+0x6d5a 15 fffff80c9432413c : ffffc00d2f84cb60 ffffc00d2f84cc80 c000001600000000 ffffc00d00000000 : PSINFile+0x55f3
16 fffff80c94323af3 : ffffc00d2f84ca00 ffffc00d2f84ca00 ffffe482d5626f68 0000000000000000 : FLTMGR!FltpPerformPostCallbacks+0x2ac 17 fffff80c943256ce : ffffe482d5626dc0 ffffc00d2f84ca80 0000000000000008 ffffc00d2f84ca98 : FLTMGR!FltpPassThroughCompletionWorker+0x73
18 fffff80c9435612b : ffff8a00e9671380 ffffe482d5626f68 0000000000000000 0000000000000040 : FLTMGR!FltpLegacyProcessingAfterPreCallbacksCompleted+0x21e 19 fffff803dd7e109d : ffffe482d5626d00 ffffe482d5626dc0 0000000000000000 0000000000000000 : FLTMGR!FltpCreate+0x2eb
1a fffff803dd2167ad : 0000000000000085 ffff8a00e9671750 ffffe482d5626dc0 ffffc00d2f3cd9b0 : nt!IovCallDriver+0x245 1b fffff803dd518265 : 0000000000000085 ffff8a00e9671750 ffffc00d2d0fc1e0 0000000000000000 : nt!IofCallDriver+0x134f9d
1c fffff803dd52361b : fffff803dd517a50 fffff803dd517a50 ffff8a0000000000 ffffc00d2d0fc5b0 : nt!IopParseDevice+0x815 1d fffff803dd527150 : ffffc00d2ce82200 ffff8a00e96718b8 0000000000000040 ffffc00d2af029a0 : nt!ObpLookupObjectName+0x46b
1e fffff803dd52b0ca : ffffc00d00000001 ffffc00d2ceefbb0 000000314c3ff280 0000000000000000 : nt!ObOpenObjectByNameEx+0x1e0 1f fffff803dd52c159 : 000001455863edf0 ffffb00aa974a630 000000314c3ff280 000000314c3ff2b0 : nt!IopCreateFile+0x3aa
20 fffff803dd1f8413 : ffffafd7dffe5b30 ffffafd7ebefff28 ffffafd7ebf5f7f8 ffff6c6a94227079 : nt!NtCreateFile+0x79 21 00007ff976885e44 : 00007ff96cde71fe 0066006300000004 006300300030002d 00007ff96ce0b880 : nt!KiSystemServiceCopyEnd+0x13
22 00007ff96cde71fe : 0066006300000004 006300300030002d 00007ff96ce0b880 00007ff96ce0b878 : ntdll!NtCreateFile+0x14 23 00007ff96ce01ebb : 0000000000000010 000001455863eda0 0000000000000001 00007ff96ce19000 : WinSCard!RedirectionContextCreateRdpdrHandle+0xe2
24 00007ff96ce0215c : 000001455863eda0 0000000000000000 0000000000000001 00007ff96ce01370 : WinSCard!_SendSCardIOCTLWithWaitForCallback+0xc3 25 00007ff96cdfe3aa : 000001455863eda0 000001455863eda0 0000000000000000 000001455863eda0 : WinSCard!_SetStartedEventToCorrectState+0x100
26 00007ff96cde508a : 0000014500000001 00007ff900000001 0000014500000004 0000000000002234 : WinSCard!RedirectedSCardAccessStartedEvent+0xe 27 00007ff96cde26ba : 000001455863eda0 0000000000000001 000000314c3ff801 0000000000000001 : WinSCard!_guard_ss_verify_sp_default+0x9ca
28 00007ff96ce323e2 : 0000000000000001 0000014500000004 0000000000002134 000001455863eda0 : WinSCard!SCardAccessStartedEvent+0x2da 29 00007ff96ce3236b : 0000000000000009 00000000000016a4 0000000100000000 0000003149042000 : certprop!errcntrctlib::WinApiErrorContract<<lambda_729d4eada3656720b1e125f364f44fb4> >+0x32
2a 00007ff976823021 : 000001455866ae10 000001455862b780 000000007ffe0386 00000000000020f8 : certprop!CertPropAssociateSmartCardUserWithCertificateCallback+0x6b<br>2b 00007ff976821989 : 0000014558e87760 0000000000000000 00007ff976822ef0 0000000000000000 : ntdll!TppWorkpExecuteCallback+0x131
2c 00007ff975b22774 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : ntdll!TppWorkerThread+0x6c9<br>2d 00007ff976850d51 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : KERNEL32!BaseThreadInitThunk+0x14
2e 0000000000000000 : 0000000000000000 0000000000000000 0000000000000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x21
1: kd> !fltkd.filtters
fltkd has no filtters export
1: kd> !fltkd.filters

Filter List: ffffc00d2d003930 “Frame 0”
FLT_FILTER: ffffc00d2d00e660 “vsepflt” “328200”
FLT_INSTANCE: ffffc00d2d12fc50 “vsepflt Instance” “328200”
FLT_INSTANCE: ffffc00d2d2ccc50 “vsepflt Instance” “328200”
FLT_INSTANCE: ffffc00d2db5ec50 “vsepflt Instance” “328200”
FLT_INSTANCE: ffffc00d2dba6c50 “vsepflt Instance” “328200”
FLT_FILTER: ffffc00d2c1c9c10 “PSINProc” “327620”
FLT_INSTANCE: ffffc00d2daacd70 “PSINProc Instance” “327620”
FLT_INSTANCE: ffffc00d2dbf9010 “PSINProc Instance” “327620”
FLT_INSTANCE: ffffc00d2e06dca0 “PSINProc Instance” “327620”
FLT_INSTANCE: ffffc00d2e1c27e0 “PSINProc Instance” “327620”
FLT_FILTER: ffffc00d2e0b5220 “PSINFile” “327610”
FLT_INSTANCE: ffffc00d2e1c7c80 “PSINFile Instance” “327610”
FLT_INSTANCE: ffffc00d2e1c78f0 “PSINFile Instance” “327610”
FLT_INSTANCE: ffffc00d2e1c8c80 “PSINFile Instance” “327610”
FLT_INSTANCE: ffffc00d2e095c00 “PSINFile Instance” “327610”
FLT_FILTER: ffffc00d2e3fe7a0 “storqosflt” “244000”
FLT_FILTER: ffffc00d2e09b010 “wcifs” “189900”
FLT_INSTANCE: ffffc00d2e09b580 “wcifs Instance” “189900”
FLT_FILTER: ffffc00d2d010880 “Sfntpffd” “144200”
FLT_INSTANCE: ffffc00d2d130010 “Sfntpffd Instance” “144200”
FLT_INSTANCE: ffffc00d2d2c52f0 “Sfntpffd Instance” “144200”
FLT_INSTANCE: ffffc00d2db5e010 “Sfntpffd Instance” “144200”
FLT_INSTANCE: ffffc00d2dba6010 “Sfntpffd Instance” “144200”
FLT_FILTER: ffffc00d2c1ca640 “FileCrypt” “141100”
FLT_FILTER: ffffc00d2e0a44d0 “luafv” “135000”
FLT_INSTANCE: ffffc00d2e0a8470 “luafv” “135000”
FLT_FILTER: ffffc00d2d3c8b10 “npsvctrig” “46000”
FLT_INSTANCE: ffffc00d2d3ddd20 “npsvctrig” “46000”
FLT_FILTER: ffffc00d2d00c710 “Wof” “[ERROR READING NAME]”
FLT_INSTANCE: ffffc00d2d2bd010 “Wof Instance” “40700”
FLT_INSTANCE: ffffc00d2db52b90 “Wof Instance” “40700”
FLT_INSTANCE: ffffc00d2db9fb90 “Wof Instance” “40700”
FLT_FILTER: ffffc00d2d00c010 “FileInfo” “40500”
FLT_INSTANCE: ffffc00d2d10ab40 “FileInfo” “40500”
FLT_INSTANCE: ffffc00d2d2bc640 “FileInfo” “40500”
FLT_INSTANCE: ffffc00d2db50b40 “FileInfo” “40500”
FLT_INSTANCE: ffffc00d2db9db40 “FileInfo” “40500”

Let me know, if any further info needed.</lambda_729d4eada3656720b1e125f364f44fb4>

The RDP network redirector is probably failing the name query for the
“SCARD” share as this has to do with smart card usage across RDP. You should
be able to confirm by walking into the FltGetFileNameInformationUnsafe call
in the debugger.

You probably don’t want to fail the operation here. The path DOES exist, it
just doesn’t let you perform this particular query on it. Ideally you would
just ignore anything that tries to access the TSCLIENT\SCARD path. Whether
or not path based filtering/ignoring like this is appropriate for your
filter really depends on what exactly your filter does. Given that it’s the
network you might be able to improve the precision of the ignore by using
FsRtlMupGetProviderInfoFromFileObject to determine that this request is
being handled by RDP.

Two other things:

  1. Another way to handle this might be to just copy the provided Component
    as the ExpandedComponent if you get back STATUS_NOT_IMPLEMENTED. If the
    lower FS isn’t giving you a way to query the name, then presumably the name
    must be the name

  2. Stepping back a bit, I don’t understand why you’d be calling
    FltGetFileNameInformationUnsafe on the provided FileObject to
    NormalizeNameComponentExCallback? The normal thing to do is open the parent
    path and query the directory for the component. Not sure what the path of
    the incoming FileObject gets you?

-scott
OSR
@OSRDrivers

Thanks scott for your response!

yes, you are right as mentioned from bsod details , this issue happens for TSCLIENT\SCARD path.

0: kd> dx -r1 ((sfntpffd!_UNICODE_STRING *)0xffffc209dd171ac8)
((sfntpffd!_UNICODE_STRING *)0xffffc209dd171ac8) : 0xffffc209dd171ac8 : [Type:
_UNICODE_STRING *]
[Type: _UNICODE_STRING]
[+0x0] Length : 34
[+0x2] MaximumLength : 56
[+0x8] Buffer : 0xffffd60b81b38160 : [Type: wchar_t *] :
“\TSCLIENT\SCARD\2”

Few concerns here:

  1. From our filter driver , name call back GenerateFileNameCallback gets called, which calls FltGetFileNameInformationUnsafe() as per name call backs functionality being mentioned at below link:
    http://fsfilters.blogspot.in/2011/03/names-in-minifilters-implementing-name.html

And we have returned STATUS_NOT_IMPLEMENTED that we got from FltGetFileNameInformationUnsafe() to upper layer…

  1. In NormalizeNameComponentExCallback, FltQueryDirectoryFile returns STATUS_NOT_IMPLEMENTED, which is not valid as per filter manager verifier check…

so, both registered name callbacks GenerateFileNameCallback and NormalizeNameComponentExCallback have returned STATUS_NOT_IMPLEMENTED, which is not valid.

Are you suggesting that we should by pass both name call backs for TSCLIENT\SCARD\ path.?

and how can get help from FsRtlMupGetProviderInfoFromFileObject ??

Thanks a lot!!

> Are you suggesting that we should by pass both name call backs for

TSCLIENT\SCARD\ path.?

Yes. If the RDP redirector doesn’t support the information queries necessary
to call these APIs then there’s not much you can do. You either need to
avoid asking in the first place or deal with the error code using some sane
default behavior.

It is valid to return STATUS_NOT_SUPPORTED from the
GenerateFileNameCallback. FltMgr will then just try calling your
NormalizeNameComponent callback for each piece of the path.

I think it’s a bit harsh for Flt Verifier to throw error on the result of
NormalizeNameComponent, but that doesn’t matter much at the moment…If RDP
doesn’t support querying the contents of this particular “directory” then
I’d consider it reasonable to assume that there are no short names in the
path and the incoming name is as good as the expanded name. That would make
the default behavior to copy the Component into the ExpandComponentName.

and how can get help from FsRtlMupGetProviderInfoFromFileObject ??

If you want to filter out messing with this path, you could just say “it’s a
special case if I’m dealing with anything named \TSCLIENT\". However,
that opens you up to taking the special case in ALL cases involving this
path, even when the target is RDP. A better refinement would be to say,
"it’s a special case if I’m dealing with anything named \TSCLIENT\
and
it’s on the network.” That sort of works, but now you would take the special
case if you’re talking to something named TSCLIENT over SMB or NFS (for
example).

The last level of refinement then is to say, “it’s a special case if I’m
dealing with anything named \TSCLIENT\* and it’s on the network and the
network redirector is RDP.” That last bit is what
FsRtlMupGetProviderInfoFromFileObject lets you determine.

However, after your additional details I’d say that easiest path is just to
react to the error in your normalize callback. You might want to ASSERT that
the offending path is the TSCLIENT one so that you can catch other instances
of this and make sure you’re not masking a real issue elsewhere.

-scott
OSR
@OSRDrivers

Thanks scott for further information!!

> It is valid to return STATUS_NOT_SUPPORTED from the
GenerateFileNameCallback.

I have tried changing error code to STATUS_NOT_SUPPORTED, but filter manager throws same exception.
However, it worked with STATUS_OBJECT_PATH_NOT_FOUND.

I just wrote a quick filter and reproduced this behavior. This is what I see
happen:

  1. Upper filter queries for a normalized name, I get called at
    GenerateFileName

  2. FltGetFileNameInformation for normalized name information fails with
    STATUS_NOT_IMPLEMENTED. This appears to be due to the RDP redirector not
    supporting querying for FileStandardInformation

  3. FltMgr Verifier is good with STATUS_NOT_IMPLEMENTED because it was a
    Normalized Name Query:

cmp ebx,0C0000002h
je FLTMGR!FltvGenerateFileName+0x74 (fffff800b59723b4) cmp ebx,0C00000BBh jne FLTMGR!FltvGenerateFileName+0x96 (fffff800b59723d6)
cmp bpl,2 ==> If a normalized query, don’t print Verifier error
jne FLTMGR!FltvGenerateFileName+0x96 (fffff800`b59723d6)

  1. FltMgr then calls GenerateFileName again for an Opened name query. This
    time my call to FltGetFileNameInformation works because I’m just getting the
    opened name.

  2. FltMgr then calls the NormalizeNameComponent callback to try to expand
    the short name. This fails because the directory enumeration fails and I get
    the FltMgr Verifier error

This is with Server 2016 RS1 because it’s what I had lying around.

Are you seeing different behavior?

-scott
OSR
@OSRDrivers