Windows System Software -- Consulting, Training, Development -- Unique Expertise, Guaranteed Results

Before Posting...
Please check out the Community Guidelines in the Announcements and Administration Category.

More Info on Driver Writing and Debugging

The free OSR Learning Library has more than 50 articles on a wide variety of topics about writing and debugging device drivers and Minifilters. From introductory level to advanced. All the articles have been recently reviewed and updated, and are written using the clear and definitive style you've come to expect from OSR over the years.

Check out The OSR Learning Library at:

IoGetDeviceObjectPointer() causes BSOD 8E on WinXP

KunalKunal Member - All Emails Posts: 21


I have a filesystem minifilter driver (on WIndows XP) in which I have registered for IRP_MJ_CLEANUP. Sometimes during the system bootup the machine crashes with bugcheck 8E.
The crash occurs when I call IoGetDeviceObjectPointer().
The logic for this piece of code is as below:
During the cleanup call, it first breaks the file path into parts seperated by a '\'. It then appends part one-by-one and analyzes if there is a DeviceObject that will handle the input name.
Eg, if the input path is "\Device\HarddiskVolume1\SiteLog\WinShare_log.txt", we will first pass "\Device" to IoGetDeviceObjectPointer(). If it fails, we will pass "\Device\HarddiskVolume1" and so on until we get a device object for that name.

But in one case it caused a BSOD when "\Device" was passed to IoGetDeviceObjectPointer(). BSOD is not reproducible and it occurs rarely. Does anybody have any clue about this BSOD?

Below is the analyze -v output:

1: kd> !analyze -v

  • *
  • Bugcheck Analysis *
  • *

This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Some common problems are exception code 0x80000003. This means a hard
coded breakpoint or assertion was hit, but this system was booted
/NODEBUG. This is not supposed to happen as developers should never have
hardcoded breakpoints in retail code, but ...
If this happens, make sure a debugger gets connected, and the
system is booted /DEBUG. This will let us see why this breakpoint is
Arg1: c0000005, The exception code that was not handled
Arg2: 8056ca2e, The address that the exception occurred at
Arg3: a09641fc, Trap Frame
Arg4: 00000000

Debugging Details:

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.

8056ca2e 848788000000 test byte ptr [edi+88h],al

TRAP_FRAME: a09641fc -- (.trap 0xffffffffa09641fc)
ErrCode = 00000000
eax=00000001 ebx=899a1f30 ecx=00000004 edx=00000000 esi=899a1fe4 edi=00000000
eip=8056ca2e esp=a0964270 ebp=a096427c iopl=0 nv up ei pl nz na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010202
8056ca2e 848788000000 test byte ptr [edi+88h],al ds:0023:00000088=??
Resetting default scope



PROCESS_NAME: drwtsn32.exe

LAST_CONTROL_TRANSFER: from 80522241 to 805376ba

a0963dc4 80522241 0000008e c0000005 8056ca2e nt!KeBugCheckEx+0x1b
a096418c 804de403 a09641a8 00000000 a09641fc nt!KiDispatchException+0x3b1
a09641f4 804de3b4 a096427c 8056ca2e badb0d00 nt!CommonDispatchException+0x4d
a096427c 8056ca93 899c06c8 89b7f020 899a1f30 nt!Kei386EoiHelper+0x18a
a096429c 8057018e 899a1f30 899a1fe4 00000000 nt!SeCreateAccessState+0x28
a09642d4 80579eb6 00000000 00000000 96437400 nt!ObOpenObjectByName+0x8f
a0964350 80579f85 a09644cc 00000000 a09644a4 nt!IopCreateFile+0x407
a09643ac 8057a0bc a09644cc 00000000 a09644a4 nt!IoCreateFile+0x8e
a09643ec 804dd99f a09644cc 00000000 a09644a4 nt!NtOpenFile+0x27
a09643ec 804e3bc3 a09644cc 00000000 a09644a4 nt!KiFastCallEntry+0xfc
a096447c 805e7db2 a09644cc 00000000 a09644a4 nt!ZwOpenFile+0x11
a09644c4 b9e839d0 a09644f4 00000000 a0964508 nt!IoGetDeviceObjectPointer+0x40
a0964540 b9e7f8f1 8a3f2020 a096456c a096457c swin!SwSysStrComponentizePath+0x190
a096459c b9e8028f 8a3f2020 a09645dc a09645d4 swin!SysCrtParsePathName+0xb1
a09645fc b9e80852 8a3f6868 8a3f688c 8a3f6868 swin!SysCrtCreateHandler+0xff
a0964614 b9e80955 8a3f6868 00000000 e3bda3d8 swin!SwSysCrtCreateCloseHandler+0x52
a0964640 b9e5d816 a09646a8 80000000 a0964750 swin!SwSysCrtFowardCreateEx+0xd5
a09646b8 b9e5e306 8a42a5e8 8a432b58 a0964830 swin!swflt_create_file_ex+0x186
a0964700 b9e9e36b 8a42a5e8 8a432b58 a0964830 swin!swflt_create_file+0x46
a0964778 b9e3bafd a096482c 80000000 a0964834 swin!swin_shadow_create_file+0x10b
a09647e8 b9e3ce67 a0964828 e330fc38 00000004 swin!qfile_open_basic+0x13d
a0964808 b9efcc89 a0964828 e330fc38 00000004 swin!qfile_open+0x17
a0964854 b9ef7d73 e36d9ae8 00000000 00000004 swin!cctl_du_filter_and_log+0x89
a09648c4 b9ef7f32 00000426 00000000 00000000 swin!cctl_process_file_change_ex+0x533
a09648ec b9e9c384 e36d9ae8 00000000 00000004 swin!cctl_process_file_change+0x22
a0964914 b9e9c920 e3a33438 00000001 89391d34 swin!fct_raise_mon_events+0xa4
a0964938 b9ea4e03 89391d34 00000000 00000000 swin!fct_fs_hook_cleanup_cmpl+0x100
a0964950 b9e63229 89391d34 897ecad8 00000000 swin!swin_fs_hook_cleanup_cmpl+0x23
a0964974 b9e5f94c b9ea4de0 89391d34 897ecad8 swin!swflt_file_filter_call_postop+0xc9
a09649a0 b9e6153b a09649e0 00000000 00000000 swin!flt_file_operation_irp_postprocess+0xcc
a09649cc b9e61c92 a09649fe a09649ff a09649fd swin!flt_file_cbdatairp_process+0xeb
a0964a00 b9e5b3df 00000000 a0964a1b 89393490 swin!swflt_file_operation_filter_irp_process+0x182
a0964a1c b9fe68e9 8a3f2020 89393490 a096f120 swin!SwFltFileFileSysControl+0x1f
a0964a60 804e13eb 8a3f2020 89393490 89393490 swin!SwFsFltCleanup+0x89
a0964a70 805741e9 89ab5568 00000038 8a598ca0 nt!IopfCallDriver+0x31
a0964aa0 8056f831 89b7f020 8a3f2020 00120196 nt!IopCloseFile+0x26b
a0964ad4 8056f984 89b7f020 00000001 8a598ca0 nt!ObpDecrementHandleCount+0xd8
a0964afc 8058ee2e e2ad79a0 89ab5580 000000ac nt!ObpCloseHandleTableEntry+0x14d
a0964b1c 8058e66a e10ff158 000000ac a0964b5c nt!ObpCloseHandleProcedure+0x1f
a0964b3c 8058edda e2ad79a0 8058ee0f a0964b5c nt!ExSweepHandleTable+0x3b
a0964b68 80605408 89b7f020 00000000 89b7f008 nt!ObKillProcess+0x5c
a0964b98 8056d73d 89b7f020 00000000 89b7f008 nt!PspProcessDelete+0xf9
a0964bb4 804e1977 89b7f020 00000000 00000074 nt!ObpRemoveObjectRoutine+0xe0
a0964bcc 8056f98c 000001e3 00000074 e10fa0e8 nt!ObfDereferenceObject+0x4c
a0964be4 8058ee2e e3a52440 89b7f020 00000074 nt!ObpCloseHandleTableEntry+0x155
a0964c04 8058e66a e10fa0e8 00000074 a0964c44 nt!ObpCloseHandleProcedure+0x1f
a0964c24 8058edda e3a52440 8058ee0f a0964c44 nt!ExSweepHandleTable+0x3b
a0964c50 8058e55f 899f0b28 89a05338 00000000 nt!ObKillProcess+0x5c
a0964cf0 8058ed59 00000000 a0964d4c 804e75da nt!PspExitThread+0x5e9
a0964cfc 804e75da 89a05338 a0964d48 a0964d3c nt!PsExitSpecialApc+0x22
a0964d4c 804dda0a 00000001 00000000 a0964d64 nt!KiDeliverApc+0x1af
a0964d4c 7c90e514 00000001 00000000 a0964d64 nt!KiServiceExit+0x59
WARNING: Frame IP not in any known module. Following frames may be wrong.
00a8ecfc 00000000 00000000 00000000 00000000 0x7c90e514


b9e839d0 8945e0 mov dword ptr [ebp-20h],eax

712: //
713: status = IoGetDeviceObjectPointer(&path,
715: &pFileObject,

716: &pDeviceObject);

718: //
719: // See if we found a match.
720: //
721: if ( NT_SUCCESS(status) )


SYMBOL_NAME: swin!SwSysStrComponentizePath+190



IMAGE_NAME: swin.sys


FAILURE_BUCKET_ID: 0x8E_swin!SwSysStrComponentizePath+190

BUCKET_ID: 0x8E_swin!SwSysStrComponentizePath+190

Followup: MachineOwner

1: kd> dv
pVolDev = 0x8a3f2020
pComponentListHead = 0xa096456c [ 0xe17833f8 - 0xe3e978c8 ]
PFinalName = 0xa096457c
PFinalNameLength = 0xa0964578
AddTrailingSlash = 0x00 ''
path = struct _UNICODE_STRING "\Device"
components = 1
status = 0n0
tmpBuffer = 0x00000000
pFileObject = 0x00000000
size = 0x84
pDeviceObject = 0x00000000
ppe = 0xe17833f8
component_offset = 7
finalNameLength = 0
pBuffer = 0xe13971d8
devName = struct _UNICODE_STRING "--- memory read error at address 0xfffffffe ---"
foundFilter = 0x00 ''

1: kd> !thread
THREAD 899c06c8 Cid 0a8c.0a9c Teb: 00000000 Win32Thread: 00000000 RUNNING on processor 1
IRP List:
89393490: (0006,01b4) Flags: 00000404 Mdl: 00000000
Not impersonating
Owning Process 0 Image:
Attached Process 89b7f020 Image: drwtsn32.exe
Wait Start TickCount 5768640 Ticks: 0
Context Switch Count 70 LargeStack
UserTime 00:00:00.000
KernelTime 00:00:00.015
Win32 Start Address 0x77df3539
Start Address 0x7c8106f9
Stack Init a0965000 Current a09644ac Base a0965000 Limit a0961000 Call 0
Priority 16 BasePriority 8 PriorityDecrement 0 DecrementCount 0
ChildEBP RetAddr Args to Child
a0963dc4 80522241 0000008e c0000005 8056ca2e nt!KeBugCheckEx+0x1b (FPO: [Non-Fpo])
a096418c 804de403 a09641a8 00000000 a09641fc nt!KiDispatchException+0x3b1 (FPO: [Non-Fpo])
a09641f4 804de3b4 a096427c 8056ca2e badb0d00 nt!CommonDispatchException+0x4d (FPO: [0,20,0])


  • Scott_Noone_(OSR)Scott_Noone_(OSR) Administrator Posts: 3,302

    You're calling IoGetDeviceObjectPointer on a Directory Object, so not entirely surprising that you're getting a crash on XP. I'd say the only solution is "don't do that."


Sign In or Register to comment.

Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!

Upcoming OSR Seminars
OSR has suspended in-person seminars due to the Covid-19 outbreak. But, don't miss your training! Attend via the internet instead!
Kernel Debugging 30 Mar 2020 OSR Seminar Space
Developing Minifilters 15 Jun 2020 LIVE ONLINE
Writing WDF Drivers 22 June 2020 LIVE ONLINE
Internals & Software Drivers 28 Sept 2020 Dulles, VA