IoGetDeviceObjectPointer() causes BSOD 8E on WinXP

Hi,

I have a filesystem minifilter driver (on Windows XP) in which I have registered for IRP_MJ_CLEANUP. Sometimes during system bootup the machine crashes with bugcheck 8E.
The crash occurs when I call IoGetDeviceObjectPointer().
The logic for this piece of code is as below:
During the cleanup call, it first breaks the file path into parts separated by a '\'. It then appends the parts one by one and analyzes whether there is a DeviceObject that will handle the input name.
Eg, if the input path is “\Device\HarddiskVolume1\SiteLog\WinShare_log.txt”, we will first pass “\Device” to IoGetDeviceObjectPointer(). If it fails, we will pass “\Device\HarddiskVolume1” and so on until we get a device object for that name.

But in one case it caused a BSOD when “\Device” was passed to IoGetDeviceObjectPointer(). BSOD is not reproducible and it occurs rarely. Does anybody have any clue about this BSOD?

Below is the analyze -v output:

1: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

KERNEL_MODE_EXCEPTION_NOT_HANDLED (8e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Some common problems are exception code 0x80000003. This means a hard
coded breakpoint or assertion was hit, but this system was booted
/NODEBUG. This is not supposed to happen as developers should never have
hardcoded breakpoints in retail code, but …
If this happens, make sure a debugger gets connected, and the
system is booted /DEBUG. This will let us see why this breakpoint is
happening.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: 8056ca2e, The address that the exception occurred at
Arg3: a09641fc, Trap Frame
Arg4: 00000000

Debugging Details:

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.

FAULTING_IP:
nt!SeCreateAccessStateEx+5b
8056ca2e 848788000000 test byte ptr [edi+88h],al

TRAP_FRAME: a09641fc -- (.trap 0xffffffffa09641fc)
ErrCode = 00000000
eax=00000001 ebx=899a1f30 ecx=00000004 edx=00000000 esi=899a1fe4 edi=00000000
eip=8056ca2e esp=a0964270 ebp=a096427c iopl=0 nv up ei pl nz na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010202
nt!SeCreateAccessStateEx+0x5b:
8056ca2e 848788000000 test byte ptr [edi+88h],al ds:0023:00000088=??
Resetting default scope

DEFAULT_BUCKET_ID: DRIVER_FAULT

BUGCHECK_STR: 0x8E

PROCESS_NAME: drwtsn32.exe

LAST_CONTROL_TRANSFER: from 80522241 to 805376ba

STACK_TEXT:
a0963dc4 80522241 0000008e c0000005 8056ca2e nt!KeBugCheckEx+0x1b
a096418c 804de403 a09641a8 00000000 a09641fc nt!KiDispatchException+0x3b1
a09641f4 804de3b4 a096427c 8056ca2e badb0d00 nt!CommonDispatchException+0x4d
a096427c 8056ca93 899c06c8 89b7f020 899a1f30 nt!Kei386EoiHelper+0x18a
a096429c 8057018e 899a1f30 899a1fe4 00000000 nt!SeCreateAccessState+0x28
a09642d4 80579eb6 00000000 00000000 96437400 nt!ObOpenObjectByName+0x8f
a0964350 80579f85 a09644cc 00000000 a09644a4 nt!IopCreateFile+0x407
a09643ac 8057a0bc a09644cc 00000000 a09644a4 nt!IoCreateFile+0x8e
a09643ec 804dd99f a09644cc 00000000 a09644a4 nt!NtOpenFile+0x27
a09643ec 804e3bc3 a09644cc 00000000 a09644a4 nt!KiFastCallEntry+0xfc
a096447c 805e7db2 a09644cc 00000000 a09644a4 nt!ZwOpenFile+0x11
a09644c4 b9e839d0 a09644f4 00000000 a0964508 nt!IoGetDeviceObjectPointer+0x40
a0964540 b9e7f8f1 8a3f2020 a096456c a096457c swin!SwSysStrComponentizePath+0x190
a096459c b9e8028f 8a3f2020 a09645dc a09645d4 swin!SysCrtParsePathName+0xb1
a09645fc b9e80852 8a3f6868 8a3f688c 8a3f6868 swin!SysCrtCreateHandler+0xff
a0964614 b9e80955 8a3f6868 00000000 e3bda3d8 swin!SwSysCrtCreateCloseHandler+0x52
a0964640 b9e5d816 a09646a8 80000000 a0964750 swin!SwSysCrtFowardCreateEx+0xd5
a09646b8 b9e5e306 8a42a5e8 8a432b58 a0964830 swin!swflt_create_file_ex+0x186
a0964700 b9e9e36b 8a42a5e8 8a432b58 a0964830 swin!swflt_create_file+0x46
a0964778 b9e3bafd a096482c 80000000 a0964834 swin!swin_shadow_create_file+0x10b
a09647e8 b9e3ce67 a0964828 e330fc38 00000004 swin!qfile_open_basic+0x13d
a0964808 b9efcc89 a0964828 e330fc38 00000004 swin!qfile_open+0x17
a0964854 b9ef7d73 e36d9ae8 00000000 00000004 swin!cctl_du_filter_and_log+0x89
a09648c4 b9ef7f32 00000426 00000000 00000000 swin!cctl_process_file_change_ex+0x533
a09648ec b9e9c384 e36d9ae8 00000000 00000004 swin!cctl_process_file_change+0x22
a0964914 b9e9c920 e3a33438 00000001 89391d34 swin!fct_raise_mon_events+0xa4
a0964938 b9ea4e03 89391d34 00000000 00000000 swin!fct_fs_hook_cleanup_cmpl+0x100
a0964950 b9e63229 89391d34 897ecad8 00000000 swin!swin_fs_hook_cleanup_cmpl+0x23
a0964974 b9e5f94c b9ea4de0 89391d34 897ecad8 swin!swflt_file_filter_call_postop+0xc9
a09649a0 b9e6153b a09649e0 00000000 00000000 swin!flt_file_operation_irp_postprocess+0xcc
a09649cc b9e61c92 a09649fe a09649ff a09649fd swin!flt_file_cbdatairp_process+0xeb
a0964a00 b9e5b3df 00000000 a0964a1b 89393490 swin!swflt_file_operation_filter_irp_process+0x182
a0964a1c b9fe68e9 8a3f2020 89393490 a096f120 swin!SwFltFileFileSysControl+0x1f
a0964a60 804e13eb 8a3f2020 89393490 89393490 swin!SwFsFltCleanup+0x89
a0964a70 805741e9 89ab5568 00000038 8a598ca0 nt!IopfCallDriver+0x31
a0964aa0 8056f831 89b7f020 8a3f2020 00120196 nt!IopCloseFile+0x26b
a0964ad4 8056f984 89b7f020 00000001 8a598ca0 nt!ObpDecrementHandleCount+0xd8
a0964afc 8058ee2e e2ad79a0 89ab5580 000000ac nt!ObpCloseHandleTableEntry+0x14d
a0964b1c 8058e66a e10ff158 000000ac a0964b5c nt!ObpCloseHandleProcedure+0x1f
a0964b3c 8058edda e2ad79a0 8058ee0f a0964b5c nt!ExSweepHandleTable+0x3b
a0964b68 80605408 89b7f020 00000000 89b7f008 nt!ObKillProcess+0x5c
a0964b98 8056d73d 89b7f020 00000000 89b7f008 nt!PspProcessDelete+0xf9
a0964bb4 804e1977 89b7f020 00000000 00000074 nt!ObpRemoveObjectRoutine+0xe0
a0964bcc 8056f98c 000001e3 00000074 e10fa0e8 nt!ObfDereferenceObject+0x4c
a0964be4 8058ee2e e3a52440 89b7f020 00000074 nt!ObpCloseHandleTableEntry+0x155
a0964c04 8058e66a e10fa0e8 00000074 a0964c44 nt!ObpCloseHandleProcedure+0x1f
a0964c24 8058edda e3a52440 8058ee0f a0964c44 nt!ExSweepHandleTable+0x3b
a0964c50 8058e55f 899f0b28 89a05338 00000000 nt!ObKillProcess+0x5c
a0964cf0 8058ed59 00000000 a0964d4c 804e75da nt!PspExitThread+0x5e9
a0964cfc 804e75da 89a05338 a0964d48 a0964d3c nt!PsExitSpecialApc+0x22
a0964d4c 804dda0a 00000001 00000000 a0964d64 nt!KiDeliverApc+0x1af
a0964d4c 7c90e514 00000001 00000000 a0964d64 nt!KiServiceExit+0x59
WARNING: Frame IP not in any known module. Following frames may be wrong.
00a8ecfc 00000000 00000000 00000000 00000000 0x7c90e514

STACK_COMMAND: kb

FOLLOWUP_IP:
swin!SwSysStrComponentizePath+190
b9e839d0 8945e0 mov dword ptr [ebp-20h],eax

FAULTING_SOURCE_CODE:
712: //
713: status = IoGetDeviceObjectPointer(&path,
714: FILE_ANY_ACCESS,
715: &pFileObject,

716: &pDeviceObject);
717:
718: //
719: // See if we found a match.
720: //
721: if ( NT_SUCCESS(status) )

SYMBOL_STACK_INDEX: c

SYMBOL_NAME: swin!SwSysStrComponentizePath+190

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: swin

IMAGE_NAME: swin.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 5c2d4caf

FAILURE_BUCKET_ID: 0x8E_swin!SwSysStrComponentizePath+190

BUCKET_ID: 0x8E_swin!SwSysStrComponentizePath+190

Followup: MachineOwner

1: kd> dv
pVolDev = 0x8a3f2020
pComponentListHead = 0xa096456c [ 0xe17833f8 - 0xe3e978c8 ]
PFinalName = 0xa096457c
PFinalNameLength = 0xa0964578
AddTrailingSlash = 0x00 ''
path = struct _UNICODE_STRING “\Device”
components = 1
status = 0n0
tmpBuffer = 0x00000000
pFileObject = 0x00000000
size = 0x84
pDeviceObject = 0x00000000
ppe = 0xe17833f8
component_offset = 7
finalNameLength = 0
pBuffer = 0xe13971d8
devName = struct _UNICODE_STRING "--- memory read error at address 0xfffffffe ---"
foundFilter = 0x00 ''

1: kd> !thread
THREAD 899c06c8 Cid 0a8c.0a9c Teb: 00000000 Win32Thread: 00000000 RUNNING on processor 1
IRP List:
89393490: (0006,01b4) Flags: 00000404 Mdl: 00000000
Not impersonating
Owning Process 0 Image:
Attached Process 89b7f020 Image: drwtsn32.exe
Wait Start TickCount 5768640 Ticks: 0
Context Switch Count 70 LargeStack
UserTime 00:00:00.000
KernelTime 00:00:00.015
Win32 Start Address 0x77df3539
Start Address 0x7c8106f9
Stack Init a0965000 Current a09644ac Base a0965000 Limit a0961000 Call 0
Priority 16 BasePriority 8 PriorityDecrement 0 DecrementCount 0
ChildEBP RetAddr Args to Child
a0963dc4 80522241 0000008e c0000005 8056ca2e nt!KeBugCheckEx+0x1b (FPO: [Non-Fpo])
a096418c 804de403 a09641a8 00000000 a09641fc nt!KiDispatchException+0x3b1 (FPO: [Non-Fpo])
a09641f4 804de3b4 a096427c 8056ca2e badb0d00 nt!CommonDispatchException+0x4d (FPO: [0,20,0])

You’re calling IoGetDeviceObjectPointer on a Directory Object, so it’s not entirely surprising that you’re getting a crash on XP. I’d say the only solution is “don’t do that.”
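As an added example (not code from the thread or from the swin driver), here is the prefix walk the original post describes, split on '\' and probe each longer prefix, written with the check the reply points at: a one-component name such as "\Device" is an object-manager directory, not a device, so it is never handed to the probe. The probe is a user-mode callback standing in for IoGetDeviceObjectPointer(); the device name "\Device\HarddiskVolume1", the MIN_PROBE_COMPONENTS rule and all function names are constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <wchar.h>

/*
 * Prefix walk over a native NT path, as described in the post:
 * "\Device\HarddiskVolume1\SiteLog\WinShare_log.txt" yields the candidates
 * "\Device", "\Device\HarddiskVolume1", ... and each is handed to a probe.
 * In the driver that probe was IoGetDeviceObjectPointer(); here it is a
 * caller-supplied callback so the walk can be exercised in user mode.
 *
 * MIN_PROBE_COMPONENTS is an assumption of this example: the volume paths in
 * the post all start with the object-manager directory "\Device", so the walk
 * never probes a one-component name.
 */
#define MIN_PROBE_COMPONENTS 2
#define MAX_PROBES 16
#define MAX_NAME 260

/* Returns nonzero if a device object is known to handle `prefix`. */
typedef int (*probe_fn)(const wchar_t *prefix, void *ctx);

/*
 * Walks the prefixes of `path`.  On a hit, copies the matching prefix into
 * `out` and returns its component count; returns 0 when nothing matched,
 * the path is not rooted, or it does not fit in `out`.
 */
int find_device_prefix(const wchar_t *path, probe_fn probe, void *ctx,
                       wchar_t *out, size_t out_len)
{
    size_t len = wcslen(path);
    int components = 0;

    if (len == 0 || path[0] != L'\\' || len >= out_len) {
        if (out_len) out[0] = L'\0';
        return 0;
    }

    /* i is one past the end of the current candidate prefix. */
    for (size_t i = 1; i <= len; i++) {
        if (i < len && path[i] != L'\\')
            continue;                       /* still inside a component */
        if (path[i - 1] == L'\\')
            continue;                       /* empty component: "\\x" or trailing '\' */
        components++;
        if (components < MIN_PROBE_COMPONENTS)
            continue;                       /* e.g. "\Device": a directory, never probed */
        wmemcpy(out, path, i);
        out[i] = L'\0';
        if (probe(out, ctx))
            return components;
    }
    out[0] = L'\0';
    return 0;
}

/* Test double for IoGetDeviceObjectPointer(): records every name it is asked
 * about and answers "yes" only for one constructed device name. */
struct probe_log {
    const wchar_t *device;                  /* the one name that "exists" */
    wchar_t seen[MAX_PROBES][MAX_NAME];
    int count;
};

static int logging_probe(const wchar_t *prefix, void *ctx)
{
    struct probe_log *plog = ctx;
    if (plog->count < MAX_PROBES)
        wcsncpy(plog->seen[plog->count++], prefix, MAX_NAME - 1);
    return wcscmp(prefix, plog->device) == 0;
}

/* Runs the walk over one path against a constructed volume name, prints the
 * prefixes that were probed, and returns the matched component count. */
int walk_and_log(const wchar_t *path, struct probe_log *plog)
{
    wchar_t match[MAX_NAME];
    int n;
    plog->device = L"\\Device\\HarddiskVolume1";   /* constructed sample */
    plog->count = 0;
    n = find_device_prefix(path, logging_probe, plog, match, MAX_NAME);
    for (int i = 0; i < plog->count; i++)
        printf("probed: %ls\n", plog->seen[i]);
    printf("match: %ls (%d components)\n", n ? match : L"<none>", n);
    return n;
}

int main(void)
{
    struct probe_log plog;
    walk_and_log(L"\\Device\\HarddiskVolume1\\SiteLog\\WinShare_log.txt", &plog);
    walk_and_log(L"\\Device\\Nope\\x", &plog);
    return 0;
}
```

In the driver the probe would be a small wrapper around IoGetDeviceObjectPointer() that dereferences the returned file object on a hit; the walk itself is unchanged. The two-component minimum fits the "\Device\..." volume paths in the post and is not a general rule: some drivers create control devices directly under the root (the WDK fastfat sample names its "\Fat"), so a walk that must handle arbitrary NT names needs a different way to tell a directory from a device.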