
NtCreatePagingFile returning STATUS_OBJECT_NAME_NOT_FOUND

JasonStern Member Posts: 2

I'm working on a project using Win10IoT with the Universal Write Filter (UWF). For those unfamiliar with UWF, it's a feature that redirects all write attempts on a protected volume to a virtual overlay, ensuring no modifications have been made to the protected (in this case O/S) volume across reboots. Enabling UWF disables page files, but at runtime with the UWF enabled, you can create and/or increase the page file sizes using SystemPropertiesAdvanced.exe.

After wasting time using WMI/CIM to adjust the page files, only to find out there is no way for the commit limit to increase without a reboot, I used Dr. Memory's strace tool on SystemPropertiesAdvanced.exe to try to figure out what exactly it was doing. Parsing the log, I came across the undocumented function NtCreatePagingFile, which gave me a nice:

NtCreatePagingFile
arg 0: 72/74 "\Device\HarddiskVolume2\pagefile.sys" (type=UNICODE_STRING*, size=0x4)
arg 1: (type=ULARGE_INTEGER*, size=0x4)
arg 2: (type=ULARGE_INTEGER*, size=0x4)
arg 3: 0x0 (type=unsigned int, size=0x4)
succeeded =>
retval: 0x0 (type=NTSTATUS, size=0x4)

...entry to go off of. I then wrote an application that enables the SE_CREATE_PAGEFILE_NAME privilege and tries to call NtCreatePagingFile with the appropriate NT file path. Unfortunately, the operation consistently fails with STATUS_OBJECT_NAME_NOT_FOUND. Something appears to be wrong with the "PUNICODE_STRING PageFileName" parameter. If I try something malformed, I get STATUS_OBJECT_NAME_INVALID, so it's at least getting past the file name validation. I've tried ensuring the file exists, ensuring the file does not exist, altering the file's permissions, etc. I'm afraid that I'm not sure exactly where I'm going wrong, and STATUS_OBJECT_NAME_NOT_FOUND doesn't provide enough information for me to really dig into it further. Does anyone have any ideas?

Thank you!
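
An added example, not part of the original post: a small Python parser for trace entries in the layout quoted above, which reports the arguments that the log lists by type only. It assumes every entry follows that layout (a call name, `arg N:` lines, a status line ending in `=>`, then `retval:`); the function names are made up for this example. For the quoted entry it reports arguments 1 and 2, the two ULARGE_INTEGER* parameters, as having no value in the text.

```python
import re

# Constructed sample: the trace entry quoted in the post, as it appears on the page.
SAMPLE = r'''NtCreatePagingFile
arg 0: 72/74 "\Device\HarddiskVolume2\pagefile.sys" (type=UNICODE_STRING*, size=0x4)
arg 1: (type=ULARGE_INTEGER*, size=0x4)
arg 2: (type=ULARGE_INTEGER*, size=0x4)
arg 3: 0x0 (type=unsigned int, size=0x4)
succeeded =>
retval: 0x0 (type=NTSTATUS, size=0x4)
'''

# "arg N:" or "retval:", an optional rendered value, then "(type=..., size=0x..)".
LINE = re.compile(r'^(arg (\d+)|retval):\s*(.*?)\s*\(type=(.+), size=(0x[0-9a-fA-F]+)\)$')

def parse_trace(text):
    """Split a trace into one record per system call (assumed layout, see lead-in)."""
    calls, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE.match(line)
        if m and cur is not None:
            field = {"value": m.group(3) or None, "type": m.group(4),
                     "size": int(m.group(5), 16)}
            if m.group(2) is None:
                cur["retval"] = field
            else:
                field["index"] = int(m.group(2))
                # Argument lines after the "=>" marker are kept apart from the inputs.
                cur["post" if cur["status"] else "args"].append(field)
        elif line.endswith("=>") and cur is not None:
            cur["status"] = line[:-2].strip()
        elif not m:
            # Any other non-empty line starts a new call record.
            cur = {"name": line, "args": [], "post": [], "status": None, "retval": None}
            calls.append(cur)
    return calls

def unrendered_args(call):
    """Indexes of input arguments the trace shows by type only, with no value."""
    return [a["index"] for a in call["args"] if a["value"] is None]

if __name__ == "__main__":
    for call in parse_trace(SAMPLE):
        print(call["name"], call["status"], "no value for args:", unrendered_args(call))
```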
