Accessing another volume in pre-callback for IRP_MJ_DIRECTORY_CONTROL

Thanks all for your help. I’ll see if I can get the checked NTFS.sys working. In the meantime, I think I’ve found two threads that are waiting on each other:

Resource @ 0xfffffa8004fdacf0 Exclusively owned
Contention Count = 3
NumberOfSharedWaiters = 1
NumberOfExclusiveWaiters = 1
Threads: fffffa8004f90b60-01<*>

THREAD fffffa8004f90b60 Cid 0780.1018 Teb: 000000007efdb000 Win32Thread: 0000000000000000 WAIT: (WrGuardedMutex) KernelMode Non-Alertable
fffffa8006082388 Gate
IRP List:
fffff98030eecc10: (0006,03e8) Flags: 40000884 Mdl: 00000000
fffff98030f8ec10: (0006,03e8) Flags: 40060800 Mdl: 00000000
Not impersonating
DeviceMap fffff8a003e13900
Owning Process fffffa8004ff1b30 Image: binplace.exe
Attached Process N/A Image: N/A
Wait Start TickCount 14699 Ticks: 939 (0:00:00:14.648)
Context Switch Count 216
UserTime 00:00:00.000
KernelTime 00:00:00.062
Win32 Start Address 0x0000000000f14990
Stack Init fffff88006451db0 Current fffff88006451690
Base fffff88006452000 Limit fffff8800644c000 Call 0
Priority 13 BasePriority 4 UnusualBoost 9 ForegroundBoost 0 IoPriority 2 PagePriority 5
Child-SP RetAddr Call Site
fffff880064516d0 fffff80002ad1052 nt!KiSwapContext+0x7a
fffff88006451810 fffff80002b114c5 nt!KiCommitThreadWait+0x1d2
fffff880064518a0 fffff80002a9f2dd nt!KeWaitForGate+0x101
fffff880064518f0 fffff80002ae1138 nt!KiAcquireGuardedMutex+0x45
fffff88006451920 fffff880012c551d nt!KeAcquireGuardedMutex+0x38
fffff88006451950 fffff880012c5ce2 Ntfs!NtfsFindPrefixHashEntry+0xaf8
fffff88006451a80 fffff880012c028d Ntfs!NtfsFindStartingNode+0x452
fffff88006451b50 fffff88001229c0d Ntfs!NtfsCommonCreate+0x3dd
fffff88006451d30 fffff80002ac1d87 Ntfs!NtfsCommonCreateCallout+0x1d
fffff88006451d60 fffff80002ac1d41 nt!KySwitchKernelStackCallout+0x27 (TrapFrame @ fffff88006451c20)
fffff880074ed8b0 fffff80002ad980a nt!KiSwitchKernelStackContinue
fffff880074ed8d0 fffff88001229b2f nt!KeExpandKernelStackAndCalloutEx+0x29a
fffff880074ed9b0 fffff880012c69c0 Ntfs!NtfsCommonCreateOnNewStack+0x4f
fffff880074eda10 fffff80002f6fc16 Ntfs!NtfsFsdCreate+0x1b0
fffff880074edbc0 fffff880011903a2 nt!IovCallDriver+0x566
fffff880074edc20 fffff80002f6fc16 fltmgr!FltpCreate+0x392
fffff880074edcd0 fffff80002dca477 nt!IovCallDriver+0x566
fffff880074edd30 fffff80002dc0764 nt!IopParseDevice+0x5a7
fffff880074edec0 fffff80002dc5876 nt!ObpLookupObjectName+0x585
fffff880074edfc0 fffff80002dcc587 nt!ObOpenObjectByName+0x306
fffff880074ee090 fffff80002d7158b nt!IopCreateFile+0x2b7
fffff880074ee130 fffff8800119243c nt!IoCreateFileEx+0xfb
fffff880074ee1d0 fffff880011a1a11 fltmgr!FltCreateFileEx2+0x18c
fffff880074ee2e0 fffff880011ac169 fltmgr!FltCreateFileEx+0x91
fffff880074ee370 fffff88006e02952 fltmgr!FltvCreateFileEx+0xd9
fffff880074ee410 fffff88006e03521 ReadOnlyFilter!ROFInitFileContextForDirectoryQuery+0x1f2 [c:\wm7_tools_mib\tools\ostools\buildtools\readonlyfilter\filter\readonlyfilter.c @ 1292]
fffff880074ee570 fffff88006e0b116 ReadOnlyFilter!EnsureContextReadyForQuery+0x1d1 [c:\wm7_tools_mib\tools\ostools\buildtools\readonlyfilter\filter\readonlyfilter.c @ 2005]
fffff880074ee5b0 fffff88006e0af14 ReadOnlyFilter!ProcessDirPostBuffers+0x1b6 [c:\wm7_tools_mib\tools\ostools\buildtools\readonlyfilter\filter\readonlyfilter.c @ 2544]
fffff880074ee610 fffff88006e0a841 ReadOnlyFilter!ProcessDirPreBuffers+0x5d4 [c:\wm7_tools_mib\tools\ostools\buildtools\readonlyfilter\filter\readonlyfilter.c @ 2504]
fffff880074ee6f0 fffff880011aec3e ReadOnlyFilter!ROFPreDirectory+0x391 [c:\wm7_tools_mib\tools\ostools\buildtools\readonlyfilter\filter\readonlyfilter.c @ 2231]
fffff880074ee780 fffff88001170027 fltmgr!FltvPreOperation+0xbe
fffff880074ee890 fffff88001170be9 fltmgr!FltpPerformPreCallbacks+0x2f7
fffff880074ee990 fffff8800116f6c7 fltmgr!FltpPassThrough+0x2d9
fffff880074eea10 fffff80002f6fc16 fltmgr!FltpDispatch+0xb7
fffff880074eea70 fffff80002de494d nt!IovCallDriver+0x566
fffff880074eead0 fffff80002ac9153 nt!NtQueryDirectoryFile+0x1ad
fffff880074eebb0 00000000778d020a nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880074eec20)
00000000001dde68 00000000001d4890 0x778d020a
00000000001dde70 0000000000000000 0x1d4890

fffffa80035ff040-01

THREAD fffffa80035ff040 Cid 0004.0028 Teb: 0000000000000000 Win32Thread: 0000000000000000 WAIT: (WrResource) KernelMode Non-Alertable
fffffa8006a55510 Semaphore Limit 0x7fffffff
Not impersonating
DeviceMap fffff8a000007eb0
Owning Process fffffa80035ea040 Image: System
Attached Process N/A Image: N/A
Wait Start TickCount 15503 Ticks: 135 (0:00:00:02.106)
Context Switch Count 10668
UserTime 00:00:00.000
KernelTime 00:00:03.260
Win32 Start Address nt!ExpWorkerThread (0xfffff80002ad7050)
Stack Init fffff8800319adb0 Current fffff8800319a410
Base fffff8800319b000 Limit fffff88003195000 Call 0
Priority 13 BasePriority 13 UnusualBoost 0 ForegroundBoost 0 IoPriority 2 PagePriority 5
Child-SP RetAddr Call Site
fffff8800319a450 fffff80002ad1052 nt!KiSwapContext+0x7a
fffff8800319a590 fffff80002ad31af nt!KiCommitThreadWait+0x1d2
fffff8800319a620 fffff80002a92b1e nt!KeWaitForSingleObject+0x19f
fffff8800319a6c0 fffff80002ac0ad1 nt!ExpWaitForResource+0xae
fffff8800319a730 fffff8800122e599 nt!ExAcquireResourceSharedLite+0x2c6
fffff8800319a7a0 fffff880012b58a9 Ntfs!NtfsAcquireSharedFcb+0x69
fffff8800319a7f0 fffff880012b7421 Ntfs!NtfsQueryDirectory+0x3f9
fffff8800319ab90 fffff8800121b452 Ntfs!NtfsCommonDirectoryControl+0xa1
fffff8800319abd0 fffff80002ad7161 Ntfs!NtfsFspDispatch+0x1e2
fffff8800319acb0 fffff80002d6d166 nt!ExpWorkerThread+0x111
fffff8800319ad40 fffff80002aa8486 nt!PspSystemThreadStartup+0x5a
fffff8800319ad80 0000000000000000 nt!KxStartSystemThread+0x16

Threads Waiting On Exclusive Access:
fffffa800422fb60

So fffffa80035ff040 is waiting for shared access and is blocked on fffffa8004f90b60. If we look at the mutex that fffffa8004f90b60 is blocked on:

nt!_KGUARDED_MUTEX
+0x000 Count : 8
+0x008 Owner : 0xfffffa80`035ff040 _KTHREAD
+0x010 Contention : 2
+0x018 Gate : _KGATE
+0x030 KernelApcDisable : 0
+0x032 SpecialApcDisable : 0
+0x030 CombinedApcDisable : 0

The mutex is owned by fffffa80035ff040, so we have a deadlock.
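The wait chain worked out by hand above, as an added example that is not part of the original post: a small script that turns the !locks, !thread and dt nt!_KGUARDED_MUTEX fragments into a wait-for graph (thread -> object it waits on, object -> thread that owns it) and searches it for a cycle, which is the general form of the two-thread case here and scales to any number of threads. The sample text is constructed from the addresses in the post and trimmed to the lines the parser reads. The SEMAPHORE_TO_RESOURCE map is an assumption supplied by the analyst: !thread shows the ERESOURCE's internal shared-waiter semaphore rather than the resource, so it encodes the inference the post makes from the NtfsAcquireSharedFcb frame on that stack.

```python
"""Wait-for-graph cycle finder for WinDbg deadlock triage (added example)."""
import re
from typing import Dict, List, Optional

# Line shapes emitted by !thread, !locks and dt on an x64 kernel target.
THREAD_RE = re.compile(r"^THREAD ([0-9a-f]{16}) .*WAIT: \((\w+)\)")
WAITOBJ_RE = re.compile(r"^\s*([0-9a-f]{16}) (Gate|Semaphore|Mutant|NotificationEvent|SynchronizationEvent)\b")
RESOURCE_RE = re.compile(r"^Resource @ 0x([0-9a-f]{16}) ")
RES_OWNER_RE = re.compile(r"^\s*Threads: ([0-9a-f]{16})-\d+<\*>")   # <*> marks the owner
MUTEX_RE = re.compile(r"dt nt!_KGUARDED_MUTEX ([0-9a-f]{16})")      # echoed dt command
MUTEX_OWNER_RE = re.compile(r"^\s*\+0x008 Owner\s*: 0x([0-9a-f]{8})`([0-9a-f]{8})")

# Constructed sample: the post's addresses, trimmed to the lines parsed here.
SAMPLE = """\
Resource @ 0xfffffa8004fdacf0 Exclusively owned
 Contention Count = 3
 NumberOfSharedWaiters = 1
 NumberOfExclusiveWaiters = 1
 Threads: fffffa8004f90b60-01<*>

THREAD fffffa8004f90b60 Cid 0780.1018 Teb: 000000007efdb000 Win32Thread: 0000000000000000 WAIT: (WrGuardedMutex) KernelMode Non-Alertable
 fffffa8006082388 Gate
 Owning Process fffffa8004ff1b30 Image: binplace.exe

THREAD fffffa80035ff040 Cid 0004.0028 Teb: 0000000000000000 Win32Thread: 0000000000000000 WAIT: (WrResource) KernelMode Non-Alertable
 fffffa8006a55510 Semaphore Limit 0x7fffffff
 Owning Process fffffa80035ea040 Image: System

kd> dt nt!_KGUARDED_MUTEX fffffa8006082388
 +0x000 Count : 8
 +0x008 Owner : 0xfffffa80`035ff040 _KTHREAD
"""

# Assumption (analyst-supplied): a WrResource waiter blocks on the ERESOURCE's
# internal semaphore, so map that semaphore to the resource the stack shows
# it acquiring (NtfsAcquireSharedFcb -> Resource @ 0xfffffa8004fdacf0).
SEMAPHORE_TO_RESOURCE = {"fffffa8006a55510": "fffffa8004fdacf0"}


def parse_dump(text: str, semaphore_to_resource: Dict[str, str]) -> Dict[str, List[str]]:
    """Adjacency lists: 'thread:<addr>' -> waited-on 'obj:<addr>', 'obj:<addr>' -> owning 'thread:<addr>'."""
    edges: Dict[str, List[str]] = {}
    thread = resource = mutex = None
    for line in text.splitlines():
        if m := THREAD_RE.match(line):
            thread, resource, mutex = m.group(1), None, None
        elif thread and (m := WAITOBJ_RE.match(line)):
            obj = semaphore_to_resource.get(m.group(1), m.group(1))
            edges.setdefault(f"thread:{thread}", []).append(f"obj:{obj}")
            thread = None  # one wait object per !thread block
        elif m := RESOURCE_RE.match(line):
            resource, thread, mutex = m.group(1), None, None
        elif resource and (m := RES_OWNER_RE.match(line)):
            edges.setdefault(f"obj:{resource}", []).append(f"thread:{m.group(1)}")
        elif m := MUTEX_RE.search(line):
            mutex, thread, resource = m.group(1), None, None
        elif mutex and (m := MUTEX_OWNER_RE.match(line)):
            owner = m.group(1) + m.group(2)
            if int(owner, 16) != 0:  # Owner == 0 means the mutex is free
                edges.setdefault(f"obj:{mutex}", []).append(f"thread:{owner}")
    return edges


def find_cycle(edges: Dict[str, List[str]]) -> Optional[List[str]]:
    """Recursive three-colour DFS; returns a closed path [n0, ..., n0] or None."""
    WHITE, GREY, BLACK = 0, 1, 2
    colour: Dict[str, int] = {}
    path: List[str] = []

    def visit(u: str) -> Optional[List[str]]:
        colour[u] = GREY
        path.append(u)
        for v in edges.get(u, []):
            c = colour.get(v, WHITE)
            if c == GREY:                       # back edge: v is on the current path
                return path[path.index(v):] + [v]
            if c == WHITE and (found := visit(v)):
                return found
        path.pop()
        colour[u] = BLACK
        return None

    for node in list(edges):
        if colour.get(node, WHITE) == WHITE and (found := visit(node)):
            return found
    return None


def deadlock_report(text: str, semaphore_to_resource: Dict[str, str]) -> Optional[str]:
    """One line per hop, rotated so the chain starts at a thread."""
    cycle = find_cycle(parse_dump(text, semaphore_to_resource))
    if cycle is None:
        return None
    ring = cycle[:-1]
    start = next((i for i, n in enumerate(ring) if n.startswith("thread:")), 0)
    ring = ring[start:] + ring[:start] + [ring[start]]
    return "\n".join(f"{a} {'waits on' if a.startswith('thread:') else 'owned by'} {b}"
                     for a, b in zip(ring, ring[1:]))


if __name__ == "__main__":
    print(deadlock_report(SAMPLE, SEMAPHORE_TO_RESOURCE) or "no wait cycle found")
```

On the sample the report reads thread fffffa8004f90b60 waits on the guarded mutex, which is owned by fffffa80035ff040, which waits on the resource, which is owned by fffffa8004f90b60. Dropping either the dt output (no owner for the mutex) or the semaphore-to-resource mapping breaks the chain and the script correctly reports no cycle, which is a useful sanity check when the chain is only half captured.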