NTFSD Folk:
I have a client that has a laptop running WinXP Home and got a crash in
FltEnumerateVolumes() called from my mini-filter. It was at boot time. My
mini-filter driver is set to auto-start.
It's been working for months; this is the first time it crashed.
The code calling FltEnumerateVolumes() is straightforward:
PFLT_VOLUME aVolumeList[256];   /* fixed-size list; FltEnumerateVolumes returns STATUS_BUFFER_TOO_SMALL if more volumes exist */
ULONG       iNumVolumes = 0;    /* number of PFLT_VOLUME entries actually filled in */
NTSTATUS    status;

status = FltEnumerateVolumes( FKFilter, aVolumeList,
                              RTL_NUMBER_OF(aVolumeList), &iNumVolumes );
/* each returned volume is referenced and must be released with FltObjectDereference */
Here's a clip from the !analyze -v output:
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at “0x%08lx”
referenced memory at “0x%08lx”. The memory could not be “%s”.
FAULTING_IP:
fltmgr!FltEnumerateVolumes+14
f919abd4 8b7014 mov esi,[eax+0x14]
TRAP_FRAME: ef5a320c -- (.trap ffffffffef5a320c)
ErrCode = 00000000
eax=00000000 ebx=00004000 ecx=ef5a374c edx=0000002e esi=f0696520 edi=00000000
eip=f919abd4 esp=ef5a3280 ebp=ef5a3290 iopl=0         nv up ei pl zr na po nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010246
fltmgr!FltEnumerateVolumes+0x14:
f919abd4 8b7014 mov esi,[eax+0x14]
ds:0023:00000014=???
Resetting default scope
CUSTOMER_CRASH_COUNT: 1
DEFAULT_BUCKET_ID: DRIVER_FAULT
BUGCHECK_STR: 0x8E
LAST_CONTROL_TRANSFER: from f0691242 to f919abd4
STACK_TEXT:
ef5a3290 f0691242 00000000 ef5a32b4 00000100 fltmgr!FltEnumerateVolumes+0x14
ef5a3968 f069d46a f069cbe0 ffba2008 ffb6dbc0 fkdriver!FKFindRepository+0xa4 [c:\winddk\3790.1830\src\filesys\minifilter\fkdriver\fklib.c @ 611]
ef5a398c f918e944 ffb6dc1c ef5a39ac ef5a39dc fkdriver!FKDriverPreCreate+0x114 [c:\winddk\3790.1830\src\filesys\minifilter\fkdriver\fkdriver.c @ 1616]
ef5a39ec f9190352 005a3a30 ffb6dbc0 00000000 fltmgr!FltpPerformPreCallbacks+0x2d4
ef5a3a00 f919cccb ef5a3a30 f919b094 00000000 fltmgr!FltpPassThroughInternal+0x32
ef5a3a18 f919d142 ef5a3a30 fce1a018 81ad25b0 fltmgr!FltpCreateInternal+0x63
ef5a3a4c 804e37f7 ffad63e0 fce1a1bc fce1a008 fltmgr!FltpCreate+0x1d2
WARNING: Stack unwind information not available. Following frames may be wrong.
ef5a3b3c 8056316c 81b56868 00000000 fd10a9a0 nt!IofCallDriver+0x32
ef5a3bc4 8056729a 00000000 ef5a3c04 00000040 nt!RtlEqualUnicodeString+0x4cf
ef5a3c18 80570b73 00000000 00000000 5a3d3001 nt!ObOpenObjectByName+0xdb
ef5a3c94 80570c42 028efac0 40100080 028efa60 nt!FsRtlCurrentBatchOplock+0x212
ef5a3cf0 80570d78 028efac0 40100080 028efa60 nt!IoCreateFile+0x4f
ef5a3d30 804de7ec 028efac0 40100080 028efa60 nt!NtCreateFile+0x30
ef5a3d64 7c90eb94 badb0d00 028efa28 efdb1d98 nt!ZwYieldExecution+0xb78
028efab8 00000000 00000000 00000000 00000000 0x7c90eb94
Any thoughts?
Ken
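
Editor's note: the following is an added example, not part of Ken's post and not code from the fkdriver sources. On x86 the three "Args to Child" columns of a WinDbg STACK_TEXT frame are the first three stack arguments as they were at function entry, so the FltEnumerateVolumes frame above records Filter=00000000, VolumeList=ef5a32b4 and VolumeListSize=00000100 (256, matching RTL_NUMBER_OF(aVolumeList)), which is consistent with eax=0 at the faulting mov esi,[eax+0x14]. The program below parses frame lines of that format, finds the frame for a given symbol, reports which arguments were NULL, and checks whether a pointer argument lies inside the caller's stack frame (a local array such as aVolumeList). The embedded sample lines are copied from the dump above; the only assumptions are the helper names and the x86-only frame layout (on x64 those columns are not the real arguments).

```c
/* Added example: read WinDbg x86 STACK_TEXT frames and check what was
 * passed to a callee. Frame line layout: ChildEBP RetAddr Arg1 Arg2 Arg3 Symbol
 * x86 only: on x64 the "Args to Child" columns are not the real arguments. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    unsigned child_ebp;   /* frame pointer of this function's own frame        */
    unsigned ret_addr;    /* return address into the caller                    */
    unsigned args[3];     /* first three stack arguments as saved at entry     */
    char     symbol[128]; /* module!function+offset                            */
} stack_frame;

/* Parse one STACK_TEXT line. Returns 1 for a frame line, 0 for anything else
 * (source-file lines, "WARNING: ..." lines, blank lines). */
int parse_frame(const char *line, stack_frame *f)
{
    memset(f, 0, sizeof *f);
    return sscanf(line, "%8x %8x %8x %8x %8x %127s",
                  &f->child_ebp, &f->ret_addr,
                  &f->args[0], &f->args[1], &f->args[2], f->symbol) == 6;
}

/* Find the first frame whose symbol starts with `prefix`. Fills *f and,
 * if caller != NULL, the next parsable frame (the caller). Returns the
 * index of the matching line or -1 if no frame matches. */
int find_frame(const char *const *lines, size_t n, const char *prefix,
               stack_frame *f, stack_frame *caller)
{
    size_t plen = strlen(prefix);
    for (size_t i = 0; i < n; i++) {
        if (!parse_frame(lines[i], f) || strncmp(f->symbol, prefix, plen) != 0)
            continue;
        if (caller) {
            for (size_t j = i + 1; j < n; j++)
                if (parse_frame(lines[j], caller))
                    break;
        }
        return (int)i;
    }
    return -1;
}

/* Bit k is set exactly when argument k (0-based) was NULL. */
unsigned null_arg_mask(const stack_frame *f)
{
    unsigned mask = 0;
    for (int k = 0; k < 3; k++)
        if (f->args[k] == 0)
            mask |= 1u << k;
    return mask;
}

/* A pointer argument that lies between the callee's frame pointer and the
 * caller's frame pointer points into the caller's stack frame, i.e. at a
 * local variable of the caller (here: the aVolumeList[] array). */
int arg_in_caller_frame(const stack_frame *callee, const stack_frame *caller, int k)
{
    return callee->args[k] > callee->child_ebp && callee->args[k] < caller->child_ebp;
}

/* Sample input: the first frames of the STACK_TEXT block in the post above,
 * including the non-frame lines WinDbg interleaves (source info, warning). */
static const char *const stack_text[] = {
    "ef5a3290 f0691242 00000000 ef5a32b4 00000100 fltmgr!FltEnumerateVolumes+0x14",
    "ef5a3968 f069d46a f069cbe0 ffba2008 ffb6dbc0 fkdriver!FKFindRepository+0xa4",
    "[c:\\winddk\\3790.1830\\src\\filesys\\minifilter\\fkdriver\\fklib.c @ 611]",
    "ef5a398c f918e944 ffb6dc1c ef5a39ac ef5a39dc fkdriver!FKDriverPreCreate+0x114",
    "[c:\\winddk\\3790.1830\\src\\filesys\\minifilter\\fkdriver\\fkdriver.c @ 1616]",
    "ef5a39ec f9190352 005a3a30 ffb6dbc0 00000000 fltmgr!FltpPerformPreCallbacks+0x2d4",
    "ef5a3a4c 804e37f7 ffad63e0 fce1a1bc fce1a008 fltmgr!FltpCreate+0x1d2",
    "WARNING: Stack unwind information not available. Following frames may be wrong.",
    "ef5a3b3c 8056316c 81b56868 00000000 fd10a9a0 nt!IofCallDriver+0x32",
};
static const size_t stack_text_count = sizeof stack_text / sizeof stack_text[0];

int main(void)
{
    stack_frame f, caller;
    if (find_frame(stack_text, stack_text_count, "fltmgr!FltEnumerateVolumes",
                   &f, &caller) < 0) {
        puts("frame not found");
        return 1;
    }
    printf("%s called from %s\n", f.symbol, caller.symbol);
    for (int k = 0; k < 3; k++)
        printf("  arg%d = %08x%s%s\n", k + 1, f.args[k],
               ((null_arg_mask(&f) >> k) & 1) ? "  <-- NULL" : "",
               arg_in_caller_frame(&f, &caller, k) ? "  (inside caller's stack frame)" : "");
    return 0;
}
```

Run against the dump above it reports arg1 as NULL and arg2 as a pointer into FKFindRepository's frame; the same parser works on any x86 k / STACK_TEXT listing, as long as the frame-pointer chain is intact (frames after the "Stack unwind information not available" warning may be wrong, as WinDbg says).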