Hi,
This is regarding the bugcheck 0x5: INVALID_PROCESS_ATTACH_ATTEMPT, which is being received on a server running Windows 2003 SP1 and Exchange 2003 SP2. The stack trace shows exifs.sys as well as our FSFD involved. Both drivers use KeAttachProcess and KeDetachProcess.
The cause for the bugcheck is found out - KeAttachProcess called consecutively without an intervening call to KeDetachProcess. We are also aware KeStackAttachProcess and KeUnstackDetachProcess should be used instead of KeAttachProcess and KeDetachProcess.
The problem: It is required for us to support our FSFD on NT4 platform. The functions KeStackAttachProcess and KeUnstackDetachProcess are available in Windows 2000 and beyond and so we are required to compile the FSFD using W2K ddk/ifsk.
Other than placing the new functions, is there any solution/workaround to this problem possible? We are looking for minimal changes that can allow us to do without having to compile the driver on W2K ddk.
Thanks,
Amol
KeStackAttachProcess is definitely the simplest solution and was introduced to resolve exactly the issue you raise here.
So, if I understand your question, you want to know how to call these functions if they are available. I’d suggest one way would be to define your own attach/detach functions that you always call in your own code. In your driver, you load a second (“buddy”) driver that explicitly uses KeStackAttachProcess and KeUnstackDetachProcess. If the load succeeds, your buddy driver then sends an IOCTL with the address of these functions to your primary driver. If the load fails, you know you are running on an NT 4.0 system and must use KeAttachProcess.
Tony
Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc.
http://www.osr.com
> functions that you always call in your own code. In your driver, you load a second (“buddy”) driver that explicitly uses KeStackAttachProcess and KeUnstackDetachProcess. If the load succeeds, your buddy driver then sends an IOCTL with the address of these functions to your primary driver. If the load fails, you know you are running on an NT 4.0 system and must use KeAttachProcess.
Writing your own MmGetSystemRoutineAddress for NT4 by parsing the kernel’s image header is also a way.
Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com
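Added example, not code from any poster in this thread: a user-mode C sketch of the export lookup that the last reply alludes to, walking a mapped PE image's export directory by name with bounds checks. The names `find_export_rva` and `build_sample` are hypothetical, and the image is a constructed buffer that exports only KeAttachProcess and KeDetachProcess, as the thread describes for NT4.

```c
#include <stdint.h>
#include <string.h>
/* Little-endian accessors; callers bounds-check offsets before reading. */
static uint32_t rd32(const uint8_t *p) { return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24; }
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* Hypothetical helper: RVA of export `name` in a mapped image (RVA == offset from base).
 * Returns 0 if the name is absent, is a forwarder, or the headers are malformed. */
uint32_t find_export_rva(const uint8_t *img, size_t len, const char *name)
{
    if (len < 0x40 || rd16(img) != 0x5A4D) return 0;                  /* "MZ" */
    uint32_t nt = rd32(img + 0x3C);                                   /* e_lfanew */
    if (nt >= len || len - nt < 144 || rd32(img + nt) != 0x4550) return 0; /* "PE\0\0" */
    const uint8_t *opt = img + nt + 24;                               /* optional header */
    if (rd16(opt) != 0x10B && rd16(opt) != 0x20B) return 0;           /* PE32 / PE32+ */
    const uint8_t *dd = opt + (rd16(opt) == 0x20B ? 112 : 96);        /* DataDirectory[0] */
    uint32_t exp = rd32(dd), exp_size = rd32(dd + 4);
    if (rd32(dd - 4) == 0 || exp == 0 || exp >= len || len - exp < 40) return 0;
    uint32_t nfuncs = rd32(img + exp + 20), nnames = rd32(img + exp + 24);
    uint32_t funcs = rd32(img + exp + 28), names = rd32(img + exp + 32), ords = rd32(img + exp + 36);
    for (uint32_t i = 0; i < nnames; i++) {
        if (names >= len || (len - names) / 4 <= i || ords >= len || (len - ords) / 2 <= i) return 0;
        uint32_t s = rd32(img + names + 4 * i);
        if (s >= len || !memchr(img + s, 0, len - s)) return 0;       /* unterminated name */
        if (strcmp((const char *)img + s, name) != 0) continue;
        uint16_t ord = rd16(img + ords + 2 * i);
        if (ord >= nfuncs || funcs >= len || (len - funcs) / 4 <= ord) return 0;
        uint32_t rva = rd32(img + funcs + 4 * ord);
        return (rva >= exp && rva - exp < exp_size) ? 0 : rva;        /* forwarder string */
    }
    return 0;
}

/* Constructed sample (not a real kernel): 0x200-byte PE32 image exporting only the NT4-era pair. */
size_t build_sample(uint8_t *b)
{
    memset(b, 0, 0x200);
    b[0] = 'M'; b[1] = 'Z'; wr32(b + 0x3C, 0x40);                     /* DOS header */
    wr32(b + 0x40, 0x4550); wr32(b + 0x58, 0x10B);                    /* signature, PE32 magic */
    wr32(b + 0xB4, 16); wr32(b + 0xB8, 0x140); wr32(b + 0xBC, 0x80);  /* export dir RVA, size */
    wr32(b + 0x154, 2); wr32(b + 0x158, 2);                           /* 2 functions, 2 names */
    wr32(b + 0x15C, 0x168); wr32(b + 0x160, 0x170); wr32(b + 0x164, 0x178);
    wr32(b + 0x168, 0x100); wr32(b + 0x16C, 0x110);                   /* function RVAs */
    wr32(b + 0x170, 0x180); wr32(b + 0x174, 0x190);                   /* name RVAs */
    b[0x17A] = 1;                                                     /* ordinals {0, 1} */
    strcpy((char *)b + 0x180, "KeAttachProcess"); strcpy((char *)b + 0x190, "KeDetachProcess");
    return 0x200;
}
```

A zero result for KeStackAttachProcess is the signal to stay on the KeAttachProcess path; a nonzero RVA would be added to the image base to form the function pointer.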