I am already running unsigned driver and also LIVE kernel debugging.
I can also try to edit the registry and boot from a LIVE CD.
thanks.
Send me your fltmgr.sys file then.
On 24 Nov 2016 at 4:14 PM, user <mandar.nanivadekar> wrote:
> I am already running unsigned driver and also LIVE kernel debugging.
> I can also try to edit the registry and boot from a LIVE CD.
>
> thanks.
>
> —
> NTFSD is sponsored by OSR
>
>
> MONTHLY seminars on crash dump analysis, WDF, Windows internals and
> software drivers!
> Details at http:
>
> To unsubscribe, visit the List Server section of OSR Online at <http://www.osronline.com/page.cfm?name=ListServer>
Please find the link below for fltmgr.sys
https://drive.google.com/file/d/0B59FSVYGDOVCbHlkSy1VeThOLUE/view?usp=sharing
Please let me know if I can post my email address for the patched file to be sent.
Thanks.
> Please let me know if I can post my email address for the patched file to be sent.
I can send you the file directly if you don’t mind.
Thanks, sure. In the existing email address the domain has changed from hp.com to hpe.com.
Also please let me know what should be changed in the registry from a LiveCD (I have never done this but will try).
Ok. I’m patching now.
Just sent you the patched version. You should do the following:
If something goes wrong and the system won't boot with this patched fltmgr,
you should use a live CD or USB flash drive to start the Windows command prompt and use
regedit to restore the original value of the ImagePath.
If the system boots, just wait for the BSOD or breakpoint to occur under the kernel
debugger.
After copying the patched file fltmgrdbg.sys and changing the registry, the host machine does not boot; it always goes into automatic repair.
I am checking if there is a way to boot this.
Did you select "disable driver signature enforcement" in the boot menu?
Also disable automatic repair to be able to see the error.
To boot into the system, boot from USB with the Windows installer and open regedit
to restore the original driver name in ImagePath.
I was selecting debugging mode so that I can use kernel debugger.
Now I have selected 'disable driver signature enforcement' and I guess it is booting, although it is taking a long time.
I will post an update soon.
Enable the debugger for your boot entry with the bcdedit utility to avoid enabling it
manually in the menu.
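The boot-entry and registry steps discussed in this thread (enable the kernel debugger with bcdedit, disable automatic repair so the load failure is visible, and restore the FltMgr ImagePath from an installer command prompt when the patched file stops the machine booting), as an added example that is not from any of the posters. Assumptions: a serial debug transport, the installed Windows on D: when booted from the installer, ControlSet001 as the active control set, and "system32\drivers\fltmgr.sys" as the stock ImagePath.

```batch
@echo off
rem Added example, not from the thread. Part 1 runs on the target from an
rem elevated prompt while it still boots; Part 2 runs from the Windows
rem installer's command prompt (Shift+F10) once it no longer boots.

rem ---- Part 1: make the kernel debugger come up without the F8 menu and
rem ---- stop automatic repair from hiding the real error.
bcdedit /debug on
rem Assumption: serial transport (typical for a VM); adjust for net/usb.
bcdedit /dbgsettings serial debugport:1 baudrate:115200
bcdedit /set {default} recoveryenabled No
bcdedit /set {default} bootstatuspolicy ignoreallfailures
rem Record the ImagePath before touching it so the exact original value is
rem known when it has to be put back.
reg query HKLM\SYSTEM\CurrentControlSet\Services\FltMgr /v ImagePath

rem ---- Part 2: offline restore of the ImagePath from the installer prompt.
rem Assumptions: Windows is installed on D: as seen from WinPE, and the
rem active control set is ControlSet001 (verify with the Select key query).
reg load HKLM\Offline D:\Windows\System32\config\SYSTEM
reg query HKLM\Offline\Select /v Current
rem Assumption: stock value is system32\drivers\fltmgr.sys; use the value
rem recorded in Part 1 if it differs.
reg add HKLM\Offline\ControlSet001\Services\FltMgr /v ImagePath /t REG_EXPAND_SZ /d "system32\drivers\fltmgr.sys" /f
reg unload HKLM\Offline
```

If the Select\Current query returns a number other than 1, substitute that control set (for example ControlSet002) in the reg add line before running it.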
I also have enabled it in bcdedit.
While booting a breakpoint has been reached with the following stack trace.
0: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
SYSTEM_SCAN_AT_RAISED_IRQL_CAUGHT_IMPROPER_DRIVER_UNLOAD (d4)
A driver unloaded without cancelling lookaside lists, DPCs, worker threads, etc.
The broken driver’s name is displayed on the screen.
When possible, the guilty driver’s name (Unicode string) is printed on
the bugcheck screen and saved in KiBugCheckDriver.
An attempt was made to access the driver at raised IRQL after it unloaded.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: fffff8019d1a7240, memory referenced
Arg2: 0000000000000002, IRQL
Arg3: 0000000000000000, value 0 = read operation, 1 = write operation
Arg4: fffff803e7154040, address which referenced memory
BUGCHECK_P1: fffff8019d1a7240
BUGCHECK_P2: 2
BUGCHECK_P3: 0
BUGCHECK_P4: fffff803e7154040
FAULTING_IP:
HPEDpHsmX64+a240
fffff801`9d1a7240 ?? ???
CPU_COUNT: 8
CPU_MHZ: a28
CPU_VENDOR: GenuineIntel
CPU_FAMILY: 6
CPU_MODEL: 2d
CPU_STEPPING: 7
DEFAULT_BUCKET_ID: WIN8_DRIVER_FAULT
BUGCHECK_STR: 0xD4
PROCESS_NAME: System
CURRENT_IRQL: 2
ANALYSIS_VERSION: 10.0.10240.9 amd64fre
STACK_TEXT:
ffffd001715ee428 fffff803e7261a46 : 0000000000000000 0000000000000000 ffffd001715ee590 fffff803e70ce8cc : nt!DbgBreakPointWithStatus
ffffd001715ee430 fffff803e7261357 : 0000000000000003 ffffd001715ee590 fffff803e71e5fd0 ffffd001715eeae0 : nt!KiBugCheckDebugBreak+0x12
ffffd001715ee490 fffff803e71d80a4 : 0000000000000000 ffffc000b35f9660 ffffe0016b68c5e0 ffffc000b35f9690 : nt!KeBugCheck2+0x8ab
ffffd001715eeba0 fffff803e71e3ae9 : 000000000000000a fffff8019d1a7240 0000000000000002 0000000000000000 : nt!KeBugCheckEx+0x104
ffffd001715eebe0 fffff803e71e233a : 0000000000000000 0000000000000000 0000000000000000 ffffd001715eed20 : nt!KiBugCheckDispatch+0x69
ffffd001715eed20 fffff803e7154040 : ffffd001715eee00 fffff803e7361940 0000000000000000 0000000020206f00 : nt!KiPageFault+0x23a
ffffd001715eeeb0 fffff803e7153f5d : 0000000074727044 ffffd001715eef80 ffffe0016c179000 0000000000000002 : nt!ExInitializeNPagedLookasideListInternal+0xdc
ffffd001715eeee0 fffff8019d9335fa : 0000000074727044 ffffd001715eef80 ffffe0016c179000 0000000000000002 : nt!ExInitializeNPagedLookasideList+0x2d
ffffd001715eef30 fffff8019d933089 : ffffe0016c17ce60 ffffe0016c179000 ffffe0016b8561a0 ffffe0016be846d0 : dxgkrnl!DpiInitializeGlobalState+0x406
ffffd001715ef170 fffff803e75417da : 0000008000000008 ffffe0016be846d0 0000000000000000 00000000000007ff : dxgkrnl!DriverEntry+0x59
ffffd001715ef1f0 fffff803e756885a : 0000000000000000 0000000000000000 0000000000000000 fffff803e7318d33 : nt!IopLoadDriver+0x5e2
ffffd001715ef4b0 fffff803e756880a : 0000000000000000 ffffffff80000108 0000000000000000 0000000000000801 : nt!IopLoadUnloadDriver+0x4e
ffffd001715ef4f0 fffff803e71e37b3 : ffffe0016b6b3040 ffffe0016c17bb00 ffffe0016c17a010 0000000000000076 : nt!NtLoadDriver+0x1da
ffffd001715ef5a0 fffff803e71dbc00 : fffff8019d1b315d 000000000000071a fffff803e731903f 0000000000000200 : nt!KiSystemServiceCopyEnd+0x13
ffffd001715ef738 fffff8019d1b315d : 000000000000071a fffff803e731903f 0000000000000200 0000000000000000 : nt!KiServiceLinkage
ffffd001715ef740 fffff8019d1b3005 : ffffe0016c17bb00 ffffe0016c17bb00 ffffe0016b608000 ffffd001715ef950 : BasicRender!DlpLoadDxgkrnl+0x5d
ffffd001715ef7a0 fffff8019d1b2e7d : ffffffff0000071a ffffe0016c17bb00 ffffe0016c17a000 0000000000000000 : BasicRender!DxgkInitialize+0x91
ffffd001715ef820 fffff803e75417da : ffffe0016c17c390 ffffe0016c17a000 0000000000000000 00000000000007ff : BasicRender!DriverEntry+0x2b5
ffffd001715ef850 fffff803e77911a7 : ffffe0016be998a8 ffffe0016be998a8 ffffd001715efb70 ffffe00120206f49 : nt!IopLoadDriver+0x5e2
ffffd001715efb10 fffff803e77b24ae : fffff80300000000 ffffc000b25749d0 ffffffff80000104 fffff803e5f9ad30 : nt!IopInitializeSystemDrivers+0x14f
ffffd001715efba0 fffff803e7633e56 : 0000000000000000 fffff803e5f9ad30 ffffe0016b6b3040 ffffe0016b698bc8 : nt!IoInitSystem+0x16
ffffd001715efbd0 fffff803e7153794 : ffffe0016b6b3040 0000000000000000 0000000000000000 0000000000000000 : nt!Phase1Initialization+0x2a
ffffd001715efc00 fffff803e71de5c6 : fffff803e736a180 ffffe0016b6b3040 fffff803e73d1a00 0000000000000000 : nt!PspSystemThreadStartup+0x58
ffffd001715efc60 0000000000000000 : ffffd001715f0000 ffffd001715ea000 0000000000000000 0000000000000000 : nt!KiStartSystemThread+0x16
STACK_COMMAND: kb
FOLLOWUP_IP:
HPEDpHsmX64+a240
fffff801`9d1a7240 ?? ???
SYMBOL_NAME: HPEDpHsmX64+a240
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: HPEDpHsmX64
IMAGE_NAME: HPEDpHsmX64.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 0
BUCKET_ID_FUNC_OFFSET: a240
FAILURE_BUCKET_ID: 0xD4_UNLOADED_MODULE_HPEDpHsmX64!Unknown_Function
BUCKET_ID: 0xD4_UNLOADED_MODULE_HPEDpHsmX64!Unknown_Function
PRIMARY_PROBLEM_CLASS: 0xD4_UNLOADED_MODULE_HPEDpHsmX64!Unknown_Function
ANALYSIS_SOURCE: KM
FAILURE_ID_HASH_STRING: km:0xd4_unloaded_module_hpedphsmx64!unknown_function
FAILURE_ID_HASH: {6130c85b-e154-1068-0440-cc8e6d882785}
Followup: MachineOwner
Your driver was unloaded? Also make sure fltmgr is present in loaded module
list.
Not sure why the driver is being unloaded here.
The driver cleans up all the resources while being unloaded but I see both fltmgr and fltmgrdbg.sys loaded.
7: kd> !lmi fltmgr.sys
Loaded Module Info: [fltmgr.sys]
Module: FLTMGR
Base Address: fffff8019d4b4000
Image Name: FLTMGR.SYS
Machine Type: 34404 (X64)
Time Stamp: 530894ec Sat Feb 22 17:45:40 2014
Size: 5c000
CheckSum: 5886e
Characteristics: 2022
Debug Data Dirs: Type Size VA Pointer
CODEVIEW 23, 17bf8, 16ff8 RSDS - GUID: {F415B4E3-A12F-4EA9-8E02-002E3847B7B9}
Age: 2, Pdb: fltMgr.pdb
CLSID 8, 17bf0, 16ff0 [Data not mapped]
Symbol Type: DEFERRED - No error - symbol load deferred
Load Report: no symbols loaded
7: kd> !lmi fltmgrdbg.sys
Loaded Module Info: [fltmgrdbg.sys]
Module: fltmgrdbg
Base Address: fffff8019cda1000
Image Name: fltmgrdbg.sys
Machine Type: 34404 (X64)
Time Stamp: 530894ec Sat Feb 22 17:45:40 2014
Size: 5c000
CheckSum: 572f7
Characteristics: 2022
Debug Data Dirs: Type Size VA Pointer
CODEVIEW 23, 17bf8, 16ff8 RSDS - GUID: {F415B4E3-A12F-4EA9-8E02-002E3847B7B9}
Age: 2, Pdb: fltMgr.pdb
CLSID 8, 17bf0, 16ff0 [Data not mapped]
Symbol Type: DEFERRED - No error - symbol load deferred
Load Report: no symbols loaded
Interesting. When you have to backup original fltmgr and replace it with
patched one. Also you have to restore ImagePath value to its original state
and try all again.
On 24 Nov 2016 at 8:03 PM, user <mandar.nanivadekar> wrote:
> Not sure why the driver is being unloaded here.
> The driver cleans up all the resources while being unloaded but I see both
> fltmgr and fltmgrdbg.sys loaded.
>
> 7: kd> !lmi fltmgr.sys
> Loaded Module Info: [fltmgr.sys]
> Module: FLTMGR
> Base Address: fffff8019d4b4000
> Image Name: FLTMGR.SYS
> Machine Type: 34404 (X64)
> Time Stamp: 530894ec Sat Feb 22 17:45:40 2014
> Size: 5c000
> CheckSum: 5886e
> Characteristics: 2022
> Debug Data Dirs: Type Size VA Pointer
> CODEVIEW 23, 17bf8, 16ff8 RSDS - GUID: {F415B4E3-A12F-4EA9-8E02-002E3847B7B9}
> Age: 2, Pdb: fltMgr.pdb
> CLSID 8, 17bf0, 16ff0 [Data not mapped]
> Symbol Type: DEFERRED - No error - symbol load deferred
> Load Report: no symbols loaded
> 7: kd> !lmi fltmgrdbg.sys
> Loaded Module Info: [fltmgrdbg.sys]
> Module: fltmgrdbg
> Base Address: fffff8019cda1000
> Image Name: fltmgrdbg.sys
> Machine Type: 34404 (X64)
> Time Stamp: 530894ec Sat Feb 22 17:45:40 2014
> Size: 5c000
> CheckSum: 572f7
> Characteristics: 2022
> Debug Data Dirs: Type Size VA Pointer
> CODEVIEW 23, 17bf8, 16ff8 RSDS - GUID: {F415B4E3-A12F-4EA9-8E02-002E3847B7B9}
> Age: 2, Pdb: fltMgr.pdb
> CLSID 8, 17bf0, 16ff0 [Data not mapped]
> Symbol Type: DEFERRED - No error - symbol load deferred
> Load Report: no symbols loaded
> When you have to backup
Then you have to
Sorry for my English.
I will revert the VM snapshot so that the machine boots, and retry.
Not sure why both fltmgr and fltmgrdbg are loaded.
Just to re-ensure the steps: is there anything else needed?
> I will revert the VM snapshot, so that the machine boots and retry again.
Even easier.
> Just to re-ensure the steps
First of all, fltmgr is a system file and we don't know what exactly bootmgr
does with it, so I think we should try another way.
Now try just to replace original file with patched one.
Also, when your debugger is attached, run the "u fltmgr+0x4F4E" command and
tell me what it says.
When the original binary is patched, it always goes into recovery and fails to boot.
I guess it detects the file change.
I will run the other command and post the output after some time.