checked fltmgr on windows7

Hi, all.

I replaced ‘fltmgr.sys’ and ‘ntfs.sys’ with checked version.
While the system is starting, an assert failure occurred.
Here is stack trace:

kd> g
Access violation - code c0000005 (!!! second chance !!!)
00000000 ?? ???
kd> kv
STACK_TEXT:
WARNING: Frame IP not in any known module. Following frames may be wrong.
8078610c 8568eaa1 00000000 00000000 00000000 0x0
80786124 8569603a 8569f000 80786194 80786148 FLTMGR!ExAllocateFromNPagedLookasideList+0x27
80786134 856960d8 80786194 8c3f1b28 00000001 FLTMGR!FltpAllocateNameGenerationContext+0x10
80786148 856abccb 80786194 00000000 8c3f1b28 FLTMGR!FltpAllocateInitializeNameGenerationContext+0x10
80786184 85c96b54 8c3f1b28 00000000 00000101 FLTMGR!FltGetFileNameInformationUnsafe+0x4b
807861a4 85c96be5 8c3f1b28 807861c4 807861c0 tcpip!WfpAleQueryNormalizedImageFileName+0x26
807861c8 85c96e05 8c3f1b28 80786208 80786218 tcpip!WfpAleCaptureImageFileName+0x21
8078621c 83e99278 8c3f1670 00000108 80786240 tcpip!WfpCreateProcessNotifyRoutine+0xe3
807862d4 83e98563 8c3f8020 013f1670 80786330 nt!PspInsertThread+0x5be
807869e0 83c8544a 80786c2c 80786c30 02000000 nt!NtCreateUserProcess+0x742
807869e0 83c83109 80786c2c 80786c30 02000000 nt!KiFastCallEntry+0x12a
80786a84 83ff3ebc 80786c2c 80786c30 02000000 nt!ZwCreateUserProcess+0x11
80786be4 83ff3d29 8c3f7040 8c3f7008 00000100 nt!RtlpCreateUserProcess+0x183
80786bf8 83ff5174 8c3f7040 80786c28 80813018 nt!RtlCreateUserProcess+0x38
80786c70 83ff4f33 853f7a80 853f76e0 00000000 nt!StartFirstUserProcess+0x184
80786d48 83dcd47c 80786d90 83e506bb 8080baa0 nt!Phase1InitializationDiscard+0xda8
80786d50 83e506bb 8080baa0 fa10e9f1 00000000 nt!Phase1Initialization+0xd
80786d90 83d020f9 83dcd46f 8080baa0 00000000 nt!PspSystemThreadStartup+0x9e
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x19

Is there something I am overlooking?

Thanks in adv!

Alex.

Did you also have a checked kernel and HAL? Many of the checked components
rely on the kernel and HAL being checked.

Don Burn (MVP, Windows DDK)
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr

-----Original Message-----
From: xxxxx@gmail.com [mailto:xxxxx@gmail.com]
Posted At: Friday, May 07, 2010 5:32 AM
Posted To: ntfsd
Conversation: checked fltmgr on windows7
Subject: checked fltmgr on windows7

IIRC you can use just a checked fltmgr and ntfs without a kernel and HAL.
That’s the configuration the IFS plugfest has been using for a while.

Could you perhaps look at the disassembly leading to this assert and figure
out what went wrong?

Thanks,
Alex.

Don, Alex,

Thanks for your reply.

I use just checked fltmgr and ntfs.

Here is the disassembly:
kd> uf FLTMGR!ExAllocateFromNPagedLookasideList
FLTMGR!ExAllocateFromPagedLookasideList:
856bca7a 8bff mov edi,edi
856bca7c 55 push ebp
856bca7d 8bec mov ebp,esp
856bca7f 56 push esi
856bca80 8b7508 mov esi,dword ptr [ebp+8]
856bca83 ff460c inc dword ptr [esi+0Ch]
856bca86 8bce mov ecx,esi
856bca88 ff1540706c85 call dword ptr [FLTMGR!_imp_InterlockedPopEntrySList (856c7040)]
856bca8e 85c0 test eax,eax
856bca90 750f jne FLTMGR!ExAllocateFromNPagedLookasideList+0x27 (856bcaa1)

FLTMGR!ExAllocateFromNPagedLookasideList+0x18:
856bca92 ff7620 push dword ptr [esi+20h]
856bca95 ff4610 inc dword ptr [esi+10h]
856bca98 ff7624 push dword ptr [esi+24h]
856bca9b ff761c push dword ptr [esi+1Ch]
856bca9e ff5628 call dword ptr [esi+28h] <== here

FLTMGR!ExAllocateFromNPagedLookasideList+0x27:
856bcaa1 5e pop esi
856bcaa2 5d pop ebp
856bcaa3 c20400 ret 4
kd> dd @esi+28h
856cd028 00000000 00000000 00000000 00000000
856cd038 00000000 00000000 00000000 00000000
856cd048 00000000 00000000 00000000 00000000
856cd058 00000000 00000000 00000000 00000000
856cd068 00000000 00000000 00000000 00000000
856cd078 00000000 00000000 00000000 00000000
856cd088 00000000 00000000 00000000 00000000
856cd098 00000000 00000000 00000000 00000000

And output of '!analyze -v':

kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

Unknown bugcheck code (0)
Unknown bugcheck description
Arguments:
Arg1: 00000000
Arg2: 00000000
Arg3: 00000000
Arg4: 00000000

Debugging Details:

PROCESS_NAME: System

FAULTING_IP:
+19
00000000 ?? ???

EXCEPTION_RECORD: ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 00000000
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000008
Parameter[1]: 00000000
Attempt to execute non-executable address 00000000

ERROR_CODE: (NTSTATUS) 0xc0000005 - 0x%08lx

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - 0x%08lx

EXCEPTION_PARAMETER1: 00000008

EXCEPTION_PARAMETER2: 00000000

WRITE_ADDRESS: 00000000

FOLLOWUP_IP:
tcpip!WfpAleQueryNormalizedImageFileName+26
85c8fb54 85c0 test eax,eax

FAILED_INSTRUCTION_ADDRESS:
+68ef2faf0093df54
00000000 ?? ???

BUGCHECK_STR: ACCESS_VIOLATION

DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT

CURRENT_IRQL: 0

LAST_CONTROL_TRANSFER: from 856bcaa1 to 00000000

STACK_TEXT:
WARNING: Frame IP not in any known module. Following frames may be wrong.
8078610c 856bcaa1 00000000 00000000 00000000 0x0
80786124 856c403a 856cd000 80786194 80786148 FLTMGR!ExAllocateFromNPagedLookasideList+0x27
80786134 856c40d8 80786194 8c402038 00000001 FLTMGR!FltpAllocateNameGenerationContext+0x10
80786148 856d9ccb 80786194 00000000 8c402038 FLTMGR!FltpAllocateInitializeNameGenerationContext+0x10
80786184 85c8fb54 8c402038 00000000 00000101 FLTMGR!FltGetFileNameInformationUnsafe+0x4b
807861a4 85c8fbe5 8c402038 807861c4 807861c0 tcpip!WfpAleQueryNormalizedImageFileName+0x26
807861c8 85c8fe05 8c402038 80786208 80786218 tcpip!WfpAleCaptureImageFileName+0x21
8078621c 83e72278 8c402b80 00000108 80786240 tcpip!WfpCreateProcessNotifyRoutine+0xe3
807862d4 83e71563 8c402630 01402b80 80786330 nt!PspInsertThread+0x5be
807869e0 83c5e44a 80786c2c 80786c30 02000000 nt!NtCreateUserProcess+0x742
807869e0 83c5c109 80786c2c 80786c30 02000000 nt!KiFastCallEntry+0x12a
80786a84 83fccebc 80786c2c 80786c30 02000000 nt!ZwCreateUserProcess+0x11
80786be4 83fccd29 8c3bd040 8c3bd008 00000100 nt!RtlpCreateUserProcess+0x183
80786bf8 83fce174 8c3bd040 80786c28 80813018 nt!RtlCreateUserProcess+0x38
80786c70 83fcdf33 853d8a80 853d86e0 00000000 nt!StartFirstUserProcess+0x184
80786d48 83da647c 80786d90 83e296bb 8080baa0 nt!Phase1InitializationDiscard+0xda8
80786d50 83e296bb 8080baa0 9e33b861 00000000 nt!Phase1Initialization+0xd
80786d90 83cdb0f9 83da646f 8080baa0 00000000 nt!PspSystemThreadStartup+0x9e
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x19

STACK_COMMAND: kb

SYMBOL_STACK_INDEX: 5

SYMBOL_NAME: tcpip!WfpAleQueryNormalizedImageFileName+26

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: tcpip

IMAGE_NAME: tcpip.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 4a5bbf8e

FAILURE_BUCKET_ID: ACCESS_VIOLATION_VRF_NULL_IP_tcpip!WfpAleQueryNormalizedImageFileName+26

BUCKET_ID: ACCESS_VIOLATION_VRF_NULL_IP_tcpip!WfpAleQueryNormalizedImageFileName+26

Followup: MachineOwner

I found two fltmgr modules loaded:

kd> lm
start end module name

85637000 856aa000 fltMgr_chk (deferred)
856bb000 856ef000 FLTMGR (deferred)

kd> lmvm FLTMGR
start end module name
856bb000 856ef000 FLTMGR (pdb symbols) d:\symbols\fltMgr.pdb\E6CA9E082E70438988788CB58DB340B01\fltMgr.pdb
Loaded symbol image file: FLTMGR.SYS
Image path: \SystemRoot\system32\drivers\FLTMGR.SYS
Image name: FLTMGR.SYS

kd> lmvm fltmgr_chk
start end module name
85637000 856aa000 fltMgr_chk (deferred)
Image path: \SystemRoot\system32\drivers\fltMgr_chk.sys
Image name: fltMgr_chk.sys

I changed the ‘ImagePath’ in ‘HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\FltMgr’ to use the checked fltmgr.sys.
But it seems that the system loads the original one.

Alex.

Er…
I am sorry for a mistake in my last post.
The system is using the checked fltmgr.

kd> !devstack 0x8c2e3018
!DevObj !DrvObj !DevExt ObjectName
8c2cbe30 \FileSystem\FltMgr 8c2cbee8

8c2e3018 \FileSystem\Ntfs 8c2e30d0

kd> !devobj 8c2cbe30
Device object (8c2cbe30) is for:
\FileSystem\FltMgr DriverObject 8c19b670
Current Irp 00000000 RefCount 0 Type 00000008 Flags 00040000
DevExt 8c2cbee8 DevObjExt 8c2cbf18
ExtensionFlags (0x80000800) DOE_DESIGNATED_FDO
Unknown flags 0x00000800
AttachedTo (Lower) 8c2e3018 \FileSystem\Ntfs
Device queue is not busy.

kd> dt _driver_object 8c19b670
nt!_DRIVER_OBJECT
+0x000 Type : 0n4
+0x002 Size : 0n168
+0x004 DeviceObject : 0x8c2cbe30 _DEVICE_OBJECT
+0x008 Flags : 0x1a
+0x00c DriverStart : 0x85637000 Void
+0x010 DriverSize : 0x73000
+0x014 DriverSection : 0x853b1460 Void
+0x018 DriverExtension : 0x8c19b718 _DRIVER_EXTENSION
+0x01c DriverName : _UNICODE_STRING “\FileSystem\FltMgr”
+0x024 HardwareDatabase : 0x83f85250 _UNICODE_STRING “\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM”
+0x028 FastIoDispatch : 0x8c1a5600 _FAST_IO_DISPATCH
+0x02c DriverInit : 0x8569df34 long fltMgr_chk!GsDriverEntry+0
+0x030 DriverStartIo : (null)
+0x034 DriverUnload : (null)
+0x038 MajorFunction : [28] 0x85671f2c long fltMgr_chk!FltpCreate+0

And ntfs is checked too:
kd> dt _driver_object 8c1d3470
nt!_DRIVER_OBJECT
+0x000 Type : 0n4
+0x002 Size : 0n168
+0x004 DeviceObject : 0x8c2e3018 _DEVICE_OBJECT
+0x008 Flags : 0x9a
+0x00c DriverStart : 0x85802000 Void
+0x010 DriverSize : 0x1da000
+0x014 DriverSection : 0x853b12e0 Void
+0x018 DriverExtension : 0x8c1d3518 _DRIVER_EXTENSION
+0x01c DriverName : _UNICODE_STRING “\FileSystem\Ntfs”
+0x024 HardwareDatabase : 0x83f85250 _UNICODE_STRING “\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM”
+0x028 FastIoDispatch : 0x85861c00 _FAST_IO_DISPATCH
+0x02c DriverInit : 0x859a56d3 long ntfs_chk!GsDriverEntry+0
+0x030 DriverStartIo : (null)
+0x034 DriverUnload : (null)
+0x038 MajorFunction : [28] 0x858ac6c6 long ntfs_chk!NtfsFsdCreate+0

But why are there two fltmgr entries in the output of ‘lm’?
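An added check, not part of the thread: with two fltmgr images loaded, it helps to map each `kv` frame's instruction pointer to whichever `lm` range contains it, rather than trusting the symbol prefix alone. The frame's IP is the RetAddr column of the line above it, which is why the first frame gets no IP here. The sample input is constructed from the `lm` and `kv` output posted above.

```python
import re

# Sample input constructed from the `lm` and `kv` output quoted in the thread.
LM_OUTPUT = """\
start end module name
85637000 856aa000 fltMgr_chk (deferred)
856bb000 856ef000 FLTMGR (deferred)
"""

KV_OUTPUT = """\
WARNING: Frame IP not in any known module. Following frames may be wrong.
8078610c 856bcaa1 00000000 00000000 00000000 0x0
80786124 856c403a 856cd000 80786194 80786148 FLTMGR!ExAllocateFromNPagedLookasideList+0x27
80786134 856c40d8 80786194 8c402038 00000001 FLTMGR!FltpAllocateNameGenerationContext+0x10
80786148 856d9ccb 80786194 00000000 8c402038 FLTMGR!FltpAllocateInitializeNameGenerationContext+0x10
80786184 85c8fb54 8c402038 00000000 00000101 FLTMGR!FltGetFileNameInformationUnsafe+0x4b
"""

# `lm`: start end name ...   /   `kv`: ChildEBP RetAddr Arg1 Arg2 Arg3 Symbol
LM_RE = re.compile(r"^([0-9a-f]{8})\s+([0-9a-f]{8})\s+(\S+)", re.I)
KV_RE = re.compile(r"^([0-9a-f]{8})\s+([0-9a-f]{8})\s+(?:[0-9a-f]{8}\s+){3}(\S+)", re.I)

def parse_lm(text):
    """Return [(start, end, module)] from `lm` output; header lines do not match."""
    mods = []
    for line in text.splitlines():
        m = LM_RE.match(line.strip())
        if m:
            mods.append((int(m.group(1), 16), int(m.group(2), 16), m.group(3)))
    return mods

def module_for(addr, mods):
    """Name of the loaded image whose [start, end) range contains addr, else None."""
    for start, end, name in mods:
        if start <= addr < end:
            return name
    return None

def attribute_frames(lm_text, kv_text):
    """Pair each `kv` frame's symbol with the image that actually contains its IP.
    The IP of frame N is the RetAddr column of frame N-1."""
    mods = parse_lm(lm_text)
    frames = [KV_RE.match(line.strip()) for line in kv_text.splitlines()]
    frames = [f for f in frames if f]
    result = []
    for prev, cur in zip(frames, frames[1:]):
        ip = int(prev.group(2), 16)
        result.append((cur.group(3), ip, module_for(ip, mods)))
    return result
```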