CSQ problem when unload driver

NTFSD
1

Hi all.
I develop file system filter driver, legacy model.
There is control object, and it has CSQ to manage control IRPs from my app.
It seems that all works fine, but I get BSOD when trying to unload driver (via SC).
I need unloadable driver mainly for testing and developing, but I cant be sure driver is generally OK until it gives such BSODs.
I have removed any usage of CSQ, and now driver is just like a sample with control object, but with initializing of CSQ in DriverEntry. It still gives BSOD with this on unload, and without initializing of CSQ all works fine.
May be driver with CSQ could not be unloadable at all?

*****************************************************
NTSTATUS DriverEntry(
__inout PDRIVER_OBJECT DriverObject,
__in PUNICODE_STRING RegistryPath
)
{
NTSTATUS status = STATUS_SUCCESS;
ULONG i = 0;

//ASSERT(FALSE); // This will break to debugger

// Store our driver object.
g_fsFilterDriverObject = DriverObject;

// Initialize the driver object dispatch table.
for (i = 0; i <= IRP_MJ_MAXIMUM_FUNCTION; ++i)
{
DriverObject->MajorFunction[i] = FsFilterDispatchPassThrough;
}

DriverObject->MajorFunction[IRP_MJ_CREATE] = FsFilterDispatchCreate;

DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = FsFilterDispatchDeviceControl;

DriverObject->MajorFunction[IRP_MJ_CLOSE] = FsFilterDispatchClose;

DriverObject->MajorFunction[IRP_MJ_CLEANUP] = FsFilterDispatchCleanup;

DriverObject->MajorFunction[IRP_MJ_FILE_SYSTEM_CONTROL] = FsFilterDispatchFileSystemControl;

// Set fast-io dispatch table.
DriverObject->FastIoDispatch = &g_fastIoDispatch;

// Registered callback routine for file system changes.
status = IoRegisterFsRegistrationChange(DriverObject, FsFilterNotificationCallback);
if (!NT_SUCCESS(status))
{
return status;
}

// Set driver unload routine (debug purpose only).
DriverObject->DriverUnload = FsFilterUnload;

// Create control object
FilterCreateControlObject(DriverObject);

return STATUS_SUCCESS;
}
***********************************************
NTSTATUS FilterCreateControlObject(IN PDRIVER_OBJECT DriverObject)
{
UNICODE_STRING ntDeviceName;
UNICODE_STRING symbolicLinkName;
PDEVICE_EXTENSION devExtension;

NTSTATUS status, status1;

// Initialize the unicode strings
RtlInitUnicodeString(&ntDeviceName, NTDEVICE_NAME_STRING);
RtlInitUnicodeString(&symbolicLinkName, SYMBOLIC_NAME_STRING);

// Create a named deviceobject so that applications or drivers
// can directly talk to us without going throuhg the entire stack.
// This call could fail if there are not enough resources or
// another deviceobject of same name exists (name collision).
status = IoCreateDevice(DriverObject,
sizeof(PDEVICE_EXTENSION),
&ntDeviceName,
FILE_DEVICE_UNKNOWN,
FILE_DEVICE_SECURE_OPEN,
FALSE,
&ControlDeviceObject);

DbgPrint(“Creating IoCreateDevice \n”);

if (NT_SUCCESS( status ))
{

ControlDeviceObject->Flags |= DO_BUFFERED_IO;

status = IoCreateSymbolicLink( &symbolicLinkName, &ntDeviceName );

if ( !NT_SUCCESS( status ))
{
IoDeleteDevice(ControlDeviceObject);
DbgPrint(“IoCreateSymbolicLink failed \n”);
return status;
}

devExtension = ControlDeviceObject->DeviceExtension;

ControlDeviceObject->Flags &= ~DO_DEVICE_INITIALIZING;

KeInitializeSpinLock(&devExtension->QueueLock);

InitializeListHead(&devExtension->PendingIrpQueue);

status1 = IoCsqInitializeEx(&devExtension->CancelSafeQueue,
CsampInsertIrp,
CsampRemoveIrp,
CsampPeekNextIrp,
CsampAcquireLock,
CsampReleaseLock,
CsampCompleteCanceledIrp);

if ( !NT_SUCCESS( status1 ))
{
IoDeleteDevice(ControlDeviceObject);
DbgPrint(“Initializing CSQ failed!\n”);
return status;
}

}
else
{
DbgPrint(“IoCreateDevice failed \n”);
}
return status;

}
**************************************************

2

I’m very sorry :frowning:
I forgot add this info:
BSOD is IRQL_NOT_LESS_OR_EQUAL
also code for unloading
*****************
VOID FsFilterUnload(
__in PDRIVER_OBJECT DriverObject
)
{
ULONG numDevices = 0;
ULONG i = 0;
LARGE_INTEGER interval;
PDEVICE_OBJECT devList[DEVOBJ_LIST_SIZE];

interval.QuadPart = (5 * DELAY_ONE_SECOND); //delay 5 seconds

// Unregistered callback routine for file system changes.
IoUnregisterFsRegistrationChange(DriverObject, FsFilterNotificationCallback);

// Delete control object
FilterDeleteControlObject();

// This is the loop that will go through all of the devices we are attached
// to and detach from them.
for (;:wink:
{
IoEnumerateDeviceObjectList(
DriverObject,
devList,
sizeof(devList),
&numDevices);

if (0 == numDevices)
{
break;
}

numDevices = min(numDevices, RTL_NUMBER_OF(devList));

for (i = 0; i < numDevices; ++i)
{
FsFilterDetachFromDevice(devList[i]);
ObDereferenceObject(devList[i]);
}

KeDelayExecutionThread(KernelMode, FALSE, &interval);
}

DbgPrint(“Delete FsFilter \n”);
}
*****************
VOID FilterDeleteControlObject()
{
UNICODE_STRING symbolicLinkName;

if(ControlDeviceObject)
{
RtlInitUnicodeString(&symbolicLinkName, SYMBOLIC_NAME_STRING);

IoDeleteSymbolicLink(&symbolicLinkName);
IoDeleteDevice(ControlDeviceObject);
ControlDeviceObject->DeviceExtension = NULL;
ControlDeviceObject= NULL;
DbgPrint(“Delete IoCreateDevice \n”);
}

}
*****************

3

Output of !analyze -v is needed for anyone to even have a clue as to what is going wrong. Also, you want to clear DO_DEVICE_INITIALIZING, ie

ControlDeviceObject->Flags &= ~DO_DEVICE_INITIALIZING;

AFTER you have initialized the device object and its device extension, not before. Technically as soon as you clear the flag, you could see a create irp coming into the device and you could still be in the middle of initializing the device extension, thus putting your driver in a very weird state

d

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@gmail.com
Sent: Monday, December 06, 2010 11:05 PM
To: Windows File Systems Devs Interest List
Subject: RE:[ntfsd] CSQ problem when unload driver

I’m very sorry :frowning:
I forgot add this info:
BSOD is IRQL_NOT_LESS_OR_EQUAL
also code for unloading
*****************
VOID FsFilterUnload(
__in PDRIVER_OBJECT DriverObject
)
{
ULONG numDevices = 0;
ULONG i = 0;
LARGE_INTEGER interval;
PDEVICE_OBJECT devList[DEVOBJ_LIST_SIZE];

interval.QuadPart = (5 * DELAY_ONE_SECOND); //delay 5 seconds

// Unregistered callback routine for file system changes.
IoUnregisterFsRegistrationChange(DriverObject, FsFilterNotificationCallback);

// Delete control object
FilterDeleteControlObject();

// This is the loop that will go through all of the devices we are attached
// to and detach from them.
for (;:wink:
{
IoEnumerateDeviceObjectList(
DriverObject,
devList,
sizeof(devList),
&numDevices);

if (0 == numDevices)
{
break;
}

numDevices = min(numDevices, RTL_NUMBER_OF(devList));

for (i = 0; i < numDevices; ++i)
{
FsFilterDetachFromDevice(devList[i]);
ObDereferenceObject(devList[i]);
}

KeDelayExecutionThread(KernelMode, FALSE, &interval);
}

DbgPrint(“Delete FsFilter \n”);
}
*****************
VOID FilterDeleteControlObject()
{
UNICODE_STRING symbolicLinkName;

if(ControlDeviceObject)
{
RtlInitUnicodeString(&symbolicLinkName, SYMBOLIC_NAME_STRING);

IoDeleteSymbolicLink(&symbolicLinkName);
IoDeleteDevice(ControlDeviceObject);
ControlDeviceObject->DeviceExtension = NULL;
ControlDeviceObject= NULL;
DbgPrint(“Delete IoCreateDevice \n”);
}

}
*****************

NTFSD is sponsored by OSR

For our schedule of debugging and file system seminars (including our new fs mini-filter seminar) visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

4

Could you please post the !analyze -v output as well ?

Also, do you drain the CSQ someplace before unloading ? (for example by
calling the CsampCompleteCanceledIrp routine for each IRP in the queue ?)

Thanks,
Alex.

5

Ok.

  1. BSOD changed from IRQL_NOT_LESS_OR_EQUAL to “BugCheck 7E” after I added prefast annotations like in sample:
    ***********************
    __drv_raisesIRQL(DISPATCH_LEVEL)
    __drv_maxIRQL(DISPATCH_LEVEL)
    VOID CsampAcquireLock(…

    __drv_requiresIRQL(DISPATCH_LEVEL)
    VOID CsampReleaseLock(…

    ************************
    but BSOD is still present on driver unload and I beleive problem is the same.

  2. Alex Carp, I dont drain CSQ somewhere, because I dont fill it. I have only initialization. Actually I had usage of it but i commented it to find out root cause of unload problem. I dont know if just dummy initialization of CSQ can cause such fault.

  3. Doron Holan, I have “fixed” DO_DEVICE_INITIALIZING flag, but it didnt help me with current problem :frowning: but thank you, i’m a newbe with such details.

  4. !analyze -v. comment after output
    *****************
    2: kd> !analyze -v

    SYSTEM_THREAD_EXCEPTION_NOT_HANDLED (7e)
    This is a very common bugcheck. Usually the exception address pinpoints
    the driver/function that caused the problem. Always note this address
    as well as the link date of the driver/image that contains this address.
    Arguments:
    Arg1: c0000005, The exception code that was not handled
    Arg2: 80547ba3, The address that the exception occurred at
    Arg3: f78f2b34, Exception Record Address
    Arg4: f78f2830, Context Record Address

Debugging Details:


*** Your debugger is not using the correct symbols ***
*** ***

*** Type referenced: nt!_MM_DRIVER_VERIFIER_DATA ***
… ***
*** Type referenced: nt!_KPRCB ***
… ***
*** Type referenced: nt!KPRCB ***
… ***
*** ***
*** Type referenced: nt!_KPRCB ***
… ***
*** ***
*** Type referenced: nt!KPRCB ***
… ***
*** Type referenced: nt!_KPRCB ***
… ***
*** Type referenced: nt!_KPRCB ***
… ***
*** Type referenced: nt!_KPRCB ***

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 -

FAULTING_IP:
nt!VfGetPDO+a
80547ba3 8b4918 mov ecx,dword ptr [ecx+18h]

EXCEPTION_RECORD: f78f2b34 – (.exr 0xfffffffff78f2b34)
ExceptionAddress: 80547ba3 (nt!VfGetPDO+0x0000000a)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 4d8b0860
Attempt to read from address 4d8b0860

CONTEXT: f78f2830 – (.cxr 0xfffffffff78f2830)
eax=a76caab0 ebx=00000000 ecx=4d8b0848 edx=8592cf10 esi=8592cf10 edi=a833bb84
eip=80547ba3 esp=f78f2bfc ebp=f78f2bfc iopl=0 nv up ei pl nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010206
nt!VfGetPDO+0xa:
80547ba3 8b4918 mov ecx,dword ptr [ecx+18h] ds:0023:4d8b0860=???
Resetting default scope

DEFAULT_BUCKET_ID: DRIVER_FAULT

BUGCHECK_STR: 0x7E

LAST_CONTROL_TRANSFER: from 80678893 to 80547ba3

STACK_TEXT:
f78f2bfc 80678893 8592cf10 8592cf10 f78f2c18 nt!VfGetPDO+0xa
f78f2c0c 80674481 8592cf10 f78f2c28 8052082b nt!VfHalDeleteDevice+0xf
f78f2c18 8052082b 8592cf10 a833bb84 f78f2c3c nt!IovDeleteDevice+0x16
f78f2c28 a76ca7c7 8592cf10 00320030 a76cade0 nt!IoDeleteDevice+0x18
f78f2c3c a76c951b b9cf4850 80000000 b9d49b88 FsFilter!FilterDeleteControlObject+0x37 [d:\job\antivir\fsfilter\fsfilter\controlobject.c @ 91]
f78f2d60 805f18f8 85958d98 a833bb84 8056a5fc FsFilter!FsFilterUnload+0x3b [d:\job\antivir\fsfilter\fsfilter\main.c @ 126]
f78f2d7c 804e23b5 a833bb84 00000000 8a0c73c8 nt!IopLoadUnloadDriver+0x19
f78f2dac 80575723 a833bb84 00000000 00000000 nt!ExpWorkerThread+0xef
f78f2ddc 804ec6d9 804e22f1 00000001 00000000 nt!PspSystemThreadStartup+0x34
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16

FOLLOWUP_IP:
FsFilter!FilterDeleteControlObject+37 [d:\job\antivir\fsfilter\fsfilter\controlobject.c @ 91]
a76ca7c7 8be5 mov esp,ebp

FAULTING_SOURCE_CODE:
87: // ControlDeviceObject= NULL;
88: //DbgPrint(“Delete IoCreateDevice \n”);
89: }
90:
> 91: }
92:
93:
94: NTSTATUS ControlObjectDispatchIo(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp)
95: {
96: PIO_STACK_LOCATION irpStack;

SYMBOL_STACK_INDEX: 4

SYMBOL_NAME: FsFilter!FilterDeleteControlObject+37

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: FsFilter

IMAGE_NAME: FsFilter.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 4cfe9b0e

STACK_COMMAND: .cxr 0xfffffffff78f2830 ; kb

FAILURE_BUCKET_ID: 0x7E_VRF_FsFilter!FilterDeleteControlObject+37

BUCKET_ID: 0x7E_VRF_FsFilter!FilterDeleteControlObject+37

Followup: MachineOwner

*****************

it shows FAULTING_SOURCE_CODE on any source line after IoDeleteDevice(ControlDeviceObject); in

VOID FilterDeleteControlObject()
{
UNICODE_STRING symbolicLinkName;

if(ControlDeviceObject)
{
RtlInitUnicodeString(&symbolicLinkName, SYMBOLIC_NAME_STRING);

IoDeleteSymbolicLink(&symbolicLinkName);
IoDeleteDevice(ControlDeviceObject);
//ControlDeviceObject->DeviceExtension = NULL;
// ControlDeviceObject= NULL;
//DbgPrint(“Delete IoCreateDevice \n”);
}

}

I commented lines spet by step to check this.
This makes me crazy, because if I just comment call IoCsqInitializeEx all works fine.

6

The annotations do not effect compilation or runtime. Did you run prefast for drivers after you added them? Fix your symbols, what is your .sympath?

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@gmail.com
Sent: Tuesday, December 07, 2010 1:01 PM
To: Windows File Systems Devs Interest List
Subject: RE:[ntfsd] CSQ problem when unload driver

Ok.

  1. BSOD changed from IRQL_NOT_LESS_OR_EQUAL to “BugCheck 7E” after I added prefast annotations like in sample:
    ***********************
    __drv_raisesIRQL(DISPATCH_LEVEL)
    __drv_maxIRQL(DISPATCH_LEVEL)
    VOID CsampAcquireLock(…

    __drv_requiresIRQL(DISPATCH_LEVEL)
    VOID CsampReleaseLock(…

    ************************
    but BSOD is still present on driver unload and I beleive problem is the same.

  2. Alex Carp, I dont drain CSQ somewhere, because I dont fill it. I have only initialization. Actually I had usage of it but i commented it to find out root cause of unload problem. I dont know if just dummy initialization of CSQ can cause such fault.

  3. Doron Holan, I have “fixed” DO_DEVICE_INITIALIZING flag, but it didnt help me with current problem :frowning: but thank you, i’m a newbe with such details.

  4. !analyze -v. comment after output
    *****************
    2: kd> !analyze -v

    SYSTEM_THREAD_EXCEPTION_NOT_HANDLED (7e) This is a very common bugcheck. Usually the exception address pinpoints the driver/function that caused the problem. Always note this address as well as the link date of the driver/image that contains this address.
    Arguments:
    Arg1: c0000005, The exception code that was not handled
    Arg2: 80547ba3, The address that the exception occurred at
    Arg3: f78f2b34, Exception Record Address
    Arg4: f78f2830, Context Record Address

Debugging Details:


*** Your debugger is not using the correct symbols ***
*** ***

*** Type referenced: nt!_MM_DRIVER_VERIFIER_DATA ***
… ***
*** Type referenced: nt!_KPRCB ***
… ***
*** Type referenced: nt!KPRCB ***
… ***
*** ***
*** Type referenced: nt!_KPRCB ***
… ***
*** ***
*** Type referenced: nt!KPRCB ***
… ***
*** Type referenced: nt!_KPRCB ***
… ***
*** Type referenced: nt!_KPRCB ***
… ***
*** Type referenced: nt!_KPRCB ***

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 -

FAULTING_IP:
nt!VfGetPDO+a
80547ba3 8b4918 mov ecx,dword ptr [ecx+18h]

EXCEPTION_RECORD: f78f2b34 – (.exr 0xfffffffff78f2b34)
ExceptionAddress: 80547ba3 (nt!VfGetPDO+0x0000000a)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 4d8b0860
Attempt to read from address 4d8b0860

CONTEXT: f78f2830 – (.cxr 0xfffffffff78f2830)
eax=a76caab0 ebx=00000000 ecx=4d8b0848 edx=8592cf10 esi=8592cf10 edi=a833bb84
eip=80547ba3 esp=f78f2bfc ebp=f78f2bfc iopl=0 nv up ei pl nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010206
nt!VfGetPDO+0xa:
80547ba3 8b4918 mov ecx,dword ptr [ecx+18h] ds:0023:4d8b0860=???
Resetting default scope

DEFAULT_BUCKET_ID: DRIVER_FAULT

BUGCHECK_STR: 0x7E

LAST_CONTROL_TRANSFER: from 80678893 to 80547ba3

STACK_TEXT:
f78f2bfc 80678893 8592cf10 8592cf10 f78f2c18 nt!VfGetPDO+0xa f78f2c0c 80674481 8592cf10 f78f2c28 8052082b nt!VfHalDeleteDevice+0xf
f78f2c18 8052082b 8592cf10 a833bb84 f78f2c3c nt!IovDeleteDevice+0x16
f78f2c28 a76ca7c7 8592cf10 00320030 a76cade0 nt!IoDeleteDevice+0x18 f78f2c3c a76c951b b9cf4850 80000000 b9d49b88 FsFilter!FilterDeleteControlObject+0x37 [d:\job\antivir\fsfilter\fsfilter\controlobject.c @ 91]
f78f2d60 805f18f8 85958d98 a833bb84 8056a5fc FsFilter!FsFilterUnload+0x3b [d:\job\antivir\fsfilter\fsfilter\main.c @ 126] f78f2d7c 804e23b5 a833bb84 00000000 8a0c73c8 nt!IopLoadUnloadDriver+0x19 f78f2dac 80575723 a833bb84 00000000 00000000 nt!ExpWorkerThread+0xef f78f2ddc 804ec6d9 804e22f1 00000001 00000000 nt!PspSystemThreadStartup+0x34
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16

FOLLOWUP_IP:
FsFilter!FilterDeleteControlObject+37 [d:\job\antivir\fsfilter\fsfilter\controlobject.c @ 91]
a76ca7c7 8be5 mov esp,ebp

FAULTING_SOURCE_CODE:
87: // ControlDeviceObject= NULL;
88: //DbgPrint(“Delete IoCreateDevice \n”);
89: }
90:
> 91: }
92:
93:
94: NTSTATUS ControlObjectDispatchIo(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp)
95: {
96: PIO_STACK_LOCATION irpStack;

SYMBOL_STACK_INDEX: 4

SYMBOL_NAME: FsFilter!FilterDeleteControlObject+37

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: FsFilter

IMAGE_NAME: FsFilter.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 4cfe9b0e

STACK_COMMAND: .cxr 0xfffffffff78f2830 ; kb

FAILURE_BUCKET_ID: 0x7E_VRF_FsFilter!FilterDeleteControlObject+37

BUCKET_ID: 0x7E_VRF_FsFilter!FilterDeleteControlObject+37

Followup: MachineOwner

*****************

it shows FAULTING_SOURCE_CODE on any source line after IoDeleteDevice(ControlDeviceObject); in

VOID FilterDeleteControlObject()
{
UNICODE_STRING symbolicLinkName;

if(ControlDeviceObject)
{
RtlInitUnicodeString(&symbolicLinkName, SYMBOLIC_NAME_STRING);

IoDeleteSymbolicLink(&symbolicLinkName);
IoDeleteDevice(ControlDeviceObject);
//ControlDeviceObject->DeviceExtension = NULL;
// ControlDeviceObject= NULL;
//DbgPrint(“Delete IoCreateDevice \n”);
}

}

I commented lines spet by step to check this.
This makes me crazy, because if I just comment call IoCsqInitializeEx all works fine.


NTFSD is sponsored by OSR

For our schedule of debugging and file system seminars (including our new fs mini-filter seminar) visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

7

"Doron Holan:
The annotations do not effect compilation or runtime. Did you run prefast for drivers after you added them? Fix your symbols, what is your .sympath? "

1.No, I dont run any prefast and I removed annotations to clear code because of same arror anyway.
2.My sympath is like here:
srv*f:\symbols\websymbols*http://msdl.microsoft.com/download/symbols;z:\mydriver,
but with path to my driver output (PDBs, SYS, etc).

  1. Essantial is only !analyze -v output that I’ve posted. As I understand IoDeleteDevice throws an error, if look on my code (some VfGetPDO after my IoDeleteDevice). This is deleting of my Control Device, where CSQ was defined, and it is in device extension of my Control Device. (Code is in my first post). I know that I should release all resources in device extension before IoDeleteDevice, but I cant find out how could I relese CSQ. If I remove call to IoCqsInitializeEx problem is gone, but this is not a solution.
    May be problem is that I just initialize CSQ but dont do any further wirk with it? But I suppose in this case I should not get any error, because I dont do any work that coould cause the fault.
8

  1. What do you mean you ‘removed’ the annotations?

  2. Did you fix your symbols?

mm
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of
xxxxx@gmail.com
Sent: Wednesday, December 08, 2010 2:20 AM
To: Windows File Systems Devs Interest List
Subject: RE:[ntfsd] CSQ problem when unload driver

"Doron Holan:
The annotations do not effect compilation or runtime. Did you run prefast
for drivers after you added them? Fix your symbols, what is your .sympath? "

1.No, I dont run any prefast and I removed annotations to clear code because
of same arror anyway.
2.My sympath is like here:
srv*f:\symbols\websymbols*http://msdl.microsoft.com/download/symbols;z:\mydr
iver,
but with path to my driver output (PDBs, SYS, etc).

  1. Essantial is only !analyze -v output that I’ve posted. As I understand
    IoDeleteDevice throws an error, if look on my code (some VfGetPDO after my
    IoDeleteDevice). This is deleting of my Control Device, where CSQ was
    defined, and it is in device extension of my Control Device. (Code is in my
    first post). I know that I should release all resources in device extension
    before IoDeleteDevice, but I cant find out how could I relese CSQ. If I
    remove call to IoCqsInitializeEx problem is gone, but this is not a
    solution.
    May be problem is that I just initialize CSQ but dont do any further wirk
    with it? But I suppose in this case I should not get any error, because I
    dont do any work that coould cause the fault.

NTFSD is sponsored by OSR

For our schedule of debugging and file system seminars
(including our new fs mini-filter seminar) visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

9

mm:

  1. What do you mean you ‘removed’ the annotations?
    I have removed
    __drv_raisesIRQL(DISPATCH_LEVEL)
    __drv_maxIRQL(DISPATCH_LEVEL)
    __drv_requiresIRQL(DISPATCH_LEVEL)
    and __prefast(suppress…
    from
    VOID CsampAcquireLock(… …
    and
    VOID CsampReleaseLock(…
    because this has not influence on current error

  2. Did you fix your symbols?
    No.
    I dont know how could I fix it if websymbols doesn’t work.
    but it seems symbols I have is enough for me. Or I am wrong?
    What are that symbols nt!_MM_DRIVER_VERIFIER_DATA and nt!_KPRCB?
    Is it critical to have it?

10

Oh, you mean you removed them from your own code? If so, my bad. I thought
you might be modifying system header files.

If you’re using the msft symbol server and your symbols really don’t match,
then no, there’s nothing that you can do.

That being said, the msft symbol will usually contain correct symbols for at
least nt & hal. Are you sure that you’re not doing something wrong here.

If you don’t mind, please try this and post the output:

.sympath
.symopt+ 0x80000000
.reload -f -n
lml
lme

mm

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of
xxxxx@gmail.com
Sent: Wednesday, December 08, 2010 5:00 AM
To: Windows File Systems Devs Interest List
Subject: RE:[ntfsd] CSQ problem when unload driver

mm:

  1. What do you mean you ‘removed’ the annotations?
    I have removed
    __drv_raisesIRQL(DISPATCH_LEVEL)
    __drv_maxIRQL(DISPATCH_LEVEL)
    __drv_requiresIRQL(DISPATCH_LEVEL)
    and __prefast(suppress…
    from
    VOID CsampAcquireLock(… …
    and
    VOID CsampReleaseLock(…
    because this has not influence on current error

  2. Did you fix your symbols?
    No.
    I dont know how could I fix it if websymbols doesn’t work.
    but it seems symbols I have is enough for me. Or I am wrong?
    What are that symbols nt!_MM_DRIVER_VERIFIER_DATA and nt!_KPRCB?
    Is it critical to have it?

NTFSD is sponsored by OSR

For our schedule of debugging and file system seminars
(including our new fs mini-filter seminar) visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

11

MM:
If you don’t mind, please try this and post the output:
.sympath
.symopt+ 0x80000000
.reload -f -n
lml
lme

OK, here it is, but without full .reload -f -n because it is very big ;(

2: kd> .sympath
Symbol search path is: D:\Job\Antivir\FsFilter\FSFilter\objchk_wxp_x86\i386;srv*d:\symbols\websymbols*http://msdl.microsoft.com/download/symbols
Expanded Symbol search path is: d:\job\antivir\fsfilter\fsfilter\objchk_wxp_x86\i386;srv*d:\symbols\websymbols*http://msdl.microsoft.com/download/symbols
2: kd> .symopt+ 0x80000000
Symbol options are 0x80030237:
0x00000001 - SYMOPT_CASE_INSENSITIVE
0x00000002 - SYMOPT_UNDNAME
0x00000004 - SYMOPT_DEFERRED_LOADS
0x00000010 - SYMOPT_LOAD_LINES
0x00000020 - SYMOPT_OMAP_FIND_NEAREST
0x00000200 - SYMOPT_FAIL_CRITICAL_ERRORS
0x00010000 - SYMOPT_AUTO_PUBLICS
0x00020000 - SYMOPT_NO_IMAGE_SEARCH
0x80000000 - SYMOPT_DEBUG
2: kd> .reload -f -n
DBGHELP: d:\job\antivir\fsfilter\fsfilter\objchk_wxp_x86\i386\ntkrnlmp.pdb - file not found
DBGHELP: d:\job\antivir\fsfilter\fsfilter\objchk_wxp_x86\i386\exe\ntkrnlmp.pdb - file not found
DBGHELP: d:\job\antivir\fsfilter\fsfilter\objchk_wxp_x86\i386\symbols\exe\ntkrnlmp.pdb - file not found
DBGHELP: nt - public symbols
d:\symbols\websymbols\ntkrnlmp.pdb\79D38DEF79B7454A9D615042001794322\ntkrnlmp.pdb
Loading Kernel Symbols
.
DBGHELP: d:\job\antivir\fsfilter\fsfilter\objchk_wxp_x86\i386\halmacpi.pdb - file not found
DBGHELP: d:\job\antivir\fsfilter\fsfilter\objchk_wxp_x86\i386\dll\halmacpi.pdb - file not found
DBGHELP: d:\job\antivir\fsfilter\fsfilter\objchk_wxp_x86\i386\symbols\dll\halmacpi.pdb - file not found
SYMSRV: The server name or address could not be resolved
SYMSRV: The server name or address could not be resolved
SYMSRV: d:\symbols\websymbols\halmacpi.pdb\9875FD697ECA4BBB8A475825F6BF885E1\halmacpi.pdb not found
SYMSRV: http://msdl.microsoft.com/download/symbols/halmacpi.pdb/9875FD697ECA4BBB8A475825F6BF885E1/halmacpi.pdb not found
DBGHELP: halmacpi.pdb - file not found
*** ERROR: Symbol file could not be found. Defaulted to export symbols for halmacpi.dll -
DBGHELP: hal - export symbols
.
.
.
.
.
DBGHELP: d:\job\antivir\fsfilter\fsfilter\objchk_wxp_x86\i386\http.pdb - file not found
DBGHELP: d:\job\antivir\fsfilter\fsfilter\objchk_wxp_x86\i386\sys\http.pdb - file not found
DBGHELP: d:\job\antivir\fsfilter\fsfilter\objchk_wxp_x86\i386\symbols\sys\http.pdb - file not found
SYMSRV: The server name or address could not be resolved
SYMSRV: d:\symbols\websymbols\http.pdb\7EEE6CC4EB01437595E173C6B8C2C2971\http.pdb not found
SYMSRV: http://msdl.microsoft.com/download/symbols/http.pdb/7EEE6CC4EB01437595E173C6B8C2C2971/http.pdb not found
DBGHELP: http.pdb - file not found
*** ERROR: Module load completed but symbols could not be loaded for HTTP.sys
DBGHELP: HTTP - no symbols loaded
.
DBGHELP: FsFilter - private symbols & lines
d:\job\antivir\fsfilter\fsfilter\objchk_wxp_x86\i386\FsFilter.pdb

Loading unloaded module list

2: kd> lml
start end module name
804d7000 80700000 nt (pdb symbols) d:\symbols\websymbols\ntkrnlmp.pdb\79D38DEF79B7454A9D615042001794322\ntkrnlmp.pdb
80700000 80720d00 hal (export symbols) halmacpi.dll
a73dd000 a741de00 HTTP (no symbols)
a7596000 a7599a60 ASNDIS5 (no symbols)
a7e5a000 a7eab880 srv (no symbols)
a7f7c000 a7f7e600 FsFilter (private pdb symbols) d:\job\antivir\fsfilter\fsfilter\objchk_wxp_x86\i386\FsFilter.pdb
a7fea000 a7ffe480 wdmaud (no symbols)
a8027000 a8053180 mrxdav (no symbols)
a82d4000 a82f4a00 exFat (no symbols)
a8319000 a831c900 ndisuio (no symbols)
a837d000 a838bd80 sysaudio (no symbols)
a845d000 a8474900 dump_atapi (no symbols)
a8515000 a8595d80 btaudio (no symbols)
a85e6000 a8793a80 snp2uvc (no symbols)
a87bc000 a882b500 mrxsmb (no symbols)
a882c000 a8856e80 rdbss (export symbols) rdbss.sys
a88f7000 a8918d00 afd (no symbols)
a8919000 a8940c00 netbt (no symbols)
a8941000 a8999480 tcpip (export symbols) tcpip.sys
a89c2000 a89d4600 ipsec (no symbols)
a89d5000 a8ef5000 kl1 (no symbols)
a8f15000 a8f66000 klif (no symbols)
a8fbf000 a8fc1900 Dxapi (export symbols) Dxapi.sys
a8fd7000 a8fd9f80 mouhid (no symbols)
a8fdb000 a8fdd880 hidusb (no symbols)
a8ffb000 a902f800 IntcDAud (no symbols)
a9030000 a9053a80 portcls (export symbols) portcls.sys
a9054000 a9211000 CHDAU32 (no symbols)
a9352000 a9354280 rasacd (no symbols)
a9356000 a9358400 Fs_Rec (no symbols)
b9770000 b97cdf00 update (no symbols)
b97ce000 b97fde80 rdpdr (no symbols)
b9805000 b9805d00 dxgthk (export symbols) dxgthk.sys
b9858000 b9867580 rspndr (no symbols)
b9878000 b9884980 btwhid (no symbols)
b98c8000 b98d1000 HIDCLASS (export symbols) HIDCLASS.SYS
b98d8000 b98e1e80 btwusb (no symbols)
b98e8000 b98f4100 STREAM (export symbols) STREAM.SYS
b98f8000 b9908e00 psched (export symbols) psched.sys
b9909000 b991f580 ndiswan (no symbols)
b9920000 b995f000 srs_PremiumSound_i386 (no symbols)
b995f000 b9a4fb00 btkrnl (no symbols)
b9a69000 b9aa1000 arc0x5xp (no symbols)
b9aa1000 b9abfb00 Impcd (no symbols)
b9ac0000 b9ae2700 ks (export symbols) ks.sys
b9ae3000 b9afe000 ETD (no symbols)
b9afe000 b9b1d000 jmcr (no symbols)
b9b1d000 b9b45000 HDAudBus (no symbols)
b9b45000 b9b68200 USBPORT (export symbols) USBPORT.SYS
b9b69000 b9b7cf00 VIDEOPRT (export symbols) VIDEOPRT.SYS
b9b7d000 b9d4fdc0 igxpmp32 (no symbols)
ba0f2000 ba0fdd00 raspptp (no symbols)
ba102000 ba10c200 raspppoe (no symbols)
ba112000 ba11e880 rasl2tp (no symbols)
ba122000 ba12c000 klim5 (no symbols)
ba132000 ba13bf00 intelppm (no symbols)
ba142000 ba150400 redbook (no symbols)
ba152000 ba161600 cdrom (no symbols)
ba162000 ba16c480 imapi (no symbols)
ba172000 ba17b000 klmouflt (no symbols)
ba182000 ba18ef80 i8042prt (no symbols)
ba358000 ba35bc80 mssmbios (no symbols)
ba370000 ba372780 ndistapi (export symbols) ndistapi.sys
ba378000 ba37b680 CmBatt (no symbols)
ba3cc000 ba3e5b80 Mup (no symbols)
ba3e6000 ba412980 NDIS (export symbols) NDIS.sys
ba413000 ba49f600 Ntfs (no symbols)
ba4a0000 ba4b6b00 KSecDD (export symbols) KSecDD.sys
ba4b7000 ba4c8f00 sr (no symbols)
ba4c9000 ba4e8b00 fltMgr (export symbols) fltMgr.sys
ba4e9000 ba500900 atapi (no symbols)
ba501000 ba526800 dmio (no symbols)
ba527000 ba545a00 ftdisk (no symbols)
ba546000 ba554400 JME (no symbols)
ba556000 ba565900 Cdfs (no symbols)
ba596000 ba5a0e00 Fips (no symbols)
ba5a6000 ba5ae780 netbios (no symbols)
ba5e6000 ba5f6b80 pci (no symbols)
ba5f7000 ba624f80 ACPI (no symbols)
ba625000 ba63c880 SCSIPORT (export symbols) SCSIPORT.SYS
ba63d000 ba730000 sptd (no symbols)
ba730000 ba76b500 DSFOleaut32 (export symbols) DSFOleaut32.sys
ba76c000 ba7ded00 dsfksvcs (export symbols) dsfksvcs.sys
bf000000 bf011600 dxg T (no symbols)
bf012000 bf024000 igxprd32 T (no symbols)
bf024000 bf05a000 igxpgd32 T (no symbols)
bf05a000 bf36d7a0 igxpdv32 T (no symbols)
bf36e000 bf71d000 igxpdx32 T (no symbols)
bf800000 bf9c6100 win32k T (no symbols)
bffa0000 bffe5c00 ATMFD T (no symbols)
f75f7000 f7600280 isapnp (no symbols)
f7607000 f7611580 MountMgr (no symbols)
f7617000 f7623b00 VolSnap (no symbols)
f7627000 f762fe00 disk (no symbols)
f7637000 f7643180 CLASSPNP (export symbols) CLASSPNP.SYS
f7647000 f7654000 klbg (no symbols)
f7657000 f765f900 msgpc (no symbols)
f7667000 f7670f00 termdd (export symbols) termdd.sys
f7687000 f7690e80 NDProxy (no symbols)
f7697000 f76a5880 usbhub (no symbols)
f76a7000 f76b5b00 drmk (export symbols) drmk.sys
f76d7000 f76df700 wanarp (no symbols)
f7707000 f770d180 PCIIDEX (export symbols) PCIIDEX.SYS
f770f000 f7713d00 PartMgr (no symbols)
f7717000 f771c580 dsfroot (no symbols)
f7737000 f773e700 btport (no symbols)
f778f000 f7796600 usbehci (no symbols)
f7797000 f779cb00 mouclass (no symbols)
f779f000 f77a7000 kbfiltr (no symbols)
f77a7000 f77ad100 kbdclass (no symbols)
f77c7000 f77cc200 vga (no symbols)
f77cf000 f77d3a80 Msfs (no symbols)
f77d7000 f77de880 Npfs (no symbols)
f77df000 f77e5f80 sncduvc (export symbols) sncduvc.SYS
f77e7000 f77ed180 HIDPARSE (export symbols) HIDPARSE.SYS
f77ef000 f77f3500 watchdog (export symbols) watchdog.sys
f780f000 f7813a80 TDI (export symbols) TDI.SYS
f7817000 f781b580 ptilink (export symbols) ptilink.sys
f781f000 f7823080 raspti (no symbols)
f7897000 f789a000 BOOTVID (export symbols) BOOTVID.dll
f789b000 f789d800 compbatt (no symbols)
f789f000 f78a2780 BATTC (export symbols) BATTC.SYS
f78a3000 f78a5e00 ACPIEC (no symbols)
f7987000 f7988b80 kdcom (export symbols) kdcom.dll
f7989000 f798a100 WMILIB (export symbols) WMILIB.SYS
f798b000 f798c700 dmload (no symbols)
f79ab000 f79ac680 ATKACPI (no symbols)
f79ad000 f79ae100 swenum (no symbols)
f79af000 f79b0280 USBD (export symbols) USBD.SYS
f79b7000 f79b8080 Beep (no symbols)
f79b9000 f79ba080 mnmdd (no symbols)
f79bb000 f79bc080 RDPCDD (no symbols)
f79bf000 f79c0100 dump_WMILIB (export symbols) dump_WMILIB.SYS
f79df000 f79e0c00 ASMMAP (no symbols)
f7a4f000 f7a4fd00 PCIIde (no symbols)
f7a50000 f7a50d80 OPRGHDLR (export symbols) OPRGHDLR.SYS
f7a62000 f7a62b80 Null (no symbols)
f7ac2000 f7ac2c00 audstub (no symbols)
2: kd> lme
start end module name
80700000 80720d00 hal (export symbols) halmacpi.dll
a73dd000 a741de00 HTTP (no symbols)
a7596000 a7599a60 ASNDIS5 (no symbols)
a7e5a000 a7eab880 srv (no symbols)
a7fea000 a7ffe480 wdmaud (no symbols)
a8027000 a8053180 mrxdav (no symbols)
a82d4000 a82f4a00 exFat (no symbols)
a8319000 a831c900 ndisuio (no symbols)
a837d000 a838bd80 sysaudio (no symbols)
a845d000 a8474900 dump_atapi (no symbols)
a8515000 a8595d80 btaudio (no symbols)
a85e6000 a8793a80 snp2uvc (no symbols)
a87bc000 a882b500 mrxsmb (no symbols)
a882c000 a8856e80 rdbss (export symbols) rdbss.sys
a88f7000 a8918d00 afd (no symbols)
a8919000 a8940c00 netbt (no symbols)
a8941000 a8999480 tcpip (export symbols) tcpip.sys
a89c2000 a89d4600 ipsec (no symbols)
a89d5000 a8ef5000 kl1 (no symbols)
a8f15000 a8f66000 klif (no symbols)
a8fbf000 a8fc1900 Dxapi (export symbols) Dxapi.sys
a8fd7000 a8fd9f80 mouhid (no symbols)
a8fdb000 a8fdd880 hidusb (no symbols)
a8ffb000 a902f800 IntcDAud (no symbols)
a9030000 a9053a80 portcls (export symbols) portcls.sys
a9054000 a9211000 CHDAU32 (no symbols)
a9352000 a9354280 rasacd (no symbols)
a9356000 a9358400 Fs_Rec (no symbols)
b9770000 b97cdf00 update (no symbols)
b97ce000 b97fde80 rdpdr (no symbols)
b9805000 b9805d00 dxgthk (export symbols) dxgthk.sys
b9858000 b9867580 rspndr (no symbols)
b9878000 b9884980 btwhid (no symbols)
b98c8000 b98d1000 HIDCLASS (export symbols) HIDCLASS.SYS
b98d8000 b98e1e80 btwusb (no symbols)
b98e8000 b98f4100 STREAM (export symbols) STREAM.SYS
b98f8000 b9908e00 psched (export symbols) psched.sys
b9909000 b991f580 ndiswan (no symbols)
b9920000 b995f000 srs_PremiumSound_i386 (no symbols)
b995f000 b9a4fb00 btkrnl (no symbols)
b9a69000 b9aa1000 arc0x5xp (no symbols)
b9aa1000 b9abfb00 Impcd (no symbols)
b9ac0000 b9ae2700 ks (export symbols) ks.sys
b9ae3000 b9afe000 ETD (no symbols)
b9afe000 b9b1d000 jmcr (no symbols)
b9b1d000 b9b45000 HDAudBus (no symbols)
b9b45000 b9b68200 USBPORT (export symbols) USBPORT.SYS
b9b69000 b9b7cf00 VIDEOPRT (export symbols) VIDEOPRT.SYS
b9b7d000 b9d4fdc0 igxpmp32 (no symbols)
ba0f2000 ba0fdd00 raspptp (no symbols)
ba102000 ba10c200 raspppoe (no symbols)
ba112000 ba11e880 rasl2tp (no symbols)
ba122000 ba12c000 klim5 (no symbols)
ba132000 ba13bf00 intelppm (no symbols)
ba142000 ba150400 redbook (no symbols)
ba152000 ba161600 cdrom (no symbols)
ba162000 ba16c480 imapi (no symbols)
ba172000 ba17b000 klmouflt (no symbols)
ba182000 ba18ef80 i8042prt (no symbols)
ba358000 ba35bc80 mssmbios (no symbols)
ba370000 ba372780 ndistapi (export symbols) ndistapi.sys
ba378000 ba37b680 CmBatt (no symbols)
ba3cc000 ba3e5b80 Mup (no symbols)
ba3e6000 ba412980 NDIS (export symbols) NDIS.sys
ba413000 ba49f600 Ntfs (no symbols)
ba4a0000 ba4b6b00 KSecDD (export symbols) KSecDD.sys
ba4b7000 ba4c8f00 sr (no symbols)
ba4c9000 ba4e8b00 fltMgr (export symbols) fltMgr.sys
ba4e9000 ba500900 atapi (no symbols)
ba501000 ba526800 dmio (no symbols)
ba527000 ba545a00 ftdisk (no symbols)
ba546000 ba554400 JME (no symbols)
ba556000 ba565900 Cdfs (no symbols)
ba596000 ba5a0e00 Fips (no symbols)
ba5a6000 ba5ae780 netbios (no symbols)
ba5e6000 ba5f6b80 pci (no symbols)
ba5f7000 ba624f80 ACPI (no symbols)
ba625000 ba63c880 SCSIPORT (export symbols) SCSIPORT.SYS
ba63d000 ba730000 sptd (no symbols)
ba730000 ba76b500 DSFOleaut32 (export symbols) DSFOleaut32.sys
ba76c000 ba7ded00 dsfksvcs (export symbols) dsfksvcs.sys
bf000000 bf011600 dxg T (no symbols)
bf012000 bf024000 igxprd32 T (no symbols)
bf024000 bf05a000 igxpgd32 T (no symbols)
bf05a000 bf36d7a0 igxpdv32 T (no symbols)
bf36e000 bf71d000 igxpdx32 T (no symbols)
bf800000 bf9c6100 win32k T (no symbols)
bffa0000 bffe5c00 ATMFD T (no symbols)
f75f7000 f7600280 isapnp (no symbols)
f7607000 f7611580 MountMgr (no symbols)
f7617000 f7623b00 VolSnap (no symbols)
f7627000 f762fe00 disk (no symbols)
f7637000 f7643180 CLASSPNP (export symbols) CLASSPNP.SYS
f7647000 f7654000 klbg (no symbols)
f7657000 f765f900 msgpc (no symbols)
f7667000 f7670f00 termdd (export symbols) termdd.sys
f7687000 f7690e80 NDProxy (no symbols)
f7697000 f76a5880 usbhub (no symbols)
f76a7000 f76b5b00 drmk (export symbols) drmk.sys
f76d7000 f76df700 wanarp (no symbols)
f7707000 f770d180 PCIIDEX (export symbols) PCIIDEX.SYS
f770f000 f7713d00 PartMgr (no symbols)
f7717000 f771c580 dsfroot (no symbols)
f7737000 f773e700 btport (no symbols)
f778f000 f7796600 usbehci (no symbols)
f7797000 f779cb00 mouclass (no symbols)
f779f000 f77a7000 kbfiltr (no symbols)
f77a7000 f77ad100 kbdclass (no symbols)
f77c7000 f77cc200 vga (no symbols)
f77cf000 f77d3a80 Msfs (no symbols)
f77d7000 f77de880 Npfs (no symbols)
f77df000 f77e5f80 sncduvc (export symbols) sncduvc.SYS
f77e7000 f77ed180 HIDPARSE (export symbols) HIDPARSE.SYS
f77ef000 f77f3500 watchdog (export symbols) watchdog.sys
f780f000 f7813a80 TDI (export symbols) TDI.SYS
f7817000 f781b580 ptilink (export symbols) ptilink.sys
f781f000 f7823080 raspti (no symbols)
f7897000 f789a000 BOOTVID (export symbols) BOOTVID.dll
f789b000 f789d800 compbatt (no symbols)
f789f000 f78a2780 BATTC (export symbols) BATTC.SYS
f78a3000 f78a5e00 ACPIEC (no symbols)
f7987000 f7988b80 kdcom (export symbols) kdcom.dll
f7989000 f798a100 WMILIB (export symbols) WMILIB.SYS
f798b000 f798c700 dmload (no symbols)
f79ab000 f79ac680 ATKACPI (no symbols)
f79ad000 f79ae100 swenum (no symbols)
f79af000 f79b0280 USBD (export symbols) USBD.SYS
f79b7000 f79b8080 Beep (no symbols)
f79b9000 f79ba080 mnmdd (no symbols)
f79bb000 f79bc080 RDPCDD (no symbols)
f79bf000 f79c0100 dump_WMILIB (export symbols) dump_WMILIB.SYS
f79df000 f79e0c00 ASMMAP (no symbols)
f7a4f000 f7a4fd00 PCIIde (no symbols)
f7a50000 f7a50d80 OPRGHDLR (export symbols) OPRGHDLR.SYS
f7a62000 f7a62b80 Null (no symbols)
f7ac2000 f7ac2c00 audstub (no symbols)
DBGHELP: Symbol Search Path: d:\job\antivir\fsfilter\fsfilter\objchk_wxp_x86\i386;srv*d:\symbols\websymbols*http://msdl.microsoft.com/download/symbols
DBGHELP: Symbol Search Path: d:\job\antivir\fsfilter\fsfilter\objchk_wxp_x86\i386;srv*d:\symbols\websymbols*http://msdl.microsoft.com/download/symbols

12

What version of the os is your target:

vertarget

mm

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of
xxxxx@gmail.com
Sent: Wednesday, December 08, 2010 5:30 AM
To: Windows File Systems Devs Interest List
Subject: RE:[ntfsd] CSQ problem when unload driver

MM:
If you don’t mind, please try this and post the output:
.sympath
.symopt+ 0x80000000
.reload -f -n
lml
lme

OK, here it is, but without full .reload -f -n because it is very big ;(

2: kd> .sympath
Symbol search path is:
D:\Job\Antivir\FsFilter\FSFilter\objchk_wxp_x86\i386;srv*d:\symbols\websymbo
ls*http://msdl.microsoft.com/download/symbols
Expanded Symbol search path is:
d:\job\antivir\fsfilter\fsfilter\objchk_wxp_x86\i386;srv*d:\symbols\websymbo
ls*http://msdl.microsoft.com/download/symbols
2: kd> .symopt+ 0x80000000
Symbol options are 0x80030237:
0x00000001 - SYMOPT_CASE_INSENSITIVE
0x00000002 - SYMOPT_UNDNAME
0x00000004 - SYMOPT_DEFERRED_LOADS
0x00000010 - SYMOPT_LOAD_LINES
0x00000020 - SYMOPT_OMAP_FIND_NEAREST
0x00000200 - SYMOPT_FAIL_CRITICAL_ERRORS
0x00010000 - SYMOPT_AUTO_PUBLICS
0x00020000 - SYMOPT_NO_IMAGE_SEARCH
0x80000000 - SYMOPT_DEBUG
2: kd> .reload -f -n
DBGHELP: d:\job\antivir\fsfilter\fsfilter\objchk_wxp_x86\i386\ntkrnlmp.pdb -
file not found
DBGHELP:
d:\job\antivir\fsfilter\fsfilter\objchk_wxp_x86\i386\exe\ntkrnlmp.pdb - file
not found
DBGHELP:
d:\job\antivir\fsfilter\fsfilter\objchk_wxp_x86\i386\symbols\exe\ntkrnlmp.pd
b - file not found
DBGHELP: nt - public symbols

d:\symbols\websymbols\ntkrnlmp.pdb\79D38DEF79B7454A9D615042001794322\ntkrnlm
p.pdb
Loading Kernel Symbols
.
DBGHELP: d:\job\antivir\fsfilter\fsfilter\objchk_wxp_x86\i386\halmacpi.pdb -
file not found
DBGHELP:
d:\job\antivir\fsfilter\fsfilter\objchk_wxp_x86\i386\dll\halmacpi.pdb - file
not found
DBGHELP:
d:\job\antivir\fsfilter\fsfilter\objchk_wxp_x86\i386\symbols\dll\halmacpi.pd
b - file not found
SYMSRV: The server name or address could not be resolved
SYMSRV: The server name or address could not be resolved
SYMSRV:
d:\symbols\websymbols\halmacpi.pdb\9875FD697ECA4BBB8A475825F6BF885E1\halmacp
i.pdb not found
SYMSRV:
http://msdl.microsoft.com/download/symbols/halmacpi.pdb/9875FD697ECA4BBB8A47
5825F6BF885E1/halmacpi.pdb not found
DBGHELP: halmacpi.pdb - file not found
*** ERROR: Symbol file could not be found. Defaulted to export symbols for
halmacpi.dll -
DBGHELP: hal - export symbols
.
.
.
.
.
DBGHELP: d:\job\antivir\fsfilter\fsfilter\objchk_wxp_x86\i386\http.pdb -
file not found
DBGHELP: d:\job\antivir\fsfilter\fsfilter\objchk_wxp_x86\i386\sys\http.pdb -
file not found
DBGHELP:
d:\job\antivir\fsfilter\fsfilter\objchk_wxp_x86\i386\symbols\sys\http.pdb -
file not found
SYMSRV: The server name or address could not be resolved
SYMSRV:
d:\symbols\websymbols\http.pdb\7EEE6CC4EB01437595E173C6B8C2C2971\http.pdb
not found
SYMSRV:
http://msdl.microsoft.com/download/symbols/http.pdb/7EEE6CC4EB01437595E173C6
B8C2C2971/http.pdb not found
DBGHELP: http.pdb - file not found
*** ERROR: Module load completed but symbols could not be loaded for
HTTP.sys
DBGHELP: HTTP - no symbols loaded
.
DBGHELP: FsFilter - private symbols & lines
d:\job\antivir\fsfilter\fsfilter\objchk_wxp_x86\i386\FsFilter.pdb

Loading unloaded module list

2: kd> lml
start end module name
804d7000 80700000 nt (pdb symbols)
d:\symbols\websymbols\ntkrnlmp.pdb\79D38DEF79B7454A9D615042001794322\ntkrnlm
p.pdb
80700000 80720d00 hal (export symbols) halmacpi.dll
a73dd000 a741de00 HTTP (no symbols)
a7596000 a7599a60 ASNDIS5 (no symbols)
a7e5a000 a7eab880 srv (no symbols)
a7f7c000 a7f7e600 FsFilter (private pdb symbols)
d:\job\antivir\fsfilter\fsfilter\objchk_wxp_x86\i386\FsFilter.pdb
a7fea000 a7ffe480 wdmaud (no symbols)
a8027000 a8053180 mrxdav (no symbols)
a82d4000 a82f4a00 exFat (no symbols)
a8319000 a831c900 ndisuio (no symbols)
a837d000 a838bd80 sysaudio (no symbols)
a845d000 a8474900 dump_atapi (no symbols)
a8515000 a8595d80 btaudio (no symbols)
a85e6000 a8793a80 snp2uvc (no symbols)
a87bc000 a882b500 mrxsmb (no symbols)
a882c000 a8856e80 rdbss (export symbols) rdbss.sys
a88f7000 a8918d00 afd (no symbols)
a8919000 a8940c00 netbt (no symbols)
a8941000 a8999480 tcpip (export symbols) tcpip.sys
a89c2000 a89d4600 ipsec (no symbols)
a89d5000 a8ef5000 kl1 (no symbols)
a8f15000 a8f66000 klif (no symbols)
a8fbf000 a8fc1900 Dxapi (export symbols) Dxapi.sys
a8fd7000 a8fd9f80 mouhid (no symbols)
a8fdb000 a8fdd880 hidusb (no symbols)
a8ffb000 a902f800 IntcDAud (no symbols)
a9030000 a9053a80 portcls (export symbols) portcls.sys
a9054000 a9211000 CHDAU32 (no symbols)
a9352000 a9354280 rasacd (no symbols)
a9356000 a9358400 Fs_Rec (no symbols)
b9770000 b97cdf00 update (no symbols)
b97ce000 b97fde80 rdpdr (no symbols)
b9805000 b9805d00 dxgthk (export symbols) dxgthk.sys
b9858000 b9867580 rspndr (no symbols)
b9878000 b9884980 btwhid (no symbols)
b98c8000 b98d1000 HIDCLASS (export symbols) HIDCLASS.SYS
b98d8000 b98e1e80 btwusb (no symbols)
b98e8000 b98f4100 STREAM (export symbols) STREAM.SYS
b98f8000 b9908e00 psched (export symbols) psched.sys
b9909000 b991f580 ndiswan (no symbols)
b9920000 b995f000 srs_PremiumSound_i386 (no symbols)
b995f000 b9a4fb00 btkrnl (no symbols)
b9a69000 b9aa1000 arc0x5xp (no symbols)
b9aa1000 b9abfb00 Impcd (no symbols)
b9ac0000 b9ae2700 ks (export symbols) ks.sys
b9ae3000 b9afe000 ETD (no symbols)
b9afe000 b9b1d000 jmcr (no symbols)
b9b1d000 b9b45000 HDAudBus (no symbols)
b9b45000 b9b68200 USBPORT (export symbols) USBPORT.SYS
b9b69000 b9b7cf00 VIDEOPRT (export symbols) VIDEOPRT.SYS
b9b7d000 b9d4fdc0 igxpmp32 (no symbols)
ba0f2000 ba0fdd00 raspptp (no symbols)
ba102000 ba10c200 raspppoe (no symbols)
ba112000 ba11e880 rasl2tp (no symbols)
ba122000 ba12c000 klim5 (no symbols)
ba132000 ba13bf00 intelppm (no symbols)
ba142000 ba150400 redbook (no symbols)
ba152000 ba161600 cdrom (no symbols)
ba162000 ba16c480 imapi (no symbols)
ba172000 ba17b000 klmouflt (no symbols)
ba182000 ba18ef80 i8042prt (no symbols)
ba358000 ba35bc80 mssmbios (no symbols)
ba370000 ba372780 ndistapi (export symbols) ndistapi.sys
ba378000 ba37b680 CmBatt (no symbols)
ba3cc000 ba3e5b80 Mup (no symbols)
ba3e6000 ba412980 NDIS (export symbols) NDIS.sys
ba413000 ba49f600 Ntfs (no symbols)
ba4a0000 ba4b6b00 KSecDD (export symbols) KSecDD.sys
ba4b7000 ba4c8f00 sr (no symbols)
ba4c9000 ba4e8b00 fltMgr (export symbols) fltMgr.sys
ba4e9000 ba500900 atapi (no symbols)
ba501000 ba526800 dmio (no symbols)
ba527000 ba545a00 ftdisk (no symbols)
ba546000 ba554400 JME (no symbols)
ba556000 ba565900 Cdfs (no symbols)
ba596000 ba5a0e00 Fips (no symbols)
ba5a6000 ba5ae780 netbios (no symbols)
ba5e6000 ba5f6b80 pci (no symbols)
ba5f7000 ba624f80 ACPI (no symbols)
ba625000 ba63c880 SCSIPORT (export symbols) SCSIPORT.SYS
ba63d000 ba730000 sptd (no symbols)
ba730000 ba76b500 DSFOleaut32 (export symbols) DSFOleaut32.sys
ba76c000 ba7ded00 dsfksvcs (export symbols) dsfksvcs.sys
bf000000 bf011600 dxg T (no symbols)
bf012000 bf024000 igxprd32 T (no symbols)
bf024000 bf05a000 igxpgd32 T (no symbols)
bf05a000 bf36d7a0 igxpdv32 T (no symbols)
bf36e000 bf71d000 igxpdx32 T (no symbols)
bf800000 bf9c6100 win32k T (no symbols)
bffa0000 bffe5c00 ATMFD T (no symbols)
f75f7000 f7600280 isapnp (no symbols)
f7607000 f7611580 MountMgr (no symbols)
f7617000 f7623b00 VolSnap (no symbols)
f7627000 f762fe00 disk (no symbols)
f7637000 f7643180 CLASSPNP (export symbols) CLASSPNP.SYS
f7647000 f7654000 klbg (no symbols)
f7657000 f765f900 msgpc (no symbols)
f7667000 f7670f00 termdd (export symbols) termdd.sys
f7687000 f7690e80 NDProxy (no symbols)
f7697000 f76a5880 usbhub (no symbols)
f76a7000 f76b5b00 drmk (export symbols) drmk.sys
f76d7000 f76df700 wanarp (no symbols)
f7707000 f770d180 PCIIDEX (export symbols) PCIIDEX.SYS
f770f000 f7713d00 PartMgr (no symbols)
f7717000 f771c580 dsfroot (no symbols)
f7737000 f773e700 btport (no symbols)
f778f000 f7796600 usbehci (no symbols)
f7797000 f779cb00 mouclass (no symbols)
f779f000 f77a7000 kbfiltr (no symbols)
f77a7000 f77ad100 kbdclass (no symbols)
f77c7000 f77cc200 vga (no symbols)
f77cf000 f77d3a80 Msfs (no symbols)
f77d7000 f77de880 Npfs (no symbols)
f77df000 f77e5f80 sncduvc (export symbols) sncduvc.SYS
f77e7000 f77ed180 HIDPARSE (export symbols) HIDPARSE.SYS
f77ef000 f77f3500 watchdog (export symbols) watchdog.sys
f780f000 f7813a80 TDI (export symbols) TDI.SYS
f7817000 f781b580 ptilink (export symbols) ptilink.sys
f781f000 f7823080 raspti (no symbols)
f7897000 f789a000 BOOTVID (export symbols) BOOTVID.dll
f789b000 f789d800 compbatt (no symbols)
f789f000 f78a2780 BATTC (export symbols) BATTC.SYS
f78a3000 f78a5e00 ACPIEC (no symbols)
f7987000 f7988b80 kdcom (export symbols) kdcom.dll
f7989000 f798a100 WMILIB (export symbols) WMILIB.SYS
f798b000 f798c700 dmload (no symbols)
f79ab000 f79ac680 ATKACPI (no symbols)
f79ad000 f79ae100 swenum (no symbols)
f79af000 f79b0280 USBD (export symbols) USBD.SYS
f79b7000 f79b8080 Beep (no symbols)
f79b9000 f79ba080 mnmdd (no symbols)
f79bb000 f79bc080 RDPCDD (no symbols)
f79bf000 f79c0100 dump_WMILIB (export symbols) dump_WMILIB.SYS
f79df000 f79e0c00 ASMMAP (no symbols)
f7a4f000 f7a4fd00 PCIIde (no symbols)
f7a50000 f7a50d80 OPRGHDLR (export symbols) OPRGHDLR.SYS
f7a62000 f7a62b80 Null (no symbols)
f7ac2000 f7ac2c00 audstub (no symbols)
2: kd> lme
start end module name
80700000 80720d00 hal (export symbols) halmacpi.dll
a73dd000 a741de00 HTTP (no symbols)
a7596000 a7599a60 ASNDIS5 (no symbols)
a7e5a000 a7eab880 srv (no symbols)
a7fea000 a7ffe480 wdmaud (no symbols)
a8027000 a8053180 mrxdav (no symbols)
a82d4000 a82f4a00 exFat (no symbols)
a8319000 a831c900 ndisuio (no symbols)
a837d000 a838bd80 sysaudio (no symbols)
a845d000 a8474900 dump_atapi (no symbols)
a8515000 a8595d80 btaudio (no symbols)
a85e6000 a8793a80 snp2uvc (no symbols)
a87bc000 a882b500 mrxsmb (no symbols)
a882c000 a8856e80 rdbss (export symbols) rdbss.sys
a88f7000 a8918d00 afd (no symbols)
a8919000 a8940c00 netbt (no symbols)
a8941000 a8999480 tcpip (export symbols) tcpip.sys
a89c2000 a89d4600 ipsec (no symbols)
a89d5000 a8ef5000 kl1 (no symbols)
a8f15000 a8f66000 klif (no symbols)
a8fbf000 a8fc1900 Dxapi (export symbols) Dxapi.sys
a8fd7000 a8fd9f80 mouhid (no symbols)
a8fdb000 a8fdd880 hidusb (no symbols)
a8ffb000 a902f800 IntcDAud (no symbols)
a9030000 a9053a80 portcls (export symbols) portcls.sys
a9054000 a9211000 CHDAU32 (no symbols)
a9352000 a9354280 rasacd (no symbols)
a9356000 a9358400 Fs_Rec (no symbols)
b9770000 b97cdf00 update (no symbols)
b97ce000 b97fde80 rdpdr (no symbols)
b9805000 b9805d00 dxgthk (export symbols) dxgthk.sys
b9858000 b9867580 rspndr (no symbols)
b9878000 b9884980 btwhid (no symbols)
b98c8000 b98d1000 HIDCLASS (export symbols) HIDCLASS.SYS
b98d8000 b98e1e80 btwusb (no symbols)
b98e8000 b98f4100 STREAM (export symbols) STREAM.SYS
b98f8000 b9908e00 psched (export symbols) psched.sys
b9909000 b991f580 ndiswan (no symbols)
b9920000 b995f000 srs_PremiumSound_i386 (no symbols)
b995f000 b9a4fb00 btkrnl (no symbols)
b9a69000 b9aa1000 arc0x5xp (no symbols)
b9aa1000 b9abfb00 Impcd (no symbols)
b9ac0000 b9ae2700 ks (export symbols) ks.sys
b9ae3000 b9afe000 ETD (no symbols)
b9afe000 b9b1d000 jmcr (no symbols)
b9b1d000 b9b45000 HDAudBus (no symbols)
b9b45000 b9b68200 USBPORT (export symbols) USBPORT.SYS
b9b69000 b9b7cf00 VIDEOPRT (export symbols) VIDEOPRT.SYS
b9b7d000 b9d4fdc0 igxpmp32 (no symbols)
ba0f2000 ba0fdd00 raspptp (no symbols)
ba102000 ba10c200 raspppoe (no symbols)
ba112000 ba11e880 rasl2tp (no symbols)
ba122000 ba12c000 klim5 (no symbols)
ba132000 ba13bf00 intelppm (no symbols)
ba142000 ba150400 redbook (no symbols)
ba152000 ba161600 cdrom (no symbols)
ba162000 ba16c480 imapi (no symbols)
ba172000 ba17b000 klmouflt (no symbols)
ba182000 ba18ef80 i8042prt (no symbols)
ba358000 ba35bc80 mssmbios (no symbols)
ba370000 ba372780 ndistapi (export symbols) ndistapi.sys
ba378000 ba37b680 CmBatt (no symbols)
ba3cc000 ba3e5b80 Mup (no symbols)
ba3e6000 ba412980 NDIS (export symbols) NDIS.sys
ba413000 ba49f600 Ntfs (no symbols)
ba4a0000 ba4b6b00 KSecDD (export symbols) KSecDD.sys
ba4b7000 ba4c8f00 sr (no symbols)
ba4c9000 ba4e8b00 fltMgr (export symbols) fltMgr.sys
ba4e9000 ba500900 atapi (no symbols)
ba501000 ba526800 dmio (no symbols)
ba527000 ba545a00 ftdisk (no symbols)
ba546000 ba554400 JME (no symbols)
ba556000 ba565900 Cdfs (no symbols)
ba596000 ba5a0e00 Fips (no symbols)
ba5a6000 ba5ae780 netbios (no symbols)
ba5e6000 ba5f6b80 pci (no symbols)
ba5f7000 ba624f80 ACPI (no symbols)
ba625000 ba63c880 SCSIPORT (export symbols) SCSIPORT.SYS
ba63d000 ba730000 sptd (no symbols)
ba730000 ba76b500 DSFOleaut32 (export symbols) DSFOleaut32.sys
ba76c000 ba7ded00 dsfksvcs (export symbols) dsfksvcs.sys
bf000000 bf011600 dxg T (no symbols)
bf012000 bf024000 igxprd32 T (no symbols)
bf024000 bf05a000 igxpgd32 T (no symbols)
bf05a000 bf36d7a0 igxpdv32 T (no symbols)
bf36e000 bf71d000 igxpdx32 T (no symbols)
bf800000 bf9c6100 win32k T (no symbols)
bffa0000 bffe5c00 ATMFD T (no symbols)
f75f7000 f7600280 isapnp (no symbols)
f7607000 f7611580 MountMgr (no symbols)
f7617000 f7623b00 VolSnap (no symbols)
f7627000 f762fe00 disk (no symbols)
f7637000 f7643180 CLASSPNP (export symbols) CLASSPNP.SYS
f7647000 f7654000 klbg (no symbols)
f7657000 f765f900 msgpc (no symbols)
f7667000 f7670f00 termdd (export symbols) termdd.sys
f7687000 f7690e80 NDProxy (no symbols)
f7697000 f76a5880 usbhub (no symbols)
f76a7000 f76b5b00 drmk (export symbols) drmk.sys
f76d7000 f76df700 wanarp (no symbols)
f7707000 f770d180 PCIIDEX (export symbols) PCIIDEX.SYS
f770f000 f7713d00 PartMgr (no symbols)
f7717000 f771c580 dsfroot (no symbols)
f7737000 f773e700 btport (no symbols)
f778f000 f7796600 usbehci (no symbols)
f7797000 f779cb00 mouclass (no symbols)
f779f000 f77a7000 kbfiltr (no symbols)
f77a7000 f77ad100 kbdclass (no symbols)
f77c7000 f77cc200 vga (no symbols)
f77cf000 f77d3a80 Msfs (no symbols)
f77d7000 f77de880 Npfs (no symbols)
f77df000 f77e5f80 sncduvc (export symbols) sncduvc.SYS
f77e7000 f77ed180 HIDPARSE (export symbols) HIDPARSE.SYS
f77ef000 f77f3500 watchdog (export symbols) watchdog.sys
f780f000 f7813a80 TDI (export symbols) TDI.SYS
f7817000 f781b580 ptilink (export symbols) ptilink.sys
f781f000 f7823080 raspti (no symbols)
f7897000 f789a000 BOOTVID (export symbols) BOOTVID.dll
f789b000 f789d800 compbatt (no symbols)
f789f000 f78a2780 BATTC (export symbols) BATTC.SYS
f78a3000 f78a5e00 ACPIEC (no symbols)
f7987000 f7988b80 kdcom (export symbols) kdcom.dll
f7989000 f798a100 WMILIB (export symbols) WMILIB.SYS
f798b000 f798c700 dmload (no symbols)
f79ab000 f79ac680 ATKACPI (no symbols)
f79ad000 f79ae100 swenum (no symbols)
f79af000 f79b0280 USBD (export symbols) USBD.SYS
f79b7000 f79b8080 Beep (no symbols)
f79b9000 f79ba080 mnmdd (no symbols)
f79bb000 f79bc080 RDPCDD (no symbols)
f79bf000 f79c0100 dump_WMILIB (export symbols) dump_WMILIB.SYS
f79df000 f79e0c00 ASMMAP (no symbols)
f7a4f000 f7a4fd00 PCIIde (no symbols)
f7a50000 f7a50d80 OPRGHDLR (export symbols) OPRGHDLR.SYS
f7a62000 f7a62b80 Null (no symbols)
f7ac2000 f7ac2c00 audstub (no symbols)
DBGHELP: Symbol Search Path:
d:\job\antivir\fsfilter\fsfilter\objchk_wxp_x86\i386;srv*d:\symbols\websymbo
ls*http://msdl.microsoft.com/download/symbols
DBGHELP: Symbol Search Path:
d:\job\antivir\fsfilter\fsfilter\objchk_wxp_x86\i386;srv*d:\symbols\websymbo
ls*http://msdl.microsoft.com/download/symbols

NTFSD is sponsored by OSR

For our schedule of debugging and file system seminars
(including our new fs mini-filter seminar) visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

13

MM:
"What version of the os is your target:
vertarget "

2: kd> vertarget
Windows XP Kernel Version 2600 (Service Pack 3) MP (4 procs) Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 2600.xpsp_sp3_qfe.090804-1456
Machine Name:
Kernel base = 0x804d7000 PsLoadedModuleList = 0x805634c0
Debug session time: Wed Dec 8 08:57:52.500 2010 (UTC + 2:00)
System Uptime: 0 days 0:31:12.015

14

I have no idea of why you can’t match symbols for that.

mm

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of
xxxxx@gmail.com
Sent: Wednesday, December 08, 2010 5:40 AM
To: Windows File Systems Devs Interest List
Subject: RE:[ntfsd] CSQ problem when unload driver

MM:
"What version of the os is your target:
vertarget "

2: kd> vertarget
Windows XP Kernel Version 2600 (Service Pack 3) MP (4 procs) Free x86
compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 2600.xpsp_sp3_qfe.090804-1456
Machine Name:
Kernel base = 0x804d7000 PsLoadedModuleList = 0x805634c0
Debug session time: Wed Dec 8 08:57:52.500 2010 (UTC + 2:00)
System Uptime: 0 days 0:31:12.015

NTFSD is sponsored by OSR

For our schedule of debugging and file system seminars
(including our new fs mini-filter seminar) visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

15

1.If I can’t match all symbols, mainly for some drivers of my system, could this be critical to !analyze -v output that I have posted? It seems there is needed info about fault in my driver :frowning:

  1. So, does CSQ need some DEinitialization before IoDeleteDevice. Even if there was no any insert in the queue, just its initialization. I was sure that no 0_o
16

Yes, lack of symbols will make debugging very difficult in general and will
also break lots of extensions.

mm

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of
xxxxx@gmail.com
Sent: Wednesday, December 08, 2010 6:00 AM
To: Windows File Systems Devs Interest List
Subject: RE:[ntfsd] CSQ problem when unload driver

1.If I can’t match all symbols, mainly for some drivers of my system, could
this be critical to !analyze -v output that I have posted? It seems there is
needed info about fault in my driver :frowning:

  1. So, does CSQ need some DEinitialization before IoDeleteDevice. Even if
    there was no any insert in the queue, just its initialization. I was sure
    that no 0_o

NTFSD is sponsored by OSR

For our schedule of debugging and file system seminars
(including our new fs mini-filter seminar) visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

17

Perhaps I missed it, but what do you h ave symsrv set too"

Gary G. Little

----- Original Message -----
From: xxxxx@gmail.com
To: “Windows File Systems Devs Interest List”
Sent: Wednesday, December 8, 2010 5:00:11 AM
Subject: RE:[ntfsd] CSQ problem when unload driver

1.If I can’t match all symbols, mainly for some drivers of my system, could this be critical to !analyze -v output that I have posted? It seems there is needed info about fault in my driver :frowning:

2. So, does CSQ need some DEinitialization before IoDeleteDevice. Even if there was no any insert in the queue, just its initialization. I was sure that no 0_o


NTFSD is sponsored by OSR

For our schedule of debugging and file system seminars
(including our new fs mini-filter seminar) visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

18

Is it possible that you only do “ControlDeviceObject->DeviceExtension = NULL;” when you set up the CSQ ? What happens if you remove that line from FilterDeleteControlObject?

IoDeleteDevice(ControlDeviceObject);

//ControlDeviceObject->DeviceExtension = NULL;

ControlDeviceObject= NULL;

Thanks,

Alex.

From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of Gary G. Little
Sent: Wednesday, December 08, 2010 5:42 AM
To: Windows File Systems Devs Interest List
Subject: Re: [ntfsd] CSQ problem when unload driver

Perhaps I missed it, but what do you h ave symsrv set too"

Gary G. Little

----- Original Message -----
From: xxxxx@gmail.com
To: “Windows File Systems Devs Interest List”
Sent: Wednesday, December 8, 2010 5:00:11 AM
Subject: RE:[ntfsd] CSQ problem when unload driver

1.If I can’t match all symbols, mainly for some drivers of my system, could this be critical to !analyze -v output that I have posted? It seems there is needed info about fault in my driver :frowning:

2. So, does CSQ need some DEinitialization before IoDeleteDevice. Even if there was no any insert in the queue, just its initialization. I was sure that no 0_o


NTFSD is sponsored by OSR

For our schedule of debugging and file system seminars
(including our new fs mini-filter seminar) visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer


NTFSD is sponsored by OSR

For our schedule of debugging and file system seminars
(including our new fs mini-filter seminar) visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

19

Gary G. Little:
“Perhaps I missed it, but what do you h ave symsrv set too”

I got advice from here: http://www.osronline.com/article.cfm?article=221
symsrv is srv*d:\symbols\websymbo ls*http://msdl.microsoft.com/download/symbols

20

Alex Carp:
"Is it possible that you only do =E2??ControlDeviceObject->DeviceExtension = NULL;??? when you set up the CSQ ? What happens if you remove that line from FilterDeleteControlObject? ??? IoDeleteDevice(ControlDeviceObject); //ControlDeviceObject->DeviceExtension = NULL; ControlDeviceObject= NULL; ??? "

I’m not sure I have understand your question :frowning:
Any source line after call to IoDeleteDevice has not a sence, because problem is in this function.
It causes access violation somewhere internally (if to beleive WinDbg), if CSQ was initialized.
I have tried to set ControlDeviceObject->DeviceExtension = NULL; before IoDeleteDevice, but unsuccessfully.