Driver fails to unload because of RDP smart card device

Hi,

I have a minifilter file system driver which by default attaches to all system volumes. In the normal scenario everything works without any issue, but intermittently I have observed that my filter driver is not getting unloaded. After dump analysis I observed there is still one file open in the driver's “ActiveOpen” section.

kd> !fltkd.filter ffffe00003717560 8 1

FLT_FILTER: ffffe00003717560 “vfsmfd” “263410”
InstanceList : (ffffe000037175b8)
Resource (ffffe00003717620) List [ffffe00003718070-ffffe00003718870] rCount=3
FLT_INSTANCE: ffffe00003718010 “VEAI” “263400”
FLT_OBJECT: ffffe00003718010 [01000001] Instance DRAINING
RundownRef : 0x0000000000000004 (2)
PointerCount : 0x00000003
PrimaryLink : [ffffe00001fa3100-ffffe00001fa4020]
OperationRundownRef : ffffe000033e4160
Could not read field “Number” of fltmgr!_EX_RUNDOWN_REF_CACHE_AWARE from address: ffffe000033e4160
Flags : [00000002] Deleting
Volume : ffffe00001fa35b0 “\Device\Mup”
Filter : ffffe00003717560 “vfsmfd”
TrackCompletionNodes : ffffe000037172a0
ContextLock : (ffffe00003718080)
Context : 0000000000000000
CallbackNodes : (ffffe000037180a0)
VolumeLink : [ffffe00001fa3100-ffffe00001fa4020]
FilterLink : [ffffe00003718c70-ffffe00003717620]

FLT_INSTANCE: ffffe00003718c10 “VEAI” “263400”
FLT_OBJECT: ffffe00003718c10 [01000000] Instance
RundownRef : 0x0000000000000000 (0)
PointerCount : 0x00000001
PrimaryLink : [ffffe00002e69020-ffffe0000215cc70]
OperationRundownRef : ffffe0000338e820
Could not read field “Number” of fltmgr!_EX_RUNDOWN_REF_CACHE_AWARE from address: ffffe0000338e820
Flags : [00000000]
Volume : ffffe0000201c7f0 “\Device\HarddiskVolume2”
Filter : ffffe00003717560 “vfsmfd”
TrackCompletionNodes : ffffe00003716760
ContextLock : (ffffe00003718c80)
Context : 0000000000000000
CallbackNodes : (ffffe00003718ca0)
VolumeLink : [ffffe00002e69020-ffffe0000215cc70]
FilterLink : [ffffe00003718870-ffffe00003718070]

FLT_INSTANCE: ffffe00003718810 “VEAI” “263400”
FLT_OBJECT: ffffe00003718810 [01000000] Instance
RundownRef : 0x0000000000000000 (0)
PointerCount : 0x00000001
PrimaryLink : [ffffe000022c3660-ffffe000022c4020]
OperationRundownRef : ffffe0000328d130
Could not read field “Number” of fltmgr!_EX_RUNDOWN_REF_CACHE_AWARE from address: ffffe0000328d130
Flags : [00000000]
Volume : ffffe0000229a010 “\Device\HarddiskVolume1”
Filter : ffffe00003717560 “vfsmfd”
TrackCompletionNodes : ffffe000037162f0
ContextLock : (ffffe00003718880)
Context : 0000000000000000
CallbackNodes : (ffffe000037188a0)
VolumeLink : [ffffe000022c3660-ffffe000022c4020]
FilterLink : [ffffe00003717620-ffffe00003718c70]

Object usage/reference information:
References to FLT_CONTEXT : 0
Allocations of FLT_CALLBACK_DATA : 0
Allocations of FLT_DEFERRED_IO_WORKITEM : 0
Allocations of FLT_GENERIC_WORKITEM : 0
References to FLT_FILE_NAME_INFORMATION : 0
Open files : 1
References to FLT_OBJECT : 0
List of objects used/referenced::
FLT_VERIFIER_OBJECT: ffffe0000371c820
Object: ffffe0000110b630 Type: FILE_OBJECT RefCount: 00000001

After finding the FileObject, when I tried to look into it, I observed it showing the following output:

kd> !fileobj ffffe0000110b630

\TSCLIENT\SCARD\2

Device Object: 0xffffe00001fa0660 \FileSystem\Mup
Vpb is NULL
Event signalled
Access: Read SharedRead SharedWrite SharedDelete

Flags: 0x40020
Sequential Only
Handle Created

FsContext: 0xffffc0000286bb00 FsContext2: 0xffffc0000286bea0
CurrentByteOffset: 0
Cache Data:
Section Object Pointers: ffffe000011abeb8
Shared Cache Map: 00000000

File object extension is at ffffcf800114afb0:

Flags: 00000001
Ignore share access checks.

In my PreCreateCallback() I am ignoring all requests for DirectoryFile, VolumeOpen, NamedPipe, MailSlot. But I am not sure what “\TSCLIENT\SCARD\2” is and which file type it is. From the name it looks like it is something specific to Remote Desktop’s Smart option, but I don’t think it contains any meaningful data for me, so I want to ignore it.

Can anyone suggest how I can ignore it? This thing is not getting closed, and because of this I am not able to unload my driver.

I have encountered these problems when a GINA library is attempting to
access a smart card for authentication. What I would suggest is to add a
name filter in your driver to break on access to that particular name
and then make a determination as to how you can avoid these accesses.

Though I would not agree that your either filtering or creating a context
for these would prevent your filter from unloading. This would be caused
by some other reference preventing it or by you indicating not to unload
due to some outstanding resource.

Pete

On 12/16/2013 4:13 AM, xxxxx@gmail.com wrote:



Kernel Drivers
Windows File System and Device Driver Consulting
www.KernelDrivers.com
866.263.9295
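
The name filter suggested in the reply above, written as portable C so the matching logic can be exercised outside the kernel (an added example, not code from the thread or from the poster's driver). It compares a counted UTF-16 name against `\TSCLIENT\SCARD` component by component; the `wname_t` type and the function names are hypothetical, and accepting a leading `\Device\Mup` volume prefix is an assumption about how the name may be presented.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Counted UTF-16 name, shaped like a kernel UNICODE_STRING (no NUL terminator).
   Hypothetical type so the matching logic can run in user mode. */
typedef struct { const uint16_t *buf; size_t len; /* characters */ } wname_t;

static uint16_t up(uint16_t c) { return (c >= 'a' && c <= 'z') ? (uint16_t)(c - 32) : c; }

/* Consume a leading "\COMP" (comp is upper-case ASCII) if it matches
   case-insensitively and ends at '\' or end of name, so "\SCARDX" is not "\SCARD". */
static int eat_component(wname_t *n, const char *comp)
{
    size_t i = 0;
    if (n->len == 0 || n->buf[0] != '\\') return 0;
    for (; comp[i] != '\0'; i++)
        if (i + 1 >= n->len || up(n->buf[i + 1]) != (uint16_t)comp[i]) return 0;
    if (i + 1 < n->len && n->buf[i + 1] != '\\') return 0;
    n->buf += i + 1;
    n->len -= i + 1;
    return 1;
}

/* 1 if the name addresses the RDP smart card redirector seen in the dump. */
int is_rdp_scard_name(wname_t n)
{
    wname_t t = n;
    if (eat_component(&t, "DEVICE") && eat_component(&t, "MUP"))
        n = t; /* assumption: name may carry the \Device\Mup volume prefix */
    return eat_component(&n, "TSCLIENT") && eat_component(&n, "SCARD");
}

/* Test helper: widen an ASCII sample to UTF-16 and classify it. */
int is_rdp_scard_ascii(const char *s)
{
    uint16_t w[260];
    size_t i = 0;
    for (; s[i] != '\0' && i < 260; i++) w[i] = (uint8_t)s[i];
    wname_t n = { w, i };
    return is_rdp_scard_name(n);
}

int main(void)
{
    /* Constructed sample names; only the first appears in the thread. */
    const char *samples[] = { "\\TSCLIENT\\SCARD\\2", "\\Device\\Mup\\tsclient\\scard\\2",
                              "\\TSCLIENT\\SCARDX\\2", "\\TSCLIENT\\C\\file.txt" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-32s -> %d\n", samples[i], is_rdp_scard_ascii(samples[i]));
    return 0;
}
```

In a minifilter the same comparison would run in the pre-create callback against the name of the create, with a trace or breakpoint on a match.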

Thanks a lot, Peter, for looking into this.
Even I was expecting that filtering or adding a context to this pseudo file should not hold my driver from unloading. Actually I have enabled Driver Verifier with default options, and I am assuming that if there is any leak happening in the driver then it should have been caught by the verifier while I am unloading the driver. But the verifier is not complaining about any kind of leak, and that is what is making this problem very difficult for me to solve. Since the reproducibility of this issue is also not consistent, I am not sure how I can solve this problem. I tried to find it in the code as well, but unfortunately I didn’t see any place where we are leaking any reference.

In the meantime I will try to look again at all other places in the code. If you have any other suggestions, please let me know.

Thanks,
Bishnu