ERROR_GEN_FAILURE while starting a minifilter.

Hi everybody, I’m experiencing a weird scenario with my minifilter. The driver works 100% on every machine, and so does the client application which installs and then starts it.
On a single client PC (which I do not have access to, but I can retrieve my app logs), the StartService call always fails, setting the last error to ERROR_GEN_FAILURE, and I am not able to replicate this error; even with a badly signed driver the error I get is a different one.
Does anyone have an idea of what might cause this behaviour?

The computer runs Windows 7 (no SP) 64-bit, with an Intel(R) Core™2 CPU 6400 @ 2.13GHz and 2GB of RAM.

From the Windows event log I can see something weird is happening on the client PC (I don’t know if this is related to my error):

Source : Application Error
EntryType : Error
Message : Name of the application: svchost.exe, version: 6.1.7600.16385, timestamp: 0x4a5bc100

Module which generated the error: ntdll.dll, version: 6.1.7600.16385, timestamp: 0x4a5bdb3b

Exception code: 0xc0000374
Error offset 0x000cdcbb

Not sure if this is your case, but check if other tools
can load their drivers (Procmon, Procexp, FileSpy, …).
I’ve seen malware preventing loading any drivers that
are not in the database at boot time.

Worth a try.

L.

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@gmail.com
Sent: Friday, April 4, 2014 12:25 PM
To: Windows File Systems Devs Interest List
Subject: [ntfsd] ERROR_GEN_FAILURE while starting a minifilter.

NTFSD is sponsored by OSR

OSR is hiring!! Info at http://www.osr.com/careers

For our schedule of debugging and file system seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

I am afraid I do not have access to that PC and I can’t replicate this behaviour on my test machines. How could I install/start/configure my minifilter driver to avoid this kind of blocking?

On 04/04/2014 13:05:39, Ladislav Zezula wrote:
> Not sure if this is your case, but check if other tools
> can load their drivers (Procmon, Procexp, FileSpy, …).
> I’ve seen malware preventing loading any drivers that
> are not in the database at boot time.
>
> Worth a try.
>
> L.

Heap corruption.

Do you have any user-mode code? Check it for corruption.

If not so - probably this is malware.

BTW: the FIRST step in troubleshooting this (as lots of other IT stuff) is to Google for 0xc0000374


Maxim S. Shatskih
Microsoft MVP on File System And Storage
xxxxx@storagecraft.com
http://www.storagecraft.com

The 0xc0000374 error is from svchost.exe; I have a user-mode process of course, but it’s not a service or related to svchost in any way.

On 04/04/2014 14:09:05, Maxim S. Shatskih wrote:
> Heap corruption.
>
> Do you have any user-mode code? Check it for corruption.
>
> If not so - probably this is malware.
>
> BTW: the FIRST step in troubleshooting this (as lots of other IT stuff) is to Google for 0xc0000374
>
> Maxim S. Shatskih
> Microsoft MVP on File System And Storage
> xxxxx@storagecraft.com
> http://www.storagecraft.com
