FILE_OPEN_REPARSE_POINT and NTFS_FILE_SYSTEM Bugcheck

So long time listener, first time caller. I’ve been reading these forums for the past few years and they have greatly helped me as I develop kernel mode components. But now I am stuck and I can’t seem to find a solution. I am writing a minifilter driver that among other things, has to rename a file (not as a REPARSE). I do this in pre-create. Now, before anyone says you can’t do stuff in pre-create because the FileObject is not valid, I know. I use FltCreateFileEx to open the file (which also checks if the file exists), and if it does I issue a FltSetInformationFile command to change the name. Then if all goes smoothly, I modify the TargetFileObject and continue on. If the file doesn’t exist, I just modify the TargetFileObject to create the newly modified file. This works fine until I run into pre-create commands that have FILE_OPEN_REPARSE_POINT. When that flag is there, I get NTFS_FILE_SYSTEM (24) BugCheck for the FltSetInformationFile operation. If I just want to query the actual reparse data, via FltFsControlFile, again opening the file first with FltCreateFileEx to get the FILE_OBJECT, it also gives me NTFS_FILE_SYSTEM BugCheck.

Another sort of related issue is calling ObDereferenceObject on the FILE_OBJECT returned from FltCreateFileEx. The documentation says you have to do it, but when I actually make the call, Verifier throws an error. Anyone have any insight on this?

My test environment is a VMware Windows 7 x64 VM with two virtual removable drives mounted, 1 FAT and 1 NTFS. Attached is the abbreviated code as well as the two !analyze dumps. Any help would be appreciated.

-Dave

FLT_PREOP_CALLBACK_STATUS ret = FLT_PREOP_SUCCESS_WITH_CALLBACK;
NTSTATUS status = 0;
PINSTANCE_CONTEXT InsCtx = NULL;
PFLT_FILE_NAME_INFORMATION nameInfo = NULL;
PFILE_RENAME_INFORMATION fri = NULL;
PREPARSE_DATA_BUFFER rpb = NULL;

ULONG fnl = 0;
HANDLE fh;
HANDLE dh;
FILE_OBJECT fo;
FILE_OBJECT dirobj;
OBJECT_ATTRIBUTES attributes;
IO_STATUS_BLOCK iob;
BOOLEAN renameFile = FALSE;
BOOLEAN slOTD = FALSE;
UNICODE_STRING newFileName;

if (FlagOn(Data->Iopb->OperationFlags, SL_OPEN_TARGET_DIRECTORY)) {
ClearFlag(Data->Iopb->OperationFlags, SL_OPEN_TARGET_DIRECTORY);
slOTD = TRUE;
}

status = FltGetFileNameInformation(Data, FLT_FILE_NAME_OPENED | FLT_FILE_NAME_QUERY_FILESYSTEM_ONLY, &nameInfo);
if (!NT_SUCCESS(status)) {
ret = FLT_PREOP_COMPLETE;
goto cleanup;
}

status = FltParseFileNameInformation(nameInfo);
if (!NT_SUCCESS(status)) {
ret = FLT_PREOP_COMPLETE;
goto cleanup;
}

if (nameInfo == NULL) {
ret = FLT_PREOP_COMPLETE;
goto cleanup;
}

if (slOTD)
SetFlag(Data->Iopb->OperationFlags, SL_OPEN_TARGET_DIRECTORY);

if (FlagOn(Data->Iopb->Parameters.Create.Options, FILE_OPEN_REPARSE_POINT)) {
DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_INFO_LEVEL, “\t FILE_OPEN_REPARSE_POINT\n”);
InitializeObjectAttributes(&attributes, &nameInfo->Name, OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, NULL, NULL);
status = FltCreateFileEx(FltObjects->Filter, FltObjects->Instance, &fh, &fo, GENERIC_READ, &attributes, &iob, 0, FILE_ATTRIBUTE_NORMAL, 0, FILE_OPEN, 0, NULL, 0, 0);
if (NT_SUCCESS(status)) {
fnl = MAXIMUM_REPARSE_DATA_BUFFER_SIZE;
rpb = (PREPARSE_DATA_BUFFER)ExAllocatePoolWithTag(NonPagedPool, fnl, TAG_PRE_CREATE);
if (rpb != NULL) {
RtlZeroMemory(rpb, fnl);

/*************BUG CHECK HERE**********/
status = FltFsControlFile(FltObjects->Instance, &fo, FSCTL_GET_REPARSE_POINT, NULL, 0, &rpb, fnl, &sz);
if (NT_SUCCESS(status)) {
DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_INFO_LEVEL, “\t *** Reparse Info ***\n”);
DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_INFO_LEVEL, “\t\t ReparseDataLength = %d\n”, rpb->ReparseDataLength);
DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_INFO_LEVEL, “\t\t Tag = %x\n”, rpb->ReparseTag);
DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_INFO_LEVEL, “\t\t SymbolicLinkReparseBuffer.PathBuffer = ‘%S’\n”, rpb->SymbolicLinkReparseBuffer.PathBuffer);
} else {
DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_INFO_LEVEL, “\t FltFsControlFile = %d\n”, status);
}
ExFreePoolWithTag(rpb, TAG_PRE_CREATE);
}
FltClose(fh);
//ObDereferenceObject(&fo);
} else {
DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_INFO_LEVEL, “\t FltCreateFileEx failed = %d\n”, status);
}
}

/*
Code removed
*/

if (renameFile) {
InitializeObjectAttributes(&attributes, &nameInfo->Name, OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, NULL, NULL);
status = FltCreateFileEx(FltObjects->Filter, FltObjects->Instance, &fh, &fo, DELETE, &attributes, &iob, 0, FILE_ATTRIBUTE_NORMAL, 0, FILE_OPEN, 0, NULL, 0, 0);
if (NT_SUCCESS(status)) {
fnl = sizeof(FILE_RENAME_INFORMATION) + newFileName.Length + sizeof(WCHAR);
fri = (PFILE_RENAME_INFORMATION)FltAllocatePoolAlignedWithTag(FltObjects->Instance, NonPagedPool, fnl, TAG_PRE_CREATE);
if (fri == NULL) {
goto cleanup;
}
RtlZeroMemory(fri, fnl);

fri->ReplaceIfExists = TRUE;
fri->RootDirectory = NULL;
fri->FileNameLength = newFileName.Length;
RtlCopyMemory(fri->FileName, newFileName.Buffer, newFileName.Length);

/*************BUG CHECK HERE**********/
status = FltSetInformationFile(FltObjects->Instance, &fo, fri, fnl, FileRenameInformation);
if (NT_SUCCESS(status)) {
RtlCopyMemory(Data->Iopb->TargetFileObject->FileName.Buffer + ((pos+sizeof(WCHAR))/sizeof(WCHAR)), newFileName.Buffer, newFileName.Length);
FltSetCallbackDataDirty(Data);
DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_INFO_LEVEL, “\t\t\t TargetFileObject = ‘%wZ’\n”, Data->Iopb->TargetFileObject->FileName);
} else {
goto cleanup;
}

FltFreePoolAlignedWithTag(FltObjects->Instance, fri, TAG_PRE_CREATE);
FltClose(fh);
//ObDereferenceObject(&fo);
}
}

*** Fatal System Error: 0x00000024
(0x00000000001904FB,0xFFFFF88002892658,0xFFFFF88002891EB0,0xFFFFF880012B1E9D)

Break instruction exception - code 80000003 (first chance)

A fatal system error has occurred.
Debugger entered on first try; Bugcheck callbacks have not been invoked.

A fatal system error has occurred.

Connected to Windows 7 7600 x64 target at (Tue Jul 9 14:41:47.999 2013 (UTC - 4:00)), ptr64 TRUE
Loading Kernel Symbols



Loading User Symbols



Loading unloaded module list

*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 24, {1904fb, fffff88002892658, fffff88002891eb0, fffff880012b1e9d}

Probably caused by : SFDrv64.sys ( SFDrv64!hdPreCreate+bbf )

Followup: MachineOwner

nt!RtlpBreakWithStatusInstruction:
fffff800`02a85f60 cc int 3
kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

NTFS_FILE_SYSTEM (24)
If you see NtfsExceptionFilter on the stack then the 2nd and 3rd
parameters are the exception record and context record. Do a .cxr
on the 3rd parameter and then kb to obtain a more informative stack
trace.
Arguments:
Arg1: 00000000001904fb
Arg2: fffff88002892658
Arg3: fffff88002891eb0
Arg4: fffff880012b1e9d

Debugging Details:

EXCEPTION_RECORD: fffff88002892658 – (.exr 0xfffff88002892658)
ExceptionAddress: fffff880012b1e9d (Ntfs!NtfsGetReparsePoint+0x0000000000000095)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 0000000000000000
Parameter[1]: ffffffffffffffff
Attempt to read from address ffffffffffffffff

CONTEXT: fffff88002891eb0 – (.cxr 0xfffff88002891eb0)
rax=fffff80002c9a354 rbx=fffff9800c622f68 rcx=001c033400071d54
rdx=fffff9800c622e50 rsi=fffffa80024e6b30 rdi=0000000000000000
rip=fffff880012b1e9d rsp=fffff88002892890 rbp=0000000000000002
r8=0000000000000000 r9=0000000000000000 r10=0000000000000004
r11=fffffa80024e6b30 r12=fffffa8001ea2420 r13=0000000000000001
r14=00071eb300071d80 r15=fffff9800c622e50
iopl=0 nv up ei ng nz na pe nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00010282
Ntfs!NtfsGetReparsePoint+0x95:
fffff880012b1e9d 45846e04 test byte ptr [r14+4],r13b ds:002b:00071eb300071d84=??
Resetting default scope

DEFAULT_BUCKET_ID: WIN7_DRIVER_FAULT

PROCESS_NAME: explorer.exe

CURRENT_IRQL: 2

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

EXCEPTION_PARAMETER1: 0000000000000000

EXCEPTION_PARAMETER2: ffffffffffffffff

READ_ADDRESS: ffffffffffffffff

FOLLOWUP_IP:
SFDrv64!hdPreCreate+bbf [c:\software\vs\SFDrv\x64\SFDrv.c @ 1115]
fffff880`03987fcf 898424c8020000 mov dword ptr [rsp+2C8h],eax

FAULTING_IP:
Ntfs!NtfsGetReparsePoint+95
fffff880`012b1e9d 45846e04 test byte ptr [r14+4],r13b

BUGCHECK_STR: 0x24

LAST_CONTROL_TRANSFER: from fffff880012f751e to fffff880012b1e9d

STACK_TEXT:
fffff88002892890 fffff880012f751e : fffffa80024e6b30 fffff9800c622e50 fffffa8000000000 fffff88002892a78 : Ntfs!NtfsGetReparsePoint+0x95
fffff880028929f0 fffff880012f32ed : fffffa80024e6b30 0000000000000000 0000000000000002 0000000000000000 : Ntfs!NtfsUserFsRequest+0xca
fffff88002892a30 fffff80002f33c16 : fffff9800c622e50 fffff9800c622e50 0000000000000000 fffffa80024e6b30 : Ntfs!NtfsFsdFileSystemControl+0x13d
fffff88002892ad0 fffff8800113623f : fffff9800c622fb0 fffff88002892b80 fffffa80040f8770 fffffa8001e6d650 : nt!IovCallDriver+0x566
fffff88002892b30 fffff8800113894a : 0000000000000000 0000000000000000 0000000000000000 fffffa80040f8770 : fltmgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x24f
fffff88002892bc0 fffff8800116e0a5 : fffffa8001e73bc0 0000000000000023 fffffa8000dad810 fffffa80040f8820 : fltmgr!FltPerformSynchronousIo+0x2ca
fffff88002892c60 fffff8800116eb28 : 0000000000000000 fffff88002892f20 00000000000900a8 fffffa80024d86b0 : fltmgr!IssueControlOperation+0x395
fffff88002892cf0 fffff88001171c28 : 0000000000000000 fffffa8001e81c20 fffff88002892f20 00000000000900a8 : fltmgr!FltFsControlFile+0x48
fffff88002892d50 fffff88003987fcf : 0000000000000016 0000000000000016 fffff8a002139788 0000000000000003 : fltmgr!FltvFsControlFile+0x68
fffff88002892da0 fffff88001173c3e : fffffa8001ef9ce0 fffff88002893558 fffff88002893530 0000000000000100 : SFDrv64!hdPreCreate+0xbbf [c:\software\vs\SFDrv\x64\SFDrv.c @ 1115]
fffff880028933d0 fffff88001135027 : 0000000000000000 fffff80002a2c943 fffffa80017ea398 fffffa8001ef9d80 : fltmgr!FltvPreOperation+0xbe
fffff880028934e0 fffff880011378ca : fffffa8001e92f00 fffffa8001e92f00 fffffa8001e5b800 fffffa8000dad800 : fltmgr!FltpPerformPreCallbacks+0x2f7
fffff880028935e0 fffff880011552a3 : fffff9800c788e50 fffff9800c788e50 fffff9800c788e50 fffffa8001e92f20 : fltmgr!FltpPassThroughInternal+0x4a
fffff88002893610 fffff80002f33c16 : fffff9800c788e50 0000000000000002 0000000000000040 0000000000000000 : fltmgr!FltpCreate+0x293
fffff880028936c0 fffff80002d8e477 : 0000000000000005 fffff80002d8ded0 fffffa8003c97010 fffffa8001e6de70 : nt!IovCallDriver+0x566
fffff88002893720 fffff80002d84764 : fffffa8003f35d30 0000000000000000 fffffa80040f4010 fffff80002abae01 : nt!IopParseDevice+0x5a7
fffff880028938b0 fffff80002d89876 : fffffa80040f4010 fffff88002893a30 0000000000000040 fffffa8000cef750 : nt!ObpLookupObjectName+0x585
fffff880028939b0 fffff80002d90587 : 00000000000007ff 0000000000000001 fffffa8001e93001 0000000000000180 : nt!ObOpenObjectByName+0x306
fffff88002893a80 fffff80002da92a4 : 000000000aeea8e8 fffff8a000020080 fffff8a001954d90 00000000078cf0c0 : nt!IopCreateFile+0x2b7
fffff88002893b20 fffff80002a8d153 : fffffa80029484c0 0000000000000001 fffffa8001ea2420 fffff80002da1094 : nt!NtOpenFile+0x58
fffff88002893bb0 0000000077ba01ea : 000007fefb9d23d8 0000000000000000 000000000ae3f800 0000000000020080 : nt!KiSystemServiceCopyEnd+0x13
00000000078cf088 000007fefb9d23d8 : 0000000000000000 000000000ae3f800 0000000000020080 0000000000000000 : ntdll!NtOpenFile+0xa
00000000078cf090 000007fefb9d26b8 : 000000000aeea8e0 000000000af6b920 00000000078c0000 463356c141e90f3e : ntmarta!I_MartaFileNtOpenFile+0x58
00000000078cf110 000007fefb9d2809 : 000000000aeea8e0 000000000ae3f800 000007fefb9d2610 00000000078cf300 : ntmarta!MartaOpenFileNamedObject+0x140
00000000078cf190 000007fefef3fa34 : 000000000ae3f800 0000000000000001 0000000000000005 00000000078cf300 : ntmarta!AccRewriteGetNamedRights+0xe7
00000000078cf240 000007fef8962d14 : 000000000af154e8 000000000ae3f800 00000000078cf398 00000000078cf848 : ADVAPI32!GetNamedSecurityInfoW+0xa5
00000000078cf2b0 000007fef8963a63 : 000000000af154e8 000000000af154e0 00000000078cf3b0 000007feff7a5027 : ntshrui!CFolderAclEngine::_GetAcl+0x5c
00000000078cf320 000007fef89639b4 : 0000000000000000 00007c21132d9d43 000000000ae3f800 0000000000000000 : ntshrui!CFolderAclEngine::_IsItemPrivate+0x7b
00000000078cf380 000007fef89640bf : 0000000000000000 0000000000000000 000000000aeaaf98 00000000078cf458 : ntshrui!CSmbShareEngine::GetItemSharingStatus+0x2c
00000000078cf3b0 000007fef8963ff6 : 0000000000000000 00000000002013b8 0000000000000002 0000000000000000 : ntshrui!CSharingOverlayPrivate::_GetSharingStatus+0x87
00000000078cf3f0 000007fefdee85e3 : 0000000000231060 0000000000000000 0000000000010000 0000000000000000 : ntshrui!CSharingOverlayPrivate::IsMemberOf+0x6e
00000000078cf440 000007fefe01469c : 0000000080004005 000007fefdee7907 00000000078cf520 0000000000000001 : SHELL32!CFSIconOverlayManager::_GetFileOverlayInfo+0x13e
00000000078cf500 000007fefdee2bcb : fffffffff4fb6420 0000000000000001 0000000000000000 000007feff7a5027 : SHELL32!CFSIconOverlayManager::GetFileOverlayInfo+0x1c
00000000078cf540 000007fefdee2adc : 000000000aeea130 000000000dfb8880 000000000dfb8880 0000000000000000 : SHELL32!CFSFolder::_GetOverlayInfo+0xf1
00000000078cf7e0 000007fefdee22db : 000000000aeea130 000007fefadbce3f 0000000000000001 0000000000000001 : SHELL32!CFSFolder::GetOverlayIndex+0x23
00000000078cf810 000007fefdf09408 : 000000000b0df350 000000000dfb8880 0000000000000000 0000000000000000 : SHELL32!CIconOverlayTask::InternalResumeRT+0x129
00000000078cf890 000007fefe1b7e3c : 8000000001000000 00000000078cf920 000000000b0df350 000000000000000a : SHELL32!CRunnableTask::Run+0xda
00000000078cf8c0 000007fefe07f005 : 000000000b0df350 0000000000000000 000000000b0df350 0000000000000002 : SHELL32!CShellTask::TT_Run+0x124
00000000078cf8f0 000007fefdf2e58a : 000000000b074690 000000000b074690 0000000000000000 0000000000000000 : SHELL32!CShellTaskThread::ThreadProc+0x1d2
00000000078cf990 000007feff7a3a7f : 000007fffff96000 0000000000256a80 00000000001f0b10 0000000000000000 : SHELL32!CShellTaskThread::s_ThreadProc+0x22
00000000078cf9c0 0000000077b6f8eb : 000000000ab8c890 000000000ab8c890 00000000000004ff 000000000000000a : SHLWAPI!ExecuteWorkItemThreadProc+0xf
00000000078cf9f0 0000000077b69d9f : 0000000000000000 000000000b06e8f0 00000000001f0b10 000000000df7a828 : ntdll!RtlpTpWorkCallback+0x16b
00000000078cfad0 0000000077a4f56d : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : ntdll!TppWorkerThread+0x5ff
00000000078cfdd0 0000000077b83281 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : kernel32!BaseThreadInitThunk+0xd
00000000078cfe00 0000000000000000 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : ntdll!RtlUserThreadStart+0x1d

FAULTING_SOURCE_LINE: c:\software\vs\SFDrv\x64\SFDrv.c

FAULTING_SOURCE_FILE: c:\software\vs\SFDrv\x64\SFDrv.c

FAULTING_SOURCE_LINE_NUMBER: 1115

SYMBOL_STACK_INDEX: 9

SYMBOL_NAME: SFDrv64!hdPreCreate+bbf

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: SFDrv64

IMAGE_NAME: SFDrv64.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 51dc5944

STACK_COMMAND: .cxr 0xfffff88002891eb0 ; kb

FAILURE_BUCKET_ID: X64_0x24_VRF_SFDrv64!hdPreCreate+bbf

BUCKET_ID: X64_0x24_VRF_SFDrv64!hdPreCreate+bbf

Followup: MachineOwner

kd> .exr 0xfffff88002892658
ExceptionAddress: fffff880012b1e9d (Ntfs!NtfsGetReparsePoint+0x0000000000000095)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 0000000000000000
Parameter[1]: ffffffffffffffff
Attempt to read from address ffffffffffffffff
kd> .cxr 0xfffff88002891eb0
rax=fffff80002c9a354 rbx=fffff9800c622f68 rcx=001c033400071d54
rdx=fffff9800c622e50 rsi=fffffa80024e6b30 rdi=0000000000000000
rip=fffff880012b1e9d rsp=fffff88002892890 rbp=0000000000000002
r8=0000000000000000 r9=0000000000000000 r10=0000000000000004
r11=fffffa80024e6b30 r12=fffffa8001ea2420 r13=0000000000000001
r14=00071eb300071d80 r15=fffff9800c622e50
iopl=0 nv up ei ng nz na pe nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00010282
Ntfs!NtfsGetReparsePoint+0x95:
fffff880012b1e9d 45846e04 test byte ptr [r14+4],r13b ds:002b:00071eb300071d84=??

*** Fatal System Error: 0x00000024
(0x00000000001904FB,0xFFFFF880056AB468,0xFFFFF880056AACC0,0xFFFFF880012CB88D)

Break instruction exception - code 80000003 (first chance)

A fatal system error has occurred.
Debugger entered on first try; Bugcheck callbacks have not been invoked.

A fatal system error has occurred.

Connected to Windows 7 7600 x64 target at (Tue Jul 9 14:43:52.286 2013 (UTC - 4:00)), ptr64 TRUE
Loading Kernel Symbols



Loading User Symbols



Loading unloaded module list

*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 24, {1904fb, fffff880056ab468, fffff880056aacc0, fffff880012cb88d}

Probably caused by : SFDrv64.sys ( SFDrv64!hdPreCreate+1000 )

Followup: MachineOwner

nt!RtlpBreakWithStatusInstruction:
fffff800`02a85f60 cc int 3
kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

NTFS_FILE_SYSTEM (24)
If you see NtfsExceptionFilter on the stack then the 2nd and 3rd
parameters are the exception record and context record. Do a .cxr
on the 3rd parameter and then kb to obtain a more informative stack
trace.
Arguments:
Arg1: 00000000001904fb
Arg2: fffff880056ab468
Arg3: fffff880056aacc0
Arg4: fffff880012cb88d

Debugging Details:

EXCEPTION_RECORD: fffff880056ab468 – (.exr 0xfffff880056ab468)
ExceptionAddress: fffff880012cb88d (Ntfs!NtfsCommonQueryInformation+0x000000000000009d)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 0000000000000000
Parameter[1]: ffffffffffffffff
Attempt to read from address ffffffffffffffff

CONTEXT: fffff880056aacc0 – (.cxr 0xfffff880056aacc0)
rax=fffff880056abcb8 rbx=fffffa8003f2eb60 rcx=0000000000000028
rdx=001c033400071d54 rsi=fffff880056ab820 rdi=fffff80002c9a354
rip=fffff880012cb88d rsp=fffff880056ab6a0 rbp=0000000000000002
r8=0000000000000000 r9=00071eb300071d80 r10=0000000000000004
r11=fffff880056ab778 r12=0000000000000004 r13=fffff98009e08f68
r14=0000000000000000 r15=fffff880056abf20
iopl=0 nv up ei ng nz na pe nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00010282
Ntfs!NtfsCommonQueryInformation+0x9d:
fffff880012cb88d 418b4104 mov eax,dword ptr [r9+4] ds:002b:00071eb300071d84=???
Resetting default scope

DEFAULT_BUCKET_ID: WIN7_DRIVER_FAULT

PROCESS_NAME: explorer.exe

CURRENT_IRQL: 2

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

EXCEPTION_PARAMETER1: 0000000000000000

EXCEPTION_PARAMETER2: ffffffffffffffff

READ_ADDRESS: ffffffffffffffff

FOLLOWUP_IP:
SFDrv64!hdPreCreate+1000 [c:\software\vs\SFDrv\x64\SFDrv.c @ 1220]
fffff880`03988410 898424c8020000 mov dword ptr [rsp+2C8h],eax

FAULTING_IP:
Ntfs!NtfsCommonQueryInformation+9d
fffff880`012cb88d 418b4104 mov eax,dword ptr [r9+4]

BUGCHECK_STR: 0x24

LAST_CONTROL_TRANSFER: from fffff880012cc906 to fffff880012cb88d

STACK_TEXT:
fffff880056ab6a0 fffff880012cc906 : fffff880056ab820 fffff98009e08e50 0000000000000028 fffff98000000028 : Ntfs!NtfsCommonQueryInformation+0x9d
fffff880056ab780 fffff880012ccea4 : fffff880056ab820 fffff98009e08e50 fffff98009e08e50 fffff8a0000018c0 : Ntfs!NtfsFsdDispatchSwitch+0x106
fffff880056ab800 fffff80002f33c16 : fffff98009e08e50 0000000000000002 0000000000000000 0000000000000000 : Ntfs!NtfsFsdDispatchWait+0x14
fffff880056ab9f0 fffff8800113623f : fffff98009e08fb0 fffff880056abaa0 fffffa8001f36180 fffffa8001e64a60 : nt!IovCallDriver+0x566
fffff880056aba50 fffff8800113894a : 0000000000000000 0000000000000000 0000000000000000 fffffa8001f36180 : fltmgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x24f
fffff880056abae0 fffff8800116e4e2 : fffffa8001e73bc0 000000000000001b fffffa8000dad810 fffffa8001f36230 : fltmgr!FltPerformSynchronousIo+0x2ca
fffff880056abb80 fffff8800116e8c2 : 0000000000000002 fffff880056abf20 fffffa80013b9718 fffff88000000011 : fltmgr!FltQueryInformationFile+0x52
fffff880056abbc0 fffff8800116ec01 : fffffa8001e31010 fffffa8001e310c0 0000000000000048 0000000000000000 : fltmgr!FltpOpenLinkOrRenameTarget+0x62
fffff880056abd00 fffff88001171c98 : 0000000000000048 fffffa80024535c0 fffff880056abf20 fffffa8001f04b50 : fltmgr!FltSetInformationFile+0xc1
fffff880056abd60 fffff88003988410 : 0000000000000016 0000000000000016 fffff9800abe0ffe 0000000000000003 : fltmgr!FltvSetInformationFile+0x48
fffff880056abda0 fffff88001173c3e : fffffa8002457650 fffff880056ac558 fffff880056ac530 0000000000000100 : SFDrv64!hdPreCreate+0x1000 [c:\software\vs\SFDrv\x64\SFDrv.c @ 1220]
fffff880056ac3d0 fffff88001135027 : 0000000000000000 fffff80002a2c943 fffffa80013b8498 fffffa80024576f0 : fltmgr!FltvPreOperation+0xbe
fffff880056ac4e0 fffff880011378ca : fffffa80043c8a00 fffffa80043c8a00 fffffa8001e5b800 fffffa8000dad800 : fltmgr!FltpPerformPreCallbacks+0x2f7
fffff880056ac5e0 fffff880011552a3 : fffff9800aa28e50 fffff9800aa28e50 fffff9800aa28e50 fffffa80043c8a20 : fltmgr!FltpPassThroughInternal+0x4a
fffff880056ac610 fffff80002f33c16 : fffff9800aa28e50 0000000000000002 0000000000000040 0000000000000000 : fltmgr!FltpCreate+0x293
fffff880056ac6c0 fffff80002d8e477 : 0000000000000005 fffff80002d8ded0 fffffa8001f0f730 fffffa8003d389c0 : nt!IovCallDriver+0x566
fffff880056ac720 fffff80002d84764 : fffffa8003f35d30 0000000000000000 fffffa8001e82010 fffff80002abae01 : nt!IopParseDevice+0x5a7
fffff880056ac8b0 fffff80002d89876 : fffffa8001e82010 fffff880056aca30 0000000000000040 fffffa8000cef750 : nt!ObpLookupObjectName+0x585
fffff880056ac9b0 fffff80002d90587 : 00000000000007ff 0000000000000001 fffffa80043c8b01 0000000000000180 : nt!ObOpenObjectByName+0x306
fffff880056aca80 fffff80002da92a4 : 000000000ac2cc58 fffff8a000020080 fffff8a001954cf0 000000000cf6efc0 : nt!IopCreateFile+0x2b7
fffff880056acb20 fffff80002a8d153 : fffffa80029484c0 0000000000000001 fffffa8003f2eb60 fffff80002da1094 : nt!NtOpenFile+0x58
fffff880056acbb0 0000000077ba01ea : 000007fefb9d23d8 0000000000000000 000000000b0f5030 0000000000020080 : nt!KiSystemServiceCopyEnd+0x13
000000000cf6ef88 000007fefb9d23d8 : 0000000000000000 000000000b0f5030 0000000000020080 0000000000000000 : ntdll!NtOpenFile+0xa
000000000cf6ef90 000007fefb9d26b8 : 000000000ac2cc50 000000000b11c480 000000000cf6f010 463356c141e90f3e : ntmarta!I_MartaFileNtOpenFile+0x58
000000000cf6f010 000007fefb9d2809 : 000000000ac2cc50 000000000b0f5030 000007fefb9d2610 000000000cf6f200 : ntmarta!MartaOpenFileNamedObject+0x140
000000000cf6f090 000007fefef3fa34 : 000000000b0f5030 0000000000000001 0000000000000005 000000000cf6f200 : ntmarta!AccRewriteGetNamedRights+0xe7
000000000cf6f140 000007fef8962d14 : 000000000af17548 000000000b0f5030 000000000cf6f298 000000000cf6f748 : ADVAPI32!GetNamedSecurityInfoW+0xa5
000000000cf6f1b0 000007fef8963a63 : 000000000af17548 000000000af17540 000000000cf6f2b0 000007feff7a5027 : ntshrui!CFolderAclEngine::_GetAcl+0x5c
000000000cf6f220 000007fef89639b4 : 0000000000000000 00007c2118579c43 000000000b0f5030 0000000000000000 : ntshrui!CFolderAclEngine::_IsItemPrivate+0x7b
000000000cf6f280 000007fef89640bf : 0000000000000000 0000000000000000 000000000af9b8c8 000000000cf6f358 : ntshrui!CSmbShareEngine::GetItemSharingStatus+0x2c
000000000cf6f2b0 000007fef8963ff6 : 0000000000000000 00000000002013b8 0000000000000002 0000000000000000 : ntshrui!CSharingOverlayPrivate::_GetSharingStatus+0x87
000000000cf6f2f0 000007fefdee85e3 : 0000000000231060 0000000000000000 0000000000010000 0000000000000000 : ntshrui!CSharingOverlayPrivate::IsMemberOf+0x6e
000000000cf6f340 000007fefe01469c : 0000000080004005 000007fefdee7907 000000000cf6f420 0000000000000001 : SHELL32!CFSIconOverlayManager::_GetFileOverlayInfo+0x13e
000000000cf6f400 000007fefdee2bcb : fffffffff4fb7f00 0000000000000001 0000000000000000 000007feff7a5027 : SHELL32!CFSIconOverlayManager::GetFileOverlayInfo+0x1c
000000000cf6f440 000007fefdee2adc : 0000000003f32d50 0000000000000000 000000000b241e00 00007c2118579cda : SHELL32!CFSFolder::_GetOverlayInfo+0xf1
000000000cf6f6e0 000007fefdee22db : 000000000ac2cda0 000000000ad97630 0000000000000001 000007feffa3987e : SHELL32!CFSFolder::GetOverlayIndex+0x23
000000000cf6f710 000007fefdf09408 : 000000000af486d0 000000000ad97630 0000000000000000 0000000000000000 : SHELL32!CIconOverlayTask::InternalResumeRT+0x129
000000000cf6f790 000007fefe1b7e3c : 8000000001000000 000000000cf6f820 000000000af486d0 000000000000000a : SHELL32!CRunnableTask::Run+0xda
000000000cf6f7c0 000007fefe07f005 : 000000000af486d0 0000000000000000 000000000af486d0 0000000000000002 : SHELL32!CShellTask::TT_Run+0x124
000000000cf6f7f0 000007fefdf2e58a : 000000000b06ea50 000000000b06ea50 0000000000000000 00000000029704e8 : SHELL32!CShellTaskThread::ThreadProc+0x1d2
000000000cf6f890 000007feff7a3a7f : 000007fffff5a000 0000000000256a80 00000000001f0b10 00000000029704e8 : SHELL32!CShellTaskThread::s_ThreadProc+0x22
000000000cf6f8c0 0000000077b6f8eb : 000000000df79cd0 000000000df79cd0 0000000000256a80 000000000000000a : SHLWAPI!ExecuteWorkItemThreadProc+0xf
000000000cf6f8f0 0000000077b69d9f : 0000000000000000 000000000b06ea70 00000000001f0b10 000000000aebee68 : ntdll!RtlpTpWorkCallback+0x16b
000000000cf6f9d0 0000000077a4f56d : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : ntdll!TppWorkerThread+0x5ff
000000000cf6fcd0 0000000077b83281 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : kernel32!BaseThreadInitThunk+0xd
000000000cf6fd00 0000000000000000 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : ntdll!RtlUserThreadStart+0x1d

FAULTING_SOURCE_LINE: c:\software\vs\SFDrv\x64\SFDrv.c

FAULTING_SOURCE_FILE: c:\software\vs\SFDrv\x64\SFDrv.c

FAULTING_SOURCE_LINE_NUMBER: 1220

SYMBOL_STACK_INDEX: a

SYMBOL_NAME: SFDrv64!hdPreCreate+1000

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: SFDrv64

IMAGE_NAME: SFDrv64.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 51dc59bd

STACK_COMMAND: .cxr 0xfffff880056aacc0 ; kb

FAILURE_BUCKET_ID: X64_0x24_VRF_SFDrv64!hdPreCreate+1000

BUCKET_ID: X64_0x24_VRF_SFDrv64!hdPreCreate+1000

Followup: MachineOwner

kd> .exr 0xfffff880056ab468
ExceptionAddress: fffff880012cb88d (Ntfs!NtfsCommonQueryInformation+0x000000000000009d)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 0000000000000000
Parameter[1]: ffffffffffffffff
Attempt to read from address ffffffffffffffff
kd> .cxr 0xfffff880056aacc0
rax=fffff880056abcb8 rbx=fffffa8003f2eb60 rcx=0000000000000028
rdx=001c033400071d54 rsi=fffff880056ab820 rdi=fffff80002c9a354
rip=fffff880012cb88d rsp=fffff880056ab6a0 rbp=0000000000000002
r8=0000000000000000 r9=00071eb300071d80 r10=0000000000000004
r11=fffff880056ab778 r12=0000000000000004 r13=fffff98009e08f68
r14=0000000000000000 r15=fffff880056abf20
iopl=0 nv up ei ng nz na pe nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00010282
Ntfs!NtfsCommonQueryInformation+0x9d:
fffff880012cb88d 418b4104 mov eax,dword ptr [r9+4] ds:002b:00071eb300071d84=???

kd> !verifier

Verify Level 41b … enabled options are:
Special pool
Special irql
All pool allocations checked on unload
Io subsystem checking enabled
IRP Logging

First off:

[quote]
FILE_OBJECT fo;
FILE_OBJECT dirobj;

FltCreateFileEx(FltObjects->Filter, FltObjects->Instance, &fh, &fo,

[/quote]

FltCreateFileEx takes a “PFILE_OBJECT *”, not a “PFILE_OBJECT”. Your local
variables should be declared as PFILE_OBJECT, not just FILE_OBJECT. As written,
“&fo” is the address of an uninitialized FILE_OBJECT on your stack:
FltCreateFileEx presumably writes the returned pointer over its first few bytes,
and every later call (FltFsControlFile, FltSetInformationFile,
ObDereferenceObject) then hands NTFS and Fltmgr that stack structure as if it
were the file object. Both dumps look consistent with that — the faulting reads
in NtfsGetReparsePoint and NtfsCommonQueryInformation go through
00071eb300071d80, which looks like leftover stack contents rather than a kernel
pointer. Gotta love C…I’m curious, does this pass PREfast?

Next:

The OutputBuffer parameter here should be “rpb” and not “&rpb” (and “sz”, the
ReturnedOutputBufferLength, needs to be a declared ULONG — it is not in the
listing). In addition, obviously once you fix your local variable declarations
the second parameter will simply be “fo”. Two more things to look at on that
path once it stops crashing. First, you pass 0 for CreateOptions in your own
FltCreateFileEx, so your re-open does not itself set FILE_OPEN_REPARSE_POINT;
on NTFS an open without that flag is resolved through a symbolic link or mount
point to its target, so the FSCTL_GET_REPARSE_POINT you issue (and, in the
rename branch, the FileRenameInformation) is applied to whatever the reparse
point points at, not to the reparse point the original caller asked for.
Second, the DbgPrint of SymbolicLinkReparseBuffer.PathBuffer with %S assumes a
symlink tag and a NUL terminator; PathBuffer is not NUL-terminated and other
tags lay out the data differently, so check ReparseTag first and build a
UNICODE_STRING from PrintNameOffset/PrintNameLength (or the SubstituteName
fields) and print it with %wZ.

The ObDereferenceObject call is *not* optional, you have to make it — otherwise
every create that goes down this path leaks a reference on the file object. I
suspect that once you solve the other issues that Verifier error will go away
(again assuming you simply pass “fo”; it is the same root cause, you were
“dereferencing” the address of your stack variable rather than an object).
While you are in there: the rename branch opens the file for DELETE with
Flags = 0, so unless you add IO_FORCE_ACCESS_CHECK that open is performed with
kernel-mode privileges and is not checked against the token of the user whose
create you are filtering; together with ReplaceIfExists = TRUE, that means
whatever condition sets renameFile, the user who triggered the create does not
need DELETE access to the file (or to the file being overwritten) for your
driver to rename and clobber it. Also, the RtlCopyMemory into
TargetFileObject->FileName.Buffer checks neither FileName.MaximumLength nor
updates FileName.Length, so a newFileName longer than the original name
overruns the I/O manager’s buffer; and the “goto cleanup” on the
FltSetInformationFile failure (and on fri == NULL) skips FltClose and
FltFreePoolAlignedWithTag unless your cleanup label takes care of them.

-scott
OSR

wrote in message news:xxxxx@ntfsd…

So long time listener, first time caller. I’ve been reading these forums
for the past few years and they have greatly helped me as I develop kernel
mode components. But now I am stuck and I can’t seem to find a solution. I
am writing a minifilter driver that among other things, has to rename a file
(not as a REPARSE). I do this in pre-create. Now, before anyone says you
can’t do stuff in pre-create because the FileObject is not valid, I know. I
use FltCreateFileEx to open the file (which also checks if the file exists),
and if it does I issue a FltSetInformationFile command to change the name.
Then if all goes smoothly, I modify the TargetFileObject and continue on.
If the file doesn’t exist, I just modify the TargetFileObject to create the
newly modified file. This works fine until I run into pre-create commands
that have FILE_OPEN_REPARSE_POINT. When that flag is there, I get
NTFS_FILE_SYSTEM (24) BugCheck for the FltSetInformationFile operation. If
I just want to query the actual reparse data, via FltFsControlFile, again
opening the file first with FltCreateFileEx to get the FILE_OBJECT, it also
gives me NTFS_FILE_SYSTEM BugCheck.

Another sort of related issue is calling ObDereferenceObject on the
FILE_OBJECT returned from FltCreateFileEx. The documentation says you have
to do it, but when I actually make the call, Verifier throws an error.
Anyone have any insight on this?

My test environment is a VMWare Windows 7 x64 with two virtual removable
drives mounted, 1 FAT and 1 NTFS. Attached is the abbreviated code as well
as the two !analyze dumps. Any help would be appreciated.

-Dave

FLT_PREOP_CALLBACK_STATUS ret = FLT_PREOP_SUCCESS_WITH_CALLBACK;
NTSTATUS status = 0;
PINSTANCE_CONTEXT InsCtx = NULL;
PFLT_FILE_NAME_INFORMATION nameInfo = NULL;
PFILE_RENAME_INFORMATION fri = NULL;
PREPARSE_DATA_BUFFER rpb = NULL;

ULONG fnl = 0;
HANDLE fh;
HANDLE dh;
FILE_OBJECT fo;
FILE_OBJECT dirobj;
OBJECT_ATTRIBUTES attributes;
IO_STATUS_BLOCK iob;
BOOLEAN renameFile = FALSE;
BOOLEAN slOTD = FALSE;
UNICODE_STRING newFileName;

if (FlagOn(Data->Iopb->OperationFlags, SL_OPEN_TARGET_DIRECTORY)) {
ClearFlag(Data->Iopb->OperationFlags, SL_OPEN_TARGET_DIRECTORY);
slOTD = TRUE;
}

status = FltGetFileNameInformation(Data, FLT_FILE_NAME_OPENED |
FLT_FILE_NAME_QUERY_FILESYSTEM_ONLY, &nameInfo);
if (!NT_SUCCESS(status)) {
ret = FLT_PREOP_COMPLETE;
goto cleanup;
}

status = FltParseFileNameInformation(nameInfo);
if (!NT_SUCCESS(status)) {
ret = FLT_PREOP_COMPLETE;
goto cleanup;
}

if (nameInfo == NULL) {
ret = FLT_PREOP_COMPLETE;
goto cleanup;
}

if (slOTD)
SetFlag(Data->Iopb->OperationFlags, SL_OPEN_TARGET_DIRECTORY);

if (FlagOn(Data->Iopb->Parameters.Create.Options, FILE_OPEN_REPARSE_POINT))
{
DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_INFO_LEVEL, “\t
FILE_OPEN_REPARSE_POINT\n”);
InitializeObjectAttributes(&attributes, &nameInfo->Name,
OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, NULL, NULL);
status = FltCreateFileEx(FltObjects->Filter, FltObjects->Instance, &fh, &fo,
GENERIC_READ, &attributes, &iob, 0, FILE_ATTRIBUTE_NORMAL, 0, FILE_OPEN, 0,
NULL, 0, 0);
if (NT_SUCCESS(status)) {
fnl = MAXIMUM_REPARSE_DATA_BUFFER_SIZE;
rpb = (PREPARSE_DATA_BUFFER)ExAllocatePoolWithTag(NonPagedPool, fnl,
TAG_PRE_CREATE);
if (rpb != NULL) {
RtlZeroMemory(rpb, fnl);

/*************BUG CHECK HERE**********/
status = FltFsControlFile(FltObjects->Instance, &fo,
FSCTL_GET_REPARSE_POINT, NULL, 0, &rpb, fnl, &sz);
if (NT_SUCCESS(status)) {
DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_INFO_LEVEL, “\t *** Reparse Info
***\n”);
DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_INFO_LEVEL, “\t\t ReparseDataLength =
%d\n”, rpb->ReparseDataLength);
DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_INFO_LEVEL, “\t\t Tag = %x\n”,
rpb->ReparseTag);
DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_INFO_LEVEL, “\t\t
SymbolicLinkReparseBuffer.PathBuffer = ‘%S’\n”,
rpb->SymbolicLinkReparseBuffer.PathBuffer);
} else {
DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_INFO_LEVEL, “\t FltFsControlFile =
%d\n”, status);
}
ExFreePoolWithTag(rpb, TAG_PRE_CREATE);
}
FltClose(fh);
//ObDereferenceObject(&fo);
} else {
DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_INFO_LEVEL, “\t FltCreateFileEx
failed = %d\n”, status);
}
}

/*
Code removed
*/

if (renameFile) {
InitializeObjectAttributes(&attributes, &nameInfo->Name,
OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, NULL, NULL);
status = FltCreateFileEx(FltObjects->Filter, FltObjects->Instance, &fh, &fo,
DELETE, &attributes, &iob, 0, FILE_ATTRIBUTE_NORMAL, 0, FILE_OPEN, 0, NULL,
0, 0);
if (NT_SUCCESS(status)) {
fnl = sizeof(FILE_RENAME_INFORMATION) + newFileName.Length + sizeof(WCHAR);
fri =
(PFILE_RENAME_INFORMATION)FltAllocatePoolAlignedWithTag(FltObjects->Instance,
NonPagedPool, fnl, TAG_PRE_CREATE);
if (fri == NULL) {
goto cleanup;
}
RtlZeroMemory(fri, fnl);

fri->ReplaceIfExists = TRUE;
fri->RootDirectory = NULL;
fri->FileNameLength = newFileName.Length;
RtlCopyMemory(fri->FileName, newFileName.Buffer, newFileName.Length);

/*************BUG CHECK HERE**********/
status = FltSetInformationFile(FltObjects->Instance, &fo, fri, fnl,
FileRenameInformation);
if (NT_SUCCESS(status)) {
RtlCopyMemory(Data->Iopb->TargetFileObject->FileName.Buffer +
((pos+sizeof(WCHAR))/sizeof(WCHAR)), newFileName.Buffer,
newFileName.Length);
FltSetCallbackDataDirty(Data);
DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_INFO_LEVEL, “\t\t\t TargetFileObject
= ‘%wZ’\n”, Data->Iopb->TargetFileObject->FileName);
} else {
goto cleanup;
}

FltFreePoolAlignedWithTag(FltObjects->Instance, fri, TAG_PRE_CREATE);
FltClose(fh);
//ObDereferenceObject(&fo);
}
}

*** Fatal System Error: 0x00000024
(0x00000000001904FB,0xFFFFF88002892658,0xFFFFF88002891EB0,0xFFFFF880012B1E9D)

Break instruction exception - code 80000003 (first chance)

A fatal system error has occurred.
Debugger entered on first try; Bugcheck callbacks have not been invoked.

A fatal system error has occurred.

Connected to Windows 7 7600 x64 target at (Tue Jul 9 14:41:47.999 2013
(UTC - 4:00)), ptr64 TRUE
Loading Kernel Symbols



Loading User Symbols



Loading unloaded module list

*******************************************************************************
*
*
* Bugcheck Analysis
*
*
*
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 24, {1904fb, fffff88002892658, fffff88002891eb0, fffff880012b1e9d}

Probably caused by : SFDrv64.sys ( SFDrv64!hdPreCreate+bbf )

Followup: MachineOwner

nt!RtlpBreakWithStatusInstruction:
fffff800`02a85f60 cc int 3
kd> !analyze -v
*******************************************************************************
*
*
* Bugcheck Analysis
*
*
*
*******************************************************************************

NTFS_FILE_SYSTEM (24)
If you see NtfsExceptionFilter on the stack then the 2nd and 3rd
parameters are the exception record and context record. Do a .cxr
on the 3rd parameter and then kb to obtain a more informative stack
trace.
Arguments:
Arg1: 00000000001904fb
Arg2: fffff88002892658
Arg3: fffff88002891eb0
Arg4: fffff880012b1e9d

Debugging Details:

EXCEPTION_RECORD: fffff88002892658 – (.exr 0xfffff88002892658)
ExceptionAddress: fffff880012b1e9d
(Ntfs!NtfsGetReparsePoint+0x0000000000000095)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 0000000000000000
Parameter[1]: ffffffffffffffff
Attempt to read from address ffffffffffffffff

CONTEXT: fffff88002891eb0 – (.cxr 0xfffff88002891eb0)
rax=fffff80002c9a354 rbx=fffff9800c622f68 rcx=001c033400071d54
rdx=fffff9800c622e50 rsi=fffffa80024e6b30 rdi=0000000000000000
rip=fffff880012b1e9d rsp=fffff88002892890 rbp=0000000000000002
r8=0000000000000000 r9=0000000000000000 r10=0000000000000004
r11=fffffa80024e6b30 r12=fffffa8001ea2420 r13=0000000000000001
r14=00071eb300071d80 r15=fffff9800c622e50
iopl=0 nv up ei ng nz na pe nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b
efl=00010282
Ntfs!NtfsGetReparsePoint+0x95:
fffff880012b1e9d 45846e04 test byte ptr [r14+4],r13b ds:002b:00071eb300071d84=??
Resetting default scope

DEFAULT_BUCKET_ID: WIN7_DRIVER_FAULT

PROCESS_NAME: explorer.exe

CURRENT_IRQL: 2

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced
memory at 0x%08lx. The memory could not be %s.

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx
referenced memory at 0x%08lx. The memory could not be %s.

EXCEPTION_PARAMETER1: 0000000000000000

EXCEPTION_PARAMETER2: ffffffffffffffff

READ_ADDRESS: ffffffffffffffff

FOLLOWUP_IP:
SFDrv64!hdPreCreate+bbf [c:\software\vs\SFDrv\x64\SFDrv.c @ 1115]
fffff880`03987fcf 898424c8020000 mov dword ptr [rsp+2C8h],eax

FAULTING_IP:
Ntfs!NtfsGetReparsePoint+95
fffff880`012b1e9d 45846e04 test byte ptr [r14+4],r13b

BUGCHECK_STR: 0x24

LAST_CONTROL_TRANSFER: from fffff880012f751e to fffff880012b1e9d

STACK_TEXT:
fffff88002892890 fffff880012f751e : fffffa80024e6b30 fffff9800c622e50
fffffa8000000000 fffff88002892a78 : Ntfs!NtfsGetReparsePoint+0x95
fffff880028929f0 fffff880012f32ed : fffffa80024e6b30 0000000000000000
0000000000000002 0000000000000000 : Ntfs!NtfsUserFsRequest+0xca
fffff88002892a30 fffff80002f33c16 : fffff9800c622e50 fffff9800c622e50
0000000000000000 fffffa80024e6b30 : Ntfs!NtfsFsdFileSystemControl+0x13d
fffff88002892ad0 fffff8800113623f : fffff9800c622fb0 fffff88002892b80
fffffa80040f8770 fffffa8001e6d650 : nt!IovCallDriver+0x566
fffff88002892b30 fffff8800113894a : 0000000000000000 0000000000000000
0000000000000000 fffffa80040f8770 :
fltmgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x24f
fffff88002892bc0 fffff8800116e0a5 : fffffa8001e73bc0 0000000000000023
fffffa8000dad810 fffffa80040f8820 : fltmgr!FltPerformSynchronousIo+0x2ca
fffff88002892c60 fffff8800116eb28 : 0000000000000000 fffff88002892f20
00000000000900a8 fffffa80024d86b0 : fltmgr!IssueControlOperation+0x395
fffff88002892cf0 fffff88001171c28 : 0000000000000000 fffffa8001e81c20
fffff88002892f20 00000000000900a8 : fltmgr!FltFsControlFile+0x48
fffff88002892d50 fffff88003987fcf : 0000000000000016 0000000000000016
fffff8a002139788 0000000000000003 : fltmgr!FltvFsControlFile+0x68
fffff88002892da0 fffff88001173c3e : fffffa8001ef9ce0 fffff88002893558
fffff88002893530 0000000000000100 : SFDrv64!hdPreCreate+0xbbf
[c:\software\vs\SFDrv\x64\SFDrv.c @ 1115]
fffff880028933d0 fffff88001135027 : 0000000000000000 fffff80002a2c943
fffffa80017ea398 fffffa8001ef9d80 : fltmgr!FltvPreOperation+0xbe
fffff880028934e0 fffff880011378ca : fffffa8001e92f00 fffffa8001e92f00
fffffa8001e5b800 fffffa8000dad800 : fltmgr!FltpPerformPreCallbacks+0x2f7
fffff880028935e0 fffff880011552a3 : fffff9800c788e50 fffff9800c788e50
fffff9800c788e50 fffffa8001e92f20 : fltmgr!FltpPassThroughInternal+0x4a
fffff88002893610 fffff80002f33c16 : fffff9800c788e50 0000000000000002
0000000000000040 0000000000000000 : fltmgr!FltpCreate+0x293
fffff880028936c0 fffff80002d8e477 : 0000000000000005 fffff80002d8ded0
fffffa8003c97010 fffffa8001e6de70 : nt!IovCallDriver+0x566
fffff88002893720 fffff80002d84764 : fffffa8003f35d30 0000000000000000
fffffa80040f4010 fffff80002abae01 : nt!IopParseDevice+0x5a7
fffff880028938b0 fffff80002d89876 : fffffa80040f4010 fffff88002893a30
0000000000000040 fffffa8000cef750 : nt!ObpLookupObjectName+0x585
fffff880028939b0 fffff80002d90587 : 00000000000007ff 0000000000000001
fffffa8001e93001 0000000000000180 : nt!ObOpenObjectByName+0x306
fffff88002893a80 fffff80002da92a4 : 000000000aeea8e8 fffff8a000020080
fffff8a001954d90 00000000078cf0c0 : nt!IopCreateFile+0x2b7
fffff88002893b20 fffff80002a8d153 : fffffa80029484c0 0000000000000001
fffffa8001ea2420 fffff80002da1094 : nt!NtOpenFile+0x58
fffff88002893bb0 0000000077ba01ea : 000007fefb9d23d8 0000000000000000
000000000ae3f800 0000000000020080 : nt!KiSystemServiceCopyEnd+0x13
00000000078cf088 000007fefb9d23d8 : 0000000000000000 000000000ae3f800
0000000000020080 0000000000000000 : ntdll!NtOpenFile+0xa
00000000078cf090 000007fefb9d26b8 : 000000000aeea8e0 000000000af6b920
00000000078c0000 463356c141e90f3e : ntmarta!I_MartaFileNtOpenFile+0x58
00000000078cf110 000007fefb9d2809 : 000000000aeea8e0 000000000ae3f800
000007fefb9d2610 00000000078cf300 : ntmarta!MartaOpenFileNamedObject+0x140
00000000078cf190 000007fefef3fa34 : 000000000ae3f800 0000000000000001
0000000000000005 00000000078cf300 : ntmarta!AccRewriteGetNamedRights+0xe7
00000000078cf240 000007fef8962d14 : 000000000af154e8 000000000ae3f800
00000000078cf398 00000000078cf848 : ADVAPI32!GetNamedSecurityInfoW+0xa5
00000000078cf2b0 000007fef8963a63 : 000000000af154e8 000000000af154e0
00000000078cf3b0 000007feff7a5027 : ntshrui!CFolderAclEngine::_GetAcl+0x5c
00000000078cf320 000007fef89639b4 : 0000000000000000 00007c21132d9d43
000000000ae3f800 0000000000000000 :
ntshrui!CFolderAclEngine::_IsItemPrivate+0x7b
00000000078cf380 000007fef89640bf : 0000000000000000 0000000000000000
000000000aeaaf98 00000000078cf458 :
ntshrui!CSmbShareEngine::GetItemSharingStatus+0x2c
00000000078cf3b0 000007fef8963ff6 : 0000000000000000 00000000002013b8
0000000000000002 0000000000000000 :
ntshrui!CSharingOverlayPrivate::_GetSharingStatus+0x87
00000000078cf3f0 000007fefdee85e3 : 0000000000231060 0000000000000000
0000000000010000 0000000000000000 :
ntshrui!CSharingOverlayPrivate::IsMemberOf+0x6e
00000000078cf440 000007fefe01469c : 0000000080004005 000007fefdee7907
00000000078cf520 0000000000000001 :
SHELL32!CFSIconOverlayManager::_GetFileOverlayInfo+0x13e
00000000078cf500 000007fefdee2bcb : fffffffff4fb6420 0000000000000001
0000000000000000 000007feff7a5027 :
SHELL32!CFSIconOverlayManager::GetFileOverlayInfo+0x1c
00000000078cf540 000007fefdee2adc : 000000000aeea130 000000000dfb8880
000000000dfb8880 0000000000000000 :
SHELL32!CFSFolder::_GetOverlayInfo+0xf1
00000000078cf7e0 000007fefdee22db : 000000000aeea130 000007fefadbce3f
0000000000000001 0000000000000001 :
SHELL32!CFSFolder::GetOverlayIndex+0x23
00000000078cf810 000007fefdf09408 : 000000000b0df350 000000000dfb8880
0000000000000000 0000000000000000 :
SHELL32!CIconOverlayTask::InternalResumeRT+0x129
00000000078cf890 000007fefe1b7e3c : 8000000001000000 00000000078cf920
000000000b0df350 000000000000000a : SHELL32!CRunnableTask::Run+0xda
00000000078cf8c0 000007fefe07f005 : 000000000b0df350 0000000000000000
000000000b0df350 0000000000000002 : SHELL32!CShellTask::TT_Run+0x124
00000000078cf8f0 000007fefdf2e58a : 000000000b074690 000000000b074690
0000000000000000 0000000000000000 :
SHELL32!CShellTaskThread::ThreadProc+0x1d2
00000000078cf990 000007feff7a3a7f : 000007fffff96000 0000000000256a80
00000000001f0b10 0000000000000000 :
SHELL32!CShellTaskThread::s_ThreadProc+0x22
00000000078cf9c0 0000000077b6f8eb : 000000000ab8c890 000000000ab8c890
00000000000004ff 000000000000000a : SHLWAPI!ExecuteWorkItemThreadProc+0xf
00000000078cf9f0 0000000077b69d9f : 0000000000000000 000000000b06e8f0
00000000001f0b10 000000000df7a828 : ntdll!RtlpTpWorkCallback+0x16b
00000000078cfad0 0000000077a4f56d : 0000000000000000 0000000000000000
0000000000000000 0000000000000000 : ntdll!TppWorkerThread+0x5ff
00000000078cfdd0 0000000077b83281 : 0000000000000000 0000000000000000
0000000000000000 0000000000000000 : kernel32!BaseThreadInitThunk+0xd
00000000078cfe00 0000000000000000 : 0000000000000000 0000000000000000
0000000000000000 0000000000000000 : ntdll!RtlUserThreadStart+0x1d

FAULTING_SOURCE_LINE: c:\software\vs\SFDrv\x64\SFDrv.c

FAULTING_SOURCE_FILE: c:\software\vs\SFDrv\x64\SFDrv.c

FAULTING_SOURCE_LINE_NUMBER: 1115

SYMBOL_STACK_INDEX: 9

SYMBOL_NAME: SFDrv64!hdPreCreate+bbf

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: SFDrv64

IMAGE_NAME: SFDrv64.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 51dc5944

STACK_COMMAND: .cxr 0xfffff88002891eb0 ; kb

FAILURE_BUCKET_ID: X64_0x24_VRF_SFDrv64!hdPreCreate+bbf

BUCKET_ID: X64_0x24_VRF_SFDrv64!hdPreCreate+bbf

Followup: MachineOwner

kd> .exr 0xfffff88002892658
ExceptionAddress: fffff880012b1e9d
(Ntfs!NtfsGetReparsePoint+0x0000000000000095)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 0000000000000000
Parameter[1]: ffffffffffffffff
Attempt to read from address ffffffffffffffff
kd> .cxr 0xfffff88002891eb0
rax=fffff80002c9a354 rbx=fffff9800c622f68 rcx=001c033400071d54
rdx=fffff9800c622e50 rsi=fffffa80024e6b30 rdi=0000000000000000
rip=fffff880012b1e9d rsp=fffff88002892890 rbp=0000000000000002
r8=0000000000000000 r9=0000000000000000 r10=0000000000000004
r11=fffffa80024e6b30 r12=fffffa8001ea2420 r13=0000000000000001
r14=00071eb300071d80 r15=fffff9800c622e50
iopl=0 nv up ei ng nz na pe nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b
efl=00010282
Ntfs!NtfsGetReparsePoint+0x95:
fffff880012b1e9d 45846e04 test byte ptr [r14+4],r13b ds:002b:00071eb300071d84=??

*** Fatal System Error: 0x00000024
(0x00000000001904FB,0xFFFFF880056AB468,0xFFFFF880056AACC0,0xFFFFF880012CB88D)

Break instruction exception - code 80000003 (first chance)

A fatal system error has occurred.
Debugger entered on first try; Bugcheck callbacks have not been invoked.

A fatal system error has occurred.

Connected to Windows 7 7600 x64 target at (Tue Jul 9 14:43:52.286 2013
(UTC - 4:00)), ptr64 TRUE
Loading Kernel Symbols



Loading User Symbols



Loading unloaded module list

*******************************************************************************
*
*
* Bugcheck Analysis
*
*
*
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 24, {1904fb, fffff880056ab468, fffff880056aacc0, fffff880012cb88d}

Probably caused by : SFDrv64.sys ( SFDrv64!hdPreCreate+1000 )

Followup: MachineOwner

nt!RtlpBreakWithStatusInstruction:
fffff800`02a85f60 cc int 3
kd> !analyze -v
*******************************************************************************
*
*
* Bugcheck Analysis
*
*
*
*******************************************************************************

NTFS_FILE_SYSTEM (24)
If you see NtfsExceptionFilter on the stack then the 2nd and 3rd
parameters are the exception record and context record. Do a .cxr
on the 3rd parameter and then kb to obtain a more informative stack
trace.
Arguments:
Arg1: 00000000001904fb
Arg2: fffff880056ab468
Arg3: fffff880056aacc0
Arg4: fffff880012cb88d

Debugging Details:

EXCEPTION_RECORD: fffff880056ab468 – (.exr 0xfffff880056ab468)
ExceptionAddress: fffff880012cb88d
(Ntfs!NtfsCommonQueryInformation+0x000000000000009d)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 0000000000000000
Parameter[1]: ffffffffffffffff
Attempt to read from address ffffffffffffffff

CONTEXT: fffff880056aacc0 – (.cxr 0xfffff880056aacc0)
rax=fffff880056abcb8 rbx=fffffa8003f2eb60 rcx=0000000000000028
rdx=001c033400071d54 rsi=fffff880056ab820 rdi=fffff80002c9a354
rip=fffff880012cb88d rsp=fffff880056ab6a0 rbp=0000000000000002
r8=0000000000000000 r9=00071eb300071d80 r10=0000000000000004
r11=fffff880056ab778 r12=0000000000000004 r13=fffff98009e08f68
r14=0000000000000000 r15=fffff880056abf20
iopl=0 nv up ei ng nz na pe nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b
efl=00010282
Ntfs!NtfsCommonQueryInformation+0x9d:
fffff880012cb88d 418b4104 mov eax,dword ptr [r9+4] ds:002b:00071eb300071d84=???
Resetting default scope

DEFAULT_BUCKET_ID: WIN7_DRIVER_FAULT

PROCESS_NAME: explorer.exe

CURRENT_IRQL: 2

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced
memory at 0x%08lx. The memory could not be %s.

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx
referenced memory at 0x%08lx. The memory could not be %s.

EXCEPTION_PARAMETER1: 0000000000000000

EXCEPTION_PARAMETER2: ffffffffffffffff

READ_ADDRESS: ffffffffffffffff

FOLLOWUP_IP:
SFDrv64!hdPreCreate+1000 [c:\software\vs\SFDrv\x64\SFDrv.c @ 1220]
fffff880`03988410 898424c8020000 mov dword ptr [rsp+2C8h],eax

FAULTING_IP:
Ntfs!NtfsCommonQueryInformation+9d
fffff880`012cb88d 418b4104 mov eax,dword ptr [r9+4]

BUGCHECK_STR: 0x24

LAST_CONTROL_TRANSFER: from fffff880012cc906 to fffff880012cb88d

STACK_TEXT:
fffff880056ab6a0 fffff880012cc906 : fffff880056ab820 fffff98009e08e50
0000000000000028 fffff98000000028 : Ntfs!NtfsCommonQueryInformation+0x9d
fffff880056ab780 fffff880012ccea4 : fffff880056ab820 fffff98009e08e50
fffff98009e08e50 fffff8a0000018c0 : Ntfs!NtfsFsdDispatchSwitch+0x106
fffff880056ab800 fffff80002f33c16 : fffff98009e08e50 0000000000000002
0000000000000000 0000000000000000 : Ntfs!NtfsFsdDispatchWait+0x14
fffff880056ab9f0 fffff8800113623f : fffff98009e08fb0 fffff880056abaa0
fffffa8001f36180 fffffa8001e64a60 : nt!IovCallDriver+0x566
fffff880056aba50 fffff8800113894a : 0000000000000000 0000000000000000
0000000000000000 fffffa8001f36180 :
fltmgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x24f
fffff880056abae0 fffff8800116e4e2 : fffffa8001e73bc0 000000000000001b
fffffa8000dad810 fffffa8001f36230 : fltmgr!FltPerformSynchronousIo+0x2ca
fffff880056abb80 fffff8800116e8c2 : 0000000000000002 fffff880056abf20
fffffa80013b9718 fffff88000000011 : fltmgr!FltQueryInformationFile+0x52
fffff880056abbc0 fffff8800116ec01 : fffffa8001e31010 fffffa8001e310c0
0000000000000048 0000000000000000 : fltmgr!FltpOpenLinkOrRenameTarget+0x62
fffff880056abd00 fffff88001171c98 : 0000000000000048 fffffa80024535c0
fffff880056abf20 fffffa8001f04b50 : fltmgr!FltSetInformationFile+0xc1
fffff880056abd60 fffff88003988410 : 0000000000000016 0000000000000016
fffff9800abe0ffe 0000000000000003 : fltmgr!FltvSetInformationFile+0x48
fffff880056abda0 fffff88001173c3e : fffffa8002457650 fffff880056ac558
fffff880056ac530 0000000000000100 : SFDrv64!hdPreCreate+0x1000
[c:\software\vs\SFDrv\x64\SFDrv.c @ 1220]
fffff880056ac3d0 fffff88001135027 : 0000000000000000 fffff80002a2c943
fffffa80013b8498 fffffa80024576f0 : fltmgr!FltvPreOperation+0xbe
fffff880056ac4e0 fffff880011378ca : fffffa80043c8a00 fffffa80043c8a00
fffffa8001e5b800 fffffa8000dad800 : fltmgr!FltpPerformPreCallbacks+0x2f7
fffff880056ac5e0 fffff880011552a3 : fffff9800aa28e50 fffff9800aa28e50
fffff9800aa28e50 fffffa80043c8a20 : fltmgr!FltpPassThroughInternal+0x4a
fffff880056ac610 fffff80002f33c16 : fffff9800aa28e50 0000000000000002
0000000000000040 0000000000000000 : fltmgr!FltpCreate+0x293
fffff880056ac6c0 fffff80002d8e477 : 0000000000000005 fffff80002d8ded0
fffffa8001f0f730 fffffa8003d389c0 : nt!IovCallDriver+0x566
fffff880056ac720 fffff80002d84764 : fffffa8003f35d30 0000000000000000
fffffa8001e82010 fffff80002abae01 : nt!IopParseDevice+0x5a7
fffff880056ac8b0 fffff80002d89876 : fffffa8001e82010 fffff880056aca30
0000000000000040 fffffa8000cef750 : nt!ObpLookupObjectName+0x585
fffff880056ac9b0 fffff80002d90587 : 00000000000007ff 0000000000000001
fffffa80043c8b01 0000000000000180 : nt!ObOpenObjectByName+0x306
fffff880056aca80 fffff80002da92a4 : 000000000ac2cc58 fffff8a000020080
fffff8a001954cf0 000000000cf6efc0 : nt!IopCreateFile+0x2b7
fffff880056acb20 fffff80002a8d153 : fffffa80029484c0 0000000000000001
fffffa8003f2eb60 fffff80002da1094 : nt!NtOpenFile+0x58
fffff880056acbb0 0000000077ba01ea : 000007fefb9d23d8 0000000000000000
000000000b0f5030 0000000000020080 : nt!KiSystemServiceCopyEnd+0x13
000000000cf6ef88 000007fefb9d23d8 : 0000000000000000 000000000b0f5030
0000000000020080 0000000000000000 : ntdll!NtOpenFile+0xa
000000000cf6ef90 000007fefb9d26b8 : 000000000ac2cc50 000000000b11c480
000000000cf6f010 463356c141e90f3e : ntmarta!I_MartaFileNtOpenFile+0x58
000000000cf6f010 000007fefb9d2809 : 000000000ac2cc50 000000000b0f5030
000007fefb9d2610 000000000cf6f200 : ntmarta!MartaOpenFileNamedObject+0x140
000000000cf6f090 000007fefef3fa34 : 000000000b0f5030 0000000000000001
0000000000000005 000000000cf6f200 : ntmarta!AccRewriteGetNamedRights+0xe7
000000000cf6f140 000007fef8962d14 : 000000000af17548 000000000b0f5030
000000000cf6f298 000000000cf6f748 : ADVAPI32!GetNamedSecurityInfoW+0xa5
000000000cf6f1b0 000007fef8963a63 : 000000000af17548 000000000af17540
000000000cf6f2b0 000007feff7a5027 : ntshrui!CFolderAclEngine::_GetAcl+0x5c
000000000cf6f220 000007fef89639b4 : 0000000000000000 00007c2118579c43
000000000b0f5030 0000000000000000 :
ntshrui!CFolderAclEngine::_IsItemPrivate+0x7b
000000000cf6f280 000007fef89640bf : 0000000000000000 0000000000000000
000000000af9b8c8 000000000cf6f358 :
ntshrui!CSmbShareEngine::GetItemSharingStatus+0x2c
000000000cf6f2b0 000007fef8963ff6 : 0000000000000000 00000000002013b8
0000000000000002 0000000000000000 :
ntshrui!CSharingOverlayPrivate::_GetSharingStatus+0x87
000000000cf6f2f0 000007fefdee85e3 : 0000000000231060 0000000000000000
0000000000010000 0000000000000000 :
ntshrui!CSharingOverlayPrivate::IsMemberOf+0x6e
000000000cf6f340 000007fefe01469c : 0000000080004005 000007fefdee7907
000000000cf6f420 0000000000000001 :
SHELL32!CFSIconOverlayManager::_GetFileOverlayInfo+0x13e
000000000cf6f400 000007fefdee2bcb : fffffffff4fb7f00 0000000000000001
0000000000000000 000007feff7a5027 :
SHELL32!CFSIconOverlayManager::GetFileOverlayInfo+0x1c
000000000cf6f440 000007fefdee2adc : 0000000003f32d50 0000000000000000
000000000b241e00 00007c2118579cda :
SHELL32!CFSFolder::_GetOverlayInfo+0xf1
000000000cf6f6e0 000007fefdee22db : 000000000ac2cda0 000000000ad97630
0000000000000001 000007feffa3987e :
SHELL32!CFSFolder::GetOverlayIndex+0x23
000000000cf6f710 000007fefdf09408 : 000000000af486d0 000000000ad97630
0000000000000000 0000000000000000 :
SHELL32!CIconOverlayTask::InternalResumeRT+0x129
000000000cf6f790 000007fefe1b7e3c : 8000000001000000 000000000cf6f820
000000000af486d0 000000000000000a : SHELL32!CRunnableTask::Run+0xda
000000000cf6f7c0 000007fefe07f005 : 000000000af486d0 0000000000000000
000000000af486d0 0000000000000002 : SHELL32!CShellTask::TT_Run+0x124
000000000cf6f7f0 000007fefdf2e58a : 000000000b06ea50 000000000b06ea50
0000000000000000 00000000029704e8 :
SHELL32!CShellTaskThread::ThreadProc+0x1d2
000000000cf6f890 000007feff7a3a7f : 000007fffff5a000 0000000000256a80
00000000001f0b10 00000000029704e8 :
SHELL32!CShellTaskThread::s_ThreadProc+0x22
000000000cf6f8c0 0000000077b6f8eb : 000000000df79cd0 000000000df79cd0
0000000000256a80 000000000000000a : SHLWAPI!ExecuteWorkItemThreadProc+0xf
000000000cf6f8f0 0000000077b69d9f : 0000000000000000 000000000b06ea70
00000000001f0b10 000000000aebee68 : ntdll!RtlpTpWorkCallback+0x16b
000000000cf6f9d0 0000000077a4f56d : 0000000000000000 0000000000000000
0000000000000000 0000000000000000 : ntdll!TppWorkerThread+0x5ff
000000000cf6fcd0 0000000077b83281 : 0000000000000000 0000000000000000
0000000000000000 0000000000000000 : kernel32!BaseThreadInitThunk+0xd
000000000cf6fd00 0000000000000000 : 0000000000000000 0000000000000000
0000000000000000 0000000000000000 : ntdll!RtlUserThreadStart+0x1d

FAULTING_SOURCE_LINE: c:\software\vs\SFDrv\x64\SFDrv.c

FAULTING_SOURCE_FILE: c:\software\vs\SFDrv\x64\SFDrv.c

FAULTING_SOURCE_LINE_NUMBER: 1220

SYMBOL_STACK_INDEX: a

SYMBOL_NAME: SFDrv64!hdPreCreate+1000

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: SFDrv64

IMAGE_NAME: SFDrv64.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 51dc59bd

STACK_COMMAND: .cxr 0xfffff880056aacc0 ; kb

FAILURE_BUCKET_ID: X64_0x24_VRF_SFDrv64!hdPreCreate+1000

BUCKET_ID: X64_0x24_VRF_SFDrv64!hdPreCreate+1000

Followup: MachineOwner

kd> .exr 0xfffff880056ab468
ExceptionAddress: fffff880012cb88d
(Ntfs!NtfsCommonQueryInformation+0x000000000000009d)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 0000000000000000
Parameter[1]: ffffffffffffffff
Attempt to read from address ffffffffffffffff
kd> .cxr 0xfffff880056aacc0
rax=fffff880056abcb8 rbx=fffffa8003f2eb60 rcx=0000000000000028
rdx=001c033400071d54 rsi=fffff880056ab820 rdi=fffff80002c9a354
rip=fffff880012cb88d rsp=fffff880056ab6a0 rbp=0000000000000002
r8=0000000000000000 r9=00071eb300071d80 r10=0000000000000004
r11=fffff880056ab778 r12=0000000000000004 r13=fffff98009e08f68
r14=0000000000000000 r15=fffff880056abf20
iopl=0 nv up ei ng nz na pe nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b
efl=00010282
Ntfs!NtfsCommonQueryInformation+0x9d:
fffff880012cb88d 418b4104 mov eax,dword ptr [r9+4] ds:002b:00071eb300071d84=???

kd> !verifier

Verify Level 41b … enabled options are:
Special pool
Special irql
All pool allocations checked on unload
Io subsystem checking enabled
IRP Logging

Scott,

Thank you. I am professionally embarrassed that I missed that. I guess that’s what happens when you stay up to 3am coding.

-Dave

No worries! Happens to all of us, glad to provide the extra set of eyes
necessary to resolve the problem :slight_smile:

-scott
OSR

wrote in message news:xxxxx@ntfsd…

Scott,

Thank you. I am professionally embarrassed that I missed that. I guess
that’s what happens when you stay up to 3am coding.

-Dave

> FltCreateFileEx takes a “PFILE_OBJECT *”, not a “PFILE_OBJECT”.

Your local variables should be declared as PFILE_OBJECT, not just FILE_OBJECT. With `FILE_OBJECT fo`, `&fo` is the address of an uninitialized stack struct: FltCreateFileEx writes the returned PFILE_OBJECT into the first bytes of that struct, and the later FltFsControlFile / FltSetInformationFile calls then hand NTFS that stack garbage instead of the real file object. Gotta love C… I’m curious, does this pass PREfast?

I am rather curious how this could get through
the compiler in the first place :slight_smile:

L.