FilterAttach causes preoperation callback to be called

Forgive me for posting this basic question, the answer is probably something
simple. I got a minifilter which is working fine except when I call
FilterAttach from my application it causes the preoperation callback to be
called and accessing the fields in the Data parameter then cause access
violations. The question is how can I detect this inside my preoperation
callback (since the Data parameter is bogus) or better how can I prevent
this from getting called ? My filter does not register an
InstanceSetupCallback.

Here is the stack (running on Windows Xp x64 edition):

kd> kp

fffffadfe1f779a8 fffffadfe59b6e67 rspmmfs64!SpyPreOperationCallback(struct _FLT_CALLBACK_DATA * Data = 0xfffffadfe8e54000, struct _FLT_RELATED_OBJECTS * FltObjects = 0xfffffadf00000030, void ** CompletionContext = 0xfffffadfe85a4460) [s:\mm\fs\rspmmfs.c @ 691]
fffffadfe1f779b0 fffffadfe59bd666 fltMgr!FltpPerformPreMountCallbacks+0x2a7
fffffadfe1f77a60 fffffadfe59bdee0 fltMgr!FltpFsControlMountVolume+0x1e6
fffffadfe1f77b20 fffff80001013628 fltMgr!FltpFsControl+0x80
fffffadfe1f77b80 fffff800012b9fcf nt!IopCheckVpbMounted+0x334
fffffadfe1f77cf0 fffff800012b345e nt!IopParseDevice+0x735
fffffadfe1f77ea0 fffff800012b983a nt!ObpLookupObjectName+0x92c
fffffadfe1f77fb0 fffff800012c13c9 nt!ObOpenObjectByName+0x180
fffffadfe1f781a0 fffff800012c1577 nt!IopCreateFile+0x62f
fffffadfe1f78330 fffff800012c3d89 nt!IoCreateFile+0x12f
fffffadfe1f78410 fffff80001041422 nt!NtCreateFile+0x69
fffffadfe1f78490 fffff80001041880 nt!KiSystemServiceCopyEnd+0x3
fffffadfe1f78698 fffffadfe59b82fe nt!KiServiceLinkage
fffffadfe1f786a0 fffffadfe59b71ad fltMgr!FltpGetVolumeFromName+0xde
fffffadfe1f78870 fffffadfe59bcd21 fltMgr!FltpAttachVolume+0x22d
fffffadfe1f78950 fffffadfe59a1ab2 fltMgr!FltpCommonDeviceControl+0x1a1
fffffadfe1f78990 fffffadfe59a27c2 fltMgr!FltpControlDispatch+0xe2
fffffadfe1f78a10 fffff800012cdd2f fltMgr!FltpDispatch+0x22
fffffadfe1f78a70 fffff800012de406 nt!IopXxxControlFile+0xa4c
fffffadfe1f78b90 fffff800`01041422 nt!NtDeviceIoControlFile+0x56

Thanks,

/Daniel

Daniel, provide a bit more information:

Which fields of CALLBACK_DATA do you access? What is happening in line 691?
Post the output of “analyze -v”.

The pointer to CALLBACK_DATA seems to be ok. Perhaps you are at raised IRQL
during access.

By the way: why do you find the “Data”-parameter to be bogus?

"Daniel Terhell" wrote in message
news:xxxxx@ntfsd…
> Forgive me for posting this basic question, the answer is probably
> something simple. I got a minifilter which is working fine except when I
> call FilterAttach from my application it causes the preoperation callback
> to be called and accessing the fields in the Data parameter then cause
> access violations. The question is how can I detect this inside my
> preoperation callback (since the Data parameter is bogus) or better how
> can I prevent this from getting called ? My filter does not register an
> InstanceSetupCallback.
>
> Here is the stack (running on Windows Xp x64 edition):
>
> kd> kp
>
> fffffadfe1f779a8 fffffadfe59b6e67 rspmmfs64!SpyPreOperationCallback(struct _FLT_CALLBACK_DATA * Data = 0xfffffadfe8e54000, struct _FLT_RELATED_OBJECTS * FltObjects = 0xfffffadf00000030, void ** CompletionContext = 0xfffffadfe85a4460) [s:\mm\fs\rspmmfs.c @ 691]
> fffffadfe1f779b0 fffffadfe59bd666 fltMgr!FltpPerformPreMountCallbacks+0x2a7
> fffffadfe1f77a60 fffffadfe59bdee0 fltMgr!FltpFsControlMountVolume+0x1e6
> fffffadfe1f77b20 fffff80001013628 fltMgr!FltpFsControl+0x80
> fffffadfe1f77b80 fffff800012b9fcf nt!IopCheckVpbMounted+0x334
> fffffadfe1f77cf0 fffff800012b345e nt!IopParseDevice+0x735
> fffffadfe1f77ea0 fffff800012b983a nt!ObpLookupObjectName+0x92c
> fffffadfe1f77fb0 fffff800012c13c9 nt!ObOpenObjectByName+0x180
> fffffadfe1f781a0 fffff800012c1577 nt!IopCreateFile+0x62f
> fffffadfe1f78330 fffff800012c3d89 nt!IoCreateFile+0x12f
> fffffadfe1f78410 fffff80001041422 nt!NtCreateFile+0x69
> fffffadfe1f78490 fffff80001041880 nt!KiSystemServiceCopyEnd+0x3
> fffffadfe1f78698 fffffadfe59b82fe nt!KiServiceLinkage
> fffffadfe1f786a0 fffffadfe59b71ad fltMgr!FltpGetVolumeFromName+0xde
> fffffadfe1f78870 fffffadfe59bcd21 fltMgr!FltpAttachVolume+0x22d
> fffffadfe1f78950 fffffadfe59a1ab2 fltMgr!FltpCommonDeviceControl+0x1a1
> fffffadfe1f78990 fffffadfe59a27c2 fltMgr!FltpControlDispatch+0xe2
> fffffadfe1f78a10 fffff800012cdd2f fltMgr!FltpDispatch+0x22
> fffffadfe1f78a70 fffff800012de406 nt!IopXxxControlFile+0xa4c
> fffffadfe1f78b90 fffff800`01041422 nt!NtDeviceIoControlFile+0x56
>
> Thanks,
>
> /Daniel
>
>
>
>

Thanks for your response. This is running at PASSIVE_LEVEL; it is a pre-operation
callback and it is not supposed to be called at a higher IRQL according to the new
WDK documentation. Also, I am using PAGED_CODE in this path to be sure of lower
IRQL. The bugcheck shows an IRQL of 2 but this is the responsibility of
FltGetFileNameInformation.

I put a breakpoint on line 551, just before the exception occurs. Accessing
the members of Data in the debugger sometimes gives access violations, but
not this time. The fields seem to contain arbitrary values.

Regards,

/Daniel

kd> ??Data
struct _FLT_CALLBACK_DATA * 0xfffffadfe90cb6e8
+0x000 Flags : 2
+0x008 Thread : 0xfffffadfe855e810 _KTHREAD
+0x010 Iopb : 0xfffffadfe90cb740 _FLT_IO_PARAMETER_BLOCK
+0x018 IoStatus : _IO_STATUS_BLOCK
+0x028 TagData : (null)
+0x030 QueueLinks : _LIST_ENTRY [0x0000000000000000 - 0x0]
+0x040 QueueContext : [2] (null)
+0x030 FilterContext : [4] (null)
+0x050 RequestorMode : 0 ‘’
kd> ??Data->Iopb
struct _FLT_IO_PARAMETER_BLOCK * 0xfffffadf`e90cb740
+0x000 IrpFlags : 0
+0x004 MajorFunction : 0 ‘’
+0x005 MinorFunction : 0 ‘’
+0x006 OperationFlags : 0 ‘’
+0x007 Reserved : 0 ‘’
+0x008 TargetFileObject : (null)
+0x010 TargetInstance : (null)
+0x018 Parameters : _FLT_PARAMETERS

kd> !irql
Debugger saved IRQL for processor 0x0 – 0 (LOW_LEVEL)
kd> g
Access violation - code c0000005 (!!! second chance !!!)
fltMgr!FltGetFileNameInformation+0xa0:
fffffadf`e59a5ae0 48837f1800 cmp qword ptr [rdi+18h],0
kd> gn

*** Fatal System Error: 0x0000001e
(0xFFFFFFFFC0000005,0xFFFFFADFE59A5AE0,0x0000000000000000,0x0000000000000018)

Break instruction exception - code 80000003 (first chance)

A fatal system error has occurred.
Debugger entered on first try; Bugcheck callbacks have not been invoked.

A fatal system error has occurred.

Connected to Windows Server 2003 3790 x64 target, ptr64 TRUE
Loading Kernel Symbols

Loading User Symbols

Loading unloaded module list

Loading Wow64 Symbols

*******************************************************************************
*
*
* Bugcheck Analysis
*
*
*
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 1E, {ffffffffc0000005, fffffadfe59a5ae0, 0, 18}

*** ERROR: Symbol file could not be found. Defaulted to export symbols for
win32k.sys -
Probably caused by : rspmmfs64.sys ( rspmmfs64!LogFS+3e )

Followup: MachineOwner

nt!RtlpBreakWithStatusInstruction:
fffff800`0103a240 cc int 3
kd> !analyze -v
*******************************************************************************
*
*
* Bugcheck Analysis
*
*
*
*******************************************************************************

KMODE_EXCEPTION_NOT_HANDLED (1e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Arguments:
Arg1: ffffffffc0000005, The exception code that was not handled
Arg2: fffffadfe59a5ae0, The address that the exception occurred at
Arg3: 0000000000000000, Parameter 0 of the exception
Arg4: 0000000000000018, Parameter 1 of the exception

Debugging Details:

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at “0x%08lx”
referenced memory at “0x%08lx”. The memory could not be “%s”.

FAULTING_IP:
fltMgr!FltGetFileNameInformation+a0
fffffadf`e59a5ae0 48837f1800 cmp qword ptr [rdi+18h],0

EXCEPTION_PARAMETER1: 0000000000000000

EXCEPTION_PARAMETER2: 0000000000000018

READ_ADDRESS: 0000000000000018

DEFAULT_BUCKET_ID: DRIVER_FAULT

BUGCHECK_STR: 0x1E

PROCESS_NAME: mm.exe

CURRENT_IRQL: 2

EXCEPTION_RECORD: fffffadfe22c05f0 – (.exr fffffadfe22c05f0)
ExceptionAddress: fffffadfe59a5ae0
(fltMgr!FltGetFileNameInformation+0x00000000000000a0)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 0000000000000000
Parameter[1]: 0000000000000018
Attempt to read from address 0000000000000018

TRAP_FRAME: fffffadfe22c0680 – (.trap fffffadfe22c0680)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed.
rax=0000000000000000 rbx=0000000000000000 rcx=fffffadfe90cb740
rdx=0000000000000102 rsi=0000000000000000 rdi=0000000000000000
rip=fffffadfe59a5ae0 rsp=fffffadfe22c0810 rbp=0000000000000003
r8=fffffadfe22c0910 r9=0000000000000000 r10=fffffadfe9106048
r11=0000000000000000 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei pl zr na po nc
fltMgr!FltGetFileNameInformation+0xa0:
fffffadfe59a5ae0 48837f1800 cmp qword ptr [rdi+18h],0 ds:0000000000000018=???
Resetting default scope

LAST_CONTROL_TRANSFER: from fffff800010d72be to fffff8000103a240

STACK_TEXT:
fffffadfe22bf818 fffff800010d72be : ffffffffc0000005 0000000000000000
000000000000001e fffff80001059abe : nt!RtlpBreakWithStatusInstruction
fffffadfe22bf820 fffff800010d8a4d : fffff80000000003 000000000000001e
ffffffffc0000005 fffffadfe59a5ae0 : nt!KiBugCheckDebugBreak+0x1e
fffffadfe22bf880 fffff80001041a14 : 0000000048000000 fffffadfe22c0901
fffffadfe9106001 0000000000000000 : nt!KeBugCheck2+0x6fd
fffffadfe22bfec0 fffff8000109a361 : 000000000000001e ffffffffc0000005
fffffadfe59a5ae0 0000000000000000 : nt!KeBugCheckEx+0x104
fffffadfe22bff00 fffff8000104172f : fffffadfe22c05f0 fffff800012c955d
fffffadfe22c0680 0000000000000200 : nt!KiDispatchException+0x128
fffffadfe22c0500 fffff80001040621 : 0000000080000004 0000000000000000
fffffadfe59a5a00 0000000000000000 : nt!KiExceptionExit
fffffadfe22c0680 fffffadfe59a5ae0 : 0000000000000000 0000000000000000
0000000000000000 0000000000000000 : nt!KiPageFault+0x1e1
fffffadfe22c0810 fffffadfe240476e : fffffadfe8a47400 fffffadfe93da4a0
fffffadfe90cb640 fffffadfe90cb6e8 : fltMgr!FltGetFileNameInformation+0xa0
fffffadfe22c08b0 fffffadfe2404b07 : fffffadfe90cb6e8 fffffadfe8a19dae
fffffadfe8a19dae fffffadfe93da4a0 : rspmmfs64!LogFS+0x3e
[s:\mm\mmpsy\fs\rspmmfs.c @ 551]
fffffadfe22c0950 fffffadfe59b6e67 : fffffadfe90cb6e8 fffffadfe22c0a10
fffffadfe22c0a00 fffffadfe90cb6e8 : rspmmfs64!SpyPreOperationCallback+0xa7
[s:\mm\mmpsy\fs\rspmmfs.c @ 887]
fffffadfe22c09b0 fffffadfe59bd666 : 0000000000000000 fffffadfe93d6190
fffffadfe9307240 fffffadfe8a97650 :
fltMgr!FltpPerformPreMountCallbacks+0x2a7
fffffadfe22c0a60 fffffadfe59bdee0 : fffffadfe8a97650 000000000000000d
fffffadfe93d6040 fffffadfe93da450 : fltMgr!FltpFsControlMountVolume+0x1e6
fffffadfe22c0b20 fffff80001013628 : fffffadfe93d6040 fffffadfe93da4a0
fffffadfe93d6040 fffffadfe8a97650 : fltMgr!FltpFsControl+0x80
fffffadfe22c0b80 fffff800012b9fcf : fffffadfe22c11e0 fffffadfe90ed490
fffffadfe22c0f20 fffffadfe22c0d74 : nt!IopCheckVpbMounted+0x334
fffffadfe22c0cf0 fffff800012b345e : fffffadfe90ed490 fffffadfe90ed440
fffffadfe22c1020 0000000000000000 : nt!IopParseDevice+0x735
fffffadfe22c0ea0 fffff800012b983a : 0000000000000000 fffffadfe22c1010
0000000000000240 0000000000000000 : nt!ObpLookupObjectName+0x92c
fffffadfe22c0fb0 fffff800012c13c9 : 0000000000000000 0000000000000000
0000000000000000 0000000000000000 : nt!ObOpenObjectByName+0x180
fffffadfe22c11a0 fffff800012c1577 : fffffadfe93ce4c0 0000000000000000
0000000000000000 fffff800012b3cb6 : nt!IopCreateFile+0x62f
fffffadfe22c1330 fffff800012c3d89 : 0000000000000000 fffff80001047a0c
0000000000120100 fffff8000104f7c7 : nt!IoCreateFile+0x12f
fffffadfe22c1410 fffff80001041422 : fffffadf00000000 fffff78000000000
fffffadfe22c1580 fffffadfe22c14e4 : nt!NtCreateFile+0x69
fffffadfe22c1490 fffff80001041880 : fffffadfe59b82fe 0000000000000000
fffffadfe8697c20 0000000000f8000c : nt!KiSystemServiceCopyEnd+0x3
fffffadfe22c1698 fffffadfe59b82fe : 0000000000000000 fffffadfe8697c20
0000000000f8000c fffffa8001dedb48 : nt!KiServiceLinkage
fffffadfe22c16a0 fffffadfe59b71ad : 0000000000000000 fffffadfe86c5010
fffffadfe86c5010 0000000000000000 : fltMgr!FltpGetVolumeFromName+0xde
fffffadfe22c1870 fffffadfe59bcd21 : fffffadfe8a47400 fffffadfe89e5f40
fffffadf00000000 0000000000000001 : fltMgr!FltpAttachVolume+0x22d
fffffadfe22c1950 fffffadfe59a1ab2 : 0000000000000000 0000000000000000
00000000000000ec fffffadfe8e11d90 : fltMgr!FltpCommonDeviceControl+0x1a1
fffffadfe22c1990 fffffadfe59a27c2 : fffffadfe8e11d90 fffffadfe22c1cf0
0000000000000000 fffffadfe90a8c20 : fltMgr!FltpControlDispatch+0xe2
fffffadfe22c1a10 fffff800012cdd2f : 000000000000003e fffffadfe22c1cf0
0000000000000001 fffffadfe89e5f40 : fltMgr!FltpDispatch+0x22
fffffadfe22c1a70 fffff800012de406 : 00000000000000f0 0000000000000000
0000000000000000 0000000000000000 : nt!IopXxxControlFile+0xa4c
fffffadfe22c1b90 fffff80001041422 : fffffadfe8697c20 fffffadfe855e810
0000000000000000 0000000000000000 : nt!NtDeviceIoControlFile+0x56
fffffadfe22c1c00 0000000078b83e48 : fffffadfe22c1c70 000000000012edb8
0000000200000030 0000000078b842d9 : nt!KiSystemServiceCopyEnd+0x3
000000000012ed78 0000000078be6a5a : 000000007efdf000 0000000000000001
0000000000000000 000000007efdf000 : wow64cpu!DeviceIoctlFileFault+0x35
000000000012ee60 0000000078be5e0d : 0000000000000000 000000000012f1a0
000000000012fab0 0000000000000000 : wow64!RunCpuSimulation+0xa
000000000012ee90 0000000078ed8501 : 000000000012f700 0000000000000000
000000000012fab0 0000000000000003 : wow64!Wow64LdrpInitialize+0x2ed
000000000012f6c0 0000000078ed6416 : 0000000000000000 0000000000000000
0000000000000000 0000000000000000 : ntdll!LdrpInitializeProcess+0x17d9
000000000012f9d0 0000000078ef3925 : 0000000000000000 0000000000000000
0000000000000000 0000000000000000 : ntdll!LdrpInitialize+0x18f
000000000012fab0 0000000078d59630 : 0000000000000000 0000000000000000
0000000000000000 0000000000000000 : ntdll!KiUserApcDispatch+0x15
000000000012ffa8 0000000000000000 : 0000000000000000 0000000000000000
0000000000000000 0000000000000000 : 0x78d59630
000000000012ffb0 0000000000000000 : 0000000000000000 0000000000000000
0000000000000000 0000000000000000 : 0x0
000000000012ffb8 0000000000000000 : 0000000000000000 0000000000000000
0000000000000000 0000000000000000 : 0x0
000000000012ffc0 0000000000000000 : 0000000000000000 0000000000000000
0000000000000000 0000000000000000 : 0x0
000000000012ffc8 0000000000000000 : 0000000000000000 0000000000000000
0000000000000000 0000000000000000 : 0x0
000000000012ffd0 0000000000000000 : 0000000000000000 0000000000000000
0000000000000000 0000000000000000 : 0x0
000000000012ffd8 0000000000000000 : 0000000000000000 0000000000000000
0000000000000000 0000000000000000 : 0x0
000000000012ffe0 0000000000000000 : 0000000000000000 0000000000000000
0000000000000000 0000002078746341 : 0x0
000000000012ffe8 0000000000000000 : 0000000000000000 0000000000000000
0000002078746341 0000537000000001 : 0x0
000000000012fff0 0000000000000000 : 0000000000000000 0000002078746341
0000537000000001 0000000000000124 : 0x0
000000000012fff8 0000000000000000 : 0000002078746341 0000537000000001
0000000000000124 0000000000000020 : 0x0
0000000000130000 0000002078746341 : 0000537000000001 0000000000000124
0000000000000020 0000000100000014 : 0x0
0000000000130008 0000537000000001 : 0000000000000124 0000000000000020
0000000100000014 000000340000000a : 0x2078746341
0000000000130010 0000000000000124 : 0000000000000020 0000000100000014
000000340000000a 00000001000001b4 : 0x537000000001
0000000000130018 0000000000000020 : 0000000100000014 000000340000000a
00000001000001b4 0000000000000000 : 0x124
0000000000130020 0000000100000014 : 000000340000000a 00000001000001b4
0000000000000000 0000000000000000 : 0x20
0000000000130028 000000340000000a : 00000001000001b4 0000000000000000
0000000000000000 0000000200000000 : 0x100000014
0000000000130030 00000001000001b4 : 0000000000000000 0000000000000000
0000000200000000 0000000000000000 : 0x340000000a
0000000000130038 0000000000000000 : 0000000000000000 0000000200000000
0000000000000000 0000031400000000 : 0x1000001b4
0000000000130040 0000000000000000 : 0000000200000000 0000000000000000
0000031400000000 000000000000019c : 0x0
0000000000130048 0000000200000000 : 0000000000000000 0000031400000000
000000000000019c 000004b02d59495b : 0x0
0000000000130050 0000000000000000 : 0000031400000000 000000000000019c
000004b02d59495b 000004e400000032 : 0x200000000
0000000000130058 0000031400000000 : 000000000000019c 000004b02d59495b
000004e400000032 00000000000002d2 : 0x0
0000000000130060 000000000000019c : 000004b02d59495b 000004e400000032
00000000000002d2 000007b8f33271ba : 0x31400000000
0000000000130068 000004b02d59495b : 000004e400000032 00000000000002d2
000007b8f33271ba 000008040000004a : 0x19c
0000000000130070 000004e400000032 : 00000000000002d2 000007b8f33271ba
000008040000004a 000000000000031a : 0x4b02d59495b
0000000000130078 00000000000002d2 : 000007b8f33271ba 000008040000004a
000000000000031a 00000b2032ceeacd : 0x4e400000032
0000000000130080 000007b8f33271ba : 000008040000004a 000000000000031a
00000b2032ceeacd 00000b6400000042 : 0x2d2
0000000000130088 000008040000004a : 000000000000031a 00000b2032ceeacd
00000b6400000042 0000000000000308 : 0x7b8f33271ba
0000000000130090 000000000000031a : 00000b2032ceeacd 00000b6400000042
0000000000000308 00000e6ce23ce879 : 0x8040000004a
0000000000130098 00000b2032ceeacd : 00000b6400000042 0000000000000308
00000e6ce23ce879 00000ea000000032 : 0x31a
00000000001300a0 00000b6400000042 : 0000000000000308 00000e6ce23ce879
00000ea000000032 00000000000002d2 : 0xb2032ceeacd
00000000001300a8 0000000000000308 : 00000e6ce23ce879 00000ea000000032
00000000000002d2 00001174830202e4 : 0xb6400000042
00000000001300b0 00000e6ce23ce879 : 00000ea000000032 00000000000002d2
00001174830202e4 000011bc00000046 : 0x308
00000000001300b8 00000ea000000032 : 00000000000002d2 00001174830202e4
000011bc00000046 00000000000002fc : 0xe6ce23ce879
00000000001300c0 00000000000002d2 : 00001174830202e4 000011bc00000046
00000000000002fc 000014b8d18cd5d2 : 0xea000000032
00000000001300c8 00001174830202e4 : 000011bc00000046 00000000000002fc
000014b8d18cd5d2 0000150000000046 : 0x2d2
00000000001300d0 000011bc00000046 : 00000000000002fc 000014b8d18cd5d2
0000150000000046 00000000000002fc : 0x1174830202e4
00000000001300d8 00000000000002fc : 000014b8d18cd5d2 0000150000000046
00000000000002fc 000017fc38505fc8 : 0x11bc`00000046

STACK_COMMAND: kb

FOLLOWUP_IP:
rspmmfs64!LogFS+3e [s:\mm\mmpsy\fs\rspmmfs.c @ 551]
fffffadf`e240476e 85c0 test eax,eax

FAULTING_SOURCE_CODE:
547:
548: if (!Data) return;
549:
550:

551: if (!NT_SUCCESS(FltGetFileNameInformation( Data,
FLT_FILE_NAME_OPENED | FLT_FILE_NAME_QUERY_DEFAULT, &nameInfo )))
552: {
553: return;
554: }
555:
556:

SYMBOL_STACK_INDEX: 8

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: rspmmfs64

IMAGE_NAME: rspmmfs64.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 456aed7f

SYMBOL_NAME: rspmmfs64!LogFS+3e

FAILURE_BUCKET_ID: X64_0x1E_rspmmfs64!LogFS+3e

BUCKET_ID: X64_0x1E_rspmmfs64!LogFS+3e

Followup: MachineOwner

“frank” wrote in message news:xxxxx@ntfsd…
> Daniel, provide a bit more information:
>
> Which fields of CALLBACK_DATA do you access? What is happening in line 691?
> Post the output of “analyze -v”.
>
> The pointer to CALLBACK_DATA seems to be ok. Perhaps you are at raised
> IRQL during access.
>
> By the way: why do you find the “Data”-parameter to be bogus?
>
>
>
>
> "Daniel Terhell" wrote in message
> news:xxxxx@ntfsd…
>> Forgive me for posting this basic question, the answer is probably
>> something simple. I got a minifilter which is working fine except when I
>> call FilterAttach from my application it causes the preoperation callback
>> to be called and accessing the fields in the Data parameter then cause
>> access violations. The question is how can I detect this inside my
>> preoperation callback (since the Data parameter is bogus) or better how
>> can I prevent this from getting called ? My filter does not register an
>> InstanceSetupCallback.
>>
>> Here is the stack (running on Windows Xp x64 edition):
>>
>> kd> kp
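
Reading the two dumps together: the callback is reached from fltMgr!FltpPerformPreMountCallbacks (FilterAttach has fltMgr open the volume by name, IopCheckVpbMounted triggers the mount, and the pre-mount callbacks run), the `??Data->Iopb` output shows TargetFileObject and TargetInstance both NULL, and the trap frame has rdi = 0 with the faulting read at address 0x18, which is consistent with FltGetFileNameInformation dereferencing a NULL pointer at offset 0x18. FltGetFileNameInformation needs a file object and an instance, and a volume that is still being mounted has neither. The block below is an added example, not code from the rspmmfs64 driver or from anyone in the thread: a user-mode harness that puts the missing guard in front of the name lookup. The struct definitions are cut-down stand-ins carrying only the fields the guard reads (they are not the WDK layouts) so the logic compiles without fltKernel.h; the IRP codes and the two FLT_PREOP_CALLBACK_STATUS values are the real ones. CanQueryFileName, NAME_VERDICT, the LogFS stub, RunScenario and the Scenario* functions are my names, and tagging the mount path as IRP_MJ_FILE_SYSTEM_CONTROL with IRP_MN_MOUNT_VOLUME or IRP_MN_LOAD_FILE_SYSTEM is an assumption about how fltMgr labels that callback data; the dump in the thread reports MajorFunction 0, which is why the NULL checks, not the major-function check, are the ones that actually catch it.

```c
/* Added example (not the poster's driver): guard a minifilter pre-operation
 * callback before it calls FltGetFileNameInformation. The structs below are
 * stand-ins with only the fields the guard reads, NOT the real WDK layouts;
 * in a driver, include fltKernel.h and delete them. */
#include <stddef.h>
#include <stdio.h>

/* Real IRP codes (wdm.h / ntifs.h). */
#define IRP_MJ_CREATE              0x00
#define IRP_MJ_FILE_SYSTEM_CONTROL 0x0D
#define IRP_MN_MOUNT_VOLUME        0x01
#define IRP_MN_LOAD_FILE_SYSTEM    0x03

/* First two members of the real FLT_PREOP_CALLBACK_STATUS enum (fltKernel.h). */
typedef enum {
    FLT_PREOP_SUCCESS_WITH_CALLBACK = 0,
    FLT_PREOP_SUCCESS_NO_CALLBACK   = 1
} FLT_PREOP_CALLBACK_STATUS;

typedef struct {
    unsigned char MajorFunction;
    unsigned char MinorFunction;
    void *TargetFileObject;
    void *TargetInstance;
} FLT_IO_PARAMETER_BLOCK;
typedef struct { FLT_IO_PARAMETER_BLOCK *Iopb; } FLT_CALLBACK_DATA;
typedef struct { void *Volume; void *Instance; void *FileObject; } FLT_RELATED_OBJECTS;

typedef enum {
    NAME_OK = 0,
    NAME_SKIP_NO_IOPB,
    NAME_SKIP_MOUNT_PATH,      /* mount / load-file-system: no file, no instance yet */
    NAME_SKIP_NO_FILE_OBJECT,
    NAME_SKIP_NO_INSTANCE
} NAME_VERDICT;

/* Guard: FltGetFileNameInformation needs a file object and an instance. In the
 * posted crash the callback came from FltpPerformPreMountCallbacks with both
 * NULL, and the trap frame (rdi = 0, read at 0x18) matches that NULL being used. */
NAME_VERDICT CanQueryFileName(const FLT_CALLBACK_DATA *Data,
                              const FLT_RELATED_OBJECTS *FltObjects)
{
    if (Data == NULL || Data->Iopb == NULL)
        return NAME_SKIP_NO_IOPB;
    const FLT_IO_PARAMETER_BLOCK *iopb = Data->Iopb;
    /* Assumption: the mount path is tagged FSCTL + MOUNT_VOLUME / LOAD_FILE_SYSTEM. */
    if (iopb->MajorFunction == IRP_MJ_FILE_SYSTEM_CONTROL &&
        (iopb->MinorFunction == IRP_MN_MOUNT_VOLUME ||
         iopb->MinorFunction == IRP_MN_LOAD_FILE_SYSTEM))
        return NAME_SKIP_MOUNT_PATH;
    /* These two checks catch it however the operation is tagged. */
    if (iopb->TargetFileObject == NULL || (FltObjects != NULL && FltObjects->FileObject == NULL))
        return NAME_SKIP_NO_FILE_OBJECT;
    if (iopb->TargetInstance == NULL || (FltObjects != NULL && FltObjects->Instance == NULL))
        return NAME_SKIP_NO_INSTANCE;
    return NAME_OK;
}

static int g_nameLookups;   /* how many times the stand-in name lookup actually ran */

/* Stand-in for the post's LogFS helper; in the driver this is where
 * FltGetFileNameInformation / FltParseFileNameInformation / FltReleaseFileNameInformation go. */
static void LogFS(const FLT_CALLBACK_DATA *Data)
{
    (void)Data;
    g_nameLookups++;
}

/* Pre-operation callback with the guard in front of the name lookup. Every path
 * returns a FLT_PREOP_CALLBACK_STATUS, which fltMgr requires. */
FLT_PREOP_CALLBACK_STATUS SpyPreOperationCallback(FLT_CALLBACK_DATA *Data,
                                                  const FLT_RELATED_OBJECTS *FltObjects,
                                                  void **CompletionContext)
{
    *CompletionContext = NULL;
    if (CanQueryFileName(Data, FltObjects) == NAME_OK)
        LogFS(Data);
    return FLT_PREOP_SUCCESS_NO_CALLBACK;
}

/* Constructed callback data (not captured from a machine). */
NAME_VERDICT RunScenario(unsigned char major, unsigned char minor, void *fileObject, void *instance)
{
    int volume;                                   /* any address serves as the stand-in volume */
    FLT_IO_PARAMETER_BLOCK iopb = { major, minor, fileObject, instance };
    FLT_CALLBACK_DATA data = { &iopb };
    FLT_RELATED_OBJECTS objs = { &volume, instance, fileObject };
    void *ctx = NULL;
    SpyPreOperationCallback(&data, &objs, &ctx);
    return CanQueryFileName(&data, &objs);
}

/* 1: a volume mount as the pre-mount path is assumed to tag it. */
NAME_VERDICT ScenarioMount(void)    { return RunScenario(IRP_MJ_FILE_SYSTEM_CONTROL, IRP_MN_MOUNT_VOLUME, NULL, NULL); }
/* 2: exactly what the thread's ??Data->Iopb dump shows: MajorFunction 0, both targets NULL. */
NAME_VERDICT ScenarioAsDumped(void) { return RunScenario(0, 0, NULL, NULL); }
/* 3: an ordinary IRP_MJ_CREATE with a file object and an instance. */
NAME_VERDICT ScenarioCreate(void)   { static int fo, inst; return RunScenario(IRP_MJ_CREATE, 0, &fo, &inst); }

int NameLookupsSoFar(void) { return g_nameLookups; }

int main(void)
{
    NAME_VERDICT v1 = ScenarioMount();    int n1 = NameLookupsSoFar();
    NAME_VERDICT v2 = ScenarioAsDumped(); int n2 = NameLookupsSoFar();
    NAME_VERDICT v3 = ScenarioCreate();   int n3 = NameLookupsSoFar();
    printf("mount -> %d (lookups %d), as dumped -> %d (lookups %d), create -> %d (lookups %d)\n",
           v1, n1, v2, n2, v3, n3);
    return 0;
}
```

In the driver the same check is `FltObjects->FileObject != NULL && FltObjects->Instance != NULL` before any name query; the other half of the fix for "how can I prevent this from getting called" is to not register the generic logging callback for IRP_MJ_FILE_SYSTEM_CONTROL (or for the volume-mount operation) unless the filter really wants to see mounts, and to give that operation its own callback if it does. Note also that the `return;` statements at lines 548 and 553 of the posted source are inside the LogFS helper, one frame below SpyPreOperationCallback in the stack, so they are fine as long as SpyPreOperationCallback itself returns a FLT_PREOP_CALLBACK_STATUS on every path.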

I'm exhausted/brain dead here as always… Those return statements look
odd… You're not returning anything…
Fltmgr is expecting something…

This is in pre-create right?

Windbg fibs sometimes… I’ve often seen it several lines off, even
with correct symbols. Still pretty accurate though.

Try returning something like FLT_PREOP_SUCCESS_WITH_CALLBACK or
whatever… Give it some food…

guessing…

m.

Daniel Terhell wrote:

Thanks for your response. This is running at PASSIVE_LEVEL, it is a pre
operation callback and it is not supposed to be called at higher IRQL
according to the new WDK documentation. Also, I am using the PAGED_CODE in
this path to be sure of lower IRQL. The bugcheck shows an IRQL of 2 but this
is the responsability of FltGetFileNameInformation.

I put a breakpoint on line 551, just before the exception occurs. Accessing
the members of Data in the debugger sometimes gives access violations, but
not this time. The fields seem to contain arbitrary values.

Regards,

/Daniel

kd> ??Data
struct _FLT_CALLBACK_DATA * 0xfffffadfe90cb6e8 +0x000 Flags : 2 +0x008 Thread : 0xfffffadfe855e810 _KTHREAD
+0x010 Iopb : 0xfffffadfe90cb740 _FLT_IO_PARAMETER_BLOCK +0x018 IoStatus : _IO_STATUS_BLOCK +0x028 TagData : (null) +0x030 QueueLinks : _LIST_ENTRY [0x0000000000000000 - 0x0]
+0x040 QueueContext : [2] (null)
+0x030 FilterContext : [4] (null)
+0x050 RequestorMode : 0 ‘’
kd> ??Data->Iopb
struct _FLT_IO_PARAMETER_BLOCK * 0xfffffadf`e90cb740
+0x000 IrpFlags : 0
+0x004 MajorFunction : 0 ‘’
+0x005 MinorFunction : 0 ‘’
+0x006 OperationFlags : 0 ‘’
+0x007 Reserved : 0 ‘’
+0x008 TargetFileObject : (null)
+0x010 TargetInstance : (null)
+0x018 Parameters : _FLT_PARAMETERS

kd> !irql
Debugger saved IRQL for processor 0x0 – 0 (LOW_LEVEL)
kd> g
Access violation - code c0000005 (!!! second chance !!!)
fltMgr!FltGetFileNameInformation+0xa0:
fffffadf`e59a5ae0 48837f1800 cmp qword ptr [rdi+18h],0
kd> gn

*** Fatal System Error: 0x0000001e
(0xFFFFFFFFC0000005,0xFFFFFADFE59A5AE0,0x0000000000000000,0x0000000000000018)

Break instruction exception - code 80000003 (first chance)

A fatal system error has occurred.
Debugger entered on first try; Bugcheck callbacks have not been invoked.

A fatal system error has occurred.

Connected to Windows Server 2003 3790 x64 target, ptr64 TRUE
Loading Kernel Symbols

Loading User Symbols

Loading unloaded module list

Loading Wow64 Symbols

*******************************************************************************
*
*
* Bugcheck Analysis
*
*
*
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 1E, {ffffffffc0000005, fffffadfe59a5ae0, 0, 18}

*** ERROR: Symbol file could not be found. Defaulted to export symbols for
win32k.sys -
Probably caused by : rspmmfs64.sys ( rspmmfs64!LogFS+3e )

Followup: MachineOwner

nt!RtlpBreakWithStatusInstruction:
fffff800`0103a240 cc int 3
kd> !analyze -v
*******************************************************************************
*
*
* Bugcheck Analysis
*
*
*
*******************************************************************************

KMODE_EXCEPTION_NOT_HANDLED (1e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Arguments:
Arg1: ffffffffc0000005, The exception code that was not handled
Arg2: fffffadfe59a5ae0, The address that the exception occurred at
Arg3: 0000000000000000, Parameter 0 of the exception
Arg4: 0000000000000018, Parameter 1 of the exception

Debugging Details:

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at “0x%08lx”
referenced memory at “0x%08lx”. The memory could not be “%s”.

FAULTING_IP:
fltMgr!FltGetFileNameInformation+a0
fffffadf`e59a5ae0 48837f1800 cmp qword ptr [rdi+18h],0

EXCEPTION_PARAMETER1: 0000000000000000

EXCEPTION_PARAMETER2: 0000000000000018

READ_ADDRESS: 0000000000000018

DEFAULT_BUCKET_ID: DRIVER_FAULT

BUGCHECK_STR: 0x1E

PROCESS_NAME: mm.exe

CURRENT_IRQL: 2

EXCEPTION_RECORD: fffffadfe22c05f0 – (.exr fffffadfe22c05f0)
ExceptionAddress: fffffadfe59a5ae0
(fltMgr!FltGetFileNameInformation+0x00000000000000a0)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 0000000000000000
Parameter[1]: 0000000000000018
Attempt to read from address 0000000000000018

TRAP_FRAME: fffffadfe22c0680 – (.trap fffffadfe22c0680)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed.
rax=0000000000000000 rbx=0000000000000000 rcx=fffffadfe90cb740
rdx=0000000000000102 rsi=0000000000000000 rdi=0000000000000000
rip=fffffadfe59a5ae0 rsp=fffffadfe22c0810 rbp=0000000000000003
r8=fffffadfe22c0910 r9=0000000000000000 r10=fffffadfe9106048
r11=0000000000000000 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei pl zr na po nc
fltMgr!FltGetFileNameInformation+0xa0:
fffffadfe59a5ae0 48837f1800 cmp qword ptr [rdi+18h],0 ds:0000000000000018=???
Resetting default scope

LAST_CONTROL_TRANSFER: from fffff800010d72be to fffff8000103a240

STACK_TEXT:
fffffadfe22bf818 fffff800010d72be : ffffffffc0000005 0000000000000000
000000000000001e fffff80001059abe : nt!RtlpBreakWithStatusInstruction
fffffadfe22bf820 fffff800010d8a4d : fffff80000000003 000000000000001e
ffffffffc0000005 fffffadfe59a5ae0 : nt!KiBugCheckDebugBreak+0x1e
fffffadfe22bf880 fffff80001041a14 : 0000000048000000 fffffadfe22c0901
fffffadfe9106001 0000000000000000 : nt!KeBugCheck2+0x6fd
fffffadfe22bfec0 fffff8000109a361 : 000000000000001e ffffffffc0000005
fffffadfe59a5ae0 0000000000000000 : nt!KeBugCheckEx+0x104
fffffadfe22bff00 fffff8000104172f : fffffadfe22c05f0 fffff800012c955d
fffffadfe22c0680 0000000000000200 : nt!KiDispatchException+0x128
fffffadfe22c0500 fffff80001040621 : 0000000080000004 0000000000000000
fffffadfe59a5a00 0000000000000000 : nt!KiExceptionExit
fffffadfe22c0680 fffffadfe59a5ae0 : 0000000000000000 0000000000000000
0000000000000000 0000000000000000 : nt!KiPageFault+0x1e1
fffffadfe22c0810 fffffadfe240476e : fffffadfe8a47400 fffffadfe93da4a0
fffffadfe90cb640 fffffadfe90cb6e8 : fltMgr!FltGetFileNameInformation+0xa0
fffffadfe22c08b0 fffffadfe2404b07 : fffffadfe90cb6e8 fffffadfe8a19dae
fffffadfe8a19dae fffffadfe93da4a0 : rspmmfs64!LogFS+0x3e
[s:\mm\mmpsy\fs\rspmmfs.c @ 551]
fffffadfe22c0950 fffffadfe59b6e67 : fffffadfe90cb6e8 fffffadfe22c0a10
fffffadfe22c0a00 fffffadfe90cb6e8 : rspmmfs64!SpyPreOperationCallback+0xa7
[s:\mm\mmpsy\fs\rspmmfs.c @ 887]
fffffadfe22c09b0 fffffadfe59bd666 : 0000000000000000 fffffadfe93d6190
fffffadfe9307240 fffffadfe8a97650 :
fltMgr!FltpPerformPreMountCallbacks+0x2a7
fffffadfe22c0a60 fffffadfe59bdee0 : fffffadfe8a97650 000000000000000d
fffffadfe93d6040 fffffadfe93da450 : fltMgr!FltpFsControlMountVolume+0x1e6
fffffadfe22c0b20 fffff80001013628 : fffffadfe93d6040 fffffadfe93da4a0
fffffadfe93d6040 fffffadfe8a97650 : fltMgr!FltpFsControl+0x80
fffffadfe22c0b80 fffff800012b9fcf : fffffadfe22c11e0 fffffadfe90ed490
fffffadfe22c0f20 fffffadfe22c0d74 : nt!IopCheckVpbMounted+0x334
fffffadfe22c0cf0 fffff800012b345e : fffffadfe90ed490 fffffadfe90ed440
fffffadfe22c1020 0000000000000000 : nt!IopParseDevice+0x735
fffffadfe22c0ea0 fffff800012b983a : 0000000000000000 fffffadfe22c1010
0000000000000240 0000000000000000 : nt!ObpLookupObjectName+0x92c
fffffadfe22c0fb0 fffff800012c13c9 : 0000000000000000 0000000000000000
0000000000000000 0000000000000000 : nt!ObOpenObjectByName+0x180
fffffadfe22c11a0 fffff800012c1577 : fffffadfe93ce4c0 0000000000000000
0000000000000000 fffff800012b3cb6 : nt!IopCreateFile+0x62f
fffffadfe22c1330 fffff800012c3d89 : 0000000000000000 fffff80001047a0c
0000000000120100 fffff8000104f7c7 : nt!IoCreateFile+0x12f
fffffadfe22c1410 fffff80001041422 : fffffadf00000000 fffff78000000000
fffffadfe22c1580 fffffadfe22c14e4 : nt!NtCreateFile+0x69
fffffadfe22c1490 fffff80001041880 : fffffadfe59b82fe 0000000000000000
fffffadfe8697c20 0000000000f8000c : nt!KiSystemServiceCopyEnd+0x3
fffffadfe22c1698 fffffadfe59b82fe : 0000000000000000 fffffadfe8697c20
0000000000f8000c fffffa8001dedb48 : nt!KiServiceLinkage
fffffadfe22c16a0 fffffadfe59b71ad : 0000000000000000 fffffadfe86c5010
fffffadfe86c5010 0000000000000000 : fltMgr!FltpGetVolumeFromName+0xde
fffffadfe22c1870 fffffadfe59bcd21 : fffffadfe8a47400 fffffadfe89e5f40
fffffadf00000000 0000000000000001 : fltMgr!FltpAttachVolume+0x22d
fffffadfe22c1950 fffffadfe59a1ab2 : 0000000000000000 0000000000000000
00000000000000ec fffffadfe8e11d90 : fltMgr!FltpCommonDeviceControl+0x1a1
fffffadfe22c1990 fffffadfe59a27c2 : fffffadfe8e11d90 fffffadfe22c1cf0
0000000000000000 fffffadfe90a8c20 : fltMgr!FltpControlDispatch+0xe2
fffffadfe22c1a10 fffff800012cdd2f : 000000000000003e fffffadfe22c1cf0
0000000000000001 fffffadfe89e5f40 : fltMgr!FltpDispatch+0x22
fffffadfe22c1a70 fffff800012de406 : 00000000000000f0 0000000000000000
0000000000000000 0000000000000000 : nt!IopXxxControlFile+0xa4c
fffffadfe22c1b90 fffff80001041422 : fffffadfe8697c20 fffffadfe855e810
0000000000000000 0000000000000000 : nt!NtDeviceIoControlFile+0x56
fffffadfe22c1c00 0000000078b83e48 : fffffadfe22c1c70 000000000012edb8
0000000200000030 0000000078b842d9 : nt!KiSystemServiceCopyEnd+0x3
000000000012ed78 0000000078be6a5a : 000000007efdf000 0000000000000001
0000000000000000 000000007efdf000 : wow64cpu!DeviceIoctlFileFault+0x35
000000000012ee60 0000000078be5e0d : 0000000000000000 000000000012f1a0
000000000012fab0 0000000000000000 : wow64!RunCpuSimulation+0xa
000000000012ee90 0000000078ed8501 : 000000000012f700 0000000000000000
000000000012fab0 0000000000000003 : wow64!Wow64LdrpInitialize+0x2ed
000000000012f6c0 0000000078ed6416 : 0000000000000000 0000000000000000
0000000000000000 0000000000000000 : ntdll!LdrpInitializeProcess+0x17d9
000000000012f9d0 0000000078ef3925 : 0000000000000000 0000000000000000
0000000000000000 0000000000000000 : ntdll!LdrpInitialize+0x18f
000000000012fab0 0000000078d59630 : 0000000000000000 0000000000000000
0000000000000000 0000000000000000 : ntdll!KiUserApcDispatch+0x15
000000000012ffa8 0000000000000000 : 0000000000000000 0000000000000000
0000000000000000 0000000000000000 : 0x78d59630
000000000012ffb0 0000000000000000 : 0000000000000000 0000000000000000
0000000000000000 0000000000000000 : 0x0
000000000012ffb8 0000000000000000 : 0000000000000000 0000000000000000
0000000000000000 0000000000000000 : 0x0
000000000012ffc0 0000000000000000 : 0000000000000000 0000000000000000
0000000000000000 0000000000000000 : 0x0
000000000012ffc8 0000000000000000 : 0000000000000000 0000000000000000
0000000000000000 0000000000000000 : 0x0
000000000012ffd0 0000000000000000 : 0000000000000000 0000000000000000
0000000000000000 0000000000000000 : 0x0
000000000012ffd8 0000000000000000 : 0000000000000000 0000000000000000
0000000000000000 0000000000000000 : 0x0
000000000012ffe0 0000000000000000 : 0000000000000000 0000000000000000
0000000000000000 0000002078746341 : 0x0
000000000012ffe8 0000000000000000 : 0000000000000000 0000000000000000
0000002078746341 0000537000000001 : 0x0
000000000012fff0 0000000000000000 : 0000000000000000 0000002078746341
0000537000000001 0000000000000124 : 0x0
000000000012fff8 0000000000000000 : 0000002078746341 0000537000000001
0000000000000124 0000000000000020 : 0x0
0000000000130000 0000002078746341 : 0000537000000001 0000000000000124
0000000000000020 0000000100000014 : 0x0
0000000000130008 0000537000000001 : 0000000000000124 0000000000000020
0000000100000014 000000340000000a : 0x2078746341
0000000000130010 0000000000000124 : 0000000000000020 0000000100000014
000000340000000a 00000001000001b4 : 0x537000000001
0000000000130018 0000000000000020 : 0000000100000014 000000340000000a
00000001000001b4 0000000000000000 : 0x124
0000000000130020 0000000100000014 : 000000340000000a 00000001000001b4
0000000000000000 0000000000000000 : 0x20
0000000000130028 000000340000000a : 00000001000001b4 0000000000000000
0000000000000000 0000000200000000 : 0x100000014
0000000000130030 00000001000001b4 : 0000000000000000 0000000000000000
0000000200000000 0000000000000000 : 0x340000000a
0000000000130038 0000000000000000 : 0000000000000000 0000000200000000
0000000000000000 0000031400000000 : 0x1000001b4
0000000000130040 0000000000000000 : 0000000200000000 0000000000000000
0000031400000000 000000000000019c : 0x0
0000000000130048 0000000200000000 : 0000000000000000 0000031400000000
000000000000019c 000004b02d59495b : 0x0
0000000000130050 0000000000000000 : 0000031400000000 000000000000019c
000004b02d59495b 000004e400000032 : 0x200000000
0000000000130058 0000031400000000 : 000000000000019c 000004b02d59495b
000004e400000032 00000000000002d2 : 0x0
0000000000130060 000000000000019c : 000004b02d59495b 000004e400000032
00000000000002d2 000007b8f33271ba : 0x31400000000
0000000000130068 000004b02d59495b : 000004e400000032 00000000000002d2
000007b8f33271ba 000008040000004a : 0x19c
0000000000130070 000004e400000032 : 00000000000002d2 000007b8f33271ba
000008040000004a 000000000000031a : 0x4b02d59495b
0000000000130078 00000000000002d2 : 000007b8f33271ba 000008040000004a
000000000000031a 00000b2032ceeacd : 0x4e400000032
0000000000130080 000007b8f33271ba : 000008040000004a 000000000000031a
00000b2032ceeacd 00000b6400000042 : 0x2d2
0000000000130088 000008040000004a : 000000000000031a 00000b2032ceeacd
00000b6400000042 0000000000000308 : 0x7b8f33271ba
0000000000130090 000000000000031a : 00000b2032ceeacd 00000b6400000042
0000000000000308 00000e6ce23ce879 : 0x8040000004a
0000000000130098 00000b2032ceeacd : 00000b6400000042 0000000000000308
00000e6ce23ce879 00000ea000000032 : 0x31a
00000000001300a0 00000b6400000042 : 0000000000000308 00000e6ce23ce879
00000ea000000032 00000000000002d2 : 0xb2032ceeacd
00000000001300a8 0000000000000308 : 00000e6ce23ce879 00000ea000000032
00000000000002d2 00001174830202e4 : 0xb6400000042
00000000001300b0 00000e6ce23ce879 : 00000ea000000032 00000000000002d2
00001174830202e4 000011bc00000046 : 0x308
00000000001300b8 00000ea000000032 : 00000000000002d2 00001174830202e4
000011bc00000046 00000000000002fc : 0xe6ce23ce879
00000000001300c0 00000000000002d2 : 00001174830202e4 000011bc00000046
00000000000002fc 000014b8d18cd5d2 : 0xea000000032
00000000001300c8 00001174830202e4 : 000011bc00000046 00000000000002fc
000014b8d18cd5d2 0000150000000046 : 0x2d2
00000000001300d0 000011bc00000046 : 00000000000002fc 000014b8d18cd5d2
0000150000000046 00000000000002fc : 0x1174830202e4
00000000001300d8 00000000000002fc : 000014b8d18cd5d2 0000150000000046
00000000000002fc 000017fc38505fc8 : 0x11bc`00000046

STACK_COMMAND: kb

FOLLOWUP_IP:
rspmmfs64!LogFS+3e [s:\mm\mmpsy\fs\rspmmfs.c @ 551]
fffffadf`e240476e 85c0 test eax,eax

FAULTING_SOURCE_CODE:
547:
548: if (!Data) return;
549:
550:

> 551: if (!NT_SUCCESS(FltGetFileNameInformation( Data,
> FLT_FILE_NAME_OPENED | FLT_FILE_NAME_QUERY_DEFAULT, &nameInfo )))
552: {
553: return;
554: }
555:
556:

SYMBOL_STACK_INDEX: 8

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: rspmmfs64

IMAGE_NAME: rspmmfs64.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 456aed7f

SYMBOL_NAME: rspmmfs64!LogFS+3e

FAILURE_BUCKET_ID: X64_0x1E_rspmmfs64!LogFS+3e

BUCKET_ID: X64_0x1E_rspmmfs64!LogFS+3e

Followup: MachineOwner

“frank” wrote in message news:xxxxx@ntfsd…
>
>
>>Daniel, provide a bit more information:
>>
>>Which fields of CALLBACK_DATA do you access? What is happening in line 691?
>>Post the output of “analyze -v”.
>>
>>The pointer to CALLBACK_DATA seems to be ok. Perhaps you are at raised
>>IRQL during access.
>>
>>By the way: why do you find the “Data”-parameter to be bogus?
>>
>>
>>
>>
>>“Daniel Terhell” schrieb im Newsbeitrag
>>news:xxxxx@ntfsd…
>>
>>
>>>Forgive me for posting this basic question, the answer is probably
>>>something simple. I got a minifilter which is working fine except when I
>>>call FilterAttach from my application it causes the preoperation callback
>>>to be called and accessing the fields in the Data parameter then cause
>>>access violations. The question is how can I detect this inside my
>>>preoperation callback (since the Data parameter is bogus) or better how
>>>can I prevent this from getting called ? My filter does not register an
>>>InstanceSetupCallback.
>>>
>>>Here is the stack (running on Windows Xp x64 edition):
>>>
>>>kd> kp
>>>
>>>
>
>
>
>—
>Questions? First check the IFS FAQ at https://www.osronline.com/article.cfm?id=17
>
>You are currently subscribed to ntfsd as: xxxxx@comcast.net
>To unsubscribe send a blank email to xxxxx@lists.osr.com
>
>
>

Thanks, but this is a subroutine of type void which is called by my
preoperation callback. I would like to return something in my preoperation
callback as soon as I am able to detect that the preoperation callback is
being called because I am attaching a volume to the filter. Also, it is not
clear to me why this is called at all; it is supposed to call
InstanceSetupCallback if it is registered.

/Daniel

“MM” wrote in message news:xxxxx@ntfsd…
> I’m exhausted/brain dead here as always… Those return statements look
> odd… You’re not returning anything…
> Fltmgr is expecting something…
>
> This is in pre-create right?
>
> Windbg fibs sometimes… I’ve often seen it several lines off, even with
> correct symbols. Still pretty accurate though.
>
> Try returning something like FLT_PREOP_SUCCESS_WITH_CALLBACK or
> whatever… Give it some food…
>
> guessing…
>
> m.
>
>
> Daniel Terhell wrote:
>
>>Thanks for your response. This is running at PASSIVE_LEVEL, it is a pre
>>operation callback and it is not supposed to be called at higher IRQL
>>according to the new WDK documentation. Also, I am using the PAGED_CODE in
>>this path to be sure of lower IRQL. The bugcheck shows an IRQL of 2 but
>>this is the responsibility of FltGetFileNameInformation.
>>
>>I put a breakpoint on line 551, just before the exception occurs.
>>Accessing the members of Data in the debugger sometimes gives access
>>violations, but not this time. The fields seem to contain arbitrary
>>values.
>>
>>Regards,
>>
>>/Daniel
>>
>>
>>kd> ??Data
>>struct _FLT_CALLBACK_DATA * 0xfffffadfe90cb6e8
>> +0x000 Flags : 2
>> +0x008 Thread : 0xfffffadfe855e810 _KTHREAD
>> +0x010 Iopb : 0xfffffadfe90cb740 _FLT_IO_PARAMETER_BLOCK
>> +0x018 IoStatus : _IO_STATUS_BLOCK
>> +0x028 TagData : (null)
>> +0x030 QueueLinks : _LIST_ENTRY [0x0000000000000000 - 0x0]
>> +0x040 QueueContext : [2] (null)
>> +0x030 FilterContext : [4] (null)
>> +0x050 RequestorMode : 0 ‘’
>>kd> ??Data->Iopb
>>struct _FLT_IO_PARAMETER_BLOCK * 0xfffffadfe90cb740
>> +0x000 IrpFlags : 0
>> +0x004 MajorFunction : 0 ''
>> +0x005 MinorFunction : 0 ''
>> +0x006 OperationFlags : 0 ''
>> +0x007 Reserved : 0 ''
>> +0x008 TargetFileObject : (null)
>> +0x010 TargetInstance : (null)
>> +0x018 Parameters : _FLT_PARAMETERS
>>
>>kd> !irql
>>Debugger saved IRQL for processor 0x0 -- 0 (LOW_LEVEL)
>>kd> g
>>Access violation - code c0000005 (!!! second chance !!!)
>>fltMgr!FltGetFileNameInformation+0xa0:
>>fffffadfe59a5ae0 48837f1800 cmp qword ptr [rdi+18h],0
>>kd> gn
>>
>>Fatal System Error: 0x0000001e
>>
>> (0xFFFFFFFFC0000005,0xFFFFFADFE59A5AE0,0x0000000000000000,0x0000000000000018)
>>
>>Break instruction exception - code 80000003 (first chance)
>>
>>A fatal system error has occurred.
>>Debugger entered on first try; Bugcheck callbacks have not been invoked.
>>
>>A fatal system error has occurred.
>>
>>Connected to Windows Server 2003 3790 x64 target, ptr64 TRUE
>>Loading Kernel Symbols
>>…
>>Loading User Symbols
>>…
>>Loading unloaded module list
>>…
>>Loading Wow64 Symbols
>>…
>>
>>****************************************************************************
>>* *
>>* Bugcheck Analysis *
>>* *
>>****************************************************************************
>>
>>Use !analyze -v to get detailed debugging information.
>>
>>BugCheck 1E, {ffffffffc0000005, fffffadfe59a5ae0, 0, 18}
>>
>>
>>ERROR: Symbol file could not be found. Defaulted to export symbols
>>for win32k.sys -
>>Probably caused by : rspmmfs64.sys ( rspmmfs64!LogFS+3e )
>>
>>Followup: MachineOwner
>>---------
>>
>>nt!RtlpBreakWithStatusInstruction:
>>fffff8000103a240 cc int 3
>>kd> !analyze -v
>>*******************************************************************************
>>* *
>>* Bugcheck Analysis *
>>* *
>>*******************************************************************************
>>
>>KMODE_EXCEPTION_NOT_HANDLED (1e)
>>This is a very common bugcheck. Usually the exception address pinpoints
>>the driver/function that caused the problem. Always note this address
>>as well as the link date of the driver/image that contains this address.
>>Arguments:
>>Arg1: ffffffffc0000005, The exception code that was not handled
>>Arg2: fffffadfe59a5ae0, The address that the exception occurred at
>>Arg3: 0000000000000000, Parameter 0 of the exception
>>Arg4: 0000000000000018, Parameter 1 of the exception
>>
>>Debugging Details:
>>------------------
>>
>>
>>EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx"
>>referenced memory at "0x%08lx". The memory could not be "%s".
>>
>>FAULTING_IP:
>>fltMgr!FltGetFileNameInformation+a0
>>fffffadfe59a5ae0 48837f1800 cmp qword ptr [rdi+18h],0
>>
>>EXCEPTION_PARAMETER1: 0000000000000000
>>
>>EXCEPTION_PARAMETER2: 0000000000000018
>>
>>READ_ADDRESS: 0000000000000018
>>
>>DEFAULT_BUCKET_ID: DRIVER_FAULT
>>
>>BUGCHECK_STR: 0x1E
>>
>>PROCESS_NAME: mm.exe
>>
>>CURRENT_IRQL: 2
>>
>>EXCEPTION_RECORD: fffffadfe22c05f0 – (.exr fffffadfe22c05f0)
>>ExceptionAddress: fffffadfe59a5ae0
>>(fltMgr!FltGetFileNameInformation+0x00000000000000a0)
>> ExceptionCode: c0000005 (Access violation)
>> ExceptionFlags: 00000000
>>NumberParameters: 2
>> Parameter[0]: 0000000000000000
>> Parameter[1]: 0000000000000018
>>Attempt to read from address 0000000000000018
>>
>>TRAP_FRAME: fffffadfe22c0680 – (.trap fffffadfe22c0680)
>>NOTE: The trap frame does not contain all registers.
>>Some register values may be zeroed.
>>rax=0000000000000000 rbx=0000000000000000 rcx=fffffadfe90cb740
>>rdx=0000000000000102 rsi=0000000000000000 rdi=0000000000000000
>>rip=fffffadfe59a5ae0 rsp=fffffadfe22c0810 rbp=0000000000000003
>> r8=fffffadfe22c0910 r9=0000000000000000 r10=fffffadfe9106048
>>r11=0000000000000000 r12=0000000000000000 r13=0000000000000000
>>r14=0000000000000000 r15=0000000000000000
>>iopl=0 nv up ei pl zr na po nc
>>fltMgr!FltGetFileNameInformation+0xa0:
>>fffffadfe59a5ae0 48837f1800 cmp qword ptr [rdi+18h],0
>>ds:0000000000000018=???
>>Resetting default scope
>>
>>LAST_CONTROL_TRANSFER: from fffff800010d72be to fffff8000103a240
>>
>>STACK_TEXT:
>>fffffadfe22bf818 fffff800010d72be : ffffffffc0000005 0000000000000000
>>000000000000001e fffff80001059abe : nt!RtlpBreakWithStatusInstruction
>>fffffadfe22bf820 fffff800010d8a4d : fffff80000000003 000000000000001e
>>ffffffffc0000005 fffffadfe59a5ae0 : nt!KiBugCheckDebugBreak+0x1e
>>fffffadfe22bf880 fffff80001041a14 : 0000000048000000 fffffadfe22c0901
>>fffffadfe9106001 0000000000000000 : nt!KeBugCheck2+0x6fd
>>fffffadfe22bfec0 fffff8000109a361 : 000000000000001e ffffffffc0000005
>>fffffadfe59a5ae0 0000000000000000 : nt!KeBugCheckEx+0x104
>>fffffadfe22bff00 fffff8000104172f : fffffadfe22c05f0 fffff800012c955d
>>fffffadfe22c0680 0000000000000200 : nt!KiDispatchException+0x128
>>fffffadfe22c0500 fffff80001040621 : 0000000080000004 0000000000000000
>>fffffadfe59a5a00 0000000000000000 : nt!KiExceptionExit
>>fffffadfe22c0680 fffffadfe59a5ae0 : 0000000000000000 0000000000000000
>>0000000000000000 0000000000000000 : nt!KiPageFault+0x1e1
>>fffffadfe22c0810 fffffadfe240476e : fffffadfe8a47400 fffffadfe93da4a0
>>fffffadfe90cb640 fffffadfe90cb6e8 :
>>fltMgr!FltGetFileNameInformation+0xa0
>>fffffadfe22c08b0 fffffadfe2404b07 : fffffadfe90cb6e8 fffffadfe8a19dae
>>fffffadfe8a19dae fffffadfe93da4a0 : rspmmfs64!LogFS+0x3e
>>[s:\mm\mmpsy\fs\rspmmfs.c @ 551]
>>fffffadfe22c0950 fffffadfe59b6e67 : fffffadfe90cb6e8 fffffadfe22c0a10
>>fffffadfe22c0a00 fffffadfe90cb6e8 :
>>rspmmfs64!SpyPreOperationCallback+0xa7 [s:\mm\mmpsy\fs\rspmmfs.c @ 887]
>>fffffadfe22c09b0 fffffadfe59bd666 : 0000000000000000 fffffadfe93d6190
>>fffffadfe9307240 fffffadfe8a97650 :
>>fltMgr!FltpPerformPreMountCallbacks+0x2a7
>>fffffadfe22c0a60 fffffadfe59bdee0 : fffffadfe8a97650 000000000000000d
>>fffffadfe93d6040 fffffadfe93da450 :
>>fltMgr!FltpFsControlMountVolume+0x1e6
>>fffffadfe22c0b20 fffff80001013628 : fffffadfe93d6040 fffffadfe93da4a0
>>fffffadfe93d6040 fffffadfe8a97650 : fltMgr!FltpFsControl+0x80
>>fffffadfe22c0b80 fffff800012b9fcf : fffffadfe22c11e0 fffffadfe90ed490
>>fffffadfe22c0f20 fffffadfe22c0d74 : nt!IopCheckVpbMounted+0x334
>>fffffadfe22c0cf0 fffff800012b345e : fffffadfe90ed490 fffffadfe90ed440
>>fffffadfe22c1020 0000000000000000 : nt!IopParseDevice+0x735
>>fffffadfe22c0ea0 fffff800012b983a : 0000000000000000 fffffadfe22c1010
>>0000000000000240 0000000000000000 : nt!ObpLookupObjectName+0x92c
>>fffffadfe22c0fb0 fffff800012c13c9 : 0000000000000000 0000000000000000
>>0000000000000000 0000000000000000 : nt!ObOpenObjectByName+0x180
>>fffffadfe22c11a0 fffff800012c1577 : fffffadfe93ce4c0 0000000000000000
>>0000000000000000 fffff800012b3cb6 : nt!IopCreateFile+0x62f
>>fffffadfe22c1330 fffff800012c3d89 : 0000000000000000 fffff80001047a0c
>>0000000000120100 fffff8000104f7c7 : nt!IoCreateFile+0x12f
>>fffffadfe22c1410 fffff80001041422 : fffffadf00000000 fffff78000000000
>>fffffadfe22c1580 fffffadfe22c14e4 : nt!NtCreateFile+0x69
>>fffffadfe22c1490 fffff80001041880 : fffffadfe59b82fe 0000000000000000
>>fffffadfe8697c20 0000000000f8000c : nt!KiSystemServiceCopyEnd+0x3
>>fffffadfe22c1698 fffffadfe59b82fe : 0000000000000000 fffffadfe8697c20
>>0000000000f8000c fffffa8001dedb48 : nt!KiServiceLinkage
>>fffffadfe22c16a0 fffffadfe59b71ad : 0000000000000000 fffffadfe86c5010
>>fffffadfe86c5010 0000000000000000 : fltMgr!FltpGetVolumeFromName+0xde
>>fffffadfe22c1870 fffffadfe59bcd21 : fffffadfe8a47400 fffffadfe89e5f40
>>fffffadf00000000 0000000000000001 : fltMgr!FltpAttachVolume+0x22d
>>fffffadfe22c1950 fffffadfe59a1ab2 : 0000000000000000 0000000000000000
>>00000000000000ec fffffadfe8e11d90 : fltMgr!FltpCommonDeviceControl+0x1a1
>>fffffadfe22c1990 fffffadfe59a27c2 : fffffadfe8e11d90 fffffadfe22c1cf0
>>0000000000000000 fffffadfe90a8c20 : fltMgr!FltpControlDispatch+0xe2
>>fffffadfe22c1a10 fffff800012cdd2f : 000000000000003e fffffadfe22c1cf0
>>0000000000000001 fffffadfe89e5f40 : fltMgr!FltpDispatch+0x22
>>fffffadfe22c1a70 fffff800012de406 : 00000000000000f0 0000000000000000
>>0000000000000000 0000000000000000 : nt!IopXxxControlFile+0xa4c
>>fffffadfe22c1b90 fffff80001041422 : fffffadfe8697c20 fffffadfe855e810
>>0000000000000000 0000000000000000 : nt!NtDeviceIoControlFile+0x56
>>fffffadfe22c1c00 0000000078b83e48 : fffffadfe22c1c70 000000000012edb8
>>0000000200000030 0000000078b842d9 : nt!KiSystemServiceCopyEnd+0x3
>>000000000012ed78 0000000078be6a5a : 000000007efdf000 0000000000000001
>>0000000000000000 000000007efdf000 : wow64cpu!DeviceIoctlFileFault+0x35
>>000000000012ee60 0000000078be5e0d : 0000000000000000 000000000012f1a0
>>000000000012fab0 0000000000000000 : wow64!RunCpuSimulation+0xa
>>000000000012ee90 0000000078ed8501 : 000000000012f700 0000000000000000
>>000000000012fab0 0000000000000003 : wow64!Wow64LdrpInitialize+0x2ed
>>000000000012f6c0 0000000078ed6416 : 0000000000000000 0000000000000000
>>0000000000000000 0000000000000000 : ntdll!LdrpInitializeProcess+0x17d9
>>000000000012f9d0 0000000078ef3925 : 0000000000000000 0000000000000000
>>0000000000000000 0000000000000000 : ntdll!LdrpInitialize+0x18f
>>000000000012fab0 0000000078d59630 : 0000000000000000 0000000000000000
>>0000000000000000 0000000000000000 : ntdll!KiUserApcDispatch+0x15
>>000000000012ffa8 0000000000000000 : 0000000000000000 0000000000000000
>>0000000000000000 0000000000000000 : 0x78d59630
>>000000000012ffb0 0000000000000000 : 0000000000000000 0000000000000000
>>0000000000000000 0000000000000000 : 0x0
>>000000000012ffb8 0000000000000000 : 0000000000000000 0000000000000000
>>0000000000000000 0000000000000000 : 0x0
>>000000000012ffc0 0000000000000000 : 0000000000000000 0000000000000000
>>0000000000000000 0000000000000000 : 0x0
>>000000000012ffc8 0000000000000000 : 0000000000000000 0000000000000000
>>0000000000000000 0000000000000000 : 0x0
>>000000000012ffd0 0000000000000000 : 0000000000000000 0000000000000000
>>0000000000000000 0000000000000000 : 0x0
>>000000000012ffd8 0000000000000000 : 0000000000000000 0000000000000000
>>0000000000000000 0000000000000000 : 0x0
>>000000000012ffe0 0000000000000000 : 0000000000000000 0000000000000000
>>0000000000000000 0000002078746341 : 0x0
>>000000000012ffe8 0000000000000000 : 0000000000000000 0000000000000000
>>0000002078746341 0000537000000001 : 0x0
>>000000000012fff0 0000000000000000 : 0000000000000000 0000002078746341
>>0000537000000001 0000000000000124 : 0x0
>>000000000012fff8 0000000000000000 : 0000002078746341 0000537000000001
>>0000000000000124 0000000000000020 : 0x0
>>0000000000130000 0000002078746341 : 0000537000000001 0000000000000124
>>0000000000000020 0000000100000014 : 0x0
>>0000000000130008 0000537000000001 : 0000000000000124 0000000000000020
>>0000000100000014 000000340000000a : 0x2078746341
>>0000000000130010 0000000000000124 : 0000000000000020 0000000100000014
>>000000340000000a 00000001000001b4 : 0x537000000001
>>0000000000130018 0000000000000020 : 0000000100000014 000000340000000a
>>00000001000001b4 0000000000000000 : 0x124
>>0000000000130020 0000000100000014 : 000000340000000a 00000001000001b4
>>0000000000000000 0000000000000000 : 0x20
>>0000000000130028 000000340000000a : 00000001000001b4 0000000000000000
>>0000000000000000 0000000200000000 : 0x100000014
>>0000000000130030 00000001000001b4 : 0000000000000000 0000000000000000
>>0000000200000000 0000000000000000 : 0x340000000a
>>0000000000130038 0000000000000000 : 0000000000000000 0000000200000000
>>0000000000000000 0000031400000000 : 0x1000001b4
>>0000000000130040 0000000000000000 : 0000000200000000 0000000000000000
>>0000031400000000 000000000000019c : 0x0
>>0000000000130048 0000000200000000 : 0000000000000000 0000031400000000
>>000000000000019c 000004b02d59495b : 0x0
>>0000000000130050 0000000000000000 : 0000031400000000 000000000000019c
>>000004b02d59495b 000004e400000032 : 0x200000000
>>0000000000130058 0000031400000000 : 000000000000019c 000004b02d59495b
>>000004e400000032 00000000000002d2 : 0x0
>>0000000000130060 000000000000019c : 000004b02d59495b 000004e400000032
>>00000000000002d2 000007b8f33271ba : 0x31400000000
>>0000000000130068 000004b02d59495b : 000004e400000032 00000000000002d2
>>000007b8f33271ba 000008040000004a : 0x19c
>>0000000000130070 000004e400000032 : 00000000000002d2 000007b8f33271ba
>>000008040000004a 000000000000031a : 0x4b02d59495b
>>0000000000130078 00000000000002d2 : 000007b8f33271ba 000008040000004a
>>000000000000031a 00000b2032ceeacd : 0x4e400000032
>>0000000000130080 000007b8f33271ba : 000008040000004a 000000000000031a
>>00000b2032ceeacd 00000b6400000042 : 0x2d2
>>0000000000130088 000008040000004a : 000000000000031a 00000b2032ceeacd
>>00000b6400000042 0000000000000308 : 0x7b8f33271ba
>>0000000000130090 000000000000031a : 00000b2032ceeacd 00000b6400000042
>>0000000000000308 00000e6ce23ce879 : 0x8040000004a
>>0000000000130098 00000b2032ceeacd : 00000b6400000042 0000000000000308
>>00000e6ce23ce879 00000ea000000032 : 0x31a
>>00000000001300a0 00000b6400000042 : 0000000000000308 00000e6ce23ce879
>>00000ea000000032 00000000000002d2 : 0xb2032ceeacd
>>00000000001300a8 0000000000000308 : 00000e6ce23ce879 00000ea000000032
>>00000000000002d2 00001174830202e4 : 0xb6400000042
>>00000000001300b0 00000e6ce23ce879 : 00000ea000000032 00000000000002d2
>>00001174830202e4 000011bc00000046 : 0x308
>>00000000001300b8 00000ea000000032 : 00000000000002d2 00001174830202e4
>>000011bc00000046 00000000000002fc : 0xe6ce23ce879
>>00000000001300c0 00000000000002d2 : 00001174830202e4 000011bc00000046
>>00000000000002fc 000014b8d18cd5d2 : 0xea000000032
>>00000000001300c8 00001174830202e4 : 000011bc00000046 00000000000002fc
>>000014b8d18cd5d2 0000150000000046 : 0x2d2
>>00000000001300d0 000011bc00000046 : 00000000000002fc 000014b8d18cd5d2
>>0000150000000046 00000000000002fc : 0x1174830202e4
>>00000000001300d8 00000000000002fc : 000014b8d18cd5d2 0000150000000046
>>00000000000002fc 000017fc38505fc8 : 0x11bc00000046
>>
>>
>>STACK_COMMAND: kb
>>
>>FOLLOWUP_IP:
>>rspmmfs64!LogFS+3e [s:\mm\mmpsy\fs\rspmmfs.c @ 551]
>>fffffadfe240476e 85c0 test eax,eax
>>
>>FAULTING_SOURCE_CODE:
>> 547:
>> 548: if (!Data) return;
>> 549:
>> 550:
>>
>>> 551: if (!NT_SUCCESS(FltGetFileNameInformation( Data,
>>> FLT_FILE_NAME_OPENED | FLT_FILE_NAME_QUERY_DEFAULT, &nameInfo )))
>>>
>> 552: {
>> 553: return;
>> 554: }
>> 555:
>> 556:
>>
>>
>>SYMBOL_STACK_INDEX: 8
>>
>>FOLLOWUP_NAME: MachineOwner
>>
>>MODULE_NAME: rspmmfs64
>>
>>IMAGE_NAME: rspmmfs64.sys
>>
>>DEBUG_FLR_IMAGE_TIMESTAMP: 456aed7f
>>
>>SYMBOL_NAME: rspmmfs64!LogFS+3e
>>
>>FAILURE_BUCKET_ID: X64_0x1E_rspmmfs64!LogFS+3e
>>
>>BUCKET_ID: X64_0x1E_rspmmfs64!LogFS+3e
>>
>>Followup: MachineOwner
>>---------
>>
>>
>>
>>“frank” wrote in message news:xxxxx@ntfsd…
>>
>>>Daniel, provide a bit more information:
>>>
>>>Which fields of CALLBACK_DATA do you access? What is happening in line
>>>691? Post the output of “analyze -v”.
>>>
>>>The pointer to CALLBACK_DATA seems to be ok. Perhaps you are at raised
>>>IRQL during access.
>>>
>>>By the way: why do you find the “Data”-parameter to be bogus?
>>>
>>>
>>>
>>>
>>>“Daniel Terhell” schrieb im Newsbeitrag
>>>news:xxxxx@ntfsd…
>>>
>>>>Forgive me for posting this basic question, the answer is probably
>>>>something simple. I got a minifilter which is working fine except when
>>>>I call FilterAttach from my application it causes the preoperation
>>>>callback to be called and accessing the fields in the Data parameter
>>>>then cause access violations. The question is how can I detect this
>>>>inside my preoperation callback (since the Data parameter is bogus) or
>>>>better how can I prevent this from getting called ? My filter does not
>>>>register an InstanceSetupCallback.
>>>>
>>>>Here is the stack (running on Windows Xp x64 edition):
>>>>
>>>>kd> kp
>>>>
>>
>>
>>
>>
>>
>

Daniel,

as you can see, your callback is called by “FltpPerformPreMountCallbacks”
(you probably borrowed your code from MiniSpy, which registers with
IRP_MJ_VOLUME_MOUNT)… and MOUNT is not a normal “operation on a file” as
you might expect. Do you check FltObjects->FileObject != NULL in your code
(like MiniSpy does)?

“Daniel Terhell” schrieb im Newsbeitrag
news:xxxxx@ntfsd…
> [quoted message snipped; it is identical to the one quoted above]
> 000000000012f6c0 0000000078ed6416 : 0000000000000000 0000000000000000
> 0000000000000000 0000000000000000 : ntdll!LdrpInitializeProcess+0x17d9
> 000000000012f9d0 0000000078ef3925 : 0000000000000000 0000000000000000
> 0000000000000000 0000000000000000 : ntdll!LdrpInitialize+0x18f
> 000000000012fab0 0000000078d59630 : 0000000000000000 0000000000000000
> 0000000000000000 0000000000000000 : ntdll!KiUserApcDispatch+0x15
> 000000000012ffa8 0000000000000000 : 0000000000000000 0000000000000000
> 0000000000000000 0000000000000000 : 0x78d59630
> 000000000012ffb0 0000000000000000 : 0000000000000000 0000000000000000
> 0000000000000000 0000000000000000 : 0x0
> 000000000012ffb8 0000000000000000 : 0000000000000000 0000000000000000
> 0000000000000000 0000000000000000 : 0x0
> 000000000012ffc0 0000000000000000 : 0000000000000000 0000000000000000
> 0000000000000000 0000000000000000 : 0x0
> 000000000012ffc8 0000000000000000 : 0000000000000000 0000000000000000
> 0000000000000000 0000000000000000 : 0x0
> 000000000012ffd0 0000000000000000 : 0000000000000000 0000000000000000
> 0000000000000000 0000000000000000 : 0x0
> 000000000012ffd8 0000000000000000 : 0000000000000000 0000000000000000
> 0000000000000000 0000000000000000 : 0x0
> 000000000012ffe0 0000000000000000 : 0000000000000000 0000000000000000
> 0000000000000000 0000002078746341 : 0x0
> 000000000012ffe8 0000000000000000 : 0000000000000000 0000000000000000
> 0000002078746341 0000537000000001 : 0x0
> 000000000012fff0 0000000000000000 : 0000000000000000 0000002078746341
> 0000537000000001 0000000000000124 : 0x0
> 000000000012fff8 0000000000000000 : 0000002078746341 0000537000000001
> 0000000000000124 0000000000000020 : 0x0
> 0000000000130000 0000002078746341 : 0000537000000001 0000000000000124
> 0000000000000020 0000000100000014 : 0x0
> 0000000000130008 0000537000000001 : 0000000000000124 0000000000000020
> 0000000100000014 000000340000000a : 0x2078746341
> 0000000000130010 0000000000000124 : 0000000000000020 0000000100000014
> 000000340000000a 00000001000001b4 : 0x537000000001
> 0000000000130018 0000000000000020 : 0000000100000014 000000340000000a
> 00000001000001b4 0000000000000000 : 0x124
> 0000000000130020 0000000100000014 : 000000340000000a 00000001000001b4
> 0000000000000000 0000000000000000 : 0x20
> 0000000000130028 000000340000000a : 00000001000001b4 0000000000000000
> 0000000000000000 0000000200000000 : 0x100000014
> 0000000000130030 00000001000001b4 : 0000000000000000 0000000000000000
> 0000000200000000 0000000000000000 : 0x340000000a
> 0000000000130038 0000000000000000 : 0000000000000000 0000000200000000
> 0000000000000000 0000031400000000 : 0x1000001b4
> 0000000000130040 0000000000000000 : 0000000200000000 0000000000000000
> 0000031400000000 000000000000019c : 0x0
> 0000000000130048 0000000200000000 : 0000000000000000 0000031400000000
> 000000000000019c 000004b02d59495b : 0x0
> 0000000000130050 0000000000000000 : 0000031400000000 000000000000019c
> 000004b02d59495b 000004e400000032 : 0x200000000
> 0000000000130058 0000031400000000 : 000000000000019c 000004b02d59495b
> 000004e400000032 00000000000002d2 : 0x0
> 0000000000130060 000000000000019c : 000004b02d59495b 000004e400000032
> 00000000000002d2 000007b8f33271ba : 0x31400000000
> 0000000000130068 000004b02d59495b : 000004e400000032 00000000000002d2
> 000007b8f33271ba 000008040000004a : 0x19c
> 0000000000130070 000004e400000032 : 00000000000002d2 000007b8f33271ba
> 000008040000004a 000000000000031a : 0x4b02d59495b
> 0000000000130078 00000000000002d2 : 000007b8f33271ba 000008040000004a
> 000000000000031a 00000b2032ceeacd : 0x4e400000032
> 0000000000130080 000007b8f33271ba : 000008040000004a 000000000000031a
> 00000b2032ceeacd 00000b6400000042 : 0x2d2
> 0000000000130088 000008040000004a : 000000000000031a 00000b2032ceeacd
> 00000b6400000042 0000000000000308 : 0x7b8f33271ba
> 0000000000130090 000000000000031a : 00000b2032ceeacd 00000b6400000042
> 0000000000000308 00000e6ce23ce879 : 0x8040000004a
> 0000000000130098 00000b2032ceeacd : 00000b6400000042 0000000000000308
> 00000e6ce23ce879 00000ea000000032 : 0x31a
> 00000000001300a0 00000b6400000042 : 0000000000000308 00000e6ce23ce879
> 00000ea000000032 00000000000002d2 : 0xb2032ceeacd
> 00000000001300a8 0000000000000308 : 00000e6ce23ce879 00000ea000000032
> 00000000000002d2 00001174830202e4 : 0xb6400000042
> 00000000001300b0 00000e6ce23ce879 : 00000ea000000032 00000000000002d2
> 00001174830202e4 000011bc00000046 : 0x308
> 00000000001300b8 00000ea000000032 : 00000000000002d2 00001174830202e4
> 000011bc00000046 00000000000002fc : 0xe6ce23ce879
> 00000000001300c0 00000000000002d2 : 00001174830202e4 000011bc00000046
> 00000000000002fc 000014b8d18cd5d2 : 0xea000000032
> 00000000001300c8 00001174830202e4 : 000011bc00000046 00000000000002fc
> 000014b8d18cd5d2 0000150000000046 : 0x2d2
> 00000000001300d0 000011bc00000046 : 00000000000002fc 000014b8d18cd5d2
> 0000150000000046 00000000000002fc : 0x1174830202e4
> 00000000001300d8 00000000000002fc : 000014b8d18cd5d2 0000150000000046
> 00000000000002fc 000017fc38505fc8 : 0x11bc00000046
>
>
> STACK_COMMAND: kb
>
> FOLLOWUP_IP:
> rspmmfs64!LogFS+3e [s:\mm\mmpsy\fs\rspmmfs.c @ 551]
> fffffadfe240476e 85c0 test eax,eax
>
> FAULTING_SOURCE_CODE:
> 547:
> 548: if (!Data) return;
> 549:
> 550:
>> 551: if (!NT_SUCCESS(FltGetFileNameInformation( Data,
>> FLT_FILE_NAME_OPENED | FLT_FILE_NAME_QUERY_DEFAULT, &nameInfo )))
> 552: {
> 553: return;
> 554: }
> 555:
> 556:
>
>
> SYMBOL_STACK_INDEX: 8
>
> FOLLOWUP_NAME: MachineOwner
>
> MODULE_NAME: rspmmfs64
>
> IMAGE_NAME: rspmmfs64.sys
>
> DEBUG_FLR_IMAGE_TIMESTAMP: 456aed7f
>
> SYMBOL_NAME: rspmmfs64!LogFS+3e
>
> FAILURE_BUCKET_ID: X64_0x1E_rspmmfs64!LogFS+3e
>
> BUCKET_ID: X64_0x1E_rspmmfs64!LogFS+3e
>
> Followup: MachineOwner
> ---------
>
>
>
> “frank” wrote in message news:xxxxx@ntfsd…
>> Daniel, provide a bit more information:
>>
>> Which fields of CALLBACK_DATA do you access? What is happening in line
>> 691? Post the output of “!analyze -v”.
>>
>> The pointer to CALLBACK_DATA seems to be ok. Perhaps you are at raised
>> IRQL during access.
>>
>> By the way: why do you find the “Data”-parameter to be bogus?
>>
>>
>>
>>
>> “Daniel Terhell” schrieb im Newsbeitrag
>> news:xxxxx@ntfsd…
>>> Forgive me for posting this basic question, the answer is probably
>>> something simple. I got a minifilter which is working fine except when
>>> I call FilterAttach from my application it causes the preoperation
>>> callback to be called and accessing the fields in the Data parameter
>>> then cause access violations. The question is how can I detect this
>>> inside my preoperation callback (since the Data parameter is bogus) or
>>> better how can I prevent this from getting called ? My filter does not
>>> register an InstanceSetupCallback.
>>>
>>> Here is the stack (running on Windows Xp x64 edition):
>>>
>>> kd> kp
>
>
>

You are right, although I had already been looking at this it appears I had
some code accidentally commented out. Also I was unreasonably assuming I
should be able to detect these mounts in the Data->Iopb->Irp fields. There
was something wrong with my attitude as I was getting so upset by
receiving a bogus Data parameter that I did not look back in there again.

Sorry,

/Daniel

“frank” wrote in message news:xxxxx@ntfsd…
> Daniel,
>
> as you can see your callback is called by “FltpPerformPreMountCallbacks”
> (you probably borrowed your code from MiniSpy, which registers with
> IRP_MJ_VOLUME_MOUNT)…and MOUNT is not a normal “operation on a file” as
> you might expect. Do you check FltObjects->FileObject != NULL in your code
> (like MiniSpy does)?
>
>
>
> “Daniel Terhell” schrieb im Newsbeitrag
> news:xxxxx@ntfsd…
>> Thanks for your response. This is running at PASSIVE_LEVEL, it is a
>> pre-operation callback and it is not supposed to be called at higher IRQL
>> according to the new WDK documentation. Also, I am using PAGED_CODE
>> in this path to be sure of lower IRQL. The bugcheck shows an IRQL of 2
>> but this is the responsibility of FltGetFileNameInformation.
>>
>> I put a breakpoint on line 551, just before the exception occurs.
>> Accessing the members of Data in the debugger sometimes gives access
>> violations, but not this time. The fields seem to contain arbitrary
>> values.
>>
>> Regards,
>>
>> /Daniel
>>
>>
>> kd> ??Data
>> struct _FLT_CALLBACK_DATA * 0xfffffadfe90cb6e8
>> +0x000 Flags : 2
>> +0x008 Thread : 0xfffffadfe855e810 _KTHREAD
>> +0x010 Iopb : 0xfffffadfe90cb740 _FLT_IO_PARAMETER_BLOCK
>> +0x018 IoStatus : _IO_STATUS_BLOCK
>> +0x028 TagData : (null)
>> +0x030 QueueLinks : _LIST_ENTRY [0x0000000000000000 - 0x0]
>> +0x040 QueueContext : [2] (null)
>> +0x030 FilterContext : [4] (null)
>> +0x050 RequestorMode : 0 ‘’
>> kd> ??Data->Iopb
>> struct _FLT_IO_PARAMETER_BLOCK * 0xfffffadfe90cb740
>> +0x000 IrpFlags : 0
>> +0x004 MajorFunction : 0 ''
>> +0x005 MinorFunction : 0 ''
>> +0x006 OperationFlags : 0 ''
>> +0x007 Reserved : 0 ''
>> +0x008 TargetFileObject : (null)
>> +0x010 TargetInstance : (null)
>> +0x018 Parameters : _FLT_PARAMETERS
>>
>> kd> !irql
>> Debugger saved IRQL for processor 0x0 -- 0 (LOW_LEVEL)
>> kd> g
>> Access violation - code c0000005 (!!! second chance !!!)
>> fltMgr!FltGetFileNameInformation+0xa0:
>> fffffadfe59a5ae0 48837f1800 cmp qword ptr [rdi+18h],0
>> kd> gn
>>
>> Fatal System Error: 0x0000001e
>>
>> (0xFFFFFFFFC0000005,0xFFFFFADFE59A5AE0,0x0000000000000000,0x0000000000000018)
>>
>> Break instruction exception - code 80000003 (first chance)
>>
>> A fatal system error has occurred.
>> Debugger entered on first try; Bugcheck callbacks have not been invoked.
>>
>> A fatal system error has occurred.
>>
>> Connected to Windows Server 2003 3790 x64 target, ptr64 TRUE
>> Loading Kernel Symbols
>> …
>> Loading User Symbols
>> …
>> Loading unloaded module list
>> …
>> Loading Wow64 Symbols
>> …
>>
>> ****************************************************************************
>> * *
>> * Bugcheck Analysis *
>> * *
>> ****************************************************************************
>>
>> Use !analyze -v to get detailed debugging information.
>>
>> BugCheck 1E, {ffffffffc0000005, fffffadfe59a5ae0, 0, 18}
>>
>>
>> ERROR: Symbol file could not be found. Defaulted to export symbols
>> for win32k.sys -
>> Probably caused by : rspmmfs64.sys ( rspmmfs64!LogFS+3e )
>>
>> Followup: MachineOwner
>> ---------
>>
>> nt!RtlpBreakWithStatusInstruction:
>> fffff8000103a240 cc int 3
>> kd> !analyze -v
>> *******************************************************************************
>> * *
>> * Bugcheck Analysis *
>> * *
>> *******************************************************************************
>>
>> KMODE_EXCEPTION_NOT_HANDLED (1e)
>> This is a very common bugcheck. Usually the exception address pinpoints
>> the driver/function that caused the problem. Always note this address
>> as well as the link date of the driver/image that contains this address.
>> Arguments:
>> Arg1: ffffffffc0000005, The exception code that was not handled
>> Arg2: fffffadfe59a5ae0, The address that the exception occurred at
>> Arg3: 0000000000000000, Parameter 0 of the exception
>> Arg4: 0000000000000018, Parameter 1 of the exception
>>
>> Debugging Details:
>> ------------------
>>
>>
>> EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx"
>> referenced memory at "0x%08lx". The memory could not be "%s".
>>
>> FAULTING_IP:
>> fltMgr!FltGetFileNameInformation+a0
>> fffffadfe59a5ae0 48837f1800 cmp qword ptr [rdi+18h],0
>>
>> EXCEPTION_PARAMETER1: 0000000000000000
>>
>> EXCEPTION_PARAMETER2: 0000000000000018
>>
>> READ_ADDRESS: 0000000000000018
>>
>> DEFAULT_BUCKET_ID: DRIVER_FAULT
>>
>> BUGCHECK_STR: 0x1E
>>
>> PROCESS_NAME: mm.exe
>>
>> CURRENT_IRQL: 2
>>
>> EXCEPTION_RECORD: fffffadfe22c05f0 – (.exr fffffadfe22c05f0)
>> ExceptionAddress: fffffadfe59a5ae0
>> (fltMgr!FltGetFileNameInformation+0x00000000000000a0)
>> ExceptionCode: c0000005 (Access violation)
>> ExceptionFlags: 00000000
>> NumberParameters: 2
>> Parameter[0]: 0000000000000000
>> Parameter[1]: 0000000000000018
>> Attempt to read from address 0000000000000018
>>
>> TRAP_FRAME: fffffadfe22c0680 – (.trap fffffadfe22c0680)
>> NOTE: The trap frame does not contain all registers.
>> Some register values may be zeroed.
>> rax=0000000000000000 rbx=0000000000000000 rcx=fffffadfe90cb740
>> rdx=0000000000000102 rsi=0000000000000000 rdi=0000000000000000
>> rip=fffffadfe59a5ae0 rsp=fffffadfe22c0810 rbp=0000000000000003
>> r8=fffffadfe22c0910 r9=0000000000000000 r10=fffffadfe9106048
>> r11=0000000000000000 r12=0000000000000000 r13=0000000000000000
>> r14=0000000000000000 r15=0000000000000000
>> iopl=0 nv up ei pl zr na po nc
>> fltMgr!FltGetFileNameInformation+0xa0:
>> fffffadfe59a5ae0 48837f1800 cmp qword ptr [rdi+18h],0
>> ds:0000000000000018=???
>> Resetting default scope
>>
>> LAST_CONTROL_TRANSFER: from fffff800010d72be to fffff8000103a240
>>
>> STACK_TEXT:
>> fffffadfe22bf818 fffff800010d72be : ffffffffc0000005 0000000000000000
>> 000000000000001e fffff80001059abe : nt!RtlpBreakWithStatusInstruction
>> fffffadfe22bf820 fffff800010d8a4d : fffff80000000003 000000000000001e
>> ffffffffc0000005 fffffadfe59a5ae0 : nt!KiBugCheckDebugBreak+0x1e
>> fffffadfe22bf880 fffff80001041a14 : 0000000048000000 fffffadfe22c0901
>> fffffadfe9106001 0000000000000000 : nt!KeBugCheck2+0x6fd
>> fffffadfe22bfec0 fffff8000109a361 : 000000000000001e ffffffffc0000005
>> fffffadfe59a5ae0 0000000000000000 : nt!KeBugCheckEx+0x104
>> fffffadfe22bff00 fffff8000104172f : fffffadfe22c05f0 fffff800012c955d
>> fffffadfe22c0680 0000000000000200 : nt!KiDispatchException+0x128
>> fffffadfe22c0500 fffff80001040621 : 0000000080000004 0000000000000000
>> fffffadfe59a5a00 0000000000000000 : nt!KiExceptionExit
>> fffffadfe22c0680 fffffadfe59a5ae0 : 0000000000000000 0000000000000000
>> 0000000000000000 0000000000000000 : nt!KiPageFault+0x1e1
>> fffffadfe22c0810 fffffadfe240476e : fffffadfe8a47400 fffffadfe93da4a0
>> fffffadfe90cb640 fffffadfe90cb6e8 :
>> fltMgr!FltGetFileNameInformation+0xa0
>> fffffadfe22c08b0 fffffadfe2404b07 : fffffadfe90cb6e8 fffffadfe8a19dae
>> fffffadfe8a19dae fffffadfe93da4a0 : rspmmfs64!LogFS+0x3e
>> [s:\mm\mmpsy\fs\rspmmfs.c @ 551]
>> fffffadfe22c0950 fffffadfe59b6e67 : fffffadfe90cb6e8 fffffadfe22c0a10
>> fffffadfe22c0a00 fffffadfe90cb6e8 :
>> rspmmfs64!SpyPreOperationCallback+0xa7 [s:\mm\mmpsy\fs\rspmmfs.c @ 887]
>> fffffadfe22c09b0 fffffadfe59bd666 : 0000000000000000 fffffadfe93d6190
>> fffffadfe9307240 fffffadfe8a97650 :
>> fltMgr!FltpPerformPreMountCallbacks+0x2a7
>> fffffadfe22c0a60 fffffadfe59bdee0 : fffffadfe8a97650 000000000000000d
>> fffffadfe93d6040 fffffadfe93da450 :
>> fltMgr!FltpFsControlMountVolume+0x1e6
>> fffffadfe22c0b20 fffff80001013628 : fffffadfe93d6040 fffffadfe93da4a0
>> fffffadfe93d6040 fffffadfe8a97650 : fltMgr!FltpFsControl+0x80
>> fffffadfe22c0b80 fffff800012b9fcf : fffffadfe22c11e0 fffffadfe90ed490
>> fffffadfe22c0f20 fffffadfe22c0d74 : nt!IopCheckVpbMounted+0x334
>> fffffadfe22c0cf0 fffff800012b345e : fffffadfe90ed490 fffffadfe90ed440
>> fffffadfe22c1020 0000000000000000 : nt!IopParseDevice+0x735
>> fffffadfe22c0ea0 fffff800012b983a : 0000000000000000 fffffadfe22c1010
>> 0000000000000240 0000000000000000 : nt!ObpLookupObjectName+0x92c
>> fffffadfe22c0fb0 fffff800012c13c9 : 0000000000000000 0000000000000000
>> 0000000000000000 0000000000000000 : nt!ObOpenObjectByName+0x180
>> fffffadfe22c11a0 fffff800012c1577 : fffffadfe93ce4c0 0000000000000000
>> 0000000000000000 fffff800012b3cb6 : nt!IopCreateFile+0x62f
>> fffffadfe22c1330 fffff800012c3d89 : 0000000000000000 fffff80001047a0c
>> 0000000000120100 fffff8000104f7c7 : nt!IoCreateFile+0x12f
>> fffffadfe22c1410 fffff80001041422 : fffffadf00000000 fffff78000000000
>> fffffadfe22c1580 fffffadfe22c14e4 : nt!NtCreateFile+0x69
>> fffffadfe22c1490 fffff80001041880 : fffffadfe59b82fe 0000000000000000
>> fffffadfe8697c20 0000000000f8000c : nt!KiSystemServiceCopyEnd+0x3
>> fffffadfe22c1698 fffffadfe59b82fe : 0000000000000000 fffffadfe8697c20
>> 0000000000f8000c fffffa8001dedb48 : nt!KiServiceLinkage
>> fffffadfe22c16a0 fffffadfe59b71ad : 0000000000000000 fffffadfe86c5010
>> fffffadfe86c5010 0000000000000000 : fltMgr!FltpGetVolumeFromName+0xde
>> fffffadfe22c1870 fffffadfe59bcd21 : fffffadfe8a47400 fffffadfe89e5f40
>> fffffadf00000000 0000000000000001 : fltMgr!FltpAttachVolume+0x22d
>> fffffadfe22c1950 fffffadfe59a1ab2 : 0000000000000000 0000000000000000
>> 00000000000000ec fffffadfe8e11d90 :
>> fltMgr!FltpCommonDeviceControl+0x1a1
>> fffffadfe22c1990 fffffadfe59a27c2 : fffffadfe8e11d90 fffffadfe22c1cf0
>> 0000000000000000 fffffadfe90a8c20 : fltMgr!FltpControlDispatch+0xe2
>> fffffadfe22c1a10 fffff800012cdd2f : 000000000000003e fffffadfe22c1cf0
>> 0000000000000001 fffffadfe89e5f40 : fltMgr!FltpDispatch+0x22
>> fffffadfe22c1a70 fffff800012de406 : 00000000000000f0 0000000000000000
>> 0000000000000000 0000000000000000 : nt!IopXxxControlFile+0xa4c
>> fffffadfe22c1b90 fffff80001041422 : fffffadfe8697c20 fffffadfe855e810
>> 0000000000000000 0000000000000000 : nt!NtDeviceIoControlFile+0x56
>> fffffadfe22c1c00 0000000078b83e48 : fffffadfe22c1c70 000000000012edb8
>> 0000000200000030 0000000078b842d9 : nt!KiSystemServiceCopyEnd+0x3
>> 000000000012ed78 0000000078be6a5a : 000000007efdf000 0000000000000001
>> 0000000000000000 000000007efdf000 : wow64cpu!DeviceIoctlFileFault+0x35
>> 000000000012ee60 0000000078be5e0d : 0000000000000000 000000000012f1a0
>> 000000000012fab0 0000000000000000 : wow64!RunCpuSimulation+0xa
>> 000000000012ee90 0000000078ed8501 : 000000000012f700 0000000000000000
>> 000000000012fab0 0000000000000003 : wow64!Wow64LdrpInitialize+0x2ed
>> 000000000012f6c0 0000000078ed6416 : 0000000000000000 0000000000000000
>> 0000000000000000 0000000000000000 : ntdll!LdrpInitializeProcess+0x17d9
>> 000000000012f9d0 0000000078ef3925 : 0000000000000000 0000000000000000
>> 0000000000000000 0000000000000000 : ntdll!LdrpInitialize+0x18f
>> 000000000012fab0 0000000078d59630 : 0000000000000000 0000000000000000
>> 0000000000000000 0000000000000000 : ntdll!KiUserApcDispatch+0x15
>> 000000000012ffa8 0000000000000000 : 0000000000000000 0000000000000000
>> 0000000000000000 0000000000000000 : 0x78d59630
>> 000000000012ffb0 0000000000000000 : 0000000000000000 0000000000000000
>> 0000000000000000 0000000000000000 : 0x0
>> 000000000012ffb8 0000000000000000 : 0000000000000000 0000000000000000
>> 0000000000000000 0000000000000000 : 0x0
>> 000000000012ffc0 0000000000000000 : 0000000000000000 0000000000000000
>> 0000000000000000 0000000000000000 : 0x0
>> 000000000012ffc8 0000000000000000 : 0000000000000000 0000000000000000
>> 0000000000000000 0000000000000000 : 0x0
>> 000000000012ffd0 0000000000000000 : 0000000000000000 0000000000000000
>> 0000000000000000 0000000000000000 : 0x0
>> 000000000012ffd8 0000000000000000 : 0000000000000000 0000000000000000
>> 0000000000000000 0000000000000000 : 0x0
>> 000000000012ffe0 0000000000000000 : 0000000000000000 0000000000000000
>> 0000000000000000 0000002078746341 : 0x0
>> 000000000012ffe8 0000000000000000 : 0000000000000000 0000000000000000
>> 0000002078746341 0000537000000001 : 0x0
>> 000000000012fff0 0000000000000000 : 0000000000000000 0000002078746341
>> 0000537000000001 0000000000000124 : 0x0
>> 000000000012fff8 0000000000000000 : 0000002078746341 0000537000000001
>> 0000000000000124 0000000000000020 : 0x0
>> 0000000000130000 0000002078746341 : 0000537000000001 0000000000000124
>> 0000000000000020 0000000100000014 : 0x0
>> 0000000000130008 0000537000000001 : 0000000000000124 0000000000000020
>> 0000000100000014 000000340000000a : 0x2078746341
>> 0000000000130010 0000000000000124 : 0000000000000020 0000000100000014
>> 000000340000000a 00000001000001b4 : 0x537000000001
>> 0000000000130018 0000000000000020 : 0000000100000014 000000340000000a
>> 00000001000001b4 0000000000000000 : 0x124
>> 0000000000130020 0000000100000014 : 000000340000000a 00000001000001b4
>> 0000000000000000 0000000000000000 : 0x20
>> 0000000000130028 000000340000000a : 00000001000001b4 0000000000000000
>> 0000000000000000 0000000200000000 : 0x100000014
>> 0000000000130030 00000001000001b4 : 0000000000000000 0000000000000000
>> 0000000200000000 0000000000000000 : 0x340000000a
>> 0000000000130038 0000000000000000 : 0000000000000000 0000000200000000
>> 0000000000000000 0000031400000000 : 0x1000001b4
>> 0000000000130040 0000000000000000 : 0000000200000000 0000000000000000
>> 0000031400000000 000000000000019c : 0x0
>> 0000000000130048 0000000200000000 : 0000000000000000 0000031400000000
>> 000000000000019c 000004b02d59495b : 0x0
>> 0000000000130050 0000000000000000 : 0000031400000000 000000000000019c
>> 000004b02d59495b 000004e400000032 : 0x200000000
>> 0000000000130058 0000031400000000 : 000000000000019c 000004b02d59495b
>> 000004e400000032 00000000000002d2 : 0x0
>> 0000000000130060 000000000000019c : 000004b02d59495b 000004e400000032
>> 00000000000002d2 000007b8f33271ba : 0x31400000000
>> 0000000000130068 000004b02d59495b : 000004e400000032 00000000000002d2
>> 000007b8f33271ba 000008040000004a : 0x19c
>> 0000000000130070 000004e400000032 : 00000000000002d2 000007b8f33271ba
>> 000008040000004a 000000000000031a : 0x4b02d59495b
>> 0000000000130078 00000000000002d2 : 000007b8f33271ba 000008040000004a
>> 000000000000031a 00000b2032ceeacd : 0x4e400000032
>> 0000000000130080 000007b8f33271ba : 000008040000004a 000000000000031a
>> 00000b2032ceeacd 00000b6400000042 : 0x2d2
>> 0000000000130088 000008040000004a : 000000000000031a 00000b2032ceeacd
>> 00000b6400000042 0000000000000308 : 0x7b8f33271ba
>> 0000000000130090 000000000000031a : 00000b2032ceeacd 00000b6400000042
>> 0000000000000308 00000e6ce23ce879 : 0x8040000004a
>> 0000000000130098 00000b2032ceeacd : 00000b6400000042 0000000000000308
>> 00000e6ce23ce879 00000ea000000032 : 0x31a
>> 00000000001300a0 00000b6400000042 : 0000000000000308 00000e6ce23ce879
>> 00000ea000000032 00000000000002d2 : 0xb2032ceeacd
>> 00000000001300a8 0000000000000308 : 00000e6ce23ce879 00000ea000000032
>> 00000000000002d2 00001174830202e4 : 0xb6400000042
>> 00000000001300b0 00000e6ce23ce879 : 00000ea000000032 00000000000002d2
>> 00001174830202e4 000011bc00000046 : 0x308
>> 00000000001300b8 00000ea000000032 : 00000000000002d2 00001174830202e4
>> 000011bc00000046 00000000000002fc : 0xe6ce23ce879
>> 00000000001300c0 00000000000002d2 : 00001174830202e4 000011bc00000046
>> 00000000000002fc 000014b8d18cd5d2 : 0xea000000032
>> 00000000001300c8 00001174830202e4 : 000011bc00000046 00000000000002fc
>> 000014b8d18cd5d2 0000150000000046 : 0x2d2
>> 00000000001300d0 000011bc00000046 : 00000000000002fc 000014b8d18cd5d2
>> 0000150000000046 00000000000002fc : 0x1174830202e4
>> 00000000001300d8 00000000000002fc : 000014b8d18cd5d2 0000150000000046
>> 00000000000002fc 000017fc38505fc8 : 0x11bc00000046
>>
>>
>> STACK_COMMAND: kb
>>
>> FOLLOWUP_IP:
>> rspmmfs64!LogFS+3e [s:\mm\mmpsy\fs\rspmmfs.c @ 551]
>> fffffadfe240476e 85c0 test eax,eax
>>
>> FAULTING_SOURCE_CODE:
>> 547:
>> 548: if (!Data) return;
>> 549:
>> 550:
>>> 551: if (!NT_SUCCESS(FltGetFileNameInformation( Data,
>>> FLT_FILE_NAME_OPENED | FLT_FILE_NAME_QUERY_DEFAULT, &nameInfo )))
>> 552: {
>> 553: return;
>> 554: }
>> 555:
>> 556:
>>
>>
>> SYMBOL_STACK_INDEX: 8
>>
>> FOLLOWUP_NAME: MachineOwner
>>
>> MODULE_NAME: rspmmfs64
>>
>> IMAGE_NAME: rspmmfs64.sys
>>
>> DEBUG_FLR_IMAGE_TIMESTAMP: 456aed7f
>>
>> SYMBOL_NAME: rspmmfs64!LogFS+3e
>>
>> FAILURE_BUCKET_ID: X64_0x1E_rspmmfs64!LogFS+3e
>>
>> BUCKET_ID: X64_0x1E_rspmmfs64!LogFS+3e
>>
>> Followup: MachineOwner
>> ---------
>>
>>
>>
>> “frank” wrote in message news:xxxxx@ntfsd…
>>> Daniel, provide a bit more information:
>>>
>>> Which fields of CALLBACK_DATA do you access? What is happening in line
>>> 691? Post the output of “!analyze -v”.
>>>
>>> The pointer to CALLBACK_DATA seems to be ok. Perhaps you are at raised
>>> IRQL during access.
>>>
>>> By the way: why do you find the “Data”-parameter to be bogus?
>>>
>>>
>>>
>>>
>>> “Daniel Terhell” schrieb im Newsbeitrag
>>> news:xxxxx@ntfsd…
>>>> Forgive me for posting this basic question, the answer is probably
>>>> something simple. I got a minifilter which is working fine except when
>>>> I call FilterAttach from my application it causes the preoperation
>>>> callback to be called and accessing the fields in the Data parameter
>>>> then cause access violations. The question is how can I detect this
>>>> inside my preoperation callback (since the Data parameter is bogus) or
>>>> better how can I prevent this from getting called ? My filter does not
>>>> register an InstanceSetupCallback.
>>>>
>>>> Here is the stack (running on Windows Xp x64 edition):
>>>>
>>>> kd> kp
>>
>>
>>
>
>
>
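The guard Frank asks about in the quoted reply (check FltObjects->FileObject before calling FltGetFileNameInformation, as MiniSpy does), written out as an added example. This is not code from the thread, from MiniSpy or from rspmmfs. The callback compiled under _KERNEL_MODE uses the real fltKernel.h types and the FLT_FILE_NAME_OPENED | FLT_FILE_NAME_QUERY_DEFAULT flags from the faulting line; the stand-in structs, SpyOperationHasFileObject and the demo_ functions are assumptions added so the decision can be compiled and exercised outside the WDK. The mount case is constructed to mirror the ??Data->Iopb dump above (MajorFunction 0, TargetFileObject (null)), which is consistent with the NULL that FltGetFileNameInformation dereferenced at [rdi+18h].

```c
/* Added example: skip the file-name query for callbacks that carry no file
 * object (volume mount reaches the pre-operation callback this way). */
#include <stddef.h>
#include <stdio.h>

#ifdef _KERNEL_MODE
#include <fltKernel.h>
#else
/* Host-side stand-ins (assumption, not the WDK definitions): only the fields
 * the guard reads are modelled, so the logic can be built with a plain C compiler. */
typedef void *PVOID;
typedef unsigned char UCHAR, BOOLEAN;
#define TRUE  1
#define FALSE 0
typedef struct _FLT_IO_PARAMETER_BLOCK {
    UCHAR MajorFunction;
    PVOID TargetFileObject;
} FLT_IO_PARAMETER_BLOCK, *PFLT_IO_PARAMETER_BLOCK;
typedef struct _FLT_CALLBACK_DATA {
    PFLT_IO_PARAMETER_BLOCK Iopb;
} FLT_CALLBACK_DATA, *PFLT_CALLBACK_DATA;
typedef struct _FLT_RELATED_OBJECTS {
    PVOID FileObject;
} FLT_RELATED_OBJECTS, *PFLT_RELATED_OBJECTS;
typedef const FLT_RELATED_OBJECTS *PCFLT_RELATED_OBJECTS;
#endif

/* TRUE only when the operation has a file object to name. Mount and other
 * volume-level callbacks arrive with FltObjects->FileObject == NULL and
 * Iopb->TargetFileObject == NULL; asking Filter Manager for a name then
 * dereferences NULL inside FltGetFileNameInformation. (Name is an assumption.) */
static BOOLEAN
SpyOperationHasFileObject(PFLT_CALLBACK_DATA Data, PCFLT_RELATED_OBJECTS FltObjects)
{
    if (Data == NULL || FltObjects == NULL || Data->Iopb == NULL) {
        return FALSE;
    }
    if (FltObjects->FileObject == NULL || Data->Iopb->TargetFileObject == NULL) {
        return FALSE;
    }
    return TRUE;
}

#ifdef _KERNEL_MODE
FLT_PREOP_CALLBACK_STATUS
SpyPreOperationCallback(PFLT_CALLBACK_DATA Data,
                        PCFLT_RELATED_OBJECTS FltObjects,
                        PVOID *CompletionContext)
{
    PFLT_FILE_NAME_INFORMATION nameInfo = NULL;
    UNREFERENCED_PARAMETER(CompletionContext);
    PAGED_CODE();

    if (!SpyOperationHasFileObject(Data, FltObjects)) {
        /* Nothing to log a name for; let the operation through untouched. */
        return FLT_PREOP_SUCCESS_NO_CALLBACK;
    }
    if (NT_SUCCESS(FltGetFileNameInformation(Data,
                       FLT_FILE_NAME_OPENED | FLT_FILE_NAME_QUERY_DEFAULT,
                       &nameInfo))) {
        /* ... log nameInfo->Name here ... */
        FltReleaseFileNameInformation(nameInfo);
    }
    return FLT_PREOP_SUCCESS_NO_CALLBACK;
}
#else
/* Host-side demo. Constructed input mirroring the ??Data->Iopb dump:
 * MajorFunction 0, TargetFileObject (null), and no related FileObject. */
static int demo_mount_callback_is_skipped(void)
{
    FLT_IO_PARAMETER_BLOCK iopb = { 0, NULL };
    FLT_CALLBACK_DATA data = { &iopb };
    FLT_RELATED_OBJECTS objs = { NULL };
    return SpyOperationHasFileObject(&data, &objs) == FALSE;
}

/* Constructed input for an ordinary file operation: any non-NULL pointer
 * stands in for the FILE_OBJECT on both the Iopb and the related objects. */
static int demo_create_callback_is_accepted(void)
{
    int fakeFileObject;
    FLT_IO_PARAMETER_BLOCK iopb = { 0 /* IRP_MJ_CREATE */, &fakeFileObject };
    FLT_CALLBACK_DATA data = { &iopb };
    FLT_RELATED_OBJECTS objs = { &fakeFileObject };
    return SpyOperationHasFileObject(&data, &objs) == TRUE;
}

int main(void)
{
    printf("mount-style data skipped:   %s\n", demo_mount_callback_is_skipped() ? "yes" : "no");
    printf("create-style data accepted: %s\n", demo_create_callback_is_accepted() ? "yes" : "no");
    return 0;
}
#endif
```

The guard checks both views of the file object rather than the major function alone: in the dump above MajorFunction reads 0 for the mount callback, so a MajorFunction == IRP_MJ_VOLUME_MOUNT test on its own would not have caught this case.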