A heads up for people writing mini-filters.
We’ve been debugging an issue with a TPM module, and (after the
customer finally sent the right dump…:), we remembered to run the
default mini-filter samples (MiniSpy and SwapBuffers).
It turns out that if a mini-filter attaches to a TPM module’s secure
drive automatically, the system will bugcheck if the mini-filter tries to
query the file name on that volume (the first open - the crash doesn’t
occur if the mini-filter manually attaches to the drive after it was
already mounted). I didn’t go any further on whether this is an FltMgr
issue or the TPM module’s driver issue.
–
Kind regards, Dejan
http://www.alfasp.com
File system audit, security and encryption kits.
Bleh. That means the problem might be in FileSpy as well,
it can use Minispy as one of kernel drivers. And because it
has option to attach volume on its mount, I guess that
leads to BSOD.
Any chance you send me some information about how to avoid attaching
to that TPM drive?
L.
It is present in FileSpy - I used MSpy from FileSpy to test 
Exactly what I needed - a way to auto-attach and to manually attach
(first thing = BOOM, second thing = no booms).
I’m facing the same problem really, the TPM driver is a volume
driver, not a file system - the file system on the volume we tested was
NTFS, and it’s a fixed drive - I really don’t see any way to detect that
it’s a TPM drive without querying the storage driver name.
D.
Ladislav Zezula wrote:
Bleh. That means the problem might be in FileSpy as well, it can use
Minispy as one of kernel drivers. And because it has option to attach
volume on its mount, I guess that
leads to BSOD.
Any chance you send me some information about how to avoid attaching
to that TPM drive?
–
Kind regards, Dejan
http://www.alfasp.com
File system audit, security and encryption kits.
BTW - thanks for FileSpy! Great test helper! (in general not just
here)
Ladislav Zezula wrote:
Bleh. That means the problem might be in FileSpy as well,
it can use Minispy as one of kernel drivers. And because it
has option to attach volume on its mount, I guess that
leads to BSOD.
Any chance you send me some information about how to avoid attaching
to that TPM drive?
–
Kind regards, Dejan
http://www.alfasp.com
File system audit, security and encryption kits.