FsRtlCreateSectioForDataScan crashes kernel on FAT32

OSR_Community_User · August 28, 2010, 10:39pm

HI,
I’m deveoping a realtime file moniter using minifilter,i use
FsRtlCreateSectionForDataScan in the PostCreate callback like this:
status = FsRtlCreateSectionForDataScan(&hSection,
&secObject,
&lsize,
FltObjects->FileObject,
SECTION_MAP_READ,
NULL,
NULL,
PAGE_READONLY,
SEC_COMMIT,
0);

if(NT_SUCCESS(status))
{

//ZwClose(hSection);
ObDereferenceObject(secObject);
// hSection=0;
DbgPrint(“FsRtlCreateSectionForDataScan Successfully!!!\n”);
}
else
{
if(status!=STATUS_END_OF_FILE)
DbgPrint(“FsRtlCreateSectionForDataScan Failed in PostCreate
status=%x!!!\n”,status);
//goto __Cleanup;
}

KeUnstackDetachProcess(&apcState);

this code works fine on NTFS,but when some file access happens on FAT32,it
will crash the kernel,the stack is here:
STACK_TEXT:
f8ac4888 804f89f7 00000003 f8ac4be4 00000000
nt!RtlpBreakWithStatusInstruction
f8ac48d4 804f95e4 00000003 00000000 f5cfaca0 nt!KiBugCheckDebugBreak+0x19
f8ac4cb4 804f9b0f 000000c2 00000007 00000cd4 nt!KeBugCheck2+0x574
f8ac4cd4 80544f06 000000c2 00000007 00000cd4 nt!KeBugCheckEx+0x1b
f8ac4d24 805b66db f5cfaca8 e56c6946 823ea090 nt!ExFreePoolWithTag+0x2a0
f8ac4d48 805b08a7 00000000 f5cfacc0 823b78b8 nt!ObpFreeObject+0x18d
f8ac4d60 805b0d5a f5cfacc0 00000001 80559ba0 nt!ObpRemoveObjectRoutine+0xe7
f8ac4d74 8053500e 00000000 00000000 823b78b8
nt!ObpProcessRemoveObjectQueue+0x38
f8ac4dac 805c5d5e 00000000 00000000 00000000 nt!ExpWorkerThread+0x100
f8ac4ddc 805421f2 80534f0e 00000000 00000000 nt!PspSystemThreadStartup+0x34
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16

the reason i use FsRtlCreateSectionForDataScan is that i don’t want to
reopen the file,Do someone knows why this happen???Thanks!!!

OSR_Community_User · August 28, 2010, 10:40pm

HI,
I’m deveoping a realtime file moniter using minifilter,i use
FsRtlCreateSectionForDataScan in the PostCreate callback like this:
KeStackAttachProcess(ScannerData.UserProcess,&apcState);
status = FsRtlCreateSectionForDataScan(&hSection,
&secObject,
&lsize,
FltObjects->FileObject,
SECTION_MAP_READ,
NULL,
NULL,
PAGE_READONLY,
SEC_COMMIT,
0);

if(NT_SUCCESS(status))
{

//ZwClose(hSection);
ObDereferenceObject(secObject);
// hSection=0;
DbgPrint(“FsRtlCreateSectionForDataScan Successfully!!!\n”);
}
else
{
if(status!=STATUS_END_OF_FILE)
DbgPrint(“FsRtlCreateSectionForDataScan Failed in PostCreate
status=%x!!!\n”,status);
//goto __Cleanup;
}

KeUnstackDetachProcess(&apcState);

this code works fine on NTFS,but when some file access happens on FAT32,it
will crash the kernel,the stack is here:
STACK_TEXT:
f8ac4888 804f89f7 00000003 f8ac4be4 00000000
nt!RtlpBreakWithStatusInstruction
f8ac48d4 804f95e4 00000003 00000000 f5cfaca0 nt!KiBugCheckDebugBreak+0x19
f8ac4cb4 804f9b0f 000000c2 00000007 00000cd4 nt!KeBugCheck2+0x574
f8ac4cd4 80544f06 000000c2 00000007 00000cd4 nt!KeBugCheckEx+0x1b
f8ac4d24 805b66db f5cfaca8 e56c6946 823ea090 nt!ExFreePoolWithTag+0x2a0
f8ac4d48 805b08a7 00000000 f5cfacc0 823b78b8 nt!ObpFreeObject+0x18d
f8ac4d60 805b0d5a f5cfacc0 00000001 80559ba0 nt!ObpRemoveObjectRoutine+0xe7
f8ac4d74 8053500e 00000000 00000000 823b78b8
nt!ObpProcessRemoveObjectQueue+0x38
f8ac4dac 805c5d5e 00000000 00000000 00000000 nt!ExpWorkerThread+0x100
f8ac4ddc 805421f2 80534f0e 00000000 00000000 nt!PspSystemThreadStartup+0x34
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16

the reason i use FsRtlCreateSectionForDataScan is that i don’t want to
reopen the file,Do someone knows why this happen???Thanks!!!

OSR_Community_User · August 28, 2010, 10:43pm

there’s missing line above status = FsRtlCreateSectionForDataScan(

&hSection,

that’s KeStackAttachProcess(ScannerData.UserProcess,&apcState);

status = FsRtlCreateSectionForDataScan(&hSection,
&secObject,
&lsize,
FltObjects->FileObject,
SECTION_MAP_READ,
NULL,
NULL,
PAGE_READONLY,
SEC_COMMIT,
0);

2010/8/29 ???

> HI,
> I’m deveoping a realtime file moniter using minifilter,i use
> FsRtlCreateSectionForDataScan in the PostCreate callback like this:
> status = FsRtlCreateSectionForDataScan(&hSection,
> &secObject,
> &lsize,
> FltObjects->FileObject,
> SECTION_MAP_READ,
> NULL,
> NULL,
> PAGE_READONLY,
> SEC_COMMIT,
> 0);
>
> if(NT_SUCCESS(status))
> {
>
> //ZwClose(hSection);
> ObDereferenceObject(secObject);
> // hSection=0;
> DbgPrint(“FsRtlCreateSectionForDataScan Successfully!!!\n”);
> }
> else
> {
> if(status!=STATUS_END_OF_FILE)
> DbgPrint(“FsRtlCreateSectionForDataScan Failed in PostCreate
> status=%x!!!\n”,status);
> //goto __Cleanup;
> }
>
> KeUnstackDetachProcess(&apcState);
>
> this code works fine on NTFS,but when some file access happens on FAT32,it
> will crash the kernel,the stack is here:
> STACK_TEXT:
> f8ac4888 804f89f7 00000003 f8ac4be4 00000000
> nt!RtlpBreakWithStatusInstruction
> f8ac48d4 804f95e4 00000003 00000000 f5cfaca0 nt!KiBugCheckDebugBreak+0x19
> f8ac4cb4 804f9b0f 000000c2 00000007 00000cd4 nt!KeBugCheck2+0x574
> f8ac4cd4 80544f06 000000c2 00000007 00000cd4 nt!KeBugCheckEx+0x1b
> f8ac4d24 805b66db f5cfaca8 e56c6946 823ea090 nt!ExFreePoolWithTag+0x2a0
> f8ac4d48 805b08a7 00000000 f5cfacc0 823b78b8 nt!ObpFreeObject+0x18d
> f8ac4d60 805b0d5a f5cfacc0 00000001 80559ba0 nt!ObpRemoveObjectRoutine+0xe7
> f8ac4d74 8053500e 00000000 00000000 823b78b8
> nt!ObpProcessRemoveObjectQueue+0x38
> f8ac4dac 805c5d5e 00000000 00000000 00000000 nt!ExpWorkerThread+0x100
> f8ac4ddc 805421f2 80534f0e 00000000 00000000 nt!PspSystemThreadStartup+0x34
> 00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16
>
> the reason i use FsRtlCreateSectionForDataScan is that i don’t want to
> reopen the file,Do someone knows why this happen???Thanks!!!
>

mm1 · August 28, 2010, 10:45pm

FS/FSF’s are not my thing, but a good place to start might be to (a) get
familiar with the FAT source code (comes with the WDK) and (b) build and
install a CHK version of it on your target. In order to do the later, you
will have to jump through some hopes that depend on the version of your
target.

If it’s pre-vista, the easiest thing to do is to use .kdfiles in windbg (see
the docs) to replace it.

If it’s vista, I think that your only options are either to take ownership
of the FAT driver (on disk, that is) and overwrite it or to change the
ImagePath value of the service entry for FAT (I think that should work).

On Win7 (or S2K8R2), you could do any of these.

Good luck,

mm

From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of ???
Sent: Saturday, August 28, 2010 10:39 PM
To: Windows File Systems Devs Interest List
Subject: [ntfsd] FsRtlCreateSectioForDataScan crashes kernel on FAT32

HI,
I’m deveoping a realtime file moniter using minifilter,i use
FsRtlCreateSectionForDataScan in the PostCreate callback like this:
status = FsRtlCreateSectionForDataScan(&hSection,
&secObject,
&lsize,
FltObjects->FileObject,
SECTION_MAP_READ,
NULL,
NULL,
PAGE_READONLY,
SEC_COMMIT,
0);

if(NT_SUCCESS(status))
{

//ZwClose(hSection);
ObDereferenceObject(secObject);
// hSection=0;
DbgPrint(“FsRtlCreateSectionForDataScan Successfully!!!\n”);
}
else
{
if(status!=STATUS_END_OF_FILE)
DbgPrint(“FsRtlCreateSectionForDataScan Failed in PostCreate
status=%x!!!\n”,status);
//goto __Cleanup;
}

KeUnstackDetachProcess(&apcState);

this code works fine on NTFS,but when some file access happens on FAT32,it
will crash the kernel,the stack is here:
STACK_TEXT:
f8ac4888 804f89f7 00000003 f8ac4be4 00000000
nt!RtlpBreakWithStatusInstruction
f8ac48d4 804f95e4 00000003 00000000 f5cfaca0 nt!KiBugCheckDebugBreak+0x19
f8ac4cb4 804f9b0f 000000c2 00000007 00000cd4 nt!KeBugCheck2+0x574
f8ac4cd4 80544f06 000000c2 00000007 00000cd4 nt!KeBugCheckEx+0x1b
f8ac4d24 805b66db f5cfaca8 e56c6946 823ea090 nt!ExFreePoolWithTag+0x2a0
f8ac4d48 805b08a7 00000000 f5cfacc0 823b78b8 nt!ObpFreeObject+0x18d
f8ac4d60 805b0d5a f5cfacc0 00000001 80559ba0 nt!ObpRemoveObjectRoutine+0xe7
f8ac4d74 8053500e 00000000 00000000 823b78b8
nt!ObpProcessRemoveObjectQueue+0x38
f8ac4dac 805c5d5e 00000000 00000000 00000000 nt!ExpWorkerThread+0x100
f8ac4ddc 805421f2 80534f0e 00000000 00000000 nt!PspSystemThreadStartup+0x34
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16

the reason i use FsRtlCreateSectionForDataScan is that i don’t want to
reopen the file,Do someone knows why this happen???Thanks!!!
— NTFSD is sponsored by OSR For our schedule of debugging and file system
seminars (including our new fs mini-filter seminar) visit:
http://www.osr.com/seminars To unsubscribe, visit the List Server section of
OSR Online at http://www.osronline.com/page.cfm?name=ListServer

OSR_Community_User · August 28, 2010, 10:51pm

Well,Thanks,i think i need to read the fat source code now,thanks for your
suggestion…

2010/8/29 M. M. O’Brien

> FS/FSF?s are not my thing, but a good place to start might be to (a) get
> familiar with the FAT source code (comes with the WDK) and (b) build and
> install a CHK version of it on your target. In order to do the later, you
> will have to jump through some hopes that depend on the version of your
> target.
>
>
>
> If it?s pre-vista, the easiest thing to do is to use .kdfiles in windbg
> (see the docs) to replace it.
>
>
>
> If it?s vista, I think that your only options are either to take ownership
> of the FAT driver (on disk, that is) and overwrite it or to change the
> ImagePath value of the service entry for FAT (I think that should work).
>
>
>
> On Win7 (or S2K8R2), you could do any of these.
>
>
>
>
>
> Good luck,
>
>
>
> mm
>
>
>
> From: xxxxx@lists.osr.com [mailto:
> xxxxx@lists.osr.com] *On Behalf Of *???
> Sent: Saturday, August 28, 2010 10:39 PM
> To: Windows File Systems Devs Interest List
> Subject: [ntfsd] FsRtlCreateSectioForDataScan crashes kernel on FAT32
>
>
>
> HI,
> I’m deveoping a realtime file moniter using minifilter,i use
> FsRtlCreateSectionForDataScan in the PostCreate callback like this:
> status = FsRtlCreateSectionForDataScan(&hSection,
> &secObject,
> &lsize,
> FltObjects->FileObject,
> SECTION_MAP_READ,
> NULL,
> NULL,
> PAGE_READONLY,
> SEC_COMMIT,
> 0);
>
> if(NT_SUCCESS(status))
> {
>
> //ZwClose(hSection);
> ObDereferenceObject(secObject);
> // hSection=0;
> DbgPrint(“FsRtlCreateSectionForDataScan Successfully!!!\n”);
> }
> else
> {
> if(status!=STATUS_END_OF_FILE)
> DbgPrint(“FsRtlCreateSectionForDataScan Failed in PostCreate
> status=%x!!!\n”,status);
> //goto __Cleanup;
> }
>
> KeUnstackDetachProcess(&apcState);
>
> this code works fine on NTFS,but when some file access happens on FAT32,it
> will crash the kernel,the stack is here:
> STACK_TEXT:
> f8ac4888 804f89f7 00000003 f8ac4be4 00000000
> nt!RtlpBreakWithStatusInstruction
> f8ac48d4 804f95e4 00000003 00000000 f5cfaca0 nt!KiBugCheckDebugBreak+0x19
> f8ac4cb4 804f9b0f 000000c2 00000007 00000cd4 nt!KeBugCheck2+0x574
> f8ac4cd4 80544f06 000000c2 00000007 00000cd4 nt!KeBugCheckEx+0x1b
> f8ac4d24 805b66db f5cfaca8 e56c6946 823ea090 nt!ExFreePoolWithTag+0x2a0
> f8ac4d48 805b08a7 00000000 f5cfacc0 823b78b8 nt!ObpFreeObject+0x18d
> f8ac4d60 805b0d5a f5cfacc0 00000001 80559ba0 nt!ObpRemoveObjectRoutine+0xe7
> f8ac4d74 8053500e 00000000 00000000 823b78b8
> nt!ObpProcessRemoveObjectQueue+0x38
> f8ac4dac 805c5d5e 00000000 00000000 00000000 nt!ExpWorkerThread+0x100
> f8ac4ddc 805421f2 80534f0e 00000000 00000000 nt!PspSystemThreadStartup+0x34
> 00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16
>
> the reason i use FsRtlCreateSectionForDataScan is that i don’t want to
> reopen the file,Do someone knows why this happen???Thanks!!!
> — NTFSD is sponsored by OSR For our schedule of debugging and file system
> seminars (including our new fs mini-filter seminar) visit:
> http://www.osr.com/seminars To unsubscribe, visit the List Server section
> of OSR Online at http://www.osronline.com/page.cfm?name=ListServer
>
>
> —
> NTFSD is sponsored by OSR
>
> For our schedule of debugging and file system seminars
> (including our new fs mini-filter seminar) visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer
>

mm1 · August 28, 2010, 10:57pm

Not a problem.

Good luck,

mm

From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of ???
Sent: Saturday, August 28, 2010 10:50 PM
To: Windows File Systems Devs Interest List
Subject: Re: [ntfsd] FsRtlCreateSectioForDataScan crashes kernel on FAT32

Well,Thanks,i think i need to read the fat source code now,thanks for your
suggestion…

2010/8/29 M. M. O’Brien

FS/FSF’s are not my thing, but a good place to start might be to (a) get
familiar with the FAT source code (comes with the WDK) and (b) build and
install a CHK version of it on your target. In order to do the later, you
will have to jump through some hopes that depend on the version of your
target.

If it’s pre-vista, the easiest thing to do is to use .kdfiles in windbg (see
the docs) to replace it.

If it’s vista, I think that your only options are either to take ownership
of the FAT driver (on disk, that is) and overwrite it or to change the
ImagePath value of the service entry for FAT (I think that should work).

On Win7 (or S2K8R2), you could do any of these.

Good luck,

mm

From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of ???
Sent: Saturday, August 28, 2010 10:39 PM
To: Windows File Systems Devs Interest List
Subject: [ntfsd] FsRtlCreateSectioForDataScan crashes kernel on FAT32

HI,
I’m deveoping a realtime file moniter using minifilter,i use
FsRtlCreateSectionForDataScan in the PostCreate callback like this:
status = FsRtlCreateSectionForDataScan(&hSection,
&secObject,
&lsize,
FltObjects->FileObject,
SECTION_MAP_READ,
NULL,
NULL,
PAGE_READONLY,
SEC_COMMIT,
0);

if(NT_SUCCESS(status))
{

//ZwClose(hSection);
ObDereferenceObject(secObject);
// hSection=0;
DbgPrint(“FsRtlCreateSectionForDataScan Successfully!!!\n”);
}
else
{
if(status!=STATUS_END_OF_FILE)
DbgPrint(“FsRtlCreateSectionForDataScan Failed in PostCreate
status=%x!!!\n”,status);
//goto __Cleanup;
}

KeUnstackDetachProcess(&apcState);

this code works fine on NTFS,but when some file access happens on FAT32,it
will crash the kernel,the stack is here:
STACK_TEXT:
f8ac4888 804f89f7 00000003 f8ac4be4 00000000
nt!RtlpBreakWithStatusInstruction
f8ac48d4 804f95e4 00000003 00000000 f5cfaca0 nt!KiBugCheckDebugBreak+0x19
f8ac4cb4 804f9b0f 000000c2 00000007 00000cd4 nt!KeBugCheck2+0x574
f8ac4cd4 80544f06 000000c2 00000007 00000cd4 nt!KeBugCheckEx+0x1b
f8ac4d24 805b66db f5cfaca8 e56c6946 823ea090 nt!ExFreePoolWithTag+0x2a0
f8ac4d48 805b08a7 00000000 f5cfacc0 823b78b8 nt!ObpFreeObject+0x18d
f8ac4d60 805b0d5a f5cfacc0 00000001 80559ba0 nt!ObpRemoveObjectRoutine+0xe7
f8ac4d74 8053500e 00000000 00000000 823b78b8
nt!ObpProcessRemoveObjectQueue+0x38
f8ac4dac 805c5d5e 00000000 00000000 00000000 nt!ExpWorkerThread+0x100
f8ac4ddc 805421f2 80534f0e 00000000 00000000 nt!PspSystemThreadStartup+0x34
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16

the reason i use FsRtlCreateSectionForDataScan is that i don’t want to
reopen the file,Do someone knows why this happen???Thanks!!!

— NTFSD is sponsored by OSR For our schedule of debugging and file system
seminars (including our new fs mini-filter seminar) visit:
http://www.osr.com/seminars To unsubscribe, visit the List Server section of
OSR Online at http://www.osronline.com/page.cfm?name=ListServer

—
NTFSD is sponsored by OSR

For our schedule of debugging and file system seminars
(including our new fs mini-filter seminar) visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

— NTFSD is sponsored by OSR For our schedule of debugging and file system
seminars (including our new fs mini-filter seminar) visit:
http://www.osr.com/seminars To unsubscribe, visit the List Server section of
OSR Online at http://www.osronline.com/page.cfm?name=ListServer

rod_widdowson · August 29, 2010, 5:09am

What OS?

In general what you are suggesting is pretty unsafe:
http://www.osronline.com/article.cfm?article=219

At the very least you should check that the file object is *not* a stack
based one. I have no idea whether that is your issue, but it certainly
might cause such problems and the FAT/NTFS distinction could certainly be
explained. Stack based file objects are less common in Vista than XP, but
they are still there.

Rod

Rod Widdowson
Consulting Partner
Steading System Software LLP
+44 1368 850217 +1 508 915 4790

“é«˜æ™“æ˜Ž” wrote in message news:xxxxx@ntfsd…
HI,
I’m deveoping a realtime file moniter using minifilter,i use
FsRtlCreateSectionForDataScan in the PostCreate callback like this:
status = FsRtlCreateSectionForDataScan(&hSection,
&secObject,
&lsize,
FltObjects->FileObject,
SECTION_MAP_READ,
NULL,
NULL,
PAGE_READONLY,
SEC_COMMIT,
0);

if(NT_SUCCESS(status))
{

//ZwClose(hSection);
ObDereferenceObject(secObject);
// hSection=0;
DbgPrint(“FsRtlCreateSectionForDataScan Successfully!!!\n”);
}
else
{
if(status!=STATUS_END_OF_FILE)
DbgPrint(“FsRtlCreateSectionForDataScan Failed in PostCreate
status=%x!!!\n”,status);
//goto __Cleanup;
}

KeUnstackDetachProcess(&apcState);

this code works fine on NTFS,but when some file access happens on FAT32,it
will crash the kernel,the stack is here:
STACK_TEXT:
f8ac4888 804f89f7 00000003 f8ac4be4 00000000
nt!RtlpBreakWithStatusInstruction
f8ac48d4 804f95e4 00000003 00000000 f5cfaca0 nt!KiBugCheckDebugBreak+0x19
f8ac4cb4 804f9b0f 000000c2 00000007 00000cd4 nt!KeBugCheck2+0x574
f8ac4cd4 80544f06 000000c2 00000007 00000cd4 nt!KeBugCheckEx+0x1b
f8ac4d24 805b66db f5cfaca8 e56c6946 823ea090 nt!ExFreePoolWithTag+0x2a0
f8ac4d48 805b08a7 00000000 f5cfacc0 823b78b8 nt!ObpFreeObject+0x18d
f8ac4d60 805b0d5a f5cfacc0 00000001 80559ba0 nt!ObpRemoveObjectRoutine+0xe7
f8ac4d74 8053500e 00000000 00000000 823b78b8
nt!ObpProcessRemoveObjectQueue+0x38
f8ac4dac 805c5d5e 00000000 00000000 00000000 nt!ExpWorkerThread+0x100
f8ac4ddc 805421f2 80534f0e 00000000 00000000 nt!PspSystemThreadStartup+0x34
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16

the reason i use FsRtlCreateSectionForDataScan is that i don’t want to
reopen the file,Do someone knows why this happen???Thanks!!!

OSR_Community_User · August 29, 2010, 5:38am

Thanks Rod Widdowson ,i think the problem is just the stack based one ,i
should filter theme ,Thansk !!!

2010/8/29 Rod Widdowson

> What OS?
>
> In general what you are suggesting is pretty unsafe:
> http://www.osronline.com/article.cfm?article=219
>
> At the very least you should check that the file object is not a stack
> based one. I have no idea whether that is your issue, but it certainly
> might cause such problems and the FAT/NTFS distinction could certainly be
> explained. Stack based file objects are less common in Vista than XP, but
> they are still there.
>
> Rod
> –
> Rod Widdowson
> Consulting Partner
> Steading System Software LLP
> +44 1368 850217 +1 508 915 4790
>
>
> ---------------------------------------------------------------------------------------------------------------------------------
> “???” wrote in message news:xxxxx@ntfsd…
>
> HI,
> I’m deveoping a realtime file moniter using minifilter,i use
> FsRtlCreateSectionForDataScan in the PostCreate callback like this:
> status = FsRtlCreateSectionForDataScan(&hSection,
> &secObject,
> &lsize,
> FltObjects->FileObject,
> SECTION_MAP_READ,
> NULL,
> NULL,
> PAGE_READONLY,
> SEC_COMMIT,
> 0);
>
> if(NT_SUCCESS(status))
> {
>
> //ZwClose(hSection);
> ObDereferenceObject(secObject);
> // hSection=0;
> DbgPrint(“FsRtlCreateSectionForDataScan Successfully!!!\n”);
> }
> else
> {
> if(status!=STATUS_END_OF_FILE)
> DbgPrint(“FsRtlCreateSectionForDataScan Failed in PostCreate
> status=%x!!!\n”,status);
> //goto __Cleanup;
> }
>
> KeUnstackDetachProcess(&apcState);
>
> this code works fine on NTFS,but when some file access happens on FAT32,it
> will crash the kernel,the stack is here:
> STACK_TEXT:
> f8ac4888 804f89f7 00000003 f8ac4be4 00000000
> nt!RtlpBreakWithStatusInstruction
> f8ac48d4 804f95e4 00000003 00000000 f5cfaca0 nt!KiBugCheckDebugBreak+0x19
> f8ac4cb4 804f9b0f 000000c2 00000007 00000cd4 nt!KeBugCheck2+0x574
> f8ac4cd4 80544f06 000000c2 00000007 00000cd4 nt!KeBugCheckEx+0x1b
> f8ac4d24 805b66db f5cfaca8 e56c6946 823ea090 nt!ExFreePoolWithTag+0x2a0
> f8ac4d48 805b08a7 00000000 f5cfacc0 823b78b8 nt!ObpFreeObject+0x18d
> f8ac4d60 805b0d5a f5cfacc0 00000001 80559ba0 nt!ObpRemoveObjectRoutine+0xe7
> f8ac4d74 8053500e 00000000 00000000 823b78b8
> nt!ObpProcessRemoveObjectQueue+0x38
> f8ac4dac 805c5d5e 00000000 00000000 00000000 nt!ExpWorkerThread+0x100
> f8ac4ddc 805421f2 80534f0e 00000000 00000000 nt!PspSystemThreadStartup+0x34
> 00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16
>
> the reason i use FsRtlCreateSectionForDataScan is that i don’t want to
> reopen the file,Do someone knows why this happen???Thanks!!!
>
> —
> NTFSD is sponsored by OSR
>
> For our schedule of debugging and file system seminars
> (including our new fs mini-filter seminar) visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer
>