Hangs with EFS

Hi guys,

I have a mini-filter driver for anti-virus/anti-spyware purposes. It sends file events to a user-mode service to scan the file content and then gets replies. This driver works well except when accessing encrypted files. The system hangs when the service tries to open the file. It seems that IRP_MJ_CREATE on encrypted files blocks FltSendMessage from sending new file events, and in most cases the deadlock is on nt!CmpRegistryLock.

Is there any clue about this issue? Thanks in advance.

The output from WinDbg:

kd> !locks
**** DUMP OF ALL RESOURCE OBJECTS ****
KD: Scanning for held locks…

Resource @ nt!CmpRegistryLock (0x8054fe60) Exclusively owned
Contention Count = 131
NumberOfSharedWaiters = 6
Threads: 82e39460-01<*> 830beda8-01 8305f020-01 83028b30-01
82f23b30-01 82e85c18-01 831c63c8-01
KD: Scanning for held locks…

Resource @ 0x83092a58 Shared 1 owning threads
Threads: 831c78bb-01<*> *** Actual Thread 831c78b8
3576 total locks, 2 locks currently held
kd> !locks -v 0x8054fe60

Resource @ nt!CmpRegistryLock (0x8054fe60) Exclusively owned
Contention Count = 131
NumberOfSharedWaiters = 6
Threads: 82e39460-01<*>

THREAD 82e39460 Cid 02b0.0314 Teb: 7ffab000 Win32Thread: 00000000 WAIT: (Executive) KernelMode Non-Alertable
830867f8 NotificationEvent
830867c8 Semaphore Limit 0x7fffffff
82e39550 NotificationTimer
IRP List:
82d96390: (0006,0190) Flags: 00000834 Mdl: 00000000
Impersonation token: e2103998 (Level Impersonation)
Owning Process 82e6b128 Image: lsass.exe
Wait Start TickCount 27509 Ticks: 318 (0:00:00:04.968)
Context Switch Count 60
UserTime 00:00:00.0015
KernelTime 00:00:00.0062
Win32 Start Address 0x75738c23
Start Address 0x7c810856
Stack Init f6f04000 Current f6f035c8 Base f6f04000 Limit f6f01000 Call 0
Priority 14 BasePriority 9 PriorityDecrement 5 DecrementCount 16
ChildEBP RetAddr
f6f035e0 8050017a nt!KiSwapContext+0x2e (FPO: [Uses EBP] [0,0,4])
f6f035ec 804f973e nt!KiSwapThread+0x46 (FPO: [0,0,0])
f6f03624 f73b833f nt!KeWaitForMultipleObjects+0x284 (FPO: [Non-Fpo])
f6f03738 f73ab6a2 fltmgr!FltSendMessage+0x149 (FPO: [Non-Fpo])
WARNING: Stack unwind information not available. Following frames may be wrong.
f6f0376c f73a092c mydriver+0xd6a2
f6f037e0 f73b4944 mydriver+0x292c
f6f03840 f73b6352 fltmgr!FltpPerformPreCallbacks+0x2d4 (FPO: [Non-Fpo])
f6f03854 f73b6c15 fltmgr!FltpPassThroughInternal+0x32 (FPO: [Non-Fpo])
f6f03870 f73b6ffb fltmgr!FltpPassThrough+0x1df (FPO: [Non-Fpo])
f6f038a0 804eddf9 fltmgr!FltpDispatch+0xf3 (FPO: [Non-Fpo])
f6f038b0 8056f673 nt!IopfCallDriver+0x31 (FPO: [0,0,0])
f6f0395c 8053c808 nt!NtSetInformationFile+0x56f (FPO: [Non-Fpo])
f6f0395c 804fe405 nt!KiFastCallEntry+0xf8 (FPO: [0,0] TrapFrame @ f6f03978)
f6f039e8 80630bb6 nt!ZwSetInformationFile+0x11 (FPO: [5,0,0])
f6f03a28 806304d2 nt!CmpDoFileSetSize+0x5e (FPO: [Non-Fpo])
f6f03a40 8062e5ba nt!CmpFileSetSize+0x16 (FPO: [Non-Fpo])
f6f03a60 8062f2b7 nt!HvpGrowLog1+0x52 (FPO: [Non-Fpo])
f6f03a7c 806303f0 nt!HvMarkDirty+0x19d (FPO: [Non-Fpo])
f6f03aa0 80627a74 nt!HvMarkCellDirty+0xbc (FPO: [Non-Fpo])
f6f03b08 806174c2 nt!CmSetValueKey+0x110 (FPO: [Non-Fpo])
f6f03b9c f5b5efe5 nt!NtSetValueKey+0x228 (FPO: [Non-Fpo])

830beda8-01

THREAD 830beda8 Cid 06b0.07e4 Teb: 7ffad000 Win32Thread: e205d008 WAIT: (Executive) KernelMode Non-Alertable
8302ecd0 Semaphore Limit 0x7fffffff
830bee98 NotificationTimer
Not impersonating
DeviceMap e1bc56d0
Owning Process 8306fb08 Image: explorer.exe
Wait Start TickCount 27819 Ticks: 8 (0:00:00:00.125)
Context Switch Count 7632 LargeStack
UserTime 00:00:00.0015
KernelTime 00:00:01.0171
Win32 Start Address 0x762836f7
Start Address 0x7c810856
Stack Init f56ef000 Current f56eebb0 Base f56ef000 Limit f56ea000 Call 0
Priority 10 BasePriority 8 PriorityDecrement 2 DecrementCount 16
ChildEBP RetAddr
f56eebc8 8050017a nt!KiSwapContext+0x2e (FPO: [Uses EBP] [0,0,4])
f56eebd4 804f99be nt!KiSwapThread+0x46 (FPO: [0,0,0])
f56eebfc 80531544 nt!KeWaitForSingleObject+0x1c2 (FPO: [Non-Fpo])
f56eec38 80531ab0 nt!ExpWaitForResource+0xd2 (FPO: [Non-Fpo])
f56eec4c 806208b1 nt!ExAcquireResourceSharedLite+0xb2 (FPO: [Non-Fpo])
f56eec58 8062642f nt!CmpLockRegistry+0x27 (FPO: [0,0,0])
f56eec9c 80616f60 nt!CmQueryValueKey+0x15 (FPO: [Non-Fpo])
f56eed44 8053c808 nt!NtQueryValueKey+0x2cc (FPO: [Non-Fpo])
f56eed44 7c90eb94 nt!KiFastCallEntry+0xf8 (FPO: [0,0] TrapFrame @ f56eed64)
01e9f470 7c90e20a ntdll!KiFastSystemCallRet (FPO: [0,0,0])
01e9f474 77dd6edc ntdll!NtQueryValueKey+0xc (FPO: [6,0,0])
WARNING: Frame IP not in any known module. Following frames may be wrong.
01e9f560 77dd7054 0x77dd6edc
01e9f598 76d62901 0x77dd7054
01e9f5e0 76d630d1 0x76d62901
01e9f834 76d6366c 0x76d630d1
01e9f86c 76d661af 0x76d6366c
01e9f8c0 76442c35 0x76d661af
01e9fb40 7645f6dc 0x76442c35
01e9fbc8 76460d32 0x7645f6dc
01e9fbec 7645d7a4 0x76460d32
01e9fc10 7645e7eb 0x7645d7a4
01e9fc24 77d48734 0x7645e7eb
01e9fc50 77d49857 0x77d48734
01e9fcb8 77d49791 0x77d49857
01e9fd10 77d48a10 0x77d49791
01e9fe14 80543dfd 0x77d48a10
01e9fd8c 76283746 nt!ExFreePoolWithTag+0x417 (FPO: [Non-Fpo])
01e9ffb4 7c80b50b 0x76283746
01e9ffec 00000000 0x7c80b50b

8305f020-01

THREAD 8305f020 Cid 02a4.040c Teb: 7ffa3000 Win32Thread: 00000000 WAIT: (Executive) KernelMode Non-Alertable
8302ecd0 Semaphore Limit 0x7fffffff
8305f110 NotificationTimer
Not impersonating
DeviceMap e1008700
Owning Process 8305fda0 Image: services.exe
Wait Start TickCount 27588 Ticks: 239 (0:00:00:03.734)
Context Switch Count 1587
UserTime 00:00:00.0000
KernelTime 00:00:00.0281
Win32 Start Address 0x00002c72
LPC Server thread working on message Id 2c72
Start Address 0x7c810856
Stack Init f5713000 Current f5712930 Base f5713000 Limit f5710000 Call 0
Priority 10 BasePriority 9 PriorityDecrement 0 DecrementCount 0
ChildEBP RetAddr
f5712948 8050017a nt!KiSwapContext+0x2e (FPO: [Uses EBP] [0,0,4])
f5712954 804f99be nt!KiSwapThread+0x46 (FPO: [0,0,0])
f571297c 80531544 nt!KeWaitForSingleObject+0x1c2 (FPO: [Non-Fpo])
f57129b8 80531ab0 nt!ExpWaitForResource+0xd2 (FPO: [Non-Fpo])
f57129cc 806208b1 nt!ExAcquireResourceSharedLite+0xb2 (FPO: [Non-Fpo])
f57129d8 80623eb3 nt!CmpLockRegistry+0x27 (FPO: [0,0,0])
f5712ba0 805b3642 nt!CmpParseKey+0x9d (FPO: [Non-Fpo])
f5712c28 805afb23 nt!ObpLookupObjectName+0x56a (FPO: [Non-Fpo])
f5712c7c 8061a11f nt!ObOpenObjectByName+0xeb (FPO: [Non-Fpo])
f5712d50 8053c808 nt!NtOpenKey+0x1af (FPO: [Non-Fpo])
f5712d50 7c90eb94 nt!KiFastCallEntry+0xf8 (FPO: [0,0] TrapFrame @ f5712d64)
00ddf810 00ff0000 ntdll!KiFastSystemCallRet (FPO: [0,0,0])
WARNING: Frame IP not in any known module. Following frames may be wrong.
00ddf858 00ffffff 0xff0000
00ffffff 00000000 0xffffff

Try skipping the scan of lsass.exe's file accesses.

Call PsGetCurrentProcessId(); if the current process ID equals lsass.exe's
PID, then skip scanning the file.

On Nov 13, 2007 1:24 PM, wrote:

> Hi guys,
>
> I have a mini-filter driver for anti-virus/anti-spyware purpose. It sends
> file events to a user-mode service to scan the file content then gets
> replies. This driver works well except accessing encrypted files. System
> hangs when the service tries to open the file. It seems that IRP_MJ_CREATE
> on encrypted files blocks FltSendMessage from sending new file events. And
> in most cases the deadlock is nt!CmpRegistryLock.
>
> Is there any clue for this issue? Thanks in advance.


Best regards,
Leo Jiang

MSN: xxxxx@live.com
http://www.shamuma.net/

Exactly so. EFS will send FEK decrypt requests to LSASS, and if LSASS tries
to access some files for this, you have a deadlock.


Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

wrote in message news:xxxxx@ntfsd…
> Hi guys,
>
> I have a mini-filter driver for anti-virus/anti-spyware purpose. It sends
> file events to a user-mode service to scan the file content then gets replies.
> This driver works well except accessing encrypted files. System hangs when the
> service tries to open the file. It seems that IRP_MJ_CREATE on encrypted files
> blocks FltSendMessage from sending new file events. And in most cases the
> deadlock is nt!CmpRegistryLock.
>
> Is there any clue for this issue? Thanks in advance.

Thanks guys. Verified this with my little test program. However, it's not good to ignore lsass.exe, which could be infected by viruses and malware. Looks like it's time to re-design our scan engine.

Why not look at the file during pre-create, saving the name? Check the
attributes to see if it is encrypted, and if so, when you see lsass try to
open the same file, you can just ignore it and catch it in the main path.
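The two suggestions in this thread (compare the caller's PID from PsGetCurrentProcessId() against lsass.exe's PID, and remember at pre-create whether the file carried the encrypted attribute so that only lsass's opens of already-known encrypted files are let through unscanned, while everything else still goes to the scanner on the main path) combined into one decision routine. This is an added example, not code from the thread or from any poster's driver. It is a user-mode C model of the decision logic: the kernel calls a real minifilter would use (PsGetCurrentProcessId, querying FILE_ATTRIBUTE_ENCRYPTED, stream contexts) are only described in comments, and the PIDs, file names, fixed-size table and the way the driver learned lsass's PID are constructed assumptions.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed table of files observed at pre-create, keyed by path.  A real
 * minifilter would keep this per stream (e.g. in a stream context) rather
 * than in a fixed global array; the array keeps this model self-contained. */
#define MAX_TRACKED 64
#define MAX_NAME    260

typedef struct {
    char name[MAX_NAME];
    bool encrypted;   /* FILE_ATTRIBUTE_ENCRYPTED was set when first seen */
} TrackedFile;

static TrackedFile g_tracked[MAX_TRACKED];
static size_t      g_trackedCount = 0;

/* PID of lsass.exe as learned by the driver (assumption: via some process
 * tracking of its own).  In the driver, the requestor's PID would come from
 * PsGetCurrentProcessId() in the pre-operation callback. */
static uint32_t g_lsassPid = 0;

typedef enum {
    SCAN_IN_SERVICE = 0,      /* forward to the user-mode scanner as usual */
    BYPASS_EFS_KEY_FETCH = 1  /* lsass touching a known-encrypted file: don't block it */
} ScanDecision;

void SetLsassPid(uint32_t pid) { g_lsassPid = pid; }

/* NTFS names are case-insensitive, so compare accordingly. */
static bool NameEquals(const char *a, const char *b)
{
    for (; *a && *b; ++a, ++b) {
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return false;
    }
    return *a == '\0' && *b == '\0';
}

static TrackedFile *FindTracked(const char *name)
{
    for (size_t i = 0; i < g_trackedCount; ++i) {
        if (NameEquals(g_tracked[i].name, name))
            return &g_tracked[i];
    }
    return NULL;
}

/* Pre-create path: remember the name and whether the file is encrypted.
 * `encrypted` is what the driver read from the file's attributes; it is a
 * parameter here so the logic can be exercised without kernel calls.
 * Returns false if the name could not be recorded (table full / too long),
 * in which case a later lsass open of it will simply be scanned. */
bool RecordPreCreate(const char *name, bool encrypted)
{
    TrackedFile *t = FindTracked(name);
    if (t == NULL) {
        if (g_trackedCount == MAX_TRACKED || strlen(name) >= MAX_NAME)
            return false;
        t = &g_tracked[g_trackedCount++];
        strcpy(t->name, name);
    }
    t->encrypted = encrypted;   /* re-seen files pick up the latest attribute */
    return true;
}

/* Decide whether this create should be sent to the scanner.  Only lsass.exe
 * opening a file already known to be encrypted is let through unscanned;
 * every other open, including lsass opening a non-encrypted or never-seen
 * file, is scanned as normal, so lsass.exe is not ignored wholesale. */
ScanDecision DecideScan(uint32_t requestorPid, const char *name)
{
    if (requestorPid != g_lsassPid)
        return SCAN_IN_SERVICE;
    const TrackedFile *t = FindTracked(name);
    if (t != NULL && t->encrypted)
        return BYPASS_EFS_KEY_FETCH;
    return SCAN_IN_SERVICE;
}

int main(void)
{
    /* Constructed sample: lsass.exe has PID 688, the scanner service PID 1536. */
    SetLsassPid(688);
    RecordPreCreate("C:\\Users\\alice\\secret.docx", true);
    RecordPreCreate("C:\\Users\\alice\\notes.txt", false);

    printf("service opens secret.docx -> %d (0 = scan)\n",
           DecideScan(1536, "C:\\Users\\alice\\secret.docx"));
    printf("lsass opens secret.docx   -> %d (1 = bypass)\n",
           DecideScan(688, "c:\\users\\alice\\SECRET.DOCX"));
    printf("lsass opens notes.txt     -> %d (0 = scan)\n",
           DecideScan(688, "C:\\Users\\alice\\notes.txt"));
    return 0;
}
```

The point of the lookup is that the service's own open of the encrypted file is still scanned on the main path, so nothing is lost by letting lsass's EFS key-fetch open through; only the re-entrant open that would otherwise block behind FltSendMessage while lsass holds nt!CmpRegistryLock is skipped.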
