Help with a bugcheck required!

Hi everyone,

A small part of my filesystem minifilter driver is the registry filtering
functionality. However, sometimes I get this bugcheck, specifically while
running Internet Explorer:

*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except,
it must be protected by a Probe. Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: fffffff4, memory referenced.
Arg2: 00000000, value 0 = read operation, 1 = write operation.
Arg3: 82a9fd34, If non-zero, the instruction address which referenced the bad memory
address.
Arg4: 00000000, (reserved)

Debugging Details:

READ_ADDRESS: fffffff4

FAULTING_IP:
nt!ObpQueryNameString+2b
82a9fd34 0fb6460c movzx eax,byte ptr [esi+0Ch]

MM_INTERNAL_CODE: 0

DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT

BUGCHECK_STR: 0x50

PROCESS_NAME: iexplore.exe

CURRENT_IRQL: 2

TRAP_FRAME: 964f768c -- (.trap 0xffffffff964f768c)
ErrCode = 00000000
eax=964f7754 ebx=00000000 ecx=869d3008 edx=964f7884 esi=ffffffe8 edi=00000000
eip=82a9fd34 esp=964f7700 ebp=964f7764 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010246
nt!ObpQueryNameString+0x2b:
82a9fd34 0fb6460c movzx eax,byte ptr [esi+0Ch] ds:0023:fffffff4=??
Resetting default scope

LAST_CONTROL_TRANSFER: from 82930083 to 828cc110

STACK_TEXT:
964f71d4 82930083 00000003 13c85746 00000065 nt!RtlpBreakWithStatusInstruction
964f7224 82930b81 00000003 868db538 00000000 nt!KiBugCheckDebugBreak+0x1c
964f75e8 828df41b 00000050 fffffff4 00000000 nt!KeBugCheck2+0x68b
964f7674 828923d8 00000000 fffffff4 00000000 nt!MmAccessFault+0x106
964f7674 82a9fd34 00000000 fffffff4 00000000 nt!KiTrap0E+0xdc
964f7764 82ab9a50 00000000 869d3008 00000400 nt!ObpQueryNameString+0x2b
964f7780 95ecba20 00000000 869d3008 00000400 nt!ObQueryNameString+0x18
964f77e4 82aefbde 00000000 0000001b 964f7884 SimpleMiniFilter!SfRegCallback+0xd0 [c:\winddk\7600.16385.1\src\simpleminifilter\simpleminifilter.c @ 1287]
964f7858 82a84dbe 0000001b 963ab608 8e752008 nt!CmpCallCallBacks+0x336
964f78a0 82a81207 0000001b 00000000 964f7958 nt!CmPostCallbackNotification+0x55
964f7a30 82a77ac5 a5de2218 8503c0e8 85a4f918 nt!CmpParseKey+0x14b2
964f7aac 82a87ed6 00000018 964f7b00 00000040 nt!ObpLookupObjectName+0x4fa
964f7b08 82a53a02 0664d3ac 8503c0e8 0009b601 nt!ObOpenObjectByName+0x165
964f7be8 82a53e49 0664d6a0 000f003f 0664d3ac nt!CmCreateKey+0x2b2
964f7c10 8288f1ea 0664d6a0 000f003f 0664d3ac nt!NtCreateKey+0x1f
964f7c10 76df70b4 0664d6a0 000f003f 0664d3ac nt!KiFastCallEntry+0x12a
0664d378 76df5614 753f2a2a 0664d6a0 000f003f ntdll!KiFastSystemCallRet
0664d37c 753f2a2a 0664d6a0 000f003f 0664d3ac ntdll!ZwCreateKey+0xc
0664d5a0 753f2e9b 00000018 0664d5f8 0664d600 kernel32!LocalBaseRegCreateKey+0x31f
0664d634 753f2da9 00000018 7664622c 00000000 kernel32!RegCreateKeyExInternalA+0x15d
0664d664 76645fa2 80000002 7664622c 00000000 kernel32!RegCreateKeyExA+0x2d
0664d6a4 7664621c 80000002 7664622c 76646250 urlmon!GetRegDword+0x2c [d:\w7rtm\inetcore\urlmon\urlhlink\urlostrm.cxx @ 319]
0664d6c0 76646747 035e94c8 0023e75c 00000000 urlmon!CFileDownload::KickOffDownload+0x24 [d:\w7rtm\inetcore\urlmon\urlhlink\urlostrm.cxx @ 1567]
0664d6d8 6da3e36e 00000000 0023e75c 0664d914 urlmon!URLDownloadToFileW+0x51 [d:\w7rtm\inetcore\urlmon\urlhlink\urlostrm.cxx @ 1871]
WARNING: Stack unwind information not available. Following frames may be wrong.
0664db20 6da61ac4 0023e75c 035087f0 0664db64 IEFRAME!Ordinal326+0x202d0
0664dd70 6da62203 0664de00 035087f0 00000001 IEFRAME!Ordinal326+0x43a26
0664f070 6da62303 0664f0ac 035087f0 037f4da8 IEFRAME!Ordinal326+0x44165
0664f08c 6da623af 0664f0ac 00000000 00000001 IEFRAME!Ordinal326+0x44265
0664f0b4 6d95bbd1 00000001 3357301b 0664f0d4 IEFRAME!Ordinal326+0x44311
0664f0c4 6d8d4425 000303d0 74fa189f 0664fa4c IEFRAME!Ordinal257+0x2ba16
0664f0d4 6d8d37ae 0381d020 00000000 000303d0 IEFRAME!Ordinal303+0x265b
0664fa4c 6d8eac15 000303d0 035f8bd8 0664fad0 IEFRAME!Ordinal303+0x19e4
0664fa5c 76ddd877 0381d020 70960da5 001a3b80 IEFRAME!Ordinal224+0x3b0c
0664fad0 76de0842 0381d020 035f8bd8 70960b45 ntdll!RtlpTpWorkCallback+0x11d
0664fc30 75403c45 001a3b78 0664fc7c 76e137f5 ntdll!TppWorkerThread+0x572
0664fc3c 76e137f5 001a3b78 70960b09 00000000 kernel32!BaseThreadInitThunk+0xe
0664fc7c 76e137c8 76de03e7 001a3b78 00000000 ntdll!__RtlUserThreadStart+0x70
0664fc94 00000000 76de03e7 001a3b78 00000000 ntdll!_RtlUserThreadStart+0x1b

STACK_COMMAND: kb

FOLLOWUP_IP:
SimpleMiniFilter!SfRegCallback+d0 [c:\winddk\7600.16385.1\src\simpleminifilter\simpleminifilter.c @ 1287]
95ecba20 8945dc mov dword ptr [ebp-24h],eax

FAULTING_SOURCE_CODE:
  1283:     KeyCreateInfo = (PREG_CREATE_KEY_INFORMATION_V1)OpInfo->PreInformation;
  1284:
  1285:     if(*(KeyCreateInfo->Disposition) == REG_CREATED_NEW_KEY && NT_SUCCESS(OpInfo->Status))
  1286:     {
> 1287:         status = ObQueryNameString(OpInfo->Object, KeyNameInfo, 1024, &DummyLength);
  1288:
  1289:         if(!NT_SUCCESS(status))
  1290:         {
  1291:             ExFreePoolWithTag(KeyNameInfo, SF_REG_KEY_OBJECT_POOL_TAG);
  1292:             break;

SYMBOL_STACK_INDEX: 7

SYMBOL_NAME: SimpleMiniFilter!SfRegCallback+d0

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: SimpleMiniFilter

IMAGE_NAME: SimpleMiniFilter.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 51607fab

FAILURE_BUCKET_ID: 0x50_SimpleMiniFilter!SfRegCallback+d0

BUCKET_ID: 0x50_SimpleMiniFilter!SfRegCallback+d0

Followup: MachineOwner

Now, this is the part of the function that the bugcheck is referring to:

NTSTATUS
SfRegCallback(
    __in PVOID CallbackContext,
    __in_opt PVOID RegNotifyClass,
    __in_opt PVOID RegNotifyInfo
    )
{
    NTSTATUS status;
    PREG_POST_OPERATION_INFORMATION OpInfo = NULL;
    PREG_CREATE_KEY_INFORMATION_V1 KeyCreateInfo = NULL;
    PREG_DELETE_KEY_INFORMATION KeyDeleteInfo = NULL;
    PREG_DELETE_VALUE_KEY_INFORMATION KeyValueDeleteInfo = NULL;
    PREG_RENAME_KEY_INFORMATION KeyRenameInfo = NULL;
    PREG_SET_VALUE_KEY_INFORMATION KeySetInfo = NULL;
    POBJECT_NAME_INFORMATION KeyNameInfo = NULL;
    HANDLE KeyHandle = NULL;
    PVOID KeyValueInformation = NULL;
    OBJECT_ATTRIBUTES KeyAttributes;
    ULONG DummyLength;
    int count = 0;

    OpInfo = (PREG_POST_OPERATION_INFORMATION)RegNotifyInfo;

    /* Name buffer is allocated up front, before the notification class is known */
    KeyNameInfo = (POBJECT_NAME_INFORMATION)ExAllocatePoolWithTag(NonPagedPool, 1024,
                                                                  SF_REG_KEY_OBJECT_POOL_TAG);
    if(KeyNameInfo == NULL)
        return STATUS_CALLBACK_BYPASS;

    switch((REG_NOTIFY_CLASS)(ULONG_PTR)RegNotifyClass) {

    case RegNtPostCreateKeyEx:
        KeyCreateInfo = (PREG_CREATE_KEY_INFORMATION_V1)OpInfo->PreInformation;

        if(*(KeyCreateInfo->Disposition) == REG_CREATED_NEW_KEY &&
           NT_SUCCESS(OpInfo->Status))
        {
            /* simpleminifilter.c line 1287, the call that faulted in the bugcheck above */
            status = ObQueryNameString(OpInfo->Object, KeyNameInfo, 1024, &DummyLength);

            if(!NT_SUCCESS(status))
            {
                ExFreePoolWithTag(KeyNameInfo, SF_REG_KEY_OBJECT_POOL_TAG);
                break;
            }
            else
            {
                //SfQueueMessage(processName, keyCreated, &KeyNameInfo->Name, NULL);
                DbgPrint("keyCreated#%wZ\n", &KeyNameInfo->Name);
                ExFreePoolWithTag(KeyNameInfo, SF_REG_KEY_OBJECT_POOL_TAG);
                break;
            }
        }
        else
            break;   /* KeyNameInfo is not released on this path */

    /* ... */
    }

Specifically, to this line:

    status = ObQueryNameString(OpInfo->Object, KeyNameInfo, 1024, &DummyLength);

Now, is there any check that I might have missed? What could be causing
this problem?

Thanks!

--
Using Opera's revolutionary email client: http://www.opera.com/mail/

The address 0xFFFF FFF4 is particularly suspect, because that is -8. My
suspicion is that you have called a function with a NULL pointer, and the
routine expects to find some useful data (some kind of “hidden” header to
the block of memory) at -8 from the address you pass. It looks like the
first parameter to ObQueryNameString is NULL. I would suggest either an
ASSERT/ASSERTMSG call to report this, or some code to gracefully recover
from it, or preferably both, be added.

Note the address in ESI is bogus, and the code probably resembles

NTSTATUS ObQueryNameString(LPVOID object, …others…)
{
    POBJECT_HEADER obj = (POBJECT_HEADER)(((PUCHAR)object) - sizeof(OBJECT_HEADER));

Since the value you have is -8, and the offset is 0xC, we can infer
sizeof(OBJECT_HEADER) == 20.

Your code should look something like

ASSERT(object != NULL);
if(object == NULL)
{
    …clean up whatever might need to be cleaned up
    …get out of the function
}
else
{
    NTSTATUS status = ObQueryNameString(object, …whatever…);
    …do stuff
}

In general, if you see very high addresses like this, it is because you
have passed a NULL pointer. This can be because (a) you screwed up or (b)
your caller did not say that you might be called with a NULL pointer, but
it did. If RTFM tells you that the pointer could be NULL, then you are
back in (a). If this is unspecified, but happens, then the FM is wrong;
report it as a bug, but in the meantime, deal with it.

Note that if that object pointer is something you have computed, make sure
you have tested all NTSTATUS codes that may have been returned by previous
calls; if not NT_SUCCESS() then you are in (a). Or, if a call returns a
pointer, but returns NULL if an error, deal with that because that is an
(a) case.

In general, it is best never to trust that a pointer will not be NULL.
You can often get away with this in app space because all that happens is
that the app crashes. The kernel world is less forgiving, and it requires
that you be constantly vigilant. Some people say you need to be paranoid.
This is an incorrect characterization. Paranoia is a condition
stereotypically characterized by a delusion that people are out to get
you. In security work and in kernel code, this is not a delusion. Trust
no one, or at least not very far.
joe

NTFSD is sponsored by OSR

OSR is hiring!! Info at http://www.osr.com/careers

For our schedule of debugging and file system seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

Also, be aware that the name of a Registry value can be NULL, in which
case it is asking for the “default” value. Since you showed no code of how
you got that value that is NULL, there is a reasonable chance that it
/might/ be related to this usage, but since my PTP client is broken, I
can’t use the Psychic Transfer Protocol to examine your code.
joe


Thanks for all your help, I am going to put those checks in place and then
wait and see; actually the error is kind of frustrating to reproduce, as
it occurs only occasionally.

Anyways, the reason I haven’t shown any code is because there isn’t any
with regard to this function. This is the RegistryCallback routine:

http://msdn.microsoft.com/en-us/library/windows/hardware/ff560903(v=vs.85).aspx

that I register through the CmRegisterCallbackEx routine:

http://msdn.microsoft.com/en-us/library/windows/hardware/ff541921(v=vs.85).aspx

The arguments to the SfRegCallback function are thus not computed by me
and are passed automatically by the system when a registry operation is
about to occur, or has occurred. For this specific problem, the function
is being notified after a registry key has been created:

case RegNtPostCreateKeyEx:
    KeyCreateInfo = (PREG_CREATE_KEY_INFORMATION_V1)OpInfo->PreInformation;

    if(*(KeyCreateInfo->Disposition) == REG_CREATED_NEW_KEY &&
       NT_SUCCESS(OpInfo->Status))
    {
        status = ObQueryNameString(OpInfo->Object, KeyNameInfo, 1024, &DummyLength);

and since the status of the operation is being checked, and
ObQueryNameString is only being called if the status holds a success code
(“if(*(KeyCreateInfo->Disposition) == REG_CREATED_NEW_KEY &&
NT_SUCCESS(OpInfo->Status))”), OpInfo->Object is not supposed to be
NULL.

Any thoughts?

And once again, thanks for your help and time.

Regards.

On Sun, 07 Apr 2013 12:40:33 +0500, wrote:

> Also, be aware that the name of a Registry value can be NULL, in which
> case it is asking for the “default” value. Since you showed no code of
> how you got that value that is NULL, there is a reasonable chance that it
> /might/ be related to this usage, but since my PTP client is broken, I
> can’t use the Psychic Transfer Protocol to examine your code.
> joe
>
>> Hi everyone,
>>
>> A small part of my filesystem minifilter driver is the registry
>> filtering
>> functionality. However sometimes i get this bugcheck, specifically while
>> running internet explorer:
>>
>>
>> ***
>>
>>
>> * Bugcheck
>> Analysis
>>
>>
>>

>>
>> PAGE_FAULT_IN_NONPAGED_AREA (50)
>> Invalid system memory was referenced. This cannot be protected by
>> try-except,
>> it must be protected by a Probe. Typically the address is just plain
>> bad
>> or it
>> is pointing at freed memory.
>> Arguments:
>> Arg1: fffffff4, memory referenced.
>> Arg2: 00000000, value 0 = read operation, 1 = write operation.
>> Arg3: 82a9fd34, If non-zero, the instruction address which referenced
>> the
>> bad memory
>> address.
>> Arg4: 00000000, (reserved)
>>
>> Debugging Details:
>> ------------------
>>
>>
>> READ_ADDRESS: fffffff4
>>
>> FAULTING_IP:
>> nt!ObpQueryNameString+2b
>> 82a9fd34 0fb6460c movzx eax,byte ptr [esi+0Ch]
>>
>> MM_INTERNAL_CODE: 0
>>
>> DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT
>>
>> BUGCHECK_STR: 0x50
>>
>> PROCESS_NAME: iexplore.exe
>>
>> CURRENT_IRQL: 2
>>
>> TRAP_FRAME: 964f768c – (.trap 0xffffffff964f768c)
>> ErrCode = 00000000
>> eax=964f7754 ebx=00000000 ecx=869d3008 edx=964f7884 esi=ffffffe8
>> edi=00000000
>> eip=82a9fd34 esp=964f7700 ebp=964f7764 iopl=0 nv up ei pl zr na
>> pe
>> nc
>> cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000
>> efl=00010246
>> nt!ObpQueryNameString+0x2b:
>> 82a9fd34 0fb6460c movzx eax,byte ptr [esi+0Ch]
>> ds:0023:fffffff4=??
>> Resetting default scope
>>
>> LAST_CONTROL_TRANSFER: from 82930083 to 828cc110
>>
>> STACK_TEXT:
>> 964f71d4 82930083 00000003 13c85746 00000065
>> nt!RtlpBreakWithStatusInstruction
>> 964f7224 82930b81 00000003 868db538 00000000
>> nt!KiBugCheckDebugBreak+0x1c
>> 964f75e8 828df41b 00000050 fffffff4 00000000 nt!KeBugCheck2+0x68b
>> 964f7674 828923d8 00000000 fffffff4 00000000 nt!MmAccessFault+0x106
>> 964f7674 82a9fd34 00000000 fffffff4 00000000 nt!KiTrap0E+0xdc
>> 964f7764 82ab9a50 00000000 869d3008 00000400 nt!ObpQueryNameString+0x2b
>> 964f7780 95ecba20 00000000 869d3008 00000400 nt!ObQueryNameString+0x18
>> 964f77e4 82aefbde 00000000 0000001b 964f7884
>> SimpleMiniFilter!SfRegCallback+0xd0
>> [c:\winddk\7600.16385.1\src\simpleminifilter\simpleminifilter.c @ 1287]
>> 964f7858 82a84dbe 0000001b 963ab608 8e752008 nt!CmpCallCallBacks+0x336
>> 964f78a0 82a81207 0000001b 00000000 964f7958
>> nt!CmPostCallbackNotification+0x55
>> 964f7a30 82a77ac5 a5de2218 8503c0e8 85a4f918 nt!CmpParseKey+0x14b2
>> 964f7aac 82a87ed6 00000018 964f7b00 00000040
>> nt!ObpLookupObjectName+0x4fa
>> 964f7b08 82a53a02 0664d3ac 8503c0e8 0009b601 nt!ObOpenObjectByName+0x165
>> 964f7be8 82a53e49 0664d6a0 000f003f 0664d3ac nt!CmCreateKey+0x2b2
>> 964f7c10 8288f1ea 0664d6a0 000f003f 0664d3ac nt!NtCreateKey+0x1f
>> 964f7c10 76df70b4 0664d6a0 000f003f 0664d3ac nt!KiFastCallEntry+0x12a
>> 0664d378 76df5614 753f2a2a 0664d6a0 000f003f ntdll!KiFastSystemCallRet
>> 0664d37c 753f2a2a 0664d6a0 000f003f 0664d3ac ntdll!ZwCreateKey+0xc
>> 0664d5a0 753f2e9b 00000018 0664d5f8 0664d600
>> kernel32!LocalBaseRegCreateKey+0x31f
>> 0664d634 753f2da9 00000018 7664622c 00000000
>> kernel32!RegCreateKeyExInternalA+0x15d
>> 0664d664 76645fa2 80000002 7664622c 00000000
>> kernel32!RegCreateKeyExA+0x2d
>> 0664d6a4 7664621c 80000002 7664622c 76646250 urlmon!GetRegDword+0x2c
>> [d:\w7rtm\inetcore\urlmon\urlhlink\urlostrm.cxx @ 319]
>> 0664d6c0 76646747 035e94c8 0023e75c 00000000
>> urlmon!CFileDownload::KickOffDownload+0x24
>> [d:\w7rtm\inetcore\urlmon\urlhlink\urlostrm.cxx @ 1567]
>> 0664d6d8 6da3e36e 00000000 0023e75c 0664d914
>> urlmon!URLDownloadToFileW+0x51
>> [d:\w7rtm\inetcore\urlmon\urlhlink\urlostrm.cxx @ 1871]
>> WARNING: Stack unwind information not available. Following frames may be
>> wrong.
>> 0664db20 6da61ac4 0023e75c 035087f0 0664db64 IEFRAME!Ordinal326+0x202d0
>> 0664dd70 6da62203 0664de00 035087f0 00000001 IEFRAME!Ordinal326+0x43a26
>> 0664f070 6da62303 0664f0ac 035087f0 037f4da8 IEFRAME!Ordinal326+0x44165
>> 0664f08c 6da623af 0664f0ac 00000000 00000001 IEFRAME!Ordinal326+0x44265
>> 0664f0b4 6d95bbd1 00000001 3357301b 0664f0d4 IEFRAME!Ordinal326+0x44311
>> 0664f0c4 6d8d4425 000303d0 74fa189f 0664fa4c IEFRAME!Ordinal257+0x2ba16
>> 0664f0d4 6d8d37ae 0381d020 00000000 000303d0 IEFRAME!Ordinal303+0x265b
>> 0664fa4c 6d8eac15 000303d0 035f8bd8 0664fad0 IEFRAME!Ordinal303+0x19e4
>> 0664fa5c 76ddd877 0381d020 70960da5 001a3b80 IEFRAME!Ordinal224+0x3b0c
>> 0664fad0 76de0842 0381d020 035f8bd8 70960b45
>> ntdll!RtlpTpWorkCallback+0x11d
>> 0664fc30 75403c45 001a3b78 0664fc7c 76e137f5 ntdll!TppWorkerThread+0x572
>> 0664fc3c 76e137f5 001a3b78 70960b09 00000000
>> kernel32!BaseThreadInitThunk+0xe
>> 0664fc7c 76e137c8 76de03e7 001a3b78 00000000
>> ntdll!__RtlUserThreadStart+0x70
>> 0664fc94 00000000 76de03e7 001a3b78 00000000
>> ntdll!_RtlUserThreadStart+0x1b
>>
>>
>> STACK_COMMAND: kb
>>
>> FOLLOWUP_IP:
>> SimpleMiniFilter!SfRegCallback+d0
>> [c:\winddk\7600.16385.1\src\simpleminifilter\simpleminifilter.c @ 1287]
>> 95ecba20 8945dc mov dword ptr [ebp-24h],eax
>>
>> FAULTING_SOURCE_CODE:
>> 1283: KeyCreateInfo =
>> (PREG_CREATE_KEY_INFORMATION_V1)OpInfo->PreInformation;
>> 1284:
>> 1285: if(*(KeyCreateInfo->Disposition) == REG_CREATED_NEW_KEY &&
>> NT_SUCCESS(OpInfo->Status))
>> 1286: {
>>> 1287: status = ObQueryNameString(OpInfo->Object, KeyNameInfo, 1024,
>>> &DummyLength);
>> 1288:
>> 1289: if(!NT_SUCCESS(status))
>> 1290: {
>> 1291: ExFreePoolWithTag(KeyNameInfo,
>> SF_REG_KEY_OBJECT_POOL_TAG);
>> 1292: break;
>>
>>
>> SYMBOL_STACK_INDEX: 7
>>
>> SYMBOL_NAME: SimpleMiniFilter!SfRegCallback+d0
>>
>> FOLLOWUP_NAME: MachineOwner
>>
>> MODULE_NAME: SimpleMiniFilter
>>
>> IMAGE_NAME: SimpleMiniFilter.sys
>>
>> DEBUG_FLR_IMAGE_TIMESTAMP: 51607fab
>>
>> FAILURE_BUCKET_ID: 0x50_SimpleMiniFilter!SfRegCallback+d0
>>
>> BUCKET_ID: 0x50_SimpleMiniFilter!SfRegCallback+d0
>>
>> Followup: MachineOwner
>> ---------
>>
>>
>> Now, this is part of the function that the bugcheck is referring to:
>>
>>
>> NTSTATUS
>> SfRegCallback(
>> __in PVOID CallbackContext,
>> __in_opt PVOID RegNotifyClass,
>> __in_opt PVOID RegNotifyInfo
>> )
>> {
>> NTSTATUS status;
>> PREG_POST_OPERATION_INFORMATION OpInfo = NULL;
>> PREG_CREATE_KEY_INFORMATION_V1 KeyCreateInfo = NULL;
>> PREG_DELETE_KEY_INFORMATION KeyDeleteInfo = NULL;
>> PREG_DELETE_VALUE_KEY_INFORMATION KeyValueDeleteInfo = NULL;
>> PREG_RENAME_KEY_INFORMATION KeyRenameInfo = NULL;
>> PREG_SET_VALUE_KEY_INFORMATION KeySetInfo = NULL;
>> POBJECT_NAME_INFORMATION KeyNameInfo = NULL;
>> HANDLE KeyHandle = NULL;
>> PVOID KeyValueInformation = NULL;
>> OBJECT_ATTRIBUTES KeyAttributes;
>> ULONG DummyLength;
>> int count = 0;
>>
>> OpInfo = (PREG_POST_OPERATION_INFORMATION)RegNotifyInfo;
>> KeyNameInfo =
>> (POBJECT_NAME_INFORMATION)ExAllocatePoolWithTag(NonPagedPool, 1024,
>> SF_REG_KEY_OBJECT_POOL_TAG);
>>
>> if(KeyNameInfo == NULL)
>> return STATUS_CALLBACK_BYPASS;
>>
>> switch((REG_NOTIFY_CLASS)(ULONG_PTR)RegNotifyClass) {
>>
>> case RegNtPostCreateKeyEx:
>> KeyCreateInfo =
>> (PREG_CREATE_KEY_INFORMATION_V1)OpInfo->PreInformation;
>>
>> if(*(KeyCreateInfo->Disposition) == REG_CREATED_NEW_KEY &&
>> NT_SUCCESS(OpInfo->Status))
>> {
>> status = ObQueryNameString(OpInfo->Object, KeyNameInfo, 1024,
>> &DummyLength);
>>
>> if(!NT_SUCCESS(status))
>> {
>> ExFreePoolWithTag(KeyNameInfo, SF_REG_KEY_OBJECT_POOL_TAG);
>> break;
>> }
>> else
>> {
>> //SfQueueMessage(processName, keyCreated, &KeyNameInfo->Name,
>> NULL);
>> DbgPrint("keyCreated#%wZ\n", &KeyNameInfo->Name);
>> ExFreePoolWithTag(KeyNameInfo, SF_REG_KEY_OBJECT_POOL_TAG);
>> break;
>> }
>> }
>> else
>> break;
>>
>> .
>> .
>> .
>> }
>>
>>
>> Specifically to this line:
>>
>> status = ObQueryNameString(OpInfo->Object, KeyNameInfo, 1024,
>> &DummyLength);
>>
>>
>> Now, is there any check that I might have missed? What could be causing
>> this problem?
>>
>>
>> Thanks!
>>
>> –
>> Using Opera’s revolutionary email client: http://www.opera.com/mail/
>>
>> —
>> NTFSD is sponsored by OSR
>>
>> OSR is hiring!! Info at http://www.osr.com/careers
>>
>> For our schedule of debugging and file system seminars visit:
>> http://www.osr.com/seminars
>>
>> To unsubscribe, visit the List Server section of OSR Online at
>> http://www.osronline.com/page.cfm?name=ListServer
>>

I suspect a NULL object because the resulting address 0xfffffff4 is likely
the result of a CONTAINING_RECORD adjustment of a NULL pointer in an effort
to reach the object header. Are you sure that the information in
RegNotifyInfo->PreInformation is of type REG_CREATE_KEY_INFORMATION_V1 ?
This is only available on Windows 7 and higher.

//Daniel

Yes, it is of type REG_CREATE_KEY_INFORMATION_V1, since I am building the
driver only for Windows 7 32-bit. Thanks for all your help guys; I have
put in place checks to avoid the crash. So far it hasn’t occurred; let’s
just hope that it disappears permanently.

Regards.

On Sun, 07 Apr 2013 14:58:51 +0500, wrote:

> I suspect a NULL object because the resulting address 0xfffffff4 is
> likely the result of a CONTAINING_RECORD adjustment of a NULL pointer in
> an effort to reach the object header. Are you sure that the information
> in RegNotifyInfo->PreInformation is of type
> REG_CREATE_KEY_INFORMATION_V1 ? This is only available on Windows 7 and
> higher.

Don’t check status with macro NT_SUCCESS but for code STATUS_SUCCESS as
stated here:

http://msdn.microsoft.com/en-us/library/windows/hardware/ff548191(v=vs.85).aspx

// like this
if (*(KeyCreateInfo->Disposition) == REG_CREATED_NEW_KEY &&
    OpInfo->Status == STATUS_SUCCESS)

“Muhammad Umair” wrote news:xxxxx@ntfsd…

and since the status of the operation is being checked, and the
ObQueryNameString is only being called if the status holds a success code
“if(*(KeyCreateInfo->Disposition) == REG_CREATED_NEW_KEY &&
NT_SUCCESS(OpInfo->Status))”, the OpInfo->Object, is not supposed to be
NULL.

Any thoughts?

And once again, thanks for your help and time.

Regards.
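To make the two findings in this thread concrete, here is an added user-mode C model; it is not the poster's driver code. It shows why NT_SUCCESS() accepts informational status codes that a comparison with STATUS_SUCCESS rejects, and reconstructs how a NULL Object becomes the 0xfffffff4 read. The NTSTATUS values are the real ones from ntstatus.h; the struct is a constructed stand-in for REG_POST_OPERATION_INFORMATION, and the 0x18 OBJECT_HEADER body offset for x86 is an assumption.

```c
/* Added user-mode model of the registry post-operation check, not the
 * poster's driver.  NTSTATUS values are the real ones from ntstatus.h;
 * the struct is a constructed stand-in for REG_POST_OPERATION_INFORMATION. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef int32_t NTSTATUS;
#define NT_SUCCESS(s)             (((NTSTATUS)(s)) >= 0)   /* as in ntdef.h */
#define STATUS_SUCCESS            ((NTSTATUS)0x00000000L)
#define STATUS_OBJECT_NAME_EXISTS ((NTSTATUS)0x40000000L)  /* informational */
#define STATUS_UNSUCCESSFUL       ((NTSTATUS)0xC0000001L)  /* error */

typedef struct { void *Object; NTSTATUS Status; } POST_OP_INFO;

/* Original predicate: NT_SUCCESS() is TRUE for every non-error code, so an
 * informational status still leads to ObQueryNameString(Object, ...) even
 * when Object is NULL. */
static int buggy_would_query_name(const POST_OP_INFO *op)
{
    return NT_SUCCESS(op->Status);
}

/* Predicate from the thread's answer, plus an explicit NULL guard so the
 * callback skips the query instead of faulting inside the object manager. */
static int fixed_would_query_name(const POST_OP_INFO *op)
{
    return op->Status == STATUS_SUCCESS && op->Object != NULL;
}

/* Why a NULL Object reads 0xfffffff4: ObpQueryNameString steps back from
 * the object body to its OBJECT_HEADER (body offset 0x18 on x86, assumed
 * here) and then reads a byte at header+0x0C.  32-bit arithmetic, no UB. */
static uint32_t faulting_read_address_x86(uint32_t object_body)
{
    return object_body - 0x18u + 0x0Cu;
}

int main(void)
{
    int key = 0;                                   /* constructed sample data */
    POST_OP_INFO ok   = { &key, STATUS_SUCCESS };
    POST_OP_INFO info = { NULL, STATUS_OBJECT_NAME_EXISTS };
    POST_OP_INFO fail = { NULL, STATUS_UNSUCCESSFUL };

    printf("success      : buggy=%d fixed=%d\n", buggy_would_query_name(&ok),   fixed_would_query_name(&ok));
    printf("informational: buggy=%d fixed=%d\n", buggy_would_query_name(&info), fixed_would_query_name(&info));
    printf("error        : buggy=%d fixed=%d\n", buggy_would_query_name(&fail), fixed_would_query_name(&fail));
    printf("NULL Object faults at 0x%08x\n", (unsigned)faulting_read_address_x86(0));
    return 0;
}
```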

Thanks for the info man, this shows exactly what the problem was!

On Mon, 08 Apr 2013 19:47:26 +0500, wrote:

> Don’t check status with macro NT_SUCCESS but for code STATUS_SUCCESS as
> stated here:
>
> http://msdn.microsoft.com/en-us/library/windows/hardware/ff548191(v=vs.85).aspx
>
>
> // like this
> if (*(KeyCreateInfo->Disposition) == REG_CREATED_NEW_KEY &&
>     OpInfo->Status == STATUS_SUCCESS)
>
> “Muhammad Umair” wrote news:xxxxx@ntfsd…
>
> …
>
> and since the status of the operation is being checked, and the
> ObQueryNameString is only being called if the status holds a success code
> "if(*(KeyCreateInfo->Disposition) == REG_CREATED_NEW_KEY &&
> NT_SUCCESS(OpInfo->Status))", the OpInfo->Object, is not supposed to be
> NULL.
>
> Any thoughts?
>
> And once again, thanks for your help and time.
>
> Regards.