I have a mini-filter driver, which seems to cause this bug-check when I keep
it running for a while. The bug-check does not happen when its not running
(so obviously it is due to my driver).
The bug check is due a kernel mode APC still pending on a thread that was
exiting (due to call to NtTerminateProcess as in the stack below).
From the bug check Arg1(8a3a1304) and looking around nt!PspExitThread where
KeBugCheckEx was called, I was able to get that APC object as below:
1: kd> dt nt!_KAPC 8a3a1304-0xc
+0x000 Type : 18
+0x002 Size : 48
+0x004 Spare0 : 0
+0x008 Thread : 0x89ec8508 _KTHREAD
+0x00c ApcListEntry : _LIST_ENTRY [0x8a3a1304 - 0x8a3a1304]
+0x014 KernelRoutine : 0x805d104e void nt!PsExitSpecialApc+0
+0x018 RundownRoutine : 0x805f177e void nt!ExFreeCallBack+0
+0x01c NormalRoutine : 0x805d107a void nt!PspExitNormalApc+0
+0x020 NormalContext : (null)
+0x024 SystemArgument1 : 0x8a3a12f8
+0x028 SystemArgument2 : (null)
+0x02c ApcStateIndex : 0 ''
+0x02d ApcMode : 0 ''
+0x02e Inserted : 0 ''
From this info, can anyone suggest the probable cause of this bug-check due
to a mini-filter driver?
I had a feeling that this bugcheck is related to improper returning of
FLT_PREOP_CALLBACK_STATUS(or POST OP_CALLBACK STATUS).
I have done a several review of my pre-op and post-op routines and nothing
sticks out.
Thanks
Chandra
1: kd> !analyze -v
*******************************************************************************
*
*
* Bugcheck
Analysis *
*
*
*******************************************************************************
KERNEL_APC_PENDING_DURING_EXIT (20)
The key data item is the thread's APC disable count.
If this is non-zero, then this is the source of the problem.
The APC disable count is decremented each time a driver calls
KeEnterCriticalRegion, KeInitializeMutex, or FsRtlEnterFileSystem. The APC
disable count is incremented each time a driver calls KeLeaveCriticalRegion,
KeReleaseMutex, or FsRtlExitFileSystem. Since these calls should always be
in
pairs, this value should be zero when a thread exits. A negative value
indicates that a driver has disabled APC calls without re-enabling them. A
positive value indicates that the reverse is true.
If you ever see this error, be very suspicious of all drivers installed on
the
machine -- especially unusual or non-standard drivers. Third party file
system redirectors are especially suspicious since they do not generally
receive the heavy duty testing that NTFS, FAT, RDR, etc receive.
This current IRQL should also be 0. If it is not, that a driver's
cancelation routine can cause this bugcheck by returning at an elevated
IRQL. Always attempt to note what you were doing/closing at the
time of the crash, and note all of the installed drivers at the time of
the crash. This symptom is usually a severe bug in a third party
driver.
Arguments:
Arg1: 8a3a1304, The address of the APC found pending during exit.
Arg2: ffffffff, The thread's APC disable count
Arg3: 00000000, The current IRQL
Arg4: 00000000
Debugging Details:
BUGCHECK_STR: 0x20_KAPC_NEGATIVE
DEFAULT_BUCKET_ID: DRIVER_FAULT
PROCESS_NAME: imapi.exe
LAST_CONTROL_TRANSFER: from 804f8cb1 to 8052a834
STACK_TEXT:
a7f75824 804f8cb1 00000003 a7f75b80 00000000
nt!RtlpBreakWithStatusInstruction
a7f75870 804f989c 00000003 8a3a1304 89ec8508 nt!KiBugCheckDebugBreak+0x19
a7f75c50 804f9deb 00000020 8a3a1304 ffffffff nt!KeBugCheck2+0x574
a7f75c70 805d0fc9 00000020 8a3a1304 ffffffff nt!KeBugCheckEx+0x1b
a7f75d08 805d1150 00000000 89ec8508 00000000 nt!PspExitThread+0x65d
a7f75d28 805d132b 89ec8508 00000000 a7f75d64
nt!PspTerminateThreadByPointer+0x52
a7f75d54 8054086c 00000000 00000000 0093ff64 nt!NtTerminateProcess+0x105
a7f75d54 7c90eb94 00000000 00000000 0093ff64 nt!KiFastCallEntry+0xfc
WARNING: Frame IP not in any known module. Following frames may be wrong.
0093ff64 00000000 00000000 00000000 00000000 0x7c90eb94
STACK_COMMAND: kb
FOLLOWUP_IP:
nt!PspExitThread+65d
805d0fc9 e896c8f2ff call nt!KeTerminateThread (804fd864)
SYMBOL_STACK_INDEX: 4
SYMBOL_NAME: nt!PspExitThread+65d
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: nt
IMAGE_NAME: ntkrpamp.exe
DEBUG_FLR_IMAGE_TIMESTAMP: 45e53f9d
FAILURE_BUCKET_ID: 0x20_KAPC_NEGATIVE_nt!PspExitThread+65d
BUCKET_ID: 0x20_KAPC_NEGATIVE_nt!PspExitThread+65d