Identifying NTFS metadata files from minifilter

Hello,

We recently ran into an issue with our mini-filter where a third-party driver was issuing a ZwCreateFile call on the NTFS metadata file $AttrDef. Our minifilter attempted to issue a FltReadFile call on it, resulting in the following BSOD.

b9ad2f80 80a614a9 badb0d00 b9ad3004 b9ad2f58 nt!KiTrap0E+0x18c (FPO: [0,0] TrapFrame @ b9ad2f80)
b9ad2ff0 8087f02f 898a6418 e26860d0 898bdac8 hal!KeAcquireInStackQueuedSpinLockRaiseToSynch+0x19 (FPO: [0,0,0])
b9ad3010 f7b52b43 00000000 b9ad3001 b9ad30fc nt!ExAcquireSharedWaitForExclusive+0x23 (FPO: [Non-Fpo])
b9ad3020 f7b50d31 898bdac8 e26860d0 b9ad3001 Ntfs!NtfsAcquirePagingResourceSharedWaitForExclusive+0x20 (FPO: [Non-Fpo])
b9ad30fc f7b51079 898bdac8 898a62d0 00000001 Ntfs!NtfsCommonRead+0x429 (FPO: [Non-Fpo])
b9ad31a0 8081e185 8a18d718 898a62d0 898a62d0 Ntfs!NtfsFsdRead+0x113 (FPO: [Non-Fpo])
b9ad31b4 f76d2b39 00000000 89862064 00000000 nt!IofCallDriver+0x45 (FPO: [Non-Fpo])
b9ad31d8 f76d3687 b9ad31f8 89fd2838 00000000 fltmgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x20b (FPO: [Non-Fpo])
b9ad3210 f76d3a85 89d66dd0 00000a00 b9ad349c fltmgr!FltPerformSynchronousIo+0xb9 (FPO: [Non-Fpo])
b9ad327c f7860690 89d66dd0 89acbb18 b9ad32b4 fltmgr!FltReadFile+0x2c9 (FPO: [Non-Fpo])

I have a few questions on this.

  1. What is causing this crash in NTFS? Is a mini-filter supposed to ignore NTFS metadata files?
  2. How does a mini-filter ignore the metadata files? I see two options.
    a. Compare the name against the well-known NTFS metadata files.
    b. Somebody suggested checking whether the file id is between 0 and 16. Is it guaranteed that none of the NTFS metadata files have a file id > 16 and that none of the non-metadata files have a file id in the range 0 to 16?
    Is there any other option?
  3. Do we need to ignore certain files on other file systems, viz. ReFS or CDFS?

Any inputs will be greatly appreciated!

Thanks.
-Prasad

The only technique I know of is the one Malcolm mentions in this post:
https://www.osronline.com/showThread.CFM?link=150367

"
Typically filters detect these files by FileId and path
(FileInternalInformation). Files < 16 by ID or beginning with “$Extend”
are NTFS system files.
"

Thanks,
Alex.

On Wed, Feb 26, 2014 at 2:32 AM, wrote:

>
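The rule quoted in the reply (MFT record number below 16, or a path under $Extend) is the whole technique, but two details bite when you implement it in a filter. First, the value FileInternalInformation returns on NTFS (IndexNumber.QuadPart) is the 64-bit file reference, whose high 16 bits are a sequence number; $AttrDef with sequence number 1 reads as 0x0001000000000004, so the sequence bits must be masked off before the "< 16" comparison. Second, a prefix match on "\$Extend" must stop at a path separator or stream separator, or a user directory such as "\$Extended" is misclassified. The helper below is an added example for this thread, not code from the original post or from any shipping filter; it is written to compile and run in user mode so the classification logic can be exercised with constructed inputs, and the only assumption is that the caller feeds it the file reference obtained via FltQueryInformationFile(FileInternalInformation) and the volume-relative name from FltGetFileNameInformation. The list of names for the reserved records in the comments is standard NTFS layout, not something stated in the thread.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <wchar.h>
#include <wctype.h>

/* NTFS file reference layout: low 48 bits = MFT record number,
 * high 16 bits = sequence number. FileInternalInformation returns the
 * full 64-bit reference, so mask before comparing against 16. */
#define NTFS_MFT_RECORD_MASK   0x0000FFFFFFFFFFFFULL
#define NTFS_RESERVED_RECORDS  16ULL   /* records 0..15 are reserved for metadata */

/* Records 0..15 (standard NTFS layout, for reference):
 *  0 $MFT  1 $MFTMirr  2 $LogFile  3 $Volume  4 $AttrDef  5 . (root dir)
 *  6 $Bitmap  7 $Boot  8 $BadClus  9 $Secure  10 $UpCase  11 $Extend
 *  12..15 reserved.  Note that the root directory (record 5) falls inside
 *  this range, so "ID < 16" also flags the volume root. */

static uint64_t NtfsMftRecordNumber(uint64_t fileReference)
{
    return fileReference & NTFS_MFT_RECORD_MASK;
}

/* Case-insensitive prefix compare; NTFS name lookups ignore case. */
static bool PrefixMatchesIgnoreCase(const wchar_t *s, const wchar_t *prefix)
{
    for (; *prefix != L'\0'; ++s, ++prefix) {
        if (*s == L'\0' || towlower((wint_t)*s) != towlower((wint_t)*prefix))
            return false;
    }
    return true;
}

/* Volume-relative path as a filter would see it after stripping the volume
 * name from FLT_FILE_NAME_INFORMATION.Name, e.g. L"\\$Extend\\$UsnJrnl:$J".
 * Matches "\$Extend" itself and anything beneath it, but not "\$Extended". */
static bool PathIsUnderExtend(const wchar_t *volumeRelativePath)
{
    static const wchar_t prefix[] = L"\\$Extend";
    const size_t n = wcslen(prefix);

    if (volumeRelativePath == NULL) return false;
    if (!PrefixMatchesIgnoreCase(volumeRelativePath, prefix)) return false;

    const wchar_t next = volumeRelativePath[n];
    return next == L'\0' || next == L'\\' || next == L':';
}

/* True when the object is an NTFS metadata file the filter should not
 * issue FltReadFile (or similar data I/O) against. Either test alone is
 * insufficient: $Extend's children ($UsnJrnl, $ObjId, $Quota, $Reparse)
 * have record numbers >= 16, and the ID check does not need a name. */
bool NtfsIsSystemFile(uint64_t fileReference, const wchar_t *volumeRelativePath)
{
    if (NtfsMftRecordNumber(fileReference) < NTFS_RESERVED_RECORDS)
        return true;
    return PathIsUnderExtend(volumeRelativePath);
}

/* Sketch of where this sits in a minifilter (pseudocode in a comment only;
 * the real callback would use FltQueryInformationFile and
 * FltGetFileNameInformation on the FLT_CALLBACK_DATA for the create):
 *
 *   post-create:
 *     query FileInternalInformation -> ref
 *     get normalized name, strip volume prefix -> path
 *     if (NtfsIsSystemFile(ref, path)) { mark context "skip"; return; }
 *     ... otherwise safe to FltReadFile later ...
 */

int main(void)
{
    /* Constructed references: $AttrDef with sequence 1, a $UsnJrnl stream
     * with record 0x20/sequence 4, and an ordinary user file. */
    return (NtfsIsSystemFile(0x0001000000000004ULL, L"\\$AttrDef") &&
            NtfsIsSystemFile(0x0004000000000020ULL, L"\\$Extend\\$UsnJrnl:$J") &&
            !NtfsIsSystemFile(0x000100000000002AULL, L"\\Users\\p\\notes.txt")) ? 0 : 1;
}
```

The ID test is cheap and needs no name, so it is the one to run first; the $Extend prefix test covers the metadata that lives outside the reserved record range. Neither applies to ReFS or CDFS, which the thread leaves open; on those file systems the reference layout and reserved-record convention above do not hold.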