Interference with Norton AntiVirus 2002

Just my two cents. A reaction on suggestion to use ExAllocatePool.
In my experience with NT (I’m not sure if this remains true with W2K+)
frequent alloc/dealloc of small chunks of memory may cause significant
performance degradation of the system in general. “In general” means
that after a while it doesn’t matter, whether your driver is active or
not. The entire system works much slower than it was at the beginning.
Why I blame alloc/dealloc? Well, as soon as I have switched on using
zone allocs (instead of pool allocs) that performance problem went away.

Regards,

Vladimir

-----Original Message-----
From: Jamey Kirby [mailto:xxxxx@storagecraft.com]
Sent: Friday, December 14, 2001 10:44 AM
To: File Systems Developers
Subject: [ntfsd] Re: Interference with Norton AntiVirus 2002

Surly this is a very odd idea unless you know exactly what you are
doing. Do not send requests directly to the FSD at the bottom.

A couple of points:

• Spend plenty of time reviewing your code and get everything off the
  stack you can. Use ExAllocatePool() is you must.

• Review FASTFAT source in IFSKIT. It uses a mechanism to determine
  stack space. It checks the threshold and if there is insufficent stack
  space, the request is posted off to an FSP (thread in a known process is
  a better description than FSP).

• Only call the base FSD directly if you know what you are doing; unless
  you are adding or extending functionality of a very specific nature to
  an existing FSD that you are intimate with. For example, EFS is tightly
  bound to NTFS and it is possible that this driver could use this
  technique; but I doubt it.

• Using this method of calling the FSD directly will bypass
  functionality in many filter drivers; mine included. Please do not do
  this. You can not assume that you are the top dog (or bottom).

Jamey

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Ravisankar
Pudipeddi
Sent: Friday, December 21, 2001 9:57 AM
To: File Systems Developers
Subject: [ntfsd] Re: Interference with Norton AntiVirus 2002

Are you suggesting that in NT 4 & Win 2K filters should directly send
the IRP to the base filesystem so as to counter stack overflow
situations?
This is very unacceptable. Bypassing filters below you can have very
indeterminate effects.

Posting to a different thread is the best option available for
create/close in NT 4 & Win2K. Read/Write’s can be handrolled & sent down
to the next lower driver.

Thanks,
Ravi

–
This posting is provided “AS IS” with no warranties, and confers no
rights. You assume all risk for your use

-----Original Message-----
From: Kelley, Jerry [mailto:xxxxx@nsisoftware.com]
Sent: Friday, December 21, 2001 6:30 AM
To: File Systems Developers
Subject: [ntfsd] Re: Interference with Norton AntiVirus 2002

To clarify a point, you pass in a PFILE_OBJECT to
IoGetBaseFileSystemDeviceObject() and it’ll give you back the VDO for
the file system.

-----Original Message-----
From: Kelley, Jerry
Sent: Friday, December 21, 2001 8:42 AM
To: File Systems Developers
Subject: [ntfsd] Re: Interference with Norton AntiVirus 2002

Note that IoCreateFileSpecifyDeviceObjectHint() is not available in W2K
or NT4. For W2K and NT4, here’s a hint: look at
IoGetBaseFileSystemDeviceObject() which is defined in NTIFS.H. It’ll get
you the file system’s DO. You’ll need to roll your own IRP and catch it
on the way back up.

The stack overflow situation is familiar to me as well. The general rule
about conserving stack space should be adhered to or else you’re going
to see this as soon as you get another filter or two in the stack. If
you have a lot of variables or need a fair amount of space in a routine,
consider lookaside lists that the routines can use instead of automatic
variables.

You can get stack space estimates as you’re called and take some actions
(at least in debugging) to find out when the stack is getting low.

-----Original Message-----
From: Ravisankar Pudipeddi [mailto:xxxxx@windows.microsoft.com]
Sent: Thursday, December 20, 2001 3:07 PM
To: File Systems Developers
Subject: [ntfsd] Re: Interference with Norton AntiVirus 2002

Please be very conservative with stack space. I’d even say, take a
defensive approach to this problem. It’s very easy to blow the stack
with 2 filters on x86. I see this happen too often nowadays …

If you HAVE to issue a re-entrant operation - such as a ZwCreateFile
(and on XP you shouldn’t, you should be using
IoCreateFileSpecifyDeviceObjectHint()), please make sure that you have
enough stack space before issuing this. You can use
IoGetRemainingStackSize() to check how much stack is left.

If not, consider giving this operation a fresh stack by posting it to a
worker thread.

Please don’t put MAX_PATH buffers on the stack. Allocate them. Check for
allocation failures.

Please don’t try to put file path-names in a buffer that’s only MAX_PATH
long. Regardless of whether MAX_PATH is your own define or not.

A refresh of these rules seemed timely, though I know most of you are
aware of them (or found out the hard way :-)), already.

Thanks,
Ravi

–
This posting is provided “AS IS” with no warranties, and confers no
rights. You assume all risk for your use

-----Original Message-----
From: Ronen Agam [mailto:xxxxx@hotmail.com]
Sent: Thursday, December 20, 2001 11:37 AM
To: File Systems Developers
Subject: [ntfsd] Re: Interference with Norton AntiVirus 2002

The _MAX_PATH is my own define of 260 bytes. After all give me some
credit
that I know what I am doing. My point was also that we sometimes call
other
functions which consumes stack space, and thus shuold over look those
functions gets called from the dispatch func.

Ronen

From: Dejan Maksimovic
>Reply-To: “File Systems Developers”
>To: “File Systems Developers”
>Subject: [ntfsd] Re: Interference with Norton AntiVirus 2002
>Date: Thu, 20 Dec 2001 16:51:51 +0100
>
> > I know its hard to beleive that our driver is the cause for the
> > problem.
>I
> > thought the same.
>
> Well, from the points below, it wouldn’t be hard to believe:-)
>
> > I removed my fiter driver and scan the machine - it worked fine. I
> > put
>it
> > back and crash after norton was scanning 3/4 of the files. It didn’t

> > happened every time but 70% of the times. In my dispatch routine all

> > data I was using on the stack, such as the
>buffer
> > that holds the file name (_MAX_PATH) and other routine I was calling
>from my
> > dispatch routine I allocated those local variables from the heap.
> > That solved my problem. If it doesn’t, then try to contact NAV, who
> > knows
>what
> > are they doing there. Buy the way on NT 4.0 I never saw the problem,

> > it
>only
> > happens on 2000.
>
> Just a few notes:
> - This doesn’t mean the stack is the problem. NT has a smaller
>stack space!
> - MAX_PATH is not enough to hold many paths on Server
environments,
>which
>can easily go over 260 characters. It would be wise to do extra
checking
>for
>file name size before using the buffer and overflowing it potentially,
or
>to
>dynamically allocate the buffer after checking how big it needs to be.
>
>–
>Kind regards, Dejan M. CEO Alfa Co. www.alfasp.com
>E-mail: xxxxx@alfasp.com
>ICQ#: 56570367
>Alfa File Monitor - File monitoring system for Win32 developers. Alfa
>File Protector - File protection and hiding system for Win32
>developers.
>
>
>
>
>
>—
>You are currently subscribed to ntfsd as: xxxxx@hotmail.com To
>unsubscribe send a blank email to leave-ntfsd-$subst(‘Recip.MemberIDChar’)@lists.osr.com

_________________________________________________________________
Join the world’s largest e-mail service with MSN Hotmail.
http://www.hotmail.com

—
You are currently subscribed to ntfsd as: xxxxx@windows.microsoft.com
To unsubscribe send a blank email to leave-ntfsd-$subst(‘Recip.MemberIDChar’)@lists.osr.com

—
You are currently subscribed to ntfsd as: xxxxx@nsisoftware.com To
unsubscribe send a blank email to leave-ntfsd-$subst(‘Recip.MemberIDChar’)@lists.osr.com

—
You are currently subscribed to ntfsd as: xxxxx@nsisoftware.com To
unsubscribe send a blank email to leave-ntfsd-$subst(‘Recip.MemberIDChar’)@lists.osr.com

—
You are currently subscribed to ntfsd as: xxxxx@windows.microsoft.com
To unsubscribe send a blank email to leave-ntfsd-$subst(‘Recip.MemberIDChar’)@lists.osr.com

—
You are currently subscribed to ntfsd as: xxxxx@storagecraft.com To
unsubscribe send a blank email to leave-ntfsd-$subst(‘Recip.MemberIDChar’)@lists.osr.com

—
You are currently subscribed to ntfsd as: xxxxx@Starbase.com
To unsubscribe send a blank email to leave-ntfsd-$subst(‘Recip.MemberIDChar’)@lists.osr.com

—
You are currently subscribed to ntfsd as: $subst(‘Recip.EmailAddr’)
To unsubscribe send a blank email to leave-ntfsd-$subst(‘Recip.MemberIDChar’)@lists.osr.com

Sure, it was only a elementary suggestion. It is surly better to use a
heap if you have access to one.

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Chtchetkine,
Vladimir
Sent: Friday, December 21, 2001 11:53 AM
To: File Systems Developers
Subject: [ntfsd] Re: Interference with Norton AntiVirus 2002

Just my two cents. A reaction on suggestion to use ExAllocatePool.
In my experience with NT (I’m not sure if this remains true with W2K+)
frequent alloc/dealloc of small chunks of memory may cause significant
performance degradation of the system in general. “In general” means
that after a while it doesn’t matter, whether your driver is active or
not. The entire system works much slower than it was at the beginning.
Why I blame alloc/dealloc? Well, as soon as I have switched on using
zone allocs (instead of pool allocs) that performance problem went away.

Regards,

Vladimir

-----Original Message-----
From: Jamey Kirby [mailto:xxxxx@storagecraft.com]
Sent: Friday, December 14, 2001 10:44 AM
To: File Systems Developers
Subject: [ntfsd] Re: Interference with Norton AntiVirus 2002

Surly this is a very odd idea unless you know exactly what you are
doing. Do not send requests directly to the FSD at the bottom.

A couple of points:

• Spend plenty of time reviewing your code and get everything off the
  stack you can. Use ExAllocatePool() is you must.

• Review FASTFAT source in IFSKIT. It uses a mechanism to determine
  stack space. It checks the threshold and if there is insufficent stack
  space, the request is posted off to an FSP (thread in a known process is

a better description than FSP).

• Only call the base FSD directly if you know what you are doing; unless

you are adding or extending functionality of a very specific nature to
an existing FSD that you are intimate with. For example, EFS is tightly
bound to NTFS and it is possible that this driver could use this
technique; but I doubt it.

• Using this method of calling the FSD directly will bypass
  functionality in many filter drivers; mine included. Please do not do
  this. You can not assume that you are the top dog (or bottom).

Jamey

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Ravisankar
Pudipeddi
Sent: Friday, December 21, 2001 9:57 AM
To: File Systems Developers
Subject: [ntfsd] Re: Interference with Norton AntiVirus 2002

Are you suggesting that in NT 4 & Win 2K filters should directly send
the IRP to the base filesystem so as to counter stack overflow
situations?
This is very unacceptable. Bypassing filters below you can have very
indeterminate effects.

Posting to a different thread is the best option available for
create/close in NT 4 & Win2K. Read/Write’s can be handrolled & sent down

to the next lower driver.

Thanks,
Ravi

–
This posting is provided “AS IS” with no warranties, and confers no
rights. You assume all risk for your use

-----Original Message-----
From: Kelley, Jerry [mailto:xxxxx@nsisoftware.com]
Sent: Friday, December 21, 2001 6:30 AM
To: File Systems Developers
Subject: [ntfsd] Re: Interference with Norton AntiVirus 2002

To clarify a point, you pass in a PFILE_OBJECT to
IoGetBaseFileSystemDeviceObject() and it’ll give you back the VDO for
the file system.

-----Original Message-----
From: Kelley, Jerry
Sent: Friday, December 21, 2001 8:42 AM
To: File Systems Developers
Subject: [ntfsd] Re: Interference with Norton AntiVirus 2002

Note that IoCreateFileSpecifyDeviceObjectHint() is not available in W2K
or NT4. For W2K and NT4, here’s a hint: look at
IoGetBaseFileSystemDeviceObject() which is defined in NTIFS.H. It’ll get

you the file system’s DO. You’ll need to roll your own IRP and catch it
on the way back up.

The stack overflow situation is familiar to me as well. The general rule

about conserving stack space should be adhered to or else you’re going
to see this as soon as you get another filter or two in the stack. If
you have a lot of variables or need a fair amount of space in a routine,

consider lookaside lists that the routines can use instead of automatic
variables.

You can get stack space estimates as you’re called and take some actions

(at least in debugging) to find out when the stack is getting low.

-----Original Message-----
From: Ravisankar Pudipeddi [mailto:xxxxx@windows.microsoft.com]
Sent: Thursday, December 20, 2001 3:07 PM
To: File Systems Developers
Subject: [ntfsd] Re: Interference with Norton AntiVirus 2002

Please be very conservative with stack space. I’d even say, take a
defensive approach to this problem. It’s very easy to blow the stack
with 2 filters on x86. I see this happen too often nowadays …

If you HAVE to issue a re-entrant operation - such as a ZwCreateFile
(and on XP you shouldn’t, you should be using
IoCreateFileSpecifyDeviceObjectHint()), please make sure that you have
enough stack space before issuing this. You can use
IoGetRemainingStackSize() to check how much stack is left.

If not, consider giving this operation a fresh stack by posting it to a
worker thread.

Please don’t put MAX_PATH buffers on the stack. Allocate them. Check for

allocation failures.

Please don’t try to put file path-names in a buffer that’s only MAX_PATH

long. Regardless of whether MAX_PATH is your own define or not.

A refresh of these rules seemed timely, though I know most of you are
aware of them (or found out the hard way :-)), already.

Thanks,
Ravi

–
This posting is provided “AS IS” with no warranties, and confers no
rights. You assume all risk for your use

-----Original Message-----
From: Ronen Agam [mailto:xxxxx@hotmail.com]
Sent: Thursday, December 20, 2001 11:37 AM
To: File Systems Developers
Subject: [ntfsd] Re: Interference with Norton AntiVirus 2002

The _MAX_PATH is my own define of 260 bytes. After all give me some
credit
that I know what I am doing. My point was also that we sometimes call
other
functions which consumes stack space, and thus shuold over look those
functions gets called from the dispatch func.

Ronen

From: Dejan Maksimovic
>Reply-To: “File Systems Developers”
>To: “File Systems Developers”
>Subject: [ntfsd] Re: Interference with Norton AntiVirus 2002
>Date: Thu, 20 Dec 2001 16:51:51 +0100
>
> > I know its hard to beleive that our driver is the cause for the
> > problem.
>I
> > thought the same.
>
> Well, from the points below, it wouldn’t be hard to believe:-)
>
> > I removed my fiter driver and scan the machine - it worked fine. I
> > put
>it
> > back and crash after norton was scanning 3/4 of the files. It didn’t

> > happened every time but 70% of the times. In my dispatch routine all

> > data I was using on the stack, such as the
>buffer
> > that holds the file name (_MAX_PATH) and other routine I was calling

>from my
> > dispatch routine I allocated those local variables from the heap.
> > That solved my problem. If it doesn’t, then try to contact NAV, who
> > knows
>what
> > are they doing there. Buy the way on NT 4.0 I never saw the problem,

> > it
>only
> > happens on 2000.
>
> Just a few notes:
> - This doesn’t mean the stack is the problem. NT has a smaller
>stack space!
> - MAX_PATH is not enough to hold many paths on Server
environments,
>which
>can easily go over 260 characters. It would be wise to do extra
checking
>for
>file name size before using the buffer and overflowing it potentially,
or
>to
>dynamically allocate the buffer after checking how big it needs to be.
>
>–
>Kind regards, Dejan M. CEO Alfa Co. www.alfasp.com
>E-mail: xxxxx@alfasp.com
>ICQ#: 56570367
>Alfa File Monitor - File monitoring system for Win32 developers. Alfa
>File Protector - File protection and hiding system for Win32
>developers.
>
>
>
>
>
>—
>You are currently subscribed to ntfsd as: xxxxx@hotmail.com To
>unsubscribe send a blank email to leave-ntfsd-$subst(‘Recip.MemberIDChar’)@lists.osr.com

_________________________________________________________________
Join the world’s largest e-mail service with MSN Hotmail.
http://www.hotmail.com

—
You are currently subscribed to ntfsd as: xxxxx@windows.microsoft.com
To unsubscribe send a blank email to leave-ntfsd-$subst(‘Recip.MemberIDChar’)@lists.osr.com

—
You are currently subscribed to ntfsd as: xxxxx@nsisoftware.com To
unsubscribe send a blank email to leave-ntfsd-$subst(‘Recip.MemberIDChar’)@lists.osr.com

—
You are currently subscribed to ntfsd as: xxxxx@nsisoftware.com To
unsubscribe send a blank email to leave-ntfsd-$subst(‘Recip.MemberIDChar’)@lists.osr.com

—
You are currently subscribed to ntfsd as: xxxxx@windows.microsoft.com
To unsubscribe send a blank email to leave-ntfsd-$subst(‘Recip.MemberIDChar’)@lists.osr.com

—
You are currently subscribed to ntfsd as: xxxxx@storagecraft.com To
unsubscribe send a blank email to leave-ntfsd-$subst(‘Recip.MemberIDChar’)@lists.osr.com

—
You are currently subscribed to ntfsd as: xxxxx@Starbase.com
To unsubscribe send a blank email to leave-ntfsd-$subst(‘Recip.MemberIDChar’)@lists.osr.com

—
You are currently subscribed to ntfsd as: xxxxx@storagecraft.com
To unsubscribe send a blank email to leave-ntfsd-$subst(‘Recip.MemberIDChar’)@lists.osr.com

—
You are currently subscribed to ntfsd as: $subst(‘Recip.EmailAddr’)
To unsubscribe send a blank email to leave-ntfsd-$subst(‘Recip.MemberIDChar’)@lists.osr.com

Dear all:

On Fri, 21 Dec 2001 11:52:51 -0800, you wrote:

Just my two cents. A reaction on suggestion to use ExAllocatePool.
In my experience with NT (I’m not sure if this remains true with W2K+)
frequent alloc/dealloc of small chunks of memory may cause significant
performance degradation of the system in general. “In general” means
that after a while it doesn’t matter, whether your driver is active or
not. The entire system works much slower than it was at the beginning.
Why I blame alloc/dealloc? Well, as soon as I have switched on using
zone allocs (instead of pool allocs) that performance problem went away.

Regards,

Vladimir

Does anyone know if W2K+ has better memory defragmentation algorithms than
NT 4.0?

Ralph Shnelvar

You are currently subscribed to ntfsd as: $subst(‘Recip.EmailAddr’)
To unsubscribe send a blank email to leave-ntfsd-$subst(‘Recip.MemberIDChar’)@lists.osr.com

No. You should not rely on ExAllocatePool() for frequent allocs and
deallocs. Lookaside lists and Zones are a much better method to manage
memory. If your allocate/deallocate requirements require frequent use
variable size allocations, you may consider implementing your own heap.

Jamey

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Ralph Shnelvar
Sent: Tuesday, December 25, 2001 5:18 PM
To: File Systems Developers
Subject: [ntfsd] Re: Interference with Norton AntiVirus 2002

Dear all:

On Fri, 21 Dec 2001 11:52:51 -0800, you wrote:

Just my two cents. A reaction on suggestion to use ExAllocatePool. In
my experience with NT (I’m not sure if this remains true with W2K+)
frequent alloc/dealloc of small chunks of memory may cause significant
performance degradation of the system in general. “In general” means
that after a while it doesn’t matter, whether your driver is active or
not. The entire system works much slower than it was at the beginning.
Why I blame alloc/dealloc? Well, as soon as I have switched on using
zone allocs (instead of pool allocs) that performance problem went
away.

Regards,

Vladimir

Does anyone know if W2K+ has better memory defragmentation algorithms
than NT 4.0?

Ralph Shnelvar

You are currently subscribed to ntfsd as: xxxxx@storagecraft.com To
unsubscribe send a blank email to leave-ntfsd-$subst(‘Recip.MemberIDChar’)@lists.osr.com

You are currently subscribed to ntfsd as: $subst(‘Recip.EmailAddr’)
To unsubscribe send a blank email to leave-ntfsd-$subst(‘Recip.MemberIDChar’)@lists.osr.com

> memory. If your allocate/deallocate requirements require frequent use

variable size allocations, you may consider implementing your own heap.

In this case one must spend lots of labour to make something better than the native pool.

At my previous job, we tried to do the user-mode allocator faster then MSVCRT!malloc().
After several days of experiments, we ended with a lookaside list, which gave us only a tiny advantage.
So, we had to rewrite several C++ classes to merge their objects together in a single allocation.

Max

You are currently subscribed to ntfsd as: $subst(‘Recip.EmailAddr’)
To unsubscribe send a blank email to leave-ntfsd-$subst(‘Recip.MemberIDChar’)@lists.osr.com

> Does anyone know if W2K+ has better memory defragmentation algorithms than

NT 4.0?

For kernel mode pool, IIRC the algorithm was always nearly perfect. Binary buddy. Not fastest, but lesser fragmentation -> better
worse-case time.

As about the user-mode heap - it depends not only on RtlAllocateHeap, but on MSVCRT too, since malloc() performs suballocation of
blocks allocated by RtlAllocateHeap.

Max

You are currently subscribed to ntfsd as: $subst(‘Recip.EmailAddr’)
To unsubscribe send a blank email to leave-ntfsd-$subst(‘Recip.MemberIDChar’)@lists.osr.com

Well, on my experience with KM programming (again, on NT platform),
lookaside pool was the answer to my performance
problems.

Regards,

Vladimir

-----Original Message-----
From: Maxim S. Shatskih [mailto:xxxxx@storagecraft.com]
Sent: Wednesday, December 26, 2001 6:36 AM
To: File Systems Developers
Subject: [ntfsd] Re: Interference with Norton AntiVirus 2002

memory. If your allocate/deallocate requirements require frequent use
variable size allocations, you may consider implementing your own heap.

In this case one must spend lots of labour to make something better than the
native pool.

At my previous job, we tried to do the user-mode allocator faster then
MSVCRT!malloc().
After several days of experiments, we ended with a lookaside list, which
gave us only a tiny advantage.
So, we had to rewrite several C++ classes to merge their objects together in
a single allocation.

Max

You are currently subscribed to ntfsd as: xxxxx@Starbase.com
To unsubscribe send a blank email to leave-ntfsd-$subst(‘Recip.MemberIDChar’)@lists.osr.com

You are currently subscribed to ntfsd as: $subst(‘Recip.EmailAddr’)
To unsubscribe send a blank email to leave-ntfsd-$subst(‘Recip.MemberIDChar’)@lists.osr.com

An easy approach is to determine the most common size for the
allocations, and use lookasides for that size and anything below that size,
and normal ExAllocatexxx for anything above the size.
For example, for filenames, under NT and 2K, the lookasides could be
used to store names that are under 64 bytes, and under XP under 128.
Driver Verifier tells me that with a maximum of 64 free lookasides, I
never allocate over 13,000 times.

Regards, Dejan.

Jamey Kirby wrote:

No. You should not rely on ExAllocatePool() for frequent allocs and
deallocs. Lookaside lists and Zones are a much better method to manage
memory. If your allocate/deallocate requirements require frequent use
variable size allocations, you may consider implementing your own heap.

Jamey

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Ralph Shnelvar
Sent: Tuesday, December 25, 2001 5:18 PM
To: File Systems Developers
Subject: [ntfsd] Re: Interference with Norton AntiVirus 2002

Dear all:

On Fri, 21 Dec 2001 11:52:51 -0800, you wrote:

>Just my two cents. A reaction on suggestion to use ExAllocatePool. In
>my experience with NT (I’m not sure if this remains true with W2K+)
>frequent alloc/dealloc of small chunks of memory may cause significant
>performance degradation of the system in general. “In general” means
>that after a while it doesn’t matter, whether your driver is active or
>not. The entire system works much slower than it was at the beginning.
>Why I blame alloc/dealloc? Well, as soon as I have switched on using
>zone allocs (instead of pool allocs) that performance problem went
>away.
>
>Regards,
>
>Vladimir

Does anyone know if W2K+ has better memory defragmentation algorithms
than NT 4.0?

Ralph Shnelvar

---

You are currently subscribed to ntfsd as: xxxxx@storagecraft.com To
unsubscribe send a blank email to leave-ntfsd-$subst(‘Recip.MemberIDChar’)@lists.osr.com

---

You are currently subscribed to ntfsd as: xxxxx@alfasp.com
To unsubscribe send a blank email to leave-ntfsd-$subst(‘Recip.MemberIDChar’)@lists.osr.com

–
Kind regards, Dejan M. CEO Alfa Co. www.alfasp.com
E-mail: xxxxx@alfasp.com
ICQ#: 56570367
Alfa File Monitor - File monitoring system for Win32 developers.
Alfa File Protector - File protection and hiding system for Win32
developers.

You are currently subscribed to ntfsd as: $subst(‘Recip.EmailAddr’)
To unsubscribe send a blank email to leave-ntfsd-$subst(‘Recip.MemberIDChar’)@lists.osr.com

Hi,

On one single workstation in our organization I’m facing the same 0x7F
bugcheck (EXCEPTION_DOUBLE_FAULT). The system runs W2K. The problem seems
to occur at or after a call to ExAllocatePool to allocate 82 bytes. The
last remaining stack size that I see is 4888 bytes.

Is it possible that a call to ExAllocatePool is the bad guy ?

–
Bartjan.

You are currently subscribed to ntfsd as: $subst(‘Recip.EmailAddr’)
To unsubscribe send a blank email to leave-ntfsd-$subst(‘Recip.MemberIDChar’)@lists.osr.com

I’ve been reading this thread, and subsequent ones with interest as I have
the same problem with a decryption filter of mine and NAV.

And I notice no-one has actually answered the question of why we are
running out of stack in the first place.

I think I have found the answer, I believe NAV is commiting a cardinal sin
and calling IoCallDriver in its completion routine. This of cause leads to
excessive stack usage. It took me some time but by unraveling the stack a
bit I came up with the following trace:

8046e264 8042bdfd 00000003 8046e2ac 00000008
nt!RtlpBreakWithStatusInstruction
8046e294 8042c1c1 00000003 00000000 00000000 nt!KiBugCheckDebugBreak+0x31
8046e620 80464cbe 0000007f 00000008 00000000 nt!KeBugCheckEx+0x390
8046e620 8043f650 0000007f 00000008 00000000 nt!KiTrap08+0x3e
f3480038 8044824a 00000000 bfefa2b0 c02ffbe8 nt!MiDispatchFault+0x108
f3480084 80465fc6 00000000 00000000 00000000 nt!MmAccessFault+0x67b
f3480084 bfefa2b0 00000000 00000000 00000000 nt!KiTrap0E+0xc3
f3480c60 bfef9dd0 810ded48 a867de28 f3480cc0 Ntfs!NtfsCommonCreate+0xa1c
f3480d00 8041f511 818b7020 a867de28 000000c9 Ntfs!NtfsFsdCreate+0x157
f3480d14 8052cf9b f3521e5c f3480d8c 00000000 nt!IopfCallDriver+0x35
f3480d30 f351825a 00000000 f3480d8c 00000000 nt!IovCallDriver+0x77
***f3480d58 f351ae6b 818b7020 81207f00 f3480d8c SYMEVENT+0x125a
***f3480dac 8041f511 81207f00 a867de28 000000c9
Ntfs!NtfsCommonCreate+0xa1c
***f3480ddc f2fccb5a f3480edc f2fcb796 811e23e0 nt!IopfCallDriver+0x35
***f3480de4 f2fcb796 811e23e0 a867de28 00000000
cdac24ba!SelOpenCipherText+0x4a [.\create.c @ 712]
f3480edc f2fc5734 811e23e0 a867de28 f3480f48 cdac24ba!SelFilterCreate+0x746
[.\create.c @ 287]
f3480f9c eb47939b 811e23e0 a867de28 811e23e0 cdac24ba!SelDispatchIrp+0x653
[.\seldisp.c @ 239]
f3481010 8041f511 811e23e0 a867de28 a867de38
CDAC25BA!StubFastIoMdlReadComplete+0x81 [.\fastio.c @ 1275]
f3481024 8049c7cf 8049c2a5 8187cbb8 f3481314 nt!IopfCallDriver+0x35
f34811ac 8044f0f2 8187cbd0 00000000 f3481258 nt!IopParseDevice+0xa04
f3481218 8049a7fb 00000000 f3481300 00000040 nt!ObpLookupObjectName+0x4c4
f3481328 8049caab 00000000 00000000 8196ce00 nt!ObOpenObjectByName+0xc5
f34813fc 8049a61f ff5a2ea8 80100080 ff5a2ebc nt!IoCreateFile+0x3ec
f348143c 80462cf1 ff5a2ea8 80100080 ff5a2ebc nt!NtCreateFile+0x2e
f348143c 804009d1 ff5a2ea8 80100080 ff5a2ebc nt!KiSystemService+0xc4
f34814e0 f3350990 ff5a2ea8 80100080 ff5a2ebc nt!ZwCreateFile+0xb
WARNING: Stack unwind information not available. Following frames may be
wrong.
ff5a2e4c f3351546 ff5a2ea8 80100080 ff5a2ebc NAVAP+0x2990
ff5a2ed4 f336d23d e3301914 00000040 e1bf9010 NAVAP+0x3546
ff5a2f04 f336d347 e3301914 ff5a2f20 00000000 NAVAP+0x1f23d
ff5a2f2c f336cdbb e1b645f0 f348159c f336d120 NAVAP+0x1f347
ff5a2f54 f336cc7b f348159c 00000000 f3481514 NAVAP+0x1edbb

Have a good look at the entries marked with ***, notice NTFS calling into
SYMEVENT, and then SYMEVENT calling IoCallDriver. (BTW Cda24ba and Cda25ba
are my drivers)

Why did no-one else discover this ?

There is nothing much we can do to limit our stack usage in our filter,
it’s less than 1K on its most complex path, unless we decide to re-write
it.

Regards,

David.

On 12/19/01, “xxxxx@storactive.com” wrote:

Hi all
I’ve got a problem: it seems NAV2002 File System Filter interferes with
other ones (if Symantec’s software is being installed after Storactive
LiveBakcup Client 2.5, it causes UNEXPECTED_KERNEL_MODE_TRAP code 8, i.e.
double fault exception). But it seems to be a Symantec’s problem, not mine,
since I reproduced this behaviour with another third-party software,
F-Secure Anti-Virus 5.30. Has anyone here noticed this before?
Thanx in advance.

---

You are currently subscribed to ntfsd as: $subst(‘Recip.EmailAddr’)
To unsubscribe send a blank email to leave-ntfsd-$subst(‘Recip.MemberIDChar’)@lists.osr.com

You are currently subscribed to ntfsd as: $subst(‘Recip.EmailAddr’)
To unsubscribe send a blank email to leave-ntfsd-$subst(‘Recip.MemberIDChar’)@lists.osr.com

The stack overflow problem is a difficult one - no single component uses
“too much” but enough re-entrancy and you get clobbered because the calls
overflow the stack.

If this is a stack overflow (and from the trace alone that isn’t clear - it
looks to me like a page fault occurred before the double fault occurred.)
Knowing the stack boundaries for this thread would be helpful (!thread)
since that would tell us exactly where they were (I’d guess f3480000, but
that’s just a guess.)

Again, I can’t see from this stack trace that symevent is being called from
a completion routine (being able to see the IRP at a867de28 would be helpful
in confirming this.)

But let’s assume you are right. To the best of my knowledge, there’s no
“cardinal rule” that you cannot call IoCallDriver from a completion routine.
In general, you should not call it at DISPATCH_LEVEL, but that doesn’t seem
to apply here (the OS would have caught a page fault at elevated IRQL before
the call to MmAccessFault.)

There are no easy fixes to stack overflow problems - essentially, someone,
at some point, must “overflow” to a new stack, which is traditionally done
by posting to a worker thread (see the examples of this in the FAT file
system.) There are locking considerations here (since locks are typically
“owned” by one thread, posting to a different thread can generate deadlocks

• I’ve seen those in multi-filter combinations as well.)

What I’d suggest is showing up at PlugFest out in Redmond and talking with
the Symantec folk about this, since they may be able to provide you with
additional insight and perhaps even work out a resolution to the problem.

Regards,

Tony

Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc.
http://www.osr.com

See the new NTFSD FAQ on the OSR Web Site!

-----Original Message-----
From: David Wyles [mailto:xxxxx@macrovisioneurope.com]
Sent: Wednesday, January 02, 2002 6:17 AM
To: File Systems Developers
Subject: [ntfsd] Re: Interference with Norton AntiVirus 2002

I’ve been reading this thread, and subsequent ones with interest as I have
the same problem with a decryption filter of mine and NAV.

And I notice no-one has actually answered the question of why we are
running out of stack in the first place.

I think I have found the answer, I believe NAV is commiting a cardinal sin
and calling IoCallDriver in its completion routine. This of cause leads to
excessive stack usage. It took me some time but by unraveling the stack a
bit I came up with the following trace:

8046e264 8042bdfd 00000003 8046e2ac 00000008
nt!RtlpBreakWithStatusInstruction
8046e294 8042c1c1 00000003 00000000 00000000 nt!KiBugCheckDebugBreak+0x31
8046e620 80464cbe 0000007f 00000008 00000000 nt!KeBugCheckEx+0x390
8046e620 8043f650 0000007f 00000008 00000000 nt!KiTrap08+0x3e
f3480038 8044824a 00000000 bfefa2b0 c02ffbe8 nt!MiDispatchFault+0x108
f3480084 80465fc6 00000000 00000000 00000000 nt!MmAccessFault+0x67b
f3480084 bfefa2b0 00000000 00000000 00000000 nt!KiTrap0E+0xc3
f3480c60 bfef9dd0 810ded48 a867de28 f3480cc0 Ntfs!NtfsCommonCreate+0xa1c
f3480d00 8041f511 818b7020 a867de28 000000c9 Ntfs!NtfsFsdCreate+0x157
f3480d14 8052cf9b f3521e5c f3480d8c 00000000 nt!IopfCallDriver+0x35
f3480d30 f351825a 00000000 f3480d8c 00000000 nt!IovCallDriver+0x77
***f3480d58 f351ae6b 818b7020 81207f00 f3480d8c SYMEVENT+0x125a
***f3480dac 8041f511 81207f00 a867de28 000000c9
Ntfs!NtfsCommonCreate+0xa1c
***f3480ddc f2fccb5a f3480edc f2fcb796 811e23e0 nt!IopfCallDriver+0x35
***f3480de4 f2fcb796 811e23e0 a867de28 00000000
cdac24ba!SelOpenCipherText+0x4a [.\create.c @ 712]
f3480edc f2fc5734 811e23e0 a867de28 f3480f48 cdac24ba!SelFilterCreate+0x746
[.\create.c @ 287]
f3480f9c eb47939b 811e23e0 a867de28 811e23e0 cdac24ba!SelDispatchIrp+0x653
[.\seldisp.c @ 239]
f3481010 8041f511 811e23e0 a867de28 a867de38
CDAC25BA!StubFastIoMdlReadComplete+0x81 [.\fastio.c @ 1275]
f3481024 8049c7cf 8049c2a5 8187cbb8 f3481314 nt!IopfCallDriver+0x35
f34811ac 8044f0f2 8187cbd0 00000000 f3481258 nt!IopParseDevice+0xa04
f3481218 8049a7fb 00000000 f3481300 00000040 nt!ObpLookupObjectName+0x4c4
f3481328 8049caab 00000000 00000000 8196ce00 nt!ObOpenObjectByName+0xc5
f34813fc 8049a61f ff5a2ea8 80100080 ff5a2ebc nt!IoCreateFile+0x3ec
f348143c 80462cf1 ff5a2ea8 80100080 ff5a2ebc nt!NtCreateFile+0x2e
f348143c 804009d1 ff5a2ea8 80100080 ff5a2ebc nt!KiSystemService+0xc4
f34814e0 f3350990 ff5a2ea8 80100080 ff5a2ebc nt!ZwCreateFile+0xb
WARNING: Stack unwind information not available. Following frames may be
wrong.
ff5a2e4c f3351546 ff5a2ea8 80100080 ff5a2ebc NAVAP+0x2990
ff5a2ed4 f336d23d e3301914 00000040 e1bf9010 NAVAP+0x3546
ff5a2f04 f336d347 e3301914 ff5a2f20 00000000 NAVAP+0x1f23d
ff5a2f2c f336cdbb e1b645f0 f348159c f336d120 NAVAP+0x1f347
ff5a2f54 f336cc7b f348159c 00000000 f3481514 NAVAP+0x1edbb

Have a good look at the entries marked with ***, notice NTFS calling into
SYMEVENT, and then SYMEVENT calling IoCallDriver. (BTW Cda24ba and Cda25ba
are my drivers)

Why did no-one else discover this ?

There is nothing much we can do to limit our stack usage in our filter,
it’s less than 1K on its most complex path, unless we decide to re-write
it.

Regards,

David.

On 12/19/01, “xxxxx@storactive.com” wrote:

Hi all
I’ve got a problem: it seems NAV2002 File System Filter interferes with
other ones (if Symantec’s software is being installed after Storactive
LiveBakcup Client 2.5, it causes UNEXPECTED_KERNEL_MODE_TRAP code 8, i.e.
double fault exception). But it seems to be a Symantec’s problem, not
mine,
since I reproduced this behaviour with another third-party software,
F-Secure Anti-Virus 5.30. Has anyone here noticed this before?
Thanx in advance.

---

You are currently subscribed to ntfsd as: xxxxx@osr.com
To unsubscribe send a blank email to leave-ntfsd-$subst(‘Recip.MemberIDChar’)@lists.osr.com

You are currently subscribed to ntfsd as: xxxxx@osr.com
To unsubscribe send a blank email to leave-ntfsd-$subst(‘Recip.MemberIDChar’)@lists.osr.com

You are currently subscribed to ntfsd as: $subst(‘Recip.EmailAddr’)
To unsubscribe send a blank email to leave-ntfsd-$subst(‘Recip.MemberIDChar’)@lists.osr.com

Hmmm,

Talking to Symantec indicates that although they do re-enter the the stack
perform I/O but they do not do it from there completion routine. So I
retract my statement.

Although they have said they are working on a bug where they issued a
IRP_MJ_CREATE under low conditions in SYMTDI which I have also seen in a
stack trace.

I’ve been to plugfest twice before and have interopt with Symantec but
missed the last one in August as I was on Holiday. I know it isn’t a
cardinal rule, I was just noting that something odd was going on.

It’s a bit of a problem unwinding the stack on the free build of the
symantec drivers as the compiler has optimised some calls out (and
consequently hasn’t stored ebp) and Windbg gets a bit confused.

Currently we have no “low stack” solution in our filters and so I shall
spend some time seeking an alternative to a BSOD.

Many thanks,

David.

-----Original Message-----
From: Tony Mason [mailto:xxxxx@osr.com]
Sent: 02 January 2002 16:50
To: File Systems Developers
Subject: [ntfsd] Re: Interference with Norton AntiVirus 2002

The stack overflow problem is a difficult one - no single component uses
“too much” but enough re-entrancy and you get clobbered because the calls
overflow the stack.

If this is a stack overflow (and from the trace alone that isn’t clear - it
looks to me like a page fault occurred before the double fault occurred.)
Knowing the stack boundaries for this thread would be helpful (!thread)
since that would tell us exactly where they were (I’d guess f3480000, but
that’s just a guess.)

Again, I can’t see from this stack trace that symevent is being called from
a completion routine (being able to see the IRP at a867de28 would be helpful
in confirming this.)

But let’s assume you are right. To the best of my knowledge, there’s no
“cardinal rule” that you cannot call IoCallDriver from a completion routine.
In general, you should not call it at DISPATCH_LEVEL, but that doesn’t seem
to apply here (the OS would have caught a page fault at elevated IRQL before
the call to MmAccessFault.)

There are no easy fixes to stack overflow problems - essentially, someone,
at some point, must “overflow” to a new stack, which is traditionally done
by posting to a worker thread (see the examples of this in the FAT file
system.) There are locking considerations here (since locks are typically
“owned” by one thread, posting to a different thread can generate deadlocks

• I’ve seen those in multi-filter combinations as well.)

What I’d suggest is showing up at PlugFest out in Redmond and talking with
the Symantec folk about this, since they may be able to provide you with
additional insight and perhaps even work out a resolution to the problem.

Regards,

Tony

Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc.
http://www.osr.com

See the new NTFSD FAQ on the OSR Web Site!

-----Original Message-----
From: David Wyles [mailto:xxxxx@macrovisioneurope.com]
Sent: Wednesday, January 02, 2002 6:17 AM
To: File Systems Developers
Subject: [ntfsd] Re: Interference with Norton AntiVirus 2002

I’ve been reading this thread, and subsequent ones with interest as I have
the same problem with a decryption filter of mine and NAV.

And I notice no-one has actually answered the question of why we are
running out of stack in the first place.

I think I have found the answer, I believe NAV is commiting a cardinal sin
and calling IoCallDriver in its completion routine. This of cause leads to
excessive stack usage. It took me some time but by unraveling the stack a
bit I came up with the following trace:

8046e264 8042bdfd 00000003 8046e2ac 00000008
nt!RtlpBreakWithStatusInstruction
8046e294 8042c1c1 00000003 00000000 00000000 nt!KiBugCheckDebugBreak+0x31
8046e620 80464cbe 0000007f 00000008 00000000 nt!KeBugCheckEx+0x390
8046e620 8043f650 0000007f 00000008 00000000 nt!KiTrap08+0x3e
f3480038 8044824a 00000000 bfefa2b0 c02ffbe8 nt!MiDispatchFault+0x108
f3480084 80465fc6 00000000 00000000 00000000 nt!MmAccessFault+0x67b
f3480084 bfefa2b0 00000000 00000000 00000000 nt!KiTrap0E+0xc3
f3480c60 bfef9dd0 810ded48 a867de28 f3480cc0 Ntfs!NtfsCommonCreate+0xa1c
f3480d00 8041f511 818b7020 a867de28 000000c9 Ntfs!NtfsFsdCreate+0x157
f3480d14 8052cf9b f3521e5c f3480d8c 00000000 nt!IopfCallDriver+0x35
f3480d30 f351825a 00000000 f3480d8c 00000000 nt!IovCallDriver+0x77
***f3480d58 f351ae6b 818b7020 81207f00 f3480d8c SYMEVENT+0x125a
***f3480dac 8041f511 81207f00 a867de28 000000c9
Ntfs!NtfsCommonCreate+0xa1c
***f3480ddc f2fccb5a f3480edc f2fcb796 811e23e0 nt!IopfCallDriver+0x35
***f3480de4 f2fcb796 811e23e0 a867de28 00000000
cdac24ba!SelOpenCipherText+0x4a [.\create.c @ 712]
f3480edc f2fc5734 811e23e0 a867de28 f3480f48 cdac24ba!SelFilterCreate+0x746
[.\create.c @ 287]
f3480f9c eb47939b 811e23e0 a867de28 811e23e0 cdac24ba!SelDispatchIrp+0x653
[.\seldisp.c @ 239]
f3481010 8041f511 811e23e0 a867de28 a867de38
CDAC25BA!StubFastIoMdlReadComplete+0x81 [.\fastio.c @ 1275]
f3481024 8049c7cf 8049c2a5 8187cbb8 f3481314 nt!IopfCallDriver+0x35
f34811ac 8044f0f2 8187cbd0 00000000 f3481258 nt!IopParseDevice+0xa04
f3481218 8049a7fb 00000000 f3481300 00000040 nt!ObpLookupObjectName+0x4c4
f3481328 8049caab 00000000 00000000 8196ce00 nt!ObOpenObjectByName+0xc5
f34813fc 8049a61f ff5a2ea8 80100080 ff5a2ebc nt!IoCreateFile+0x3ec
f348143c 80462cf1 ff5a2ea8 80100080 ff5a2ebc nt!NtCreateFile+0x2e
f348143c 804009d1 ff5a2ea8 80100080 ff5a2ebc nt!KiSystemService+0xc4
f34814e0 f3350990 ff5a2ea8 80100080 ff5a2ebc nt!ZwCreateFile+0xb
WARNING: Stack unwind information not available. Following frames may be
wrong.
ff5a2e4c f3351546 ff5a2ea8 80100080 ff5a2ebc NAVAP+0x2990
ff5a2ed4 f336d23d e3301914 00000040 e1bf9010 NAVAP+0x3546
ff5a2f04 f336d347 e3301914 ff5a2f20 00000000 NAVAP+0x1f23d
ff5a2f2c f336cdbb e1b645f0 f348159c f336d120 NAVAP+0x1f347
ff5a2f54 f336cc7b f348159c 00000000 f3481514 NAVAP+0x1edbb

Have a good look at the entries marked with ***, notice NTFS calling into
SYMEVENT, and then SYMEVENT calling IoCallDriver. (BTW Cda24ba and Cda25ba
are my drivers)

Why did no-one else discover this ?

There is nothing much we can do to limit our stack usage in our filter,
it’s less than 1K on its most complex path, unless we decide to re-write
it.

Regards,

David.

On 12/19/01, “xxxxx@storactive.com” wrote:

Hi all
I’ve got a problem: it seems NAV2002 File System Filter interferes with
other ones (if Symantec’s software is being installed after Storactive
LiveBakcup Client 2.5, it causes UNEXPECTED_KERNEL_MODE_TRAP code 8, i.e.
double fault exception). But it seems to be a Symantec’s problem, not
mine,
since I reproduced this behaviour with another third-party software,
F-Secure Anti-Virus 5.30. Has anyone here noticed this before?
Thanx in advance.

---

You are currently subscribed to ntfsd as: xxxxx@osr.com
To unsubscribe send a blank email to leave-ntfsd-$subst(‘Recip.MemberIDChar’)@lists.osr.com

You are currently subscribed to ntfsd as: xxxxx@osr.com
To unsubscribe send a blank email to leave-ntfsd-$subst(‘Recip.MemberIDChar’)@lists.osr.com

You are currently subscribed to ntfsd as: xxxxx@macrovisioneurope.com
To unsubscribe send a blank email to leave-ntfsd-$subst(‘Recip.MemberIDChar’)@lists.osr.com

PRIVACY AND CONFIDENTIALITY NOTICE
This email and any attachments are confidential and may also be privileged.
If you have received this message by mistake, please contact us immediately
and then delete the message from your system. You must not copy,
distribute, disclose or act upon the contents of this email.
This e-mail and/or any replies to it, and any attachments may be
intercepted, copied or monitored by Macrovision Europe Limited for the
purposes set out in the Telecommunications (Lawful Business Practices)
(Interception of Communications) Regulations 2000.

You are currently subscribed to ntfsd as: $subst(‘Recip.EmailAddr’)
To unsubscribe send a blank email to leave-ntfsd-$subst(‘Recip.MemberIDChar’)@lists.osr.com

David,

One thing that would greatly aid debugging crashes where Symantec drivers
are present would be to obtain the matching symbols for the drivers you are
using - the debugger can then unwind back across the calling stacks.

Barring that, the “!stack” command in kdex2x86.dll can be used (albeit with
GREAT caution) to probe for interesting information. Essentially, it works
by walking through each potential return address on the stack (any four byte
numeric range) and attempting to determine if that corresponds to the return
from a previous call. This isn’t a guaranteed way of reconstructing a call
sequence as it can show “garbage” calls (from previous uses of the stack)
but it can walk across optimized calls. A rather treacherous tool to use in
general, but one that can be useful when you are faced with a situation like
this one.

Regards,

Tony

Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc.
http://www.osr.com

See the new NTFSD FAQ on the OSR Web Site!

-----Original Message-----
From: David Wyles [mailto:xxxxx@macrovisioneurope.com]
Sent: Thursday, January 03, 2002 3:03 AM
To: File Systems Developers
Subject: [ntfsd] Re: Interference with Norton AntiVirus 2002

Hmmm,

Talking to Symantec indicates that although they do re-enter the the stack
perform I/O but they do not do it from there completion routine. So I
retract my statement.

Although they have said they are working on a bug where they issued a
IRP_MJ_CREATE under low conditions in SYMTDI which I have also seen in a
stack trace.

I’ve been to plugfest twice before and have interopt with Symantec but
missed the last one in August as I was on Holiday. I know it isn’t a
cardinal rule, I was just noting that something odd was going on.

It’s a bit of a problem unwinding the stack on the free build of the
symantec drivers as the compiler has optimised some calls out (and
consequently hasn’t stored ebp) and Windbg gets a bit confused.

Currently we have no “low stack” solution in our filters and so I shall
spend some time seeking an alternative to a BSOD.

Many thanks,

David.

-----Original Message-----
From: Tony Mason [mailto:xxxxx@osr.com]
Sent: 02 January 2002 16:50
To: File Systems Developers
Subject: [ntfsd] Re: Interference with Norton AntiVirus 2002

The stack overflow problem is a difficult one - no single component uses
“too much” but enough re-entrancy and you get clobbered because the calls
overflow the stack.

If this is a stack overflow (and from the trace alone that isn’t clear - it
looks to me like a page fault occurred before the double fault occurred.)
Knowing the stack boundaries for this thread would be helpful (!thread)
since that would tell us exactly where they were (I’d guess f3480000, but
that’s just a guess.)

Again, I can’t see from this stack trace that symevent is being called from
a completion routine (being able to see the IRP at a867de28 would be helpful
in confirming this.)

But let’s assume you are right. To the best of my knowledge, there’s no
“cardinal rule” that you cannot call IoCallDriver from a completion routine.
In general, you should not call it at DISPATCH_LEVEL, but that doesn’t seem
to apply here (the OS would have caught a page fault at elevated IRQL before
the call to MmAccessFault.)

There are no easy fixes to stack overflow problems - essentially, someone,
at some point, must “overflow” to a new stack, which is traditionally done
by posting to a worker thread (see the examples of this in the FAT file
system.) There are locking considerations here (since locks are typically
“owned” by one thread, posting to a different thread can generate deadlocks

• I’ve seen those in multi-filter combinations as well.)

What I’d suggest is showing up at PlugFest out in Redmond and talking with
the Symantec folk about this, since they may be able to provide you with
additional insight and perhaps even work out a resolution to the problem.

Regards,

Tony

Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc.
http://www.osr.com

See the new NTFSD FAQ on the OSR Web Site!

-----Original Message-----
From: David Wyles [mailto:xxxxx@macrovisioneurope.com]
Sent: Wednesday, January 02, 2002 6:17 AM
To: File Systems Developers
Subject: [ntfsd] Re: Interference with Norton AntiVirus 2002

I’ve been reading this thread, and subsequent ones with interest as I have
the same problem with a decryption filter of mine and NAV.

And I notice no-one has actually answered the question of why we are
running out of stack in the first place.

I think I have found the answer, I believe NAV is commiting a cardinal sin
and calling IoCallDriver in its completion routine. This of cause leads to
excessive stack usage. It took me some time but by unraveling the stack a
bit I came up with the following trace:

8046e264 8042bdfd 00000003 8046e2ac 00000008
nt!RtlpBreakWithStatusInstruction
8046e294 8042c1c1 00000003 00000000 00000000 nt!KiBugCheckDebugBreak+0x31
8046e620 80464cbe 0000007f 00000008 00000000 nt!KeBugCheckEx+0x390
8046e620 8043f650 0000007f 00000008 00000000 nt!KiTrap08+0x3e
f3480038 8044824a 00000000 bfefa2b0 c02ffbe8 nt!MiDispatchFault+0x108
f3480084 80465fc6 00000000 00000000 00000000 nt!MmAccessFault+0x67b
f3480084 bfefa2b0 00000000 00000000 00000000 nt!KiTrap0E+0xc3
f3480c60 bfef9dd0 810ded48 a867de28 f3480cc0 Ntfs!NtfsCommonCreate+0xa1c
f3480d00 8041f511 818b7020 a867de28 000000c9 Ntfs!NtfsFsdCreate+0x157
f3480d14 8052cf9b f3521e5c f3480d8c 00000000 nt!IopfCallDriver+0x35
f3480d30 f351825a 00000000 f3480d8c 00000000 nt!IovCallDriver+0x77
***f3480d58 f351ae6b 818b7020 81207f00 f3480d8c SYMEVENT+0x125a
***f3480dac 8041f511 81207f00 a867de28 000000c9
Ntfs!NtfsCommonCreate+0xa1c
***f3480ddc f2fccb5a f3480edc f2fcb796 811e23e0 nt!IopfCallDriver+0x35
***f3480de4 f2fcb796 811e23e0 a867de28 00000000
cdac24ba!SelOpenCipherText+0x4a [.\create.c @ 712]
f3480edc f2fc5734 811e23e0 a867de28 f3480f48 cdac24ba!SelFilterCreate+0x746
[.\create.c @ 287]
f3480f9c eb47939b 811e23e0 a867de28 811e23e0 cdac24ba!SelDispatchIrp+0x653
[.\seldisp.c @ 239]
f3481010 8041f511 811e23e0 a867de28 a867de38
CDAC25BA!StubFastIoMdlReadComplete+0x81 [.\fastio.c @ 1275]
f3481024 8049c7cf 8049c2a5 8187cbb8 f3481314 nt!IopfCallDriver+0x35
f34811ac 8044f0f2 8187cbd0 00000000 f3481258 nt!IopParseDevice+0xa04
f3481218 8049a7fb 00000000 f3481300 00000040 nt!ObpLookupObjectName+0x4c4
f3481328 8049caab 00000000 00000000 8196ce00 nt!ObOpenObjectByName+0xc5
f34813fc 8049a61f ff5a2ea8 80100080 ff5a2ebc nt!IoCreateFile+0x3ec
f348143c 80462cf1 ff5a2ea8 80100080 ff5a2ebc nt!NtCreateFile+0x2e
f348143c 804009d1 ff5a2ea8 80100080 ff5a2ebc nt!KiSystemService+0xc4
f34814e0 f3350990 ff5a2ea8 80100080 ff5a2ebc nt!ZwCreateFile+0xb
WARNING: Stack unwind information not available. Following frames may be
wrong.
ff5a2e4c f3351546 ff5a2ea8 80100080 ff5a2ebc NAVAP+0x2990
ff5a2ed4 f336d23d e3301914 00000040 e1bf9010 NAVAP+0x3546
ff5a2f04 f336d347 e3301914 ff5a2f20 00000000 NAVAP+0x1f23d
ff5a2f2c f336cdbb e1b645f0 f348159c f336d120 NAVAP+0x1f347
ff5a2f54 f336cc7b f348159c 00000000 f3481514 NAVAP+0x1edbb

Have a good look at the entries marked with ***, notice NTFS calling into
SYMEVENT, and then SYMEVENT calling IoCallDriver. (BTW Cda24ba and Cda25ba
are my drivers)

Why did no-one else discover this ?

There is nothing much we can do to limit our stack usage in our filter,
it’s less than 1K on its most complex path, unless we decide to re-write
it.

Regards,

David.

On 12/19/01, “xxxxx@storactive.com” wrote:

Hi all
I’ve got a problem: it seems NAV2002 File System Filter interferes with
other ones (if Symantec’s software is being installed after Storactive
LiveBakcup Client 2.5, it causes UNEXPECTED_KERNEL_MODE_TRAP code 8, i.e.
double fault exception). But it seems to be a Symantec’s problem, not
mine,
since I reproduced this behaviour with another third-party software,
F-Secure Anti-Virus 5.30. Has anyone here noticed this before?
Thanx in advance.

---

You are currently subscribed to ntfsd as: xxxxx@osr.com
To unsubscribe send a blank email to leave-ntfsd-$subst(‘Recip.MemberIDChar’)@lists.osr.com

You are currently subscribed to ntfsd as: xxxxx@osr.com
To unsubscribe send a blank email to leave-ntfsd-$subst(‘Recip.MemberIDChar’)@lists.osr.com

You are currently subscribed to ntfsd as: xxxxx@macrovisioneurope.com
To unsubscribe send a blank email to leave-ntfsd-$subst(‘Recip.MemberIDChar’)@lists.osr.com

PRIVACY AND CONFIDENTIALITY NOTICE
This email and any attachments are confidential and may also be privileged.
If you have received this message by mistake, please contact us immediately
and then delete the message from your system. You must not copy,
distribute, disclose or act upon the contents of this email.
This e-mail and/or any replies to it, and any attachments may be
intercepted, copied or monitored by Macrovision Europe Limited for the
purposes set out in the Telecommunications (Lawful Business Practices)
(Interception of Communications) Regulations 2000.

You are currently subscribed to ntfsd as: xxxxx@osr.com
To unsubscribe send a blank email to leave-ntfsd-$subst(‘Recip.MemberIDChar’)@lists.osr.com

You are currently subscribed to ntfsd as: $subst(‘Recip.EmailAddr’)
To unsubscribe send a blank email to leave-ntfsd-$subst(‘Recip.MemberIDChar’)@lists.osr.com

The problem occurs on Symantec’s side, this is confirmed (our TechSupport
manager talked to Symantec’s CTO Leo Cohen). The patch is expected ASAP and
would be distributed via LiveUpdate.

On 01/03/02, “Tony Mason ” wrote:
> David,
>
> One thing that would greatly aid debugging crashes where Symantec drivers
> are present would be to obtain the matching symbols for the drivers you are
> using - the debugger can then unwind back across the calling stacks.
>
> Barring that, the “!stack” command in kdex2x86.dll can be used (albeit with
> GREAT caution) to probe for interesting information. Essentially, it works
> by walking through each potential return address on the stack (any four byte
> numeric range) and attempting to determine if that corresponds to the return
> from a previous call. This isn’t a guaranteed way of reconstructing a call
> sequence as it can show “garbage” calls (from previous uses of the stack)
> but it can walk across optimized calls. A rather treacherous tool to use in
> general, but one that can be useful when you are faced with a situation like
> this one.
>
> Regards,
>
> Tony
>
> Tony Mason
> Consulting Partner
> OSR Open Systems Resources, Inc.
> http://www.osr.com
>
> See the new NTFSD FAQ on the OSR Web Site!
>
> -----Original Message-----
> From: David Wyles [mailto:xxxxx@macrovisioneurope.com]
> Sent: Thursday, January 03, 2002 3:03 AM
> To: File Systems Developers
> Subject: [ntfsd] Re: Interference with Norton AntiVirus 2002
>
> Hmmm,
>
> Talking to Symantec indicates that although they do re-enter the the stack
> perform I/O but they do not do it from there completion routine. So I
> retract my statement.
>
> Although they have said they are working on a bug where they issued a
> IRP_MJ_CREATE under low conditions in SYMTDI which I have also seen in a
> stack trace.
>
> I’ve been to plugfest twice before and have interopt with Symantec but
> missed the last one in August as I was on Holiday. I know it isn’t a
> cardinal rule, I was just noting that something odd was going on.
>
> It’s a bit of a problem unwinding the stack on the free build of the
> symantec drivers as the compiler has optimised some calls out (and
> consequently hasn’t stored ebp) and Windbg gets a bit confused.
>
> Currently we have no “low stack” solution in our filters and so I shall
> spend some time seeking an alternative to a BSOD.
>
> Many thanks,
>
> David.
>
> -----Original Message-----
> From: Tony Mason [mailto:xxxxx@osr.com]
> Sent: 02 January 2002 16:50
> To: File Systems Developers
> Subject: [ntfsd] Re: Interference with Norton AntiVirus 2002
>
>
> The stack overflow problem is a difficult one - no single component uses
> “too much” but enough re-entrancy and you get clobbered because the calls
> overflow the stack.
>
> If this is a stack overflow (and from the trace alone that isn’t clear - it
> looks to me like a page fault occurred before the double fault occurred.)
> Knowing the stack boundaries for this thread would be helpful (!thread)
> since that would tell us exactly where they were (I’d guess f3480000, but
> that’s just a guess.)
>
> Again, I can’t see from this stack trace that symevent is being called from
> a completion routine (being able to see the IRP at a867de28 would be helpful
> in confirming this.)
>
> But let’s assume you are right. To the best of my knowledge, there’s no
> “cardinal rule” that you cannot call IoCallDriver from a completion routine.
> In general, you should not call it at DISPATCH_LEVEL, but that doesn’t seem
> to apply here (the OS would have caught a page fault at elevated IRQL before
> the call to MmAccessFault.)
>
> There are no easy fixes to stack overflow problems - essentially, someone,
> at some point, must “overflow” to a new stack, which is traditionally done
> by posting to a worker thread (see the examples of this in the FAT file
> system.) There are locking considerations here (since locks are typically
> “owned” by one thread, posting to a different thread can generate deadlocks
> - I’ve seen those in multi-filter combinations as well.)
>
> What I’d suggest is showing up at PlugFest out in Redmond and talking with
> the Symantec folk about this, since they may be able to provide you with
> additional insight and perhaps even work out a resolution to the problem.
>
> Regards,
>
> Tony
>
> Tony Mason
> Consulting Partner
> OSR Open Systems Resources, Inc.
> http://www.osr.com
>
> See the new NTFSD FAQ on the OSR Web Site!
>
> -----Original Message-----
> From: David Wyles [mailto:xxxxx@macrovisioneurope.com]
> Sent: Wednesday, January 02, 2002 6:17 AM
> To: File Systems Developers
> Subject: [ntfsd] Re: Interference with Norton AntiVirus 2002
>
> I’ve been reading this thread, and subsequent ones with interest as I have
> the same problem with a decryption filter of mine and NAV.
>
> And I notice no-one has actually answered the question of why we are
> running out of stack in the first place.
>
> I think I have found the answer, I believe NAV is commiting a cardinal sin
> and calling IoCallDriver in its completion routine. This of cause leads to
> excessive stack usage. It took me some time but by unraveling the stack a
> bit I came up with the following trace:
>
> 8046e264 8042bdfd 00000003 8046e2ac 00000008
> nt!RtlpBreakWithStatusInstruction
> 8046e294 8042c1c1 00000003 00000000 00000000 nt!KiBugCheckDebugBreak+0x31
> 8046e620 80464cbe 0000007f 00000008 00000000 nt!KeBugCheckEx+0x390
> 8046e620 8043f650 0000007f 00000008 00000000 nt!KiTrap08+0x3e
> f3480038 8044824a 00000000 bfefa2b0 c02ffbe8 nt!MiDispatchFault+0x108
> f3480084 80465fc6 00000000 00000000 00000000 nt!MmAccessFault+0x67b
> f3480084 bfefa2b0 00000000 00000000 00000000 nt!KiTrap0E+0xc3
> f3480c60 bfef9dd0 810ded48 a867de28 f3480cc0 Ntfs!NtfsCommonCreate+0xa1c
> f3480d00 8041f511 818b7020 a867de28 000000c9 Ntfs!NtfsFsdCreate+0x157
> f3480d14 8052cf9b f3521e5c f3480d8c 00000000 nt!IopfCallDriver+0x35
> f3480d30 f351825a 00000000 f3480d8c 00000000 nt!IovCallDriver+0x77
> f3480d58 f351ae6b 818b7020 81207f00 f3480d8c SYMEVENT+0x125a
> f3480dac 8041f511 81207f00 a867de28 000000c9
> Ntfs!NtfsCommonCreate+0xa1c
> f3480ddc f2fccb5a f3480edc f2fcb796 811e23e0 nt!IopfCallDriver+0x35
> f3480de4 f2fcb796 811e23e0 a867de28 00000000
> cdac24ba!SelOpenCipherText+0x4a [.\create.c @ 712]
> f3480edc f2fc5734 811e23e0 a867de28 f3480f48 cdac24ba!SelFilterCreate+0x746
> [.\create.c @ 287]
> f3480f9c eb47939b 811e23e0 a867de28 811e23e0 cdac24ba!SelDispatchIrp+0x653
> [.\seldisp.c @ 239]
> f3481010 8041f511 811e23e0 a867de28 a867de38
> CDAC25BA!StubFastIoMdlReadComplete+0x81 [.\fastio.c @ 1275]
> f3481024 8049c7cf 8049c2a5 8187cbb8 f3481314 nt!IopfCallDriver+0x35
> f34811ac 8044f0f2 8187cbd0 00000000 f3481258 nt!IopParseDevice+0xa04
> f3481218 8049a7fb 00000000 f3481300 00000040 nt!ObpLookupObjectName+0x4c4
> f3481328 8049caab 00000000 00000000 8196ce00 nt!ObOpenObjectByName+0xc5
> f34813fc 8049a61f ff5a2ea8 80100080 ff5a2ebc nt!IoCreateFile+0x3ec
> f348143c 80462cf1 ff5a2ea8 80100080 ff5a2ebc nt!NtCreateFile+0x2e
> f348143c 804009d1 ff5a2ea8 80100080 ff5a2ebc nt!KiSystemService+0xc4
> f34814e0 f3350990 ff5a2ea8 80100080 ff5a2ebc nt!ZwCreateFile+0xb
> WARNING: Stack unwind information not available. Following frames may be
> wrong.
> ff5a2e4c f3351546 ff5a2ea8 80100080 ff5a2ebc NAVAP+0x2990
> ff5a2ed4 f336d23d e3301914 00000040 e1bf9010 NAVAP+0x3546
> ff5a2f04 f336d347 e3301914 ff5a2f20 00000000 NAVAP+0x1f23d
> ff5a2f2c f336cdbb e1b645f0 f348159c f336d120 NAVAP+0x1f347
> ff5a2f54 f336cc7b f348159c 00000000 f3481514 NAVAP+0x1edbb
>
> Have a good look at the entries marked with ***, notice NTFS calling into
> SYMEVENT, and then SYMEVENT calling IoCallDriver. (BTW Cda24ba and Cda25ba
> are my drivers)
>
> Why did no-one else discover this ?
>
> There is nothing much we can do to limit our stack usage in our filter,
> it’s less than 1K on its most complex path, unless we decide to re-write
> it.
>
> Regards,
>
> David.
>
>
> On 12/19/01, “xxxxx@storactive.com” wrote:
> > Hi all
> > I’ve got a problem: it seems NAV2002 File System Filter interferes with
> > other ones (if Symantec’s software is being installed after Storactive
> > LiveBakcup Client 2.5, it causes UNEXPECTED_KERNEL_MODE_TRAP code 8, i.e.
> > double fault exception). But it seems to be a Symantec’s problem, not
> mine,
> > since I reproduced this behaviour with another third-party software,
> > F-Secure Anti-Virus 5.30. Has anyone here noticed this before?
> > Thanx in advance.
> >
> > —
> > You are currently subscribed to ntfsd as: xxxxx@osr.com
> > To unsubscribe send a blank email to leave-ntfsd-$subst(‘Recip.MemberIDChar’)@lists.osr.com
>
> —
> You are currently subscribed to ntfsd as: xxxxx@osr.com
> To unsubscribe send a blank email to leave-ntfsd-$subst(‘Recip.MemberIDChar’)@lists.osr.com
>
> —
> You are currently subscribed to ntfsd as: xxxxx@macrovisioneurope.com
> To unsubscribe send a blank email to leave-ntfsd-$subst(‘Recip.MemberIDChar’)@lists.osr.com
>
>
>
> PRIVACY AND CONFIDENTIALITY NOTICE
> This email and any attachments are confidential and may also be privileged.
> If you have received this message by mistake, please contact us immediately
> and then delete the message from your system. You must not copy,
> distribute, disclose or act upon the contents of this email.
> This e-mail and/or any replies to it, and any attachments may be
> intercepted, copied or monitored by Macrovision Europe Limited for the
> purposes set out in the Telecommunications (Lawful Business Practices)
> (Interception of Communications) Regulations 2000.
>
> —
> You are currently subscribed to ntfsd as: xxxxx@osr.com
> To unsubscribe send a blank email to leave-ntfsd-$subst(‘Recip.MemberIDChar’)@lists.osr.com
>
> —
> You are currently subscribed to ntfsd as: $subst(‘Recip.EmailAddr’)
> To unsubscribe send a blank email to leave-ntfsd-$subst(‘Recip.MemberIDChar’)@lists.osr.com

—
You are currently subscribed to ntfsd as: $subst(‘Recip.EmailAddr’)
To unsubscribe send a blank email to leave-ntfsd-$subst(‘Recip.MemberIDChar’)@lists.osr.com

Can you tell us what the problem was? This could help others to make a
workaround, perhaps.
Although the problem in your case is on Symantec’s side, the real world won’t
take that as an excuse for your product not working with NAV:-)))

Regards, Dejan.

xxxxx@storactive.com wrote:

The problem occurs on Symantec’s side, this is confirmed (our TechSupport
manager talked to Symantec’s CTO Leo Cohen). The patch is expected ASAP and
would be distributed via LiveUpdate.

–
Kind regards, Dejan M. www.alfasp.com
E-mail: xxxxx@alfasp.com ICQ#: 56570367
Alfa File Monitor - File monitoring library for Win32 developers.
Alfa File Protector - File protection and hiding library for Win32 developers.
Alfa Registry Monitor - Registry monitoring library for Win32 developers.
Alfa Registry Protector - Registry protection library for Win32 developers.

You are currently subscribed to ntfsd as: $subst(‘Recip.EmailAddr’)
To unsubscribe send a blank email to leave-ntfsd-$subst(‘Recip.MemberIDChar’)@lists.osr.com

I implemented a solution of:

For the create IRP I call IoGetRemainingStackSize(), if its less than, say
4K (this is configurable in the registry for my filter) then we complete the
IRP with status STATUS_STACK_OVERFLOW. (NTFS on 2K uses a lot more than I
was expecting, hence the 4k sugestion)

This does not normally result in the user failing to open the file, more of
a case of failing the open that the NAV filter wanted so it could scan it.
Hence the virus scanner will have failed to check for viruses but the user
can still access the file, i.e. its original IRP should be OK. This solution
prevents a BSOD.

My actual soltion was by default to not check the stack size unless the
registry entry existed, that way any customers that report a BSOD can run
our .reg file and try again. Remember that the limits will vary dependent on
the OS, for NT4 I suspect NTFS uses less than the 2000 version so the limit
should be lower.

Of cause this is cheating a little bit as you are failing the create IRP.
The alternative it to process the IRP in a system thread but I have no idea
how to do this yet.

David.

-----Original Message-----
From: Dejan Maksimovic [mailto:xxxxx@alfasp.com]
Sent: 04 January 2002 09:32
To: File Systems Developers
Subject: [ntfsd] Re: Interference with Norton AntiVirus 2002

Can you tell us what the problem was? This could help others to make a
workaround, perhaps.
Although the problem in your case is on Symantec’s side, the real world
won’t
take that as an excuse for your product not working with NAV:-)))

Regards, Dejan.

xxxxx@storactive.com wrote:

The problem occurs on Symantec’s side, this is confirmed (our TechSupport
manager talked to Symantec’s CTO Leo Cohen). The patch is expected ASAP
and
would be distributed via LiveUpdate.

–
Kind regards, Dejan M. www.alfasp.com
E-mail: xxxxx@alfasp.com ICQ#: 56570367
Alfa File Monitor - File monitoring library for Win32 developers.
Alfa File Protector - File protection and hiding library for Win32
developers.
Alfa Registry Monitor - Registry monitoring library for Win32 developers.
Alfa Registry Protector - Registry protection library for Win32 developers.

You are currently subscribed to ntfsd as: xxxxx@macrovisioneurope.com
To unsubscribe send a blank email to leave-ntfsd-$subst(‘Recip.MemberIDChar’)@lists.osr.com

PRIVACY AND CONFIDENTIALITY NOTICE
This email and any attachments are confidential and may also be privileged.
If you have received this message by mistake, please contact us immediately
and then delete the message from your system. You must not copy,
distribute, disclose or act upon the contents of this email.
This e-mail and/or any replies to it, and any attachments may be
intercepted, copied or monitored by Macrovision Europe Limited for the
purposes set out in the Telecommunications (Lawful Business Practices)
(Interception of Communications) Regulations 2000.

You are currently subscribed to ntfsd as: $subst(‘Recip.EmailAddr’)
To unsubscribe send a blank email to leave-ntfsd-$subst(‘Recip.MemberIDChar’)@lists.osr.com

I don’t know the details but the problem seems to be in excessive stack
usage in the IRP completion routine (as also was mentioned by David Wyles
before).

On 01/04/02, “Dejan Maksimovic ” wrote:
> Can you tell us what the problem was? This could help others to make a
> workaround, perhaps.
> Although the problem in your case is on Symantec’s side, the real world won’t
> take that as an excuse for your product not working with NAV:-)))
>
> Regards, Dejan.
>
> xxxxx@storactive.com wrote:
>
> > The problem occurs on Symantec’s side, this is confirmed (our TechSupport
> > manager talked to Symantec’s CTO Leo Cohen). The patch is expected ASAP and
> > would be distributed via LiveUpdate.
>
> –
> Kind regards, Dejan M. www.alfasp.com
> E-mail: xxxxx@alfasp.com ICQ#: 56570367
> Alfa File Monitor - File monitoring library for Win32 developers.
> Alfa File Protector - File protection and hiding library for Win32 developers.
> Alfa Registry Monitor - Registry monitoring library for Win32 developers.
> Alfa Registry Protector - Registry protection library for Win32 developers.
>
>
>
>
>
> —
> You are currently subscribed to ntfsd as: $subst(‘Recip.EmailAddr’)
> To unsubscribe send a blank email to leave-ntfsd-$subst(‘Recip.MemberIDChar’)@lists.osr.com

—
You are currently subscribed to ntfsd as: $subst(‘Recip.EmailAddr’)
To unsubscribe send a blank email to leave-ntfsd-$subst(‘Recip.MemberIDChar’)@lists.osr.com

> For the create IRP I call IoGetRemainingStackSize(), if its less than, say

4K (this is configurable in the registry for my filter) then we complete the
IRP with status STATUS_STACK_OVERFLOW. (NTFS on 2K uses a lot more than I was
expecting, hence the 4k sugestion)

This does not normally result in the user failing to open the file, more of
a case of failing the open that the NAV filter wanted so it could scan it.
Hence the virus scanner will have failed to check for viruses but the user
can still access the file, i.e. its original IRP should be OK. This solution
prevents a BSOD.

My actual soltion was by default to not check the stack size unless the
registry entry existed, that way any customers that report a BSOD can run
our .reg file and try again. Remember that the limits will vary dependent on
the OS, for NT4 I suspect NTFS uses less than the 2000 version so the limit
should be lower.

NT4 has a lower stack limit, too, however.
In my case, users are reporting a hang, but not a BSOD. That’s what scares
me:-)

Of cause this is cheating a little bit as you are failing the create IRP. The
alternative it to process the IRP in a system thread but I have no idea how to
do this yet.

Since the Create IRP has the user token information, I don’t think posting
it to the worker thread would be a problem, even for NTFS, though I never tried
this.

–
Kind regards, Dejan M. www.alfasp.com
E-mail: xxxxx@alfasp.com ICQ#: 56570367
Alfa File Monitor - File monitoring library for Win32 developers.
Alfa File Protector - File protection and hiding library for Win32 developers.
Alfa Registry Monitor - Registry monitoring library for Win32 developers.
Alfa Registry Protector - Registry protection library for Win32 developers.

You are currently subscribed to ntfsd as: $subst(‘Recip.EmailAddr’)
To unsubscribe send a blank email to leave-ntfsd-$subst(‘Recip.MemberIDChar’)@lists.osr.com

My apologies, I have been on vacation (still am) and didn’t realize that I
was no longer receiving NTFSD mailings (something about my status being on
hold??). My thanks to Storactive for sending me an e-mail informing me of
this thread.

NAV 2002 did ship with a bug in its SYMTDI driver. This driver issues a
ZwCreateFile wihtout checking the amount of remaining stack. Hence, adding
filter drivers increases the possibility of overflowing the stack. A fix
was made (it is being tested) that posts this operation to a system thread
and we hope to release it later this month. The patch will be available
via Symantec’s LiveUpdate.

Regards,
Leo Cohen
Chief Architect
Symantec Corporation

You are currently subscribed to ntfsd as: $subst(‘Recip.EmailAddr’)
To unsubscribe send a blank email to leave-ntfsd-$subst(‘Recip.MemberIDChar’)@lists.osr.com