KeBugCheck2 under 64bit

I need to hook KeBugCheck2 under 64-bit, but because of MS's PatchGuard it's very hard now, so is there any alternative way?

I have tried KeRegisterBugCheckReasonCallback, but by the time the callback routine is called it is just too late.

Can I use the object manager, or minifiltering?

I hope someone can help me, thanks very much.


You have not stated what problem you are trying to solve. In general,
when a KeBugCheck is called, it is because the kernel has decided it is
FUBARed (F***ed Up Beyond All Recognition, or, in some dialects, Beyond
Any Recovery). Nothing can be trusted to work at this point. Therefore,
it is critical to know what problem you think this is going to solve.

The object manager is completely irrelevant to achieving this goal, and
minifilters apply strictly to IRP-based layers. Since KeBugCheck uses no
objects and generates no IRPs, neither idea could have any relevance.

You can establish a system shutdown callback, but under bugcheck
conditions it is a “best delivery attempt” model and the decision might be
that no delivery should be attempted because of the nature of the error.
A driver should never issue a bugcheck; this is considered extremely
antisocial. Internally, it means long lines of unhappy users queueing up
at your office door; in a product, this act enhances the belief in your
customers that your driver is unreliable. Never forget the lesson of
Diamond Graphics. They built bad drivers, and after a while, potential
customers would react to the brand name very strongly, and no matter how
good the hardware was, nobody was willing to spend money on one of their
cards. Don’t position yourself as the next Diamond Graphics.

Depending on your goal, there are a number of things you could do when
untoward things happen. So unless we know the problem, it is impossible
to suggest a solution. In general, if your solution requires activiti

What do you think you are going to be able to do if this happens? And
what is the real problem that you think this strange implementation
can solve for you?

Inquiring Minds Want To Know.

joe



NTDEV is sponsored by OSR

Visit the list at: http://www.osronline.com/showlists.cfm?list=ntdev

OSR is HIRING!! See http://www.osr.com/careers

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

Hi Joseph, thanks. I want to send the bugcheck code and four parameters to a server through the network (in XP, I can make 70% of them upload to the server).

In XP, I used the hook method, but it's not possible now in 64-bit, and if I put the code in the bugcheck callback it's too late and the network function cannot work (since interrupts are disabled). So do you have good suggestions? You're one of the wise men in this community.

Thank you very much for your attention and effort.

The correct way to achieve this is to get the BSOD information from the event manager and send it to the server. You just happened to still be able to use the network stack in XP. Think about what you would do if the NIC driver crashes. You would lose an instance.

===================
best regards!
zhang pei


I think they are developing some similar product that runs a client in the customer's system and, when a system crash happens, gathers BSOD info to a server. When the system reboots, it could show an automatic analysis UI to the customer, which would make the customer feel good. It's a good idea, but there is a long way to go before it could be really helpful.

===================
best regards!
zhang pei


Pei Zhang, thanks. Yes, if the NIC crashes it cannot, which is why I already mentioned: "in XP, I can make 70% of them upload to the server".

The event manager is not a good way either, since in my special circumstances the whole OS would be restored after reboot.

Anyway, thanks for your feedback.

Can you restore everything except for c:\windows\memory.dmp? Then on the reboot you could check for a previous crash by analyzing the dump file, and upload your data that way.

-p


As has been said, the proper way to report a crash is NOT to do it at the time of the crash.

Upon reboot, check for a bugcheck report record in the system event log. By now the system is in a reliable state (yet), and you can safely send data to your management host.

If this guess is correct, this is what dump files are all about. Trying
to upload one before the crash seems extreme. What I would do would be to
start a service. Each time the service starts, it checks the dump
file(s), and if the timestamp is greater than the last one I uploaded,
upload the new one. Nothing in the system can be trusted when a BugCheck
is called. Nothing. There is no trustworthy way to read or transmit the
dump file. And I don’t mean “trust” as in “secure”, I mean it in the
sense of “no part of the operating system can be trusted to execute
correctly, thus making a bad situation far worse”.
Joe

> I think they are developing some similar product that runs a client in the
> customer's system and, when a system crash happens, gathers BSOD info to a
> server. When the system reboots, it could show an automatic analysis UI to
> the customer, which would make the customer feel good. It's a good idea,
> but there is a long way to go before it could be really helpful.
>
> ===================
> best regards!
> zhang pei

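The post-reboot approach Peter and Joe describe (a service that checks MEMORY.DMP at start, uploads it only if it is newer than the last upload, and reads the bugcheck code and four parameters from the dump header whose signature Joe mentions), as an added Python example that is not from the thread. The marker file, the sample header built by make_test_header, and the offsets taken from the public DUMP_HEADER32/DUMP_HEADER64 layouts are this example's own assumptions.

```python
import struct
from pathlib import Path

# Signatures at the start of a Windows kernel crash dump header:
# "PAGE" + "DUMP" for a 32-bit dump, "PAGE" + "DU64" for a 64-bit dump.
SIG_32 = b"PAGEDUMP"
SIG_64 = b"PAGEDU64"


def parse_bugcheck(header: bytes) -> dict:
    """Return the bugcheck code and its four parameters from a dump header.

    Offsets follow the public DUMP_HEADER32 / DUMP_HEADER64 layouts:
      32-bit: BugCheckCode at 0x28, four ULONG parameters at 0x2C
      64-bit: BugCheckCode at 0x38, four ULONG64 parameters at 0x40
    Raises ValueError when the signature is not a crash dump.
    """
    sig = header[:8]
    if sig == SIG_64:
        code = struct.unpack_from("<I", header, 0x38)[0]
        params = struct.unpack_from("<4Q", header, 0x40)
        arch = "x64"
    elif sig == SIG_32:
        code = struct.unpack_from("<I", header, 0x28)[0]
        params = struct.unpack_from("<4I", header, 0x2C)
        arch = "x86"
    else:
        raise ValueError("not a Windows crash dump header")
    return {"arch": arch, "code": code, "params": list(params)}


def collect_new_crash(dump_path, marker_path):
    """Service-start logic: report the dump only when it is newer than the
    last one uploaded (timestamp kept in marker_path, a hypothetical state
    file). Returns the bugcheck record, or None when nothing new exists."""
    dump_path, marker_path = Path(dump_path), Path(marker_path)
    if not dump_path.is_file():
        return None
    mtime = dump_path.stat().st_mtime
    last = float(marker_path.read_text()) if marker_path.is_file() else 0.0
    if mtime <= last:
        return None
    with dump_path.open("rb") as f:
        record = parse_bugcheck(f.read(0x60))
    record["mtime"] = mtime
    # The upload over the now-healthy network stack would go here; the
    # marker advances only after that succeeds, so a failed upload retries.
    marker_path.write_text(repr(mtime))
    return record


def make_test_header(code, params):
    """Constructed 64-bit header used as sample input (not a real dump)."""
    buf = bytearray(0x60)
    buf[:8] = SIG_64
    struct.pack_into("<I", buf, 0x38, code)
    struct.pack_into("<4Q", buf, 0x40, *params)
    return bytes(buf)
```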

Actually the restore has to also not clobber the pagefile, as that is the
origin of memory.dmp. That works well enough.

Mark Roddy

On Wed, Jul 23, 2014 at 1:01 PM, Peter Wieland wrote:

> Can you restore everything except for c:\windows\memory.dmp? Then on the
> reboot you could check for a previous crash by analyzing the dump file, and
> upload your data that way.
>
> -p
>

On 23-Jul-2014 20:28, xxxxx@broadcom.com wrote:

> As has been said, the proper way to report a crash is NOT to do it at the time of the crash.
>
> Upon reboot, check for a bugcheck report record in the system event log. By now the system is in a reliable state (yet), and you can safely send data to your management host.

What if this is a virtual machine that resets the disk state on restart?

– pa

Thanks for all of your help. As I said, after reboot everything is restored; our system actually does not have a disk at all. It's based on AoE: it treats an image from the server as the disk. You can think of it as HttpDisk, or a diskless system.

So getting the dump after the restore is impossible; I would rather use the current hook way. Actually we already made it work under XP, but for 64-bit we meet a great problem.

So in my later procedure, in the callback function, I would do something to reverse what KeBugCheck2 did, like enabling interrupts …

Anyway, thanks for all of your help.


OK, but the problem is that you cannot rely on any aspect of the system to
be correctly functional at this point. The network stack is toast. The
disk, or virtual disk, system is toast. The memory manager is toast.
Bottom line, there is not a single piece of the system that you can use
for any purpose whatsoever. The dump file is handled by very-low-level
functions that know how to write to the paging file. Upon reboot, the
paging file is examined to see if it contains the “memory dump” signature,
and if it does, its contents are copied to the “official” dump file. Now,
if there were a hook at this lowest level, which makes some very
conservative assumptions and treads VERY lightly on the hardware and
software base, then you could hook that, but you need to be at a very low
level, and have a very basic communication mechanism that does not involve
any operating system component that supports “normal” networking, file
actions, etc. It must not call the allocator to obtain any memory it
needs. It cannot rely on any part of the OS-managed environment, not the
object manager, not the memory manager, etc.

I have worked on these components in other operating systems, and I have
had friends work on them in others. In one, we reserved an entire disk
cylinder to hold the dump image, and wrote it out by I/O operations that
did things like direct writes to controller registers, and poll for
completion, with interrupts very carefully masked off. All of this is
handled for you in a normal OS configuration. When you go to a diskless
configuration, you have to figure out how it is doing this, or provide
components to do this. But I suspect that it is happening at a much lower
level than you are talking about intercepting.
joe



Yes, Joseph, you’re right:
“at a very low level, and have a very basic communication mechanism that does not involve
any operating system component that supports “normal” networking, file
actions, etc.”

So I would like to raise the level and let it have the communication mechanism. If under a tight schedule, this is the one I would like to try, and I can also learn lots of useful stuff while the work is going on.

Thanks.