KeRemoveQueue ATTEMPTED_TO_SWITCH_FROM_DPC

RsQUE · May 21, 2025, 6:44pm

I am using an IRP queue as suggested to me in my previous topic.
This piece of code runs in DriverEntry.

LARGE_INTEGER DueTime = {0};
DueTime.QuadPart = RELATIVE(SECONDS(1));

KeInitializeQueue(&IrpQueue, 10);
KeInitializeTimer(&IrpTimer);
KeInitializeDpc(&IrpDpc, &DeferredIrpTimer, NULL);
KeSetTimerEx(&IrpTimer, DueTime, 1000, &IrpDpc);

And this is my DeferredIrpTimer.

UNREFERENCED_PARAMETER(Dpc);
UNREFERENCED_PARAMETER(DeferredContext);
UNREFERENCED_PARAMETER(SystemArgument1);
UNREFERENCED_PARAMETER(SystemArgument2);

ULONG_PTR QueueStatus;
PPENDING_IRP PendingIrp;

QueueStatus = (ULONG_PTR)KeRemoveQueue(&IrpQueue, UserMode, NULL); // ATTEMPTED_TO_SWITCH_FROM_DPC
if (QueueStatus == STATUS_TIMEOUT || QueueStatus == STATUS_USER_APC
|| QueueStatus == STATUS_ABANDONED || QueueStatus == NULL) return;

PendingIrp = CONTAINING_RECORD((PLIST_ENTRY)QueueStatus, PENDING_IRP, List);
....
}

It works in first call, no problem. But BSODs in the second call to the DeferredIrpTimer.
I see the following output from WinDbg !analyze -v:

ATTEMPTED_SWITCH_FROM_DPC (b8)
A wait operation, attach process, or yield was attempted from a DPC routine.
This is an illegal operation and the stack track will lead to the offending
code and original DPC routine.
Arguments:
Arg1: fffff801bcdd0640, Original thread which is the cause of the failure
Arg2: ffffa602e81de040, New thread
Arg3: 0000000000000000, Stack address of the original thread
Arg4: 0000000000000000

Any ideas why it could be?

Tim_Roberts · May 21, 2025, 11:42pm

By specifying NULL for the timeout argument, you are saying you are willing to wait forever, but a thread is not allowed to wait at all at dispatch level. You can pass a LARGE_INTEGER with the value 0 to check whether there is anything queued.

Mark_Roddy · May 22, 2025, 12:59am

Also at DISPATCH_LEVEL you cannot specify usermode.

I have no idea why you are using the Ke*Queue functions. Use a cancel safe queue instead.