Hi,
I have written mini-filter which hangs on particular win 7(x86) machine.
This mini-filter mainly do following tasks
- Create file notification.
- Process create notification.
I did some kernel debugging and after running cmd
!stacks 2 fltmgr!
I get following info
Proc.Thread .Thread Ticks ThreadState Blocker
Max cache size is : 1048576 bytes (0x400 KB)
Total memory in cache : 0 bytes (0 KB)
Number of regions cached: 0
0 full reads broken into 0 partial reads
counts: 0 cached/0 uncached, 0.00% cached
bytes : 0 cached/0 uncached, 0.00% cached
** Prototype PTEs are implicitly decoded
[83f2fb50 System]
4.00003c 83fa6d48 0000272 Blocked nt!KiSwapContext+0x26
nt!KiSwapThread+0x266
nt!KiCommitThreadWait+0x1df
nt!KeWaitForSingleObject+0x393
nt!ExfWaitForRundownProtectionRelease+0xdc
fltmgr!FltpObjectRundownWait+0x11
fltmgr!FltUnregisterFilter+0xfa
arwflt+0x1235
fltmgr!FltpMiniFilterDriverUnload+0xab
nt!IopLoadUnloadDriver+0x1e
nt!ExpWorkerThread+0x10d
nt!PspSystemThreadStartup+0x9e
nt!KiThreadStartup+0x19
[84e89508 smss.exe]
[856144e8 csrss.exe]
[85663d40 wininit.exe]
[856650a0 csrss.exe]
[8568b170 winlogon.exe]
[856cb820 services.exe]
[856d4798 lsass.exe]
[856d99c0 lsm.exe]
[85845508 svchost.exe]
[85881030 arwsrvc.exe]
[85889960 SCSECSVC.EXE]
[856d3530 VBoxService.ex]
[858c4488 svchost.exe]
[8597c4c8 svchost.exe]
[85a395f0 svchost.exe]
424.000500 855f5030 0002843 Blocked nt!KiSwapContext+0x26
nt!KiSwapThread+0x266
nt!KiCommitThreadWait+0x1df
nt!KeRemoveQueueEx+0x4f8
nt!KeRemoveQueue+0x1b
csc!UpCallRemoveQueueRequest+0x32
csc!CscDclpCreateUpcallItemChangeNotificationInformation+0xa9c
csc!CscDclInternalFsControl+0xa47
csc!CscFsCtl+0x119
rdbss!RxLowIoSubmit+0x24c
rdbss!RxLowIoFsCtlShell+0x18b
rdbss!RxCommonFileSystemControl+0x229
rdbss!RxFsdCommonDispatch+0x646
rdbss!RxFsdDispatch+0x1ab
csc!CscFsdDispatch+0x29e
nt!IofCallDriver+0x63
csc!CscSurrogatePreProcess+0x5fa
mup!MupCallSurrogatePrePost+0xf6
mup!MupStateMachine+0xb1
mup!MupFsControl+0x77
nt!IofCallDriver+0x63
fltmgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x2aa
fltmgr!FltpFsControl+0xe8
nt!IofCallDriver+0x63
nt!IopSynchronousServiceTail+0x1f8
nt!IopXxxControlFile+0x6aa
nt!NtFsControlFile+0x2a
nt!KiFastCallEntry+0x12a
ntdll!KiFastSystemCallRet
[85ae27f0 svchost.exe]
[85aed200 audiodg.exe]
[85b242b0 svchost.exe]
[85b752b8 svchost.exe]
[85c24838 spoolsv.exe]
[84d55d40 svchost.exe]
[85ccd258 BDSSVC.EXE]
[85cd5528 EMLPROXY.EXE]
[85dc1030 SAPISSVC.EXE]
[85d8ec38 svchost.exe]
[85dab248 OPSSVC.EXE]
[85dd5d40 QUHLPSVC.EXE]
[85e2f118 SCANWSCS.EXE]
[84cd8030 taskhost.exe]
[95d35120 sppsvc.exe]
[85aa6030 dwm.exe]
[85a292e8 explorer.exe]
[85980a98 VBoxTray.exe]
*** ERROR: Module load completed but symbols could not be loaded for VBoxGuest.sys
[95de9120 ONLINENT.EXE]
[95e1d090 reader_sl.exe]
[95ec9120 SearchIndexer.]
[8403f120 SearchProtocol]
[840b9120 SearchFilterHo]
[8436f120 cmd.exe]
[8594abe0 conhost.exe]
[95cdd658 sc.exe]
Threads Processed: 737
Max cache size is : 1048576 bytes (0x400 KB)
Total memory in cache : 0 bytes (0 KB)
Number of regions cached: 0
0 full reads broken into 0 partial reads
counts: 0 cached/0 uncached, 0.00% cached
bytes : 0 cached/0 uncached, 0.00% cached
** Transition PTEs are implicitly decoded
** Prototype PTEs are implicitly decoded
So actually whats going on, why my mini-filter is not getting unload?
Thanks