Hello,
I have debugged more information from the bug check stop code
0x00000024.
Scenario: Win2000 Sp2, Explorer.exe dragging and dropping a file from
my
file system onto a
local NTFS volume. Nothing else going on, no file system filters
running.
Result: BugCheck stop 0x00000024
I have attached the text from the debugger containing what I hope is
as
much relevant information
as possible, below, including stack trace disassembly of offending
code,
IRP, file object, ETHREAD structures too.
It appears that there was a write operation and that it is now in the
complete request
and Irp context clean up part of the code. The code calls
IoGetTopLevelIrp
and
the return result is used to save, ReturnPtr+0x14 (if ReturnPtr == Irp
then
it is the ThreadListEntry),
onto the stack and pass it to a call to IoSetTopLevelIrp().
Unfortunately,
IoGetTopLevelIrp() returns NULL in
this case, hence leading to an access violation and the exception
handler
being called.
I am assuming that the code on entry into NTFSWrite calls
IoSetTopLevelIrp
with the
current Irp or some internal data structure and relies on this at the
clean
up context stage.
My question is how or why would a IoSetTopLevelIrp(NULL) get called
for the
thread and cause this failure?
Is this an NTFS bug or is it a result of an earlier error, possibly on
my
part.
Thanks for any help on this,
Steve
[
ChildEBP RetAddr Args to Child
00 f871a804 bff06e3e 8135f7e8 00000001 00000000
Ntfs!NtfsCleanupIrpContext+0xe0 (FPO: [2,0,3])
01 f871a818 bff07c04 8135f7e8 b0f5ce90 00000000
Ntfs!NtfsCompleteRequest+0x32 (FPO: [3,0,2])
02 f871ab94 bff089a3 8135f7e8 b0f5ce90 81746540
Ntfs!NtfsCommonWrite+0x2b15 (FPO: [Non-Fpo])
03 f871abfc 80528156 81746540 b0f5ce90 80064c20 Ntfs!NtfsFsdWrite+0xee
(FPO: [Non-Fpo])
04 f871ac48 804b0512 b0f5cfd8 00000000 b0f5ce90
nt!IovSpecialIrpCallDriver+0xcd (FPO: [Non-Fpo])
05 f871ac5c 804ad73e 81746540 b0f5ce90 812ef6e8
nt!IopSynchronousServiceTail+0x60 (FPO: [Non-Fpo])
06 f871ad38 80465679 000008cc 00000000 00000000 nt!NtWriteFile+0x666
(FPO: [Non-Fpo])
07 f871ad38 77f8286f 000008cc 00000000 00000000
nt!KiSystemService+0xc9 (FPO: [0,0] TrapFrame @ f871ad64)
08 05d5e99c 77f829c0 00070000 00071378 00000045 NTDLL!ZwWriteFile+0xb
(FPO: [9,0,0])
09 05d5e9f8 77f82dc2 77fcf170 77f89472 77f89458
NTDLL!RtlpAllocateFromHeapLookaside+0x40 (FPO: [Non-Fpo])
0a 05d5ea00 77f89472 77f89458 00000208 0000021a
NTDLL!RtlReleasePebLock+0xf (FPO: [0,0,0])
0b 05d5eab4 77f89458 00000208 0000021a 0301a440
NTDLL!RtlGetFullPathName_Ustr+0x7c1 (FPO: [Non-Fpo])
0c 77f89472 ffff9090 0000ffff 946d0000 8b5577f8
NTDLL!RtlGetFullPathName_Ustr+0x7c2 (FPO: [Non-Fpo])
0d 909090c3 ffffffff ffffffff ffffffff ffffffff 0xffff9090
0e ffffffff 00000000 00000000 00000000 00000000 0xffffffff
bff07018 3bc7 cmp eax,edi
bff0701a 0f85ab000000 jne Ntfs!NtfsCleanupIrpContext+0x5c
(bff070cb)
bff07020 395e18 cmp [esi+0x18],ebx
bff07023 0f85c9f6ffff jne Ntfs!NtfsCleanupIrpContext+0x6d
(bff066f2)
bff07029 53 push ebx
bff0702a 56 push esi
bff0702b e872fdffff call Ntfs!NtfsFreeSnapshotsForFcb
(bff06da2)
bff07030 8b4660 mov eax,[esi+0x60]
bff07033 8b3dcc85f1bf mov edi,[Ntfs!_imp__ExFreePool
(bff185cc)]
bff07039 3bc3 cmp eax,ebx
bff0703b 0f854d060100 jne Ntfs!NtfsCleanupIrpContext+0x87
(bff1768e)
bff07041 f6460504 test byte ptr [esi+0x5],0x4
bff07045 0f85a4000000 jne Ntfs!NtfsCleanupIrpContext+0x106
(bff070ef)
bff0704b 8b4e08 mov ecx,[esi+0x8]
bff0704e f7c100000100 test ecx,0x10000
bff07054 0f8595000000 jne Ntfs!NtfsCleanupIrpContext+0x106
(bff070ef)
bff0705a 8b4658 mov eax,[esi+0x58]
bff0705d 3bc3 cmp eax,ebx
bff0705f 7531 jnz Ntfs!NtfsCleanupIrpContext+0xae
(bff07092)
bff07061 f6460a10 test byte ptr [esi+0xa],0x10
bff07065 7419 jz Ntfs!NtfsCleanupIr
pContext+0xf3 (bff07080)
bff07067 ff150c86f1bf call dword ptr [Ntfs!_imp__IoGetTopLevelIrp
(bff1860c)]
-> FAULTING line EAX = 0 returned by IoGetTopLevelIrp
bff0706d ff7014 push dword ptr [eax+0x14]
bff07070 895804 mov [eax+0x4],ebx
bff07073 895818 mov [eax+0x18],ebx
bff07076 ff15b486f1bf call dword ptr [Ntfs!_imp__IoSetTopLevelIrp
(bff186b4)]
bff0707c 80660aef and byte ptr [esi+0xa],0xef
bff07080 f6460a08 test byte ptr [esi+0xa],0x8
bff07084 7534 jnz Ntfs!NtfsCleanupIrpContext+0xf9
(bff070ba)
bff07086 5f pop edi
bff07087 5e pop esi
bff07088 5b pop ebx
bff07089 c20800 ret 0x8
bff0708c 5f pop edi
bff0708d 5e pop esi
bff0708e 5b pop ebx
bff0708f c20800 ret 0x8
bff07092 f6c110 test cl,0x10
bff07095 740d jz Ntfs!NtfsCleanupIrpContext+0xc0
(bff070a4)
bff07097 50 push eax
bff07098 6820b9f1bf push 0xbff1b920
bff0709d e8b4000000 call Ntfs!ExFreeToNPagedLookasideList
(bff07156)
bff070a2 eb11 jmp Ntfs!NtfsCleanupIrpContext+0xd1
(bff070b5)
bff070a4 f6c120 test cl,0x20
bff070a7 740c jz Ntfs!NtfsCleanupIrpContext+0xd1
(bff070b5)
0: kd> !ethread 812ec600
struct _ETHREAD (sizeof=584)
+000 struct _KTHREAD Tcb
+000 struct _DISPATCHER_HEADER Header
+000 byte Type = 06
.
+001 byte Absolute = 00
.
+002 byte Size = 6c
l
+003 byte Inserted = 00
.
+004 int32 SignalState = 00000000
+008 struct _LIST_ENTRY WaitListHead
+008 struct _LIST_ENTRY *Flink = 812EC608
+00c struct _LIST_ENTRY *Blink = 812EC608
+010 struct _LIST_ENTRY MutantListHead
+010 struct _LIST_ENTRY *Flink = 812EC610
+014 struct _LIST_ENTRY *Blink = 812EC610
+018 void *InitialStack = F871B000
+01c void *StackLimit = F8717000
+020 void *Teb = 7FFA8000
+024 void *TlsArray = 00000000
+028 void *KernelStack = F8719F9C
+02c byte DebugActive = 00
.
+02d byte State = 02
.
+02e byte Alerted[2] = 00 00
.
.
+030 byte Iopl = 00
.
+031 byte NpxState = 0a
.
+032 char Saturation = 00
.
+033 char Priority = 09
.
+034 struct _KAPC_STATE ApcState
+034 struct _LIST_ENTRY ApcListHead[2]
+034 ApcListHead[0]
+034 struct _LIST_ENTRY *Flink =
812EC634
+038 struct _LIST_ENTRY *Blink =
812EC634
+03c ApcListHead[1]
+03c struct _LIST_ENTRY *Flink =
812EC63C
+040 struct _LIST_ENTRY *Blink =
812EC63C
+044 struct _KPROCESS *Process = 81498880
+048 byte KernelApcInProgress = 00
.
+049 byte KernelApcPending = 00
.
+04a byte UserApcPending = 00
.
+04c uint32 ContextSwitches = 000000d9
+050 int32 WaitStatus = 00000000
+054 byte WaitIrql = 00
.
+055 char WaitMode = 00
.
+056 byte WaitNext = 00
.
+057 byte WaitReason = 00
.
+058 struct _KWAIT_BLOCK *WaitBlockList = 812EC66C
+05c struct _LIST_ENTRY WaitListEntry
+05c struct _LIST_ENTRY *Flink = 8188DDFC
+060 struct _LIST_ENTRY *Blink = 8188135C
+064 uint32 WaitTime = 0005ba46
+068 char BasePriority = 08
.
+069 byte DecrementCount = 00
.
+06a char PriorityDecrement = 00
.
+06b char Quantum = 14
.
+06c struct _KWAIT_BLOCK WaitBlock[4]
+06c WaitBlock[0]
+06c struct _LIST_ENTRY WaitListEntry
+06c struct _LIST_ENTRY *Flink =
81450638
+070 struct _LIST_ENTRY *Blink =
81450638
+074 struct _KTHREAD *Thread = 812EC600
+078 void *Object = 81450630
+07c struct _KWAIT_BLOCK *NextWaitBlock =
812EC66C
+080 uint16 WaitKey = 0000
+082 uint16 WaitType = 0001
+084 WaitBlock[1]
+084 struct _LIST_ENTRY WaitListEntry
+084 struct _LIST_ENTRY *Flink =
812F18A8
+088 struct _LIST_ENTRY *Blink =
812F18A8
+08c struct _KTHREAD *Thread = 812EC600
+090 void *Object = 812F18A0
+094 struct _KWAIT_BLOCK *NextWaitBlock =
812EC6B4
+098 uint16 WaitKey = 0001
+09a uint16 WaitType = 0001
+09c WaitBlock[2]
+09c struct _LIST_ENTRY WaitListEntry
+09c struct _LIST_ENTRY *Flink =
00000000
+0a0 struct _LIST_ENTRY *Blink =
00000000
+0a4 struct _KTHREAD *Thread = 812EC600
+0a8 void *Object = 00000000
+0ac struct _KWAIT_BLOCK *NextWaitBlock =
00000000
+0b0 uint16 WaitKey = 0000
+0b2 uint16 WaitType = 0000
+0b4 WaitBlock[3]
+0b4 struct _LIST_ENTRY WaitListEntry
+0b4 struct _LIST_ENTRY *Flink =
812EC6F0
+0b8 struct _LIST_ENTRY *Blink =
812EC6F0
+0bc struct _KTHREAD *Thread = 812EC600
+0c0 void *Object = 812EC6E8
+0c4 struct _KWAIT_BLOCK *NextWaitBlock =
812EC66C
+0c8 uint16 WaitKey = 0102
+0ca uint16 WaitType = 0001
+0cc void *LegoData = 00000000
+0d0 uint32 KernelApcDisable = ffffffff
+0d4 uint32 UserAffinity = 00000003
+0d8 byte SystemAffinityActive = 00
.
+0d9 byte PowerState = 03
.
+0da byte NpxIrql = 00
.
+0db byte Pad[1] = 00
.
+0dc void *ServiceTable = 80482860
+0e0 struct _KQUEUE *Queue = 00000000
+0e4 uint32 ApcQueueLock = 00000000
+0e8 struct _KTIMER Timer
+0e8 struct _DISPATCHER_HEADER Header
+0e8 byte Type = 08
.
+0e9 byte Absolute = 00
.
+0ea byte Size = 0a
.
+0eb byte Inserted = 00
.
+0ec int32 SignalState = 00000000
+0f0 struct _LIST_ENTRY WaitListHead
+0f0 struct _LIST_ENTRY *Flink = 812EC6F0
+0f4 struct _LIST_ENTRY *Blink = 812EC6F0
+0f8 union _ULARGE_INTEGER DueTime
+0f8 uint32 LowPart = a812700d
+0fc uint32 HighPart = 0000000d
+0f8 struct __unnamed12 u
+0f8 uint32 LowPart = a812700d
+0fc uint32 HighPart = 0000000d
+0f8 uint64 QuadPart = 0000000da812700d
+100 struct _LIST_ENTRY TimerListEntry
+100 struct _LIST_ENTRY *Flink = 81736318
+104 struct _LIST_ENTRY *Blink = 80482CD8
+108 struct _KDPC *Dpc = 00000000
+10c int32 Period = 00000000
+110 struct _LIST_ENTRY QueueListEntry
+110 struct _LIST_ENTRY *Flink = 00000000
+114 struct _LIST_ENTRY *Blink = 00000000
+118 uint32 Affinity = 00000003
+11c byte Preempted = 00
.
+11d byte ProcessReadyQueue = 00
.
+11e byte KernelStackResident = 01
.
+11f byte NextProcessor = 00
.
+120 void *CallbackStack = 00000000
+124 void *Win32Thread = E22D5448
+128 struct _KTRAP_FRAME *TrapFrame = F871AD64
+12c struct _KAPC_STATE *ApcStatePointer[2] =
812EC634
812EC740
+134 char PreviousMode = 01
.
+135 byte EnableStackSwap = 01
.
+136 byte LargeStack = 01
.
+137 byte ResourceIndex = 00
.
+138 uint32 KernelTime = 00000012
+13c uint32 UserTime = 00000000
+140 struct _KAPC_STATE SavedApcState
+140 struct _LIST_ENTRY ApcListHead[2]
+140 ApcListHead[0]
+140 struct _LIST_ENTRY *Flink =
00000000
+144 struct _LIST_ENTRY *Blink =
00000000
+148 ApcListHead[1]
+148 struct _LIST_ENTRY *Flink =
00000000
+14c struct _LIST_ENTRY *Blink =
00000000
+150 struct _KPROCESS *Process = 00000000
+154 byte KernelApcInProgress = 00
.
+155 byte KernelApcPending = 00
.
+156 byte UserApcPending = 00
.
+158 byte Alertable = 00
.
+159 byte ApcStateIndex = 00
.
+15a byte ApcQueueable = 01
.
+15b byte AutoAlignment = 00
.
+15c void *StackBase = F871B000
+160 struct _KAPC SuspendApc
+160 int16 Type = 0012
+162 int16 Size = 0030
+164 uint32 Spare0 = 00000000
+168 struct _KTHREAD *Thread = 812EC600
+16c struct _LIST_ENTRY ApcListEntry
+16c struct _LIST_ENTRY *Flink = 812EC634
+170 struct _LIST_ENTRY *Blink = 812EC634
+174 function *KernelRoutine = 8043071C
+178 function *RundownRoutine = 00000000
+17c function *NormalRoutine = 80430C8C
+180 void *NormalContext = 00000000
+184 void *SystemArgument1 = 00000000
+188 void *SystemArgument2 = 00000000
+18c char ApcStateIndex = 00
.
+18d char ApcMode = 00
.
+18e byte Inserted = 00
.
+190 struct _KSEMAPHORE SuspendSemaphore
+190 struct _DISPATCHER_HEADER Header
+190 byte Type = 05
.
+191 byte Absolute = 00
.
+192 byte Size = 05
.
+193 byte Inserted = 00
.
+194 int32 SignalState = 00000000
+198 struct _LIST_ENTRY WaitListHead
+198 struct _LIST_ENTRY *Flink = 812EC798
+19c struct _LIST_ENTRY *Blink = 812EC798
+1a0 int32 Limit = 00000002
+1a4 struct _LIST_ENTRY ThreadListEntry
+1a4 struct _LIST_ENTRY *Flink = 812E31C4
+1a8 struct _LIST_ENTRY *Blink = 8130A884
+1ac char FreezeCount = 00
.
+1ad char SuspendCount = 00
.
+1ae byte IdealProcessor = 01
.
+1af byte DisableBoost = 00
.
+1b0 union _LARGE_INTEGER CreateTime
+1b0 uint32 LowPart = 19d75fc0
+1b4 int32 HighPart = 0e0b184a
+1b0 struct __unnamed3 u
+1b0 uint32 LowPart = 19d75fc0
+1b4 int32 HighPart = 0e0b184a
+1b0 int64 QuadPart = 0e0b184a19d75fc0
+1b0 bits0-1 NestedFaultCount = 0
+1b0 bits2-2 ApcNeeded = 0
+1b8 union _LARGE_INTEGER ExitTime
+1b8 uint32 LowPart = 812ec7b8
+1bc int32 HighPart = 812ec7b8
+1b8 struct __unnamed3 u
+1b8 uint32 LowPart = 812ec7b8
+1bc int32 HighPart = 812ec7b8
+1b8 int64 QuadPart = 812ec7b8812ec7b8
+1b8 struct _LIST_ENTRY LpcReplyChain
+1b8 struct _LIST_ENTRY *Flink = 812EC7B8
+1bc struct _LIST_ENTRY *Blink = 812EC7B8
+1c0 int32 ExitStatus = 00000000
+1c0 void *OfsChain = 00000000
+1c4 struct _LIST_ENTRY PostBlockList
+1c4 struct _LIST_ENTRY *Flink = 812EC7C4
+1c8 struct _LIST_ENTRY *Blink = 812EC7C4
+1cc struct _LIST_ENTRY TerminationPortList
+1cc struct _LIST_ENTRY *Flink = E2A3D708
+1d0 struct _LIST_ENTRY *Blink = E2A3D708
+1d4 uint32 ActiveTimerListLock = 00000000
+1d8 struct _LIST_ENTRY ActiveTimerListHead
+1d8 struct _LIST_ENTRY *Flink = 812EC7D8
+1dc struct _LIST_ENTRY *Blink = 812EC7D8
+1e0 struct _CLIENT_ID Cid
+1e0 void *UniqueProcess = 00000608
+1e4 void *UniqueThread = 000009B8
+1e8 struct _KSEMAPHORE LpcReplySemaphore
+1e8 struct _DISPATCHER_HEADER Header
+1e8 byte Type = 05
.
+1e9 byte Absolute = 00
.
+1ea byte Size = 05
.
+1eb byte Inserted = 00
.
+1ec int32 SignalState = 00000000
+1f0 struct _LIST_ENTRY WaitListHead
+1f0 struct _LIST_ENTRY *Flink = 812EC7F0
+1f4 struct _LIST_ENTRY *Blink = 812EC7F0
+1f8 int32 Limit = 00000001
+1fc void *LpcReplyMessage = 00000000
+200 uint32 LpcReplyMessageId = 00000000
+204 uint32 PerformanceCountLow = 00000000
+208 struct _PS_IMPERSONATION_INFORMATION *ImpersonationInfo =
00000000
+20c struct _LIST_ENTRY IrpList
+20c struct _LIST_ENTRY *Flink = B0F5CEA0
+210 struct _LIST_ENTRY *Blink = B0F5CEA0
+214 uint32 TopLevelIrp = 00000000
+218 struct _DEVICE_OBJECT *DeviceToVerify = 00000000
+21c uint32 ReadClusterSize = 00000007
+220 byte ForwardClusterOnly = 00
.
+221 byte DisablePageFaultClustering = 00
.
+222 byte DeadThread = 00
.
+223 byte HideFromDebugger = 00
.
+224 uint32 HasTerminated = 00000000
+228 uint32 GrantedAccess = 001f03ff
+22c struct _EPROCESS *ThreadsProcess = 81498880
+230 void *StartAddress = 77E87532
+234 void *Win32StartAddress = 77C889DD
+234 uint32 LpcReceivedMessageId = 77c889dd
+238 byte LpcExitThreadCalled = 00
.
+239 byte HardErrorsAreDisabled = 00
.
+23a byte LpcReceivedMsgIdValid = 00
.
+23b byte ActiveImpersonationInfo = 00
.
+23c int32 PerformanceCountHigh = 00000000
+240 struct _LIST_ENTRY ThreadListEntry
+240 struct _LIST_ENTRY *Flink = 812E3260
+244 struct _LIST_ENTRY *Blink = 8130A920
======
IRP
======
struct _IRP (sizeof=112)
+00 int16 Type = 0006
+02 uint16 Size = 016c
+04 struct _MDL *MdlAddress = 00000000
+08 uint32 Flags = 40000a00
+0c union __unnamed14 AssociatedIrp
+0c struct _IRP *MasterIrp = 00000000
+0c int32 IrpCount = 00000000
+0c void *SystemBuffer = 00000000
+10 struct _LIST_ENTRY ThreadListEntry
+10 struct _LIST_ENTRY *Flink = 812EC80C
+14 struct _LIST_ENTRY *Blink = 812EC80C
+18 struct _IO_STATUS_BLOCK IoStatus
+18 int32 Status = 00000000
+18 void *Pointer = 00000000
+1c uint32 Information = 0000066c
+20 char RequestorMode = 01
.
+21 byte PendingReturned = 00
.
+22 char StackCount = 07
.
+23 char CurrentLocation = 07
.
+24 byte Cancel = 00
.
+25 byte CancelIrql = 00
.
+26 char ApcEnvironment = 00
.
+27 byte AllocationFlags = 80
.
+28 struct _IO_STATUS_BLOCK *UserIosb = 05D5E948
+2c struct _KEVENT *UserEvent = 00000000
+30 union __unnamed15 Overlay
+30 struct __unnamed16 AsynchronousParameters
+30 function *UserApcRoutine = 00000000
+34 void *UserApcContext = 00000000
+30 union _LARGE_INTEGER AllocationSize
+30 uint32 LowPart = 00000000
+34 int32 HighPart = 00000000
+30 struct __unnamed3 u
+30 uint32 LowPart = 00000000
+34 int32 HighPart = 00000000
+30 int64 QuadPart = 0000000000000000
+38 function *CancelRoutine = 00000000
+3c void *UserBuffer = 05DA0000
+40 union __unnamed17 Tail
+40 struct __unnamed18 Overlay
+40 struct _KDEVICE_QUEUE_ENTRY DeviceQueueEntry
+40 struct _LIST_ENTRY DeviceListEntry
+40 struct _LIST_ENTRY *Flink = 00000000
+44 struct _LIST_ENTRY *Blink = 00000000
+48 uint32 SortKey = 00000000
+4c byte Inserted = 00
.
+40 void *DriverContext[4] = 00000000
00000000
00000000
00000000
+50 struct _ETHREAD *Thread = 812EC600
+54 char *AuxiliaryBuffer = 00000000
+58 struct _LIST_ENTRY ListEntry
+58 struct _LIST_ENTRY *Flink = 00000000
+5c struct _LIST_ENTRY *Blink = 00000000
+60 struct _IO_STACK_LOCATION *CurrentStackLocation =
B0F5CFD8
+60 uint32 PacketType = b0f5cfd8
+64 struct _FILE_OBJECT *OriginalFileObject =
812EF6E8
+40 struct _KAPC Apc
+40 int16 Type = 0000
+42 int16 Size = 0000
+44 uint32 Spare0 = 00000000
+48 struct _KTHREAD *Thread = 00000000
+4c struct _LIST_ENTRY ApcListEntry
+4c struct _LIST_ENTRY *Flink = 00000000
+50 struct _LIST_ENTRY *Blink = 812EC600
+54 function *KernelRoutine = 00000000
+58 function *RundownRoutine = 00000000
+5c function *NormalRoutine = 00000000
+60 void *NormalContext = B0F5CFD8
+64 void *SystemArgument1 = 812EF6E8
+68 void *SystemArgument2 = 00000000
+6c char ApcStateIndex = 00
.
+6d char ApcMode = 00
.
+6e byte Inserted = 00
.
+40 void *CompletionKey = 00000000
======
FILE OBJECT
======
0: kd> !strct _FILE_OBJECT 812EF6E8
struct _FILE_OBJECT (sizeof=112)
+00 int16 Type = 0005
+02 int16 Size = 0070
+04 struct _DEVICE_OBJECT *DeviceObject = 8188E030
+08 struct _VPB *Vpb = 81890448
+0c void *FsContext = E2A43758
+10 void *FsContext2 = E2A438D0
+14 struct _SECTION_OBJECT_POINTERS *SectionObjectPointer =
8133DA94
+18 void *PrivateCacheMap = 815ABE38
+1c int32 FinalStatus = 00000000
+20 struct _FILE_OBJECT *RelatedFileObject = 00000000
+24 byte LockOperation = 00
.
+25 byte DeletePending = 00
.
+26 byte ReadAccess = 00
.
+27 byte WriteAccess = 01
.
+28 byte DeleteAccess = 01
.
+29 byte SharedRead = 00
.
+2a byte SharedWrite = 00
.
+2b byte SharedDelete = 00
.
+2c uint32 Flags = 00041062
+30 struct _UNICODE_STRING FileName
+30 uint16 Length = 0022
+32 uint16 MaximumLength = 0038
+34 uint16 *Buffer = E2A502A8
+38 union _LARGE_INTEGER CurrentByteOffset
+38 uint32 LowPart = 0000066c
+3c int32 HighPart = 00000000
+38 struct __unnamed3 u
+38 uint32 LowPart = 0000066c
+3c int32 HighPart = 00000000
+38 int64 QuadPart = 000000000000066c
+40 uint32 Waiters = 00000000
+44 uint32 Busy = 00000001
+48 void *LastLock = 00000000
+4c struct _KEVENT Lock
+4c struct _DISPATCHER_HEADER Header
+4c byte Type = 01
.
+4d byte Absolute = 00
.
+4e byte Size = 04
.
+4f byte Inserted = 00
.
+50 int32 SignalState = 00000000
+54 struct _LIST_ENTRY WaitListHead
+54 struct _LIST_ENTRY *Flink = 812EF73C
+58 struct _LIST_ENTRY *Blink = 812EF73C
+5c struct _KEVENT Event
+5c struct _DISPATCHER_HEADER Header
+5c byte Type = 00
.
+5d byte Absolute = 00
.
+5e byte Size = 04
.
+5f byte Inserted = 00
.
+60 int32 SignalState = 00000000
+64 struct _LIST_ENTRY WaitListHead
+64 struct _LIST_ENTRY *Flink = 812EF74C
+68 struct _LIST_ENTRY *Blink = 812EF74C
+6c struct _IO_COMPLETION_CONTEXT *CompletionContext =
00000000
======================================================================
You are currently subscribed to ntfsd as: $subst(‘Recip.EmailAddr’)
To unsubscribe send a blank email to leave-ntfsd-$subst(‘Recip.MemberIDChar’)@lists.osr.com