Hi,
I couldn’t find enough information on NTFSD about the crash I have encountered
for the past two days. My encryption filter driver (running on Win XP SP2)
crashes every time an InstallShield program is run to install a USB
smart card driver. The crash happened on Set EndOfFile to truncate 512 bytes
from the end of a temporary file.
I tried to simulate the crash by writing a user-mode program to truncate
512 bytes from a file of the same size, and it went through successfully.
Below is the crash dump analysis. I appreciate any suggestion on how to
solve this problem. SecureDs is my filter driver, and I am rolling my own
Set EndOfFile IRP when I receive the IRP_MJ_SET_INFORMATION IRP.
Thanks,
SL
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck 24, {1902fe, f7b6f4a8, f7b6f1a4, 8055d34d}
*** WARNING: Unable to verify checksum for iKernel.dll
*** ERROR: Symbol file could not be found. Defaulted to export symbols for iKernel.dll -
*** WARNING: Unable to verify checksum for iscript.dll
*** ERROR: Symbol file could not be found. Defaulted to export symbols for iscript.dll -
*** WARNING: Unable to verify checksum for ctor.dll
*** ERROR: Symbol file could not be found. Defaulted to export symbols for ctor.dll -
*** WARNING: Unable to verify checksum for ISRT.dll
*** ERROR: Symbol file could not be found. Defaulted to export symbols for ISRT.dll -
Probably caused by : memory_corruption
Followup: memory_corruption
kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
NTFS_FILE_SYSTEM (24)
If you see NtfsExceptionFilter on the stack then the 2nd and 3rd
parameters are the exception record and context record. Do a .cxr
on the 3rd parameter and then kb to obtain a more informative stack
trace.
Arguments:
Arg1: 001902fe
Arg2: f7b6f4a8
Arg3: f7b6f1a4
Arg4: 8055d34d
Debugging Details:
EXCEPTION_RECORD: f7b6f4a8 -- (.exr fffffffff7b6f4a8)
ExceptionAddress: 8055d34d (nt!CcCopyRead+0x00000047)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 00000002
Attempt to read from address 00000002
CONTEXT: f7b6f1a4 -- (.cxr fffffffff7b6f1a4)
eax=818a9d38 ebx=ffa56da8 ecx=00000001 edx=ffa3c6e8 esi=00000000 edi=00000000
eip=8055d34d esp=f7b6f570 ebp=f7b6f5ec iopl=0 nv up ei pl zr na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010246
nt!CcCopyRead+0x47:
8055d34d f6460202 test byte ptr [esi+0x2],0x2 ds:0023:00000002=??
Resetting default scope
DEFAULT_BUCKET_ID: INTEL_CPU_MICROCODE_ZERO
ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".
READ_ADDRESS: 00000002
BUGCHECK_STR: 0x24
LAST_CONTROL_TRANSFER: from bada2e31 to 8055d34d
STACK_TEXT:
f7b6f5ec bada2e31 818a9d38 f7b6f634 00000001 nt!CcCopyRead+0x47
f7b6f620 bada17b7 8175ddd8 818712e8 e1fc60d0 Ntfs!NtfsPrepareToShrinkFileSize+0xa3
f7b6f704 bada0e2f 8175ddd8 818712e8 863dee70 Ntfs!NtfsSetEndOfFileInfo+0x144
f7b6f774 bad79ad8 8175ddd8 863dee70 8196f658 Ntfs!NtfsCommonSetInformation+0x477
f7b6f7dc 804eddf9 8196f658 863dee70 806d02e8 Ntfs!NtfsFsdSetInformation+0xa3
f7b6f7ec 8064b5a8 863dee70 863defdc 00000000 nt!IopfCallDriver+0x31
f7b6f810 bae27f45 819702d8 81971040 85fb6e00 nt!IovCallDriver+0xa0
f7b6f824 804eddf9 81970390 84ebcfc8 806d02e8 sr!SrSetInformation+0x179
f7b6f834 8064b5a8 85fe3000 85755000 85fb6e00 nt!IopfCallDriver+0x31
f7b6f858 f80cee96 f7b6f801 0000693e 00000001 nt!IovCallDriver+0xa0
f7b6f8a4 f80c9e19 819702d8 818712e8 0001fa00 SecureDs!KfcSetEndOfFileInformation+0x154 [f:\source\secureds\sys\kfc.c @ 267]
f7b6fb64 f80c77ab 85886f00 85fb6e48 819702d8 SecureDs!LocalLargeFileTruncate1+0x7ea [f:\source\secureds\sys\extension.c @ 4420]
f7b6fbb8 f80db945 85886f00 819702d8 85fb6e48 SecureDs!DoLocalSetEndFile+0x122 [f:\source\secureds\sys\extension.c @ 3707]
f7b6fc68 804eddf9 8173d928 85fb6e48 806d02e8 SecureDs!SecureDiscSetInfo+0x533 [f:\source\secureds\sys\dispatch.c @ 1298]
f7b6fc78 8064b5a8 85fb6fd8 85fb6e58 85fb6e48 nt!IopfCallDriver+0x31
f7b6fc9c 8056f673 f7b6fd64 00123cb4 8056f104 nt!IovCallDriver+0xa0
f7b6fd48 8053c808 000000e4 00123cbc 00123ccc nt!NtSetInformationFile+0x56f
f7b6fd48 7c90eb94 000000e4 00123cbc 00123ccc nt!KiFastCallEntry+0xf8
00123c94 7c90e5e5 7c81f8a9 000000e4 00123cbc ntdll!KiFastSystemCallRet
00123c98 7c81f8a9 000000e4 00123cbc 00123ccc ntdll!NtSetInformationFile+0xc
00123cdc 7756cd22 000000e4 00000000 0001f800 kernel32!SetEndOfFile+0x62
00123d00 7754243c 0001f800 00000000 774edc88 ole32!CFileStream::SetSizeWorker+0x128
00123d14 7754255e 00f83f90 0001f800 00000000 ole32!CFileStream::SetSize+0xa3
00123d34 7754537c 0000000a 00f83624 00f835e4 ole32!CMStream::SetSize+0x74
00123d60 77543a9c 00000003 00f835e4 00f93260 ole32!CFat::Resize+0x5c0
00123d78 77544022 0000000a 00f93260 00f833a8 ole32!CFat::ReserveSects+0x3d
00123f1c 77543ff1 00f835e4 0000000a 00123f68 ole32!CStreamCache::Allocate+0x1d
00123f74 7754820c 000013a0 00000000 00123f9c ole32!CDirectStream::SetSize+0x237
00123f84 775481d1 000013a0 00000000 00000000 ole32!PSStream::SetSize+0x34
00123f9c 77548148 000013a0 00000000 00000002 ole32!CPubStream::SetSize+0x50
00123fd4 00dab0b2 00f93188 000013a0 00000000 ole32!CExposedStream::SetSize+0x90
WARNING: Stack unwind information not available. Following frames may be wrong.
00124040 00db3f34 00e9c9f4 00e16707 001242d0 iKernel+0xb0b2
001246f8 00db3ba3 0000005a 00000007 00124720 iKernel+0x13f34
00124750 00dac692 00e9c9c8 00124798 00000000 iKernel+0x13ba3
0012478c 771273d0 00124730 01ce4970 01ce03e4 iKernel+0xc692
001247ac 771279e0 00e9c4c0 0000002c 00000004 OLEAUT32!DispCallFunc+0x16a
0012483c 77127898 00187788 00e9c4c0 00000000 OLEAUT32!CTypeInfo2::Invoke+0x234
001248cc 00da5518 00187a1c 00e9c4c0 00000004 OLEAUT32!CTypeInfo2::Invoke+0x60a
001248f4 014069ff 00e9c4c0 00000004 01420420 iKernel+0x5518
001249b4 0140702e 00e9c4c0 00000004 00000003 iscript!DllRegisterServer+0xcb1f
00124a54 01406f66 00e9c4c0 015be400 01441f88 iscript!DllRegisterServer+0xd14e
00124aac 01400a2a 00124b08 0166781c 01441f88 iscript!DllRegisterServer+0xd086
00124b4c 01400451 00124b98 01667810 01441f64 iscript!DllRegisterServer+0x6b4a
00124c20 013fd9d9 000000bf 00124d40 013b1fa8 iscript!DllRegisterServer+0x6571
00124c84 0139672f 01441f64 0000004e 0139bbc8 iscript!DllRegisterServer+0x3af9
00124d60 01397f6b 01cee30c 77120000 00000008 ctor!LaunchSetup+0x4e30
00124de0 013984ea 00e77a38 00000002 01397ca8 ctor!LaunchSetup+0x666c
00125030 00dcf633 00125057 001251cc 00e78068 ctor!LaunchSetup+0x6beb
00125044 00deaf0f 001251c7 00e77a38 001251cc iKernel+0x2f633
001251b8 013973e0 00e76bec 001251cc 017d4cf0 iKernel!DllRegisterServer+0xc5c9
FOLLOWUP_IP:
Ntfs!NtfsPrepareToShrinkFileSize+a3
bada2e31 84c0 test al,al
SYMBOL_STACK_INDEX: 1
FOLLOWUP_NAME: MachineOwner
SYMBOL_NAME: Ntfs!NtfsPrepareToShrinkFileSize+a3
MODULE_NAME: Ntfs
IMAGE_NAME: Ntfs.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 41107eea
STACK_COMMAND: .cxr fffffffff7b6f1a4 ; kb
FAILURE_BUCKET_ID: 0x24_Ntfs!NtfsPrepareToShrinkFileSize+a3
BUCKET_ID: 0x24_Ntfs!NtfsPrepareToShrinkFileSize+a3
Followup: MachineOwner