NTFS: Stack space low. Posting create request..

Dear All,

I am working on a security application specifically for Windows 2000 NTFS
file system and have developed a “file system filter driver” to implement
the same. The driver is on similar patterns on what filespy is made (FileSpy
is a sample file system filter driver provided in IFS kit). I am running
this application along with the Norton antivirus application. NAV also
installs a filter driver on the file system (SymEvent.sys)

I am running my application and studying the debug prints from the DebugView
and came to know that it is showing the following error

“NTFS: Stack space low. Posting create request.”

This error comes exactly after I create a file using following code::

///////////////////////////////////////////////////////////////

InitializeObjectAttributes( &objectAttributes,
&linkFullFileNameUnicode,
OBJ_CASE_INSENSITIVE,
NULL,
NULL
);

status = ZwCreateFile ( &ntFileHandle,
SYNCHRONIZE|DELETE|FILE_GENERIC_WRITE|FILE_GENERIC_READ,
&objectAttributes,
&ioStatus,
NULL,
FILE_ATTRIBUTE_NORMAL,
FILE_SHARE_VALID_FLAGS,
FILE_OPEN_IF,
FILE_SYNCHRONOUS_IO_NONALERT|FILE_WRITE_THROUGH,
NULL,
0
);

//////////////////////////////////////////////////////////

According to the previous discussions, one of the reasons of this error is
that if we have used WCHAR arrays in our code . But I have substituted them
by the non-paged memory. But still this debug print is flashing. Although
the system is not crashing. The system doesn’t restart properly.

And Mr. Dan told that:
"While the OP most likely is being injudicious in his use of stack space,
there is another possibility here. SymEvent calls ZwCreateFile in it’s
create dispatch routine If the OP is doing the same, without recognizing the
recursion, then the stack will be recursed to death.

He should look at the stack, and see WHY it is being exhausted. (Use dds to
tear apart the stack after the SymEvent stack switch)."

I think that Mr. Reasoning is also very accurate, but unfortunately I am not
able to understand how to look at the stack. (What is dds??)

The application is working fine but the system doesn’t restart properly when
this application is been run along with NAV. Can you please tell how to
solve this problem?

Regards,
Rohit

I forgot to add another information in the last query that

This set of code is written in the IRP_MJ_SET_INFORMATION and IRP_MJ_WRITE
routines.

Regards,
Rohit

“Rohit Dhamija” wrote in message
news:xxxxx@ntfsd…
> Dear All,
>
> I am working on a security application specifically for Windows 2000 NTFS
> file system and have developed a “file system filter driver” to implement
> the same. The driver is on similar patterns on what filespy is made
(FileSpy
> is a sample file system filter driver provided in IFS kit). I am running
> this application along with the Norton antivirus application. NAV also
> installs a filter driver on the file system (SymEvent.sys)
>
>
> I am running my application and studying the debug prints from the
DebugView
> and came to know that it is showing the following error
>
> “NTFS: Stack space low. Posting create request.”
>
> This error comes exactly after I create a file using following code::
>
> ///////////////////////////////////////////////////////////////
>
> InitializeObjectAttributes( &objectAttributes,
> &linkFullFileNameUnicode,
> OBJ_CASE_INSENSITIVE,
> NULL,
> NULL
> );
>
> status = ZwCreateFile ( &ntFileHandle,
> SYNCHRONIZE|DELETE|FILE_GENERIC_WRITE|FILE_GENERIC_READ,
> &objectAttributes,
> &ioStatus,
> NULL,
> FILE_ATTRIBUTE_NORMAL,
> FILE_SHARE_VALID_FLAGS,
> FILE_OPEN_IF,
> FILE_SYNCHRONOUS_IO_NONALERT|FILE_WRITE_THROUGH,
> NULL,
> 0
> );
>
> //////////////////////////////////////////////////////////
>
>
> According to the previous discussions, one of the reasons of this error is
> that if we have used WCHAR arrays in our code . But I have substituted
them
> by the non-paged memory. But still this debug print is flashing. Although
> the system is not crashing. The system doesn’t restart properly.
>
> And Mr. Dan told that:
> “While the OP most likely is being injudicious in his use of stack space,
> there is another possibility here. SymEvent calls ZwCreateFile in it’s
> create dispatch routine If the OP is doing the same, without recognizing
the
> recursion, then the stack will be recursed to death.
>
> He should look at the stack, and see WHY it is being exhausted. (Use dds
to
> tear apart the stack after the SymEvent stack switch).”
>
> I think that Mr. Reasoning is also very accurate, but unfortunately I am
not
> able to understand how to look at the stack. (What is dds??)
>
> The application is working fine but the system doesn’t restart properly
when
> this application is been run along with NAV. Can you please tell how to
> solve this problem?
>
> Regards,
> Rohit
>
>
>
>

There are several articles we have published in The NT Insider on
walking the stack manually, but the basic technique is to take the stack
and look for a call frame earlier (higher address) in the stack from
SymEvent. Call frames are usually bracketed by an EBP (another address
in the stack, yet numerically higher) and a return address (instruction
after a call). At that point you have the three values you need (EBP,
ESP and EIP).

The “dd” is the debugger command that one uses to display DWORD values
of memory.

If you need more detail, check out the articles (I believe they are on
OSR Online - http://www.osronline.com).

Regards,

Tony Mason
Consulting Partner
OSR Open Systems Resources Inc
http://www.osr.com

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Rohit Dhamija
Sent: Thursday, April 22, 2004 7:37 AM
To: ntfsd redirect
Subject: [ntfsd] NTFS: Stack space low. Posting create request…

Dear All,

I am working on a security application specifically for Windows 2000
NTFS
file system and have developed a “file system filter driver” to
implement
the same. The driver is on similar patterns on what filespy is made
(FileSpy
is a sample file system filter driver provided in IFS kit). I am running
this application along with the Norton antivirus application. NAV also
installs a filter driver on the file system (SymEvent.sys)

I am running my application and studying the debug prints from the
DebugView
and came to know that it is showing the following error

“NTFS: Stack space low. Posting create request.”

This error comes exactly after I create a file using following code::

///////////////////////////////////////////////////////////////

InitializeObjectAttributes( &objectAttributes,
&linkFullFileNameUnicode,
OBJ_CASE_INSENSITIVE,
NULL,
NULL
);

status = ZwCreateFile ( &ntFileHandle,
SYNCHRONIZE|DELETE|FILE_GENERIC_WRITE|FILE_GENERIC_READ,
&objectAttributes,
&ioStatus,
NULL,
FILE_ATTRIBUTE_NORMAL,
FILE_SHARE_VALID_FLAGS,
FILE_OPEN_IF,
FILE_SYNCHRONOUS_IO_NONALERT|FILE_WRITE_THROUGH,
NULL,
0
);

//////////////////////////////////////////////////////////

According to the previous discussions, one of the reasons of this error
is
that if we have used WCHAR arrays in our code . But I have substituted
them
by the non-paged memory. But still this debug print is flashing.
Although
the system is not crashing. The system doesn’t restart properly.

And Mr. Dan told that:
"While the OP most likely is being injudicious in his use of stack
space,
there is another possibility here. SymEvent calls ZwCreateFile in it’s
create dispatch routine If the OP is doing the same, without recognizing
the
recursion, then the stack will be recursed to death.

He should look at the stack, and see WHY it is being exhausted. (Use
dds to
tear apart the stack after the SymEvent stack switch)."

I think that Mr. Reasoning is also very accurate, but unfortunately I am
not
able to understand how to look at the stack. (What is dds??)

The application is working fine but the system doesn’t restart properly
when
this application is been run along with NAV. Can you please tell how to
solve this problem?

Regards,
Rohit

Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: xxxxx@osr.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

A bit side-question - Is the file name in
“linkFullFileNameUnicode” the original file name
or do you use device shadowing ?

If you use the original file name,
remember that the function ZwCreateFile creates another
IRP and sends it throught the whole device stack.
This leads to hell on earth (even more if another filter is on the stack,
e.g. Sr.sys from Windows XP).

L.

linkFullFileNameUnicode is the file name that i am dynamically creating in
the code.
So how to deal with this situation ??
Please comment.

“Ladislav Zezula” wrote in message news:xxxxx@ntfsd…
> A bit side-question - Is the file name in
> “linkFullFileNameUnicode” the original file name
> or do you use device shadowing ?
>
> If you use the original file name,
> remember that the function ZwCreateFile creates another
> IRP and sends it throught the whole device stack.
> This leads to hell on earth (even more if another filter is on the stack,
> e.g. Sr.sys from Windows XP).
>
> L.
>

> linkFullFileNameUnicode is the file name that i am dynamically creating in

the code.
So how to deal with this situation ??

Oh, well, but comes it from the name given to your filter
from upper driver/IO manager (namely the device name)
or do you replace the device name by your shadow device name ?

If you use the original name (e.g. \Device\Harddiskvolume1\Autoexec.bat),
this will lead to recursion, deadlocks and another bad things.

In that case, you have to use device shadowing (very nicely described
in http://www.osronline.com/article.cfm?article=258.

BUT, I am not sure if you can use the file creating within
IRP_MJ_WRITE or IRP_MJ_SET_INFORMATION
at all, maybe someone from OSR knows.

L.

What counts is your device stack. Who/what is above you? Using the ZwXxx()
calls consume a bit of stack. I recommend posting these requests off to a
worker thread to get into passive mode with a larger stack.

Jamey

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Rohit Dhamija
Sent: Thursday, April 22, 2004 4:37 AM
To: Windows File Systems Devs Interest List
Subject: [ntfsd] NTFS: Stack space low. Posting create request…

Dear All,

I am working on a security application specifically for Windows 2000 NTFS
file system and have developed a “file system filter driver” to implement
the same. The driver is on similar patterns on what filespy is made (FileSpy
is a sample file system filter driver provided in IFS kit). I am running
this application along with the Norton antivirus application. NAV also
installs a filter driver on the file system (SymEvent.sys)

I am running my application and studying the debug prints from the DebugView
and came to know that it is showing the following error

“NTFS: Stack space low. Posting create request.”

This error comes exactly after I create a file using following code::

///////////////////////////////////////////////////////////////

InitializeObjectAttributes( &objectAttributes,
&linkFullFileNameUnicode,
OBJ_CASE_INSENSITIVE,
NULL,
NULL
);

status = ZwCreateFile ( &ntFileHandle,
SYNCHRONIZE|DELETE|FILE_GENERIC_WRITE|FILE_GENERIC_READ,
&objectAttributes,
&ioStatus,
NULL,
FILE_ATTRIBUTE_NORMAL,
FILE_SHARE_VALID_FLAGS,
FILE_OPEN_IF,
FILE_SYNCHRONOUS_IO_NONALERT|FILE_WRITE_THROUGH,
NULL,
0
);

//////////////////////////////////////////////////////////

According to the previous discussions, one of the reasons of this error is
that if we have used WCHAR arrays in our code . But I have substituted them
by the non-paged memory. But still this debug print is flashing. Although
the system is not crashing. The system doesn’t restart properly.

And Mr. Dan told that:
"While the OP most likely is being injudicious in his use of stack space,
there is another possibility here. SymEvent calls ZwCreateFile in it’s
create dispatch routine If the OP is doing the same, without recognizing the
recursion, then the stack will be recursed to death.

He should look at the stack, and see WHY it is being exhausted. (Use dds to
tear apart the stack after the SymEvent stack switch)."

I think that Mr. Reasoning is also very accurate, but unfortunately I am not
able to understand how to look at the stack. (What is dds??)

The application is working fine but the system doesn’t restart properly when
this application is been run along with NAV. Can you please tell how to
solve this problem?

Regards,
Rohit

Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: xxxxx@storagecraft.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

Dear Mr. Zezula,

…It from the name given to your filter from upper driver/IO manager
(namely the device name) or do you replace the device name by your shadow
device name ?

Ans. The name is not given from upper driver I/O Manager, i am creating
this name dynamically in the dispatch routine itself using following code::

int theLinkNo = 1
////////////////////
linkFileName.MaximumLength = 30;
linkFileName.Buffer = ExAllocatePoolWithTag(NonPagedPool,
linkFileName.MaximumLength,‘2leM’);

linkFullFileName.MaximumLength = 50 ;
linkFullFileName.Buffer = ExAllocatePoolWithTag(NonPagedPool,
linkFullFileName.MaximumLength,‘2leM’);

_itow(theLinkNo++,linkFileName.Buffer, 10);

linkFileName.Length = wcslen(linkFileName.Buffer) * sizeof(WCHAR);

RtlInitUnicodeString(&temp,L"\??\c:\RStmp\");
RtlCopyUnicodeString(&linkFullFileName, &temp);

RtlAppendUnicodeStringToString(&linkFullFileName, &linkFileName); // Here
the name is created \??\c:\RStmp\1
RtlInitUnicodeString(&linkFullFileNameUnicode,linkFullFileName.Buffer);
//////////////////////
And then, I use the code to create the file with the name that is given by
my above piece of code.

(I wrote this code because: As soon as user tries to write /rename something
on a file, I create a file on a buffer and copy the entire contents of the
file on which the request has come to the newly created file i have created
in the buffer)

So please guide how to handle this situation.

Regards,
Rohit

“Ladislav Zezula” wrote in message news:xxxxx@ntfsd…
> > linkFullFileNameUnicode is the file name that i am dynamically creating
in
> > the code.
> > So how to deal with this situation ??
>
> Oh, well, but comes it from the name given to your filter
> from upper driver/IO manager (namely the device name)
> or do you replace the device name by your shadow device name ?
>
> If you use the original name (e.g. \Device\Harddiskvolume1\Autoexec.bat),
> this will lead to recursion, deadlocks and another bad things.
>
> In that case, you have to use device shadowing (very nicely described
> in http://www.osronline.com/article.cfm?article=258.
>
> BUT, I am not sure if you can use the file creating within
> IRP_MJ_WRITE or IRP_MJ_SET_INFORMATION
> at all, maybe someone from OSR knows.
>
> L.
>
>

Can “IoCreateFileSpecifyDeviceObjectHint” instead of “ZwCreateFile” API
?
“Jamey Kirby” wrote in message news:xxxxx@ntfsd…
> What counts is your device stack. Who/what is above you? Using the ZwXxx()
> calls consume a bit of stack. I recommend posting these requests off to a
> worker thread to get into passive mode with a larger stack.
>
> Jamey
>
>
> -----Original Message-----
> From: xxxxx@lists.osr.com
> [mailto:xxxxx@lists.osr.com] On Behalf Of Rohit Dhamija
> Sent: Thursday, April 22, 2004 4:37 AM
> To: Windows File Systems Devs Interest List
> Subject: [ntfsd] NTFS: Stack space low. Posting create request…
>
> Dear All,
>
> I am working on a security application specifically for Windows 2000 NTFS
> file system and have developed a “file system filter driver” to implement
> the same. The driver is on similar patterns on what filespy is made
(FileSpy
> is a sample file system filter driver provided in IFS kit). I am running
> this application along with the Norton antivirus application. NAV also
> installs a filter driver on the file system (SymEvent.sys)
>
>
> I am running my application and studying the debug prints from the
DebugView
> and came to know that it is showing the following error
>
> “NTFS: Stack space low. Posting create request.”
>
> This error comes exactly after I create a file using following code::
>
> ///////////////////////////////////////////////////////////////
>
> InitializeObjectAttributes( &objectAttributes,
> &linkFullFileNameUnicode,
> OBJ_CASE_INSENSITIVE,
> NULL,
> NULL
> );
>
> status = ZwCreateFile ( &ntFileHandle,
> SYNCHRONIZE|DELETE|FILE_GENERIC_WRITE|FILE_GENERIC_READ,
> &objectAttributes,
> &ioStatus,
> NULL,
> FILE_ATTRIBUTE_NORMAL,
> FILE_SHARE_VALID_FLAGS,
> FILE_OPEN_IF,
> FILE_SYNCHRONOUS_IO_NONALERT|FILE_WRITE_THROUGH,
> NULL,
> 0
> );
>
> //////////////////////////////////////////////////////////
>
>
> According to the previous discussions, one of the reasons of this error is
> that if we have used WCHAR arrays in our code . But I have substituted
them
> by the non-paged memory. But still this debug print is flashing. Although
> the system is not crashing. The system doesn’t restart properly.
>
> And Mr. Dan told that:
> “While the OP most likely is being injudicious in his use of stack space,
> there is another possibility here. SymEvent calls ZwCreateFile in it’s
> create dispatch routine If the OP is doing the same, without recognizing
the
> recursion, then the stack will be recursed to death.
>
> He should look at the stack, and see WHY it is being exhausted. (Use dds
to
> tear apart the stack after the SymEvent stack switch).”
>
> I think that Mr. Reasoning is also very accurate, but unfortunately I am
not
> able to understand how to look at the stack. (What is dds??)
>
> The application is working fine but the system doesn’t restart properly
when
> this application is been run along with NAV. Can you please tell how to
> solve this problem?
>
> Regards,
> Rohit
>
>
>
>
> —
> Questions? First check the IFS FAQ at
> https://www.osronline.com/article.cfm?id=17
>
> You are currently subscribed to ntfsd as: xxxxx@storagecraft.com
> To unsubscribe send a blank email to xxxxx@lists.osr.com
>
>

> Ans. The name is not given from upper driver I/O Manager, i am creating

this name dynamically in the dispatch routine itself using following
code::

You have either to use device shadowing (see one of my previous
postings for the URL) or follow the advice which Jamey
gave you. This will solve the problem.

L.

Dear Mr Zezula,

Thanks for your reply. Can you please tell what does “shadowing device name”
? And do I need to replace the zwcreatefile by
IoCreateFileSpecifyDeviceObjectHint , (i am developing this application for
windows 2000, will this api work ??)
Regards,
Rohit

“Ladislav Zezula” wrote in message news:xxxxx@ntfsd…
> > linkFullFileNameUnicode is the file name that i am dynamically creating
in
> > the code.
> > So how to deal with this situation ??
>
> Oh, well, but comes it from the name given to your filter
> from upper driver/IO manager (namely the device name)
> or do you replace the device name by your shadow device name ?
>
> If you use the original name (e.g. \Device\Harddiskvolume1\Autoexec.bat),
> this will lead to recursion, deadlocks and another bad things.
>
> In that case, you have to use device shadowing (very nicely described
> in http://www.osronline.com/article.cfm?article=258.
>
> BUT, I am not sure if you can use the file creating within
> IRP_MJ_WRITE or IRP_MJ_SET_INFORMATION
> at all, maybe someone from OSR knows.
>
> L.
>
>

> Thanks for your reply. Can you please tell what does “shadowing device
name”

This is a long story, read the article at OSR.
http://www.osronline.com/article.cfm?article=258

IoCreateFileSpecifyDeviceObjectHint , (i am developing this application
for
windows 2000, will this api work ??)

No, this routine is availabe in WinXP+.

L.

Dear Mr Zezula.,

Thanks a lot. The article is very informative. But there is no code attached
in it , The code that mimics the functionality of
IoCreateFileSpecifyDeviceObjectHint for Windows 2000 support.
Can you send /forward that code ??

Regards,
Rohit
“Ladislav Zezula” wrote in message news:xxxxx@ntfsd…
> > Thanks for your reply. Can you please tell what does “shadowing device
> name”
>
> This is a long story, read the article at OSR.
> http://www.osronline.com/article.cfm?article=258
>
> > IoCreateFileSpecifyDeviceObjectHint , (i am developing this application
> for
> > windows 2000, will this api work ??)
>
> No, this routine is availabe in WinXP+.
>
> L.
>
>
>

Hi

I don’t have it.
You have to write your own code based on information
in that article. But it should not be a problem.

L.