Problem in loading volume filter driver

Hello,

I am a newbie in the driver world. I am trying to develop a volume filter driver. It's just a pass-through driver, and I wrote an INF file which installs this driver. The problem is that after installation the system prompts to restart the box. When I restart it shows a BSOD. I tried to debug through WinDbg but was unable to get the failure cause. WinDbg did output the following things, but I am unable to understand them. Could you please help me out? What might be the cause of the failure?
Thanks in advance.

PassThrough -

NTSTATUS
VolumeFilterDispatchPassThrough (IN PDEVICE_OBJECT pDeviceObject, IN PIRP pIrp)
{
    PDEVICE_EXTENSION pDeviceExtension = (PDEVICE_EXTENSION)pDeviceObject->DeviceExtension;

    DbgPrint ("VolumeFilterDispatch: In PassThrough!");
    KdBreakPoint();

    // Pass the IRP down unchanged: the lower driver reuses our stack location.
    IoSkipCurrentIrpStackLocation (pIrp);
    return IoCallDriver (pDeviceExtension->pLowerDeviceObject, pIrp);
}

WinDbg -

kd> g
IoCreateDevice: Success!! [pFilterDeviceObject:813b3558]IoAttachDeviceToDeviceStack: Success!!
*** Fatal System Error: 0x0000007b
(0xF9E62640,0xC000000E,0x00000000,0x00000000)
Break instruction exception - code 80000003 (first chance)
A fatal system error has occurred.
Debugger entered on first try; Bugcheck callbacks have not been invoked.
A fatal system error has occurred.

Connected to Windows XP 2600 x86 compatible target, ptr64 FALSE
*** ERROR: Symbol file could not be found. Defaulted to export symbols for ntoskrnl.exe -
Loading Kernel Symbols

Loading unloaded module list
Loading User Symbols
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
Use !analyze -v to get detailed debugging information.

BugCheck 7B, {f9e62640, c000000e, 0, 0}
***** Kernel symbols are WRONG. Please fix symbols to do analysis.
Probably caused by : ntoskrnl.exe ( nt!KeDeregisterBugCheckCallback+52d )
Followup: MachineOwner

nt!DbgBreakPointWithStatus+0x4:
8050d064 cc int 3
kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
INACCESSIBLE_BOOT_DEVICE (7b)
During the initialization of the I/O system, it is possible that the driver
for the boot device failed to initialize the device that the system is
attempting to boot from, or it is possible for the file system that is
supposed to read that device to either fail its initialization or to simply
not recognize the data on the boot device as a file system structure that
it recognizes.

Arguments:
Arg1: f9e62640, Pointer to the device object or Unicode string of ARC name
Arg2: c000000e
Arg3: 00000000
Arg4: 00000000

Debugging Details:

***** Kernel symbols are WRONG. Please fix symbols to do analysis.
DEFAULT_BUCKET_ID: DRIVER_FAULT
BUGCHECK_STR: 0x7B
LAST_CONTROL_TRANSFER: from 80522dea to 8050d064

STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
f9e6210c 80522dea 00000003 80087000 e1285b20 nt!DbgBreakPointWithStatus+0x4
f9e624d4 804fc1bb 0000007b f9e62640 c000000e nt!KeDeregisterBugCheckCallback+0x52d
f9e624f4 806879a6 0000007b f9e62640 c000000e nt!KeBugCheckEx+0x19
f9e62654 80673e52 80087000 80087000 00000000 nt!KeSetProfileIrql+0x12bd
f9e626a4 8067f996 80087000 f9e627ec 00034000 nt!IoReportHalResourceUsage+0x2a98
f9e627d0 80088228 80683c64 80088228 00000010 nt!KeFindConfigurationNextEntry+0xb73f
80683c70 4f425245 00004553 00640041 00700061 0x80088228
56504958 00000000 00000000 00000000 00000000 0x4f425245

FOLLOWUP_IP:
nt!KeDeregisterBugCheckCallback+52d
80522dea e8b698feff call nt!ZwYieldExecution+0x287 (8050c6a5)
SYMBOL_STACK_INDEX: 1
FOLLOWUP_NAME: MachineOwner
SYMBOL_NAME: nt!KeDeregisterBugCheckCallback+52d
MODULE_NAME: nt
IMAGE_NAME: ntoskrnl.exe
DEBUG_FLR_IMAGE_TIMESTAMP: 3b7de38f
STACK_COMMAND: kb
BUCKET_ID: WRONG_SYMBOLS
Followup: MachineOwner
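The trace above says "Kernel symbols are WRONG" twice, ends with BUCKET_ID: WRONG_SYMBOLS, and several frames resolve only to bare addresses; in that state the "Probably caused by" line and the frame names are not evidence of anything. As an added example (not code from this thread), the C helper below pulls the bugcheck code and arguments out of !analyze -v text and flags the symbol problem before anyone starts reading the frames. The sample text is a constructed, trimmed copy of the output above; the string patterns it matches are the ones the debugger printed here.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample: a trimmed copy of the 0x7B output posted above, keeping
 * the two "symbols are wrong" indicators and two frames with no symbol. */
const char SAMPLE_ANALYZE[] =
    "BugCheck 7B, {f9e62640, c000000e, 0, 0}\n"
    "***** Kernel symbols are WRONG. Please fix symbols to do analysis.\n"
    "Probably caused by : ntoskrnl.exe ( nt!KeDeregisterBugCheckCallback+52d )\n"
    "kd> !analyze -v\n"
    "INACCESSIBLE_BOOT_DEVICE (7b)\n"
    "DEFAULT_BUCKET_ID: DRIVER_FAULT\n"
    "BUGCHECK_STR: 0x7B\n"
    "\n"
    "STACK_TEXT:\n"
    "WARNING: Stack unwind information not available. Following frames may be wrong.\n"
    "f9e6210c 80522dea 00000003 80087000 e1285b20 nt!DbgBreakPointWithStatus+0x4\n"
    "f9e624d4 804fc1bb 0000007b f9e62640 c000000e nt!KeDeregisterBugCheckCallback+0x52d\n"
    "f9e624f4 806879a6 0000007b f9e62640 c000000e nt!KeBugCheckEx+0x19\n"
    "80683c70 4f425245 00004553 00640041 00700061 0x80088228\n"
    "56504958 00000000 00000000 00000000 00000000 0x4f425245\n"
    "\n"
    "BUCKET_ID: WRONG_SYMBOLS\n"
    "Followup: MachineOwner\n";

#define PARSE_FAILED ((unsigned long)-1)

/* Bugcheck code from the "BugCheck XX, {a1, a2, a3, a4}" line, or PARSE_FAILED. */
unsigned long ParseBugcheckCode(const char *text) {
    const char *p = strstr(text, "BugCheck ");
    unsigned long code;
    if (p == NULL || sscanf(p, "BugCheck %lx,", &code) != 1) return PARSE_FAILED;
    return code;
}

/* Bugcheck argument 0..3 from the same line, or PARSE_FAILED. */
unsigned long ParseBugcheckArg(const char *text, int index) {
    const char *p = strstr(text, "BugCheck ");
    unsigned long code, a[4];
    if (index < 0 || index > 3 || p == NULL) return PARSE_FAILED;
    if (sscanf(p, "BugCheck %lx, {%lx, %lx, %lx, %lx}",
               &code, &a[0], &a[1], &a[2], &a[3]) != 5) return PARSE_FAILED;
    return a[index];
}

/* Either indicator the debugger prints when the kernel symbols do not match. */
int SymbolsAreWrong(const char *text) {
    return strstr(text, "Kernel symbols are WRONG") != NULL ||
           strstr(text, "BUCKET_ID: WRONG_SYMBOLS") != NULL;
}

/* Count STACK_TEXT frames whose symbol column is a bare "0x..." address, i.e.
 * frames the debugger could not attribute to any module. Returns -1 if the
 * section is missing. */
int CountUnresolvedFrames(const char *text) {
    const char *p = strstr(text, "STACK_TEXT:");
    int count = 0;
    if (p == NULL || (p = strchr(p, '\n')) == NULL) return -1;
    p++;
    while (*p != '\0' && *p != '\n') {          /* the section ends at a blank line */
        const char *eol = strchr(p, '\n');
        const char *end = eol ? eol : p + strlen(p);
        const char *tok;
        while (end > p && (end[-1] == ' ' || end[-1] == '\r')) end--;
        tok = end;
        while (tok > p && tok[-1] != ' ') tok--;  /* last whitespace-separated token */
        if (end - tok >= 2 && tok[0] == '0' && tok[1] == 'x') count++;
        if (eol == NULL) break;
        p = eol + 1;
    }
    return count;
}

/* Triage verdict: can the stack in this output be trusted at all? */
const char *TriageVerdict(const char *text) {
    if (ParseBugcheckCode(text) == PARSE_FAILED) return "no BugCheck line found";
    if (SymbolsAreWrong(text))
        return "symbols wrong: ignore 'Probably caused by' and the stack; fix the symbol path first";
    if (strstr(text, "Stack unwind information not available") != NULL ||
        CountUnresolvedFrames(text) > 0)
        return "partial symbols: frames below the WARNING line are unreliable";
    return "symbols ok: stack can be read as-is";
}

int main(void) {
    printf("bugcheck 0x%lx, arg2 0x%lx\n",
           ParseBugcheckCode(SAMPLE_ANALYZE), ParseBugcheckArg(SAMPLE_ANALYZE, 1));
    printf("unresolved frames: %d\n", CountUnresolvedFrames(SAMPLE_ANALYZE));
    printf("verdict: %s\n", TriageVerdict(SAMPLE_ANALYZE));
    return 0;
}
```

The verdict is deliberately coarse: the point is to stop an analyst from acting on a frame name such as nt!KeDeregisterBugCheckCallback+52d when the debugger itself has said the symbols are wrong. Arg2 of a 0x7B is still meaningful without symbols, since it is the status the mount returned.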

You fail something in the SystemRoot disk stack, which causes SystemRoot to
be unmountable.

Update your kernel symbols, they are wrong.


Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com


As a wild guess (beyond Maxim’s earlier reply), 0xC000000E is STATUS_NO_SUCH_DEVICE. Did you return this from AddDevice (or whatever produced those messages about IoCreateDevice and IoAttachDeviceToDeviceStack)? Or from a dispatch?

Thanks for your reply!!

The problem was, I failed to initialize the last Major Function. I just missed
the '=' condition with IRP_MJ_MAXIMUM_FUNCTION in my Major Function
initialization code, as below:

    // As posted: '<' stops one entry short of MajorFunction[IRP_MJ_MAXIMUM_FUNCTION]
    for (cnt = 0; cnt < IRP_MJ_MAXIMUM_FUNCTION; cnt++) {
        pDriverObject->MajorFunction[cnt] = VolumeFilterDispatchPassThrough;
    }

Now it's running fine, except VolumeFilterWritePassThrough is crashing. Even
though it's just a pass-through, my driver is crashing after handling an
IRP_MJ_WRITE request.
It errors out as Access Violation!!
What is the driver reading? Is it the write buffer?

NTSTATUS
VolumeFilterWritePassThrough (IN PDEVICE_OBJECT pDeviceObject, IN PIRP pIrp)
{
    DbgPrint ("VolumeFilter: In DiskFilterWrite!");
    KdBreakPoint();

    // Pass the write down unchanged to the next lower device in the stack.
    IoSkipCurrentIrpStackLocation (pIrp);
    return IoCallDriver (((PDEVICE_EXTENSION)pDeviceObject->DeviceExtension)->pLowerDeviceObject,
                         pIrp);
}

Will update the symbols soon :-)
WINDBG Trace -

WinDbg - kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
FAT_FILE_SYSTEM (23)
If you see FatExceptionFilter on the stack then the 2nd and 3rd
parameters are the exception record and context record. Do a .cxr
on the 3rd parameter and then kb to obtain a more informative stack
trace.
Arguments:
Arg1: 000e0100
Arg2: f9e61e50
Arg3: f9e61b50
Arg4: f9a9baf3

Debugging Details:

***** Kernel symbols are WRONG. Please fix symbols to do analysis.

EXCEPTION_RECORD: f9e61e50 -- (.exr fffffffff9e61e50)
ExceptionAddress: f9a9baf3 (CLASSPNP!ClassResetMediaChangeTimer+0x0000003a)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 00000018
Attempt to read from address 00000018

CONTEXT: f9e61b50 -- (.cxr fffffffff9e61b50)
eax=813ad108 ebx=00000200 ecx=00000000 edx=81390008 esi=813ad008 edi=81392728
eip=f9a9baf3 esp=f9e61f18 ebp=f9e61f38 iopl=0 nv up ei ng nz na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000286
CLASSPNP!ClassResetMediaChangeTimer+0x3a:
f9a9baf3 8b7918 mov edi,[ecx+0x18]
Resetting default scope

DEFAULT_BUCKET_ID: DRIVER_FAULT
BUGCHECK_STR: 0x23
LAST_CONTROL_TRANSFER: from f9a9c0b3 to f9a9baf3

STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
f9e61f38 f9a9c0b3 81392670 813ad008 813ad008 CLASSPNP!ClassResetMediaChangeTimer+0x3a
f9e61f5c 804ec04f 81392670 00000000 813a7b58 CLASSPNP!ClassResetMediaChangeTimer+0x5fa
f9e61f7c 804ec04f 81392448 813ad008 813ad12c nt!IofCallDriver+0x2d
f9e61fa8 804ec04f 813a5bb8 813ad008 813ad16c nt!IofCallDriver+0x2d
f9e61fcc 804ec04f 813a57a8 813ad008 813a59a0 nt!IofCallDriver+0x2d
f9e61fe4 804ec04f 813a5580 813ad008 813ad008 nt!IofCallDriver+0x2d
f9e6206c f996fac0 813a6258 81385950 00000001 nt!IofCallDriver+0x2d
f9e6209c f9975469 813a6258 81385b20 81385b40 Fastfat+0xac0
f9e620f8 f998a9c7 813a6258 e1275bd8 00001780 Fastfat+0x6469
f9e62338 f9981b24 813a6258 813a2008 81385950 Fastfat+0x1b9c7
f9e6238c f9975650 813a6258 813a2008 813a2190 Fastfat+0x12b24
f9e623d0 804ec04f 81385858 813a2008 813a21b4 Fastfat+0x6650
f9e624c4 f99a0448 81385cc8 813a2008 813a2198 nt!IofCallDriver+0x2d
f9e624e0 804ec04f 81385cc8 813a2008 00000000 sr+0xd448
f9e625a0 804d4e91 8000006c f9e6266c e12730d0 nt!IofCallDriver+0x2d
f9e625bc f9e625e4 0040003e 80684616 0010000e nt!KeInitializeInterrupt+0xa7c
813c7bf8 80542b20 00000000 00000000 00000000 0xf9e625e4
813c7ca8 813c7bf8 00000000 00000000 00000000 nt!CcFastReadWait+0xbe8
813c7ce0 813c7ca8 00000000 00000000 00000000 0x813c7bf8
813c7d18 813c7ce0 00000000 00000000 00000000 0x813c7ca8
813c7d50 813c7d18 00000000 00000000 00000000 0x813c7ce0
80541e38 813c7d50 00000000 00000000 00000000 0x813c7d18
80548b40 80541e38 00000000 00000000 00000000 0x813c7d50
813c7750 80548b40 00000000 00000000 00000000 nt!KeI386MachineType+0x3744
813c7788 813c7750 00000000 00000000 00000000 nt!ExSemaphoreObjectType+0x160

FOLLOWUP_IP:
CLASSPNP!ClassResetMediaChangeTimer+3a
f9a9baf3 8b7918 mov edi,[ecx+0x18]
SYMBOL_STACK_INDEX: 0
FOLLOWUP_NAME: MachineOwner
SYMBOL_NAME: CLASSPNP!ClassResetMediaChangeTimer+3a
MODULE_NAME: CLASSPNP
IMAGE_NAME: CLASSPNP.SYS
DEBUG_FLR_IMAGE_TIMESTAMP: 3b7dc5af
STACK_COMMAND: .cxr fffffffff9e61b50 ; kb
BUCKET_ID: WRONG_SYMBOLS
Followup: MachineOwner
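Why the missing '=' was enough to produce a 0x7B: IRP_MJ_MAXIMUM_FUNCTION is 0x1b, which is also the value of IRP_MJ_PNP, and the kernel sizes DRIVER_OBJECT.MajorFunction[] as IRP_MJ_MAXIMUM_FUNCTION + 1 entries, each pre-filled with a handler that fails the IRP with STATUS_INVALID_DEVICE_REQUEST. A loop that stops at '<' leaves exactly the PnP slot on that reject handler, so the filter never starts and the volume under SystemRoot cannot be mounted. The following is an added host-side model of that table, not driver code from the thread and not something that runs in a kernel: the constants are the real header values, while the IRP, DRIVER_OBJECT and default-handler types are simplified stand-ins (assumptions). It shows the loop as posted beside the corrected one, with a coverage check a pass-through filter should pass before it is installed on a boot-critical stack.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Real ntddk.h values: IRP_MJ_PNP is the last major function code and
 * IRP_MJ_MAXIMUM_FUNCTION is the same number, so the dispatch table has
 * IRP_MJ_MAXIMUM_FUNCTION + 1 slots. */
#define IRP_MJ_WRITE            0x04
#define IRP_MJ_PNP              0x1b
#define IRP_MJ_MAXIMUM_FUNCTION 0x1b

typedef int32_t NTSTATUS;
#define STATUS_SUCCESS                ((NTSTATUS)0x00000000)
#define STATUS_INVALID_DEVICE_REQUEST ((NTSTATUS)0xC0000010)
#define NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0)

/* Simplified stand-ins (assumptions): only the fields this model needs. */
typedef struct _IRP { unsigned char MajorFunction; } IRP, *PIRP;
typedef NTSTATUS (*PDRIVER_DISPATCH)(PIRP Irp);
typedef struct _DRIVER_OBJECT {
    PDRIVER_DISPATCH MajorFunction[IRP_MJ_MAXIMUM_FUNCTION + 1];
} DRIVER_OBJECT, *PDRIVER_OBJECT;

/* Stand-in for the kernel's default handler (IopInvalidDeviceRequest), which
 * rejects any IRP the driver did not claim a slot for. */
static NTSTATUS DefaultInvalidRequest(PIRP Irp) {
    (void)Irp;
    return STATUS_INVALID_DEVICE_REQUEST;
}

/* Stand-in for VolumeFilterDispatchPassThrough; the real one skips the stack
 * location and calls the lower device, here it simply succeeds. */
static NTSTATUS PassThrough(PIRP Irp) {
    (void)Irp;
    return STATUS_SUCCESS;
}

/* What the I/O manager has already done before DriverEntry runs. */
static void PrefillDispatchTable(PDRIVER_OBJECT Driver) {
    for (size_t i = 0; i <= IRP_MJ_MAXIMUM_FUNCTION; i++)
        Driver->MajorFunction[i] = DefaultInvalidRequest;
}

/* The loop as posted: '<' stops one slot short, so MajorFunction[0x1b]
 * (IRP_MJ_PNP) keeps the reject handler. */
static void InstallDispatchBuggy(PDRIVER_OBJECT Driver) {
    for (int cnt = 0; cnt < IRP_MJ_MAXIMUM_FUNCTION; cnt++)
        Driver->MajorFunction[cnt] = PassThrough;
}

/* The corrected loop: '<=' covers every slot, IRP_MJ_PNP included. */
static void InstallDispatchFixed(PDRIVER_OBJECT Driver) {
    for (int cnt = 0; cnt <= IRP_MJ_MAXIMUM_FUNCTION; cnt++)
        Driver->MajorFunction[cnt] = PassThrough;
}

static void BuildDriver(PDRIVER_OBJECT Driver, int UseFixedLoop) {
    PrefillDispatchTable(Driver);
    if (UseFixedLoop) InstallDispatchFixed(Driver);
    else              InstallDispatchBuggy(Driver);
}

/* Coverage check: how many slots still point at the reject handler?
 * For a pass-through filter the answer must be zero. */
int UnhandledSlotsAfterInstall(int UseFixedLoop) {
    DRIVER_OBJECT drv;
    int unhandled = 0;
    BuildDriver(&drv, UseFixedLoop);
    for (size_t i = 0; i <= IRP_MJ_MAXIMUM_FUNCTION; i++)
        if (drv.MajorFunction[i] == DefaultInvalidRequest) unhandled++;
    return unhandled;
}

/* Simulate the I/O manager delivering one IRP with the given major code. */
NTSTATUS StatusAfterInstall(int UseFixedLoop, unsigned char Major) {
    DRIVER_OBJECT drv;
    IRP irp;
    BuildDriver(&drv, UseFixedLoop);
    irp.MajorFunction = Major;
    return drv.MajorFunction[Major](&irp);
}

int main(void) {
    printf("buggy loop: %d unhandled slot(s); IRP_MJ_PNP -> 0x%08x, IRP_MJ_WRITE -> 0x%08x\n",
           UnhandledSlotsAfterInstall(0),
           (unsigned)StatusAfterInstall(0, IRP_MJ_PNP),
           (unsigned)StatusAfterInstall(0, IRP_MJ_WRITE));
    printf("fixed loop: %d unhandled slot(s); IRP_MJ_PNP -> 0x%08x\n",
           UnhandledSlotsAfterInstall(1),
           (unsigned)StatusAfterInstall(1, IRP_MJ_PNP));
    return 0;
}
```

The asymmetry is what makes this bug hard to see from the crash alone: reads, writes and device controls all flow through the filter, so the DbgPrint lines in the thread fire as expected, while the one rejected IRP is the PnP start request that decides whether the device below ever becomes usable.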


Fix your symbols.

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:bounce-283497-
xxxxx@lists.osr.com] On Behalf Of Jhon Nash
Sent: Friday, April 13, 2007 7:40 AM
To: Windows System Software Devs Interest List
Subject: Re:[ntdev] Problem in loading volume filter driver


Hi,
My dispatch write 'VolumeFilterWritePassThrough' is crashing. Even though it's just a pass-through, my driver is crashing after handling an IRP_MJ_WRITE request.
It errors out as Access Violation!! What is the driver reading? Is it the write buffer?
Please help me out!!

WINDBG -
kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

FAT_FILE_SYSTEM (23)
If you see FatExceptionFilter on the stack then the 2nd and 3rd
parameters are the exception record and context record. Do a .cxr
on the 3rd parameter and then kb to obtain a more informative stack
trace.
Arguments:
Arg1: 000e0100
Arg2: f9e61e50
Arg3: f9e61b50
Arg4: f9a9baf3

Debugging Details:

EXCEPTION_RECORD: f9e61e50 -- (.exr fffffffff9e61e50)
ExceptionAddress: f9a9baf3 (CLASSPNP!ClassResetMediaChangeTimer+0x0000003a)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 00000018
Attempt to read from address 00000018

CONTEXT: f9e61b50 -- (.cxr fffffffff9e61b50)
eax=813ad108 ebx=00000200 ecx=00000000 edx=81390008 esi=813ad008 edi=813919b8
eip=f9a9baf3 esp=f9e61f18 ebp=f9e61f38 iopl=0 nv up ei ng nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000286
CLASSPNP!ClassResetMediaChangeTimer+0x3a:
f9a9baf3 8b7918 mov edi,dword ptr [ecx+18h] ds:0023:00000018=???
Resetting default scope

PROCESS_NAME: System

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at “0x%08lx” referenced memory at “0x%08lx”. The memory could not be “%s”.
READ_ADDRESS: 00000018
BUGCHECK_STR: 0x23
DEFAULT_BUCKET_ID: NULL_CLASS_PTR_DEREFERENCE
LAST_CONTROL_TRANSFER: from f9a9c0b3 to f9a9baf3
STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
f9e61f38 f9a9c0b3 81391900 813ad008 813ad008 CLASSPNP!ClassResetMediaChangeTimer+0x3a
f9e61f5c 804ec04f 81391900 00000000 813a7b58 CLASSPNP!ClassResetMediaChangeTimer+0x5fa
f9e61f6c f9cd3537 81386ee8 813916d8 f9e61fa8 nt!IopfCallDriver+0x31
f9e61f7c 804ec04f 813916d8 813ad008 813ad12c PartMgr+0x537
f9e61f8c f99e01c6 813ad148 81389d90 813ad008 nt!IopfCallDriver+0x31
f9e61fa8 804ec04f 81386e30 813ad008 813ad16c ftdisk+0x11c6
f9e61fb8 f9a7ba4b 00000000 813a3b10 813a7a60 nt!IopfCallDriver+0x31
f9e61fcc 804ec04f 81386a20 813ad008 81386c18 VolSnap+0xa4b
f9e61fdc fa0137d8 f9e6206c 804ec04f 813867f8 nt!IopfCallDriver+0x31
f9e61fe4 804ec04f 813867f8 813ad008 813ad008 volfltr!VolumeFilterWrite+0x45 [g:\aniket\sourcecodes\volumefilter\volfltr.c @ 169]
f9e61ff4 f996fa88 f9972478 813a3b10 813a3d28 nt!IopfCallDriver+0x31
f9e6206c f996fac0 813db730 813a3b10 00000001 Fastfat+0xa88
f9e6209c f9975469 813db730 813a3ce0 813a3d00 Fastfat+0xac0
f9e620f8 f998a9c7 813db730 e1275bd8 00001780 Fastfat+0x6469
f9e62338 f9981b24 813db730 813a3008 813a3b10 Fastfat+0x1b9c7
f9e6238c f9975650 813db730 813a3008 813a3190 Fastfat+0x12b24
f9e623d0 804ec04f 813a3a18 813a3008 813a31b4 Fastfat+0x6650
f9e623e0 f999fcf8 813a3008 00000040 00000000 nt!IopfCallDriver+0x31
f9e624c4 f99a0448 813a3e88 813a3008 813a3198 sr+0xccf8
f9e624e0 804ec04f 813a3e88 813a3008 00000000 sr+0xd448
f9e624f0 8055ec4c f9e625bc f9e62648 8058181d nt!IopfCallDriver+0x31
f9e625a0 804d4e91 8000006c f9e6266c e12730d0 nt!NtSetInformationFile+0x53f
f9e625a0 8050bff7 8000006c f9e6266c e12730d0 nt!KiSystemService+0xc4
f9e6262c 80688ce2 8000006c f9e6266c e12730d0 nt!ZwSetInformationFile+0x11
f9e62678 8067e5d0 f9e6269c f9e6268c 00000000 nt!IopFileUtilRename+0xc7
f9e626ac 8067f9b5 00034000 00000000 00000000 nt!PpLastGoodDoBootProcessing+0x5f
f9e62844 80680727 80087000 00000000 813ce790 nt!IoInitSystem+0x651
f9e62dac 80559026 80087000 00000000 00000000 nt!Phase1Initialization+0x83b
f9e62ddc 8050f513 806800f7 80087000 00000000 nt!PspSystemThreadStartup+0x34
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16

FOLLOWUP_IP:
CLASSPNP!ClassResetMediaChangeTimer+3a
f9a9baf3 8b7918 mov edi,dword ptr [ecx+18h]

SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: CLASSPNP!ClassResetMediaChangeTimer+3a
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: CLASSPNP
IMAGE_NAME: CLASSPNP.SYS
DEBUG_FLR_IMAGE_TIMESTAMP: 3b7dc5af
STACK_COMMAND: .cxr 0xfffffffff9e61b50 ; kb
FAILURE_BUCKET_ID: 0x23_CLASSPNP!ClassResetMediaChangeTimer+3a
BUCKET_ID: 0x23_CLASSPNP!ClassResetMediaChangeTimer+3a
Followup: MachineOwner

NTSTATUS
VolumeFilterWritePassThrough (IN PDEVICE_OBJECT pDeviceObject, IN PIRP pIrp)
{
    DbgPrint ("In DiskFilterWrite");
    KdBreakPoint();

    // Pass the write down unchanged to the next lower device in the stack.
    IoSkipCurrentIrpStackLocation (pIrp);
    return IoCallDriver (((PDEVICE_EXTENSION)pDeviceObject->DeviceExtension)->pLowerDeviceObject, pIrp);
}

It still appears that you do not have the correct symbols loaded. Where, for example, is Fastfat!FatFsdWrite on the stack? How do you end up in CLASSPNP!ClassResetMediaChangeTimer without having gone through CLASSPNP!ClassDeviceControl?

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:bounce-283603-
xxxxx@lists.osr.com] On Behalf Of xxxxx@hotmail.com
Sent: Sunday, April 15, 2007 7:55 AM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] Problem in loading volume filter driver

Hi,
My dispatch write 'VolumeFilterWritePassThrough' is crashing. Even
though it's just a pass-through, my driver is crashing after handling
the IRP_MJ_WRITE request.
It errors out as Access Violation!! What is the driver reading? Is it
the write buffer?
Please help me out!!

WINDBG -
kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

FAT_FILE_SYSTEM (23)
If you see FatExceptionFilter on the stack then the 2nd and 3rd
parameters are the exception record and context record. Do a .cxr
on the 3rd parameter and then kb to obtain a more informative stack
trace.
Arguments:
Arg1: 000e0100
Arg2: f9e61e50
Arg3: f9e61b50
Arg4: f9a9baf3

Debugging Details:

EXCEPTION_RECORD: f9e61e50 -- (.exr fffffffff9e61e50)
ExceptionAddress: f9a9baf3 (CLASSPNP!ClassResetMediaChangeTimer+0x0000003a)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 00000018
Attempt to read from address 00000018

CONTEXT: f9e61b50 -- (.cxr fffffffff9e61b50)
eax=813ad108 ebx=00000200 ecx=00000000 edx=81390008 esi=813ad008 edi=813919b8
eip=f9a9baf3 esp=f9e61f18 ebp=f9e61f38 iopl=0 nv up ei ng nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000286
CLASSPNP!ClassResetMediaChangeTimer+0x3a:
f9a9baf3 8b7918 mov edi,dword ptr [ecx+18h] ds:0023:00000018=???
Resetting default scope

PROCESS_NAME: System

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".
READ_ADDRESS: 00000018
BUGCHECK_STR: 0x23
DEFAULT_BUCKET_ID: NULL_CLASS_PTR_DEREFERENCE
LAST_CONTROL_TRANSFER: from f9a9c0b3 to f9a9baf3
STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
f9e61f38 f9a9c0b3 81391900 813ad008 813ad008 CLASSPNP!ClassResetMediaChangeTimer+0x3a
f9e61f5c 804ec04f 81391900 00000000 813a7b58 CLASSPNP!ClassResetMediaChangeTimer+0x5fa
f9e61f6c f9cd3537 81386ee8 813916d8 f9e61fa8 nt!IopfCallDriver+0x31
f9e61f7c 804ec04f 813916d8 813ad008 813ad12c PartMgr+0x537
f9e61f8c f99e01c6 813ad148 81389d90 813ad008 nt!IopfCallDriver+0x31
f9e61fa8 804ec04f 81386e30 813ad008 813ad16c ftdisk+0x11c6
f9e61fb8 f9a7ba4b 00000000 813a3b10 813a7a60 nt!IopfCallDriver+0x31
f9e61fcc 804ec04f 81386a20 813ad008 81386c18 VolSnap+0xa4b
f9e61fdc fa0137d8 f9e6206c 804ec04f 813867f8 nt!IopfCallDriver+0x31
f9e61fe4 804ec04f 813867f8 813ad008 813ad008 volfltr!VolumeFilterWrite+0x45 [g:\aniket\sourcecodes\volumefilter\volfltr.c @ 169]
f9e61ff4 f996fa88 f9972478 813a3b10 813a3d28 nt!IopfCallDriver+0x31
f9e6206c f996fac0 813db730 813a3b10 00000001 Fastfat+0xa88
f9e6209c f9975469 813db730 813a3ce0 813a3d00 Fastfat+0xac0
f9e620f8 f998a9c7 813db730 e1275bd8 00001780 Fastfat+0x6469
f9e62338 f9981b24 813db730 813a3008 813a3b10 Fastfat+0x1b9c7
f9e6238c f9975650 813db730 813a3008 813a3190 Fastfat+0x12b24
f9e623d0 804ec04f 813a3a18 813a3008 813a31b4 Fastfat+0x6650
f9e623e0 f999fcf8 813a3008 00000040 00000000 nt!IopfCallDriver+0x31
f9e624c4 f99a0448 813a3e88 813a3008 813a3198 sr+0xccf8
f9e624e0 804ec04f 813a3e88 813a3008 00000000 sr+0xd448
f9e624f0 8055ec4c f9e625bc f9e62648 8058181d nt!IopfCallDriver+0x31
f9e625a0 804d4e91 8000006c f9e6266c e12730d0 nt!NtSetInformationFile+0x53f
f9e625a0 8050bff7 8000006c f9e6266c e12730d0 nt!KiSystemService+0xc4
f9e6262c 80688ce2 8000006c f9e6266c e12730d0 nt!ZwSetInformationFile+0x11
f9e62678 8067e5d0 f9e6269c f9e6268c 00000000 nt!IopFileUtilRename+0xc7
f9e626ac 8067f9b5 00034000 00000000 00000000 nt!PpLastGoodDoBootProcessing+0x5f
f9e62844 80680727 80087000 00000000 813ce790 nt!IoInitSystem+0x651
f9e62dac 80559026 80087000 00000000 00000000 nt!Phase1Initialization+0x83b
f9e62ddc 8050f513 806800f7 80087000 00000000 nt!PspSystemThreadStartup+0x34
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16

FOLLOWUP_IP:
CLASSPNP!ClassResetMediaChangeTimer+3a
f9a9baf3 8b7918 mov edi,dword ptr [ecx+18h]

SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: CLASSPNP!ClassResetMediaChangeTimer+3a
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: CLASSPNP
IMAGE_NAME: CLASSPNP.SYS
DEBUG_FLR_IMAGE_TIMESTAMP: 3b7dc5af
STACK_COMMAND: .cxr 0xfffffffff9e61b50 ; kb
FAILURE_BUCKET_ID: 0x23_CLASSPNP!ClassResetMediaChangeTimer+3a
BUCKET_ID: 0x23_CLASSPNP!ClassResetMediaChangeTimer+3a
Followup: MachineOwner

NTSTATUS
VolumeFilterWritePassThrough (IN PDEVICE_OBJECT pDeviceObject, IN PIRP pIrp) {

    DbgPrint ("In DiskFilterWrite");
    KdBreakPoint();
    /* Pass the IRP down unchanged: reuse the current stack location for the lower driver */
    IoSkipCurrentIrpStackLocation (pIrp);
    return IoCallDriver (((PDEVICE_EXTENSION)pDeviceObject->DeviceExtension)->pLowerDeviceObject, pIrp);
}


Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer
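Added example, not code from this thread or from the driver under discussion: a small Python triage helper that mechanises the objection in the reply above. It flags STACK_TEXT frames shown only as module+offset (no PDB, or export-only symbols, so the unwind through them cannot be trusted) and classifies the READ_ADDRESS as a NULL structure-pointer dereference. The sample input is constructed from lines of the !analyze -v output quoted in this thread; the one-page threshold for "NULL plus field offset" is an assumption.

```python
import re

# One STACK_TEXT frame as WinDbg prints it for x86: ChildEBP RetAddr Arg1 Arg2 Arg3 Symbol [file @ line]
FRAME_RE = re.compile(
    r"^(?P<child_ebp>[0-9a-f]{8}) (?P<ret_addr>[0-9a-f]{8})"
    r"(?: [0-9a-f]{8}){3} (?P<symbol>\S+)(?: \[.*\])?$"
)

def parse_stack_text(analyze_output: str) -> list[tuple[int, str]]:
    """Return (return address, symbol) for every frame line in the output."""
    frames = []
    for line in analyze_output.splitlines():
        m = FRAME_RE.match(line.strip())
        if m:
            frames.append((int(m["ret_addr"], 16), m["symbol"]))
    return frames

def unresolved_modules(frames: list[tuple[int, str]]) -> list[str]:
    """Modules seen only as module+offset: "nt!IopfCallDriver+0x31" names a function,
    "Fastfat+0xa88" means no usable symbols, so frames unwound through it are unreliable."""
    seen: list[str] = []
    for _, symbol in frames:
        module = symbol.split("!", 1)[0].split("+", 1)[0]
        if "!" not in symbol and module not in seen:
            seen.append(module)
    return seen

def is_null_struct_deref(read_address: int, page_size: int = 0x1000) -> bool:
    # A fault address inside the first page (0x18 here, from "mov edi,[ecx+18h]" with
    # ecx=0) is a NULL structure pointer plus a field offset, not a wild pointer.
    return 0 <= read_address < page_size

def triage(analyze_output: str) -> dict:
    frames = parse_stack_text(analyze_output)
    m = re.search(r"READ_ADDRESS:\s*([0-9a-f]{8})", analyze_output)
    read_address = int(m.group(1), 16) if m else None
    return {
        "frames": len(frames),
        "unresolved_modules": unresolved_modules(frames),
        "read_address": read_address,
        "null_struct_deref": read_address is not None and is_null_struct_deref(read_address),
    }

# Constructed sample: a few lines copied from the !analyze -v output in this thread.
SAMPLE = """READ_ADDRESS: 00000018
f9e61f38 f9a9c0b3 81391900 813ad008 813ad008 CLASSPNP!ClassResetMediaChangeTimer+0x3a
f9e61f7c 804ec04f 813916d8 813ad008 813ad12c PartMgr+0x537
f9e61fe4 804ec04f 813867f8 813ad008 813ad008 volfltr!VolumeFilterWrite+0x45 [g:\\aniket\\volfltr.c @ 169]
f9e6206c f996fac0 813db730 813a3b10 00000001 Fastfat+0xa88
"""
```

Run `triage(SAMPLE)` to get the frame count, the modules needing symbols (PartMgr and Fastfat in the sample) and the NULL-dereference verdict for READ_ADDRESS 0x18.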