Hello,
I am trying to write a simple KMDF driver. After I call WdfDriverCreate in the Entry, the system crashes with a SYSTEM_THREAD_EXCEPTION_NOT_HANDLED.
Does anyone see what is wrong?
Here’s my code:
```c
#include <ntddk.h>
#include <wdf.h>

DRIVER_INITIALIZE DriverEntry;
EVT_WDF_DRIVER_DEVICE_ADD EvtDeviceAdd;
EVT_WDF_DRIVER_UNLOAD EvtDriverUnload;

/* Write a message to the kernel debugger output. */
VOID Print(PCSTR text)
{
    DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_INFO_LEVEL, "%s", text);
}

VOID EvtDriverUnload(WDFDRIVER driver)
{
    UNREFERENCED_PARAMETER(driver);
    Print("Driver Unload\n");
}

NTSTATUS EvtDeviceAdd(WDFDRIVER driver, PWDFDEVICE_INIT deviceInit)
{
    UNREFERENCED_PARAMETER(driver);
    WDFDEVICE device;

    Print("EvtDeviceAdd Called\n");
    WdfDeviceInitSetDeviceType(deviceInit, FILE_DEVICE_UNKNOWN);

    NTSTATUS status = WdfDeviceCreate(&deviceInit, WDF_NO_OBJECT_ATTRIBUTES, &device);
    if (!NT_SUCCESS(status))
    {
        Print("WdfDeviceCreate failed\n");
        return status;
    }

    Print("Virtual device created successfully\n");
    return STATUS_SUCCESS;
}

NTSTATUS DriverEntry(PDRIVER_OBJECT driverObject, PUNICODE_STRING registryPath)
{
    Print("DriverEntry\n");

    WDF_DRIVER_CONFIG config;
    WDF_DRIVER_CONFIG_INIT(&config, EvtDeviceAdd);
    config.EvtDriverUnload = EvtDriverUnload;

    /* WdfDriverCreate crashes */
    NTSTATUS status = WdfDriverCreate(driverObject, registryPath, WDF_NO_OBJECT_ATTRIBUTES, &config, WDF_NO_HANDLE);
    return status;
}
```
There’s nothing wrong with this code. EXACTLY how did you install this? INF file? Command line? Perhaps you should post the dump file analysis.
I am installing the driver as a service, and when starting it, it crashes with SYSTEM_THREAD_EXCEPTION_NOT_HANDLED.
This is the dump:
DriverEntry
KDTARGET: Refreshing KD connection
*** Fatal System Error: 0x0000007e
(0xFFFFFFFFC0000005,0xFFFFF8016A8B10F8,0xFFFFE682B3D8F478,0xFFFFE682B3D8EC60)
Break instruction exception - code 80000003 (first chance)
A fatal system error has occurred.
Debugger entered on first try; Bugcheck callbacks have not been invoked.
A fatal system error has occurred.
For analysis of this file, run !analyze -v
nt!DbgBreakPointWithStatus:
fffff801`d36fa090 cc int 3
3: kd> !analyze -v
Connected to Windows 10 26100 x64 target at (Sat Oct 18 09:02:14.756 2025 (UTC + 3:00)), ptr64 TRUE
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
SYSTEM_THREAD_EXCEPTION_NOT_HANDLED (7e)
This is a very common BugCheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Arguments:
Arg1: ffffffffc0000005, The exception code that was not handled
Arg2: fffff8016a8b10f8, The address that the exception occurred at
Arg3: ffffe682b3d8f478, Exception Record Address
Arg4: ffffe682b3d8ec60, Context Record Address
Debugging Details:
------------------
BUGCHECK_CODE: 7e
BUGCHECK_P1: ffffffffc0000005
BUGCHECK_P2: fffff8016a8b10f8
BUGCHECK_P3: ffffe682b3d8f478
BUGCHECK_P4: ffffe682b3d8ec60
FAULTING_THREAD: ffffe78f597cd040
EXCEPTION_RECORD: ffffe682b3d8f478 -- (.exr 0xffffe682b3d8f478)
ExceptionAddress: fffff8016a8b10f8 (LearnKMDF!WdfDriverCreate+0x0000000000000028)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 0000000000000000
Parameter[1]: 00000000000003a0
Attempt to read from address 00000000000003a0
CONTEXT: ffffe682b3d8ec60 -- (.cxr 0xffffe682b3d8ec60)
rax=00000000000003a0 rbx=ffffe78f5beff000 rcx=0000000000000000
rdx=ffffe78f5beff000 rsi=ffffe78f60c131cd rdi=ffffe78f60e6de20
rip=fffff8016a8b10f8 rsp=ffffe682b3d8f6b0 rbp=ffffe682b3d8f8c0
r8=0000000000000000 r9=ffffe682b3d8f740 r10=0000000000000007
r11=0000000000000000 r12=00000000000a0000 r13=ffffe78f5ff729d0
r14=ffffe78f5beff000 r15=ffffffff800019f8
iopl=0 nv up ei pl nz na po nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00050206
LearnKMDF!WdfDriverCreate+0x28:
fffff801`6a8b10f8 488b0401 mov rax,qword ptr [rcx+rax] ds:002b:00000000`000003a0=????????????????
Resetting default scope
PROCESS_NAME: System
READ_ADDRESS: 00000000000003a0
ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.
EXCEPTION_CODE_STR: c0000005
EXCEPTION_PARAMETER1: 0000000000000000
EXCEPTION_PARAMETER2: 00000000000003a0
EXCEPTION_STR: 0xc0000005
STACK_TEXT:
ffffe682`b3d8f6b0 fffff801`6a8b104b : ffffe78f`60e6de20 ffffe78f`5beff000 00000000`00000000 ffffe682`b3d8f740 : LearnKMDF!WdfDriverCreate+0x28 [C:\Program Files (x86)\Windows Kits\10\Include\wdf\kmdf\1.33\wdfdriver.h @ 244]
ffffe682`b3d8f710 fffff801`d3baf498 : ffffe78f`60e6de20 ffffe78f`5beff000 ffffffff`800019f8 ffffe78f`5beff000 : LearnKMDF!DriverEntry+0x4b [X:\Learn\LearnKMDF\LearnKMDF\Main.c @ 38]
ffffe682`b3d8f770 fffff801`d3bb1442 : 00000000`00000014 ffffd304`919e5390 ffffe78f`5beff000 ffffe78f`00001000 : nt!PnpCallDriverEntry+0x54
ffffe682`b3d8f7c0 fffff801`d3cbff93 : 00000000`00000057 00000000`00000000 ffffbc01`c5d08100 fffff801`d41cfbc0 : nt!IopLoadDriver+0x6f2
ffffe682`b3d8f990 fffff801`d3504ddc : ffffe78f`00000000 ffffffff`800019f8 ffffe78f`597cd040 ffffe78f`00000009 : nt!IopLoadUnloadDriver+0x83
ffffe682`b3d8f9d0 fffff801`d3687c2a : ffffe78f`597cd040 ffffe78f`597cd040 fffff801`d35047f0 ffffe78f`548b9ae0 : nt!ExpWorkerThread+0x5ec
ffffe682`b3d8fbb0 fffff801`d38a0b24 : ffffbc01`c5d08180 ffffe78f`597cd040 fffff801`d3687bd0 0002543c`00047427 : nt!PspSystemThreadStartup+0x5a
ffffe682`b3d8fc00 00000000`00000000 : ffffe682`b3d90000 ffffe682`b3d89000 00000000`00000000 00000000`00000000 : nt!KiStartSystemThread+0x34
FAULTING_SOURCE_LINE: C:\Program Files (x86)\Windows Kits\10\Include\wdf\kmdf\1.33\wdfdriver.h
FAULTING_SOURCE_FILE: C:\Program Files (x86)\Windows Kits\10\Include\wdf\kmdf\1.33\wdfdriver.h
FAULTING_SOURCE_LINE_NUMBER: 244
FAULTING_SOURCE_CODE:
240: _Out_opt_
241: WDFDRIVER* Driver
242: )
243: {
> 244: return ((PFN_WDFDRIVERCREATE) WdfFunctions[WdfDriverCreateTableIndex])(WdfDriverGlobals, DriverObject, RegistryPath, DriverAttributes, DriverConfig, Driver);
245: }
246:
247: //
248: // WDF Function: WdfDriverGetRegistryPath
249: //
SYMBOL_NAME: LearnKMDF!WdfDriverCreate+28
MODULE_NAME: LearnKMDF
IMAGE_NAME: LearnKMDF.sys
STACK_COMMAND: .cxr 0xffffe682b3d8ec60 ; kb
BUCKET_ID_FUNC_OFFSET: 28
FAILURE_BUCKET_ID: AV_LearnKMDF!WdfDriverCreate
OS_VERSION: 10.0.26100.1
BUILDLAB_STR: ge_release
OSPLATFORM_TYPE: x64
OSNAME: Windows 10
FAILURE_ID_HASH: {1edf33f0-bf91-47b2-0579-bb0eee779da9}
Followup: MachineOwner
---------
You need to understand that service/legacy drivers are very different from PnP drivers.
When you’re writing a service/legacy driver, then you are not a PnP driver, and you will not get a call to EvtDeviceAdd. You also will not have the registry entries that KMDF needs to identify your driver. I was trying to find a sample KMDF service driver for you, but I couldn’t find one.
You didn’t link against the appropriate wdf lib (probably wdfldr.lib). It’s a null dereference trying to call through the jump table. Everything Tim said still applies.
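The null call through the jump table described in the last reply, modelled in user mode as an added example (not code from the thread or from the WDK). It uses the rcx, rax and read-address values from the dump, assumes 8-byte pointers on the x64 target, and the names `slot_read_address`, `null_table_index` and `checked_call` are hypothetical.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define X64_PTR_SIZE 8u      /* assumption: x64 target, as in the dump */
#define TABLE_SLOTS  128u    /* illustrative table size, not the real one */

typedef int (*wdf_fn)(void); /* stand-in for a framework function pointer */

static int fake_driver_create(void) { return 0; } /* plays the framework routine */

/* Address read by "mov rax, qword ptr [rcx+rax]":
 * rcx = table base (WdfFunctions), rax = index * pointer size. */
uint64_t slot_read_address(uint64_t table_base, uint64_t index)
{
    return table_base + index * X64_PTR_SIZE;
}

/* Triage helper: given rcx, rax and the faulting read address from a dump,
 * return the table index if this is a call through a NULL table, else -1. */
long null_table_index(uint64_t rcx, uint64_t rax, uint64_t read_addr)
{
    if (rcx != 0)                 return -1; /* table base was populated */
    if (read_addr != rcx + rax)   return -1; /* fault is not the slot load */
    if (rax % X64_PTR_SIZE != 0)  return -1; /* not a pointer-aligned slot */
    return (long)(rax / X64_PTR_SIZE);
}

/* Same dispatch with the checks the inline stub does not perform. */
int checked_call(wdf_fn *table, size_t index)
{
    if (table == NULL || index >= TABLE_SLOTS || table[index] == NULL)
        return -1;                /* refuse instead of faulting */
    return table[index]();
}

int main(void)
{
    static wdf_fn table[TABLE_SLOTS];
    /* Register values copied from the CONTEXT record in the dump. */
    long idx = null_table_index(0x0, 0x3a0, 0x3a0);

    printf("slot index recovered from the dump: %ld\n", idx);
    printf("call through NULL table: %d\n", checked_call(NULL, (size_t)idx));
    table[idx] = fake_driver_create;
    printf("call through bound table: %d\n", checked_call(table, (size_t)idx));
    return 0;
}
```

A faulting address that is a small multiple of the pointer size with a zero base register points at a table that was never bound, not at a bad argument passed by the caller.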