All,
I am writing a MiniFilter driver for a Windows Server 2003 x64 system. In PostCreate I need the file attributes, so I am using the “FltQueryInformationFile” function to get the File Basic Information. I am passing the FileObject passed to me by the system to the FltQueryInformationFile function.
/* FileInfo is a FILE_BASIC_INFORMATION; the query is issued from the post-create callback */
Status = FltQueryInformationFile(FltObjects->Instance,
                                 FltObjects->FileObject,
                                 &FileInfo, sizeof(FileInfo),
                                 FileBasicInformation, NULL);
Everything works fine for local drives and network mapped drives. But when I have an RDP session to the system and I try to copy a file to my test machine (with my Mini Filter driver) using the RDP session, the system crashes.
So when I looked at the crash dump, the crash is in “rdpdr.sys” and my driver is not in the stack. But I dumped the detailed process/thread info and found out that the thread in which my driver made the “FltQueryInformationFile” call to the system is swapped out. Both stack traces are attached in the thread below.
The filename in the File Object is “\tsclient\C\Program Files\desktop.ini”. On Windows Server 2008, the FileName in the file object is “C\Program Files\desktop.ini”, i.e. as on a local file system, and I don’t see any crash.
Is there any restriction on the File Object with the RDP redirector (“\tsclient\C\Program Files\desktop.ini”) on Windows Server 2003? Why can’t we get the basic information on this file object, and why is the system crashing? It looks like when the call was made to the RDP redirector on behalf of my driver, some invalid parameter was passed to it and it crashed.
Thanks, any help would be appreciated.
SYSTEM_THREAD_EXCEPTION_NOT_HANDLED (7e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: 00000000, The address that the exception occurred at
Arg3: ba17f0ec, Exception Record Address
Arg4: ba17ede8, Context Record Address
Debugging Details:
*************************************************************************
*** ***
*** ***
*** Your debugger is not using the correct symbols ***
*** ***
*** In order for this command to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: kernel32!pNlsUserInfo ***
*** ***
*************************************************************************
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
FAULTING_IP:
+16
00000000 ?? ???
EXCEPTION_RECORD: ba17f0ec - (.exr 0xffffffffba17f0ec)
ExceptionAddress: 00000000
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000008
Parameter[1]: 00000000
Attempt to execute non-executable address 00000000
CONTEXT: ba17ede8 - (.cxr 0xffffffffba17ede8)
eax=00001000 ebx=ba79a410 ecx=000000fe edx=00000000 esi=89339580 edi=00000000
eip=00000000 esp=ba17f1b4 ebp=ba17f1c8 iopl=0 nv up ei ng nz ac po cy
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010293
00000000 ?? ???
Resetting default scope
DEFAULT_BUCKET_ID: DRIVER_FAULT
PROCESS_NAME: svchost.exe
CURRENT_IRQL: 0
ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
EXCEPTION_PARAMETER1: 00000008
EXCEPTION_PARAMETER2: 00000000
WRITE_ADDRESS: 00000000
FOLLOWUP_IP:
rdpdr!RxLowIoCompletionTail+33
ba793c93 8bd8 mov ebx,eax
FAILED_INSTRUCTION_ADDRESS:
+55a0952f034ed7b4
00000000 ?? ???
BUGCHECK_STR: 0x7E
LAST_CONTROL_TRANSFER: from ba793c93 to 00000000
STACK_TEXT:
WARNING: Frame IP not in any known module. Following frames may be wrong.
ba17f1b0 ba793c93 89339580 89339580 89339580 0x0
ba17f1c8 ba793d45 89339580 ba79a410 894782e8 rdpdr!RxLowIoCompletionTail+0x33
ba17f1dc ba78df22 89339580 ba17f20c ba78e291 rdpdr!RxLowIoCompletion+0x3f
ba17f1e8 ba78e291 89339580 00000000 00000024 rdpdr!DrDevice::CompleteRxContext+0x2a
ba17f20c ba784ff7 ba17f250 00000000 00000024 rdpdr!DrDevice::CompleteBusyExchange+0x4d
ba17f23c ba78f36d e14d59c0 893fc5b8 ba17f2b4 rdpdr!DrDrive::OnQueryFileInfoCompletion+0x2a5
ba17f260 ba78b69d e14d59c0 00000038 ba17f2b4 rdpdr!DrDevice::OnDeviceIoCompletion+0xa9
ba17f280 ba78b85a e14d59c0 00000038 ba17f2b4 rdpdr!DrExchangeManager::OnDeviceIoCompletion+0x55
ba17f294 ba78c51f e14d59c0 00000038 ba17f2b4 rdpdr!DrExchangeManager::HandlePacket+0x26
ba17f2c0 ba78be34 00000000 895818a8 ba17f360 rdpdr!DrSession::ReadCompletion+0xc5
ba17f2d8 809ad23e 00000000 895818a8 88fa2c80 rdpdr!DrSession::ReadCompletionRoutine+0x38
ba17f2fc 8081d761 00000000 895818a8 ba17f360 nt!IovpLocalCompletionRoutine+0xb4
ba17f32c 809ad77e 895818a8 8998d6d8 00000000 nt!IopfCompleteRequest+0xcd
ba17f398 f76795d8 88fdc9e8 00000000 e19c9000 nt!IovCompleteRequest+0x9a
ba17f3d4 f767a0d2 88fdc9e8 00000005 00000000 termdd!IcaChannelInputInternal+0x1f0
ba17f3fc b9c776e1 899d2964 00000005 00000000 termdd!IcaChannelInput+0x3c
ba17f430 b9c713c1 e19cda93 20fdc7e6 00000029 RDPWD!WDW_OnDataReceived+0x181
ba17f458 b9c711b9 e19c9c00 e19cc150 ba17f400 RDPWD!SM_MCSSendDataCallback+0x159
ba17f4c0 b9c70fe0 0000003c ba17f4f8 00000043 RDPWD!HandleAllSendDataPDUs+0x155
ba17f4dc b9c8eba4 0000003c ba17f4f8 e19c9000 RDPWD!RecognizeMCSFrame+0x32
ba17f504 b9c7006b e19c9000 00000000 88fdc80f RDPWD!MCSIcaRawInputWorker+0x346
ba17f52c f767d194 e19c9000 00000000 88fdc7cc RDPWD!MCSIcaRawInput+0x65
ba17f550 ba2aafcb 88fe15bc 00000000 88fdc7cc termdd!IcaRawInput+0x58
ba17fd90 f767c265 88fdc680 00000000 88fdf458 TDTCP!TdInputThread+0x371
ba17fdac 809418f8 88fdf758 00000000 00000000 termdd!_IcaDriverThread+0x4d
ba17fddc 80887f7a f767c218 89881088 00000000 nt!PspSystemThreadStartup+0x2e
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16
SYMBOL_STACK_INDEX: 1
SYMBOL_NAME: rdpdr!RxLowIoCompletionTail+33
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: rdpdr
IMAGE_NAME: rdpdr.sys
SWAPPED OUT THREAD stack trace:
kd> kb
*** Stack trace for last set context - .thread/.cxr resets it
ChildEBP RetAddr Args to Child
b99f61b4 8082ffd7 88f91c30 88f91cd8 00000000 nt!KiSwapContext+0x25
b99f61cc 808287d4 00000000 89350360 8948eb10 nt!KiSwapThread+0x83
b99f6210 f726eb4c 8948eb20 00000000 00000000 nt!KeWaitForSingleObject+0x2e0
b99f6248 f726f66f b99f6268 00000103 00000000 fltmgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x232
b99f6280 f727eae4 88fee008 f7262258 f726324c fltmgr!FltPerformSynchronousIo+0xb9
b99f6294 f7255df0 88fee008 8948eb6c b99f62c0 fltmgr!FltQueryInformationFile+0x44
b99f62e8 f7254538 88fc0acc b99f63f4 88fee768 vmfiltr!GetFileAttributes+0xd0 [f:\scratch\vor_4.3.6_2009.12.10.08.05.27\fspem\agent\fs\windows\vmmfiltr\src_tmp\streaminfo.cpp @ 632]
b99f6314 f7254d2e 88fc0acc b99f63f4 88fee768 vmfiltr!PopulateFileNode+0x8e [f:\scratch\vor_4.3.6_2009.12.10.08.05.27\fspem\agent\fs\windows\vmmfiltr\src_tmp\streamctx.cpp @ 154]
b99f6338 f7257830 88fc0acc b99f63f4 88f86170 vmfiltr!GetStreamContext+0xbc [f:\scratch\vor_4.3.6_2009.12.10.08.05.27\fspem\agent\fs\windows\vmmfiltr\src_tmp\streamctx.cpp @ 516]
b99f636c f72596c3 88fc0acc b99f63f4 88f86170 vmfiltr!PostCreate+0x14a [f:\scratch\vor_4.3.6_2009.12.10.08.05.27\fspem\agent\fs\windows\vmmfiltr\src_tmp\create.cpp @ 281]
b99f638c f72597af 88fc0acc b99f63f4 88f86170 vmfiltr!PostCallOp+0x23 [f:\scratch\vor_4.3.6_2009.12.10.08.05.27\fspem\agent\fs\windows\vmmfiltr\src_tmp\postop.cpp @ 44]
b99f63ac f72864e5 88fc0acc b99f63f4 88f86170 vmfiltr!PostOp+0x93 [f:\scratch\vor_4.3.6_2009.12.10.08.05.27\fspem\agent\fs\windows\vmmfiltr\src_tmp\postop.cpp @ 96]
b99f63d0 f726bb73 88fc0acc 019f63f4 88f86170 fltmgr!FltvPostOperation+0x4d
b99f6438 f726dfc2 00fc0a70 00000000 88fc0a70 fltmgr!FltpPerformPostCallbacks+0x1c5
b99f644c f726e4f1 88fc0a70 8932e008 b99f648c fltmgr!FltpProcessIoCompletion+0x10
b99f645c f726eb83 8947b430 8932e008 88fc0a70 fltmgr!FltpPassThroughCompletion+0x89
b99f648c f727c5de b99f64ac 00000000 00000000 fltmgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x269
b99f64c8 809ad50c 8947b430 8932e008 b99f67b0 fltmgr!FltpCreate+0x26a
b99f64f8 8081d591 808f0f1b b99f65ec 808f0f1b nt!IovCallDriver+0x112
b99f6504 808f0f1b b99f66ac 89857228 00000000 nt!IofCallDriver+0x13