Registry-Error and System-crash after loading driver on XP

Hello Everybody,
I’m writing a Class-Upper filter driver at the Volume Level for Windows 2K and
XP to take the bitmaps of all drives and then perform the desired operations
on Read and Write requests. It is working fine, but when I load the
driver on a system having too many applications, it starts behaving
unexpectedly and also crashes the system many times, showing a BSOD. First
it shows a ‘Registry Error’ saying “File that contain the Registry has to be
recovered by using log or alternate copy, Recovery was successful.” at the
log-on screen, and after that it loads the desktop normally but many times
shows a BSOD after a minute or so. The errors that come in the BSOD are like
‘PAGE_FAULT_IN_NONPAGED_AREA’ or ‘IRQL_LESS_THAN_OR_EQUAL’ or simply
‘dumping physical memory (without any error)’, etc. These errors
continuously come for the OS drive, and when I disable the driver for the OS
drive, it works very fine. It also changed the ‘Task-bar’ of XP to classic
style and changed/removed some entries of certain application programs
like ‘Internet Explorer’: it behaves quite differently, like it is being used
for the first time, and asks to set up an account, and Microsoft Outlook
starts running the ‘Prepare to Install…’ thread. So now I am really
stuck on where the problem could be.

I’m using the ExAcquireFastMutex(&(deviceExtension->gLock)) function to acquire
the mutex in my write operations and releasing it after performing all
calculations/functionalities. It is working fine on some systems but not on
each and every system, maybe due to too many applications? The main thing is
why it gives the ‘Registry Error’. Is it possible that the driver is tampering
with some Registry files?

Regards
Anuj Agarwal

From your description it has nothing to do specifically with any of the
symptoms you are stating. It sounds like you may be ‘remapping’ or modifying
the requests on the fly. There is either something wrong with your
functionality, or more likely, you are getting called at DISPATCH level in
your dispatch handlers. If it is the latter, you cannot use mutexes; you
must use spinlocks to protect access to data structures.

Pete

Kernel Drivers
Windows Filesystem and Device Driver Consulting
www.KernelDrivers.com
(303)546-0300


From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Anuj Agarwal
Sent: Monday, February 06, 2006 7:55 AM
To: Windows System Software Devs Interest List
Subject: [ntdev] Registry-Error and System-crash after loading driver on XP

— Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256 You are currently subscribed to
ntdev as: unknown lmsubst tag argument: ‘’ To unsubscribe send a blank email
to xxxxx@lists.osr.com

Hello Peter
That’s right that I’m modifying/filtering the requests, but I’m using a ‘mutex’
only at one place, that’s where I’m performing some operations for Write
Requests, and if I use SpinLocks then I must be sure that all requests are
coming at or below Dispatch Level, as functions like ExAcquireSpinLock()
work only below Dpc Level and ExAcquireSpinLockAtDpcLevel works at Dpc
Level, so later it can also create problems. One more thing: it works fine
for Non-OS drives and even sometimes on OS drives as well, but not always or
on all systems.

Can I know which files that contain the Registry (Registry entries) can get
corrupted and how, and at what time (Boot-Time, Log-On Time or any other…)
they usually get modified?

Thanks.
Regards
Anuj Agarwal

On 2/6/06, Peter Scott wrote:
>
>
>
> From your description it has nothing to do specifically with any of the
> symptoms you are stating. It sounds like you may be ‘remapping’ or modifying
> the requests on the fly. There is either something wrong with your
> functionality, or more likely, you are getting called at DISPATCH level in
> your dispatch handlers. If it is the latter, you cannot use mutexes; you
> must use spinlocks to protect access to data structures.

First, don’t use ExAcquireSpinLock; it is just a macro redefining
KeAcquireSpinLock. Second, KeAcquireSpinLock works from PASSIVE to
DISPATCH; you are confused on some real basics here.

How are you doing your writes? ExAcquireFastMutex forces you to APC_LEVEL,
and if you are using ZwWriteFile it has to be PASSIVE_LEVEL or it can
corrupt things.


Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
Remove StopSpam from the email to reply


No, read up on the different locks. SpinLocks work at any IRQL through
DISPATCH; the API you mention, ExAcquireSpinLockAtDpcLevel(), is an
optimized call for acquiring a spinlock at raised IRQL, but
ExAcquireSpinLock() works at DISPATCH as well.

You mentioned you are a disk or volume class filter driver and therefore you
should not require ANY file based information. Your logic is probably messed
up in how you are handling the requests. Also, you MUST change your locking
since the write handlers can be called at DISPATCH level, hence the spinlock
vs. a mutex.

Pete

Kernel Drivers
Windows Filesystem and Device Driver Consulting
www.KernelDrivers.com
(303)546-0300
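
Added example (not part of the thread and not any poster's code): a user-mode C model of the IRQL rules the replies cite, showing why a write path guarded by a fast mutex is legal when entered at PASSIVE_LEVEL but not when entered at DISPATCH_LEVEL, while a spin lock is legal in both cases. The `sim_*` functions, `write_path` and the bitmap are hypothetical stand-ins that only track IRQL; they are not WDK routines.

```c
#include <stdio.h>

/* Simulated IRQLs, numbered as in the WDK headers. */
enum { PASSIVE_LEVEL = 0, APC_LEVEL = 1, DISPATCH_LEVEL = 2 };
enum lock_kind { FAST_MUTEX, SPIN_LOCK };

static int g_irql;                 /* simulated current IRQL */
static int g_violations;           /* IRQL rule violations recorded so far */
static unsigned char g_bitmap[16]; /* hypothetical per-volume block bitmap */

/* Record a violation when an API is entered above its maximum allowed IRQL. */
static void require_max(int max_irql, const char *api) {
    if (g_irql > max_irql) {
        g_violations++;
        printf("  violation: %s at IRQL %d (max %d)\n", api, g_irql, max_irql);
    }
}

/* Models the lock routines named in the thread; returns the IRQL to restore. */
static int sim_acquire(enum lock_kind k) {
    int old = g_irql;
    if (k == FAST_MUTEX) {        /* ExAcquireFastMutex: caller <= APC_LEVEL */
        require_max(APC_LEVEL, "ExAcquireFastMutex");
        g_irql = APC_LEVEL;       /* holder runs at APC_LEVEL */
    } else {                      /* KeAcquireSpinLock: caller <= DISPATCH_LEVEL */
        require_max(DISPATCH_LEVEL, "KeAcquireSpinLock");
        g_irql = DISPATCH_LEVEL;  /* holder runs at DISPATCH_LEVEL */
    }
    return old;
}

static void sim_release(int old_irql) { g_irql = old_irql; }

/* Models ZwWriteFile, which must be called at PASSIVE_LEVEL. */
static void sim_zw_write_file(void) { require_max(PASSIVE_LEVEL, "ZwWriteFile"); }

/* Simulated write path: mark the block in the bitmap under the chosen lock,
   optionally doing file I/O while the lock is held.
   Returns the number of IRQL violations this one call produced. */
int write_path(int entry_irql, enum lock_kind k, int file_io_under_lock, unsigned block) {
    int before = g_violations, old;
    g_irql = entry_irql;
    old = sim_acquire(k);
    g_bitmap[(block / 8) % sizeof g_bitmap] |= (unsigned char)(1u << (block % 8));
    if (file_io_under_lock) sim_zw_write_file();
    sim_release(old);
    return g_violations - before;
}

int main(void) {
    printf("fast mutex, entered at DISPATCH_LEVEL: %d\n", write_path(DISPATCH_LEVEL, FAST_MUTEX, 0, 7));
    printf("spin lock,  entered at DISPATCH_LEVEL: %d\n", write_path(DISPATCH_LEVEL, SPIN_LOCK, 0, 7));
    printf("fast mutex + ZwWriteFile, PASSIVE:     %d\n", write_path(PASSIVE_LEVEL, FAST_MUTEX, 1, 7));
    return 0;
}
```

In a real driver the same check is an assertion on `KeGetCurrentIrql()` at the top of the write handler, and a checked build or Driver Verifier will flag the fast-mutex case when the handler is entered at DISPATCH_LEVEL.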


From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Anuj Agarwal
Sent: Tuesday, February 07, 2006 12:33 AM
To: Windows System Software Devs Interest List
Subject: Re: [ntdev] Registry-Error and System-crash after loading driver on
XP
