Hi all !
I have two strange BSODs, that occurred when my FS filter driver was
included in the following stacks with
antivirus and XP system recovery filter (sr):
!DevObj !DrvObj !DevExt ObjectName
82bb7c18 \Driver\Avg7RsW 82bb7cd0 –> antivirus
82ed4020 \FileSystem\MyFilter 82ed40d8
82ed4dd0 \FileSystem\sr 82ed4e88
82ed3020 \FileSystem\Ntfs 82ed30d8
82692298 \Driver\SymEvent 82692350
827345e8 \FileSystem\MyFilter 827346a0
82b99938 \FileSystem\sr 82b999f0
82720770 \FileSystem\Ntfs 82720828
My filter just forwarded the Irp in both case:
FIRST CASE
IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pageable (or completely invalid) address at
an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.
Arguments:
Arg1: bb89b9ee, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000001, value 0 = read operation, 1 = write operation
Arg4: 80a28a16, address which referenced memory
eeeb274c f8696b33 bb89b9ba 00000001 00000001
hal!KeAcquireInStackQueuedSpinLock+0x26
eeeb274c f8696b33 bb89b9ba 00000001 00000001 Ntfs!NtfsFlushVolume+0xfa
eeeb27c8 f8696b0a 82740b18 82ed3100 00000001 Ntfs!NtfsFlushVolume+0xfa
eeeb2868 f8683e37 82740b18 8292a770 eeeb0000 Ntfs!NtfsCommonVolumeOpen+0x341
eeeb2944 8080a3d9 82ed3020 8292a770 8291d9e0 Ntfs!NtfsFsdCreate+0x14d
eeeb2954 f871d876 00000000 82f749f8 8292a770 nt!IopfCallDriver+0x31
eeeb29a0 8080a3d9 82ed4e88 00000001 82ed4020 sr!SrCreate+0x150
eeeb29b0 f86f8bb0 8292a770 82f747e8 8291d9e0 nt!IopfCallDriver+0x31
eeeb29d8 f870e57d 00ed4020 0092a770 8292a96c
MyFilter!MyFilterPassThrough+0x246
eeeb2a0c 8080a3d9 82ed4020 8292a770 8292a770 MyFilter!
MyFilterCreateClose+0x1bd
eeeb2a1c f8b6b328 f8d7d9f0 8292a770 82bb7cd0 nt!IopfCallDriver+0x31
WARNING: Stack unwind information not available. Following frames may be
wrong.
eeeb2a38 f8b6a6ab 82bb7c18 8291d9e0 f8d7d436 avg7rsxp+0x2328
eeeb2b4c 80895063 82f75030 00000000 82a03c88 avg7rsxp+0x16ab
eeeb2bc4 808982a8 00000000 eeeb2c04 00000040 nt!ObpLookupObjectName+0x53c
eeeb2c18 808a62e2 00000000 00000000 00000001 nt!ObOpenObjectByName+0xea
eeeb2c94 808a63b1 0012fe6c c0100080 0012fe0c nt!IopCreateFile+0x407
eeeb2cf0 808a63f4 0012fe6c c0100080 0012fe0c nt!IoCreateFile+0x8e
eeeb2d30 8080699f 0012fe6c c0100080 0012fe0c nt!NtCreateFile+0x30
eeeb2d30 7c90eb94 0012fe6c c0100080 0012fe0c nt!KiFastCallEntry+0xfc
0012fdc8 7c90d68e 7c810916 0012fe6c c0100080 ntdll!KiFastSystemCallRet
The second case is the similar one, but with Symantec antivirus.
Any idea?
Thanks,
Dani