SYMEVENT.SYS

I got the following error while debugging my filter driver, modified from
Filemon. I’ve got no idea what this error is and why I got this error.
Please help.

*** Fatal System Error: 0x00000023
(0x000E00C8,0xED1DED70,0xED1DE9C8,0x80413BE8)

Break instruction exception - code 80000003 (first chance)

A fatal system error has occurred.
Debugger entered on first try; Bugcheck callbacks have not been invoked.

A fatal system error has occurred.

*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 23, {e00c8, ed1ded70, ed1de9c8, 80413be8}

*** ERROR: Symbol file could not be found. Defaulted to export symbols
for SYMEVENT.SYS -
Probably caused by : SYMEVENT ( SYMEVENT+118b )

Followup: MachineOwner

nt!RtlpBreakWithStatusInstruction:
804a9bcc cc int 3

Did you do “!analyze -v” to get more info?

Also read the debugger docs about bugcheck code 23.

-----Original Message-----
From: Eric Chan [mailto:xxxxx@hotmail.com]
Sent: Thursday, March 14, 2002 5:07 PM
To: File Systems Developers
Subject: [ntfsd] SYMEVENT.SYS

I got the following error while debugging my filter driver, modified
from Filemon. I’ve got no idea what this error is and why I got this
error. Please help.

*** Fatal System Error: 0x00000023
(0x000E00C8,0xED1DED70,0xED1DE9C8,0x80413BE8)

Break instruction exception - code 80000003 (first chance)

A fatal system error has occurred.
Debugger entered on first try; Bugcheck callbacks have not been invoked.

A fatal system error has occurred.

*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 23, {e00c8, ed1ded70, ed1de9c8, 80413be8}

*** ERROR: Symbol file could not be found. Defaulted to export symbols
for SYMEVENT.SYS -
Probably caused by : SYMEVENT ( SYMEVENT+118b )

Followup: MachineOwner

nt!RtlpBreakWithStatusInstruction:
804a9bcc cc int 3



Eric Chan wrote:

I got the following error while debugging my filter driver, modified from
Filemon. I’ve got no idea what this error is and why I got this error.
Please help.

*** Fatal System Error: 0x00000023
(0x000E00C8,0xED1DED70,0xED1DE9C8,0x80413BE8)

Break instruction exception - code 80000003 (first chance)

A fatal system error has occurred.
Debugger entered on first try; Bugcheck callbacks have not been invoked.

A fatal system error has occurred.

*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 23, {e00c8, ed1ded70, ed1de9c8, 80413be8}

*** ERROR: Symbol file could not be found. Defaulted to export symbols
for SYMEVENT.SYS -
Probably caused by : SYMEVENT ( SYMEVENT+118b )

Followup: MachineOwner

nt!RtlpBreakWithStatusInstruction:
804a9bcc cc int 3

Which version of the anti-virus software are you using, and does it
still fail when it is removed? It’d be worth doing a search on Norton’s
web site; we’ve seen a few funnies from them in the past.

Andy.

Hello All:

I have some doubts at the disk level of Win2K drivers. The doubt is:

How does WIN2k come to know the partition information of a hard disk?

What are the functions of IOCTL_DISK_GET_DRIVE_LAYOUT &
IOCTL_DISK_GET_PARTITION_INFO in this matter?

Also, what is partmgr doing as a disk filter? If I remove this, the OS
crashes. Why should there be a partition manager in an OS when all it needs
is to read the first sector of a disk?

Thanks
Basudeb

> How does WIN2k come to know the partition information of a hard disk?

The disk driver+ClassPnP combo reads the MBR record by IoReadPartitionTable (which parses the MBR) and then creates device objects for each partition as a PnP bus driver.
They have “STORAGE\Partition” PnP ID. PartMgr is a filter for this ID.

> What are the functions of IOCTL_DISK_GET_DRIVE_LAYOUT &
> IOCTL_DISK_GET_PARTITION_INFO in this matter?

These ones are serviced by the disk driver which keeps the partition table in its memory.

> Also, what is partmgr doing as a disk filter?

PartMgr handles partition arrival-removal. The volume managers register themselves in PartMgr. PartMgr’s job is to report partition arrival-removal to the volume managers.
The default volume manager is FtDisk.sys - for simple partitions and for legacy NT4 FtDisk volumes. DmIo (Dynamic Disk) is another volume manager.

Volume manager is a place to implement any kind of software RAID. Its primary purpose is to create a harddisk volume device object (this is NOT a partition or physical disk device object) and to handle IO on it. On the upper end, it receives IRPs from the filesystems. On the lower one, it talks to partition device objects and receives partition arrival-removal notification from PartMgr.

Filesystems talk to volume manager’s device objects, not to Disk.sys ones.

Both PartMgr and FtDisk are essential parts of the OS and are always loaded.

Max
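
The on-disk structure that the MBR parsing mentioned above works from, as an added example that is not part of the original thread and is not Windows source code. It reads only the four primary entries of sector 0 and does not follow extended-partition chains; `struct part`, `parse_mbr` and `make_sample` are hypothetical names, and the sample sector is constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct part { uint8_t boot, type; uint32_t lba_start, sectors; };

static uint32_t le32(const uint8_t *p) {
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Parse the four primary entries of an MBR sector into out[].
   Returns the number of used entries, or -1 if the sector is malformed. */
int parse_mbr(const uint8_t *sec, size_t len, struct part out[4]) {
    if (len < 512 || sec[510] != 0x55 || sec[511] != 0xAA) return -1; /* no signature */
    int n = 0;
    for (int i = 0; i < 4; i++) {
        const uint8_t *e = sec + 446 + i * 16;       /* table starts at offset 446 */
        if (e[4] == 0) continue;                     /* type 0: unused slot */
        struct part p = { e[0], e[4], le32(e + 8), le32(e + 12) };
        if ((p.boot & 0x7F) || p.sectors == 0) return -1;     /* bad flag or size */
        if (p.lba_start + p.sectors < p.lba_start) return -1; /* wraps 32 bits */
        for (int j = 0; j < n; j++)                  /* reject overlapping entries */
            if (p.lba_start < out[j].lba_start + out[j].sectors &&
                out[j].lba_start < p.lba_start + p.sectors) return -1;
        out[n++] = p;
    }
    return n;
}

/* Constructed sample sector: one active type 0x07 partition followed by one
   type 0x0F (extended, LBA) partition. Values are illustrative only. */
void make_sample(uint8_t sec[512]) {
    static const uint8_t e0[16] = { 0x80, 1, 1, 0, 0x07, 0xFE, 0xFF, 0xFF,
                                    63, 0, 0, 0, 0x00, 0x20, 0x03, 0x00 };
    static const uint8_t e1[16] = { 0x00, 0, 0xC1, 0xFF, 0x0F, 0xFE, 0xFF, 0xFF,
                                    0x3F, 0x20, 0x03, 0x00, 0x00, 0x40, 0x06, 0x00 };
    memset(sec, 0, 512);
    memcpy(sec + 446, e0, 16);
    memcpy(sec + 462, e1, 16);
    sec[510] = 0x55; sec[511] = 0xAA;
}

int main(void) {
    uint8_t sec[512]; struct part p[4]; make_sample(sec);
    int n = parse_mbr(sec, sizeof sec, p);
    for (int i = 0; i < n; i++)
        printf("type 0x%02X boot 0x%02X start %u sectors %u\n", (unsigned)p[i].type, (unsigned)p[i].boot, (unsigned)p[i].lba_start, (unsigned)p[i].sectors);
    return n < 0;
}
```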