System doesn't restart properly??

NTFSD
1

Dear All,

A few weeks ago I had posted a query:

////////////

I am working on a security application specifically for Windows 2000 NTFS
file system and have developed a “file system filter driver” to implement
the same. The driver is on similar patterns on what filespy is made (FileSpy
is a sample file system filter driver provided in IFS kit)

The application works fine when installed on a fresh Windows 2000 machine
and functions properly. But when it is installed on machine having Symantec
Norton Antivirus installed in it, the system crashes with a stop code

STOP 0x0000007f (0x00000008, 0x00000000, 0x00000000, 0x00000000)

UNEXPECTED_KERNEL_MODE_TRAP

So is there any way out to run Norton Antivirus and my application at same
time? Is there any way to place our driver on top of the Norton Symevent.sys
driver? Or, is there any alternative way?

///////////

The driver has finally started working along with Norton Antivirus. Thanks
to all of you for your support!

I have decreased the utilization of stack space by removing the large stack
structures like WCHAR xx[400] in the dispatch routines and allocating the
memory from nonpaged pool. There are a very few static memory allocation
left now in the code like:

wchar_t Full = L"%SystemRoot%\System32\shell32.dll,32"; and I will
remove these too soon.

The driver, while Norton Antivirus installed, runs fine but the system
DOESNOT RESTART UPON REBOOTING, NEITHER IT SHUTS DOWN PROPERLY. One has to
manually restart the system. On the other hand, the SYSTEM SHUTS DOWN
PROPERLY without any problem if NAV is not installed on the system.

What can be the reason behind this? Is this due to the left static memory
allocations (they are just 2 or three in number) or any other reason?

Please comment!

Regards,

Rohit

2

Dear All,

I am not able to find a particular resason behind improper restart of my
file system filter driver when running along with other filter driver (i.e
SymEvent.sys of NAV) . Can anybody please suggest some reasons behind this ?

Regards,
Rohit

“Rohit Dhamija” wrote in message
news:xxxxx@ntfsd…
> Dear All,
>
>
>
> A few weeks ago I had posted a query:
>
> ////////////
>
> I am working on a security application specifically for Windows 2000 NTFS
> file system and have developed a “file system filter driver” to implement
> the same. The driver is on similar patterns on what filespy is made
(FileSpy
> is a sample file system filter driver provided in IFS kit)
>
>
>
> The application works fine when installed on a fresh Windows 2000 machine
> and functions properly. But when it is installed on machine having
Symantec
> Norton Antivirus installed in it, the system crashes with a stop code
>
> STOP 0x0000007f (0x00000008, 0x00000000, 0x00000000, 0x00000000)
>
> UNEXPECTED_KERNEL_MODE_TRAP
>
> So is there any way out to run Norton Antivirus and my application at same
> time? Is there any way to place our driver on top of the Norton
Symevent.sys
> driver? Or, is there any alternative way?
>
>
>
> ///////////
>
> The driver has finally started working along with Norton Antivirus. Thanks
> to all of you for your support!
>
>
>
> I have decreased the utilization of stack space by removing the large
stack
> structures like WCHAR xx[400] in the dispatch routines and allocating the
> memory from nonpaged pool. There are a very few static memory allocation
> left now in the code like:
>
> wchar_t Full = L"%SystemRoot%\System32\shell32.dll,32"; and I will
> remove these too soon.
>
>
>
> The driver, while Norton Antivirus installed, runs fine but the system
> DOESNOT RESTART UPON REBOOTING, NEITHER IT SHUTS DOWN PROPERLY. One has to
> manually restart the system. On the other hand, the SYSTEM SHUTS DOWN
> PROPERLY without any problem if NAV is not installed on the system.
>
>
>
> What can be the reason behind this? Is this due to the left static memory
> allocations (they are just 2 or three in number) or any other reason?
>
> Please comment!
>
> Regards,
>
> Rohit
>
>
>
>
>

3

Dear Dejan, Maxim, Ladislav, Tony and Dan,

Thanks a lot for helping me in solving the compatilibity issue of filter
driver with other filter driver. I have followed your procedure and removed
all the statically allocated memory and allocating memory by non paged .

But the system doesnot restart properly. I have been using a lot of link
list in my code. Can there be any problem due to that ?? Or any possible
cause for improper restart.

Can you please suggest a way out to how to ANALYSE this problem or where can
the problem be ?
Regards,
Rohit

“Rohit Dhamija” wrote in message
news:xxxxx@ntfsd…
> Dear All,
>
> I am not able to find a particular resason behind improper restart of my
> file system filter driver when running along with other filter driver (i.e
> SymEvent.sys of NAV) . Can anybody please suggest some reasons behind this
?
>
> Regards,
> Rohit
>
>
> “Rohit Dhamija” wrote in message
> news:xxxxx@ntfsd…
> > Dear All,
> >
> >
> >
> > A few weeks ago I had posted a query:
> >
> > ////////////
> >
> > I am working on a security application specifically for Windows 2000
NTFS
> > file system and have developed a “file system filter driver” to
implement
> > the same. The driver is on similar patterns on what filespy is made
> (FileSpy
> > is a sample file system filter driver provided in IFS kit)
> >
> >
> >
> > The application works fine when installed on a fresh Windows 2000
machine
> > and functions properly. But when it is installed on machine having
> Symantec
> > Norton Antivirus installed in it, the system crashes with a stop code
> >
> > STOP 0x0000007f (0x00000008, 0x00000000, 0x00000000, 0x00000000)
> >
> > UNEXPECTED_KERNEL_MODE_TRAP
> >
> > So is there any way out to run Norton Antivirus and my application at
same
> > time? Is there any way to place our driver on top of the Norton
> Symevent.sys
> > driver? Or, is there any alternative way?
> >
> >
> >
> > ///////////
> >
> > The driver has finally started working along with Norton Antivirus.
Thanks
> > to all of you for your support!
> >
> >
> >
> > I have decreased the utilization of stack space by removing the large
> stack
> > structures like WCHAR xx[400] in the dispatch routines and allocating
the
> > memory from nonpaged pool. There are a very few static memory allocation
> > left now in the code like:
> >
> > wchar_t Full = L"%SystemRoot%\System32\shell32.dll,32"; and I will
> > remove these too soon.
> >
> >
> >
> > The driver, while Norton Antivirus installed, runs fine but the system
> > DOESNOT RESTART UPON REBOOTING, NEITHER IT SHUTS DOWN PROPERLY. One has
to
> > manually restart the system. On the other hand, the SYSTEM SHUTS DOWN
> > PROPERLY without any problem if NAV is not installed on the system.
> >
> >
> >
> > What can be the reason behind this? Is this due to the left static
memory
> > allocations (they are just 2 or three in number) or any other reason?
> >
> > Please comment!
> >
> > Regards,
> >
> > Rohit
> >
> >
> >
> >
> >
>
>
>

4

What does mean “does not restart properly” ?

A bugcheck ? A Deadlock ? Or anything else ?

L.

5

Ladislav Zezula wrote:
> What does mean “does not restart properly” ?
>
> A bugcheck ? A Deadlock ? Or anything else ?

IIRC it’s a bug check 0x7F (0x8 , 0 , 0 , 0)…

Ugly thingy… it’s an indicator for a kernel stack overflow.

Tobias

6

Dear Mr. Zezula,

Thanks for your response. Let me clarify the exact situation:
//////////////////
“does not restart properly” means that when I try to restart my system
i.e Clicking Start menu->Shutdown->Restart , the system closes all the
opened applications and then dialog box showing that windows is shutting
down appears (i.e till now the procedure is normal). After the dialog box
closes, the system stops there only and doesn’t shuts down. (Ideally, the
system should shutdown and start again). The systems stops but doesn’t
hangs(becoz u are able to move mouse at that time), And then one has to
manually restart the system.
It seems as if system has gone in some infinite loop and is not able to
restart by itself.
////////////////////

There is no dump created in this situation. Please let me know for further
clarifications in this regards,
Regards,
Rohit

Can you please suggest any particular reason why when such kind of situation
happens ?

“Ladislav Zezula” wrote in message news:xxxxx@ntfsd…
> What does mean “does not restart properly” ?
>
> A bugcheck ? A Deadlock ? Or anything else ?
>
> L.
>
>

7

Dear Mr. Tobias,

The system now no more shows the bug check 0x7F (0x8 , 0 , 0 , 0) since i
have majorly minimized the kernel stack utilization. Moreover , the
application performance has been majorly increased now.
Now the system is not able to restart properly ( i have mentioned clearly in
my previous mail by what i mean to say this)

Please comment!
Regards,
Rohit

“Tobias Sasse” wrote in message news:xxxxx@ntfsd…
> Ladislav Zezula wrote:
> > What does mean “does not restart properly” ?
> >
> > A bugcheck ? A Deadlock ? Or anything else ?
>
> IIRC it’s a bug check 0x7F (0x8 , 0 , 0 , 0)…
>
> Ugly thingy… it’s an indicator for a kernel stack overflow.
>
> Tobias
>

8

Rohit Dhamija wrote:

Hi Rohit,

The system now no more shows the bug check 0x7F (0x8 , 0 , 0 , 0) since i
have majorly minimized the kernel stack utilization. Moreover , the
application performance has been majorly increased now.
Now the system is not able to restart properly ( i have mentioned clearly in
my previous mail by what i mean to say this)

Please comment!

Oh okay, I didn’t catch that right. But now I hopefully have :wink:

I’d say there can be many reasons for such a situation. Did you already
attach a debugger via cable, to perhaps find out were exactly your
driver hangs or breaks the shutdown procedure?

Did you handle the paging path requirements (which are described in the
DDK docs in datail) properly?

Tobias

9

Dear Tobias,

I have attached the remote debug view and come to know that the driver hangs
in IRP_MJ_SET_INFORMATION dispatch routine in

if(irpStack->Parameters.SetFile.FileInformationClass ==
FileBasicInformation) {
} function

The code inside this function is
/////////////////////////////////////////

linkFileName.MaximumLength = 30;
linkFileName.Buffer = ExAllocatePoolWithTag(NonPagedPool,
linkFileName.MaximumLength,‘2leM’);

linkFullFileName.MaximumLength = 50 ;
linkFullFileName.Buffer = ExAllocatePoolWithTag(NonPagedPool,
linkFullFileName.MaximumLength,‘2leM’);

LINE1) dummy = 7; // Initialize value of dummy of integer type
LINE2) _itow(dummy,linkFileName.Buffer, 10); // placing it into
linkFileName.Buffer
LINE4) linkFileName.Length = wcslen(linkFileName.Buffer) *
sizeof(WCHAR);
LINE5) RtlInitUnicodeString(&temp,L"BOND00"); //temp is initialized to
BOND
LINE6) RtlCopyUnicodeString(&linkFullFileName, &temp);
LINE7) RtlAppendUnicodeStringToString(&linkFullFileName, &linkFileName);
//linkfulllFileName = Bond007
LINE8) DbgPrint(“\n #NEW CODE linkFileName = %wZ”,&linkFileName);
LINE7) DbgPrint(“\n #NEW CODE linkFullFileName =
%wZ”,&linkFullFileName);

ExFreePoolWithTag(linkFileName.Buffer,‘pmoC’);
ExFreePoolWithTag(linkFullFileName.Buffer,‘pmoC’);

/////////////////////////////////////////

when i restart the system, the dbgprints mentioned in this function are
appearing at regular intervals and system doesnot restart. Please let me
know any idea you get from this code. Also let me know if you need any
clarification in this regards,

Waiting for your reply,

Regards,
Rohit

“Tobias Sasse” wrote in message news:xxxxx@ntfsd…
> Rohit Dhamija wrote:
>
> Hi Rohit,
>
> > The system now no more shows the bug check 0x7F (0x8 , 0 , 0 , 0) since
i
> > have majorly minimized the kernel stack utilization. Moreover , the
> > application performance has been majorly increased now.
> > Now the system is not able to restart properly ( i have mentioned
clearly in
> > my previous mail by what i mean to say this)
> >
> > Please comment!
>
> Oh okay, I didn’t catch that right. But now I hopefully have :wink:
>
> I’d say there can be many reasons for such a situation. Did you already
> attach a debugger via cable, to perhaps find out were exactly your
> driver hangs or breaks the shutdown procedure?
>
> Did you handle the paging path requirements (which are described in the
> DDK docs in datail) properly?
>
> Tobias
>

10

Rohit Dhamija wrote:

> The code inside this function is
```

Can’t say much about your code. But I suppose it’s not all you
implemented. You have to return status etc.

However, to me the problem seems like someone’s device isn’t satisfied
with your answer. That is where I would investigate if I was you.

Tobias

11

Dear Tobias,
In general can you tell some of the reason behind this problem ??
Regards,
rohit
“Rohit Dhamija” wrote in message
news:xxxxx@ntfsd…
> Dear Tobias,
>
> I have attached the remote debug view and come to know that the driver
hangs
> in IRP_MJ_SET_INFORMATION dispatch routine in
>
> if(irpStack->Parameters.SetFile.FileInformationClass ==
> FileBasicInformation) {
> } function
>
>
> The code inside this function is
> /////////////////////////////////////////
>
> linkFileName.MaximumLength = 30;
> linkFileName.Buffer = ExAllocatePoolWithTag(NonPagedPool,
> linkFileName.MaximumLength,‘2leM’);
>
> linkFullFileName.MaximumLength = 50 ;
> linkFullFileName.Buffer = ExAllocatePoolWithTag(NonPagedPool,
> linkFullFileName.MaximumLength,‘2leM’);
>
>
> LINE1) dummy = 7; // Initialize value of dummy of integer type
> LINE2) _itow(dummy,linkFileName.Buffer, 10); // placing it into
> linkFileName.Buffer
> LINE4) linkFileName.Length = wcslen(linkFileName.Buffer) *
> sizeof(WCHAR);
> LINE5) RtlInitUnicodeString(&temp,L"BOND00"); //temp is initialized
to
> BOND
> LINE6) RtlCopyUnicodeString(&linkFullFileName, &temp);
> LINE7) RtlAppendUnicodeStringToString(&linkFullFileName,
&linkFileName);
> //linkfulllFileName = Bond007
> LINE8) DbgPrint(“\n #NEW CODE linkFileName = %wZ”,&linkFileName);
> LINE7) DbgPrint(“\n #NEW CODE linkFullFileName =
> %wZ”,&linkFullFileName);
>
> ExFreePoolWithTag(linkFileName.Buffer,‘pmoC’);
> ExFreePoolWithTag(linkFullFileName.Buffer,‘pmoC’);
>
> /////////////////////////////////////////
>
> when i restart the system, the dbgprints mentioned in this function are
> appearing at regular intervals and system doesnot restart. Please let me
> know any idea you get from this code. Also let me know if you need any
> clarification in this regards,
>
> Waiting for your reply,
>
> Regards,
> Rohit
>
> “Tobias Sasse” wrote in message news:xxxxx@ntfsd…
> > Rohit Dhamija wrote:
> >
> > Hi Rohit,
> >
> > > The system now no more shows the bug check 0x7F (0x8 , 0 , 0 , 0)
since
> i
> > > have majorly minimized the kernel stack utilization. Moreover , the
> > > application performance has been majorly increased now.
> > > Now the system is not able to restart properly ( i have mentioned
> clearly in
> > > my previous mail by what i mean to say this)
> > >
> > > Please comment!
> >
> > Oh okay, I didn’t catch that right. But now I hopefully have :wink:
> >
> > I’d say there can be many reasons for such a situation. Did you already
> > attach a debugger via cable, to perhaps find out were exactly your
> > driver hangs or breaks the shutdown procedure?
> >
> > Did you handle the paging path requirements (which are described in the
> > DDK docs in datail) properly?
> >
> > Tobias
> >
>
>
>