system hanging while boot time

hi all,

We have developed a filter driver which starts at boot time. Our filter driver monitors access to files, folders and drives. If we put a rule on the C drive and configure the driver to only monitor the activities on the C drive, then Windows hangs. We tried to log the events happening since startup and found out that Windows is not able to go forward when wmilib.sys is being accessed by smss.exe.

We are trying to print the current login user name for every log, and we are using ZwOpenKey for that. Is there anything unusual in using ZwOpenKey?

Could anyone give some clue on this?

regards,
gopal

> if we put a rule on c drive, …
> is there anything unusual in using ZwOpenKey.

Registry Manager uses IO Manager and Cache Manager, and Zw* functions
sometimes require an APC to complete (different from a special kernel-mode
APC).
I am sure that your case is related to

  • Using a function (ZwOpenKey etc.) which generates page faults on a
    paging path, and these page faults are for pages which are not supported by the
    pagefiles (they are supported by a registry hive file).
  • Pagefile(s) is on the volume which your driver monitors and the filter
    driver generates page faults on the path related to the processing of page
    faults to pages backed by a pagefile.


Slava Imameyev, xxxxx@hotmail.com

wrote in message news:xxxxx@ntfsd…
> hi all,
>
> we have developed a filter driver which starts at the boot time. our
> filter drivers monitors access to files folders and drives. if we put a
> rule on c drive, and configured the driver to only monitor the activities
> on c drive, then the windows is getting hanged. we tried to log the events
> happening since startup and find out that the windows is not able to go
> forward when the wmilib.sys is being accessed by smss.exe.
>
> we are trying to print the current login user name for every log. and we
> are using ZwOpenKey for that. is there anything unusual in using
> ZwOpenKey.
>
> could any one give some clue on this.
>
> regards,
> gopal
>

hi slava,

But every time we try to reproduce the scenario, it hangs when smss.exe tries to access wmilib.sys. Is there anything wrong in there?

regards,
venu

> but every time we try to reproduce the scenario, it is getting hanged when
> smss.exe tries to access the wmilib.sys. is there any thing wrong in
> there.

You have been pointed to the possible flaw in your driver - generating page
faults to a mapped file(!) on every paging path; this violates the locking
hierarchy - the system tries to acquire a lock for a data stream when a lock
for another data stream has already been acquired and the former data stream
is not a page file. You saw the consequence of this violation - the system
hung, it doesn't matter where.
Even if you find a workaround for this special case, the system will hang in
another place.
You wrote that you call Zw* functions for registry operations inside your
filter - this is the source of the problem.


Slava Imameyev, xxxxx@hotmail.com

wrote in message news:xxxxx@ntfsd…
> hi slava,
>
> but every time we try to reproduce the scenario, it is getting hanged when
> smss.exe tries to access the wmilib.sys. is there any thing wrong in
> there.
>
> regards,
> venu
>
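
As an added illustration of the point made in the replies above (not code from any poster in this thread), here is a user-mode C model of one way to keep the registry lookup off the request path: the filter only copies facts into a preallocated ring, and the user name is resolved later on a worker. The two IRP flag values match wdm.h; `on_file_access`, `drain_log`, `resolve_user`, the ring size and the sample requests are hypothetical.

```c
/* Added example: user-mode model, not driver code. The two flag values match
   wdm.h; every other name here is hypothetical. */
#include <stdio.h>

#define IRP_PAGING_IO             0x00000002
#define IRP_SYNCHRONOUS_PAGING_IO 0x00000040
#define QUEUE_SLOTS 4  /* preallocated ring: the request path never allocates */

struct log_rec { unsigned pid; int paging; char path[64]; char user[32]; };
static struct log_rec ring[QUEUE_SLOTS];
static unsigned head, tail, dropped, lookups;

/* Stand-in for the ZwOpenKey-based user name lookup from the thread. */
static void resolve_user(unsigned pid, char *out, size_t n) {
    lookups++;
    snprintf(out, n, "user-of-%u", pid);
}

/* Runs inside every monitored request, paging I/O included. It only copies
   facts into the ring and never calls resolve_user(), so a paging request
   cannot fault on the registry hive. Returns 1 if queued, 0 if ring is full. */
int on_file_access(unsigned irp_flags, unsigned pid, const char *path) {
    struct log_rec *r;
    if (head - tail == QUEUE_SLOTS) { dropped++; return 0; }
    r = &ring[head++ % QUEUE_SLOTS];
    r->pid = pid;
    r->paging = (irp_flags & (IRP_PAGING_IO | IRP_SYNCHRONOUS_PAGING_IO)) != 0;
    snprintf(r->path, sizeof r->path, "%s", path);
    r->user[0] = '\0';                 /* resolved later, never here */
    return 1;
}

/* Runs on a worker outside any I/O request, so no data-stream lock is held
   when the lookup touches the registry. Returns the number of records written. */
int drain_log(FILE *out) {
    int n = 0;
    for (; tail != head; tail++, n++) {
        struct log_rec *r = &ring[tail % QUEUE_SLOTS];
        resolve_user(r->pid, r->user, sizeof r->user);
        fprintf(out, "%s pid=%u user=%s paging=%d\n",
                r->path, r->pid, r->user, r->paging);
    }
    return n;
}

int main(void) {  /* constructed sample requests */
    on_file_access(IRP_PAGING_IO, 4, "\\Windows\\System32\\drivers\\wmilib.sys");
    on_file_access(0, 320, "\\Windows\\System32\\config\\SOFTWARE");
    return drain_log(stdout) == 2 ? 0 : 1;
}
```

In a real driver the ring would live in nonpaged memory and the drain would run from a system worker thread; the model only shows where the lookup is allowed to happen.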