SGksDQoNCk15IGZpbGUgZmlsdGVyIGRyaXZlciBoYXZlIGEgcHJvYmxlbS5JdCB3cml0ZSBmdWxs
IHBhdGhuYW1lIHRoYXQgbXkNCkZzQ3JlYXRlRGlzcGF0Y2ggcm91dGluZSBjYXB0dXJlIHRoZSBj
dXJyZW50IG9wZW5lZCBvciBjcmVhdGVkIGZpbGUgdG8gbXkNCmxvZyBmaWxlLkl0J3Mgd29yayBj
b3JyZXRseS5CdXQgaXQgY3Jhc2gNCihidWdjaGVjazpVQ0VYQ0VQVF9LRVJORUxfTU9ERV9UUkFQ
KSB3aGVuIG15IGRyaXZlciBpbnRlcmNlcHQgY3Nyc3MuZXhlDQpwcm9jZXNzIHRvIG9wZW4gb3Ig
Y3JlYXRlIHRoZSBjXzEyNTIubmxzIGZpbGUgaW4gRnNDcmVhdGVEaXNwYXRjaCByb3V0aW5lLkkN
Cmtub3cgdGhhdCB0aGUgY18xMjUyLm5scyBhc3NvY2lhdGVkIHdpdGggTlRGU6OsYnV0IGkgZG9u
J3Qga25vdyB3aGF0DQpoYXBwZW5lZCBkdXJpbmcgY18xMjUyLm5scyBvcGVuZWQuSSB1c2UgWndD
cmVhdGVGaWxlIHRvIG9wZW4gbXkgbG9nDQpmaWxlLldoZW4gY3Nyc3MuZXhlIG9wZW5pbmcgY18x
MjUyLm5scyx0aGUgWndDcmVhdGVGaWxlIHJlc3VsdCBpbg0KY3Jhc2hlZC5XaG8gY2FuIHRlbGwg
bWUgdGhpcyByZWFzb24/DQoNCg0KDQpCZXN0IFJlZ2FyZHMNCg0KS2VuIFdhbmcNCg==
I think I can tell you this reason - I think you have a bug in your filter
driver I expect you will be able to use windbg for example to debug your
filter driver.
wrote in message news:xxxxx@ntfsd…
> Hi,
>
> My file filter driver have a problem.It write full pathname that my
> FsCreateDispatch routine capture the current opened or created file to my
> log file.It’s work corretly.But it crash
> (bugcheck:UCEXCEPT_KERNEL_MODE_TRAP) when my driver intercept csrss.exe
> process to open or create the c_1252.nls file in FsCreateDispatch
> routine.I
> know that the c_1252.nls associated with NTFS£¬but i don’t know what
> happened during c_1252.nls opened.I use ZwCreateFile to open my log
> file.When csrss.exe opening c_1252.nls,the ZwCreateFile result in
> crashed.Who can tell me this reason?
>
>
>
> Best Regards
>
> Ken Wang
>
Welcome to the “I have a driver and it does not work”
club. Get a crash dump, include your filter’s PDB
symbols info Windbg’s symbol path and do
!analyze -v command in Windbg. If you will
not understand the list, post it there.
Without this, no one is able to tell you
anything except “You have a bug in your filter”
BTW I don’t think it has anything to do
with c_1252.nls, it seems to be a pure
coincidence. c_1252.nls is only the first
file which is processes a way that your
filter does not handle correctly.
L.
> I usually use softice to debug dirver, so
i don’t know how to get Windbg’s
I use SoftICE too, but still consider
WinDBg as essential. Do this:
- Turn on crash dump generating
- Download the Debugging Tools for Windows
from Microsoft web - Install it
- Configure the Symbol Server (help will hell you how)
and include path to your PDB file to
_NT_SYMBOL_PATH environment variable - Let your system crash. Then reboot
(without your driver), open your crash
dump and open the crash dump in WinDbg. - Type !analyze -v
- Post the result here.
I cannot promise you I will tell you where’s
the problem after I see your crash dump analysis,
but I can guarantee that if you learn how to
analze crash dump, it will greatly increase
your driver writing skills.
L.
Sysmon is your filter ?
If yes, you have called the strncpy
with a wrong parameter. Because the
failure operation was “read” and the address
was e3170000 (i.e. a begin of a new page),
I guess that you have tries to strcpy a string
that is not zero terminated (a buffer from
UNICODE_STRING).
L.
> The nv4_disp.dll is conflict with my filter driver?
No, I don’t think so. But If you rewrite another
memory page, you might also rewrite another driver’s
data. That might have led to the BSOD in your prev
mail.
L.