the problem in my filter driver during c_1252.nls opened?

I think I can tell you this reason - I think you have a bug in your filter
driver :-) I expect you will be able to use WinDbg, for example, to debug your
filter driver.

wrote in message news:xxxxx@ntfsd…
> Hi,
>
> My file filter driver has a problem. It writes the full pathname of the
> currently opened or created file, which my FsCreateDispatch routine
> captures, to my log file. It works correctly. But it crashes
> (bugcheck: UCEXCEPT_KERNEL_MODE_TRAP) when my driver intercepts the
> csrss.exe process opening or creating the c_1252.nls file in the
> FsCreateDispatch routine. I know that c_1252.nls is associated with NTFS,
> but I don’t know what happens while c_1252.nls is opened. I use
> ZwCreateFile to open my log file. When csrss.exe is opening c_1252.nls,
> the ZwCreateFile call results in a crash. Who can tell me the reason?
>
>
>
> Best Regards
>
> Ken Wang
>

Welcome to the “I have a driver and it does not work”
club. Get a crash dump, include your filter’s PDB
symbols into WinDbg’s symbol path and run the
!analyze -v command in WinDbg. If you do
not understand the list, post it there.

Without this, no one is able to tell you
anything except “You have a bug in your filter”

BTW I don’t think it has anything to do
with c_1252.nls, it seems to be a pure
coincidence. c_1252.nls is only the first
file which is processed in a way that your
filter does not handle correctly.

L.

> I usually use SoftICE to debug the driver, so
> I don’t know how to get Windbg’s

I use SoftICE too, but still consider
WinDbg as essential. Do this:

  1. Turn on crash dump generating
  2. Download the Debugging Tools for Windows
    from Microsoft web
  3. Install it
  4. Configure the Symbol Server (help will tell you how)
    and include the path to your PDB file in the
    _NT_SYMBOL_PATH environment variable
  5. Let your system crash. Then reboot
    (without your driver), open your crash
    dump and open the crash dump in WinDbg.
  6. Type !analyze -v
  7. Post the result here.

I cannot promise you I will tell you where’s
the problem after I see your crash dump analysis,
but I can guarantee that if you learn how to
analyze a crash dump, it will greatly increase
your driver writing skills.

L.

Sysmon is your filter?
If yes, you have called strncpy
with a wrong parameter. Because the
failing operation was “read” and the address
was e3170000 (i.e. the beginning of a new page),
I guess that you have tried to strcpy a string
that is not zero terminated (a buffer from
UNICODE_STRING).

L.
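
The diagnosis above (a terminator-scanning copy run against a UNICODE_STRING buffer), shown as an added example that is not code from the thread or from the poster's driver. It is user-mode C: `COUNTED_STRING` is a hypothetical stand-in for UNICODE_STRING, and `has_terminator`, `copy_counted` and the sample data are illustrative names and constructed values.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* User-mode stand-in for UNICODE_STRING: Length is a byte count and
 * Buffer is not required to be NUL-terminated. */
typedef struct {
    uint16_t Length;
    uint16_t MaximumLength;
    uint16_t *Buffer;
} COUNTED_STRING;

/* 1 if a NUL occurs within the first Length bytes, else 0. When 0, a copy
 * that scans for a terminator keeps reading past the end of the data. */
int has_terminator(const COUNTED_STRING *s)
{
    for (size_t i = 0; i < s->Length / sizeof(uint16_t); i++)
        if (s->Buffer[i] == 0)
            return 1;
    return 0;
}

/* Copy driven by Length only, truncating to fit, always terminating dst.
 * Returns characters copied, or (size_t)-1 on bad arguments. */
size_t copy_counted(uint16_t *dst, size_t dst_chars, const COUNTED_STRING *src)
{
    if (!dst || dst_chars == 0 || !src || (!src->Buffer && src->Length))
        return (size_t)-1;
    size_t n = src->Length / sizeof(uint16_t);
    if (n > dst_chars - 1)
        n = dst_chars - 1;
    if (n)
        memcpy(dst, src->Buffer, n * sizeof(uint16_t));
    dst[n] = 0;
    return n;
}

/* Constructed sample: eight characters with no terminator after them. */
static uint16_t sample_chars[8] = {'\\', 'a', '\\', 'b', '.', 'n', 'l', 's'};
static const COUNTED_STRING sample = { sizeof sample_chars, sizeof sample_chars, sample_chars };

int main(void)
{
    uint16_t out[4];
    size_t n = copy_counted(out, 4, &sample);
    printf("terminated=%d copied=%zu\n", has_terminator(&sample), n);
    return 0;
}
```

In a driver the same rule holds: size the copy from `Length`, for example with `RtlCopyUnicodeString`, rather than scanning for a terminator.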

> Does nv4_disp.dll conflict with my filter driver?

No, I don’t think so. But if you rewrite another
memory page, you might also rewrite another driver’s
data. That might have led to the BSOD in your previous
mail.

L.