  Message 1 of 5  
02 Oct 17 12:47
John
xxxxxx@gmail.com
Join Date: 10 May 2014
Posts To This List: 35
INVALID_PROCESS_ATTACH_ATTEMPT

I got a crash dump from a system running one of my drivers. It's a minifilter that does use SFO's in some cases. The customer said this crash occurs infrequently on start up and although my software has been installed for many months this apparently only started occurring semi-recently.

Most of the documentation on INVALID_PROCESS_ATTACH_ATTEMPT states an issue with KeAttachProcess, but that's been deprecated and is not used in my driver; however, I do use KeStackAttachProcess. I'm not sure how to interpret Arg1 and Arg2 as they are "pointers to the dispatcher object of the process."

A "!stacks 2 mydriver" command shows only 1 thread but it's in a different process than the one that caused the crash. Based off what I see, I don't believe I'm the culprit but is there anything else I can check that can help confirm that?

1: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

INVALID_PROCESS_ATTACH_ATTEMPT (5)
Arguments:
Arg1: ffffd20300000000
Arg2: ffffd203d0aa7640
Arg3: 0000000000000000
Arg4: 0000000000000000

Debugging Details:
------------------

DUMP_CLASS: 1
DUMP_QUALIFIER: 402
BUILD_VERSION_STRING: 15063.0.amd64fre.rs2_release.170317-1834
SYSTEM_MANUFACTURER: Dell Inc.
SYSTEM_PRODUCT_NAME: Dell System XPS L502X
SYSTEM_SKU: System SKUNumber
BIOS_VENDOR: Dell Inc.
BIOS_VERSION: A12
BIOS_DATE: 09/07/2012
BASEBOARD_MANUFACTURER: Dell Inc.
BASEBOARD_PRODUCT: 0NJT03
BASEBOARD_VERSION: A00
DUMP_TYPE: 0
BUGCHECK_P1: ffffd20300000000
BUGCHECK_P2: ffffd203d0aa7640
BUGCHECK_P3: 0
BUGCHECK_P4: 0
CPU_COUNT: 8
CPU_MHZ: 7cb
CPU_VENDOR: GenuineIntel
CPU_FAMILY: 6
CPU_MODEL: 2a
CPU_STEPPING: 7
CPU_MICROCODE: 6,2a,7,0 (F,M,S,R) SIG: 29'00000000 (cache) 29'00000000 (init)
DEFAULT_BUCKET_ID: WIN8_DRIVER_FAULT
BUGCHECK_STR: 0x5
PROCESS_NAME: ClipRenew.exe
CURRENT_IRQL: 1
LAST_CONTROL_TRANSFER: from fffff800fd395617 to fffff800fd385580

STACK_TEXT:
ffffa300`7690f338 fffff800`fd395617 : 00000000`00000005 ffffd203`00000000 ffffd203`d0aa7640 00000000`00000000 : nt!KeBugCheckEx
ffffa300`7690f340 fffff800`fd250225 : ffffd203`d0389420 00000000`00000000 ffffd203`00000000 fffff800`fd27bf8d : nt!KiDeliverApc+0x146ea7
ffffa300`7690f3d0 fffff800`fd3050d7 : ffffd203`d06340f0 00000000`00000000 ffffd203`d0389420 ffffd203`d0634010 : nt!KiCheckForKernelApcDelivery+0x25
ffffa300`7690f400 fffff803`e72d49cc : ffffa300`7690f4e9 ffffd203`00000000 ffffd203`00000000 ffffd203`d0634010 : nt!KeLeaveGuardedRegion+0x37
ffffa300`7690f430 fffff803`e72d46ec : ffffa300`7690f620 00000000`00000000 ffffd203`d0aa7600 ffffd203`cedaf212 : FLTMGR!FltpPerformPreCallbacks+0x16c
ffffa300`7690f550 fffff803`e72d36d8 : ffffd203`cedaf2b0 ffffa300`7690f620 ffffd203`cedaf2b0 ffffa300`7690f630 : FLTMGR!FltpPassThroughInternal+0x8c
ffffa300`7690f580 fffff803`e72d34be : ffffffff`fffe7960 ffffd203`cd5ce7f0 00000000`00000000 00000000`00000000 : FLTMGR!FltpPassThrough+0x168
ffffa300`7690f600 fffff800`fd6ac7cf : ffffd203`d0aa8360 00000000`00000000 00000000`00000000 ffffa300`7690f6b0 : FLTMGR!FltpDispatch+0x9e
ffffa300`7690f660 fffff800`fd6bbde8 : 00000000`00007fff ffffd203`ca34bb00 00000000`00000000 ffffd203`d0aa8340 : nt!IopCloseFile+0x14f
ffffa300`7690f6f0 fffff800`fd743c45 : 00000000`00000000 ffffd203`d087b928 00000000`00000001 ffffffff`ffffffff : nt!ObCloseHandleTableEntry+0x228
ffffa300`7690f830 fffff800`fd63fa89 : ffffd203`d0aa7640 ffffd203`d0aa5700 ffffd203`d0aa7640 00000000`00040001 : nt!ExSweepHandleTable+0xc5
ffffa300`7690f8e0 fffff800`fd6e24f7 : 00000000`00040000 00000000`00000000 00000000`00000000 fffff800`fd6e9786 : nt!ObKillProcess+0x35
ffffa300`7690f910 fffff800`fd653641 : ffffd203`d0aa7640 ffff8807`16e69060 ffffd203`d0aa7640 00000000`00000000 : nt!PspRundownSingleProcess+0x117
ffffa300`7690f990 fffff800`fd712f59 : 00000000`00000000 ffffd203`d0aa7601 0000008c`635d8000 ffffd203`d0aa5700 : nt!PspExitThread+0x57d
ffffa300`7690fa90 fffff800`fd390413 : ffffd203`d0aa7640 ffffd203`d0aa5700 ffffa300`7690fb80 000001d7`679f0730 : nt!NtTerminateProcess+0xe9
ffffa300`7690fb00 00007ffd`c3cf5924 : 00007ffd`c3c9d2ff 00000000`00000000 000001d7`679f0730 000001d7`679f0728 : nt!KiSystemServiceCopyEnd+0x13
0000008c`6367fa68 00007ffd`c3c9d2ff : 00000000`00000000 000001d7`679f0730 000001d7`679f0728 000001d7`679f0730 : ntdll!NtTerminateProcess+0x14
0000008c`6367fa70 00007ffd`c3bbc0da : 00000000`00000000 00000000`00000000 000001d7`679f0730 00007ffd`c3cc0da7 : ntdll!RtlExitUserProcess+0xbf
0000008c`6367faa0 00007ffd`c11fa045 : 00007ff7`be3eb9c0 00000000`00000000 00000000`00000000 000001d7`679f0740 : KERNEL32!ExitProcessImplementation+0xa
0000008c`6367fad0 00007ffd`c11fa68d : 000001d7`679f0728 00007ff7`a4f1e6b9 000001d7`67a41a50 00000000`00000000 : msvcrt!_crtExitProcess+0x15
0000008c`6367fb00 00007ff7`be3eaf90 : 00000000`00000001 00000000`00000000 00000000`00000000 00000000`00000000 : msvcrt!unlockexit+0x1d1
0000008c`6367fb70 00007ffd`c3bb2774 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ClipRenew!__wmainCRTStartup+0x164
0000008c`6367fbb0 00007ffd`c3cc0d51 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : KERNEL32!BaseThreadInitThunk+0x14
0000008c`6367fbe0 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x21

1: kd> !thread -1
THREAD ffffd203d0aa5700 Cid 0b6c.0b70 Teb: 0000000000000000 Win32Thread: 0000000000000000 RUNNING on processor 1
IRP List:
    ffffd203cedaf2b0: (0006,0598) Flags: 00000404 Mdl: 00000000
Not impersonating
DeviceMap ffff88070b0145a0
Owning Process ffffd203d0aa7640 Image: ClipRenew.exe
Attached Process N/A Image: N/A
Wait Start TickCount 3234 Ticks: 0
Context Switch Count 69 IdealProcessor: 1
UserTime 00:00:00.000
KernelTime 00:00:00.000
Win32 Start Address ClipRenew!wmainCRTStartup (0x00007ff7be3eaff0)
Stack Init ffffa3007690fc90 Current ffffa3007690edf0
Base ffffa30076910000 Limit ffffa3007690a000 Call 0
Priority 7 BasePriority 6 UnusualBoost 0 ForegroundBoost 0 IoPriority 1 PagePriority 2

1: kd> !irp ffffd203cedaf2b0
Irp is active with 16 stacks 16 is current (= 0xffffd203cedaf7b8)
No Mdl: No System Buffer: Thread ffffd203d0aa5700: Irp stack trace.
     cmd flg cl Device File Completion-Context
>[IRP_MJ_CLEANUP(12), N/A(0)]
     0 1 ffffd203cd5ce7f0 ffffd203d0aa8360 00000000-00000000 pending
     \FileSystem\FltMgr
     Args: 00000000 00000000 00000000 00000000

1: kd> !stacks 2 mydriver
[ffffd203d0b44080 svchost.exe]
c04.000c3c ffffd203d0b61080 fffff35e RUNNING
    nt!FsRtlFindExtraCreateParameter+0x38
    NTFS!NtfsCommonCreate+0x2ef5
    NTFS!NtfsCommonCreateCallout+0x1d
    nt!KxSwitchKernelStackCallout+0x27
    nt!KiSwitchKernelStackContinue
    nt!KiExpandKernelStackAndCalloutOnStackSegment+0x12c
    nt!KiExpandKernelStackAndCalloutSwitchStack+0x9e
    nt!KeExpandKernelStackAndCalloutInternal+0x2f
    NTFS!NtfsFsdCreate+0x1cb
    FLTMGR!FltpLegacyProcessingAfterPreCallbacksCompleted+0x18d
    FLTMGR!FltpCreate+0x2eb
    nt!IopParseDevice+0x815
    nt!ObpLookupObjectName+0x46b
    nt!ObOpenObjectByNameEx+0x1e0
    nt!IopCreateFile+0x3aa
    nt!IoCreateFileEx+0x124
    FLTMGR!FltpExpandFilePathWorker+0x2b9
    FLTMGR!FltpExpandFilePath+0x1a
    FLTMGR!FltpGetNormalizedFileNameWorker+0x117
    FLTMGR!FltpGetNormalizedFileName+0x1a
    FLTMGR!FltpCreateFileNameInformation+0x32d
    FLTMGR!HandleStreamListNotSupported+0x115
    FLTMGR!FltpGetFileNameInformation+0x623
    FLTMGR!FltGetFileNameInformation+0x1ba
    mydriver+0x17c05
    FLTMGR!FltpCallOpenedFileNameHandler+0x70
    FLTMGR!FltpGetNormalizedFileNameWorker+0x2f
    FLTMGR!FltpGetNormalizedFileName+0x1a
    FLTMGR!FltpCreateFileNameInformation+0x32d
    FLTMGR!HandleStreamListNotSupported+0x115
    FLTMGR!FltpGetFileNameInformation+0x623
    FLTMGR!FltGetFileNameInformation+0x1ba
    MbamChameleon+0x16e3
    MbamChameleon+0x2a543
    FLTMGR!FltpPerformPreCallbacks+0x2ec
    FLTMGR!FltpPassThroughInternal+0x8c
    FLTMGR!FltpCreate+0x2d7
    nt!IopParseDevice+0x815
    nt!ObpLookupObjectName+0x46b
    nt!ObOpenObjectByNameEx+0x1e0
    nt!IopCreateFile+0x3aa
    nt!IoCreateFileEx+0x124
    nt!IopOpenLinkOrRenameTarget+0x166
    nt!NtSetInformationFile+0x9c3
    nt!KiSystemServiceCopyEnd+0x13

1: kd> !irql
Debugger saved IRQL for processor 0x1 -- 1 (APC_LEVEL)

1: kd> !apc
*** Enumerating APCs in all processes
  Message 2 of 5  
02 Oct 17 13:39
Scott Noone
xxxxxx@osr.com
Join Date: 10 Jul 2002
Posts To This List: 953
List Moderator
INVALID_PROCESS_ATTACH_ATTEMPT

Are you 100% certain that all calls to KeStackAttachProcess are paired with calls to KeUnstackDetachProcess? From the bugcheck description:

"this bug check could occur if KeAttachProcess was called when the thread was already attached to a process (which is illegal), or if the thread returned from certain function calls in an attached state (which is invalid),"

As far as the args, did you try just running !process on them?

-scott
OSR
@OSRDrivers
  Message 3 of 5  
02 Oct 17 14:08
John
xxxxxx@gmail.com
Join Date: 10 May 2014
Posts To This List: 35
INVALID_PROCESS_ATTACH_ATTEMPT

<Quote>Are you 100% certain that all calls to KeStackAttachProcess are paired with calls to KeUnstackDetachProcess?</Quote>

In my driver, yes. I'm simply doing an ObOpenObjectByPointer in between Attach/Detach.

<Quote>did you try just running !process on them</Quote>

Ran !process on Arg2. Turns out Arg2 is just the EPROCESS of the process that caused the crash. Arg1 looks bogus.
  Message 4 of 5  
02 Oct 17 14:27
Scott Noone
xxxxxx@osr.com
Join Date: 10 Jul 2002
Posts To This List: 953
List Moderator
INVALID_PROCESS_ATTACH_ATTEMPT

OK, that takes care of the easy answer then.

Looking more closely at the args, Arg1 is Arg2 with the low 32-bits cleared:

Arg1: ffffd20300000000
Arg2: ffffd203d0aa7640

Sounds like another manifestation of the problem you were having previously:

http://www.osronline.com/showThread.CFM?link=285110

Did you ever get anywhere on that case?

-scott
OSR
@OSRDrivers
  Message 5 of 5  
02 Oct 17 15:22
John
xxxxxx@gmail.com
Join Date: 10 May 2014
Posts To This List: 35
INVALID_PROCESS_ATTACH_ATTEMPT

I noticed the low 32-bit clearing as well and recognized the similarities with the other crash I was fighting. Unfortunately never figured that one out as I couldn't reproduce and no one else running the software seemed to experience the problem. I'm thinking my next move is to programmatically enable verifier on the customer's system hoping that it can catch the apparent overwrite at an earlier point.
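
Added example, not part of any post in this thread and not code from OSR or the poster: a small user-mode C helper that turns the observation in messages 4 and 5 (Arg1 is Arg2 with the low 32 bits cleared) into a repeatable triage check, reporting the smallest naturally aligned store that explains a damaged pointer. The names classify_overwrite and overwrite_t are hypothetical; the two sample values are Arg1 and Arg2 from the dump above.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical triage helper (not from the thread). Describes how an
 * observed 8-byte value differs from the value it should have held. */
typedef struct {
    int offset;   /* byte offset of the damaged span, -1 if values match   */
    int width;    /* bytes in the smallest aligned store covering the span */
    int all_zero; /* 1 if every byte of that span is zero in 'observed'    */
} overwrite_t;

/* Find the smallest naturally aligned 1/2/4/8-byte store that covers every
 * differing byte. Bytes the stray store wrote that happen to equal the
 * original are invisible, so 'width' is a lower bound. */
overwrite_t classify_overwrite(uint64_t expected, uint64_t observed)
{
    overwrite_t r = { -1, 0, 0 };
    uint64_t diff = expected ^ observed;
    if (diff == 0)
        return r;

    int lo = 0, hi = 7;
    while (((diff >> (8 * lo)) & 0xff) == 0) lo++;  /* lowest differing byte  */
    while (((diff >> (8 * hi)) & 0xff) == 0) hi--;  /* highest differing byte */

    for (int w = 1; w <= 8; w *= 2) {
        int start = lo & ~(w - 1);                  /* align down to w */
        if (hi < start + w) {
            uint64_t mask = (w == 8) ? UINT64_MAX : ((1ULL << (8 * w)) - 1);
            r.offset = start;
            r.width = w;
            r.all_zero = ((observed >> (8 * start)) & mask) == 0;
            return r;
        }
    }
    return r; /* not reached: w == 8 always covers bytes 0..7 */
}

int main(void)
{
    /* Arg1 (damaged) and Arg2 (EPROCESS) exactly as quoted in the thread. */
    uint64_t arg1 = 0xffffd20300000000ULL, arg2 = 0xffffd203d0aa7640ULL;
    overwrite_t r = classify_overwrite(arg2, arg1);
    printf("offset=%d width=%d zeroed=%d\n", r.offset, r.width, r.all_zero);
    return 0;
}
```

For the values in this dump the helper reports a zeroed 4-byte span at offset 0, which is the shape of a 32-bit store of zero landing on the low half of a saved pointer.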
All times are GMT -5.