FltSendMessage usage

I have modified the scanner code to include a registry callback function. There I am intercepting RegNtPreCreateKey and RegNtPreOpenKey and sending the registry path (CompleteName of the PREG_PRE_CREATE_KEY_INFORMATION structure) through FltSendMessage. In user mode I am printing the path with notification->Contents.
Now the problem is that the system hangs on some particular key paths such as \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Compatibility32. I modified the code to include a timeout in FltSendMessage; now the system does not hang, but those key paths are skipped for sending to user mode, and the system doesn't hang this way.

Anybody having any idea why those key paths are not being sent to user mode?

Thanks in Advance.

> Now the problem is that system hangs

The talk about “system hangs” starts with the stack investigation.

Use “!process 0 7” (runs a lot, 20 minutes or so) to print the stacks of all threads. Then find the offending ones (deep and not idle).


Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com

I found in the DDK and in the guest article Introduction to Registry Filtering in Vista (Part I) {http://www.osronline.com/article.cfm?article=517 } that Arg2 (

PREG_PRE_CREATE_KEY_INFORMATION pCrKey = (PREG_PRE_CREATE_KEY_INFORMATION) Arg2;

) should be accessed inside a try/except block since it can be a user-space pointer…
And in my case I am getting the key path from this same argument.

Can anybody shed light on what kind of exception I should handle while accessing the buffers pointed to by this Arg2?
I forgot to mention that I am doing this on Win XP.

I would do a general catch-all try/except just around the data capturing. You could get several exceptions; an AV or an in-page error, to name the most likely.

(Generally, catch-alls are to be used cautiously and finely-scoped, btw.)

- S
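The try/except S describes only covers the faults that touching the pointer can raise. It does not cover a CompleteName whose Length is wrong or larger than the message buffer: CompleteName is a UNICODE_STRING, counted in bytes and not NUL-terminated, so copying it straight into the FltSendMessage payload and printing notification->Contents as a string is exactly where an overrun or a garbage tail comes from. The following is an added example, not code from the thread or from the WDK scanner sample: a portable C mirror of the capture step with the length checks, truncation and termination that belong inside the try block. The struct mirror, the function names and the sample paths are this example's own assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Portable mirror of the kernel UNICODE_STRING: Length and MaximumLength are
 * byte counts, Buffer is UTF-16 and is NOT guaranteed to be NUL-terminated. */
typedef struct {
    uint16_t  Length;
    uint16_t  MaximumLength;
    uint16_t *Buffer;
} unicode_string_t;

#define CAPTURE_BAD_ARG (-1)   /* header inconsistent: don't touch the buffer at all */

/* Copy name->Buffer into out[] (capacity out_chars, terminator included),
 * truncating when needed and always NUL-terminating. Returns the number of
 * UTF-16 units stored, excluding the terminator, or CAPTURE_BAD_ARG.
 * In the CmRegisterCallback handler this call sits inside __try/__except
 * because the structure and its buffer may be user-mode memory; the checks
 * below cover what SEH cannot: a header whose lengths lie. */
static int capture_key_path(const unicode_string_t *name, uint16_t *out, size_t out_chars)
{
    if (name == NULL || out == NULL || out_chars == 0)
        return CAPTURE_BAD_ARG;
    if (name->Length > name->MaximumLength || (name->Length & 1) != 0)
        return CAPTURE_BAD_ARG;               /* not a valid UTF-16 byte count */
    if (name->Length != 0 && name->Buffer == NULL)
        return CAPTURE_BAD_ARG;

    size_t chars = name->Length / 2;
    if (chars > out_chars - 1)
        chars = out_chars - 1;                /* truncate instead of overrunning the message */
    if (chars != 0)
        memcpy(out, name->Buffer, chars * sizeof(uint16_t));
    out[chars] = 0;
    return (int)chars;
}

/* Test helper (constructed input): build a UTF-16 string from ASCII. */
static unicode_string_t make_name(const char *ascii, uint16_t *storage, size_t cap)
{
    unicode_string_t s;
    size_t n = strlen(ascii);
    if (n > cap) n = cap;
    for (size_t i = 0; i < n; i++)
        storage[i] = (uint16_t)(unsigned char)ascii[i];
    s.Length = (uint16_t)(n * 2);
    s.MaximumLength = (uint16_t)(cap * 2);
    s.Buffer = storage;
    return s;
}

/* Compare a captured UTF-16 path against an ASCII expectation. */
static int key_path_equals(const uint16_t *s, const char *ascii)
{
    for (; *ascii != '\0'; ascii++, s++)
        if (*s != (uint16_t)(unsigned char)*ascii)
            return 0;
    return *s == 0;
}

/* Capture `ascii` into a message slot of out_chars units; 1 if the result equals `expect`. */
static int check_capture(const char *ascii, size_t out_chars, const char *expect)
{
    uint16_t storage[256], out[256];
    unicode_string_t name = make_name(ascii, storage, 256);
    int n = capture_key_path(&name, out, out_chars);
    return n >= 0 && (size_t)n == strlen(expect) && key_path_equals(out, expect);
}

/* 1 if every malformed header is rejected without touching out[]. */
static int bad_headers_rejected(void)
{
    uint16_t storage[8], out[8] = { 0xBEEF };
    unicode_string_t name = make_name("abc", storage, 8);
    name.Length = 7;                      /* odd byte count */
    if (capture_key_path(&name, out, 8) != CAPTURE_BAD_ARG) return 0;
    name = make_name("abc", storage, 8);
    name.Length = name.MaximumLength + 2; /* Length past the allocation */
    if (capture_key_path(&name, out, 8) != CAPTURE_BAD_ARG) return 0;
    name = make_name("abc", storage, 8);
    name.Buffer = NULL;                   /* non-empty string with no buffer */
    if (capture_key_path(&name, out, 8) != CAPTURE_BAD_ARG) return 0;
    if (capture_key_path(NULL, out, 8) != CAPTURE_BAD_ARG) return 0;
    return out[0] == 0xBEEF;              /* still untouched */
}

int main(void)
{
    const char *path = "\\Registry\\Machine\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Compatibility32";
    uint16_t storage[128], out[32];       /* a message slot smaller than the path */
    unicode_string_t name = make_name(path, storage, 128);
    int n = capture_key_path(&name, out, 32);
    printf("stored %d units: ", n);
    for (int i = 0; out[i] != 0; i++) putchar((char)out[i]);
    printf("\nmalformed headers rejected: %d\n", bad_headers_rejected());
    return 0;
}
```

The message buffer the user-mode side prints from should be sized from the same constant as out_chars here, and the user-mode code should still treat Contents as a counted buffer rather than trusting a terminator that a buggy driver might not have written.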

-----Original Message-----
From: xxxxx@gmail.com
Sent: Wednesday, January 07, 2009 05:02
To: Windows File Systems Devs Interest List
Subject: RE:[ntfsd] FltSendMessage usage


Please provide call stacks of the hanging case as Maxim requested. Some generally useful commands in deadlock situations are:

!stacks
!locks
!analyze -hang

- S

-----Original Message-----
From: xxxxx@gmail.com
Sent: Wednesday, January 07, 2009 01:24
To: Windows File Systems Devs Interest List
Subject: [ntfsd] FltSendMessage usage


Here is the output from !stacks, !locks & !analyze -hang

kd> !stacks
Proc.Thread .Thread Ticks ThreadState Blocker

Max cache size is : 1048576 bytes (0x400 KB)
Total memory in cache : 0 bytes (0 KB)
Number of regions cached: 0
0 full reads broken into 0 partial reads
counts: 0 cached/0 uncached, 0.00% cached
bytes : 0 cached/0 uncached, 0.00% cached
** Prototype PTEs are implicitly decoded
[82d58830 System]
4.000584 82a91da8 006016c Blocked MRxVPC+0x8c94
4.000588 82a91b30 006016c Blocked MRxVPC+0x8c94
4.00058c 82a918b8 006016c Blocked MRxVPC+0x8c94
4.000204 82a61da8 00020ae Blocked HTTP!UlpScavengerThread+0x5d

[82b6c880 smss.exe]

[82b7e020 csrss.exe]
200.000210 82b88578 0000bff Blocked nt!KiFastCallEntry+0xf8
200.000228 82c69430 00000da Blocked win32k!NtUserScrollDC+0x11
200.00023c 82b6a558 00000d2 Blocked win32k!TimersProc+0x10
200.000240 82b6a2e0 0000443 Blocked win32k!xxxMsgWaitForMultipleObjects+0xb0

[82c0d540 winlogon.exe]
218.000238 82c69920 0000555 Blocked nt!KiFastCallEntry+0xf8
218.000264 82b823f0 0000ae1 Blocked nt!KiFastCallEntry+0xf8
218.0006a8 82ba52a0 0000adb Blocked nt!KiFastCallEntry+0xf8

[82c05928 services.exe]
268.0002ac 82c40b30 0000aea Blocked nt!KiFastCallEntry+0xf8
268.00056c 82a41bb0 0000508 Blocked nt!KiFastCallEntry+0xf8
268.000654 82b6eb30 000029e Blocked nt!KiFastCallEntry+0xf8
268.0001d0 82b6e8b8 0000508 Blocked nt!KiFastCallEntry+0xf8

[82b7d450 lsass.exe]
274.000288 82c09da8 0000952 Blocked nt!KiFastCallEntry+0xf8
274.00028c 82c09b30 0000952 Blocked nt!KiFastCallEntry+0xf8
274.0002a4 82b87190 0000768 Blocked nt!KiFastCallEntry+0xf8
274.0002b8 82c40158 00000bc Blocked nt!KiFastCallEntry+0xf8
274.000664 82a7aaf0 0000031 Blocked nt!KiFastCallEntry+0xf8
274.000468 82ac3740 00000bc Blocked nt!KiFastCallEntry+0xf8

[82b143c0 svchost.exe]
310.0000d0 82a19b30 00006e7 Blocked nt!KiFastCallEntry+0xf8
310.000798 82a31020 00006e7 Blocked nt!KiFastCallEntry+0xf8
310.0007cc 82a4b3f0 00003fe Blocked nt!KiFastCallEntry+0xf8
310.000678 82a68aa8 00006e7 Blocked nt!KiFastCallEntry+0xf8

[82ae2320 svchost.exe]
340.000348 82ae2020 00002ab Blocked nt!KiFastCallEntry+0xf8
340.000350 82ae1da8 0000c46 Blocked nt!KiFastCallEntry+0xf8
340.0005e8 82aa9020 00000ee Blocked nt!KiFastCallEntry+0xf8
340.000768 82aab020 00000ed Blocked nt!KiFastCallEntry+0xf8

[82adc020 svchost.exe]
38c.00039c 82ad8650 00008f2 Blocked nt!KiFastCallEntry+0xf8
38c.000484 82ab3020 0000427 Blocked nt!KiFastCallEntry+0xf8
38c.0004ac 82aad838 00000bc Blocked nt!KiFastCallEntry+0xf8
38c.0004b8 82ab0020 00008b2 Blocked nt!KiFastCallEntry+0xf8
38c.0004c4 82ab0368 00008b0 Blocked nt!KiFastCallEntry+0xf8
38c.000500 82a9c788 0000367 Blocked nt!KiFastCallEntry+0xf8
38c.00050c 82a9bda8 000052e Blocked nt!KiFastCallEntry+0xf8
38c.0003a4 82a01da8 0000a32 Blocked nt!KiFastCallEntry+0xf8
38c.000618 82a13020 0000aea Blocked nt!KiFastCallEntry+0xf8
38c.000630 82c7e778 0000b00 Blocked nt!KiFastCallEntry+0xf8
38c.000644 82a928b8 0000024 Blocked nt!KiFastCallEntry+0xf8
38c.0002ec 82a92020 00000bc Blocked nt!KiFastCallEntry+0xf8
38c.000134 82b6e640 0000aea Blocked nt!KiFastCallEntry+0xf8
38c.0007c8 82adbda8 0000150 Blocked win32k!NtUserCallNoParam+0xc

[82ad6488 svchost.exe]

[82ac8020 svchost.exe]
410.00022c 82a61328 0000767 Blocked nt!KiFastCallEntry+0xf8

[82ab0858 spoolsv.exe]

[82a98638 vmsrvc.exe]
540.000558 82a94570 000046e Blocked nt!KiFastCallEntry+0xf8

[82a4e8b0 vpcmap.exe]
68c.0006c0 82a4c1e8 00000b9 Blocked nt!KiFastCallEntry+0xf8

[82a41928 explorer.exe]
720.000450 82ba5020 00000bc Blocked nt!KiFastCallEntry+0xf8
720.000670 82ac49c8 00000ba Blocked nt!KiFastCallEntry+0xf8
720.0001a8 82a0a020 00000ed Blocked nt!KiFastCallEntry+0xf8
720.0002fc 82abe070 00000bc Blocked nt!KiFastCallEntry+0xf8

[82a26b30 vmusrvc.exe]
7b0.000248 82bbd370 0000c70 Blocked nt!KiFastCallEntry+0xf8
7b0.0000f8 82aab900 00000ee Blocked nt!KiFastCallEntry+0xf8
7b0.000738 82a85b40 0000c6f Blocked nt!KiFastCallEntry+0xf8
7b0.00070c 82a44398 0000c70 Blocked nt!KiFastCallEntry+0xf8

[82a25aa0 ctfmon.exe]

[82a73b38 alg.exe]
10c.000128 82a6f958 00004a4 Blocked nt!KiFastCallEntry+0xf8

[82a659d0 wmiprvse.exe]

[82be9a60 cmd.exe]

[82a69490 sc.exe]

[82a7b020 prac.exe]

[82ac7da0 prac.exe]

[82a65110 prac.exe]

[82a76ca8 scanuser.exe]

[82a63cf8 prac.exe]

[82a2f020 sc.exe]

[82acd020 sc.exe]

[82c08cb0 prac.exe]

[82a19020 sc.exe]

[82a9a020 sc.exe]

[82a3e778 scanuser.exe]

[82a48020 WINWORD.EXE]

[82a19780 agentsvr.exe]

[82b14020 notepad.exe]

[82b68640 wordpad.exe]

[82a64020 scanuser.exe]

[82a6ebc0 WINWORD.EXE]

[82ac7020 notepad.exe]

[82a60da0 wordpad.exe]

[82ac7698 sc.exe]

[82a68828 sc.exe]

[82adbb28 scanuser.exe]
478.0005a4 82adb8b0 0000bfc Blocked nt!KiFastCallEntry+0xf8

[82ada020 WINWORD.EXE]
6b8.00067c 82adada8 0000bfc Blocked fltMgr!FltSendMessage+0x149

Threads Processed: 279

Max cache size is : 1048576 bytes (0x400 KB)
Total memory in cache : 0 bytes (0 KB)
Number of regions cached: 0
0 full reads broken into 0 partial reads
counts: 0 cached/0 uncached, 0.00% cached
bytes : 0 cached/0 uncached, 0.00% cached
** Transition PTEs are implicitly decoded
** Prototype PTEs are implicitly decoded
kd> !locks
**** DUMP OF ALL RESOURCE OBJECTS ****
KD: Scanning for held locks…

Resource @ 0x82bd3560 Exclusively owned
Contention Count = 71700
NumberOfExclusiveWaiters = 3
Threads: 82adada8-01<*>
Threads Waiting On Exclusive Access:
82adbda8 82c69430 82b6a558

KD: Scanning for held locks…

Resource @ 0x82b64040 Shared 1 owning threads
Threads: 82d553cb-01<*> *** Actual Thread 82d553c8
4032 total locks, 2 locks currently held
kd> !analyze -hang
Connected to Windows XP 2600 x86 compatible target, ptr64 FALSE
Loading Kernel Symbols

Loading User Symbols

Loading unloaded module list

*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 0, {0, 0, 0, 0}

Scanning for threads blocked on locks …
Probably caused by : scanner.sys ( scanner!AddToListReg+257 )

Followup: MachineOwner

kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

Unknown bugcheck code (0)
Unknown bugcheck description
Arguments:
Arg1: 00000000
Arg2: 00000000
Arg3: 00000000
Arg4: 00000000

Debugging Details:

PROCESS_NAME: Idle

FAULTING_IP:
nt!RtlpBreakWithStatusInstruction+0
804e3592 cc int 3

EXCEPTION_RECORD: ffffffff – (.exr 0xffffffffffffffff)
ExceptionAddress: 804e3592 (nt!RtlpBreakWithStatusInstruction)
ExceptionCode: 80000003 (Break instruction exception)
ExceptionFlags: 00000000
NumberParameters: 3
Parameter[0]: 00000000
Parameter[1]: 8055142c
Parameter[2]: 000003f8

ERROR_CODE: (NTSTATUS) 0x80000003 - {EXCEPTION} Breakpoint A breakpoint has been reached.

DEFAULT_BUCKET_ID: DRIVER_FAULT

BUGCHECK_STR: 0x0

STACK_TEXT:
8055034c 804e3324 00000001 00000002 00000030 nt!RtlpBreakWithStatusInstruction
8055034c 806f2742 00000001 00000002 00000030 nt!KeUpdateSystemTime+0x165
805503d0 804dbb37 00000000 0000000e 00000000 hal!HalProcessorIdle+0x2
805503d4 00000000 0000000e 00000000 00000000 nt!KiIdleLoop+0x10

STACK_COMMAND: kb

FOLLOWUP_IP:
nt!RtlpBreakWithStatusInstruction+0
804e3592 cc int 3

SYMBOL_STACK_INDEX: 0

SYMBOL_NAME: nt!RtlpBreakWithStatusInstruction+0

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: nt

IMAGE_NAME: ntoskrnl.exe

DEBUG_FLR_IMAGE_TIMESTAMP: 45e54711

BUCKET_ID: MANUAL_BREAKIN

Followup: MachineOwner

How are you calling FilterGetMessage, sync or async, and how have you modified
the original sample? The original scanuser sample spawns a number of
threads and for each thread it issues only a fixed number of
FilterGetMessage requests asynchronously; this does not look like your
model. You may either not have enough (sync) waiters or you may have run out
of pended (async) requests.

//Daniel

wrote in message news:xxxxx@ntfsd…
> Here is out put from !stacks, !locks & !analyze -hang
>
> kd> !stacks
> Proc.Thread .Thread Ticks ThreadState Blocker
>
> [82adbb28 scanuser.exe]
> 478.0005a4 82adb8b0 0000bfc Blocked nt!KiFastCallEntry+0xf8
>
> [82ada020 WINWORD.EXE]
> 6b8.00067c 82adada8 0000bfc Blocked fltMgr!FltSendMessage+0x149
>

Previously I tried with the unmodified scanuser code, printing the contents from the kernel with
notification->Contents in the ScannerWorker threads, i.e. async. Here the system hang happens just after printf( "Received message, size %d\n", pOvlp->InternalHigh );

Later, just to make things simpler, I made one single thread with sync I/O, i.e. removed the OVERLAPPED from SCANNER_MESSAGE. In this case the scanner works fine if I don't try to print notification->Contents or the received message size. But ultimately I have to get the registry path from here and print it on the console.

wrote in message news:xxxxx@ntfsd…
> Later just to make things simpler i made one single thread with sync I/O
> ie removed the OVERLAPPED from SCANNER_MESSAGE. In this case the scanner
> works fine if i don’t try to print the notification->Contents or received
> message size. But ultimately i have to get the Registry path from here and
> print it on console.
>

So this is an effort to serialize all registry operations, or at least all
paths from which you call FltSendMessage; this is never a good idea and can
easily cause lockups. Also, have you considered the obvious, that your
usermode app itself could cause these paths to be called into?

//Daniel
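Daniel's two points, a single synchronous waiter and a user-mode app that re-enters the very paths it services, can be reproduced outside the kernel. The following is an added example written for this page, not code from the scanner sample or from anyone in the thread: a single-slot mailbox plays the communication port, one worker thread plays the lone synchronous scanuser thread, and handling a message triggers another registry callback on that same thread, the way printing to the console can end up opening a registry key. Without a guard the nested send waits on the only thread that could answer it; with a timeout that surfaces as TIMED_OUT, and without one it is the hang in the !stacks output above, where the scanuser thread and the thread inside FltSendMessage are both blocked. The guard, skipping notifications raised by the process that services the port, is the same idea the scanner sample applies to its file callbacks to ignore its own user-mode process; here the process identity is modelled with pthread_equal. The timeouts, names, paths and the mailbox itself are assumptions of this model.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <pthread.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

enum { DELIVERED = 0, SKIPPED = 1, TIMED_OUT = 2 };

/* Single-slot mailbox standing in for the communication port: one user-mode
 * worker handles one message at a time (one thread, synchronous I/O). */
typedef struct {
    pthread_mutex_t lock;
    pthread_cond_t  cv;
    unsigned  seq;           /* id of the latest message handed to the worker */
    unsigned  done;          /* every message with id <= done has been handled */
    char      path[160];
    pthread_t worker;        /* stands in for the port's client process */
    int       worker_set;
    int       guard;         /* skip notifications raised by the worker itself */
    int       nested_result; /* what the worker's own re-entrant send returned */
    int       stop;
} port_t;

/* Kernel side: hand the path to user mode and block for the reply, bounded
 * like FltSendMessage called with a non-NULL Timeout. */
static int send_to_user(port_t *p, const char *path, int timeout_ms)
{
    struct timespec deadline;
    int rc = DELIVERED;
    clock_gettime(CLOCK_REALTIME, &deadline);
    deadline.tv_sec  += timeout_ms / 1000;
    deadline.tv_nsec += (long)(timeout_ms % 1000) * 1000000L;
    if (deadline.tv_nsec >= 1000000000L) { deadline.tv_sec++; deadline.tv_nsec -= 1000000000L; }
    pthread_mutex_lock(&p->lock);
    unsigned id = ++p->seq;
    snprintf(p->path, sizeof p->path, "%s", path);
    pthread_cond_broadcast(&p->cv);
    while (p->done < id)
        if (pthread_cond_timedwait(&p->cv, &p->lock, &deadline) == ETIMEDOUT) {
            rc = TIMED_OUT;  /* give up on it, as the timeout variant of the driver does */
            break;
        }
    pthread_mutex_unlock(&p->lock);
    return rc;
}

/* RegNtPreOpenKey/RegNtPreCreateKey handler in miniature. The guard is the
 * "is this our own user-mode process?" test, modelled with pthread_equal. */
static int registry_callback(port_t *p, const char *path)
{
    pthread_mutex_lock(&p->lock);
    int from_worker = p->worker_set && pthread_equal(pthread_self(), p->worker);
    pthread_mutex_unlock(&p->lock);
    if (p->guard && from_worker)
        return SKIPPED;
    return send_to_user(p, path, from_worker ? 200 : 5000); /* short timeout keeps the demo finite */
}

/* User side: the lone scanuser worker. Handling a message "touches the
 * registry", which re-enters the callback on this very thread. */
static void *user_worker(void *arg)
{
    port_t *p = arg;
    pthread_mutex_lock(&p->lock);
    p->worker = pthread_self();
    p->worker_set = 1;
    for (;;) {
        while (!p->stop && p->done == p->seq)
            pthread_cond_wait(&p->cv, &p->lock);
        if (p->stop) break;
        char path[160];
        snprintf(path, sizeof path, "%s", p->path);
        pthread_mutex_unlock(&p->lock);
        printf("user mode: %s\n", path);
        p->nested_result = registry_callback(p,
            "\\Registry\\Machine\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Compatibility32");
        pthread_mutex_lock(&p->lock);
        p->done = p->seq;  /* ack this one and drop any the sender already abandoned */
        pthread_cond_broadcast(&p->cv);
    }
    pthread_mutex_unlock(&p->lock);
    return NULL;
}

/* One delivery with the guard on or off: returns the outer send's result and
 * stores the re-entrant one in *nested. */
static int run_scenario(int guard, int *nested)
{
    port_t p;
    pthread_t t;
    memset(&p, 0, sizeof p);
    pthread_mutex_init(&p.lock, NULL);
    pthread_cond_init(&p.cv, NULL);
    p.guard = guard;
    pthread_create(&t, NULL, user_worker, &p);
    int rc = registry_callback(&p, "\\Registry\\Machine\\Software\\Example\\Key");
    pthread_mutex_lock(&p.lock);
    p.stop = 1;
    pthread_cond_broadcast(&p.cv);
    pthread_mutex_unlock(&p.lock);
    pthread_join(t, NULL);
    *nested = p.nested_result;
    pthread_mutex_destroy(&p.lock);
    pthread_cond_destroy(&p.cv);
    return rc;
}

static int outer_result_for(int guard)  { int n; return run_scenario(guard, &n); }
static int nested_result_for(int guard) { int n; run_scenario(guard, &n); return n; }

int main(void)
{
    printf("guard on : outer=%d nested=%d (1 = skipped)\n", outer_result_for(1), nested_result_for(1));
    printf("guard off: outer=%d nested=%d (2 = timed out; with no timeout this is the hang)\n",
           outer_result_for(0), nested_result_for(0));
    return 0;
}
```

Two things carry over to the real driver. First, a timeout only turns the deadlock into lost notifications, which is what the original post observed for Compatibility32; the fix is to not block a registry operation on a user-mode round trip that the same process may have to service. Second, the guard needs the port's client process identity captured at connect time (the scanner sample already records it) and compared against the process issuing the registry operation, so that the scanner's own registry activity is never forwarded.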

I removed the reply code from the original scanuser and the corresponding code from the driver. Now things are working fine. The system was actually hanging somewhere between notification = &message->Notification; and FilterReplyMessage (I don't know why). But now there is one new problem:

Sometimes GetQueuedCompletionStatus fails with ERROR_SUCCESS (i.e. the handle associated with the completion port is closed) in one of the ScannerWorker threads or in both threads.
Anybody have any clues why?