question on unclean shutdown events

Hi,

I am facing a problem that I have trouble debugging. I have a filter where
I have attached a FLT_FILE_CONTEXT to files in Post-IRP_MJ_CREATE. I
clean up the context in Pre-IRP_MJ_CLEANUP. I use verifier with 0xbfb flags.

The issue is that when I restart, I get the ‘Launch Startup Repair’ boot
menu. I am not able to figure out what’s going on. To debug this, since
there is no driver unload during Shutdown, I added a callback to
IRP_MJ_SHUTDOWN and saw that there were many contexts that I had created
(as expected).

Here are some facts:

  1. The filter unloads cleanly when I use ‘fltmc unload’ and there are no
    errors
  2. If I unload the filter and restart, there are no issues.
  3. If I choose ‘Start Windows Normally’ in the boot menu, there are no
    issues.
  4. I use driver verifier throughout and a debugger is attached throughout.
    There are no issues reported.
  5. When I remove driver-verifier and Windbg from the scenario the issue
    persists.

How can I determine what could be going on? Event Viewer mentions a
critical error with the following details.

Log Name: System
Source: Microsoft-Windows-Kernel-Power
Date: 10/23/2014 4:50:05 PM
Event ID: 41
Task Category: (63)
Level: Critical
Keywords: (2)
User: SYSTEM
Computer: ak-win7x64-test
Description:
The system has rebooted without cleanly shutting down first. This error
could be caused if the system stopped responding, crashed, or lost power
unexpectedly.

Thanks,

I suspect you have ruined the writes to bootstat.dat file by your filter.

“Arun M. Krishnakumar” wrote in message news:xxxxx@ntfsd…

Thanks Maxim, what you said was perfect!

On Thu, Oct 23, 2014 at 5:44 PM, Maxim S. Shatskih
wrote:

> I suspect you have ruined the writes to bootstat.dat file by your
> filter.