NtCreateSection

If you specify HANDLE to NtCreateSection for file which has
FSRTL_COMMON_FCB_HEADER instead of FSRTL_ADVANCED_FCB_HEADER header you’ll
get BSOD.The matter is that if SectionPageProtection is
PAGE_EXECUTE_READWRITE or PAGE_READWRITE the function will not check header
version and try to acquire the FastMutex which is absent.

I found it on Windows 8.1

I’m not doubting you, but I’d also check that you have set the version in the Common Header Correctly.

If you have access to the code it shouldn’t be hard to change to using a common header. After all the common header dates to over 15 years ago…

“Anatoly Mikhailov” wrote in message news:xxxxx@ntfsd…
If you specify HANDLE to NtCreateSection for file which has FSRTL_COMMON_FCB_HEADER instead of FSRTL_ADVANCED_FCB_HEADER header you’ll get BSOD.The matter is that if SectionPageProtection is PAGE_EXECUTE_READWRITE or PAGE_READWRITE the function will not check header version and try to acquire the FastMutex which is absent.

I found it on Windows 8.1

> I’d also check that you have set the version in the Common Header
Correctly
Version is zero. Also bit FSRTL_FLAG_ADVANCED_HEADER is cleared.

If you have access to the code it shouldn’t be hard to change to using a
common header. After all the common header dates to over 15 years ago…
I understand. I’m using advanced header by myself. I just consider this
behavior as buggy.

2015-01-29 13:19 GMT+03:00 Rod Widdowson :

> I’m not doubting you, but I’d also check that you have set the version
> in the Common Header Correctly.
>
> If you have access to the code it shouldn’t be hard to change to using a
> common header. After all the common header dates to over 15 years ago…
>
>
> “Anatoly Mikhailov” wrote in message
> news:xxxxx@ntfsd…
> If you specify HANDLE to NtCreateSection for file which has
> FSRTL_COMMON_FCB_HEADER instead of FSRTL_ADVANCED_FCB_HEADER header you’ll
> get BSOD.The matter is that if SectionPageProtection is
> PAGE_EXECUTE_READWRITE or PAGE_READWRITE the function will not check header
> version and try to acquire the FastMutex which is absent.
>
> I found it on Windows 8.1
>
> —
> NTFSD is sponsored by OSR
>
> OSR is hiring!! Info at http://www.osr.com/careers
>
> For our schedule of debugging and file system seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer
>