INVALID_PROCESS_ATTACH_ATTEMPT

I got a crash dump from a system running one of my drivers. It’s a minifilter that does use SFOs in some cases. The customer said this crash occurs infrequently on startup, and although my software has been installed for many months, this apparently only started occurring semi-recently. Most of the documentation on INVALID_PROCESS_ATTACH_ATTEMPT states an issue with KeAttachProcess, but that’s been deprecated and is not used in my driver; however, I do use KeStackAttachProcess. I’m not sure how to interpret Arg1 and Arg2, as they are “pointers to the dispatcher object of the process.” A “!stacks 2 mydriver” command shows only one thread, but it’s in a different process than the one that caused the crash.

Based on what I see, I don’t believe I’m the culprit, but is there anything else I can check that can help confirm that?

1: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

INVALID_PROCESS_ATTACH_ATTEMPT (5)
Arguments:
Arg1: ffffd20300000000
Arg2: ffffd203d0aa7640
Arg3: 0000000000000000
Arg4: 0000000000000000

Debugging Details:

DUMP_CLASS: 1

DUMP_QUALIFIER: 402

BUILD_VERSION_STRING: 15063.0.amd64fre.rs2_release.170317-1834

SYSTEM_MANUFACTURER: Dell Inc.

SYSTEM_PRODUCT_NAME: Dell System XPS L502X

SYSTEM_SKU: System SKUNumber

BIOS_VENDOR: Dell Inc.

BIOS_VERSION: A12

BIOS_DATE: 09/07/2012

BASEBOARD_MANUFACTURER: Dell Inc.

BASEBOARD_PRODUCT: 0NJT03

BASEBOARD_VERSION: A00

DUMP_TYPE: 0

BUGCHECK_P1: ffffd20300000000

BUGCHECK_P2: ffffd203d0aa7640

BUGCHECK_P3: 0

BUGCHECK_P4: 0

CPU_COUNT: 8

CPU_MHZ: 7cb

CPU_VENDOR: GenuineIntel

CPU_FAMILY: 6

CPU_MODEL: 2a

CPU_STEPPING: 7

CPU_MICROCODE: 6,2a,7,0 (F,M,S,R) SIG: 29'00000000 (cache) 29'00000000 (init)

DEFAULT_BUCKET_ID: WIN8_DRIVER_FAULT

BUGCHECK_STR: 0x5

PROCESS_NAME: ClipRenew.exe

CURRENT_IRQL: 1

LAST_CONTROL_TRANSFER: from fffff800fd395617 to fffff800fd385580

STACK_TEXT:
ffffa3007690f338 fffff800fd395617 : 0000000000000005 ffffd20300000000 ffffd203d0aa7640 0000000000000000 : nt!KeBugCheckEx
ffffa3007690f340 fffff800fd250225 : ffffd203d0389420 0000000000000000 ffffd20300000000 fffff800fd27bf8d : nt!KiDeliverApc+0x146ea7
ffffa3007690f3d0 fffff800fd3050d7 : ffffd203d06340f0 0000000000000000 ffffd203d0389420 ffffd203d0634010 : nt!KiCheckForKernelApcDelivery+0x25
ffffa3007690f400 fffff803e72d49cc : ffffa3007690f4e9 ffffd20300000000 ffffd20300000000 ffffd203d0634010 : nt!KeLeaveGuardedRegion+0x37
ffffa3007690f430 fffff803e72d46ec : ffffa3007690f620 0000000000000000 ffffd203d0aa7600 ffffd203cedaf212 : FLTMGR!FltpPerformPreCallbacks+0x16c
ffffa3007690f550 fffff803e72d36d8 : ffffd203cedaf2b0 ffffa3007690f620 ffffd203cedaf2b0 ffffa3007690f630 : FLTMGR!FltpPassThroughInternal+0x8c
ffffa3007690f580 fffff803e72d34be : fffffffffffe7960 ffffd203cd5ce7f0 0000000000000000 0000000000000000 : FLTMGR!FltpPassThrough+0x168
ffffa3007690f600 fffff800fd6ac7cf : ffffd203d0aa8360 0000000000000000 0000000000000000 ffffa3007690f6b0 : FLTMGR!FltpDispatch+0x9e
ffffa3007690f660 fffff800fd6bbde8 : 0000000000007fff ffffd203ca34bb00 0000000000000000 ffffd203d0aa8340 : nt!IopCloseFile+0x14f
ffffa3007690f6f0 fffff800fd743c45 : 0000000000000000 ffffd203d087b928 0000000000000001 ffffffffffffffff : nt!ObCloseHandleTableEntry+0x228
ffffa3007690f830 fffff800fd63fa89 : ffffd203d0aa7640 ffffd203d0aa5700 ffffd203d0aa7640 0000000000040001 : nt!ExSweepHandleTable+0xc5
ffffa3007690f8e0 fffff800fd6e24f7 : 0000000000040000 0000000000000000 0000000000000000 fffff800fd6e9786 : nt!ObKillProcess+0x35
ffffa3007690f910 fffff800fd653641 : ffffd203d0aa7640 ffff880716e69060 ffffd203d0aa7640 0000000000000000 : nt!PspRundownSingleProcess+0x117
ffffa3007690f990 fffff800fd712f59 : 0000000000000000 ffffd203d0aa7601 0000008c635d8000 ffffd203d0aa5700 : nt!PspExitThread+0x57d
ffffa3007690fa90 fffff800fd390413 : ffffd203d0aa7640 ffffd203d0aa5700 ffffa3007690fb80 000001d7679f0730 : nt!NtTerminateProcess+0xe9
ffffa3007690fb00 00007ffdc3cf5924 : 00007ffdc3c9d2ff 0000000000000000 000001d7679f0730 000001d7679f0728 : nt!KiSystemServiceCopyEnd+0x13
0000008c6367fa68 00007ffdc3c9d2ff : 0000000000000000 000001d7679f0730 000001d7679f0728 000001d7679f0730 : ntdll!NtTerminateProcess+0x14
0000008c6367fa70 00007ffdc3bbc0da : 0000000000000000 0000000000000000 000001d7679f0730 00007ffdc3cc0da7 : ntdll!RtlExitUserProcess+0xbf
0000008c6367faa0 00007ffdc11fa045 : 00007ff7be3eb9c0 0000000000000000 0000000000000000 000001d7679f0740 : KERNEL32!ExitProcessImplementation+0xa
0000008c6367fad0 00007ffdc11fa68d : 000001d7679f0728 00007ff7a4f1e6b9 000001d767a41a50 0000000000000000 : msvcrt!_crtExitProcess+0x15
0000008c6367fb00 00007ff7be3eaf90 : 0000000000000001 0000000000000000 0000000000000000 0000000000000000 : msvcrt!unlockexit+0x1d1
0000008c6367fb70 00007ffdc3bb2774 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : ClipRenew!__wmainCRTStartup+0x164
0000008c6367fbb0 00007ffdc3cc0d51 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : KERNEL32!BaseThreadInitThunk+0x14
0000008c6367fbe0 0000000000000000 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : ntdll!RtlUserThreadStart+0x21

1: kd> !thread -1
THREAD ffffd203d0aa5700 Cid 0b6c.0b70 Teb: 0000000000000000 Win32Thread: 0000000000000000 RUNNING on processor 1
IRP List:
ffffd203cedaf2b0: (0006,0598) Flags: 00000404 Mdl: 00000000
Not impersonating
DeviceMap ffff88070b0145a0
Owning Process ffffd203d0aa7640 Image: ClipRenew.exe
Attached Process N/A Image: N/A
Wait Start TickCount 3234 Ticks: 0
Context Switch Count 69 IdealProcessor: 1
UserTime 00:00:00.000
KernelTime 00:00:00.000
Win32 Start Address ClipRenew!wmainCRTStartup (0x00007ff7be3eaff0)
Stack Init ffffa3007690fc90 Current ffffa3007690edf0
Base ffffa30076910000 Limit ffffa3007690a000 Call 0
Priority 7 BasePriority 6 UnusualBoost 0 ForegroundBoost 0 IoPriority 1 PagePriority 2

1: kd> !irp ffffd203cedaf2b0
Irp is active with 16 stacks 16 is current (= 0xffffd203cedaf7b8)
No Mdl: No System Buffer: Thread ffffd203d0aa5700: Irp stack trace.
cmd flg cl Device File Completion-Context

[IRP_MJ_CLEANUP(12), N/A(0)]
0 1 ffffd203cd5ce7f0 ffffd203d0aa8360 00000000-00000000 pending
\FileSystem\FltMgr
Args: 00000000 00000000 00000000 00000000

1: kd> !stacks 2 mydriver

[ffffd203d0b44080 svchost.exe]
c04.000c3c ffffd203d0b61080 fffff35e RUNNING nt!FsRtlFindExtraCreateParameter+0x38
NTFS!NtfsCommonCreate+0x2ef5
NTFS!NtfsCommonCreateCallout+0x1d
nt!KxSwitchKernelStackCallout+0x27
nt!KiSwitchKernelStackContinue
nt!KiExpandKernelStackAndCalloutOnStackSegment+0x12c
nt!KiExpandKernelStackAndCalloutSwitchStack+0x9e
nt!KeExpandKernelStackAndCalloutInternal+0x2f
NTFS!NtfsFsdCreate+0x1cb
FLTMGR!FltpLegacyProcessingAfterPreCallbacksCompleted+0x18d
FLTMGR!FltpCreate+0x2eb
nt!IopParseDevice+0x815
nt!ObpLookupObjectName+0x46b
nt!ObOpenObjectByNameEx+0x1e0
nt!IopCreateFile+0x3aa
nt!IoCreateFileEx+0x124
FLTMGR!FltpExpandFilePathWorker+0x2b9
FLTMGR!FltpExpandFilePath+0x1a
FLTMGR!FltpGetNormalizedFileNameWorker+0x117
FLTMGR!FltpGetNormalizedFileName+0x1a
FLTMGR!FltpCreateFileNameInformation+0x32d
FLTMGR!HandleStreamListNotSupported+0x115
FLTMGR!FltpGetFileNameInformation+0x623
FLTMGR!FltGetFileNameInformation+0x1ba
mydriver+0x17c05
FLTMGR!FltpCallOpenedFileNameHandler+0x70
FLTMGR!FltpGetNormalizedFileNameWorker+0x2f
FLTMGR!FltpGetNormalizedFileName+0x1a
FLTMGR!FltpCreateFileNameInformation+0x32d
FLTMGR!HandleStreamListNotSupported+0x115
FLTMGR!FltpGetFileNameInformation+0x623
FLTMGR!FltGetFileNameInformation+0x1ba
MbamChameleon+0x16e3
MbamChameleon+0x2a543
FLTMGR!FltpPerformPreCallbacks+0x2ec
FLTMGR!FltpPassThroughInternal+0x8c
FLTMGR!FltpCreate+0x2d7
nt!IopParseDevice+0x815
nt!ObpLookupObjectName+0x46b
nt!ObOpenObjectByNameEx+0x1e0
nt!IopCreateFile+0x3aa
nt!IoCreateFileEx+0x124
nt!IopOpenLinkOrRenameTarget+0x166
nt!NtSetInformationFile+0x9c3
nt!KiSystemServiceCopyEnd+0x13

1: kd> !irql
Debugger saved IRQL for processor 0x1 -- 1 (APC_LEVEL)
1: kd> !apc
*** Enumerating APCs in all processes
Process ffffd203ca2b4040 System
Thread ffffd203ca29a680 Thread ffffd203ca3125c0
Thread ffffd203cd878040 Thread
Process ffffd203cf239080 csrss.exe
Thread ffffd203cd707080 Thread ffffd203cd705080
Process ffffd203cfef0080 csrss.exe
Thread ffffd203cfeed300 Thread ffffd203cfeeb080
Thread ffffd203cff45080 Thread ffffd203cff43480
Thread ffffd203cff38080 Thread ffffd203cff37700
Thread ffffd203cffc2080 Thread ffffd203cff86080
Thread ffffd203cff8b080 Thread ffffd203cdc60080
Thread ffffd203cf77c080 Thread ffffd203cf72a4c0
Thread ffffd203cf76b080 Thread ffffd203cff25580
Thread ffffd203cf76a080 Thread ffffd203cff1f080
Thread ffffd203cf7b5080 Thread ffffd203cf7b3080
Thread ffffd203cf79a080 Thread ffffd203cff19080
Thread ffffd203d0210080 Thread ffffd203d0269080
Thread ffffd203d0225080 Thread ffffd203d02a5080
Thread ffffd203d0229080 Thread ffffd203d0291700
Thread ffffd203d02ac080 Thread ffffd203d0245080
Thread ffffd203d02ec080 Thread ffffd203d02e8080
Thread ffffd203d02df080 Thread ffffd203d02d1080
Thread ffffd203d0337080 Thread ffffd203d0333380
Thread ffffd203d02ce080 Thread ffffd203d03fd080
Thread ffffd203ca2a2700 Thread ffffd203d034e080
Thread ffffd203d0343080 Thread ffffd203d033c080
Thread ffffd203d0340080 Thread ffffd203d0339340
Thread ffffd203d0355500 Thread ffffd203d0391080
Thread ffffd203d023a080 Thread ffffd203d0236080
Thread ffffd203d0504700 Thread ffffd203d060b080
Thread ffffd203d053d080 Thread ffffd203d0547080
Thread ffffd203cdc53080 Thread ffffd203d059a080
Thread ffffd203d0596080 Thread ffffd203d05a6700
Thread ffffd203d05d5080 Thread ffffd203d05b7080
Thread ffffd203d05d4080 Thread ffffd203d05e9600
Thread ffffd203d0605080 Thread ffffd203d0673080
Thread ffffd203d085a080 Thread ffffd203d0630080
Thread ffffd203d0858080 Thread ffffd203d062b480
Thread ffffd203d08555c0 Thread ffffd203d087f080
Thread ffffd203d088a440 Thread ffffd203d08d9080
Thread ffffd203d0902080 Thread ffffd203d08f8080
Thread ffffd203d09e3080 Thread ffffd203d09de080
Thread ffffd203d09d3080 Thread ffffd203d0625080
Thread ffffd203d092a700 Thread ffffd203d0928080
Thread ffffd203d0984700 Thread ffffd203d095a080
Thread ffffd203d098d080 Thread ffffd203d0a09080
Thread ffffd203d09c0080 Thread ffffd203d0a3f080
Thread ffffd203d09ec080 Thread ffffd203d0a0f080
Thread ffffd203d09eb080 Thread ffffd203d0a0b080
Thread ffffd203d0990080 Thread ffffd203d0a0d080
Thread ffffd203d0aa5700
Process ffffd203d0abf640 svchost.exe
Thread ffffd203d0aba080 Thread ffffd203d0acd080
Thread ffffd203d0aaf080 Thread ffffd203d0ac8080
Thread ffffd203d0ae3080 Thread ffffd203d0aca080
Thread ffffd203d0aee080 Thread ffffd203d0ae9080
Thread ffffd203d0b46080 Thread ffffd203d0b74080
Thread ffffd203d0b42080 Thread ffffd203d0b72080

Are you 100% certain that all calls to KeStackAttachProcess are paired with
calls to KeUnstackDetachProcess? From the bugcheck description:

“this bug check could occur if KeAttachProcess was called when the thread
was already attached to a process (which is illegal), or if the thread
returned from certain function calls in an attached state (which is
invalid),”

As far as the args, did you try just running !process on them?

-scott
OSR
@OSRDrivers
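Scott's question above is about the exit paths of whatever routine does the attach: the common way a "paired" attach ends up unpaired is an early return on an error path between the two calls. The following is an added example, not code from the thread, from the poster's driver, or from OSR: a user-mode model of the KeStackAttachProcess / KeUnstackDetachProcess bracket that can be compiled and run anywhere. Everything in it is invented for the model: ModelStackAttach, ModelUnstackDetach, MODEL_THREAD and MODEL_APC_STATE stand in for the kernel routines and the caller-supplied KAPC_STATE, an integer attach depth stands in for the thread APC-state bookkeeping the kernel actually keeps, ModelOpenObjectByPointer stands in for ObOpenObjectByPointer with a failure switch, and g_target / g_outer stand in for PEPROCESS values. OpenInProcess_EarlyReturn and OpenInProcess_Paired are the two shapes of the routine being compared.

```c
/* Added example, not code from the thread, the poster's driver or OSR: a
 * user-mode model of the KeStackAttachProcess / KeUnstackDetachProcess
 * bracket. All names are invented for the model; an attach depth stands in
 * for the kernel's APC-state bookkeeping. Build: cc -std=c99 -Wall model.c */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef int32_t NTSTATUS;
#define STATUS_SUCCESS              ((NTSTATUS)0x00000000)
#define STATUS_OBJECT_TYPE_MISMATCH ((NTSTATUS)0xC0000024)
#define NT_SUCCESS(s)               ((s) >= 0)

typedef struct {
    const void *current_process;  /* address space the thread is attached to */
    int         attach_depth;     /* 0 = not attached, >0 = attached (stacked) */
} MODEL_THREAD;
typedef struct { const void *saved_process; } MODEL_APC_STATE; /* like KAPC_STATE */

static MODEL_THREAD g_thread;     /* the model's "current thread" */
static int g_target, g_outer;     /* stand-ins for two PEPROCESS values */

static void ModelStackAttach(const void *process, MODEL_APC_STATE *apc)
{
    apc->saved_process = g_thread.current_process;  /* push the old state */
    g_thread.current_process = process;
    g_thread.attach_depth++;
}

static void ModelUnstackDetach(MODEL_APC_STATE *apc)
{
    g_thread.current_process = apc->saved_process;  /* pop it back */
    g_thread.attach_depth--;
}

static NTSTATUS ModelOpenObjectByPointer(bool inject_failure, void **handle)
{
    static int dummy_object;      /* the model has no handle table */
    if (inject_failure) { *handle = NULL; return STATUS_OBJECT_TYPE_MISMATCH; }
    *handle = &dummy_object;
    return STATUS_SUCCESS;
}

/* Pattern A: early return on failure. Reads as paired, but the error path
 * returns with the thread still attached: the "returned from certain
 * function calls in an attached state" case in the bugcheck description. */
static NTSTATUS OpenInProcess_EarlyReturn(const void *proc, bool fail, void **h)
{
    MODEL_APC_STATE apc;
    NTSTATUS status;
    ModelStackAttach(proc, &apc);
    status = ModelOpenObjectByPointer(fail, h);
    if (!NT_SUCCESS(status))
        return status;            /* BUG: detach skipped on this path */
    ModelUnstackDetach(&apc);
    return status;
}

/* Pattern B: one exit; the bracket never depends on the inner call's result. */
static NTSTATUS OpenInProcess_Paired(const void *proc, bool fail, void **h)
{
    MODEL_APC_STATE apc;
    NTSTATUS status;
    ModelStackAttach(proc, &apc);
    status = ModelOpenObjectByPointer(fail, h);
    ModelUnstackDetach(&apc);
    return status;
}

typedef NTSTATUS (*OPEN_FN)(const void *, bool, void **);

/* Run fn from an unattached thread; a correct routine leaves depth 0. */
static int LeftoverAttachDepth(OPEN_FN fn, bool fail)
{
    void *h = NULL;
    g_thread.current_process = NULL;
    g_thread.attach_depth = 0;
    (void)fn(&g_target, fail, &h);
    return g_thread.attach_depth;
}

/* Run fn while already attached to g_outer (the "stack" case); a correct
 * routine leaves depth 1 with g_outer still the current process. */
static bool NestedCallRestoresOuter(OPEN_FN fn, bool fail)
{
    MODEL_APC_STATE outer;
    void *h = NULL;
    g_thread.current_process = NULL;
    g_thread.attach_depth = 0;
    ModelStackAttach(&g_outer, &outer);
    (void)fn(&g_target, fail, &h);
    bool ok = g_thread.attach_depth == 1 && g_thread.current_process == &g_outer;
    ModelUnstackDetach(&outer);
    return ok;
}

int main(void)
{
    printf("early-return: depth %d after failure, %d after success, nested ok %d\n",
           LeftoverAttachDepth(OpenInProcess_EarlyReturn, true),
           LeftoverAttachDepth(OpenInProcess_EarlyReturn, false),
           NestedCallRestoresOuter(OpenInProcess_EarlyReturn, true));
    printf("paired:       depth %d after failure, %d after success, nested ok %d\n",
           LeftoverAttachDepth(OpenInProcess_Paired, true),
           LeftoverAttachDepth(OpenInProcess_Paired, false),
           NestedCallRestoresOuter(OpenInProcess_Paired, true));
    return 0;
}
```

The point of the model is the shape of pattern B: the detach is unconditional and the status of the call made while attached is carried out of the bracket rather than tested inside it. The nested case matters because KeStackAttachProcess is allowed when the thread is already attached (it saves the current state in the caller's KAPC_STATE and KeUnstackDetachProcess restores it), so a leaked attach in a nested routine leaves the outer caller attached to the wrong process rather than failing immediately.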

[quote] Are you 100% certain that all calls to KeStackAttachProcess are paired with
calls to KeUnstackDetachProcess? [/quote]

In my driver, yes. I’m simply doing an ObOpenObjectByPointer in between Attach/Detach.

Ran !process on Arg2. Turns out Arg2 is just the EPROCESS of the process that caused the crash. Arg1 looks bogus.

OK, that takes care of the easy answer then.

Looking more closely at the args, Arg1 is Arg2 with the low 32 bits cleared:

Arg1: ffffd20300000000
Arg2: ffffd203d0aa7640

Sounds like another manifestation of the problem you were having previously:

http://www.osronline.com/showThread.CFM?link=285110

Did you ever get anywhere on that case?

-scott
OSR
@OSRDrivers

I noticed the low-32-bit clearing as well and recognized the similarities with the other crash I was fighting. Unfortunately, I never figured that one out, as I couldn’t reproduce it and no one else running the software seemed to experience the problem.

I’m thinking my next move is to programmatically enable verifier on the customer’s system, hoping that it can catch the apparent overwrite at an earlier point.