I have a client who has set up an DFS share and when he does a folder rename on this share, my mini-filter crashes. I can?t reproduce this here in the office and code looks right, at least to me. All the dumps point to the same location a FltGetDestinationFileNameInformation call.
According to the dump:
BugCheck 27, {baad00a3, b3ce7f44, b3ce7c40, b6a23a5f}
I?m getting a RDBSS_BUG_CHECK_NTEXECPT with a A3, which looks like STATUS_DEVICE_NOT_READY.
Talking with the customer, the DFS share is actually on another domain than the login domain and while that maybe causing some problems here, I?m more interested in how in the world to I catch this state before I attempt to get the rename information.
Am I even analyzing this dump correctly?
Thank you,
Gene
Here is the dump.
1: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
RDR_FILE_SYSTEM (27)
If you see RxExceptionFilter on the stack then the 2nd and 3rd parameters are the
exception record and context record. Do a .cxr on the 3rd parameter and then kb to
obtain a more informative stack trace.
The high 16 bits of the first parameter is the RDBSS bugcheck code, which is defined
as follows:
RDBSS_BUG_CHECK_CACHESUP = 0xca550000,
RDBSS_BUG_CHECK_CLEANUP = 0xc1ee0000,
RDBSS_BUG_CHECK_CLOSE = 0xc10e0000,
RDBSS_BUG_CHECK_NTEXCEPT = 0xbaad0000,
Arguments:
Arg1: baad00a3
Arg2: b3ce7f44
Arg3: b3ce7c40
Arg4: b6a23a5f
Debugging Details:
EXCEPTION_RECORD: b3ce7f44 – (.exr 0xffffffffb3ce7f44)
ExceptionAddress: b6a23a5f (rdbss!RxIsThisACscAgentOpen+0x00000038)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 00000008
Attempt to read from address 00000008
CONTEXT: b3ce7c40 – (.cxr 0xffffffffb3ce7c40)
eax=00000000 ebx=b6a23a80 ecx=00000009 edx=00000000 esi=00000008 edi=b6a23a80
eip=b6a23a5f esp=b3ce800c ebp=b3ce801c iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010246
rdbss!RxIsThisACscAgentOpen+0x38:
b6a23a5f f3a6 repe cmps byte ptr [esi],byte ptr es:[edi]
Resetting default scope
CUSTOMER_CRASH_COUNT: 2
PROCESS_NAME: NotesBU.exe
ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
READ_ADDRESS: 00000008
BUGCHECK_STR: 0x27
DEFAULT_BUCKET_ID: NULL_CLASS_PTR_DEREFERENCE
LAST_CONTROL_TRANSFER: from b6a2b431 to b6a23a5f
STACK_TEXT:
b3ce801c b6a2b431 8a04d888 8a7f6d80 b3ce80c0 rdbss!RxIsThisACscAgentOpen+0x38
b3ce803c b6a2bbf7 00000000 b3ce806c b3ce807c rdbss!RxInitializeVNetRootParameters+0x282
b3ce809c b6a2e6cd 8a7f6c60 b3ce80c0 00000004 rdbss!RxFindOrConstructVirtualNetRoot+0xdc
b3ce80d0 b6a2ae15 8a04d888 8a681bf0 b3ce8120 rdbss!RxCanonicalizeNameAndObtainNetRoot+0x197
b3ce8134 b6a20d51 8a04d888 8a681bc0 b6a298a8 rdbss!RxCommonCreate+0x2c3
b3ce81cc b6a2acc2 b6a298a8 8a384000 8a38409c rdbss!RxFsdCommonDispatch+0x353
b3ce81f4 b69ac317 8a532b10 8a384000 8a384008 rdbss!RxFsdDispatch+0xda
b3ce8214 804e13d9 00000000 01384008 b3ce8330 mrxsmb!MRxSmbFsdDispatch+0x134
b3ce8224 f786ab2a b3ce8330 89eaa930 89eaa98c nt!IopfCallDriver+0x31
WARNING: Stack unwind information not available. Following frames may be wrong.
b3ce8264 f784e6ea b3ce8330 8a3840c0 8a68f6c8 mfehidk+0x25b2a
b3ce8288 f784ee91 00000002 8a3840c0 8a681bc0 mfehidk+0x96ea
b3ce8320 f7869d87 cccccccc 8a8cfa48 8a4ed3a0 mfehidk+0x9e91
b3ce8348 804e13d9 8a4ed3a0 8a384008 8a384008 mfehidk+0x24d87
b3ce8358 f747de9b 00000000 8a384008 8a3840e4 nt!IopfCallDriver+0x31
b3ce837c f748a754 b3ce839c 8a6d6ee8 00000000 fltmgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x20b
b3ce83b8 804e13d9 8a6d6ee8 8a384008 8a681bc0 fltmgr!FltpCreate+0x26a
b3ce83c8 f7419540 89eadc8c 89eadc88 00000000 nt!IopfCallDriver+0x31
b3ce83fc f741a8fa 89eadc88 f740e088 89eadc88 Mup!DnrRedirectFileOpen+0x443
b3ce845c f741b81a 01eadc88 0078005e 8a384108 Mup!DnrNameResolve+0x53c
b3ce848c f7415d3d 8a40d180 8a384008 8a8cfd40 Mup!DnrStartNameResolution+0x292
b3ce84fc f7413fd6 8a40d180 8a8cfc88 8a384008 Mup!DfsCommonCreate+0x237
b3ce8544 f7414076 8a8cfc88 8a384008 8a384018 Mup!DfsFsdCreate+0xe0
b3ce859c 804e13d9 8a8cfc88 8a384008 8a384008 Mup!MupCreate+0xbc
b3ce85ac 8057bbed 8a8cfc70 8a05dae4 b3ce8744 nt!IopfCallDriver+0x31
b3ce868c 8056d03b 8a8cfc88 00000000 8a05da40 nt!IopParseDevice+0xa12
b3ce8704 80570358 00000000 b3ce8744 00000240 nt!ObpLookupObjectName+0x53c
b3ce8758 8057c246 00000000 00000000 38400800 nt!ObOpenObjectByName+0xea
b3ce87d4 80584cc8 8a5b4620 00100000 b3ce886c nt!IopCreateFile+0x407
b3ce881c f7490c77 8a5b4620 00100000 b3ce886c nt!IoCreateFileSpecifyDeviceObjectHint+0x52
b3ce88c4 f7490fe5 00000000 00000000 b3ce895c fltmgr!FltpExpandFilePathWorker+0x117
b3ce88dc f74914c1 8a5b45d8 00000000 8a5b45d8 fltmgr!FltpExpandFilePath+0x19
b3ce8910 f7491509 8a5b45d8 8a5b45d8 b3ce8a60 fltmgr!FltpGetOpenedDestinationFileName+0x2b9
b3ce8920 f7491695 8a5b45d8 8a677064 b3ce8b7c fltmgr!FltpGetNormalizedDestinationFileName+0x13
b3ce8a60 b513e8ac 8a35f3c8 89ead650 00000000 fltmgr!FltGetDestinationFileNameInformation+0x12b
b3ce8b3c b513fa2e 8a677064 b3ce8b7c 8a35f584 SoxAudit!AddEntryForPreNonCreatesPaths+0xdc [c:\development\main\filemaster\bssaudit\filter\bssaudit.c @ 1706]
b3ce8b5c f747b888 8a677064 b3ce8b7c b3ce8bac SoxAudit!PreSetInformation+0x62 [c:\development\main\filemaster\bssaudit\filter\bssaudit.c @ 3076]
b3ce8bbc f747d2a0 00ce8c04 00000000 b3ce8c04 fltmgr!FltpPerformPreCallbacks+0x2d4
b3ce8bd0 f747dc48 b3ce8c04 00000000 8a6d6ee8 fltmgr!FltpPassThroughInternal+0x32
b3ce8bec f747e059 b3ce8c00 00000000 8a900280 fltmgr!FltpPassThrough+0x1c2
b3ce8c1c 804e13d9 8a6d6ee8 89f8c888 89f8c9ac fltmgr!FltpDispatch+0x10d
b3ce8c2c f741c30e 89ead650 8a8cf030 89f8c888 nt!IopfCallDriver+0x31
b3ce8c70 f741c409 8a8a3728 89f8c888 89ead650 Mup!DfsCommonSetInformation+0xa3
b3ce8cb0 804e13d9 8a8cfc88 89f8c888 00000000 Mup!DfsFsdSetInformation+0x63
b3ce8cc0 805db2c4 b3ce8d64 0012d160 8057f4e5 nt!IopfCallDriver+0x31
b3ce8d48 804dd99f 00000128 0012d1d4 001c5d50 nt!NtSetInformationFile+0x533
b3ce8d48 7c90e514 00000128 0012d1d4 001c5d50 nt!KiFastCallEntry+0xfc
0012d218 00000000 00000000 00000000 00000000 0x7c90e514
FOLLOWUP_IP:
rdbss!RxIsThisACscAgentOpen+38
b6a23a5f f3a6 repe cmps byte ptr [esi],byte ptr es:[edi]
SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: rdbss!RxIsThisACscAgentOpen+38
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: rdbss
IMAGE_NAME: rdbss.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 48025ee6
STACK_COMMAND: .cxr 0xffffffffb3ce7c40 ; kb
FAILURE_BUCKET_ID: 0x27_rdbss!RxIsThisACscAgentOpen+38
BUCKET_ID: 0x27_rdbss!RxIsThisACscAgentOpen+38