pointer to FCB is NULL & how to use !irp

Hi, I am analyzing one memory.dmp. It was caused by the pointer to the FCB
being NULL, but I don't know who set it to NULL.
Can I find this information in memory.dmp?

And do you know what the following parameters mean when I use !irp?

[12, 0] 0 0 88a22790 87f81e68 00000000-00000000 —> What is [12, 0]?? And where can I get this?
\FileSystem\Cdm
Args: 00000000 00000000 00000000 00000000 —> What are the arguments???

1: kd> kv
*** Stack trace for last set context - .thread/.cxr resets it
ChildEBP RetAddr Args to Child
bb9babe8 beb7be49 00000000 00000001 00000001 cdm!CdmAcquireFcbLock+0xd (FPO: [Non-Fpo])
bb9bac1c 8041d915 88a22790 87bb74c8 87f81e68 cdm!CdmFsdCleanup+0x43 (FPO: [Non-Fpo])
bb9bac30 804c1e67 80064ffc 890ae640 00000001 nt!IopfCallDriver+0x35 (FPO: [0,0,2])
bb9bac64 804d840b 883f1b00 88a22790 00120116 nt!IopCloseFile+0x267 (FPO: [Non-Fpo])
bb9bac90 8044f37a 883f1b00 87f81e54 87f81e68 nt!ObpDecrementHandleCount+0x13d (FPO: [Non-Fpo])
bb9bad44 bede0530 00000580 00000000 00000000 nt!NtClose+0x1f0 (FPO: [Non-Fpo])
WARNING: Stack unwind information not available. Following frames may be wrong.
bb9bad58 80465679 00000580 00000001 bf9539f4 TMFilter+0x18530
bb9bad58 77f82811 00000580 00000001 bf9539f4 nt!KiSystemService+0xc9 (FPO: [0,0] TrapFrame @ bb9bad64)
0619f644 77e7be45 00000580 00000001 04857320 ntdll!NtClose+0xb (FPO: [1,0,0])
0619f908 7862c71e 00000758 0483d128 00000000 KERNEL32!CreateDirectoryExW+0x840 (FPO: [Non-Fpo])
0619f930 7862d716 00000030 048573f4 048575fc SHELL32!EnterDir_Copy+0x48 (FPO: [Non-Fpo])
0619fe40 7862e584 00000000 00000000 048412d8 SHELL32!MoveCopyDriver+0x2dd (FPO: [Non-Fpo])
0619fe8c 7863b12e 00000908 00000000 048412d8 SHELL32!SHFileOperationW+0x1a7 (FPO: [EBP 0x0619ff08] [1,13,4])
0619ff08 7863b445 00000007 00000000 04841310 SHELL32!_HandleMoveOrCopy+0x1da (FPO: [Non-Fpo])
0619ff50 70c0b8fe 048412d8 00000000 0365ed74 SHELL32!FileDropTargetThreadProc+0x14d (FPO: [Non-Fpo])
0619ffb4 77e5758a 00000000 00000000 0365ed74 SHLWAPI!WrapperThreadProc+0x92 (FPO: [Non-Fpo])
0619ffec 00000000 70c0b86c 0365f1d4 00000000 KERNEL32!BaseThreadStart+0x52 (FPO: [Non-Fpo])
1: kd> !irp 87bb74c8
Irp is active with 3 stacks 3 is current (= 0x87bb7580)
No Mdl Thread 87bb8020: Irp stack trace.
cmd flg cl Device File Completion-Context
[0, 0] 0 0 00000000 00000000 00000000-00000000

Args: 00000000 00000000 00000000 00000000
[0, 0] 0 0 00000000 00000000 00000000-00000000

Args: 00000000 00000000 00000000 00000000

[12, 0] 0 0 88a22790 87f81e68 00000000-00000000 What is [12, 0]??
\FileSystem\Cdm
Args: 00000000 00000000 00000000 00000000 —> What are the arguments???
1: kd> !devobj 88a22790
Device object (88a22790) is for:
CdmRedirector \FileSystem\Cdm DriverObject 88a22910
Current Irp 00000000 RefCount 12 Type 00000014 Flags 00000040
DevExt 88a22848 DevObjExt 88a228a0
ExtensionFlags (0000000000)
Device queue is not busy.

[12, 0] are the major and minor function numbers (in hex).

IRP_MJ_CLEANUP is 0x12, so this is a cleanup IRP, which makes sense
given that the call stack shows "close" functions.

-----Original Message-----
From: xxxxx@citrix.co.jp [mailto:xxxxx@citrix.co.jp]

Sent: Tuesday, April 23, 2002 8:35 PM
To: Kernel Debugging Interest List
Subject: [windbg] pointer to FCB is NULL & how to use !irp

You are currently subscribed to windbg as: xxxxx@microsoft.com To
unsubscribe send a blank email to %%email.unsub%%

Thank you very much. And I have one more question: do you know what
"Args" means?

1: kd> !irp 87bb74c8
Irp is active with 3 stacks 3 is current (= 0x87bb7580)
No Mdl Thread 87bb8020: Irp stack trace.
cmd flg cl Device File Completion-Context

[12, 0] 0 0 88a22790 87f81e68 00000000-00000000
\FileSystem\Cdm
Args: 00000000 00000000 00000000 00000000
Thanks,
Kimi

-----Original Message-----
From: Nathan Nesbit [mailto:xxxxx@windows.microsoft.com]
Sent: Wednesday, April 24, 2002 3:28 PM
To: Kernel Debugging Interest List
Subject: [windbg] RE: pointer to FCB is NULL & how to use !irp

Open ntddk.h and look at the definition of _IO_STACK_LOCATION.

There is a 1 to 1 correspondence between what is printed and the fields in
the struct. You should be able to easily figure it all out. Here is a
hint: only one of the structs in the union gets printed. It has four
fields named "Argument1" - "Argument4".
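Added example, not code from the thread and not from the Cdm driver: a small host-side C program that decodes the two stack-location lines posted above ("!irp 87bb74c8") into the _IO_STACK_LOCATION fields they were printed from. It covers both replies in one place: the bracket pair is MajorFunction/MinorFunction (0x12 = IRP_MJ_CLEANUP), the next two columns are Flags and Control, then DeviceObject, FileObject, CompletionRoutine-Context, and the "Args:" line is Parameters.Others.Argument1..4. The IRP_MJ_* values and field names are the real ones from ntddk.h; the struct itself is a simplified model (no union, 32-bit pointers as in this x86 dump) and is an assumption for illustration. It also round-trips the line back into !irp's layout and checks that the Device column equals the first "Args to Child" value of the cdm!CdmFsdCleanup frame in the kv output, as expected for a DRIVER_DISPATCH(DeviceObject, Irp) routine.

```c
/*
 * Added example (not from the thread): decode one stack-location entry of
 * WinDbg's "!irp" output into _IO_STACK_LOCATION fields.  The struct is a
 * host-side MODEL using the ntddk.h field names, not the kernel definition:
 * the Parameters union is flattened to the "Others" member that !irp prints.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    unsigned MajorFunction;     /* "cmd": first number inside [..]            */
    unsigned MinorFunction;     /* second number inside [..]                  */
    unsigned Flags;             /* "flg"                                      */
    unsigned Control;           /* "cl"                                       */
    uint32_t Argument1, Argument2, Argument3, Argument4; /* "Args:" = Parameters.Others */
    uint32_t DeviceObject;      /* "Device" column                            */
    uint32_t FileObject;        /* "File" column                              */
    uint32_t CompletionRoutine; /* "Completion-Context", left of the '-'      */
    uint32_t Context;           /* right of the '-'                           */
} model_io_stack_location;

/* IRP_MJ_* codes 0x00..0x1b as defined in ntddk.h / wdm.h, indexed by value. */
static const char *const irp_mj_names[] = {
    "IRP_MJ_CREATE", "IRP_MJ_CREATE_NAMED_PIPE", "IRP_MJ_CLOSE", "IRP_MJ_READ",
    "IRP_MJ_WRITE", "IRP_MJ_QUERY_INFORMATION", "IRP_MJ_SET_INFORMATION",
    "IRP_MJ_QUERY_EA", "IRP_MJ_SET_EA", "IRP_MJ_FLUSH_BUFFERS",
    "IRP_MJ_QUERY_VOLUME_INFORMATION", "IRP_MJ_SET_VOLUME_INFORMATION",
    "IRP_MJ_DIRECTORY_CONTROL", "IRP_MJ_FILE_SYSTEM_CONTROL",
    "IRP_MJ_DEVICE_CONTROL", "IRP_MJ_INTERNAL_DEVICE_CONTROL", "IRP_MJ_SHUTDOWN",
    "IRP_MJ_LOCK_CONTROL", "IRP_MJ_CLEANUP", "IRP_MJ_CREATE_MAILSLOT",
    "IRP_MJ_QUERY_SECURITY", "IRP_MJ_SET_SECURITY", "IRP_MJ_POWER",
    "IRP_MJ_SYSTEM_CONTROL", "IRP_MJ_DEVICE_CHANGE", "IRP_MJ_QUERY_QUOTA",
    "IRP_MJ_SET_QUOTA", "IRP_MJ_PNP",
};

static const char *irp_mj_name(unsigned major)
{
    size_t count = sizeof irp_mj_names / sizeof irp_mj_names[0];
    return major < count ? irp_mj_names[major] : "IRP_MJ_<out of range>";
}

/* Parse the two lines !irp prints per stack location, e.g.
 *   [12, 0] 0 0 88a22790 87f81e68 00000000-00000000
 *   Args: 00000000 00000000 00000000 00000000
 * Returns 1 on success, 0 if either line does not have that layout. */
static int parse_irp_stack_location(const char *line, const char *args,
                                    model_io_stack_location *sl)
{
    unsigned mj, mn, flg, cl, dev, file, cr, ctx, a1, a2, a3, a4;
    memset(sl, 0, sizeof *sl);
    if (sscanf(line, " [%x, %x] %x %x %x %x %x-%x",
               &mj, &mn, &flg, &cl, &dev, &file, &cr, &ctx) != 8)
        return 0;
    if (sscanf(args, " Args: %x %x %x %x", &a1, &a2, &a3, &a4) != 4)
        return 0;
    if (mj > 0xff || mn > 0xff || flg > 0xff || cl > 0xff)
        return 0;               /* UCHAR fields in the real struct */
    sl->MajorFunction = mj;     sl->MinorFunction = mn;
    sl->Flags = flg;            sl->Control = cl;
    sl->DeviceObject = dev;     sl->FileObject = file;
    sl->CompletionRoutine = cr; sl->Context = ctx;
    sl->Argument1 = a1; sl->Argument2 = a2; sl->Argument3 = a3; sl->Argument4 = a4;
    return 1;
}

/* Re-emit the first line in !irp's own layout (round-trip check). */
static int format_irp_stack_location(const model_io_stack_location *sl,
                                     char *buf, size_t n)
{
    return snprintf(buf, n, "[%x, %x] %x %x %08x %08x %08x-%08x",
                    sl->MajorFunction, sl->MinorFunction, sl->Flags, sl->Control,
                    (unsigned)sl->DeviceObject, (unsigned)sl->FileObject,
                    (unsigned)sl->CompletionRoutine, (unsigned)sl->Context);
}

/* A dispatch routine is DRIVER_DISPATCH(DeviceObject, Irp), so the first
 * "Args to Child" value of the cdm!CdmFsdCleanup frame in kv should equal the
 * Device column of the current stack location.  1 if consistent, else 0. */
static int matches_dispatch_frame(const model_io_stack_location *sl,
                                  uint32_t frame_arg1_device_object)
{
    return sl->DeviceObject == frame_arg1_device_object;
}

int main(void)
{
    /* The two lines from the thread's "!irp 87bb74c8" output. */
    const char *line = "[12, 0] 0 0 88a22790 87f81e68 00000000-00000000";
    const char *args = "Args: 00000000 00000000 00000000 00000000";
    model_io_stack_location sl;
    char buf[96];

    if (!parse_irp_stack_location(line, args, &sl)) {
        fprintf(stderr, "unrecognised !irp layout\n");
        return 1;
    }
    printf("MajorFunction 0x%02x = %s, MinorFunction 0x%02x, Flags 0x%02x, Control 0x%02x\n",
           sl.MajorFunction, irp_mj_name(sl.MajorFunction), sl.MinorFunction,
           sl.Flags, sl.Control);
    printf("DeviceObject %08x FileObject %08x CompletionRoutine %08x Context %08x\n",
           (unsigned)sl.DeviceObject, (unsigned)sl.FileObject,
           (unsigned)sl.CompletionRoutine, (unsigned)sl.Context);
    printf("Parameters.Others.Argument1..4 = %08x %08x %08x %08x\n",
           (unsigned)sl.Argument1, (unsigned)sl.Argument2,
           (unsigned)sl.Argument3, (unsigned)sl.Argument4);
    format_irp_stack_location(&sl, buf, sizeof buf);
    printf("round trip: %s\n", buf);
    /* 88a22790 is the first Args-to-Child value of cdm!CdmFsdCleanup in kv. */
    printf("Device matches dispatch frame: %s\n",
           matches_dispatch_frame(&sl, 0x88a22790u) ? "yes" : "no");
    return 0;
}
```

For an IRP_MJ_CLEANUP request the Parameters union carries nothing, which is why all four Args are zero here; for IRP_MJ_READ the same four slots would be Parameters.Read.Length, Key and the two halves of ByteOffset. On the dump itself, `dt nt!_IO_STACK_LOCATION 87bb7580` (the address !irp reports for the current stack location) shows the same fields by name, and `dt nt!_FILE_OBJECT 87f81e68` shows FsContext and FsContext2, where file systems and redirectors conventionally keep their FCB and CCB pointers. Whether Cdm follows that convention is not shown in the thread, so a NULL there is a lead rather than proof; the kv frame for cdm!CdmAcquireFcbLock does already show 00000000 as its first argument, but what that argument is depends on the routine's signature, which the thread does not give.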

-----Original Message-----
From: xxxxx@citrix.co.jp [mailto:xxxxx@citrix.co.jp]

Sent: Wednesday, April 24, 2002 9:29 AM
To: Kernel Debugging Interest List
Subject: [windbg] RE: pointer to FCB is NULL & how to use !irp
