We would like to to understand the root cause for this BSOD but we are
stuck here. I suspect it can be related to the ACPI firmware of VirtualBox.
I have tried toaster filter and another shareware generic class filter as
well. Just the presence of an upper class filter, even it does nothing,
causes the this BSOD in VirtuaBox (Win 7 32 bits).
Just in case some finds it useful, this is the “Microsoft
ACPI-Compliantesystem” device status:
DevNode 0x8523ccf8 for PDO 0x85198a38
Parent 0x8517e9c8 Sibling 0000000000 Child 0000000000
InstancePath is “ACPI_HAL\PNP0C08\0”
ServiceName is “ACPI”
State = DeviceNodeDriversAdded (0x303)
Previous State = DeviceNodeInitialized (0x302)
StateHistory[01] = DeviceNodeInitialized (0x302)
StateHistory[00] = DeviceNodeUninitialized (0x301)
StateHistory[19] = Unknown State (0x0)
StateHistory[18] = Unknown State (0x0)
StateHistory[17] = Unknown State (0x0)
StateHistory[16] = Unknown State (0x0)
StateHistory[15] = Unknown State (0x0)
StateHistory[14] = Unknown State (0x0)
StateHistory[13] = Unknown State (0x0)
StateHistory[12] = Unknown State (0x0)
StateHistory[11] = Unknown State (0x0)
StateHistory[10] = Unknown State (0x0)
StateHistory[09] = Unknown State (0x0)
StateHistory[08] = Unknown State (0x0)
StateHistory[07] = Unknown State (0x0)
StateHistory[06] = Unknown State (0x0)
StateHistory[05] = Unknown State (0x0)
StateHistory[04] = Unknown State (0x0)
StateHistory[03] = Unknown State (0x0)
StateHistory[02] = Unknown State (0x0)
Flags (0x2c0020f0) DNF_ENUMERATED, DNF_IDS_QUERIED,
DNF_HAS_BOOT_CONFIG, DNF_BOOT_CONFIG_RESERVED,
DNF_HAS_PROBLEM, DNF_NO_LOWER_DEVICE_FILTERS,
DNF_NO_LOWER_CLASS_FILTERS,
DNF_NO_UPPER_DEVICE_FILTERS
CapabilityFlags (0x000000c0) UniqueID, SilentInstall
Problem = CM_PROB_NORMAL_CONFLICT
BootResourcesList at 0x8d1a1ad0 Version 1.1 Interface 0xf Bus
#0xffffffff
Entry 0 - Interrupt (0x2) Device Exclusive (0x1)
Flags (0000) - LEVEL_SENSITIVE
Level 0x1a, Vector 0x1a, Group 0, Affinity 0xffffffff
Entry 1 - Interrupt (0x2) Device Exclusive (0x1)
Flags (0000) - LEVEL_SENSITIVE
Level 0x19, Vector 0x19, Group 0, Affinity 0xffffffff
Entry 2 - Interrupt (0x2) Device Exclusive (0x1)
Flags (0000) - LEVEL_SENSITIVE
Level 0x18, Vector 0x18, Group 0, Affinity 0xffffffff
Entry 3 - Interrupt (0x2) Device Exclusive (0x1)
Flags (0000) - LEVEL_SENSITIVE
Level 0x17, Vector 0x17, Group 0, Affinity 0xffffffff
Entry 4 - Interrupt (0x2) Device Exclusive (0x1)
Flags (0000) - LEVEL_SENSITIVE
Level 0x16, Vector 0x16, Group 0, Affinity 0xffffffff
Entry 5 - Interrupt (0x2) Device Exclusive (0x1)
Flags (0000) - LEVEL_SENSITIVE
Level 0x15, Vector 0x15, Group 0, Affinity 0xffffffff
Entry 6 - Interrupt (0x2) Device Exclusive (0x1)
Flags (0000) - LEVEL_SENSITIVE
Level 0x14, Vector 0x14, Group 0, Affinity 0xffffffff
Entry 7 - Interrupt (0x2) Device Exclusive (0x1)
Flags (0000) - LEVEL_SENSITIVE
Level 0x12, Vector 0x12, Group 0, Affinity 0xffffffff
Entry 8 - Interrupt (0x2) Device Exclusive (0x1)
Flags (0000) - LEVEL_SENSITIVE
Level 0x11, Vector 0x11, Group 0, Affinity 0xffffffff
Entry 9 - Interrupt (0x2) Device Exclusive (0x1)
Flags (0000) - LEVEL_SENSITIVE
Level 0x10, Vector 0x10, Group 0, Affinity 0xffffffff
Entry 10 - Interrupt (0x2) Device Exclusive (0x1)
Flags (0000) - LEVEL_SENSITIVE
Level 0xf, Vector 0xf, Group 0, Affinity 0xffffffff
Entry 11 - Interrupt (0x2) Device Exclusive (0x1)
Flags (0000) - LEVEL_SENSITIVE
Level 0xe, Vector 0xe, Group 0, Affinity 0xffffffff
Entry 12 - Interrupt (0x2) Device Exclusive (0x1)
Flags (0000) - LEVEL_SENSITIVE
Level 0xd, Vector 0xd, Group 0, Affinity 0xffffffff
Entry 13 - Interrupt (0x2) Device Exclusive (0x1)
Flags (0000) - LEVEL_SENSITIVE
Level 0xc, Vector 0xc, Group 0, Affinity 0xffffffff
IoResList at 0x8d1fe008 : Interface 0xf Bus 0xffffffff Slot 0
Alternative 0 (Version 1.1)
Preferred Descriptor 0 - NonArbitrated/ConfigData (0x80) Shared (0x3)
Flags (0000) -
Data: : 0x1 0x0 0x0
Preferred Descriptor 1 - Interrupt (0x2) Device Exclusive (0x1)
Flags (0000) - LEVEL_SENSITIVE
0x31 - 0x31
Preferred Descriptor 2 - Interrupt (0x2) Device Exclusive (0x1)
Flags (0000) - LEVEL_SENSITIVE
0x32 - 0x32
Preferred Descriptor 3 - Interrupt (0x2) Device Exclusive (0x1)
Flags (0000) - LEVEL_SENSITIVE
0x33 - 0x33
Preferred Descriptor 4 - Interrupt (0x2) Device Exclusive (0x1)
Flags (0000) - LEVEL_SENSITIVE
0x34 - 0x34
Preferred Descriptor 5 - Interrupt (0x2) Device Exclusive (0x1)
Flags (0000) - LEVEL_SENSITIVE
0x35 - 0x35
Preferred Descriptor 6 - Interrupt (0x2) Device Exclusive (0x1)
Flags (0000) - LEVEL_SENSITIVE
0x36 - 0x36
Preferred Descriptor 7 - Interrupt (0x2) Device Exclusive (0x1)
Flags (0000) - LEVEL_SENSITIVE
0x37 - 0x37
Preferred Descriptor 8 - Interrupt (0x2) Device Exclusive (0x1)
Flags (0000) - LEVEL_SENSITIVE
0x39 - 0x39
Preferred Descriptor 9 - Interrupt (0x2) Device Exclusive (0x1)
Flags (0000) - LEVEL_SENSITIVE
0x3a - 0x3a
Preferred Descriptor 10 - Interrupt (0x2) Device Exclusive (0x1)
Flags (0000) - LEVEL_SENSITIVE
0x3b - 0x3b
Preferred Descriptor 11 - Interrupt (0x2) Device Exclusive (0x1)
Flags (0000) - LEVEL_SENSITIVE
0x3c - 0x3c
Preferred Descriptor 12 - Interrupt (0x2) Device Exclusive (0x1)
Flags (0000) - LEVEL_SENSITIVE
0x3d - 0x3d
Preferred Descriptor 13 - Interrupt (0x2) Device Exclusive (0x1)
Flags (0000) - LEVEL_SENSITIVE
0x3e - 0x3e
Preferred Descriptor 14 - Interrupt (0x2) Device Exclusive (0x1)
Flags (0000) - LEVEL_SENSITIVE
0x3f - 0x3f
Kind regards,
Julian
2018-07-20 20:09 GMT+02:00 Julián de Navascués :
> @Doron
>
> Thanks for your response. I have set a breakpoint in WDFLDR!DllInitialize
> and I can see it is loaded before the filter. It is also boot start.
>
> I can see that my call to WdfDriverCreate (right now the only thing I do
> in DriverEntry) ends up in a call to Wdf01000!imp_WdfDriverCreate and
> returns STATUS_SUCCESS. Later the I see the subsequent calls to AddDevice.
>
> I think is not a problem with WDF, but maybe I’m wrong. On Monday I will
> read about the load order of WDF and the groups.
>
> @Everyone
>
> Right know I dont know how to simplify more the filter. Is there any basic
> mistake that I can’t see?
>
>
> NTSTATUS
> FilterEvtDeviceAdd(
> IN WDFDRIVER Driver,
> IN PWDFDEVICE_INIT DeviceInit
> )
> {
> UNREFERENCED_PARAMETER(Driver);
> UNREFERENCED_PARAMETER(DeviceInit);
>
> KdPrint((“Ignoring device…\n”));
>
> return STATUS_SUCCESS;
> }
>
> NTSTATUS
> DriverEntry(
> IN PDRIVER_OBJECT DriverObject,
> IN PUNICODE_STRING RegistryPath
> )
> {
> WDF_DRIVER_CONFIG config;
> NTSTATUS status;
> WDFDRIVER hDriver;
>
> KdPrint((“Generic Class Filter - KMDF.\n”));
>
> WDF_DRIVER_CONFIG_INIT(
> &config,
> FilterEvtDeviceAdd
> );
>
> status = WdfDriverCreate(DriverObject,
> RegistryPath,
> WDF_NO_OBJECT_ATTRIBUTES,
> &config,
> &hDriver);
> if (!NT_SUCCESS(status))
> {
> KdPrint((“WdfDriverCreate failed with status 0x%x\n”, status));
> }
>
> return status;
> }
>
>
> Thanks in advance,
>
> Rui
>
> 2018-07-20 18:55 GMT+02:00 xxxxx@microsoft.com
> :
>
>> In addition to being boot start, WDF itself needs to be boot start and
>> needs to be in earlier in the load order group.
>>
>> d
>>
>> -----Original Message-----
>> From: xxxxx@lists.osr.com >> .com> On Behalf Of xxxxx@protonmail.com
>> Sent: Friday, July 20, 2018 8:36 AM
>> To: Windows System Software Devs Interest List
>> Subject: [ntdev] Generic class upper filter crash
>>
>> Hi all,
>>
>> I’m writing a generic class upper filter that can be installed for any
>> class to log some operations (for example PNP IRPs) for each device from
>> that class.
>>
>> For testing purposes I have an installer that installs the filter in all
>> classes of the testing machine. I’m refering here to all system-defined
>> device classes.
>>
>> The filter has been working properly in different versions of Windows in
>> both physical and VMs… until today, when I tested it in a new environment
>> for testing.
>>
>> I have realized the problem appears when filtering the System class (i.e.
>> {4d36e97d-e325-11ce-bfc1-08002be10318}). It seems that all other classes
>> can be filtered in this environment without any problem.
>>
>> The WinDbg output is:
>>
>> *****************************************
>>
>> *
>> *
>> * Bugcheck Analysis
>> *
>> *
>> *
>> *****************************************
>>
>>
>> INACCESSIBLE_BOOT_DEVICE (7b)
>> During the initialization of the I/O system, it is possible that the
>> driver for the boot device failed to initialize the device that the system
>> is attempting to boot from, or it is possible for the file system that is
>> supposed to read that device to either fail its initialization or to simply
>> not recognize the data on the boot device as a file system structure that
>> it recognizes. In the former case, the argument (#1) is the address of a
>> Unicode string data structure that is the ARC name of the device from which
>> the boot was being attempted. In the latter case, the argument (#1) is the
>> address of the device object that could not be mounted.
>> If this is the initial setup of the system, then this error can occur if
>> the system was installed on an unsupported disk or SCSI controller. Note
>> that some controllers are supported only by drivers which are in the
>> Windows Driver Library (WDL) which requires the user to do a custom
>> install. See the Windows Driver Library for more information.
>> This error can also be caused by the installation of a new SCSI adapter
>> or disk controller or repartitioning the disk with the system partition.
>> If this is the case, on x86 systems the boot.ini file must be edited or on
>> ARC systems setup must be run. See the “Advanced Server System
>> Administrator’s User Guide” for information on changing boot.ini.
>> If the argument is a pointer to an ARC name string, then the format of
>> the first two (and in this case only) longwords will be:
>> USHORT Length;
>> USHORT MaximumLength;
>> PWSTR Buffer;
>> That is, the first longword will contain something like 00800020 where 20
>> is the actual length of the Unicode string, and the next longword will
>> contain the address of buffer. This address will be in system space, so
>> the high order bit will be set.
>> If the argument is a pointer to a device object, then the format of the
>> first word will be:
>> USHORT Type;
>> That is, the first word will contain a 0003, where the Type code will
>> ALWAYS be 0003.
>> Note that this makes it immediately obvious whether the argument is a
>> pointer to an ARC name string or a device object, since a Unicode string
>> can never have an odd number of bytes, and a device object will always have
>> a Type code of 3.
>> Arguments:
>> Arg1: 8078da48, Pointer to the device object or Unicode string of ARC name
>> Arg2: c0000034
>> Arg3: 00000000
>> Arg4: 00000000
>>
>> Debugging Details:
>> ------------------
>>
>>
>> DEFAULT_BUCKET_ID: INTEL_CPU_MICROCODE_ZERO
>>
>> BUGCHECK_STR: 0x7B
>>
>> PROCESS_NAME: System
>>
>> CURRENT_IRQL: 2
>>
>> LAST_CONTROL_TRANSFER: from 826ed5ef to 8267659c
>>
>> STACK_TEXT:
>> 8078d5f4 826ed5ef 00000003 aa737504 00000065
>> nt!RtlpBreakWithStatusInstruction
>> 8078d644 826ee0ed 00000003 00000000 c0000034 nt!KiBugCheckDebugBreak+0x1c
>> 8078da08 8260bae6 0000007b 8078da48 c0000034 nt!KeBugCheck2+0x68b
>> 8078da64 829b8957 8080a2f0 829c225f 00000000 nt!PnpBootDeviceWait+0x13f
>> 8078dad4 829ccf8b 8080a2f0 00000007 8080a2f0
>> nt!IopInitializeBootDrivers+0x4ce 8078db5c 829d1236 0080a2f0 851e1640
>> 851e1338 nt!IoInitSystem+0x5c5 8078dc3c 827a1730 8078dc90 8281eb74 8080a2f0
>> nt!Phase1InitializationDiscard+0xd1b
>> 8078dc44 8281eb74 8080a2f0 aa737fd0 00000000 nt!Phase1Initialization+0xd
>> 8078dc90 826be0d9 827a1723 8080a2f0 00000000
>> nt!PspSystemThreadStartup+0x159
>> 00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x19
>>
>>
>> STACK_COMMAND: kb
>>
>> FOLLOWUP_IP:
>> nt!PnpBootDeviceWait+13f
>> 8260bae6 cc int 3
>>
>> SYMBOL_STACK_INDEX: 3
>>
>> SYMBOL_NAME: nt!PnpBootDeviceWait+13f
>>
>> FOLLOWUP_NAME: MachineOwner
>>
>> MODULE_NAME: nt
>>
>> IMAGE_NAME: ntkrpamp.exe
>>
>> DEBUG_FLR_IMAGE_TIMESTAMP: 5b1a9f1a
>>
>> FAILURE_BUCKET_ID: 0x7B_VRF_nt!PnpBootDeviceWait+13f
>>
>> BUCKET_ID: 0x7B_VRF_nt!PnpBootDeviceWait+13f
>>
>> Followup: MachineOwner
>> ---------
>>
>> kd> !error c0000034
>> Error code: (NTSTATUS) 0xc0000034 (3221225524) - Object Name not found.
>> kd> dS 8078da48
>> 86bfa2d0 “\ArcName\multi(0)disk(0)rdisk(0)”
>> 86bfa310 “partition(1)”
>>
>> Here is a list of things I have tried by now:
>>
>> - Configure verifier in the testing machine, but does not point out any
>> problem.
>> - Disabled signature enforcement (anyways the driver is loading so a bit
>> pointless)
>> - Checked KMDF dependecy is properly resolved (again pointless)
>> - Make sure again that the driver is configured with Start=0
>>
>> - Develop a “minimum filter driver” (tried both WDM and KMDF) that in
>> AddDevice they just return STATUS_SUCCESS and do not attach to any device.
>> Both versions are loading and doing nothing in AddDevice. Both are still
>> crashing for System class. After trying this… I have no more ideas and I
>> am not so sure what to conclude.
>>
>> Am I doing something that is conceptually wrong? Any ideas are welcome.
>>
>> Thanks a lot,
>>
>> Rui
>>
>>
>>
>> —
>> NTDEV is sponsored by OSR
>>
>> Visit the list online at: https:>> tion.outlook.com/?url=http%3A%2F%2Fwww.osronline.com%
>> 2Fshowlists.cfm%3Flist%3Dntdev&data=02%7C01%7CDoron.
>> Holan%40microsoft.com%7C25d6904cbda84da0f7cf08d5ee56857f%7C7
>> 2f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636676977731318872
>> &sdata=k9sFAPEg%2Bg8ovzJLn%2FBpzN3J1tLFC4bopfA
>> nsRQ%2BET4%3D&reserved=0>
>>
>> MONTHLY seminars on crash dump analysis, WDF, Windows internals and
>> software drivers!
>> Details at https:>> 2F%2Fwww.osr.com%2Fseminars&data=02%7C01%7CDoron.
>> Holan%40microsoft.com%7C25d6904cbda84da0f7cf08d5ee56857f%7C7
>> 2f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636676977731318872
>> &sdata=cD8FYLW%2B6xkkXaCUE9AiWeMSpjIdktAmwSEL5nuYndo%3D&
>> amp;reserved=0>
>>
>> To unsubscribe, visit the List Server section of OSR Online at <
>> https://na01.safelinks.protection.outlook.com/?url=http%3A%
>> 2F%2Fwww.osronline.com%2Fpage.cfm%3Fname%3DListServer&
>> data=02%7C01%7CDoron.Holan%40microsoft.com%7C25d6904cbda8
>> 4da0f7cf08d5ee56857f%7C72f988bf86f141af91ab2d7cd011db47%7C1%
>> 7C0%7C636676977731318872&sdata=b7hjF5KUK4%2BtSLpWthzzT1C
>> %2B0C4VHpQ6z6ymRlTXc84%3D&reserved=0>
>>
>> —
>> NTDEV is sponsored by OSR
>>
>> Visit the list online at: http:>> lists.cfm?list=ntdev>
>>
>> MONTHLY seminars on crash dump analysis, WDF, Windows internals and
>> software drivers!
>> Details at http:
>>
>> To unsubscribe, visit the List Server section of OSR Online at <
>> http://www.osronline.com/page.cfm?name=ListServer>
>>
>
></http:></http:></https:></https:>