my minifilter issued BSOD:INACCESSIBLE_BOOT_DEVICE!!

Crazy? But it is!
When I install my minifilter and run it, the system will occasionally crash with INACCESSIBLE_BOOT_DEVICE when the system boots.

I think there is a possible problem:
1. When my application calls CreateFile to open my control DO, I call ZwCreateFile(\SystemRoot\myfile.xxx, FILE_OPEN_IF); the file is FILE_ATTRIBUTE_HIDDEN|FILE_ATTRIBUTE_SYSTEM.
2. I write to the file at any time.
3. I never ZwClose the file.

OK, because the file is always open, the volume reference (system volume) never becomes 0.
Maybe that causes the BSOD.

If that is the problem, modifying my code is very simple:
I can close the file when my application exits.
But if the system powers off by accident, the file is still open. What is the situation then? Will it cause the BSOD too?

How about you post code and a crash dump???

What exactly is your question?

Sorry, but this ‘question’ sounds like you’re ‘skitzed out’ on meth
while hallucinating and masturbating a power cord. I’m lost.

Then again, perhaps I can’t understand because I fully exhausted my English
while shooting pool earlier.

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of
xxxxx@hotmail.com
Sent: Friday, April 24, 2009 2:58 AM
To: Windows File Systems Devs Interest List
Subject: [ntfsd] my minifilter issued BSOD:INACCESSIBLE_BOOT_DEVICE!!

NTFSD is sponsored by OSR

For our schedule of debugging and file system seminars
(including our new fs mini-filter seminar) visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

You should at least post the complete bug code.
The 0x7B from my experience can have the following reasons:

  • a (filter)driver registered for the boot device is missing
  • the MBR is corrupted

Filesystem operations at this early time of boot (= before a filesystem has
even mounted) won’t succeed anyway.

Regards
Else

“Matt”
Sent by: bounce-363969-18867@lists.osr.com
24.04.2009 12:02
Please respond to “Windows File Systems Devs Interest List”

To: “Windows File Systems Devs Interest List”
cc:
Subject: RE: [ntfsd] my minifilter issued BSOD:INACCESSIBLE_BOOT_DEVICE!!

How about you post code and a crash dump???

What exactly is your question?

Sorry, but this ‘question’ sounds like you’re ‘skitzed out’ on meth
while hallucinating and masturbating a power cord. I’m lost.

Then again, perhaps I can’t understand because I fully exhausted my English
while shooting pool earlier.

Sorry for my horrible description.

In my minifilter:
I call ZwCreateFile (\systemroot\myfile.xxx), and myfile.xxx has the hidden & system attributes.
I never close myfile.xxx.

Thus, when Windows is running, \systemroot\myfile.xxx is always held open by my minifilter.

After restarting Windows many times, there will be an INACCESSIBLE_BOOT_DEVICE at Windows start!
And once the INACCESSIBLE_BOOT_DEVICE has occurred, restarting Windows will crash too (the same bugcheck: INACCESSIBLE_BOOT_DEVICE).

There is no dump file, because C: can’t be mounted,
but in WinDbg I can view the stack:

kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

INACCESSIBLE_BOOT_DEVICE (7b)
During the initialization of the I/O system, it is possible that the driver
for the boot device failed to initialize the device that the system is
attempting to boot from, or it is possible for the file system that is
supposed to read that device to either fail its initialization or to simply
not recognize the data on the boot device as a file system structure that
it recognizes. In the former case, the argument (#1) is the address of a
Unicode string data structure that is the ARC name of the device from which
the boot was being attempted. In the latter case, the argument (#1) is the
address of the device object that could not be mounted.
If this is the initial setup of the system, then this error can occur if
the system was installed on an unsupported disk or SCSI controller. Note
that some controllers are supported only by drivers which are in the Windows
Driver Library (WDL) which requires the user to do a custom install. See
the Windows Driver Library for more information.
This error can also be caused by the installation of a new SCSI adapter or
disk controller or repartitioning the disk with the system partition. If
this is the case, on x86 systems the boot.ini file must be edited or on ARC
systems setup must be run. See the “Advanced Server System Administrator’s
User Guide” for information on changing boot.ini.
If the argument is a pointer to an ARC name string, then the format of the
first two (and in this case only) longwords will be:
USHORT Length;
USHORT MaximumLength;
PWSTR Buffer;
That is, the first longword will contain something like 00800020 where 20
is the actual length of the Unicode string, and the next longword will
contain the address of buffer. This address will be in system space, so
the high order bit will be set.
If the argument is a pointer to a device object, then the format of the first
word will be:
USHORT Type;
That is, the first word will contain a 0003, where the Type code will ALWAYS
be 0003.
Note that this makes it immediately obvious whether the argument is a pointer
to an ARC name string or a device object, since a Unicode string can never
have an odd number of bytes, and a device object will always have a Type
code of 3.
Arguments:
Arg1: 8185d5f0, Pointer to the device object or Unicode string of ARC name
Arg2: c0000032
Arg3: 00000000
Arg4: 00000000

Debugging Details:

DEFAULT_BUCKET_ID: DRIVER_FAULT

BUGCHECK_STR: 0x7B

PROCESS_NAME: System

LAST_CONTROL_TRANSFER: from 8042a9e3 to 804554d8

STACK_TEXT:
f4022cfc 8042a9e3 00000003 f4022d44 8185d5f0 nt!RtlpBreakWithStatusInstruction
f4022d2c 8042afd6 00000003 00000000 8185d5f0 nt!KiBugCheckDebugBreak+0x31
f40230b8 804ad9aa 0000007b 8185d5f0 c0000032 nt!KeBugCheckEx+0x390
f4023110 80428938 c0000032 00000000 00000000 nt!IopMountVolume+0x33e
f4023138 804bf2c9 f40234c8 8185d5f0 f402331c nt!IopCheckVpbMounted+0x4a
f40232d8 80450893 8185d5f0 00000000 f4023390 nt!IopParseDevice+0x40f
f4023350 804d59a0 00000000 81881c00 00000040 nt!ObpLookupObjectName+0x4e7
f4023460 8049f9f1 00000000 00000000 00120100 nt!ObOpenObjectByName+0xc8
f402353c 8049f596 f40238bc 00100020 f4023894 nt!IopCreateFile+0x407
f4023584 804a8279 f40238bc 00100020 f4023894 nt!IoCreateFile+0x36
f40235c4 80464f84 f40238bc 00100020 f4023894 nt!NtOpenFile+0x25
f40235c4 8042fe9f f40238bc 00100020 f4023894 nt!KiSystemService+0xc4
f4023654 8055ad81 f40238bc 00100020 f4023894 nt!ZwOpenFile+0xb
f40238c0 805498b6 00000000 00000032 00000000 nt!PsLocateSystemDll+0x67
f4023a58 805486e9 80087000 00000000 00000000 nt!IoInitSystem+0x637
f4023da8 80454a24 80087000 00000000 00000000 nt!Phase1Initialization+0x71b
f4023ddc 80469212 80547fce 80087000 00000000 nt!PspSystemThreadStartup+0x54
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16

STACK_COMMAND: kb

FOLLOWUP_IP:
nt!IopMountVolume+33e
804ad9aa 8b4508 mov eax,dword ptr [ebp+8]

SYMBOL_STACK_INDEX: 3

SYMBOL_NAME: nt!IopMountVolume+33e

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: nt

IMAGE_NAME: ntoskrnl.exe

DEBUG_FLR_IMAGE_TIMESTAMP: 427b58bb

FAILURE_BUCKET_ID: 0x7B_nt!IopMountVolume+33e

BUCKET_ID: 0x7B_nt!IopMountVolume+33e

Followup: MachineOwner
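
Added example, not part of any post in this thread: a small C decoder for the bugcheck 0x7B arguments shown above. It applies the Arg1 rule quoted in the !analyze text (first word 0003 means device object, an even Length means ARC-name Unicode string) and splits Arg2 into NTSTATUS fields. The function names are hypothetical, the device-object longword 00b80003 is a constructed sample, and the status-name table is a small hand-picked subset of ntstatus.h.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Argument lines copied from the !analyze -v output posted above. */
static const char ANALYZE_ARGS[] =
    "Arg1: 8185d5f0, Pointer to the device object or Unicode string of ARC name\n"
    "Arg2: c0000032\n"
    "Arg3: 00000000\n"
    "Arg4: 00000000\n";

/* Extract the four bugcheck arguments; returns how many were parsed. */
int parse_bugcheck_args(const char *text, uint32_t args[4])
{
    int found = 0;
    for (int i = 0; i < 4; i++) {
        char tag[16];
        snprintf(tag, sizeof tag, "Arg%d:", i + 1);
        const char *p = strstr(text, tag);
        if (p == NULL)
            continue;
        p += strlen(tag);
        char *end;
        unsigned long v = strtoul(p, &end, 16);
        if (end == p)               /* no hex digits after the tag */
            continue;
        args[i] = (uint32_t)v;
        found++;
    }
    return found;
}

typedef enum { ARG1_UNKNOWN, ARG1_DEVICE_OBJECT, ARG1_ARC_NAME } arg1_kind;

/* Classify Arg1 from the first longword read at that address (x86,
   little-endian), e.g. the first value printed by "dd <Arg1> L1". */
arg1_kind classify_arg1(uint32_t first_longword)
{
    uint16_t lo = (uint16_t)(first_longword & 0xFFFF); /* Type or Length        */
    uint16_t hi = (uint16_t)(first_longword >> 16);    /* Size or MaximumLength */

    if (lo == 0x0003)               /* device object: Type code is always 3 */
        return ARG1_DEVICE_OBJECT;
    /* UNICODE_STRING: byte length is even and never exceeds MaximumLength. */
    if (lo != 0 && (lo & 1) == 0 && lo <= hi)
        return ARG1_ARC_NAME;
    return ARG1_UNKNOWN;
}

typedef struct { unsigned severity, facility, code; } ntstatus_fields;

/* NTSTATUS layout: bits 31-30 severity, bits 27-16 facility, bits 15-0 code. */
ntstatus_fields decode_ntstatus(uint32_t s)
{
    ntstatus_fields f = { s >> 30, (s >> 16) & 0xFFF, s & 0xFFFF };
    return f;
}

/* Small subset of ntstatus.h values that are plausible as a mount failure. */
const char *ntstatus_name(uint32_t s)
{
    switch (s) {
    case 0xC000000Eu: return "STATUS_NO_SUCH_DEVICE";
    case 0xC0000032u: return "STATUS_DISK_CORRUPT_ERROR";
    case 0xC0000034u: return "STATUS_OBJECT_NAME_NOT_FOUND";
    case 0xC000014Fu: return "STATUS_UNRECOGNIZED_VOLUME";
    default:          return "(not in table)";
    }
}

static const char *kind_name(arg1_kind k)
{
    return k == ARG1_DEVICE_OBJECT ? "device object"
         : k == ARG1_ARC_NAME      ? "ARC name UNICODE_STRING"
         :                           "unknown";
}

int main(void)
{
    uint32_t a[4] = {0};
    if (parse_bugcheck_args(ANALYZE_ARGS, a) != 4)
        return 1;

    ntstatus_fields f = decode_ntstatus(a[1]);
    printf("Arg1 %08x, Arg2 %08x = %s (severity %u, facility %u, code 0x%x)\n",
           (unsigned)a[0], (unsigned)a[1], ntstatus_name(a[1]),
           f.severity, f.facility, f.code);

    /* 00800020 is the sample from the !analyze text; 00b80003 is constructed. */
    printf("first longword 00800020 -> %s\n", kind_name(classify_arg1(0x00800020u)));
    printf("first longword 00b80003 -> %s\n", kind_name(classify_arg1(0x00b80003u)));
    return 0;
}
```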

I have zero ideas other than a question about the symlink “systemroot”
along with at what point you are loading your driver (start = 0? 1? 2?)…
If the object manager hasn’t yet established this symbolic link, and you are
calling it early in the boot process, I would expect a failure to occur if
the Object Manager wasn’t up yet - which could result in an
INACCESSIBLE_BOOT_DEVICE error due to the layered design of NT - however,
that doesn’t explain the ‘it works sometimes’ scenario.

I hope others can comment on this question; I, however, am guessing this has
something to do with “\systemroot” and the object manager not being fully
functional at boot start.

Clark Stone, what is your driver’s start type and in what path do you call
ZwCreateFile? Driver_Load, IRP_Create???

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of
xxxxx@hotmail.com
Sent: Friday, April 24, 2009 5:40 AM
To: Windows File Systems Devs Interest List
Subject: RE:[ntfsd] my minifilter issued BSOD:INACCESSIBLE_BOOT_DEVICE!!

> OK,because the file is always opened,the volume reference(system volume) is never become 0.
> May it will issue the BSOD.

No.

This BSOD means - “mount path for the SystemRoot volume failed”.


Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com

I have described when I call ZwCreateFile to open myfile.xxx:
when my application calls CreateFile (on my control device object’s symbolic link), in the IRP_MJ_CREATE handler for my control DO, I call ZwCreateFile to open \SystemRoot\myfile.xxx.

Detailed information about the BSOD:

>>>f4023654 8055ad81 f40238bc 00100020 f4023894 nt!ZwOpenFile+0xb
kd> dt _OBJECT_ATTRIBUTES 0xf4023894
nt!_OBJECT_ATTRIBUTES
+0x000 Length : 0x18
+0x004 RootDirectory : (null)
+0x008 ObjectName : 0xf40238b0 _UNICODE_STRING “\SystemRoot\System32\ntdll.dll”
+0x00c Attributes : 0x40
+0x010 SecurityDescriptor : (null)
+0x014 SecurityQualityOfService : (null)

kd> !devobj 0x8185d5f0
Device object (8185d5f0) is for:
HarddiskVolume1 \Driver\Ftdisk DriverObject 81894e50
Current Irp 00000000 RefCount 4 Type 00000007 Flags 00001150
Vpb 81890a68 DevExt 8185d6a8 DevObjExt 8185d768 Dope 8185d568 DevNode 8185dce8
ExtensionFlags (0xa0000000)
Unknown flags 0xa0000000
Device queue is not busy.

The start type of my minifilter is BOOT (not a legacy filesystem filter like sfilter).

I have described when I call ZwCreateFile to open myfile.xxx:
when my application calls CreateFile (on my control device object’s symbolic link), in the
IRP_MJ_CREATE handler for my control DO, I call ZwCreateFile to open
\SystemRoot\myfile.xxx.

My application is a service.
At this point in time, the IO manager is OK.

And, in this BSOD:
kd> !process 0 0
**** NT ACTIVE PROCESS DUMP ****
PROCESS 818b5380 SessionId: 0 Cid: 0008 Peb: 00000000 ParentCid: 0000
DirBase: 00030000 ObjectTable: 818b5e68 TableSize: 24.
Image: System

Yes, just the System process.

Oh, crazy thing: in the BSOD, my driver is still not loaded!

kd> lm o 1m
hal
nt
Mup
NDIS
Ntfs
KSecDD
fltmgr
SCSIPORT
atapi
dmio
ftdisk
ACPI
pci
isapnp
buslogic
CLASSPNP
PCIIDEX
MountMgr
disk
agp440
BOOTVID
compbatt
PartMgr
vmscsi
BATTC
intelide
Diskperf
dmload
WMILIB

And all the threads of the System process:
kd> !process 0 7
**** NT ACTIVE PROCESS DUMP ****
PROCESS 818b5380 SessionId: 0 Cid: 0008 Peb: 00000000 ParentCid: 0000
DirBase: 00030000 ObjectTable: 818b5e68 TableSize: 24.
Image: System
VadRoot 8187ef08 Clone 0 Private 1. Modified 87. Locked 0.
DeviceMap 81881e88
Token e1000750
ElapsedTime 14:56:55.0171
UserTime 0:00:00.0000
KernelTime 0:00:02.0906
QuotaPoolUsage[PagedPool] 0
QuotaPoolUsage[NonPagedPool] 0
Working Set Sizes (now,min,max) (56, 0, 345) (224KB, 0KB, 1380KB)
PeakWorkingSetSize 56
VirtualSize 0 Mb
PeakVirtualSize 0 Mb
PageFaultCount 52
MemoryPriority BACKGROUND
BasePriority 8
CommitCharge 1

THREAD 818b5100 Cid 8.4 Teb: 00000000 Win32Thread: 00000000 RUNNING
Not impersonating
Owning Process 818b5380
Wait Start TickCount 247 Elapsed Ticks: 1
Context Switch Count 594
UserTime 0:00:00.0000
KernelTime 0:00:02.0296
Start Address nt!Phase1Initialization (0x80547fce)
Stack Init f4024000 Current f4023078 Base f4024000 Limit f4021000 Call 0
Priority 31 BasePriority 8 PriorityDecrement 0 DecrementCount 0

ChildEBP RetAddr Args to Child
f4022cfc 8042a9e3 00000003 f4022d44 8185d5f0 nt!RtlpBreakWithStatusInstruction
f4022d2c 8042afd6 00000003 00000000 8185d5f0 nt!KiBugCheckDebugBreak+0x31
f40230b8 804ad9aa 0000007b 8185d5f0 c0000032 nt!KeBugCheckEx+0x390
f4023110 80428938 c0000032 00000000 00000000 nt!IopMountVolume+0x33e
f4023138 804bf2c9 f40234c8 8185d5f0 f402331c nt!IopCheckVpbMounted+0x4a
f40232d8 80450893 8185d5f0 00000000 f4023390 nt!IopParseDevice+0x40f
f4023350 804d59a0 00000000 81881c00 00000040 nt!ObpLookupObjectName+0x4e7
f4023460 8049f9f1 00000000 00000000 00120100 nt!ObOpenObjectByName+0xc8
f402353c 8049f596 f40238bc 00100020 f4023894 nt!IopCreateFile+0x407
f4023584 804a8279 f40238bc 00100020 f4023894 nt!IoCreateFile+0x36
f40235c4 80464f84 f40238bc 00100020 f4023894 nt!NtOpenFile+0x25
f40235c4 8042fe9f f40238bc 00100020 f4023894 nt!KiSystemService+0xc4
f4023654 8055ad81 f40238bc 00100020 f4023894 nt!ZwOpenFile+0xb
f40238c0 805498b6 00000000 00000032 00000000 nt!PsLocateSystemDll+0x67
f4023a58 805486e9 80087000 00000000 00000000 nt!IoInitSystem+0x637
f4023da8 80454a24 80087000 00000000 00000000 nt!Phase1Initialization+0x71b
f4023ddc 80469212 80547fce 80087000 00000000 nt!PspSystemThreadStartup+0x54
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16

THREAD 81881940 Cid 8.c Teb: 00000000 Win32Thread: 00000000 WAIT: (WrEventPairLow) UserMode Non-Alertable
804746a0 Unknown
Not impersonating
Owning Process 818b5380
Wait Start TickCount 15 Elapsed Ticks: 233
Context Switch Count 2
UserTime 0:00:00.0000
KernelTime 0:00:00.0015
Start Address nt!ExpWorkerThread (0x80416b4c)
Stack Init f402c000 Current f402bd34 Base f402c000 Limit f4029000 Call 0
Priority 13 BasePriority 13 PriorityDecrement 0 DecrementCount 0

ChildEBP RetAddr Args to Child
f402bd4c 8042d59b 00000000 804746a0 81881940 nt!KiSwapThread+0xc5
f402bd70 80416bbf 00000000 00000001 00000000 nt!KeRemoveQueue+0x195
f402bda8 80454a24 00000000 00000000 00000000 nt!ExpWorkerThread+0x73
f402bddc 80469212 80416b4c 00000000 00000000 nt!PspSystemThreadStartup+0x54
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16

THREAD 818816c0 Cid 8.10 Teb: 00000000 Win32Thread: 00000000 WAIT: (WrEventPairLow) UserMode Non-Alertable
804746a0 Unknown
Not impersonating
Owning Process 818b5380
Wait Start TickCount 15 Elapsed Ticks: 233
Context Switch Count 1
UserTime 0:00:00.0000
KernelTime 0:00:00.0000
Start Address nt!ExpWorkerThread (0x80416b4c)
Stack Init f4030000 Current f402fd34 Base f4030000 Limit f402d000 Call 0
Priority 13 BasePriority 13 PriorityDecrement 0 DecrementCount 0

ChildEBP RetAddr Args to Child
f402fd4c 8042d59b 00000000 804746a0 818816c0 nt!KiSwapThread+0xc5
f402fd70 80416bbf 00000000 00000001 00000000 nt!KeRemoveQueue+0x195
f402fda8 80454a24 00000000 00000000 00000000 nt!ExpWorkerThread+0x73
f402fddc 80469212 80416b4c 00000000 00000000 nt!PspSystemThreadStartup+0x54
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16

THREAD 81881440 Cid 8.14 Teb: 00000000 Win32Thread: 00000000 WAIT: (WrEventPairLow) UserMode Non-Alertable
804746a0 Unknown
Not impersonating
Owning Process 818b5380
Wait Start TickCount 15 Elapsed Ticks: 233
Context Switch Count 1
UserTime 0:00:00.0000
KernelTime 0:00:00.0000
Start Address nt!ExpWorkerThread (0x80416b4c)
Stack Init f4034000 Current f4033d34 Base f4034000 Limit f4031000 Call 0
Priority 13 BasePriority 13 PriorityDecrement 0 DecrementCount 0

ChildEBP RetAddr Args to Child
f4033d4c 8042d59b 00000000 804746a0 81881440 nt!KiSwapThread+0xc5
f4033d70 80416bbf 00000000 00000001 00000000 nt!KeRemoveQueue+0x195
f4033da8 80454a24 00000000 00000000 00000000 nt!ExpWorkerThread+0x73
f4033ddc 80469212 80416b4c 00000000 00000000 nt!PspSystemThreadStartup+0x54
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16

THREAD 818811c0 Cid 8.18 Teb: 00000000 Win32Thread: 00000000 WAIT: (WrEventPairLow) UserMode Non-Alertable
804746a0 Unknown
Not impersonating
Owning Process 818b5380
Wait Start TickCount 247 Elapsed Ticks: 1
Context Switch Count 2
UserTime 0:00:00.0000
KernelTime 0:00:00.0000
Start Address nt!ExpWorkerThread (0x80416b4c)
Stack Init f4038000 Current f4037d34 Base f4038000 Limit f4035000 Call 0
Priority 13 BasePriority 13 PriorityDecrement 0 DecrementCount 0

ChildEBP RetAddr Args to Child
f4037d4c 8042d59b bfed3068 804746a0 818811c0 nt!KiSwapThread+0xc5
f4037d70 80416bbf 00000000 00000001 00000000 nt!KeRemoveQueue+0x195
f4037da8 80454a24 00000000 00000000 00000000 nt!ExpWorkerThread+0x73
f4037ddc 80469212 80416b4c 00000000 00000000 nt!PspSystemThreadStartup+0x54
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16

THREAD 81880020 Cid 8.1c Teb: 00000000 Win32Thread: 00000000 READY
Not impersonating
Owning Process 818b5380
Wait Start TickCount 247 Elapsed Ticks: 1
Context Switch Count 20
UserTime 0:00:00.0000
KernelTime 0:00:00.0031
Start Address nt!ExpWorkerThread (0x80416b4c)
Stack Init f403c000 Current f403ba40 Base f403c000 Limit f4039000 Call 0
Priority 13 BasePriority 13 PriorityDecrement 0 DecrementCount 0

ChildEBP RetAddr Args to Child
f403ba58 8042b745 00000040 81896d08 00000000 nt!KiUnlockDispatcherDatabase+0x73
f403ba6c 8041e0a0 f40230e0 00000001 00000000 nt!KeSetEvent+0x71
f403ba98 bfebe418 818987c8 00000000 bfef0850 nt!IopfCompleteRequest+0x1a6
f403baa4 bfef0850 818987c8 81896d08 c0000032 Ntfs!NtfsCompleteRequest+0x5c
f403bcd8 bfedf6dd 818987c8 81896d08 818987c8 Ntfs!NtfsMountVolume+0x1aac
f403bce8 bfec5bf9 818987c8 81896d08 818988c8 Ntfs!NtfsCommonFileSystemControl+0x37
f403bd78 80416bfa 818987c8 00000000 00000000 Ntfs!NtfsFspDispatch+0x1b3
f403bda8 80454a24 818987c8 00000000 00000000 nt!ExpWorkerThread+0xae
f403bddc 80469212 80416b4c 00000000 00000000 nt!PspSystemThreadStartup+0x54
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16

THREAD 81880da0 Cid 8.20 Teb: 00000000 Win32Thread: 00000000 WAIT: (WrEventPairLow) UserMode Non-Alertable
804746dc Unknown
Not impersonating
Owning Process 818b5380
Wait Start TickCount 15 Elapsed Ticks: 233
Context Switch Count 1
UserTime 0:00:00.0000
KernelTime 0:00:00.0000
Start Address nt!ExpWorkerThread (0x80416b4c)
Stack Init f4040000 Current f403fd34 Base f4040000 Limit f403d000 Call 0
Priority 12 BasePriority 12 PriorityDecrement 0 DecrementCount 0

ChildEBP RetAddr Args to Child
f403fd4c 8042d59b 00000000 804746dc 81880da0 nt!KiSwapThread+0xc5
f403fd70 80416bbf 00000000 00000001 00000000 nt!KeRemoveQueue+0x195
f403fda8 80454a24 00000001 00000000 00000000 nt!ExpWorkerThread+0x73
f403fddc 80469212 80416b4c 00000001 00000000 nt!PspSystemThreadStartup+0x54
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16

THREAD 81880b20 Cid 8.24 Teb: 00000000 Win32Thread: 00000000 WAIT: (WrEventPairLow) UserMode Non-Alertable
804746dc Unknown
Not impersonating
Owning Process 818b5380
Wait Start TickCount 247 Elapsed Ticks: 1
Context Switch Count 3
UserTime 0:00:00.0000
KernelTime 0:00:00.0000
Start Address nt!ExpWorkerThread (0x80416b4c)
Stack Init f4044000 Current f4043d34 Base f4044000 Limit f4041000 Call 0
Priority 12 BasePriority 12 PriorityDecrement 0 DecrementCount 0

ChildEBP RetAddr Args to Child
f4043d4c 8042d59b 80477c60 804746dc 81880b20 nt!KiSwapThread+0xc5
f4043d70 80416bbf 00000000 00000001 00000000 nt!KeRemoveQueue+0x195
f4043da8 80454a24 00000000 00000000 00000000 nt!ExpWorkerThread+0x73
f4043ddc 80469212 80416b4c 00000001 00000000 nt!PspSystemThreadStartup+0x54
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16

THREAD 818808a0 Cid 8.28 Teb: 00000000 Win32Thread: 00000000 READY
Not impersonating
Owning Process 818b5380
Wait Start TickCount 247 Elapsed Ticks: 1
Context Switch Count 104
UserTime 0:00:00.0000
KernelTime 0:00:00.0062
Start Address nt!ExpWorkerThread (0x80416b4c)
Stack Init f4048000 Current f4047c2c Base f4048000 Limit f4045000 Call 0
Priority 13 BasePriority 12 PriorityDecrement 0 DecrementCount 0

ChildEBP RetAddr Args to Child
f4047c44 8042c2ad 00000000 818974f4 81897000 nt!KiSwapThread+0xc5
f4047c6c 80414f03 8185fa28 00000000 00000000 nt!KeWaitForSingleObject+0x1a1
f4047ca8 8041457c 818974f4 008974f4 f4047cc0 nt!ExpWaitForResource+0x2d
f4047cb8 804145c1 f4047cdc 8041456d 818974f4 nt!ExpAcquireResourceExclusiveLite+0x64
f4047cc0 8041456d 818974f4 00000001 818970f0 nt!ExAcquireResourceExclusiveLite+0x37
f4047cdc 804145c1 f4047d78 bfeeea81 818974f4 nt!ExpAcquireResourceExclusiveLite+0x55
f4047ce4 bfeeea81 818974f4 00000001 81897a68 nt!ExAcquireResourceExclusiveLite+0x37
f4047cf4 bff187c5 81897a68 818970f0 00000001 Ntfs!NtfsAcquireExclusiveVcb+0x1b
f4047d78 80416bfa 81897a68 00000000 00000000 Ntfs!NtfsSpecialDispatch+0x115
f4047da8 80454a24 81897a68 00000000 00000000 nt!ExpWorkerThread+0xae
f4047ddc 80469212 80416b4c 00000001 00000000 nt!PspSystemThreadStartup+0x54
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16

THREAD 81880620 Cid 8.2c Teb: 00000000 Win32Thread: 00000000 WAIT: (WrEventPairLow) KernelMode Non-Alertable
80474718 Unknown
Not impersonating
Owning Process 818b5380
Wait Start TickCount 14 Elapsed Ticks: 234
Context Switch Count 1
UserTime 0:00:00.0000
KernelTime 0:00:00.0000
Start Address nt!ExpWorkerThread (0x80416b4c)
Stack Init f404c000 Current f404bd34 Base f404c000 Limit f4049000 Call 0
Priority 15 BasePriority 15 PriorityDecrement 0 DecrementCount 0

ChildEBP RetAddr Args to Child
f404bd4c 8042d59b 00000000 80474718 81880620 nt!KiSwapThread+0xc5
f404bd70 80416bbf 00000000 00000000 00000000 nt!KeRemoveQueue+0x195
f404bda8 80454a24 00000002 00000000 00000000 nt!ExpWorkerThread+0x73
f404bddc 80469212 80416b4c 00000002 00000000 nt!PspSystemThreadStartup+0x54
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16

THREAD 818803a0 Cid 8.30 Teb: 00000000 Win32Thread: 00000000 WAIT: (Executive) KernelMode Non-Alertable
f404fd78 NotificationTimer
80474760 SynchronizationEvent
Not impersonating
Owning Process 818b5380
Wait Start TickCount 232 Elapsed Ticks: 16
Context Switch Count 4
UserTime 0:00:00.0000
KernelTime 0:00:00.0000
Start Address nt!ExpWorkerThreadBalanceManager (0x8049423e)
Stack Init f4050000 Current f404fcf8 Base f4050000 Limit f404d000 Call 0
Priority 14 BasePriority 14 PriorityDecrement 0 DecrementCount 0

ChildEBP RetAddr Args to Child
f404fd10 8042c02e ff676980 00000000 ffffffff nt!KiSwapThread+0xc5
f404fd44 80494293 00000002 f404fda0 00000001 nt!KeWaitForMultipleObjects+0x266
f404fda8 80454a24 00000000 00000000 00000000 nt!ExpWorkerThreadBalanceManager+0x55
f404fddc 80469212 8049423e 00000000 00000000 nt!PspSystemThreadStartup+0x54
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16

THREAD 8187e880 Cid 8.34 Teb: 00000000 Win32Thread: 00000000 WAIT: (WrVirtualMemory) UserMode Non-Alertable
80481b44 Semaphore Limit 0x7fffffff
80481a70 NotificationEvent
Not impersonating
Owning Process 818b5380
Wait Start TickCount 104 Elapsed Ticks: 144
Context Switch Count 1
UserTime 0:00:00.0000
KernelTime 0:00:00.0000
Start Address nt!MiDereferenceSegmentThread (0x8043941e)
Stack Init f4054000 Current f4053d20 Base f4054000 Limit f4051000 Call 0
Priority 18 BasePriority 8 PriorityDecrement 0 DecrementCount 0

ChildEBP RetAddr Args to Child
f4053d38 8042c02e 00000000 00000000 80064bd4 nt!KiSwapThread+0xc5
f4053d6c 80439462 00000002 f4053da0 00000001 nt!KeWaitForMultipleObjects+0x266
f4053da8 80454a24 00000000 00000000 00000000 nt!MiDereferenceSegmentThread+0x44
f4053ddc 80469212 8043941e 00000000 00000000 nt!PspSystemThreadStartup+0x54
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16

THREAD 8187e600 Cid 8.38 Teb: 00000000 Win32Thread: 00000000 WAIT: (WrFreePage) KernelMode Non-Alertable
804821b0 NotificationEvent
80481370 NotificationEvent
Not impersonating
Owning Process 818b5380
Wait Start TickCount 104 Elapsed Ticks: 144
Context Switch Count 1
UserTime 0:00:00.0000
KernelTime 0:00:00.0000
Start Address nt!MiModifiedPageWriter (0x804cd328)
Stack Init f4058000 Current f4057ce0 Base f4058000 Limit f4055000 Call 0
Priority 17 BasePriority 8 PriorityDecrement 0 DecrementCount 0

ChildEBP RetAddr Args to Child
f4057cf8 8042c02e 00000014 80481b80 00000000 nt!KiSwapThread+0xc5
f4057d2c 8043c829 00000002 f4057d6c 00000001 nt!KeWaitForMultipleObjects+0x266
f4057d70 804cd490 00000000 00000000 00000000 nt!MiModifiedPageWriterWorker+0x37
f4057da8 80454a24 00000000 00000000 00000000 nt!MiModifiedPageWriter+0x168
f4057ddc 80469212 804cd328 00000000 00000000 nt!PspSystemThreadStartup+0x54
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16

THREAD 8187e380 Cid 8.3c Teb: 00000000 Win32Thread: 00000000 WAIT: (Executive) KernelMode Non-Alertable
f405bd70 NotificationTimer
80481b60 SynchronizationEvent
Not impersonating
Owning Process 818b5380
Wait Start TickCount 232 Elapsed Ticks: 16
Context Switch Count 3
UserTime 0:00:00.0000
KernelTime 0:00:00.0000
Start Address nt!KeBalanceSetManager (0x8046373e)
Stack Init f405c000 Current f405bcc0 Base f405c000 Limit f4059000 Call 0
Priority 16 BasePriority 8 PriorityDecrement 0 DecrementCount 0

ChildEBP RetAddr Args to Child
f405bcd8 8042c02e ffffffff ff676980 00000000 nt!KiSwapThread+0xc5
f405bd0c 804637bc 00000002 f405bd98 00000001 nt!KeWaitForMultipleObjects+0x266
f405bda8 80454a24 00000000 00000000 00000000 nt!KeBalanceSetManager+0x7e
f405bddc 80469212 8046373e 00000000 00000000 nt!PspSystemThreadStartup+0x54
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16

THREAD 8187e100 Cid 8.40 Teb: 00000000 Win32Thread: 00000000 WAIT: (Executive) KernelMode Non-Alertable
80480f10 SynchronizationEvent
Not impersonating
Owning Process 818b5380
Wait Start TickCount 104 Elapsed Ticks: 144
Context Switch Count 1
UserTime 0:00:00.0000
KernelTime 0:00:00.0000
Start Address nt!KeSwapProcessOrStack (0x80463836)
Stack Init f4060000 Current f405fd40 Base f4060000 Limit f405d000 Call 0
Priority 23 BasePriority 8 PriorityDecrement 0 DecrementCount 0

ChildEBP RetAddr Args to Child
f405fd58 8042c2ad 00000000 00000000 00000000 nt!KiSwapThread+0xc5
f405fd80 8046385a 80480f10 00000000 00000000 nt!KeWaitForSingleObject+0x1a1
f405fda8 80454a24 00000000 00000000 00000000 nt!KeSwapProcessOrStack+0x24
f405fddc 80469212 80463836 00000000 00000000 nt!PspSystemThreadStartup+0x54
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16

THREAD 8187d820 Cid 8.44 Teb: 00000000 Win32Thread: 00000000 WAIT: (WrEventPairLow) KernelMode Non-Alertable
804759a0 Unknown
Not impersonating
Owning Process 818b5380
Wait Start TickCount 104 Elapsed Ticks: 144
Context Switch Count 1
UserTime 0:00:00.0000
KernelTime 0:00:00.0000
Start Address nt!FsRtlWorkerThread (0x8041c8cc)
Stack Init f4064000 Current f4063d4c Base f4064000 Limit f4061000 Call 0
Priority 16 BasePriority 8 PriorityDecrement 0 DecrementCount 0

ChildEBP RetAddr Args to Child
f4063d64 8042d59b 80064bec 00000000 804759a0 nt!KiSwapThread+0xc5
f4063d88 8041c8ff 00000000 00000000 00000000 nt!KeRemoveQueue+0x195
f4063da8 80454a24 00000000 00000000 00000000 nt!FsRtlWorkerThread+0x33
f4063ddc 80469212 8041c8cc 00000000 00000000 nt!PspSystemThreadStartup+0x54
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16

THREAD 8187d5a0 Cid 8.48 Teb: 00000000 Win32Thread: 00000000 WAIT: (WrEventPairLow) KernelMode Non-Alertable
804759c8 Unknown
Not impersonating
Owning Process 818b5380
Wait Start TickCount 104 Elapsed Ticks: 144
Context Switch Count 1
UserTime 0:00:00.0000
KernelTime 0:00:00.0000
Start Address nt!FsRtlWorkerThread (0x8041c8cc)
Stack Init f4068000 Current f4067d4c Base f4068000 Limit f4065000 Call 0
Priority 17 BasePriority 8 PriorityDecrement 0 DecrementCount 0

ChildEBP RetAddr Args to Child
f4067d64 8042d59b 80064bec 00000001 804759c8 nt!KiSwapThread+0xc5
f4067d88 8041c8ff 00000000 00000000 00000000 nt!KeRemoveQueue+0x195
f4067da8 80454a24 00000001 00000000 00000000 nt!FsRtlWorkerThread+0x33
f4067ddc 80469212 8041c8cc 00000001 00000000 nt!PspSystemThreadStartup+0x54
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16

THREAD 8186dca0 Cid 8.4c Teb: 00000000 Win32Thread: 00000000 WAIT: (Executive) KernelMode Non-Alertable
bfff10d0 NotificationEvent
bfff10e0 NotificationEvent
Not impersonating
Owning Process 818b5380
Wait Start TickCount 170 Elapsed Ticks: 78
Context Switch Count 606
UserTime 0:00:00.0000
KernelTime 0:00:00.0500
Start Address ACPI!ACPIWorker (0xbffe58c8)
Stack Init f406c000 Current f406bd1c Base f406c000 Limit f4069000 Call 0
Priority 8 BasePriority 8 PriorityDecrement 0 DecrementCount 0

ChildEBP RetAddr Args to Child
f406bd34 8042c02e bfff1100 00000000 80064bec nt!KiSwapThread+0xc5
f406bd68 bffe590e 00000002 f406bd9c 00000001 nt!KeWaitForMultipleObjects+0x266
f406bda8 80454a24 00000000 00000000 00000000 ACPI!ACPIWorker+0x46
f406bddc 80469212 bffe58c8 00000000 00000000 nt!PspSystemThreadStartup+0x54
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16

THREAD 81866760 Cid 8.50 Teb: 00000000 Win32Thread: 00000000 WAIT: (WrVirtualMemory) KernelMode Non-Alertable
80481570 NotificationEvent
Not impersonating
Owning Process 818b5380
Wait Start TickCount 105 Elapsed Ticks: 143
Context Switch Count 1
UserTime 0:00:00.0000
KernelTime 0:00:00.0000
Start Address nt!MiMappedPageWriter (0x8043d0d8)
Stack Init f4070000 Current f406fd2c Base f4070000 Limit f406d000 Call 0
Priority 17 BasePriority 8 PriorityDecrement 0 DecrementCount 0

ChildEBP RetAddr Args to Child
f406fd44 8042c2ad 00000000 00000000 80064bd4 nt!KiSwapThread+0xc5
f406fd6c 8043d125 80481570 00000012 00000000 nt!KeWaitForSingleObject+0x1a1
f406fda8 80454a24 00000000 00000000 00000000 nt!MiMappedPageWriter+0x4d
f406fddc 80469212 8043d0d8 00000000 00000000 nt!PspSystemThreadStartup+0x54
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16

THREAD 8185b1a0 Cid 8.54 Teb: 00000000 Win32Thread: 00000000 WAIT: (Executive) KernelMode Non-Alertable
bffb4200 Semaphore Limit 0x7fffffff
Not impersonating
Owning Process 818b5380
Wait Start TickCount 170 Elapsed Ticks: 78
Context Switch Count 1
UserTime 0:00:00.0000
KernelTime 0:00:00.0000
Start Address dmio!voliod_loop (0xbffa0fc0)
Stack Init f4074000 Current f4073d3c Base f4074000 Limit f4071000 Call 0
Priority 8 BasePriority 8 PriorityDecrement 0 DecrementCount 0

ChildEBP RetAddr Args to Child
f4073d54 8042c2ad 00000000 bffb4c70 00000000 nt!KiSwapThread+0xc5
f4073d7c bffa1359 bffb4200 00000000 00000000 nt!KeWaitForSingleObject+0x1a1
f4073da8 80454a24 00000000 00000000 00000000 dmio!voliod_loop+0x399
f4073ddc 80469212 bffa0fc0 00000000 00000000 nt!PspSystemThreadStartup+0x54
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16

THREAD 818997c0 Cid 8.58 Teb: 00000000 Win32Thread: 00000000 WAIT: (WrEventPairLow) KernelMode Non-Alertable
bfe980b8 Unknown
Not impersonating
Owning Process 818b5380
Wait Start TickCount 236 Elapsed Ticks: 12
Context Switch Count 1
UserTime 0:00:00.0000
KernelTime 0:00:00.0000
Start Address NDIS!ndisWorkerThread (0xbfe9994a)
Stack Init f4078000 Current f4077d50 Base f4078000 Limit f4075000 Call 0
Priority 8 BasePriority 8 PriorityDecrement 0 DecrementCount 0

ChildEBP RetAddr Args to Child
f4077d68 8042d59b 00000000 00000000 00000000 nt!KiSwapThread+0xc5
f4077d8c bfe99978 00000000 00000000 00000000 nt!KeRemoveQueue+0x195
f4077da8 80454a24 00000000 00000000 00000000 NDIS!ndisWorkerThread+0x22
f4077ddc 80469212 bfe9994a 00000000 00000000 nt!PspSystemThreadStartup+0x54
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16

Since it’s a minifilter, you should use FltCreateFile[Ex], not ZwCreateFile.

Your driver resides on the boot disk, right?

Ken


I test it in a virtual machine (VMware 6.0).
The test target is Windows 2000.

I use vmware-mount to map the virtual machine’s C: to my host machine’s Y:
Thus, I can access all files on the virtual machine’s C: from my host machine.

I find that I can’t open the file LFTest.sys (it’s my minifilter driver)!!!
It reports that the file or the directory is bad.
Oh, god! That’s the problem!!!
But why does this happen???
I don’t modify my driver file!!!
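The stack of the RUNNING thread in the `!process 0 7` output posted in this thread can be triaged mechanically. This is an added example, not code from any poster: it re-joins the mail-wrapped frames, pulls the bugcheck code and status out of the `nt!KeBugCheckEx` frame, and lists the modules on the stack. The function names and lookup tables are illustrative, and reading bugcheck parameter 2 as an NTSTATUS is an assumption.

```python
import re

# One frame of a 32-bit kd stack listing:
#   ChildEBP RetAddr Arg1 Arg2 Arg3 [module!symbol+0xoff]
# The symbol is optional because mail wrapping may push it to the next line.
FRAME_RE = re.compile(
    r"^([0-9a-f]{8}) ([0-9a-f]{8}) ([0-9a-f]{8}) ([0-9a-f]{8}) ([0-9a-f]{8})"
    r"(?: (\S+!\S+))?$"
)
SYMBOL_RE = re.compile(r"^\S+!\S+$")

# Lookup tables limited to the two values that occur in this thread.
BUGCHECK_NAMES = {0x7B: "INACCESSIBLE_BOOT_DEVICE"}
NTSTATUS_NAMES = {0xC0000032: "STATUS_DISK_CORRUPT_ERROR"}

# Stack of thread 818b5100 (nt!Phase1Initialization), copied from the thread
# in its mail-wrapped form.
SAMPLE = """\
ChildEBP RetAddr Args to Child
f4022cfc 8042a9e3 00000003 f4022d44 8185d5f0
nt!RtlpBreakWithStatusInstruction
f4022d2c 8042afd6 00000003 00000000 8185d5f0
nt!KiBugCheckDebugBreak+0x31
f40230b8 804ad9aa 0000007b 8185d5f0 c0000032 nt!KeBugCheckEx+0x390
f4023110 80428938 c0000032 00000000 00000000 nt!IopMountVolume+0x33e
f4023138 804bf2c9 f40234c8 8185d5f0 f402331c
nt!IopCheckVpbMounted+0x4a
f40232d8 80450893 8185d5f0 00000000 f4023390 nt!IopParseDevice+0x40f
f4023350 804d59a0 00000000 81881c00 00000040
nt!ObpLookupObjectName+0x4e7
f4023460 8049f9f1 00000000 00000000 00120100
nt!ObOpenObjectByName+0xc8
f402353c 8049f596 f40238bc 00100020 f4023894 nt!IopCreateFile+0x407
f4023584 804a8279 f40238bc 00100020 f4023894 nt!IoCreateFile+0x36
f40235c4 80464f84 f40238bc 00100020 f4023894 nt!NtOpenFile+0x25
f40235c4 8042fe9f f40238bc 00100020 f4023894 nt!KiSystemService+0xc4
f4023654 8055ad81 f40238bc 00100020 f4023894 nt!ZwOpenFile+0xb
f40238c0 805498b6 00000000 00000032 00000000
nt!PsLocateSystemDll+0x67
f4023a58 805486e9 80087000 00000000 00000000 nt!IoInitSystem+0x637
f4023da8 80454a24 80087000 00000000 00000000
nt!Phase1Initialization+0x71b
f4023ddc 80469212 80547fce 80087000 00000000
nt!PspSystemThreadStartup+0x54
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16
"""


def parse_frames(text):
    """Parse stack frames, re-attaching symbols that were wrapped to the next line."""
    frames = []
    for raw in text.splitlines():
        line = raw.strip()
        m = FRAME_RE.match(line)
        if m:
            frames.append({
                "ebp": int(m.group(1), 16),
                "ret": int(m.group(2), 16),
                "args": [int(m.group(i), 16) for i in (3, 4, 5)],
                "symbol": m.group(6),  # None when the symbol was wrapped
            })
        elif SYMBOL_RE.match(line) and frames and frames[-1]["symbol"] is None:
            frames[-1]["symbol"] = line
    return frames


def triage(text):
    """Summarise the bugcheck found in a stack listing, or return None if there is none."""
    frames = [f for f in parse_frames(text) if f["symbol"]]
    for i, frame in enumerate(frames):
        if frame["symbol"].split("+")[0] != "nt!KeBugCheckEx":
            continue
        # The first three stack arguments of KeBugCheckEx are the bugcheck
        # code, parameter 1 and parameter 2.
        code, param1, param2 = frame["args"]
        caller = frames[i + 1]["symbol"].split("+")[0] if i + 1 < len(frames) else None
        return {
            "bugcheck": code,
            "bugcheck_name": BUGCHECK_NAMES.get(code, "unknown"),
            "param1": param1,
            # Assumption: parameter 2 is the NTSTATUS of the failed mount.
            "status": param2,
            "status_name": NTSTATUS_NAMES.get(param2, "unknown"),
            "raised_by": caller,
            # A third-party driver on this stack would show up here.
            "modules": sorted({f["symbol"].split("!")[0] for f in frames}),
        }
    return None


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(key, hex(value) if isinstance(value, int) else value)
```
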