WdfDriverCreate fails with status of 0xC000009A

I’m new to window’s drivers and it appears that I may not be setting something up correctly but I’m unsure what that may be.

I have a fairly barebones kmdf project setup with WDK 8.1. The only thing my driver currently has at the moment is the DriverEntry function and a device add function. This driver is to talk to two custom PCIe devices and I have setup the .inf file to reference the hardware id of the boards.
The driver deploys through visual studio, installs on the target system, and “attaches” (if that is the right word) to my two PCIe devices, but the device is in an error state. Looking at the log statements that my driver outputs, it states that WdfDriverCreate fails with a status of 0xC000009A, which looks to mean “Insufficient Resources”.

So I went to debug the driver and run this !wdfkd.wdflogdump command to get more information.

I believe the symbol paths are setup correctly:
22: kd> .sympath
Symbol search path is: C:\Development\CIP\x64\Win7Debug;srv*C:\winsymbols*https://msdl.microsoft.com/download/symbols
Expanded Symbol search path is: c:\development\cip\x64\win7debug;srv*c:\winsymbols*https://msdl.microsoft.com/download/symbols

************* Symbol Path validation summary **************
Response Time (ms) Location
OK C:\Development\CIP\x64\Win7Debug\
Deferred srv*C:\winsymbols*https://msdl.microsoft.com/download/symbols

When I run the command to list all the loaded modules, I see my driver’s symbols loaded along with the wdf01000.pdb symbol.

I set the trace path and ran the log dump command. This is the resulting output:

22: kd> !wdfkd.wdflogdump CIP.sys
Trace searchpath is:

Trace format prefix is: %7!u!: %!FUNC! -
TMF file used for formatting log is: C:\wintrace\Wdf01000.tmf
Trying to extract TMF information from - c:\winsymbols\Wdf01000.pdb\03FC6AA4329F4372BE924775887225632\Wdf01000.pdb
Log at 0xfffffa8036b60cf8
Gather log: Please wait, this may take a moment (reading 0 bytes).
% read so far …
warn: The log could not be accessed
hint: Are the symbols the WDF library available?
hint: The log is inaccessable after driver unload.

So I have two questions:

1. How can I setup windbg correctly so I can dump logs after the point of failure?
2. What would cause WdfDriverCreate to fail with an Insufficent Resources error? The documentation for the WdfDriverCreate function doesn’t make any mention of that error code although it doesn’t give an explicit list of potential error codes other than what it might return.

xxxxx@gmail.com wrote:

I have a fairly barebones kmdf project setup with WDK 8.1. The only thing my driver currently has at the moment is the DriverEntry function and a device add function. This driver is to talk to two custom PCIe devices and I have setup the .inf file to reference the hardware id of the boards.
The driver deploys through visual studio, installs on the target system, and “attaches” (if that is the right word) to my two PCIe devices, but the device is in an error state. Looking at the log statements that my driver outputs, it states that WdfDriverCreate fails with a status of 0xC000009A, which looks to mean “Insufficient Resources”.

Would you mind showing us your code and your INF file? There are a lot
of details to get right.

I suppose at some point I’ll have to try “deploy through Visual
Studio”. I’ve always been afraid to try that, because I give up so much
control.

So I went to debug the driver and run this !wdfkd.wdflogdump command to get more information.

I believe the symbol paths are setup correctly:
22: kd> .sympath

22?? How many processor cores do you have in this machine?

Trying to extract TMF information from - c:\winsymbols\Wdf01000.pdb\03FC6AA4329F4372BE924775887225632\Wdf01000.pdb
Log at 0xfffffa8036b60cf8
Gather log: Please wait, this may take a moment (reading 0 bytes).
% read so far …
warn: The log could not be accessed
hint: Are the symbols the WDF library available?
hint: The log is inaccessable after driver unload.

So I have two questions:

1. How can I setup windbg correctly so I can dump logs after the point of failure?

Your driver has already been unloaded. The log buffer for a driver is
cleaned up when the driver unloads. You would have to set a breakpoint
at the end of DriverEntry to catch the log before it clears out.

2. What would cause WdfDriverCreate to fail with an Insufficent Resources error? The documentation for the WdfDriverCreate function doesn’t make any mention of that error code although it doesn’t give an explicit list of potential error codes other than what it might return.

KMDF is open source, so you can download the source if you want.
WdfDriverCreate itself only returns that error if its (very small)
memory allocation fails, but it calls a number of APIs and forwards
their return codes, so it could have come from another function. You
haven’t, by chance, turned on Driver Verifier with the “low pool
simulation”, have you? That causes memory allocations to fail randomly,
and should not be used for production testing.

–
Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

Thanks for the quick response, Tim.

Would you mind showing us your code and your INF file? There are a lot

of details to get right.

My inf file:

;
; CIP.inf
;

[Version]
Signature=“$WINDOWS NT$”
Class= Contone Image Processing
ClassGuid={4C4950D7-610E-41E5-B07C-1F46C37B6D82}
Provider=%ManufacturerName%
CatalogFile=CIP.cat

[DestinationDirs]
DefaultDestDir = 12

; ================= Class section =====================

[ClassInstall32]
Addreg=CIPClassReg

[CIPClassReg]
HKR,0,%ClassName%
HKR,Icon,-5

[SourceDisksNames]
1 = %DiskName%,“”

[SourceDisksFiles]
CIP.sys = 1,

;*****************************************
; Install Section
;*****************************************

[Manufacturer]
%ManufacturerName%=Standard,NT$ARCH$

[Standard.NT$ARCH$]
%CIP.DeviceDesc%=CIP_Device, PCI\VEN_10C5&DEV_0145&SUBSYS_014510C5&REV_01

[CIP_Device.NT]
CopyFiles=Drivers_Dir

[Drivers_Dir]
CIP.sys

;-------------- Service installation
[CIP_Device.NT.Services]
AddService = CIP,%SPSVCINST_ASSOCSERVICE%, CIP_Service_Inst

; -------------- CIP driver install sections
[CIP_Service_Inst]
DisplayName = %CIP.SVCDESC%
ServiceType = 1 ; SERVICE_KERNEL_DRIVER
StartType = 3 ; SERVICE_DEMAND_START
ErrorControl = 1 ; SERVICE_ERROR_NORMAL
ServiceBinary = %12%\CIP.sys
LoadOrderGroup = Extended Base

;
;— CIP_Device Coinstaller installation ------
;

[DestinationDirs]
CIP_Device_CoInstaller_CopyFiles = 11

[CIP_Device.NT.CoInstallers]
AddReg=CIP_Device_CoInstaller_AddReg
CopyFiles=CIP_Device_CoInstaller_CopyFiles

[CIP_Device_CoInstaller_AddReg]
HKR,CoInstallers32,0x00010000,
“WdfCoInstaller$KMDFCOINSTALLERVERSION$.dll,WdfCoInstaller”

[CIP_Device_CoInstaller_CopyFiles]
WdfCoInstaller$KMDFCOINSTALLERVERSION$.dll

[SourceDisksFiles]
WdfCoInstaller$KMDFCOINSTALLERVERSION$.dll=1 ; make sure the number
matches with SourceDisksNames

[CIP_Device.NT.Wdf]
KmdfService = CIP, CIP_wdfsect
[CIP_wdfsect]
KmdfLibraryVersion = $KMDFVERSION$

[Strings]
SPSVCINST_ASSOCSERVICE= 0x00000002
ManufacturerName=“Xerox Corporation”
ClassName=“Contone Image Processor”
DiskName = “CIP Installation Disk”
CIP.DeviceDesc = “CIP Device”
CIP.SVCDESC = “CIP Service”

My source:
#include “vipimagedrv.h”

#ifdef ALLOC_PRAGMA
#pragma alloc_text(INIT, DriverEntry)
#pragma alloc_text(PAGE, CipDeviceAdd)
#endif

NTSTATUS DriverEntry(In PDRIVER_OBJECT driverObject, In
PUNICODE_STRING registryPath)
{
NTSTATUS status;
WDF_DRIVER_CONFIG config;
KdPrintEx((DPFLTR_IHVDRIVER_ID, DPFLTR_INFO_LEVEL, “vipimagedrv:
DriverEntry\n”));
WDF_DRIVER_CONFIG_INIT(&config, CipDeviceAdd);

status = WdfDriverCreate(driverObject, registryPath,
WDF_NO_OBJECT_ATTRIBUTES, &config, WDF_NO_HANDLE);
if (!NT_SUCCESS(status))
{
KdPrintEx((DPFLTR_IHVDRIVER_ID, DPFLTR_INFO_LEVEL, “vipimagedrv:
***Error*** WdfDriverCreate Failed: 0x%x”, status));
return status;
}
KdPrintEx((DPFLTR_IHVDRIVER_ID, DPFLTR_INFO_LEVEL, “vipimagedrv:
WdfDriverCreated success”));
return status;
}

NTSTATUS CipDeviceAdd(In WDFDRIVER driver, Inout PWDFDEVICE_INIT deviceInit)
{
NTSTATUS status;
PCIP_DATA cipData;
WDFDEVICE cipDevice;
WDF_OBJECT_ATTRIBUTES cipAttributes;

UNREFERENCED_PARAMETER(driver);
PAGED_CODE();

KdPrint((“vipimagedrv: CipDeviceAdd”));

WDF_OBJECT_ATTRIBUTES_INIT_CONTEXT_TYPE(&cipAttributes, CIP_DATA);

status = WdfDeviceCreate(&deviceInit, &cipAttributes, &cipDevice);
if (!NT_SUCCESS(status))
{
KdPrint((“vipimagedrv: ***Error*** WdfDeviceCreate failed: 0x%x”, status));
return status;
}

cipData = CIPGetData(cipDevice);
status = WdfDeviceCreateDeviceInterface(cipDevice,
(LPGUID)&GUID_CIPDEVICE, NULL);
if (!NT_SUCCESS(status))
{
KdPrint((“vipimagedrv: ***Error*** WdfDeviceCreateDeviceInterface
failed: 0x%x”, status));
return status;
}
return status;
}

vipimagedrv.h

#ifndef VIPIMAGEDRV_H
#define VIPIMAGEDRV_H

#include <ntddk.h>
#include <wdf.h>
#include “Public.h”

DRIVER_INITIALIZE DriverEntry;
EVT_WDF_DRIVER_DEVICE_ADD CipDeviceAdd;

typedef struct _CIP_DATA
{
int x;
} CIP_DATA, PCIP_DATA;

WDF_DECLARE_CONTEXT_TYPE_WITH_NAME(CIP_DATA, CIPGetData)

#endif / VIPIMAGEDRV_H */

22?? How many processor cores do you have in this machine?

It’s a pretty beefy system. It’s has duel Intel Xeon E5-2687W CPUs. 10
hyperthreaded cores for each CPU.

Your driver has already been unloaded. The log buffer for a driver is
> cleaned up when the driver unloads. You would have to set a breakpoint
> at the end of DriverEntry to catch the log before it clears out.

I was stepping through the code and ran the dump command immediately after
it called on WdfDriverCreate. It should have still been loaded at that
point, right?

by chance, turned on Driver Verifier with the “low pool
> simulation”, have you?

It was turned on but low pool simulation was not. I turned it off and
deployed it again but the driver still resulted in an error.
I’ll take a look at the source and trace through it to see who returns this
particular error.

On Thu, Jul 14, 2016 at 10:42 AM, Tim Roberts wrote:

> xxxxx@gmail.com wrote:
> > I have a fairly barebones kmdf project setup with WDK 8.1. The only
> thing my driver currently has at the moment is the DriverEntry function and
> a device add function. This driver is to talk to two custom PCIe devices
> and I have setup the .inf file to reference the hardware id of the boards.
> > The driver deploys through visual studio, installs on the target system,
> and “attaches” (if that is the right word) to my two PCIe devices, but the
> device is in an error state. Looking at the log statements that my driver
> outputs, it states that WdfDriverCreate fails with a status of 0xC000009A,
> which looks to mean “Insufficient Resources”.
>
> Would you mind showing us your code and your INF file? There are a lot
> of details to get right.
>
> I suppose at some point I’ll have to try “deploy through Visual
> Studio”. I’ve always been afraid to try that, because I give up so much
> control.
>
>
> > So I went to debug the driver and run this !wdfkd.wdflogdump command to
> get more information.
> >
> > I believe the symbol paths are setup correctly:
> > 22: kd> .sympath
>
> 22?? How many processor cores do you have in this machine?
>
>
>
> > Trying to extract TMF information from -
> c:\winsymbols\Wdf01000.pdb\03FC6AA4329F4372BE924775887225632\Wdf01000.pdb
> > Log at 0xfffffa8036b60cf8
> > Gather log: Please wait, this may take a moment (reading 0 bytes).
> > % read so far …
> > warn: The log could not be accessed
> > hint: Are the symbols the WDF library available?
> > hint: The log is inaccessable after driver unload.
> >
> >
> > So I have two questions:
> > 1) How can I setup windbg correctly so I can dump logs after the point
> of failure?
>
> Your driver has already been unloaded. The log buffer for a driver is
> cleaned up when the driver unloads. You would have to set a breakpoint
> at the end of DriverEntry to catch the log before it clears out.
>
>
> > 2) What would cause WdfDriverCreate to fail with an Insufficent
> Resources error? The documentation for the WdfDriverCreate function doesn’t
> make any mention of that error code although it doesn’t give an explicit
> list of potential error codes other than what it might return.
>
> KMDF is open source, so you can download the source if you want.
> WdfDriverCreate itself only returns that error if its (very small)
> memory allocation fails, but it calls a number of APIs and forwards
> their return codes, so it could have come from another function. You
> haven’t, by chance, turned on Driver Verifier with the “low pool
> simulation”, have you? That causes memory allocations to fail randomly,
> and should not be used for production testing.
>
> –
> Tim Roberts, xxxxx@probo.com
> Providenza & Boekelheide, Inc.
>
>
> —
> NTDEV is sponsored by OSR
>
> Visit the list online at: <
> http://www.osronline.com/showlists.cfm?list=ntdev&gt;
>
> MONTHLY seminars on crash dump analysis, WDF, Windows internals and
> software drivers!
> Details at http:
>
> To unsubscribe, visit the List Server section of OSR Online at <
> http://www.osronline.com/page.cfm?name=ListServer&gt;
></http:></wdf.h></ntddk.h>

Daniel Kulas wrote:

Thanks for the quick response, Tim.

Would you mind showing us your code and your INF file? There are
a lot
of details to get right.

My inf file:

Let me double-check one thing that might seem obvious. This is a
“source” INF file, which has strings to be substituted by PatchINF. I
assume your final driver package includes the patches for $ARCH$ and
$KMDFVERSION$ and so on. Other than that, the INF looks fine.

So, what you see is this?
vipimagedrv: DriverEntry
vipimagedrv: ***Error*** WdfDriverCreate Failed: 0xc000009a

It’s hard for me to explain that. Even if your device had extremely
large BARs, it shouldn’t cause a problem at this point. This is all
just configuration. Do you see your device in Device Manager? Do the
resource assignments look right?

What is your target operating system?

I was stepping through the code and ran the dump command immediately
after it called on WdfDriverCreate. It should have still been loaded
at that point, right?

Yes, but KMDF aborted during its initialization process. KMDF packed up
its toys and went home. Its log is gone.

It was turned on but low pool simulation was not. I turned it off and
deployed it again but the driver still resulted in an error.
I’ll take a look at the source and trace through it to see who returns
this particular error.

I’m not sure that’s going to help. WdfDriverCreate calls a lot of WDM
functions where you don’t have source. It’s tedious, but you might try
single-stepping through to see at what point the error is detected.

–
Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

>

Let me double-check one thing that might seem obvious. This is a
“source” INF file, which has strings to be substituted by PatchINF. I
assume your final driver package includes the patches for $ARCH$ and
$KMDFVERSION$ and so on.

Yes. The correct inf file is generated when installed on the target system.

Do you see your device in Device Manager? Do the

resource assignments look right?

Yup. I see the two instances of my device loaded and on inspecting it,
basic information on the PCIe device is displayed that matches with what is
expected.

What is your target operating system?

Windows 7 Embedded.

On Thu, Jul 14, 2016 at 11:46 AM, Tim Roberts wrote:

> Daniel Kulas wrote:
> > Thanks for the quick response, Tim.
> >
> > Would you mind showing us your code and your INF file? There are
> > a lot
> > of details to get right.
> >
> >
> > My inf file:
>
> Let me double-check one thing that might seem obvious. This is a
> “source” INF file, which has strings to be substituted by PatchINF. I
> assume your final driver package includes the patches for $ARCH$ and
> $KMDFVERSION$ and so on. Other than that, the INF looks fine.
>
> So, what you see is this?
> vipimagedrv: DriverEntry
> vipimagedrv: Error WdfDriverCreate Failed: 0xc000009a
>
> It’s hard for me to explain that. Even if your device had extremely
> large BARs, it shouldn’t cause a problem at this point. This is all
> just configuration. Do you see your device in Device Manager? Do the
> resource assignments look right?
>
> What is your target operating system?
>
>
> > I was stepping through the code and ran the dump command immediately
> > after it called on WdfDriverCreate. It should have still been loaded
> > at that point, right?
>
> Yes, but KMDF aborted during its initialization process. KMDF packed up
> its toys and went home. Its log is gone.
>
>
> > It was turned on but low pool simulation was not. I turned it off and
> > deployed it again but the driver still resulted in an error.
> > I’ll take a look at the source and trace through it to see who returns
> > this particular error.
>
> I’m not sure that’s going to help. WdfDriverCreate calls a lot of WDM
> functions where you don’t have source. It’s tedious, but you might try
> single-stepping through to see at what point the error is detected.
>
> –
> Tim Roberts, xxxxx@probo.com
> Providenza & Boekelheide, Inc.
>
>
> —
> NTDEV is sponsored by OSR
>
> Visit the list online at: <
> http://www.osronline.com/showlists.cfm?list=ntdev&gt;
>
> MONTHLY seminars on crash dump analysis, WDF, Windows internals and
> software drivers!
> Details at http:
>
> To unsubscribe, visit the List Server section of OSR Online at <
> http://www.osronline.com/page.cfm?name=ListServer&gt;
></http:>

So I think I pin-pointed where it fails.

Inside of the function, Wdf01000!imp_WdfDriverCreate, a call is made to
Wdf01000!FxDriver::FxDriver
That call is located at imp_WdfDriverCreate+0x36f.

After that routine finishes, there’s a jump made to
imp_WdfDriverCreate+0x3bb.
At that address, there’s the error code I run into.

fffff88000e8d177 call Wdf01000!FxDriver::FxDriver (fffff88000e8bdb0)
fffff88000e8d17c mov rbx,rax fffff88000e8d17f test rbx,rbx
fffff88000e8d182 je Wdf01000!imp_WdfDriverCreate+0x3bb (fffff88000e8d1c3)

fffff880`00e8d1c3 mov ebp,0C000009Ah

The instructions after that is a call to FxDestroy and eventually leads
back to returning the error code to my driver.

I’m currently looking inside of the disassembly of FxDriver, but I don’t
really know what I’m looking for at this point. There are several calls to
other routines that I guess I’ll have to step through and see if I can make
sense of anything.

On Fri, Jul 15, 2016 at 5:41 AM, Daniel Kulas wrote:

> Let me double-check one thing that might seem obvious. This is a
>> “source” INF file, which has strings to be substituted by PatchINF. I
>> assume your final driver package includes the patches for $ARCH$ and
>> $KMDFVERSION$ and so on.
>
>
> Yes. The correct inf file is generated when installed on the target system.
>
> Do you see your device in Device Manager? Do the
>> resource assignments look right?
>
>
> Yup. I see the two instances of my device loaded and on inspecting it,
> basic information on the PCIe device is displayed that matches with what is
> expected.
>
> What is your target operating system?
>
>
> Windows 7 Embedded.
>
>
> On Thu, Jul 14, 2016 at 11:46 AM, Tim Roberts wrote:
>
>> Daniel Kulas wrote:
>> > Thanks for the quick response, Tim.
>> >
>> > Would you mind showing us your code and your INF file? There are
>> > a lot
>> > of details to get right.
>> >
>> >
>> > My inf file:
>>
>> Let me double-check one thing that might seem obvious. This is a
>> “source” INF file, which has strings to be substituted by PatchINF. I
>> assume your final driver package includes the patches for $ARCH$ and
>> $KMDFVERSION$ and so on. Other than that, the INF looks fine.
>>
>> So, what you see is this?
>> vipimagedrv: DriverEntry
>> vipimagedrv: Error WdfDriverCreate Failed: 0xc000009a
>>
>> It’s hard for me to explain that. Even if your device had extremely
>> large BARs, it shouldn’t cause a problem at this point. This is all
>> just configuration. Do you see your device in Device Manager? Do the
>> resource assignments look right?
>>
>> What is your target operating system?
>>
>>
>> > I was stepping through the code and ran the dump command immediately
>> > after it called on WdfDriverCreate. It should have still been loaded
>> > at that point, right?
>>
>> Yes, but KMDF aborted during its initialization process. KMDF packed up
>> its toys and went home. Its log is gone.
>>
>>
>> > It was turned on but low pool simulation was not. I turned it off and
>> > deployed it again but the driver still resulted in an error.
>> > I’ll take a look at the source and trace through it to see who returns
>> > this particular error.
>>
>> I’m not sure that’s going to help. WdfDriverCreate calls a lot of WDM
>> functions where you don’t have source. It’s tedious, but you might try
>> single-stepping through to see at what point the error is detected.
>>
>> –
>> Tim Roberts, xxxxx@probo.com
>> Providenza & Boekelheide, Inc.
>>
>>
>> —
>> NTDEV is sponsored by OSR
>>
>> Visit the list online at: <
>> http://www.osronline.com/showlists.cfm?list=ntdev&gt;
>>
>> MONTHLY seminars on crash dump analysis, WDF, Windows internals and
>> software drivers!
>> Details at http:
>>
>> To unsubscribe, visit the List Server section of OSR Online at <
>> http://www.osronline.com/page.cfm?name=ListServer&gt;
>>
>
></http:>

Daniel Kulas wrote:

So I think I pin-pointed where it fails.

Inside of the function, Wdf01000!imp_WdfDriverCreate, a call is made
toWdf01000!FxDriver::FxDriver
That call is located at imp_WdfDriverCreate+0x36f.

After that routine finishes, there’s a jump made
toimp_WdfDriverCreate+0x3bb.
At that address, there’s the error code I run into.

fffff88000e8d177 call Wdf01000!FxDriver::FxDriver (fffff88000e8bdb0)
fffff88000e8d17c mov rbx,rax fffff88000e8d17f test rbx,rbx
fffff88000e8d182 je Wdf01000!imp_WdfDriverCreate+0x3bb (fffff88000e8d1c3)

fffff880`00e8d1c3 mov ebp,0C000009Ah

The instructions after that is a call to FxDestroy and eventually
leads back to returning the error code to my driver.

That’s the only return of STATUS_INSUFFICIENT_RESOURCES in the routine
– after the FxDriver constructor. Now, have you actually
single-stepped through this code at run-time to verify that this is
actually the path you take, or are you just assuming that it is because
you found the error code in the disassembly? Because I would
confidently assert that it is utterly impossible for this error can
occur. That’s a “placement new”:

pDriver = new(pFxDriverGlobals, DriverAttributes)
FxDriver(DriverObject, DriverConfig, pFxDriverGlobals);

if (pDriver != NULL) {
…
}
else {
status = STATUS_INSUFFICIENT_RESOURCES;
}

What that means is that there is no memory allocation being done. The
memory to be used is being provided (“pFxDriverGlobal”). All that has
to happen is to call the FxDriver constructor, which is what you see in
the disassembly. A constructor cannot fail (without throwing an
exception, which isn’t supported). If you look at the disassembly,
you’ll see that the constructor is straight-line with no early exits.
It keeps the memory pointer in rbx, and the last thing it does is copy
rbx back into rax. But if rbx is null, there would have been a
blue-screen way earlier in the function.

–
Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

The placement new does allocate memory so it can fail at the allocation stage.

Get Outlook for Androidhttps:

On Fri, Jul 15, 2016 at 10:10 AM -0700, “Tim Roberts” > wrote:

Daniel Kulas wrote:
>
> So I think I pin-pointed where it fails.
>
> Inside of the function, Wdf01000!imp_WdfDriverCreate, a call is made
> toWdf01000!FxDriver::FxDriver
> That call is located at imp_WdfDriverCreate+0x36f.
>
> After that routine finishes, there’s a jump made
> toimp_WdfDriverCreate+0x3bb.
> At that address, there’s the error code I run into.
>
> fffff88000e8d177 call Wdf01000!FxDriver::FxDriver (fffff88000e8bdb0)
> fffff88000e8d17c mov rbx,rax<br>&gt; fffff88000e8d17f test rbx,rbx
> fffff88000e8d182 je Wdf01000!imp_WdfDriverCreate+0x3bb<br>&gt; (fffff88000e8d1c3)
> –
> fffff880`00e8d1c3 mov ebp,0C000009Ah
>
> The instructions after that is a call to FxDestroy and eventually
> leads back to returning the error code to my driver.

That’s the only return of STATUS_INSUFFICIENT_RESOURCES in the routine
– after the FxDriver constructor. Now, have you actually
single-stepped through this code at run-time to verify that this is
actually the path you take, or are you just assuming that it is because
you found the error code in the disassembly? Because I would
confidently assert that it is utterly impossible for this error can
occur. That’s a “placement new”:

pDriver = new(pFxDriverGlobals, DriverAttributes)
FxDriver(DriverObject, DriverConfig, pFxDriverGlobals);

if (pDriver != NULL) {
…
}
else {
status = STATUS_INSUFFICIENT_RESOURCES;
}

What that means is that there is no memory allocation being done. The
memory to be used is being provided (“pFxDriverGlobal”). All that has
to happen is to call the FxDriver constructor, which is what you see in
the disassembly. A constructor cannot fail (without throwing an
exception, which isn’t supported). If you look at the disassembly,
you’ll see that the constructor is straight-line with no early exits.
It keeps the memory pointer in rbx, and the last thing it does is copy
rbx back into rax. But if rbx is null, there would have been a
blue-screen way earlier in the function.

–
Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

—
NTDEV is sponsored by OSR

Visit the list online at: http:

MONTHLY seminars on crash dump analysis, WDF, Windows internals and software drivers!
Details at http:

To unsubscribe, visit the List Server section of OSR Online at http:</http:></http:></http:></https:>

You’re right. I’m not entirely sure how it stepped inside of the
constructor of FxDriver. I’m entirely sure it did as I was writing down
what instructors I was hitting. Anyways, no matter. This is the trace that
shows returning the 0xC000005A error.

CIP!DriverEntry:
fffff88006185000 4889542410 mov qword ptr [rsp+10h],rdx 22: kd\> bp Wdf01000!imp_WdfDriverCreate 22: kd\> bp Wdf01000!FxObjectHandleAlloc 22: kd\> bp Wdf01000!FxCalculateObjectTotalSize2 22: kd\> g Breakpoint 0 hit CIP!DriverEntry+0x36: fffff88006185036 48c744242000000000 mov qword ptr [rsp+20h],0
22: kd> g
Breakpoint 2 hit
Wdf01000!imp_WdfDriverCreate:
fffff88000ef7e08 488bc4 mov rax,rsp 22: kd\> g Breakpoint 6 hit Wdf01000!imp_WdfDriverCreate+0x354: fffff88000ef815c e8a7a8feff call
Wdf01000!FxObjectHandleAlloc (fffff88000ee2a08) Breakpoint 3 hit Wdf01000!FxObjectHandleAlloc: fffff88000ee2a08 488bc4 mov rax,rsp
22: kd> g
Breakpoint 7 hit
Wdf01000!FxObjectHandleAlloc+0xa3:
fffff88000ee2aab e890000000 call Wdf01000!FxCalculateObjectTotalSize2 (fffff88000ee2b40)
Breakpoint 4 hit
Wdf01000!FxCalculateObjectTotalSize2:
fffff88000ee2b40 48895c2408 mov qword ptr [rsp+8],rbx 22: kd\> g Breakpoint 8 hit Wdf01000!FxObjectHandleAlloc+0xda: fffff88000ee2ae2 e851fcffff call Wdf01000!FxPoolAllocator
(fffff88000ee2738) Wdf01000!FxPoolAllocator: fffff88000ee2738 4c8bdc mov r11,rsp
22: kd> g
Breakpoint 10 hit
Wdf01000!FxPoolAllocator+0x2c7:
fffff88000ee29ff c3 ret Wdf01000!FxObjectHandleAlloc+0xdf: fffff88000ee2ae7 4885c0 test rax,rax
Wdf01000!FxObjectHandleAlloc+0xe2:
fffff88000ee2aea 742d je Wdf01000!FxObjectHandleAlloc+0x111 (fffff88000ee2b19)
Wdf01000!FxObjectHandleAlloc+0x111:
fffff88000ee2b19 488b5c2460 mov rbx,qword ptr [rsp+60h] 22: kd\> g Breakpoint 11 hit Wdf01000!FxObjectHandleAlloc+0x12f: fffff88000ee2b37 c3 ret
Wdf01000!imp_WdfDriverCreate+0x359:
fffff88000ef8161 4885c0 test rax,rax Wdf01000!imp_WdfDriverCreate+0x35c: fffff88000ef8164 7419 je
Wdf01000!imp_WdfDriverCreate+0x377 (fffff88000ef817f) Wdf01000!imp_WdfDriverCreate+0x377: fffff88000ef817f 4885db test rbx,rbx
Wdf01000!imp_WdfDriverCreate+0x37a:
fffff88000ef8182 743f je Wdf01000!imp_WdfDriverCreate+0x3bb (fffff88000ef81c3)
Breakpoint 5 hit
Wdf01000!imp_WdfDriverCreate+0x3bb:
fffff88000ef81c3 bd9a0000c0 mov ebp,0C000009Ah Wdf01000!imp_WdfDriverCreate+0x3c0: fffff88000ef81c8 85ed test ebp,ebp
Wdf01000!imp_WdfDriverCreate+0x3c2:
fffff88000ef81ca 7851 js Wdf01000!imp_WdfDriverCreate+0x415 (fffff88000ef821d)
Wdf01000!imp_WdfDriverCreate+0x415:
fffff88000ef821d 4885db test rbx,rbx Wdf01000!imp_WdfDriverCreate+0x418: fffff88000ef8220 7408 je
Wdf01000!imp_WdfDriverCreate+0x422 (fffff88000ef822a) Wdf01000!imp_WdfDriverCreate+0x422: fffff88000ef822a 488bcf mov rcx,rdi
Wdf01000!imp_WdfDriverCreate+0x425:
fffff88000ef822d e82a520500 call Wdf01000!FxDestroy (fffff88000f4d45c)
Wdf01000!imp_WdfDriverCreate+0x42a:
fffff88000ef8232 8bc5 mov eax,ebp Wdf01000!imp_WdfDriverCreate+0x42c: fffff88000ef8234 eb30 jmp
Wdf01000!imp_WdfDriverCreate+0x45e (fffff88000ef8266) Wdf01000!imp_WdfDriverCreate+0x45e: fffff88000ef8266 4c8d5c2450 lea r11,[rsp+50h]
Wdf01000!imp_WdfDriverCreate+0x463:
fffff88000ef826b 498b5b38 mov rbx,qword ptr [r11+38h] 22: kd\> g Breakpoint 12 hit Wdf01000!imp_WdfDriverCreate+0x47b: fffff88000ef8283 c3 ret
CIP!WdfDriverCreate+0x60:
fffff8800617f1b0 4883c448 add rsp,48h CIP!DriverEntry+0x56: fffff88006185056 89442430 mov dword ptr [rsp+30h],eax
CIP!DriverEntry+0x5a:
fffff880`0618505a 837c243000 cmp dword ptr [rsp+30h],0

I got a bit trigger happy with my breakpoints since it takes quite a while
to step through a single instruction, but I’m almost positive it fails in
here:
fffff88000ee2aea 742d je Wdf01000!FxObjectHandleAlloc+0x111 (fffff88000ee2b19)

But looking at the .cpp source, FxObjectHandleAlloc lives inside of
handleapi.cpp, and the only calls that set the status are RtlSizeTAdd,
FxCalcaulateObjectTotalSize, and FxPoolAllocateWithTag. I can’t seem to
find the cpp that holds the definition of the function RtlSizeTAdd and
FxCalculateObjectTotalSize only seems to return status which are set by
RtlSizeTAdd. Which leaves FxPoolAllocateWithTag.

FxPoolAllocateWithTag just returns the output of FxPoolAllocator.
FxPoolAllocator looks to fail if the Size parameter is 0 or if these
RtlSIZETAdd functions fail.

I wonder if the Size parameter is equal to 0. I’ll have to see where that
is set at.

On Fri, Jul 15, 2016 at 10:10 AM, Tim Roberts wrote:

> Daniel Kulas wrote:
> >
> > So I think I pin-pointed where it fails.
> >
> > Inside of the function, Wdf01000!imp_WdfDriverCreate, a call is made
> > toWdf01000!FxDriver::FxDriver
> > That call is located at imp_WdfDriverCreate+0x36f.
> >
> > After that routine finishes, there’s a jump made
> > toimp_WdfDriverCreate+0x3bb.
> > At that address, there’s the error code I run into.
> >
> > fffff88000e8d177 call Wdf01000!FxDriver::FxDriver (fffff88000e8bdb0)
> > fffff88000e8d17c mov rbx,rax<br>&gt; &gt; fffff88000e8d17f test rbx,rbx
> > fffff88000e8d182 je Wdf01000!imp_WdfDriverCreate+0x3bb<br>&gt; &gt; (fffff88000e8d1c3)
> > –
> > fffff880`00e8d1c3 mov ebp,0C000009Ah
> >
> > The instructions after that is a call to FxDestroy and eventually
> > leads back to returning the error code to my driver.
>
> That’s the only return of STATUS_INSUFFICIENT_RESOURCES in the routine
> – after the FxDriver constructor. Now, have you actually
> single-stepped through this code at run-time to verify that this is
> actually the path you take, or are you just assuming that it is because
> you found the error code in the disassembly? Because I would
> confidently assert that it is utterly impossible for this error can
> occur. That’s a “placement new”:
>
> pDriver = new(pFxDriverGlobals, DriverAttributes)
> FxDriver(DriverObject, DriverConfig, pFxDriverGlobals);
>
> if (pDriver != NULL) {
> …
> }
> else {
> status = STATUS_INSUFFICIENT_RESOURCES;
> }
>
> What that means is that there is no memory allocation being done. The
> memory to be used is being provided (“pFxDriverGlobal”). All that has
> to happen is to call the FxDriver constructor, which is what you see in
> the disassembly. A constructor cannot fail (without throwing an
> exception, which isn’t supported). If you look at the disassembly,
> you’ll see that the constructor is straight-line with no early exits.
> It keeps the memory pointer in rbx, and the last thing it does is copy
> rbx back into rax. But if rbx is null, there would have been a
> blue-screen way earlier in the function.
>
> –
> Tim Roberts, xxxxx@probo.com
> Providenza & Boekelheide, Inc.
>
>
> —
> NTDEV is sponsored by OSR
>
> Visit the list online at: <
> http://www.osronline.com/showlists.cfm?list=ntdev&gt;
>
> MONTHLY seminars on crash dump analysis, WDF, Windows internals and
> software drivers!
> Details at http:
>
> To unsubscribe, visit the List Server section of OSR Online at <
> http://www.osronline.com/page.cfm?name=ListServer&gt;
></http:>

You can try to set a conditional breakpoint on the return instruction of ExAllocatePoolWithTag. This condition would be:

(@rax == 0)

Set the conditional breakpoint when you DriverEntry begins and delete it before DriverEntry returns because ExAllocatePoolWithTag is very busy.

Are you initializing the WDF_OBJECT_ATTRIBUTES you are passing in? how big of a context are you asking for? Dump the structure right before you make the WdfDriverCreate call. I would guess you are asking for a very large value, perhaps a not initialized value.

d

From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of Daniel Kulas
Sent: Friday, July 15, 2016 12:54 PM
To: Windows System Software Devs Interest List
Subject: Re: [ntdev] WdfDriverCreate fails with status of 0xC000009A

You’re right. I’m not entirely sure how it stepped inside of the constructor of FxDriver. I’m entirely sure it did as I was writing down what instructors I was hitting. Anyways, no matter. This is the trace that shows returning the 0xC000005A error.

CIP!DriverEntry:
fffff88006185000 4889542410 mov qword ptr [rsp+10h],rdx<br>22: kd&gt; bp Wdf01000!imp_WdfDriverCreate<br>22: kd&gt; bp Wdf01000!FxObjectHandleAlloc<br>22: kd&gt; bp Wdf01000!FxCalculateObjectTotalSize2<br>22: kd&gt; g<br>Breakpoint 0 hit<br>CIP!DriverEntry+0x36:<br>fffff88006185036 48c744242000000000 mov qword ptr [rsp+20h],0
22: kd> g
Breakpoint 2 hit
Wdf01000!imp_WdfDriverCreate:
fffff88000ef7e08 488bc4 mov rax,rsp<br>22: kd&gt; g<br>Breakpoint 6 hit<br>Wdf01000!imp_WdfDriverCreate+0x354:<br>fffff88000ef815c e8a7a8feff call Wdf01000!FxObjectHandleAlloc (fffff88000ee2a08)<br>Breakpoint 3 hit<br>Wdf01000!FxObjectHandleAlloc:<br>fffff88000ee2a08 488bc4 mov rax,rsp
22: kd> g
Breakpoint 7 hit
Wdf01000!FxObjectHandleAlloc+0xa3:
fffff88000ee2aab e890000000 call Wdf01000!FxCalculateObjectTotalSize2 (fffff88000ee2b40)
Breakpoint 4 hit
Wdf01000!FxCalculateObjectTotalSize2:
fffff88000ee2b40 48895c2408 mov qword ptr [rsp+8],rbx<br>22: kd&gt; g<br>Breakpoint 8 hit<br>Wdf01000!FxObjectHandleAlloc+0xda:<br>fffff88000ee2ae2 e851fcffff call Wdf01000!FxPoolAllocator (fffff88000ee2738)<br>Wdf01000!FxPoolAllocator:<br>fffff88000ee2738 4c8bdc mov r11,rsp
22: kd> g
Breakpoint 10 hit
Wdf01000!FxPoolAllocator+0x2c7:
fffff88000ee29ff c3 ret<br>Wdf01000!FxObjectHandleAlloc+0xdf:<br>fffff88000ee2ae7 4885c0 test rax,rax
Wdf01000!FxObjectHandleAlloc+0xe2:
fffff88000ee2aea 742d je Wdf01000!FxObjectHandleAlloc+0x111 (fffff88000ee2b19)
Wdf01000!FxObjectHandleAlloc+0x111:
fffff88000ee2b19 488b5c2460 mov rbx,qword ptr [rsp+60h]<br>22: kd&gt; g<br>Breakpoint 11 hit<br>Wdf01000!FxObjectHandleAlloc+0x12f:<br>fffff88000ee2b37 c3 ret
Wdf01000!imp_WdfDriverCreate+0x359:
fffff88000ef8161 4885c0 test rax,rax<br>Wdf01000!imp_WdfDriverCreate+0x35c:<br>fffff88000ef8164 7419 je Wdf01000!imp_WdfDriverCreate+0x377 (fffff88000ef817f)<br>Wdf01000!imp_WdfDriverCreate+0x377:<br>fffff88000ef817f 4885db test rbx,rbx
Wdf01000!imp_WdfDriverCreate+0x37a:
fffff88000ef8182 743f je Wdf01000!imp_WdfDriverCreate+0x3bb (fffff88000ef81c3)
Breakpoint 5 hit
Wdf01000!imp_WdfDriverCreate+0x3bb:
fffff88000ef81c3 bd9a0000c0 mov ebp,0C000009Ah<br>Wdf01000!imp_WdfDriverCreate+0x3c0:<br>fffff88000ef81c8 85ed test ebp,ebp
Wdf01000!imp_WdfDriverCreate+0x3c2:
fffff88000ef81ca 7851 js Wdf01000!imp_WdfDriverCreate+0x415 (fffff88000ef821d)
Wdf01000!imp_WdfDriverCreate+0x415:
fffff88000ef821d 4885db test rbx,rbx<br>Wdf01000!imp_WdfDriverCreate+0x418:<br>fffff88000ef8220 7408 je Wdf01000!imp_WdfDriverCreate+0x422 (fffff88000ef822a)<br>Wdf01000!imp_WdfDriverCreate+0x422:<br>fffff88000ef822a 488bcf mov rcx,rdi
Wdf01000!imp_WdfDriverCreate+0x425:
fffff88000ef822d e82a520500 call Wdf01000!FxDestroy (fffff88000f4d45c)
Wdf01000!imp_WdfDriverCreate+0x42a:
fffff88000ef8232 8bc5 mov eax,ebp<br>Wdf01000!imp_WdfDriverCreate+0x42c:<br>fffff88000ef8234 eb30 jmp Wdf01000!imp_WdfDriverCreate+0x45e (fffff88000ef8266)<br>Wdf01000!imp_WdfDriverCreate+0x45e:<br>fffff88000ef8266 4c8d5c2450 lea r11,[rsp+50h]
Wdf01000!imp_WdfDriverCreate+0x463:
fffff88000ef826b 498b5b38 mov rbx,qword ptr [r11+38h]<br>22: kd&gt; g<br>Breakpoint 12 hit<br>Wdf01000!imp_WdfDriverCreate+0x47b:<br>fffff88000ef8283 c3 ret
CIP!WdfDriverCreate+0x60:
fffff8800617f1b0 4883c448 add rsp,48h<br>CIP!DriverEntry+0x56:<br>fffff88006185056 89442430 mov dword ptr [rsp+30h],eax
CIP!DriverEntry+0x5a:
fffff8800618505a 837c243000 cmp dword ptr [rsp+30h],0<br><br>I got a bit trigger happy with my breakpoints since it takes quite a while to step through a single instruction, but I'm almost positive it fails in here:<br>fffff88000ee2aea 742d je Wdf01000!FxObjectHandleAlloc+0x111 (fffff88000ee2b19)<br><br>But looking at the .cpp source, FxObjectHandleAlloc lives inside of handleapi.cpp, and the only calls that set the status are RtlSizeTAdd, FxCalcaulateObjectTotalSize, and FxPoolAllocateWithTag. I can't seem to find the cpp that holds the definition of the function RtlSizeTAdd and FxCalculateObjectTotalSize only seems to return status which are set by RtlSizeTAdd. Which leaves FxPoolAllocateWithTag.<br><br>FxPoolAllocateWithTag just returns the output of FxPoolAllocator. FxPoolAllocator looks to fail if the Size parameter is 0 or if these RtlSIZETAdd functions fail.<br><br>I wonder if the Size parameter is equal to 0. I'll have to see where that is set at.<br><br>On Fri, Jul 15, 2016 at 10:10 AM, Tim Roberts <xxxxx>&gt; wrote:<br>Daniel Kulas wrote:<br>&gt;<br>&gt; So I think I pin-pointed where it fails.<br>&gt;<br>&gt; Inside of the function, Wdf01000!imp_WdfDriverCreate, a call is made<br>&gt; toWdf01000!FxDriver::FxDriver<br>&gt; That call is located at imp_WdfDriverCreate+0x36f.<br>&gt;<br>&gt; After that routine finishes, there's a jump made<br>&gt; toimp_WdfDriverCreate+0x3bb.<br>&gt; At that address, there's the error code I run into.<br>&gt;<br>&gt; fffff88000e8d177 call Wdf01000!FxDriver::FxDriver (fffff88000e8bdb0)<br>&gt; fffff88000e8d17c mov rbx,rax
> fffff88000e8d17f test rbx,rbx<br>&gt; fffff88000e8d182 je Wdf01000!imp_WdfDriverCreate+0x3bb
> (fffff88000e8d1c3)<br>&gt; --<br>&gt; fffff88000e8d1c3 mov ebp,0C000009Ah
>
> The instructions after that is a call to FxDestroy and eventually
> leads back to returning the error code to my driver.

That’s the only return of STATUS_INSUFFICIENT_RESOURCES in the routine
– after the FxDriver constructor. Now, have you actually
single-stepped through this code at run-time to verify that this is
actually the path you take, or are you just assuming that it is because
you found the error code in the disassembly? Because I would
confidently assert that it is utterly impossible for this error can
occur. That’s a “placement new”:

pDriver = new(pFxDriverGlobals, DriverAttributes)
FxDriver(DriverObject, DriverConfig, pFxDriverGlobals);

if (pDriver != NULL) {
…
}
else {
status = STATUS_INSUFFICIENT_RESOURCES;
}

What that means is that there is no memory allocation being done. The
memory to be used is being provided (“pFxDriverGlobal”). All that has
to happen is to call the FxDriver constructor, which is what you see in
the disassembly. A constructor cannot fail (without throwing an
exception, which isn’t supported). If you look at the disassembly,
you’ll see that the constructor is straight-line with no early exits.
It keeps the memory pointer in rbx, and the last thing it does is copy
rbx back into rax. But if rbx is null, there would have been a
blue-screen way earlier in the function.

–
Tim Roberts, xxxxx@probo.commailto:xxxxx
Providenza & Boekelheide, Inc.

—
NTDEV is sponsored by OSR

Visit the list online at: http:

MONTHLY seminars on crash dump analysis, WDF, Windows internals and software drivers!
Details at http:

To unsubscribe, visit the List Server section of OSR Online at http:

— NTDEV is sponsored by OSR Visit the list online at: MONTHLY seminars on crash dump analysis, WDF, Windows internals and software drivers! Details at To unsubscribe, visit the List Server section of OSR Online at</http:></http:></http:></mailto:xxxxx>

Doron Holan wrote:

The placement new does allocate memory so it can fail at the
allocation stage.

Yes; I missed the definition of the overloaded operator.

FWIW, he posted his code yesterday morning. Stock ordinary. No
context, no attributes.

–
Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

When you allocate a wdf object the caller content area is computed as a part of the size. My guess is that somehow the driver is asking for a huge context. I don’t have time to look at the posted code to verify

Get Outlook for Androidhttps:

On Fri, Jul 15, 2016 at 2:59 PM -0700, “Tim Roberts” > wrote:

Doron Holan wrote:
>
> The placement new does allocate memory so it can fail at the
> allocation stage.
>

Yes; I missed the definition of the overloaded operator.

FWIW, he posted his code yesterday morning. Stock ordinary. No
context, no attributes.

–
Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

—
NTDEV is sponsored by OSR

Visit the list online at: http:

MONTHLY seminars on crash dump analysis, WDF, Windows internals and software drivers!
Details at http:

To unsubscribe, visit the List Server section of OSR Online at http:</http:></http:></http:></https:>

So this is weird.

Tim,

When you asked me in your first response if I have the driver verifier on
with the low memory pool simulation, you were referring to the option under
Configuration Properties -> Driver Install -> Driver Verification, right?

I did have the KMDF Verifier on. I decided to turn it off and see what
happens. It loaded successfully. If I turned it back on, it fails. I turned
it on a long time ago because it looked like a good thing to have on after
reading the documentation Windows provides.

Is there any relation between the KMDF verifier setting and the Driver
Verification setting? I unchecked all the boxes under Driver Verification
with KMDF verifier on and that also failed. Have Driver Verification on but
KMDF verifier off, works.

I’m pretty confused as to why having KMDF verifier on would cause
WdfDriverCreate to fail.

On Fri, Jul 15, 2016 at 2:59 PM, Tim Roberts wrote:

> Doron Holan wrote:
> >
> > The placement new does allocate memory so it can fail at the
> > allocation stage.
> >
>
> Yes; I missed the definition of the overloaded operator.
>
> FWIW, he posted his code yesterday morning. Stock ordinary. No
> context, no attributes.
>
> –
> Tim Roberts, xxxxx@probo.com
> Providenza & Boekelheide, Inc.
>
>
> —
> NTDEV is sponsored by OSR
>
> Visit the list online at: <
> http://www.osronline.com/showlists.cfm?list=ntdev&gt;
>
> MONTHLY seminars on crash dump analysis, WDF, Windows internals and
> software drivers!
> Details at http:
>
> To unsubscribe, visit the List Server section of OSR Online at <
> http://www.osronline.com/page.cfm?name=ListServer&gt;
></http:>