
I am developing a disk volume encryption driver "xxxx_aes" for MS Windows that is implemented as a WDM filter driver. It is installed in the system as "LowerFilters = xxxx_aes fvevol rdyboost" for the "Storage Volumes" class {71A27CDD-812A-11D0-BEC7-08002BE2092F}.

The HKLM\CurrentControlSet\System\Services\xxxx_aes entry contains: Start=0; Type=1; Tag=7; Group="Pnp Filters". The normal device stack is:

kd> !devstack \Device\HarddiskVolume2
!DevObj   !DrvObj            !DevExt   ObjectName
fffffa8015bf43c0  \Driver\volsnap    fffffa8015bf4510  
fffffa8015bf0660  \Driver\rdyboost   fffffa8015bf07b0  
fffffa8015e3d260  \Driver\fvevol     fffffa8015e3d3b0  
fffffa8015ee9030  \Driver\xxxx_aes   fffffa8015ee9180  
fffffa8015be8480  \Driver\volmgr     fffffa8015be85d0  HarddiskVolume2

It works under XP x32, and even Win8 x32/x64 and Win10 x64. It does not work on some PCs with Win7 x64, e.g. after installing other driver(s) (maybe CryptoPro, but that is not certain). The system crashes at startup with a BSOD with this error:

BugCheck 7B, {fffff880009ae7e8, ffffffffc0000034, 0, 0}
Probably caused by : ntkrnlmp.exe ( nt!PnpBootDeviceWait+136 )
Followup: MachineOwner

Parameter 1 in parentheses is the address of a UNICODE_STRING with the name of the inaccessible boot device:

kd> dS fffff880009ae7e8
fffff8a0`00370010  "\ArcName\multi(0)disk(0)rdisk(0)"
fffff8a0`00370050  "partition(2)"

It is an alias of drive "c:\", i.e. \Device\HarddiskVolume2, which is already encrypted and should be hooked by the driver xxxx_aes. The last calls in the call stack point to "nt" module functions, not to any driver.

If I set the breakpoint "bu nt!PnpInitializeBootStartDriver" (found in the call stack) in WinDbg, I can get the list of all modules in the boot sequence (as the parameter at (WCHAR**)(@rcx+8)):

RAW, Wdf01000, msiadrv, vdrvroot, pci, partmgr, volmgr, volmgrx, 
pciide, vmihc, mountmgr, vmbus, vsock, atapi, amdxata, FltMgr,
SymDS, FileInfo, SymEFA, CLFSSci, NTFS, KSecDD, CNGehci, pcw, 
Fs_Rec, NDIS, KSecPkg, Tcpip, StorFlt, 
xxxx_aes,
rdyboost, fvevol, volsnap, spldr, Mup, hwpolicy, disk.

Here the BSOD occurred, after loading disk.sys. I saw the DriverEntry call for my driver, but did not see PnP's AddDevice call. So the driver was really non-functional.

What could be happening in this system? Thanks in advance.

PS. I have made a Linux live CD with "Swiss army knife" tools including the registry editor "fred" and a FUSE driver (read/write) for the encrypted volume. So I can explore and edit the crashed system.

  • @BradLarsen this is a programming question and should be asked here and not on superuser. – magicandre1981 Nov 24 '15 at 19:05
  • You need to show enough for someone to reproduce the problem themselves then if it's a programming problem. – Flexo Nov 25 '15 at 14:57
  • "for someone to reproduce the problem themselves" I would have to provide an intermediate version of our product with a test license key. 1. I cannot do that. 2. I am not sure anybody will try to reproduce my problem. I just ask if anybody has faced a similar case and has a solution. – Dmitry Bakulin Nov 26 '15 at 08:45
  • You say the problem occurs after installing other drivers. Did you look at how they updated the LowerFilters value for the Volume device setup class? Is your driver ready not to be the lowest of all filters? My only experience with this type of problem is that a driver that should be loaded at boot time is not present, mostly due to placing it into a bad load order group. AFAIK, the PnP manager starts calling `AddDevice` after it loads the function driver and all the filters for the given device stack, so if one of the drivers has a bad load order group, the whole stack may be initialized too late. – Martin Drab Dec 09 '16 at 13:10
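A diagnostic script covering both the registry configuration the question describes (LowerFilters, Start/Type/Group/Tag) and the load-order explanation in the last comment, added here as an example and not code from the question or from any commenter. It assumes the filter service is named xxxx_aes as in the question, that it runs elevated on the affected installation, and that GroupOrderList values are REG_BINARY DWORD arrays with the count first, which is how that key is documented.

```powershell
# Added diagnostic script; not code from the question or its commenters.
# Assumes the filter service is 'xxxx_aes' and an elevated session on the
# affected machine (for an offline SYSTEM hive loaded with 'reg load', point
# $cc at that hive's ControlSet00N key instead).
param([string]$Filter = 'xxxx_aes')

$cc  = 'HKLM:\SYSTEM\CurrentControlSet'
$cls = "$cc\Control\Class\{71A27CDD-812A-11D0-BEC7-08002BE2092F}"   # Storage Volumes

# 1. Is the filter still listed in LowerFilters, and in which position?
$lower = (Get-ItemProperty -Path $cls -Name LowerFilters).LowerFilters
"LowerFilters = $($lower -join ' ')"
if ($lower -notcontains $Filter) { Write-Warning "$Filter is no longer in LowerFilters" }

# 2. Boot-start service values: Start=0 (SERVICE_BOOT_START), Type=1
#    (SERVICE_KERNEL_DRIVER), plus the load order Group and Tag.
$svc = Get-ItemProperty -Path "$cc\Services\$Filter"
"Start=$($svc.Start) Type=$($svc.Type) Group='$($svc.Group)' Tag=$($svc.Tag)"
if ($svc.Start -ne 0) { Write-Warning "Start=$($svc.Start); a boot-volume filter needs 0" }

# 3. Load order of every LowerFilters entry: the group's index in
#    ServiceGroupOrder\List and the tag's index in GroupOrderList\<Group>
#    (REG_BINARY: DWORD count, then DWORD tags). A filter whose group sorts
#    after the others is loaded late, and PnP cannot call AddDevice for the
#    stack until every filter in it has loaded.
$groups = (Get-ItemProperty "$cc\Control\ServiceGroupOrder" -Name List).List
$gol    = Get-ItemProperty "$cc\Control\GroupOrderList"
foreach ($name in $lower) {
    $s = Get-ItemProperty "$cc\Services\$name" -ErrorAction SilentlyContinue
    if (-not $s) { Write-Warning "$name has no Services key (driver missing?)"; continue }
    $gIdx = -1
    for ($i = 0; $i -lt $groups.Count; $i++) { if ($groups[$i] -eq $s.Group) { $gIdx = $i; break } }
    $tIdx = -1
    $bin  = if ($s.Group) { $gol.($s.Group) } else { $null }
    if ($bin -and $bin.Length -ge 4 -and $s.Tag) {
        $n = [BitConverter]::ToUInt32($bin, 0)
        for ($i = 1; $i -le $n -and (4 * $i + 3) -lt $bin.Length; $i++) {
            if ([BitConverter]::ToUInt32($bin, 4 * $i) -eq $s.Tag) { $tIdx = $i; break }
        }
    }
    "{0,-10} Start={1} Group='{2}' (pos {3}) Tag={4} (pos {5})" -f $name, $s.Start, $s.Group, $gIdx, $s.Tag, $tIdx
}
```

A group position of -1 means the group is not in ServiceGroupOrder\List at all, so the driver is started after every listed group; a tag position of -1 means the tag is not in GroupOrderList and the driver sorts after all tagged drivers of its group.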

0 Answers