A History of Software in 64 Programs

November 15th, 2011

This is a new exciting book project I'm working on, now scheduled for release in 2012 with ISBN 978-1908043337. If your company would like to have its programs considered for inclusion, please let me know and send a copy in case I need to include screenshots. I'll post an update about this project soon.

- Dmitry Vostokov @ SoftwareGeneralist.com -

MVC Worldview and The Origin of Economic Order

September 7th, 2011

A few weeks ago, when I was asked whether the current economic crisis will deepen, an idea came to me that Cloud Computing is the last Model piece of MVC (Model-View-Controller), where View is Social Media such as Facebook, LinkedIn, Twitter, etc. and Controller is the Internet itself. With the final piece of the puzzle in place, the World needs a new MVC Revolution in order to get back on track.

- Dmitry Vostokov @ SoftwareGeneralist.com -

Reading Notebook: 04-March-11

March 10th, 2011

Comments in italics are mine and express my own views, thoughts and opinions

Windows Internals by M. Russinovich, D. Solomon and A. Ionescu:

HKLM\S\MountedDevices and basic disk volume partition offset (pp. 667 - 668)

General reparse points; symbolic links and mount points as their applications (p. 669)

Device object -> VPB, !vpb WinDbg command (p. 670) - here's how these structures look on my x64 W2K8 system:

0: kd> dt _DEVICE_OBJECT
ntdll!_DEVICE_OBJECT
   +0x000 Type             : Int2B
   +0x002 Size             : Uint2B
   +0x004 ReferenceCount   : Int4B
   +0x008 DriverObject     : Ptr64 _DRIVER_OBJECT
   +0x010 NextDevice       : Ptr64 _DEVICE_OBJECT
   +0x018 AttachedDevice   : Ptr64 _DEVICE_OBJECT
   +0x020 CurrentIrp       : Ptr64 _IRP
   +0x028 Timer            : Ptr64 _IO_TIMER
   +0x030 Flags            : Uint4B
   +0x034 Characteristics  : Uint4B
   +0x038 Vpb              : Ptr64 _VPB
   +0x040 DeviceExtension  : Ptr64 Void
   +0x048 DeviceType       : Uint4B
   +0x04c StackSize        : Char
   +0x050 Queue            : <unnamed-tag>
   +0x098 AlignmentRequirement : Uint4B
   +0x0a0 DeviceQueue      : _KDEVICE_QUEUE
   +0x0c8 Dpc              : _KDPC
   +0x108 ActiveThreadCount : Uint4B
   +0x110 SecurityDescriptor : Ptr64 Void
   +0x118 DeviceLock       : _KEVENT
   +0x130 SectorSize       : Uint2B
   +0x132 Spare1           : Uint2B
   +0x138 DeviceObjectExtension : Ptr64 _DEVOBJ_EXTENSION
   +0x140 Reserved         : Ptr64 Void

0: kd> dt _VPB
ntdll!_VPB
   +0x000 Type             : Int2B
   +0x002 Size             : Int2B
   +0x004 Flags            : Uint2B
   +0x006 VolumeLabelLength : Uint2B
   +0x008 DeviceObject     : Ptr64 _DEVICE_OBJECT
   +0x010 RealDevice       : Ptr64 _DEVICE_OBJECT
   +0x018 SerialNumber     : Uint4B
   +0x01c ReferenceCount   : Uint4B
   +0x020 VolumeLabel      : [32] Wchar

FS -> Volume I/O (pp. 674 - 675) - the driver stack can also be seen from the IRP I/O stack locations:

2: kd> !irp fffffa8017492b80
[...]
     cmd  flg cl Device   File     Completion-Context
 [  0, 0]   0  0 00000000 00000000 00000000-00000000   

                     Args: 00000000 00000000 00000000 00000000
 [  0, 0]   0  0 00000000 00000000 00000000-00000000   

                     Args: 00000000 00000000 00000000 00000000
 [  0, 0]   0  0 00000000 00000000 00000000-00000000   

                     Args: 00000000 00000000 00000000 00000000
 [  0, 0]   0  0 00000000 00000000 00000000-00000000   

                     Args: 00000000 00000000 00000000 00000000
 [  0, 0]   0  0 00000000 00000000 00000000-00000000   

                     Args: 00000000 00000000 00000000 00000000
 [  0, 0]   0  0 00000000 00000000 00000000-00000000   

                     Args: 00000000 00000000 00000000 00000000
 [  0, 0]   0  0 00000000 00000000 00000000-00000000   

                     Args: 00000000 00000000 00000000 00000000
 [  0, 0]   0  0 00000000 00000000 00000000-00000000   

                     Args: 00000000 00000000 00000000 00000000
>[  4,34]  1c e0 fffffa800dfe2060 00000000 fffff88001186f30-00000000 Success Error Cancel
              \Driver\Disk  partmgr!PmReadWriteCompletion
                     Args: 00001000 00000000 b99a9000 00000000
 [  4, 0]  1c e0 fffffa800dfe2b90 00000000 fffff88001197180-fffffa800da89e20 Success Error Cancel
              \Driver\partmgr     volmgr!VmpReadWriteCompletionRoutine
                     Args: 148ce8c5bed 00000000 b99a9000 00000000
 [  4, 0]   c e0 fffffa800da89cd0 00000000 fffff88001968150-fffffa800dfe7190 Success Error Cancel
              \Driver\volmgr      volsnap!VspRefCountCompletionRoutine
                     Args: 00001000 00000000 148ce8c5be9 00000000
 [  4, 0]   c e1 fffffa800dfe7040 00000000 fffff88001a464f4-fffff88002777a10 Success Error Cancel pending
              \Driver\volsnap     Ntfs!NtfsMasterIrpSyncCompletionRoutine
                     Args: 00001000 00000000 b996a000 00000000
 [  4, 0]   0  0 fffffa800dfed030 fffffa800da958e0 00000000-00000000
              \FileSystem\Ntfs
                     Args: 00001000 00000000 01afc000 00000000
[...]

BitLocker architecture diagram (p.678) - parts can be seen from IRP I/O stack locations:

 kd> !irp 85e7ee00
[...]
     cmd  flg cl Device   File     Completion-Context
 [  0, 0]   0  0 00000000 00000000 00000000-00000000   

                  Args: 00000000 00000000 00000000 00000000
 [  0, 0]   0  0 00000000 00000000 00000000-00000000   

                  Args: 00000000 00000000 00000000 00000000
 [  0, 0]   0  0 00000000 00000000 00000000-00000000   

                  Args: 00000000 00000000 00000000 00000000
 [  0, 0]   0  0 00000000 00000000 00000000-00000000   

                  Args: 00000000 00000000 00000000 00000000
 [  0, 0]   0  0 00000000 00000000 00000000-00000000   

                  Args: 00000000 00000000 00000000 00000000
>[  3,34]  10 e0 857b9030 00000000 8353724e-00000000 Success Error Cancel
             \Driver\Disk     partmgr!PmReadWriteCompletion
                  Args: 00001000 00000000 400d6000 00000000
 [  3, 0]  10  0 857b9d18 00000000 00000000-00000000
             \Driver\partmgr
                  Args: 6bad71d7 00000000 400d6000 00000000
 [  3, 0]  10 e0 8478b5f0 00000000 835487a4-857bc2f0 Success Error Cancel
      \Driver\DriverA   volmgr!VmpReadWriteCompletionRoutine
                  Args: 00001000 00000000 400d6000 00000000
 [  3, 0]   0 e0 857bc238 00000000 872c83e2-857bfb70 Success Error Cancel
             \Driver\volmgr   fvevol!FvePassThroughCompletion
                  Args: 00001000 00000000 6bad70ba 00000000
 [  3, 0]   0 e0 857bfab8 00000000 8709807a-859a2118 Success Error Cancel
             \Driver\fvevol   Ntfs!NtfsMasterIrpAsyncCompletionRoutine
                  Args: 00001000 00000000 40097000 00000000
 [  3, 0]   0  1 857e2020 8584ca40 00000000-00000000    pending
             \FileSystem\Ntfs
                  Args: 00001000 00000000 0329e000 00000000
[...]

VMK -> FVEK: possibility for rekeying (p. 679) 

Maximum protection: TPM+USB+PIN (p. 679)

Diffuser to protect from manipulations with AES-encrypted ciphertext (p. 681)

- Dmitry Vostokov @ SoftwareGeneralist.com -

Reading Notebook: 23-February-11

February 24th, 2011

Comments in italics are mine and express my own views, thoughts and opinions

Windows Internals by M. Russinovich, D. Solomon and A. Ionescu:

The distinction between class, port and miniport components in storage stack (pp. 646 - 647)

Example: disk.sys as a class driver, ataport.sys and atapi.sys as port and miniport drivers (pp. 647 - 448)

MPIO (multi path I/O), DSM (device-specific modules) and storage stack (pp. 649 - 650)

Old and new naming convention (DRX) for disk device objects (p. 650)

Win32 API disk drive naming (p. 651)

Partition device objects (p. 652)

Volume manager as a bus driver (p. 655)

System vs. boot volume (p. 660)

Volmgr.sys vs. Volmgrx.sys (p. 661)

The advantages of storing volume metadata in a file (p. 662)

Spanned, striped (RAID-0), mirrored (RAID-1), RAID-5 (striped with rotated parity) (pp. 662 - 667) 

- Dmitry Vostokov @ SoftwareGeneralist.com -

Reading Notebook: 21-February-11

February 21st, 2011

Comments in italics are mine and express my own views, thoughts and opinions

Windows Internals by M. Russinovich, D. Solomon and A. Ionescu:

Differences between driver and service loading (p. 623)

Tag value precedence redefinition (p. 624)

Verbose !devnode command options (pp. 627 - 628)

DID=VID.PID and DIID=DID.IID (p. 630)

Hybrid sleep (pp. 637-638) 

Power dispatch routine (p. 639) - Here’s a dispatch routine for a PCI driver from my x64 W2K8R2 system:

0: kd> !devnode 0 3
Dumping IopRootDeviceNode (= 0xfffffa8003c1ed90)
DevNode 0xfffffa8003c1ed90 for PDO 0xfffffa8003c1db10
  InstancePath is "HTREE\ROOT\0"
  State = DeviceNodeStarted (0x308)
  Previous State = DeviceNodeEnumerateCompletion (0x30d)

[...]

        DevNode 0xfffffa8003e91b10 for PDO 0xfffffa8003e40a20
          InstancePath is "PCI\VEN_8086&DEV_2810&SUBSYS_00000000&REV_02\3&172e68dd&0&F8"
          ServiceName is "msisadrv"
          State = DeviceNodeStarted (0x308)
          Previous State = DeviceNodeEnumerateCompletion (0x30d)

[...]

0: kd> !devobj 0xfffffa8003e40a20
Device object (fffffa8003e40a20) is for:
 NTPNP_PCI0013 \Driver\pci DriverObject fffffa8003cfe270
Current Irp 00000000 RefCount 0 Type 00000022 Flags 00001040
Dacl fffff9a10008b231 DevExt fffffa8003e40b70 DevObjExt fffffa8003e40f90 DevNode fffffa8003e91b10
ExtensionFlags (0x00000800)
                             Unknown flags 0x00000800
AttachedDevice (Upper) fffffa8003e3f800
 \Driver\ACPI
Device queue is not busy.

0: kd> !drvobj fffffa8003cfe270 f
Driver object (fffffa8003cfe270) is for:
 \Driver\pci
Driver Extension List: (id , addr)

Device Object list:
fffffa8003e9da20  fffffa8003e9a060  fffffa8003e99a20  fffffa8003e939f0
fffffa8003e93040  fffffa8003e92660  fffffa8003e92cb0  fffffa8003e42060
fffffa8003e41a20  fffffa8003e41060  fffffa8003e40a20  fffffa8003e40060
fffffa8003e3fa20  fffffa8003e3f060  fffffa8003e3ea20  fffffa8003e3e060
fffffa8003e3da20  fffffa8003e3d060  fffffa8003e3ca20  fffffa8003e3c060
fffffa8003e3ba20  fffffa8003e3b060  fffffa8003e3aa20  fffffa8003e3a060
fffffa8003e37530

DriverEntry:   fffff880013ae1a0 pci!GsDriverEntry
DriverStartIo: 00000000
DriverUnload:  fffff880013a2fec pci!PciDriverUnload
AddDevice:     fffff8800139ae54 pci!PciAddDevice

Dispatch routines:
[00] IRP_MJ_CREATE                      fffff80001ab5cfc nt!IopInvalidDeviceRequest
[01] IRP_MJ_CREATE_NAMED_PIPE           fffff80001ab5cfc nt!IopInvalidDeviceRequest
[02] IRP_MJ_CLOSE                       fffff80001ab5cfc nt!IopInvalidDeviceRequest
[03] IRP_MJ_READ                        fffff80001ab5cfc nt!IopInvalidDeviceRequest
[04] IRP_MJ_WRITE                       fffff80001ab5cfc nt!IopInvalidDeviceRequest
[05] IRP_MJ_QUERY_INFORMATION           fffff80001ab5cfc nt!IopInvalidDeviceRequest
[06] IRP_MJ_SET_INFORMATION             fffff80001ab5cfc nt!IopInvalidDeviceRequest
[07] IRP_MJ_QUERY_EA                    fffff80001ab5cfc nt!IopInvalidDeviceRequest
[08] IRP_MJ_SET_EA                      fffff80001ab5cfc nt!IopInvalidDeviceRequest
[09] IRP_MJ_FLUSH_BUFFERS               fffff80001ab5cfc nt!IopInvalidDeviceRequest
[0a] IRP_MJ_QUERY_VOLUME_INFORMATION    fffff80001ab5cfc nt!IopInvalidDeviceRequest
[0b] IRP_MJ_SET_VOLUME_INFORMATION      fffff80001ab5cfc nt!IopInvalidDeviceRequest
[0c] IRP_MJ_DIRECTORY_CONTROL           fffff80001ab5cfc nt!IopInvalidDeviceRequest
[0d] IRP_MJ_FILE_SYSTEM_CONTROL         fffff80001ab5cfc nt!IopInvalidDeviceRequest
[0e] IRP_MJ_DEVICE_CONTROL              fffff8800139e6d0 pci!PciDispatchDeviceControl
[0f] IRP_MJ_INTERNAL_DEVICE_CONTROL     fffff80001ab5cfc nt!IopInvalidDeviceRequest
[10] IRP_MJ_SHUTDOWN                    fffff80001ab5cfc nt!IopInvalidDeviceRequest
[11] IRP_MJ_LOCK_CONTROL                fffff80001ab5cfc nt!IopInvalidDeviceRequest
[12] IRP_MJ_CLEANUP                     fffff80001ab5cfc nt!IopInvalidDeviceRequest
[13] IRP_MJ_CREATE_MAILSLOT             fffff80001ab5cfc nt!IopInvalidDeviceRequest
[14] IRP_MJ_QUERY_SECURITY              fffff80001ab5cfc nt!IopInvalidDeviceRequest
[15] IRP_MJ_SET_SECURITY                fffff80001ab5cfc nt!IopInvalidDeviceRequest
[16] IRP_MJ_POWER                       fffff880013848fc pci!PciDispatchPnpPower
[17] IRP_MJ_SYSTEM_CONTROL              fffff8800139e66c pci!PciDispatchSystemControl
[18] IRP_MJ_DEVICE_CHANGE               fffff80001ab5cfc nt!IopInvalidDeviceRequest
[19] IRP_MJ_QUERY_QUOTA                 fffff80001ab5cfc nt!IopInvalidDeviceRequest
[1a] IRP_MJ_SET_QUOTA                   fffff80001ab5cfc nt!IopInvalidDeviceRequest
[1b] IRP_MJ_PNP                         fffff880013848fc pci!PciDispatchPnpPower

!pocaps and !popolicy WinDbg commands (pp. 641 - 643) 

Unlike other PnP operations, such as a normal eject, power operations cannot be vetoed by drivers and apps (pp. 643 - 644)

- Dmitry Vostokov @ SoftwareGeneralist.com -

Software Generalist View of Religion (Part 1)

October 13th, 2010

In seeking spiritual faith, a software generalist views various religious worldviews as packages providing interfaces (IReligion). The methods of such an interface will be discussed in the next part, but for now I show a UML diagram:

- Dmitry Vostokov @ SoftwareGeneralist.com -

Reading Notebook: 20-September-10

September 28th, 2010

Comments in italics are mine and express my own views, thoughts and opinions

Windows Internals by M. Russinovich, D. Solomon and A. Ionescu:

I/O Completion Ports (pp. 592 - 598) - my own architectural investigation from a complete memory dump perspective: http://www.dumpanalysis.org/blog/index.php/2007/11/27/understanding-io-completion-ports/

Lock contention (p. 594) - some patterns: http://www.dumpanalysis.org/blog/index.php/2010/09/21/contention-patterns/

Concurrency value may exceed the concurrency limit for an I/O CP (p. 595)

KeRemoveQueueEx (p. 596) - see also Passive System Thread pattern: http://www.dumpanalysis.org/blog/index.php/2007/11/20/crash-dump-analysis-patterns-part-31a/

I/O priority queues and strategies for IRP (p. 599) - priority fields in _EPROCESS and _ETHREAD structures from x64 W2K8 R2:

1: kd> dt _EPROCESS
ntdll!_EPROCESS
   +0x000 Pcb              : _KPROCESS
[...]
   +0x438 DefaultIoPriority : Pos 27, 3 Bits
[...]

1: kd> dt _ETHREAD
ntdll!_ETHREAD
   +0x000 Tcb              : _KTHREAD
[...]
   +0x448 ThreadIoPriority : Pos 10, 3 Bits
[...]

Driver Verifier (pp. 604 - 606) - see also Instrumentation Information pattern: http://www.dumpanalysis.org/blog/index.php/2010/09/27/crash-dump-analysis-patterns-part-107/ 

WDF book (p. 607) - there is also another book coming soon: http://www.dumpanalysis.org/blog/index.php/2010/08/19/windows-7-device-driver-book/

Listing KMDF drivers (p. 608) - here’s the output from x64 W2K8 R2 system:

1: kd> !wdfkd.wdfldr
 LoadedModuleList      0xfffff8800115a2d8
----------------------------------
LIBRARY_MODULE  fffffa8003bc8d10
  Version       v1.9 build(7600)
  Service       \Registry\Machine\System\CurrentControlSet\Services\Wdf01000
  ImageName     Wdf01000.sys
  ImageAddress  0xfffff880010ae000
  ImageSize     0xa4000
  Associated Clients: 10

  ImageName      Version    WdfGlobals         FxGlobals          ImageAddress       ImageSize
  peauth.sys     v1.7(6001) 0xfffffa8004bf6510 0xfffffa8004bf63c0 0xfffff88004600000 0x000a6000
  monitor.sys    v1.9(7600) 0xfffffa80048f55d0 0xfffffa80048f5480 0xfffff88003752000 0x0000e000
  umbus.sys      v1.9(7600) 0xfffffa8004371160 0xfffffa8004371010 0xfffff88002db0000 0x00012000
  CompositeBus.sys v1.9(7600) 0xfffffa8004440800 0xfffffa80044406b0 0xfffff88002a45000 0x00010000
  HDAudBus.sys   v1.7(6001) 0xfffffa80043c9160 0xfffffa80043c9010 0xfffff88002b48000 0x00024000
  intelppm.sys   v1.9(7600) 0xfffffa8004271dd0 0xfffffa8004271c80 0xfffff88002ab0000 0x00016000
  cdrom.sys      v1.9(7600) 0xfffffa80041f3fc0 0xfffffa80041f3e70 0xfffff88001400000 0x0002a000
  vmstorfl.sys   v1.5(6000) 0xfffffa80040129e0 0xfffffa8004012890 0xfffff88001750000 0x00010000
  msisadrv.sys   v1.9(7600) 0xfffffa8003ebb910 0xfffffa8003ebb7c0 0xfffff880012c6000 0x0000a000
  vdrvroot.sys   v1.9(7600) 0xfffffa8003d3fa00 0xfffffa8003d3f8b0 0xfffff88001262000 0x0000d000
----------------------------------
Total: 1 library loaded

Extension of the device extension idea into object context in KMDF (pp. 611 - 612)

UMDF reflectors (p. 617)

WUDFHost.exe (p. 618) - here's its stack trace collection from an x64 W2K8 R2 system after I inserted a USB flash drive and attached WinDbg non-invasively:

0:000> ~*k

.  0  Id: 58c.12f4 Suspend: 1 Teb: 000007ff`fffde000 Unfrozen
Child-SP          RetAddr           Call Site
00000000`0018f988 000007fe`fd8510ac ntdll!ZwWaitForSingleObject+0xa
00000000`0018f990 00000000`ff3bba44 KERNELBASE!WaitForSingleObjectEx+0x9c
00000000`0018fa30 00000000`ff3b8ce7 WUDFHost!CLpcNotification::Run+0x1c
00000000`0018fa60 00000000`ff3d2cb1 WUDFHost!wmain+0xc7b
00000000`0018fc60 00000000`7746f56d WUDFHost!ConvertStringSidToSidW+0x19b
00000000`0018fca0 00000000`776a3281 kernel32!BaseThreadInitThunk+0xd
00000000`0018fcd0 00000000`00000000 ntdll!RtlUserThreadStart+0x21

   1  Id: 58c.1304 Suspend: 1 Teb: 000007ff`fffdc000 Unfrozen
Child-SP          RetAddr           Call Site
00000000`00c4f918 000007fe`fd8753d6 ntdll!NtDeviceIoControlFile+0xa
00000000`00c4f920 00000000`7746610f KERNELBASE!WaitNamedPipeW+0x16c6
00000000`00c4f990 000007fe`fb87dd94 kernel32!DeviceIoControlImplementation+0x7f
00000000`00c4f9e0 000007fe`fb87e6cd WUDFPlatform!WPP_SF_ssd+0x1e4
00000000`00c4fa70 000007fe`fb87b8af WUDFPlatform!WdfLpcCorePortInterface::GetMessageW+0x119
00000000`00c4fc20 00000000`ff3bd7de WUDFPlatform!WdfWorkerThread::WorkerThread+0x127
00000000`00c4fc70 00000000`7746f56d WUDFHost!LpcWorkerThreadThunk+0x62
00000000`00c4fca0 00000000`776a3281 kernel32!BaseThreadInitThunk+0xd
00000000`00c4fcd0 00000000`00000000 ntdll!RtlUserThreadStart+0x21

   2  Id: 58c.6e8 Suspend: 1 Teb: 000007ff`fffda000 Unfrozen
Child-SP          RetAddr           Call Site
00000000`00dfe988 000007fe`fd853ef8 ntdll!NtQueryAttributesFile+0xa
00000000`00dfe990 000007fe`f3be9970 KERNELBASE!GetFileAttributesW+0x78
00000000`00dfea30 000007fe`f27ce8c9 WpdFs!COperationGetFastBasicProperties::OnImpersonate+0x1c0
00000000`00dfea70 000007fe`f3be9734 WUDFx!CWdfIoRequest::Impersonate+0x151
00000000`00dfeae0 000007fe`f3bda26b WpdFs!COperationGetFastBasicProperties::Invoke+0x2c4
00000000`00dfeb50 000007fe`f3bd8837 WpdFs!WpdObjectProperties::GetValues+0x3f7
00000000`00dfecd0 000007fe`f3bd8344 WpdFs!WpdObjectProperties::OnGetValues+0x10b
00000000`00dfed50 000007fe`f3bcf974 WpdFs!WpdObjectProperties::DispatchWpdMessage+0x1a0
00000000`00dfee10 000007fe`f3bcd51a WpdFs!WpdBaseDriver::DispatchWpdMessage+0x4c0
00000000`00dfef60 000007fe`f3bcdd6c WpdFs!CQueue::ProcessWpdMessage+0x29a
00000000`00dff010 000007fe`f27bf610 WpdFs!CQueue::OnDeviceIoControl+0x494
00000000`00dff160 000007fe`f27c0b5a WUDFx!CWdfIoQueue::SubmitRequest+0x358
00000000`00dff1f0 000007fe`f27c0955 WUDFx!CWdfIoQueue::DispatchRequestToDriver+0x86
00000000`00dff240 000007fe`f27bff83 WUDFx!CWdfIoQueue::DispatchEvents+0x3cd
00000000`00dff2b0 000007fe`f27b61b5 WUDFx!CWdfIoQueue::QueueRequest+0x2c3
00000000`00dff300 000007fe`f27b6f20 WUDFx!CWdfDevice::DispatchRequest+0x149
00000000`00dff350 00000000`ff3ccbb6 WUDFx!CWdfDevice::DeviceControl+0x1a8
00000000`00dff3c0 00000000`ff3c2f92 WUDFHost!CWudfIoIrp::Dispatch+0x13e
00000000`00dff420 00000000`ff3bad47 WUDFHost!CWudfDeviceStack::Forward+0x41a
00000000`00dff490 000007fe`fb87da6a WUDFHost!CLpcNotification::Message+0xd9b
00000000`00dff6c0 000007fe`fb87c848 WUDFPlatform!WdfLpcPort::ProcessMessage+0x3be
00000000`00dff760 000007fe`fb87b299 WUDFPlatform!WdfLpcCommPort::ProcessMessage+0x214
00000000`00dff7b0 000007fe`fb87b900 WUDFPlatform!WdfLpcConnPort::ProcessMessage+0xf9
00000000`00dff830 00000000`ff3bd7de WUDFPlatform!WdfWorkerThread::WorkerThread+0x178
00000000`00dff880 00000000`7746f56d WUDFHost!LpcWorkerThreadThunk+0x62
00000000`00dff8b0 00000000`776a3281 kernel32!BaseThreadInitThunk+0xd
00000000`00dff8e0 00000000`00000000 ntdll!RtlUserThreadStart+0x21

   3  Id: 58c.2e4 Suspend: 1 Teb: 000007ff`fffd8000 Unfrozen
Child-SP          RetAddr           Call Site
00000000`00d7f5e8 000007fe`fd8753d6 ntdll!NtDeviceIoControlFile+0xa
00000000`00d7f5f0 00000000`7746610f KERNELBASE!WaitNamedPipeW+0x16c6
00000000`00d7f660 000007fe`fb87dd94 kernel32!DeviceIoControlImplementation+0x7f
00000000`00d7f6b0 000007fe`fb87e6cd WUDFPlatform!WPP_SF_ssd+0x1e4
00000000`00d7f740 000007fe`fb87b8af WUDFPlatform!WdfLpcCorePortInterface::GetMessageW+0x119
00000000`00d7f8f0 00000000`ff3bd7de WUDFPlatform!WdfWorkerThread::WorkerThread+0x127
00000000`00d7f940 00000000`7746f56d WUDFHost!LpcWorkerThreadThunk+0x62
00000000`00d7f970 00000000`776a3281 kernel32!BaseThreadInitThunk+0xd
00000000`00d7f9a0 00000000`00000000 ntdll!RtlUserThreadStart+0x21

   4  Id: 58c.12b4 Suspend: 1 Teb: 000007ff`fffd6000 Unfrozen
Child-SP          RetAddr           Call Site
00000000`00f8fa58 000007fe`fd8753d6 ntdll!NtDeviceIoControlFile+0xa
00000000`00f8fa60 00000000`7746610f KERNELBASE!WaitNamedPipeW+0x16c6
00000000`00f8fad0 000007fe`fb87dd94 kernel32!DeviceIoControlImplementation+0x7f
00000000`00f8fb20 000007fe`fb87e6cd WUDFPlatform!WPP_SF_ssd+0x1e4
00000000`00f8fbb0 000007fe`fb87b8af WUDFPlatform!WdfLpcCorePortInterface::GetMessageW+0x119
00000000`00f8fd60 00000000`ff3bd7de WUDFPlatform!WdfWorkerThread::WorkerThread+0x127
00000000`00f8fdb0 00000000`7746f56d WUDFHost!LpcWorkerThreadThunk+0x62
00000000`00f8fde0 00000000`776a3281 kernel32!BaseThreadInitThunk+0xd
00000000`00f8fe10 00000000`00000000 ntdll!RtlUserThreadStart+0x21

   5  Id: 58c.106c Suspend: 1 Teb: 000007ff`fffd3000 Unfrozen
Child-SP          RetAddr           Call Site
00000000`00f0f958 000007fe`fd8753d6 ntdll!NtDeviceIoControlFile+0xa
00000000`00f0f960 00000000`7746610f KERNELBASE!WaitNamedPipeW+0x16c6
00000000`00f0f9d0 000007fe`fb87dd94 kernel32!DeviceIoControlImplementation+0x7f
00000000`00f0fa20 000007fe`fb87e6cd WUDFPlatform!WPP_SF_ssd+0x1e4
00000000`00f0fab0 000007fe`fb87b8af WUDFPlatform!WdfLpcCorePortInterface::GetMessageW+0x119
00000000`00f0fc60 00000000`ff3bd7de WUDFPlatform!WdfWorkerThread::WorkerThread+0x127
00000000`00f0fcb0 00000000`7746f56d WUDFHost!LpcWorkerThreadThunk+0x62
00000000`00f0fce0 00000000`776a3281 kernel32!BaseThreadInitThunk+0xd
00000000`00f0fd10 00000000`00000000 ntdll!RtlUserThreadStart+0x21

   6  Id: 58c.8fc Suspend: 1 Teb: 000007ff`fffae000 Unfrozen
Child-SP          RetAddr           Call Site
00000000`0136f8c8 00000000`7758c95e USER32!NtUserGetMessage+0xa
00000000`0136f8d0 000007fe`f3bd26e5 USER32!GetMessageW+0x34
00000000`0136f900 00000000`7746f56d WpdFs!CDiskNotifier::NotificationThreadWorker+0x245
00000000`0136fa50 00000000`776a3281 kernel32!BaseThreadInitThunk+0xd
00000000`0136fa80 00000000`00000000 ntdll!RtlUserThreadStart+0x21

   7  Id: 58c.520 Suspend: 1 Teb: 000007ff`fffac000 Unfrozen
Child-SP          RetAddr           Call Site
00000000`0152f6f8 00000000`77689bd7 ntdll!ZwWaitForMultipleObjects+0xa
00000000`0152f700 00000000`7746f56d ntdll!EtwTraceMessageVa+0xe07
00000000`0152f9a0 00000000`776a3281 kernel32!BaseThreadInitThunk+0xd
00000000`0152f9d0 00000000`00000000 ntdll!RtlUserThreadStart+0x21

   8  Id: 58c.89c Suspend: 1 Teb: 000007ff`fffaa000 Unfrozen
Child-SP          RetAddr           Call Site
00000000`012df9b8 00000000`7768914b ntdll!ZwWaitForWorkViaWorkerFactory+0xa
00000000`012df9c0 00000000`7746f56d ntdll!EtwTraceMessageVa+0x37b
00000000`012dfcc0 00000000`776a3281 kernel32!BaseThreadInitThunk+0xd
00000000`012dfcf0 00000000`00000000 ntdll!RtlUserThreadStart+0x21

   9  Id: 58c.1394 Suspend: 1 Teb: 000007ff`fffa8000 Unfrozen
Child-SP          RetAddr           Call Site
00000000`0140f498 00000000`7768914b ntdll!ZwWaitForWorkViaWorkerFactory+0xa
00000000`0140f4a0 00000000`7746f56d ntdll!EtwTraceMessageVa+0x37b
00000000`0140f7a0 00000000`776a3281 kernel32!BaseThreadInitThunk+0xd
00000000`0140f7d0 00000000`00000000 ntdll!RtlUserThreadStart+0x21

  10  Id: 58c.1294 Suspend: 1 Teb: 000007ff`fffa6000 Unfrozen
Child-SP          RetAddr           Call Site
00000000`0182f758 00000000`7768914b ntdll!ZwWaitForWorkViaWorkerFactory+0xa
00000000`0182f760 00000000`7746f56d ntdll!EtwTraceMessageVa+0x37b
00000000`0182fa60 00000000`776a3281 kernel32!BaseThreadInitThunk+0xd
00000000`0182fa90 00000000`00000000 ntdll!RtlUserThreadStart+0x21

  11  Id: 58c.a98 Suspend: 1 Teb: 000007ff`fffa4000 Unfrozen
Child-SP          RetAddr           Call Site
00000000`0170f708 00000000`7768914b ntdll!ZwWaitForWorkViaWorkerFactory+0xa
00000000`0170f710 00000000`7746f56d ntdll!EtwTraceMessageVa+0x37b
00000000`0170fa10 00000000`776a3281 kernel32!BaseThreadInitThunk+0xd
00000000`0170fa40 00000000`00000000 ntdll!RtlUserThreadStart+0x21

  12  Id: 58c.121c Suspend: 1 Teb: 000007ff`fffa2000 Unfrozen
Child-SP          RetAddr           Call Site
00000000`0179fd68 000007fe`fd851203 ntdll!NtDelayExecution+0xa
00000000`0179fd70 000007fe`fe2cea00 KERNELBASE!SleepEx+0xb3
00000000`0179fe10 000007fe`fe2d2046 ole32!CROIDTable::WorkerThreadLoop+0x10
00000000`0179fe40 000007fe`fe2d358a ole32!CRpcThread::WorkerLoop+0x1e
00000000`0179fe80 00000000`7746f56d ole32!CRpcThreadCache::RpcWorkerThreadEntry+0x1a
00000000`0179feb0 00000000`776a3281 kernel32!BaseThreadInitThunk+0xd
00000000`0179fee0 00000000`00000000 ntdll!RtlUserThreadStart+0x21

- Dmitry Vostokov @ SoftwareGeneralist.com -

Reading Notebook: 03-August-10

August 10th, 2010

Comments in italics are mine and express my own views, thoughts and opinions

Windows Internals by M. Russinovich, D. Solomon and A. Ionescu:

Scatter/gather (p. 566) - you can find examples of scatter/gather I/O residues left on a thread raw stack in the Hardware Activity pattern and the corresponding case study:

http://www.dumpanalysis.org/blog/index.php/2010/05/08/crash-dump-analysis-patterns-part-98/ 

and

http://www.dumpanalysis.org/blog/index.php/2010/06/07/irp-distribution-anomaly-inconsistent-dump-execution-residue-hardware-activity-coincidental-symbolic-information-not-my-version-virtualized-system-pattern-cooperation/

IRP (pp. 566 - 567) - here is an expanded IRP structure from x64 W2K8:

0: kd> dt -r1 _IRP
ntdll!_IRP
   +0x000 Type             : Int2B
   +0x002 Size             : Uint2B
   +0x008 MdlAddress       : Ptr64 _MDL
      +0x000 Next             : Ptr64 _MDL
      +0x008 Size             : Int2B
      +0x00a MdlFlags         : Int2B
      +0x010 Process          : Ptr64 _EPROCESS
      +0x018 MappedSystemVa   : Ptr64 Void
      +0x020 StartVa          : Ptr64 Void
      +0x028 ByteCount        : Uint4B
      +0x02c ByteOffset       : Uint4B
   +0x010 Flags            : Uint4B
   +0x018 AssociatedIrp    : <unnamed-tag>
      +0x000 MasterIrp        : Ptr64 _IRP
      +0x000 IrpCount         : Int4B
      +0x000 SystemBuffer     : Ptr64 Void
   +0x020 ThreadListEntry  : _LIST_ENTRY
      +0x000 Flink            : Ptr64 _LIST_ENTRY
      +0x008 Blink            : Ptr64 _LIST_ENTRY
   +0x030 IoStatus         : _IO_STATUS_BLOCK
      +0x000 Status           : Int4B
      +0x000 Pointer          : Ptr64 Void
      +0x008 Information      : Uint8B
   +0x040 RequestorMode    : Char
   +0x041 PendingReturned  : UChar
   +0x042 StackCount       : Char
   +0x043 CurrentLocation  : Char
   +0x044 Cancel           : UChar
   +0x045 CancelIrql       : UChar
   +0x046 ApcEnvironment   : Char
   +0x047 AllocationFlags  : UChar
   +0x048 UserIosb         : Ptr64 _IO_STATUS_BLOCK
      +0x000 Status           : Int4B
      +0x000 Pointer          : Ptr64 Void
      +0x008 Information      : Uint8B
   +0x050 UserEvent        : Ptr64 _KEVENT
      +0x000 Header           : _DISPATCHER_HEADER
   +0x058 Overlay          : <unnamed-tag>
      +0x000 AsynchronousParameters : <unnamed-tag>
      +0x000 AllocationSize   : _LARGE_INTEGER
   +0x068 CancelRoutine    : Ptr64     void
   +0x070 UserBuffer       : Ptr64 Void
   +0x078 Tail             : <unnamed-tag>
      +0x000 Overlay          : <unnamed-tag>
      +0x000 Apc              : _KAPC
      +0x000 CompletionKey    : Ptr64 Void

IRP stack locations (pp. 568 - 569) - here is a corresponding structure from x64 W2K8:

0: kd> dt _IO_STACK_LOCATION
ntdll!_IO_STACK_LOCATION
   +0x000 MajorFunction    : UChar
   +0x001 MinorFunction    : UChar
   +0x002 Flags            : UChar
   +0x003 Control          : UChar
   +0x008 Parameters       : <unnamed-tag>
   +0x028 DeviceObject     : Ptr64 _DEVICE_OBJECT
   +0x030 FileObject       : Ptr64 _FILE_OBJECT
   +0x038 CompletionRoutine : Ptr64     long
   +0x040 Context          : Ptr64 Void 

Buffered I/O (p. 570) - this part of the IRP references the buffer into which user input data is copied and from which device output data is copied back:

   +0x018 AssociatedIrp    : <unnamed-tag>
      +0x000 MasterIrp        : Ptr64 _IRP
      +0x000 IrpCount         : Int4B
      +0x000 SystemBuffer     : Ptr64 Void

These parts of I/O stack location structure handle buffer lengths:

      +0x000 DeviceIoControl  : <unnamed-tag>
         +0x000 OutputBufferLength : Uint4B
         +0x008 InputBufferLength : Uint4B

         +0x010 IoControlCode    : Uint4B
         +0x018 Type3InputBuffer : Ptr64 Void

      +0x000 Read             : <unnamed-tag>
         +0x000 Length           : Uint4B
         +0x008 Key              : Uint4B
         +0x010 ByteOffset       : _LARGE_INTEGER

      +0x000 Write            : <unnamed-tag>
         +0x000 Length           : Uint4B
         +0x008 Key              : Uint4B
         +0x010 ByteOffset       : _LARGE_INTEGER

Direct I/O (p. 570) - these parts of the IRP handle IOCTL input data (SystemBuffer, via buffering) and IOCTL output/Read/Write data (MdlAddress):

   +0x008 MdlAddress       : Ptr64 _MDL
      +0x000 Next             : Ptr64 _MDL
      +0x008 Size             : Int2B
      +0x00a MdlFlags         : Int2B
      +0x010 Process          : Ptr64 _EPROCESS
      +0x018 MappedSystemVa   : Ptr64 Void
      +0x020 StartVa          : Ptr64 Void
      +0x028 ByteCount        : Uint4B
      +0x02c ByteOffset       : Uint4B

   +0x018 AssociatedIrp    : <unnamed-tag>
      +0x000 MasterIrp        : Ptr64 _IRP
      +0x000 IrpCount         : Int4B
      +0x000 SystemBuffer     : Ptr64 Void

Neither I/O (p. 571) - these parts handle input data (IO_STACK_LOCATION.Parameters.DeviceIoControl.Type3InputBuffer) and output data (IRP.UserBuffer):

      +0x000 DeviceIoControl  : <unnamed-tag>
         +0x000 OutputBufferLength : Uint4B
         +0x008 InputBufferLength : Uint4B
         +0x010 IoControlCode    : Uint4B
         +0x018 Type3InputBuffer : Ptr64 Void

   +0x070 UserBuffer       : Ptr64 Void
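The three buffering methods above decide which IRP field a driver may touch and which lengths it must check before doing so. As an added example (not code from Windows Internals or from this blog), here is a user-mode C model of those IRP and I/O stack location fields together with the validation an IRP_MJ_DEVICE_CONTROL dispatch routine should run before reading or writing any buffer. The CTL_CODE layout and METHOD_* values are the real Windows ones; the device contract (the MYDEV_IOCTL_* codes, an 8-byte input and a 16-byte output) and the check_request helper are hypothetical.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Added example, not code from Windows Internals or this blog: a user-mode model
 * of the IRP and IO_STACK_LOCATION fields listed above, with the checks an
 * IRP_MJ_DEVICE_CONTROL dispatch routine should make before touching a buffer. */

typedef int32_t NTSTATUS;
#define STATUS_SUCCESS                ((NTSTATUS)0x00000000L)
#define STATUS_INVALID_DEVICE_REQUEST ((NTSTATUS)0xC0000010L)
#define STATUS_INVALID_PARAMETER      ((NTSTATUS)0xC000000DL)
#define STATUS_BUFFER_TOO_SMALL       ((NTSTATUS)0xC0000023L)

/* Real Windows IOCTL code layout: the low two bits select the buffering method. */
#define METHOD_BUFFERED   0
#define METHOD_IN_DIRECT  1
#define METHOD_OUT_DIRECT 2
#define METHOD_NEITHER    3
#define FILE_ANY_ACCESS     0
#define FILE_DEVICE_UNKNOWN 0x22
#define CTL_CODE(DeviceType, Function, Method, Access) \
    ((uint32_t)(((DeviceType) << 16) | ((Access) << 14) | ((Function) << 2) | (Method)))

/* Hypothetical device contract: an 8-byte command in, a 16-byte reply out. */
#define MYDEV_IOCTL_QUERY    CTL_CODE(FILE_DEVICE_UNKNOWN, 0x801, METHOD_BUFFERED,   FILE_ANY_ACCESS)
#define MYDEV_IOCTL_READ_RAW CTL_CODE(FILE_DEVICE_UNKNOWN, 0x802, METHOD_OUT_DIRECT, FILE_ANY_ACCESS)
#define MYDEV_IOCTL_FAST     CTL_CODE(FILE_DEVICE_UNKNOWN, 0x803, METHOD_NEITHER,    FILE_ANY_ACCESS)
#define MYDEV_IN_SIZE  8u
#define MYDEV_OUT_SIZE 16u

/* IO_STACK_LOCATION.Parameters.DeviceIoControl, as in the dt output above. */
typedef struct {
    uint32_t OutputBufferLength;
    uint32_t InputBufferLength;
    uint32_t IoControlCode;
    void    *Type3InputBuffer;   /* METHOD_NEITHER input: a raw user-mode pointer */
} DEVICE_IO_CONTROL_PARAMS;

/* The three IRP fields the methods map onto. */
typedef struct {
    void *SystemBuffer;          /* AssociatedIrp.SystemBuffer: kernel copy of the input */
    void *MdlAddress;            /* MDL describing the locked output pages (direct I/O) */
    void *UserBuffer;            /* METHOD_NEITHER output: a raw user-mode pointer */
} MODEL_IRP;

unsigned ioctl_method(uint32_t code) { return code & 3u; }

NTSTATUS validate_ioctl(const MODEL_IRP *irp, const DEVICE_IO_CONTROL_PARAMS *p)
{
    if (p->IoControlCode != MYDEV_IOCTL_QUERY &&
        p->IoControlCode != MYDEV_IOCTL_READ_RAW &&
        p->IoControlCode != MYDEV_IOCTL_FAST)
        return STATUS_INVALID_DEVICE_REQUEST;

    /* The lengths come from the caller; never assume they match the contract. */
    if (p->InputBufferLength < MYDEV_IN_SIZE || p->OutputBufferLength < MYDEV_OUT_SIZE)
        return STATUS_BUFFER_TOO_SMALL;

    switch (ioctl_method(p->IoControlCode)) {
    case METHOD_BUFFERED:
        /* Input and output share SystemBuffer; the I/O manager copies it back on completion. */
        return irp->SystemBuffer ? STATUS_SUCCESS : STATUS_INVALID_PARAMETER;
    case METHOD_IN_DIRECT:
    case METHOD_OUT_DIRECT:
        /* Input is buffered into SystemBuffer; output goes through the MDL. */
        return (irp->SystemBuffer && irp->MdlAddress) ? STATUS_SUCCESS : STATUS_INVALID_PARAMETER;
    case METHOD_NEITHER:
        /* Both pointers are raw user addresses. A real driver must ProbeForRead /
         * ProbeForWrite them inside __try/__except and copy the data out before
         * using it; only the NULL check is modelled here. */
        return (p->Type3InputBuffer && irp->UserBuffer) ? STATUS_SUCCESS : STATUS_INVALID_PARAMETER;
    }
    return STATUS_INVALID_PARAMETER;
}

/* Build a request from constructed inputs (the flags say which buffer fields are present). */
NTSTATUS check_request(uint32_t code, uint32_t in_len, uint32_t out_len,
                       int have_system, int have_mdl, int have_user_ptrs)
{
    static uint8_t sys[64], mdl[64], in[64], out[64];   /* constructed stand-in storage */
    MODEL_IRP irp = { have_system ? sys : NULL, have_mdl ? mdl : NULL, have_user_ptrs ? out : NULL };
    DEVICE_IO_CONTROL_PARAMS p = { out_len, in_len, code, have_user_ptrs ? in : NULL };
    return validate_ioctl(&irp, &p);
}

int main(void)
{
    printf("buffered, ok:        0x%08x\n", (unsigned)check_request(MYDEV_IOCTL_QUERY, 8, 16, 1, 0, 0));
    printf("buffered, short out: 0x%08x\n", (unsigned)check_request(MYDEV_IOCTL_QUERY, 8, 4, 1, 0, 0));
    printf("direct, no MDL:      0x%08x\n", (unsigned)check_request(MYDEV_IOCTL_READ_RAW, 8, 16, 1, 0, 0));
    printf("neither, NULL ptrs:  0x%08x\n", (unsigned)check_request(MYDEV_IOCTL_FAST, 8, 16, 0, 0, 0));
    return 0;
}
```

The point of the model is that the field a driver reads depends on the method bits of the IOCTL code, not on what the caller claims: with METHOD_BUFFERED and the direct methods the I/O manager has already validated and copied or locked the user memory, whereas with METHOD_NEITHER Type3InputBuffer and UserBuffer are whatever the caller passed, so the length check alone is not enough and the probe-and-copy step in a real driver is mandatory.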

I/O status block and kernel APC (pp. 575 - 577) - this is a part of the IRP structure:

   +0x030 IoStatus         : _IO_STATUS_BLOCK
      +0x000 Status           : Int4B
      +0x000 Pointer          : Ptr64 Void
      +0x008 Information      : Uint8B

KeSynchronizeExecution (p. 578) - here is a stack trace fragment showing it in action:

[...]
b9ada518 8088d661 SCSIPORT!SpStartIoSynchronized+0x14f
b9ada550 80a60147 nt!KeSynchronizeExecution+0x21
b9ada57c f72523a6 hal!HalBuildScatterGatherList+0x1c7
b9ada5c8 8081cfa2 SCSIPORT!ScsiPortStartIo+0x36a
b9ada5ec f725262f nt!IoStartPacket+0x82
b9ada620 f7252146 SCSIPORT!ScsiPortFdoDispatch+0x270
b9ada63c f7251dc3 SCSIPORT!SpDispatchRequest+0x68
b9ada658 f7251299 SCSIPORT!ScsiPortPdoScsi+0x129
b9ada66c 8081df85 SCSIPORT!ScsiPortGlobalDispatch+0x1d
b9ada680 f723e607 nt!IofCallDriver+0x45
b9ada690 f723e2b2 CLASSPNP!SubmitTransferPacket+0xbb
b9ada6c4 f723e533 CLASSPNP!ServiceTransferRequest+0x1e4
b9ada6e8 8081df85 CLASSPNP!ClassReadWrite+0x159
b9ada6fc f74c80cf nt!IofCallDriver+0x45
b9ada70c 8081df85 PartMgr!PmReadWrite+0x95
b9ada720 f7317053 nt!IofCallDriver+0x45
b9ada73c 8081df85 ftdisk!FtDiskReadWrite+0x1a9
b9ada750 f72bf8bc nt!IofCallDriver+0x45
b9ada768 8081df85 volsnap!VolSnapRead+0x52
b9ada77c f7163a62 nt!IofCallDriver+0x45
b9ada788 f71638d9 Ntfs!NtfsSingleAsync+0x91
b9ada960 f7164156 Ntfs!NtfsNonCachedIo+0x2db
b9adaa4c f7164079 Ntfs!NtfsCommonRead+0xaf5
b9adabf8 8081df85 Ntfs!NtfsFsdRead+0x113
b9adac0c f721cc45 nt!IofCallDriver+0x45
b9adac34 8081df85 fltmgr!FltpDispatch+0x6f
b9adac48 bafd5373 nt!IofCallDriver+0x45
[...]

IRP and layered drivers (pp. 578 - 586) - here’s a UML-style diagram (#3) for IRP flow:

http://www.dumpanalysis.org/blog/index.php/2006/10/08/uml-and-device-drivers/ 

Associated IRP (pp. 585 - 586) - this is a part of IRP structure:

   +0x018 AssociatedIrp    : <unnamed-tag>
      +0x000 MasterIrp        : Ptr64 _IRP

File object vs. thread IRP association (p. 587)

Thread Termination and pending IRP (pp. 589 - 590) - this pattern uses I/O cancellation as an example:

http://www.dumpanalysis.org/blog/index.php/2007/12/14/crash-dump-analysis-patterns-part-42a/ 

- Dmitry Vostokov @ SoftwareGeneralist.com -

Reading Notebook: 19-July-10

July 22nd, 2010

Comments in italics are mine and express my own views, thoughts and opinions

Windows Internals by M. Russinovich, D. Solomon and A. Ionescu:

Viewing the loaded driver list (pp. 546 - 547) - if we don’t see company information in lmv command output we can examine raw driver data like in this pattern: http://www.dumpanalysis.org/blog/index.php/2007/08/16/crash-dump-analysis-patterns-part-22/

DriverEntry (p. 548) - consider it similar to main (console) or WinMain (Win32): it is the entry point where a driver fills in its driver object, above all the dispatch routines, much as a Windows service has to register its control handler functions with the SCM before it can do any work.

Dispatch routines (p. 548) - if you know C++, consider them class member functions of a device object, where DeviceObject is the implicit this parameter (a C++ member function implemented in C, where this becomes the first function argument):

NTSTATUS (*PDRIVER_DISPATCH) (IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp);

and a driver object can then be seen as the container for the virtual function table (vtable) shared by that driver's device objects (purely from an implementation perspective): devObj->DriverObject->MajorFunction[IRP_MJ_XXX]
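Added example, not part of the original notebook entry and not Windows code: a user-mode C model of the vtable analogy above, and of how an IRP travels through layered drivers (the "IRP and layered drivers" note in the 04-March-11 entry). A reduced driver object holds MajorFunction[], a reduced device object is the this parameter, and a model of IofCallDriver advances the IRP's stack location and calls DeviceObject->DriverObject->MajorFunction[major](DeviceObject, Irp). The IRP_MJ_* and NTSTATUS values are the real ones; the two-level stack (a pass-through filter over a "disk" function driver), the model's bugcheck substitute and every sim_-prefixed name are assumptions of the example.

```c
/*
 * Added example (not from the original post, not Windows code): a user-mode
 * model of driver object (dispatch table), device object (implicit this),
 * IofCallDriver and a filter driver passing an IRP down the device stack.
 * All sim_* names are this example's own assumptions.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IRP_MJ_CREATE           0x00
#define IRP_MJ_READ             0x03
#define IRP_MJ_SET_EA           0x07
#define IRP_MJ_MAXIMUM_FUNCTION 0x1b     /* 28 entries, as in MajorFunction[28] */

#define STATUS_SUCCESS                0x00000000u
#define STATUS_INVALID_DEVICE_REQUEST 0xC0000010u
#define SIM_STATUS_NO_MORE_STACK      0xFFFFFFFFu  /* model only: Windows bugchecks here */

struct sim_device;
struct sim_irp;
typedef uint32_t (*sim_dispatch_t)(struct sim_device *dev, struct sim_irp *irp);

struct sim_driver {                      /* _DRIVER_OBJECT, reduced */
    const char *name;
    sim_dispatch_t MajorFunction[IRP_MJ_MAXIMUM_FUNCTION + 1];
};
struct sim_device {                      /* _DEVICE_OBJECT, reduced */
    struct sim_driver *DriverObject;
    struct sim_device *AttachedDevice;   /* the device attached on top of this one */
    struct sim_device *AttachedTo;       /* the device this one is attached to */
    uint8_t StackSize;
};
struct sim_stack_location {              /* _IO_STACK_LOCATION, reduced */
    uint8_t MajorFunction;
    struct sim_device *DeviceObject;
};
#define SIM_MAX_STACK 8
struct sim_irp {                         /* _IRP, reduced */
    int StackCount;
    int CurrentLocation;                 /* StackCount + 1 before the first call */
    struct sim_stack_location stack[SIM_MAX_STACK];
    int visited;                         /* dispatch routines that ran, in order */
    const char *path[SIM_MAX_STACK];
};

static void sim_note(struct sim_device *dev, struct sim_irp *irp)
{
    if (irp->visited < SIM_MAX_STACK) irp->path[irp->visited++] = dev->DriverObject->name;
}

/* nt!IopInvalidDeviceRequest: default entry for every major function a driver
 * does not register. */
static uint32_t sim_invalid_request(struct sim_device *dev, struct sim_irp *irp)
{
    sim_note(dev, irp);
    return STATUS_INVALID_DEVICE_REQUEST;
}

/* What the I/O manager does before DriverEntry: fill the whole table with the
 * default; DriverEntry then overwrites the entries it supports. */
static void sim_driver_init(struct sim_driver *drv, const char *name)
{
    drv->name = name;
    for (int i = 0; i <= IRP_MJ_MAXIMUM_FUNCTION; i++) drv->MajorFunction[i] = sim_invalid_request;
}

/* IoAttachDeviceToDeviceStack: link both objects and grow the IRP stack size. */
static void sim_attach(struct sim_device *upper, struct sim_device *lower)
{
    upper->AttachedTo = lower;
    lower->AttachedDevice = upper;
    upper->StackSize = (uint8_t)(lower->StackSize + 1);
}

/* IofCallDriver: move to the next stack location, then call the dispatch
 * routine selected by the driver object and the location's major function. */
static uint32_t sim_call_driver(struct sim_device *dev, struct sim_irp *irp)
{
    irp->CurrentLocation--;
    if (irp->CurrentLocation <= 0) return SIM_STATUS_NO_MORE_STACK;
    struct sim_stack_location *sp = &irp->stack[irp->CurrentLocation - 1];
    sp->DeviceObject = dev;
    return dev->DriverObject->MajorFunction[sp->MajorFunction](dev, irp);
}

/* IoAllocateIrp sized for the top device plus filling the first stack location. */
static void sim_build_irp(struct sim_irp *irp, struct sim_device *top, uint8_t major)
{
    memset(irp, 0, sizeof *irp);
    if (major > IRP_MJ_MAXIMUM_FUNCTION) major = IRP_MJ_MAXIMUM_FUNCTION;
    irp->StackCount = top->StackSize;
    irp->CurrentLocation = irp->StackCount + 1;
    irp->stack[irp->StackCount - 1].MajorFunction = major;   /* seen first by the top driver */
}

/* Filter driver: pass every IRP down unchanged. IoSkipCurrentIrpStackLocation
 * steps CurrentLocation back so the lower driver reuses the same location. */
static uint32_t sim_filter_passthrough(struct sim_device *dev, struct sim_irp *irp)
{
    sim_note(dev, irp);
    irp->CurrentLocation++;
    return sim_call_driver(dev->AttachedTo, irp);
}

/* Function driver: the only major it handles itself is IRP_MJ_READ. */
static uint32_t sim_disk_read(struct sim_device *dev, struct sim_irp *irp)
{
    sim_note(dev, irp);
    return STATUS_SUCCESS;
}

/* Build filter-over-disk (constructed sample stack), send one IRP through it
 * and return the final status; irp records the drivers that ran. */
static uint32_t sim_send(uint8_t major, struct sim_irp *irp)
{
    static struct sim_driver disk_drv, filter_drv;
    static struct sim_device disk_dev, filter_dev;
    sim_driver_init(&disk_drv, "disk");
    disk_drv.MajorFunction[IRP_MJ_READ] = sim_disk_read;
    sim_driver_init(&filter_drv, "filter");
    for (int i = 0; i <= IRP_MJ_MAXIMUM_FUNCTION; i++) filter_drv.MajorFunction[i] = sim_filter_passthrough;
    memset(&disk_dev, 0, sizeof disk_dev);     disk_dev.DriverObject = &disk_drv;     disk_dev.StackSize = 1;
    memset(&filter_dev, 0, sizeof filter_dev); filter_dev.DriverObject = &filter_drv; filter_dev.StackSize = 1;
    sim_attach(&filter_dev, &disk_dev);
    sim_build_irp(irp, &filter_dev, major);
    return sim_call_driver(&filter_dev, irp);
}

int main(void)
{
    struct sim_irp irp;
    uint32_t st = sim_send(IRP_MJ_READ, &irp);
    printf("IRP_MJ_READ: status 0x%08x via", st);
    for (int i = 0; i < irp.visited; i++) printf(" %s", irp.path[i]);
    printf("\nIRP_MJ_SET_EA: status 0x%08x\n", sim_send(IRP_MJ_SET_EA, &irp));
    return 0;
}
```

Two things the model makes visible that the structure dumps alone do not: the IRP stack is sized from the top device's StackSize, which is why attaching a filter has to increment it, and an unregistered major function is not an error in the driver but a call into the default entry the I/O manager put there, which is where STATUS_INVALID_DEVICE_REQUEST comes from.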

Relationship between device and driver objects (pp. 553 - 554) - long time ago when I was preparing a presentation about Windows drivers for escalation engineers I created some UML diagrams you can see in the following blog post: http://www.dumpanalysis.org/blog/index.php/2006/10/08/uml-and-device-drivers/ 

AttachedDevice vs. AttachedTo (p. 554)

File object structure and extension (pp. 556 - 557) - here are the driver, device and file object structures from x64 W2K8:

0: kd> dt _DRIVER_OBJECT
ntdll!_DRIVER_OBJECT
   +0x000 Type             : Int2B
   +0x002 Size             : Int2B
   +0x008 DeviceObject     : Ptr64 _DEVICE_OBJECT
   +0x010 Flags            : Uint4B
   +0x018 DriverStart      : Ptr64 Void
   +0x020 DriverSize       : Uint4B
   +0x028 DriverSection    : Ptr64 Void
   +0x030 DriverExtension  : Ptr64 _DRIVER_EXTENSION
   +0x038 DriverName       : _UNICODE_STRING
   +0x048 HardwareDatabase : Ptr64 _UNICODE_STRING
   +0x050 FastIoDispatch   : Ptr64 _FAST_IO_DISPATCH
   +0x058 DriverInit       : Ptr64     long
   +0x060 DriverStartIo    : Ptr64     void
   +0x068 DriverUnload     : Ptr64     void
   +0x070 MajorFunction    : [28] Ptr64     long

0: kd> dt _DEVICE_OBJECT
ntdll!_DEVICE_OBJECT
   +0x000 Type             : Int2B
   +0x002 Size             : Uint2B
   +0x004 ReferenceCount   : Int4B
   +0x008 DriverObject     : Ptr64 _DRIVER_OBJECT
   +0x010 NextDevice       : Ptr64 _DEVICE_OBJECT
   +0x018 AttachedDevice   : Ptr64 _DEVICE_OBJECT
   +0x020 CurrentIrp       : Ptr64 _IRP
   +0x028 Timer            : Ptr64 _IO_TIMER
   +0x030 Flags            : Uint4B
   +0x034 Characteristics  : Uint4B
   +0x038 Vpb              : Ptr64 _VPB
   +0x040 DeviceExtension  : Ptr64 Void
   +0x048 DeviceType       : Uint4B
   +0x04c StackSize        : Char
   +0x050 Queue            : <unnamed-tag>
   +0x098 AlignmentRequirement : Uint4B
   +0x0a0 DeviceQueue      : _KDEVICE_QUEUE
   +0x0c8 Dpc              : _KDPC
   +0x108 ActiveThreadCount : Uint4B
   +0x110 SecurityDescriptor : Ptr64 Void
   +0x118 DeviceLock       : _KEVENT
   +0x130 SectorSize       : Uint2B
   +0x132 Spare1           : Uint2B
   +0x138 DeviceObjectExtension : Ptr64 _DEVOBJ_EXTENSION
   +0x140 Reserved         : Ptr64 Void

0: kd> dt _FILE_OBJECT
ntdll!_FILE_OBJECT
   +0x000 Type             : Int2B
   +0x002 Size             : Int2B
   +0x008 DeviceObject     : Ptr64 _DEVICE_OBJECT
   +0x010 Vpb              : Ptr64 _VPB
   +0x018 FsContext        : Ptr64 Void
   +0x020 FsContext2       : Ptr64 Void
   +0x028 SectionObjectPointer : Ptr64 _SECTION_OBJECT_POINTERS
   +0x030 PrivateCacheMap  : Ptr64 Void
   +0x038 FinalStatus      : Int4B
   +0x040 RelatedFileObject : Ptr64 _FILE_OBJECT
   +0x048 LockOperation    : UChar
   +0x049 DeletePending    : UChar
   +0x04a ReadAccess       : UChar
   +0x04b WriteAccess      : UChar
   +0x04c DeleteAccess     : UChar
   +0x04d SharedRead       : UChar
   +0x04e SharedWrite      : UChar
   +0x04f SharedDelete     : UChar
   +0x050 Flags            : Uint4B
   +0x058 FileName         : _UNICODE_STRING
   +0x068 CurrentByteOffset : _LARGE_INTEGER
   +0x070 Waiters          : Uint4B
   +0x074 Busy             : Uint4B
   +0x078 LastLock         : Ptr64 Void
   +0x080 Lock             : _KEVENT
   +0x098 Event            : _KEVENT
   +0x0b0 CompletionContext : Ptr64 _IO_COMPLETION_CONTEXT
   +0x0b8 IrpListLock      : Uint8B
   +0x0c0 IrpList          : _LIST_ENTRY
   +0x0d0 FileObjectExtension : Ptr64 Void

- Dmitry Vostokov @ SoftwareGeneralist.com -

Reading Notebook: 12-July-10

July 12th, 2010

Comments in italics are mine and express my own views, thoughts and opinions

Windows Internals by M. Russinovich, D. Solomon and A. Ionescu:

File and registry virtualization is for 32-bit apps only (p. 522)

Files (as locations) with executable extensions are excluded from virtualization (p. 524)

luafv.sys - filesystem virtualization driver (pp. 524 - 525)

\Users\<user>\AppData\Local\VirtualStore\Windows\*.* (p. 525)  

Admin Approval Mode, over-the-shoulder and consent elevations (p. 529)

appinfo.dll -> consent.exe (p. 529)

Process reparenting (p. 531)

Running regedt32.exe to get virtualized registry view (p. 533)

Typical I/O request flow (pp. 540 - 541) - here is a stack trace example from x64 Windows for a remote file request that reaches the network drivers (some irrelevant third-party filter drivers, such as antivirus, were skipped):

Child-SP          RetAddr           Call Site
fffffadf`25d92ff0 fffffadf`28ec5b97 NetworkCardVendor!send_packet+0x33c
fffffadf`25d93250 fffffadf`28ec5903 NDIS!ndisMProcessSGList+0x8e
fffffadf`25d932e0 fffffadf`28e85618 NDIS!ndisMAllocSGList+0x17c
fffffadf`25d933a0 fffffadf`26ab57c4 NDIS!ndisMSendX+0x21e
fffffadf`25d934d0 fffffadf`26ab5999 tcpip!ARPSendData+0x23a
fffffadf`25d93540 fffffadf`26ab20ea tcpip!ARPTransmit+0x151
fffffadf`25d935d0 fffffadf`26aaecad tcpip!IPTransmit+0xaf5
fffffadf`25d93850 fffffadf`26aa94c6 tcpip!TCPSend+0x8d5
fffffadf`25d93930 fffffadf`26aafa8c tcpip!TdiSend+0x344
fffffadf`25d939a0 fffffadf`26a4085c tcpip!TCPSendData+0xee
fffffadf`25d93a00 fffffadf`26a4845b netbt!NTSend+0x227
fffffadf`25d93ac0 fffffadf`269a546d netbt!NbtDispatchInternalCtrl+0x38
fffffadf`25d93c50 fffffadf`269cea18 rdbss!RxTdiSend+0x1a2
fffffadf`25d93cf0 fffffadf`2693efcf rdbss!RxCeSend+0x98
fffffadf`25d93d80 fffffadf`268d82fd mrxsmb!VctTranceive+0xa6
fffffadf`25d93de0 fffffadf`2693fea9 mrxsmb!SmbCeTranceive+0x483
fffffadf`25d93e70 fffffadf`2693e94b mrxsmb!SmbTransactExchangeStart+0x558
fffffadf`25d93f20 fffffadf`26940abf mrxsmb!SmbCeInitiateExchange+0x2fd
fffffadf`25d93f70 fffffadf`26940c5b mrxsmb!SmbCeSubmitTransactionRequest+0x148
fffffadf`25d93fe0 fffffadf`269412e0 mrxsmb!_SmbCeTransact+0x1a1
fffffadf`25d940c0 fffffadf`26941625 mrxsmb!MRxSmbQueryFileInformation+0x811
fffffadf`25d94220 fffffadf`26941dfa mrxsmb!MRxSmbQueryFileInformationFromPseudoOpen+0x116
fffffadf`25d94260 fffffadf`2693e94b mrxsmb!SmbPseExchangeStart_Create+0x2da
fffffadf`25d94300 fffffadf`2693f50c mrxsmb!SmbCeInitiateExchange+0x2fd
fffffadf`25d94350 fffffadf`269cc4c1 mrxsmb!MRxSmbCreate+0x5d6
fffffadf`25d94430 fffffadf`269cc730 rdbss!RxCollapseOrCreateSrvOpen+0x154
fffffadf`25d944d0 fffffadf`269c7a92 rdbss!RxCreateFromNetRoot+0x399
fffffadf`25d94570 fffffadf`269a2a77 rdbss!RxCommonCreate+0x49a
fffffadf`25d94680 fffffadf`269343e8 rdbss!RxFsdCommonDispatch+0x51c
fffffadf`25d94780 fffffadf`290bfdb3 mrxsmb!MRxSmbFsdDispatch+0x211
fffffadf`25d947d0 fffffadf`290bfdb3 fltmgr!FltpCreate+0x353
[...]
fffffadf`25d98460 fffff800`012840b4 nt!IopParseDevice+0x1088
fffffadf`25d98610 fffff800`012887d7 nt!ObpLookupObjectName+0x931
fffffadf`25d98720 fffff800`01295dad nt!ObOpenObjectByName+0x180
fffffadf`25d98910 fffff800`0129cd87 nt!IopCreateFile+0x630
fffffadf`25d98aa0 fffff800`012987f9 nt!IoCreateFile+0x12f
fffffadf`25d98b80 fffff800`0102e5fd nt!NtOpenFile+0x49
fffffadf`25d98c00 00000000`77ef0d1a nt!KiSystemServiceCopyEnd+0x3
00000000`000ac568 00000000`77d6f7c9 ntdll!NtCreateFile+0xa
00000000`000ac570 000007ff`7fd535c3 kernel32!CreateFileW+0x511

- Dmitry Vostokov @ SoftwareGeneralist.com -