Update 1/26 Our sources at Microsoft provided us with the following info: Microsoft is aware of a recent research blog post discussing a bug that could appear to lead to possible NTFS corruption. We have investigated this issue and confirmed that NTFS corruption does not result. When the symptom appears, a flag is set to […]
Unexpected FltGetFileNameInformation Behavior for Network Renames (oh, and Tunnel Caching too)
A couple of weeks ago I was teaching our Developing File System Minifilters for Windows seminar here in Manchester, NH. A student asked a question about a behavior they were seeing when calling FltGetFileNameInformation after a rename operation on the network. Much to their surprise, the name returned was the old name for the file […]
How L1 Terminal Fault (L1TF) Mitigation and WinDbg Wasted My Morning (a.k.a. Yak Shaving: WinDbg Edition)
I’ve been doing some research into the Windows Filtering Platform and the information available at each of the various filtering layers. In particular, I’ve been focusing on the information available in Windows 7 as that predates some ETW trace points that contain interesting network event data. After attaching a filter to the FWPM_LAYER_ALE_AUTH_CONNECT_V4 layer, I […]
PSA: FsRtlIsNameInExpression Can Raise an Exception
Well, THIS one was a surprise… After triggering a memory leak in a driver, the system surprisingly crashed due to a call to FsRtlIsNameInExpression: As best we could tell we were passing valid input to FsRtlIsNameInExpression, so what’s up? The answer lies in the exception code: STATUS_NO_MEMORY (0xC0000017). A quick scan of the disassembly shows that yes […]
NTFS Status Debugging
As a file system filter developer, one of the great pains in life is when a file system operation fails deep in the bowels of the file system. For example, say I’m trying to rename a file with FltSetInformationFile for FileRenameInformation and I get back STATUS_ACCESS_DENIED. How do I track that down? Sure, I could try […]
Check out the new Virtual Hardware Lab Kit (VHLK)
A big complaint I’ve always had about the HLKs is the overhead of getting a system provisioned as the HLK controller. This is made even worse now by the blistering speed with which Windows feature updates are coming, thus requiring the installation of yet another HLK controller for compliance testing every few months. I was […]
Finding the Computer Name in a Crash Dump
I was looking at a few different crashes today that were all eerily similar. In doing so, I realized that I hadn’t asked if these were all different systems or the same system. I could have just asked the person reporting the crashes, but what fun is that? Prior to Windows 10, the computer name […]
Beware MmBuildMdlForNonPagedPool and Kernel Stacks
Well, this one took us by surprise… MmBuildMdlForNonPagedPool is the standard shortcut function drivers use to build MDLs describing non-pageable memory. Despite the name, the buffer described by the MDL does not necessarily need to come from non-paged pool. For example, the documentation says it’s legal to call MmBuildMdlForNonPagedPool on the buffer returned by MmAllocateContiguousMemorySpecifyCache, […]
Beware of IoBuildDeviceIoControlRequest
Diagnosed yet another crash today that is likely due to the usage of IoBuildDeviceIoControlRequest. Long ago I was burned by this API and vowed to never use it again, but somehow I neglected to share this with everyone else. Sorry about that! The trouble with this API is that it’s an attractive nuisance. You need […]
Meltdown and Spectre: What about drivers?
The week of the Meltdown and Spectre vulnerabilities was one of the most fun weeks I’ve had in a while. Not only were the vulnerabilities mind-bendingly clever, that week had just about everything you could possibly want in a story: mystery, intrigue, heroes, villains, and probably the greatest patch ever submitted. After consuming as much information […]