I’ve been doing some research into the Windows Filtering Platform and the information available at each of the various filtering layers. In particular, I’ve been focusing on the information available in Windows 7 as that predates some ETW trace points that contain interesting network event data. After attaching a filter to the FWPM_LAYER_ALE_AUTH_CONNECT_V4 layer, I […]
NTFS Status Debugging
As a file system filter developer, one of the great pains in life is when a file system operation fails deep in the bowels of the file system. For example, say I’m trying to rename a file with FltSetInformationFile for FileRenameInformation and I get back STATUS_ACCESS_DENIED. How do I track that down? Sure, I could try […]
Finding the Computer Name in a Crash Dump
I was looking at a few different crashes today that were all eerily similar. In doing so, I realized that I hadn’t asked if these were all different systems or the same system. I could have just asked the person reporting the crashes, but what fun is that? Prior to Windows 10, the computer name […]
Beware MmBuildMdlForNonPagedPool and Kernel Stacks
Well, this one took us by surprise… MmBuildMdlForNonPagedPool is the standard shortcut function drivers use to build MDLs describing non-pageable memory. Despite the name, the buffer described by the MDL does not necessarily need to come from non-paged pool. For example, the documentation says it’s legal to call MmBuildMdlForNonPagedPool on the buffer returned by MmAllocateContiguousMemorySpecifyCache, […]
Beware of IoBuildDeviceIoControlRequest
Diagnosed yet another crash today that is likely due to the usage of IoBuildDeviceIoControlRequest. Long ago I was burned by this API and vowed to never use it again, but somehow I neglected to share this with everyone else. Sorry about that! The trouble with this API is that it’s an attractive nuisance. You need […]
Tracking an NTSTATUS to its Source
I found myself in a situation this week where I really wanted to call the API SeTokenIsAdmin. I vaguely remembered some issues around this API, and Googling quickly brought up a couple of threads from NTDEV and NTFSD hinting at a security issue that was fixed in 2015: https://www.osronline.com/ShowThread.cfm?link=201029 https://www.osronline.com/showthread.cfm?link=264871 (Yes, I was on one […]
WinDbg, Debugger Objects, and JavaScript! Oh, My!
In case you’ve missed it, there are tons of changes going on under the covers in WinDbg. There is a fundamental paradigm shift going on in terms of how WinDbg grants access and presents data to the user and it can lead to some pretty cool results. Let’s take a concrete example of the old way […]
1394 Boot Debugging is Dead
TL;DR: Don’t waste your time like we did – 1394 boot debugging no longer works on the latest builds of Windows 10. As you might already be aware, native 1394 kernel debug support was pulled from the latest Windows 10 releases. An officially sanctioned workaround was provided by the kernel debugging team at Microsoft and we […]
Unexpected Case of Bugcheck IRQL_UNEXPECTED_VALUE (C8)
Yet another interesting case lands on our doorstep thanks to NTDEV (original post here). I firmly believe that you have zero chance of diagnosing a non-trivial crash if you don’t understand the bugcheck code. The bugcheck code is, in fact, THE definitive reason for the crash. Of course, just understanding the bugcheck code itself is […]
Debugging Target RS1? Good Luck!
[Last updated 31 Aug 2016, 16:11 Eastern time] Update: As of 31 August 2016, we have verified that RS1 symbols are now present and indexed on the MSFT Symbol Server. Yay! We’re back in business! The hits to driver developers just keep on coming when it comes to RS1. The latest? The symbols for WDF01000.SYS and […]