Hello,

I am writing a minifilter driver that reads some configuration data from the
registry in its DriverEntry procedure using RtlQueryRegistryValues.

If I use REG_SZ values in the registry then everything works as expected.
However if I use REG_EXPAND_SZ values the system bug checks when calling
nt!RtlQueryEnvironmentVariable_U. The bug check is
PAGE_FAULT_IN_NONPAGED_AREA (50) and it occurs right at the beginning of
RtlQueryEnvironmentVariable_U. When I examine RtlQueryEnvironmentVariable_U
in the debugger it looks like the procedure is paged out (the debugger just
shows ?? for the disassembly).

Details are at the end of the message.

Can anyone tell me what's going on and how to fix the problem?

I'm using the Windows XP SP2 checked build with the driver verifier enabled
for my driver (same problem occurs with the free build without the driver
verifier IIRC).

Cheers,
Chris

My code:
696 UNICODE_STRING uTop, uBottom;
697 UNICODE_STRING uTopPath = { 0 };
698 UNICODE_STRING uBottomPath = { 0 };
699 PKEY_VALUE_PARTIAL_INFORMATION pkvpi;
700 RTL_QUERY_REGISTRY_TABLE QueryTable[3];
701 PVOID TopBuffer = NULL;
702 PVOID BottomBuffer = NULL;
703
704 RtlZeroMemory( QueryTable, sizeof( QueryTable ) );
705
706 QueryTable[0].Flags = RTL_QUERY_REGISTRY_REQUIRED | RTL_QUERY_REGISTRY_DIRECT;
707 QueryTable[0].Name = L"Top";
708 QueryTable[0].EntryContext = &uTopPath;
709 QueryTable[1].Flags = RTL_QUERY_REGISTRY_REQUIRED | RTL_QUERY_REGISTRY_DIRECT;
710 QueryTable[1].Name = L"Bottom";
711 QueryTable[1].EntryContext = &uBottomPath;
712
713 ASSERT( KeGetCurrentIrql( ) == PASSIVE_LEVEL );
714
715 status = RtlQueryRegistryValues( RTL_REGISTRY_HANDLE, ( PCWSTR ) SubKeyHandle, QueryTable, NULL, NULL );
716 if ( !NT_SUCCESS( status ) ) {
717     OVL_DBG_PRINT( OVLDBG_TRACE_ERRORS,
718         ( "Overlay!OverlayInitFromRegistry: RtlQueryRegistryValues failed %08x\n", status ) );
719 } else {
720     OVL_DBG_PRINT( OVLDBG_TRACE_VERBOSE,
721         ( "Overlay!OverlayInitFromRegistry: uTopPath = \"%wZ\" uBottomPath = \"%wZ\"\n", &uTopPath,
722           &uBottomPath ) );
723     status = OverlayAdd( &uBottomPath, &uTopPath );
724     if ( !NT_SUCCESS( status ) )
725         OVL_DBG_PRINT( OVLDBG_TRACE_ERRORS, ( "Overlay!OverlayInitFromRegistry: OverlayAdd failed %08x\n", status ) );
726
727     RtlFreeUnicodeString( &uBottomPath );
728     RtlFreeUnicodeString( &uTopPath );
729 }

(Some of the declared variables are unused.)

Debugger output:
*******************************************************************************
*
* This is the string you add to your checkin description
* Driver Verifier: Enabled for Overlay.sys on Build 2600 bvs3DuzH2lcqtHJHBbXCJD
*
*******************************************************************************
Overlay!DriverEntry: Entered
Overlay!DriverEntry: Build Nov 18 2005 11:42:25
Overlay!OverlayInitFromRegistry: Entered
Overlay!OverlayInitFromRegistry: RegistryPath = "\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Overlay"
Overlay!OverlayInitFromRegistry: SubKeys = 1

*** Fatal System Error: 0x00000050 (0x80D463E6,0x00000000,0x80D463E6,0x00000000)

Break instruction exception - code 80000003 (first chance)

A fatal system error has occurred.
Debugger entered on first try; Bugcheck callbacks have not been invoked.

A fatal system error has occurred.

Connected to Windows XP 2600 x86 compatible target, ptr64 FALSE
Loading Kernel Symbols
..................................................................................................
Loading unloaded module list
............
Loading User Symbols
*******************************************************************************
*
*
* Bugcheck Analysis
*
*
*
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 50, {80d463e6, 0, 80d463e6, 0}

Probably caused by : Overlay.sys ( Overlay!OverlayInitFromRegistry+314 )

Followup: MachineOwner
---------

nt!RtlpBreakWithStatusInstruction:
80aba26c cc int 3
kd> !analyze -v
*******************************************************************************
*
*
* Bugcheck Analysis
*
*
*
*******************************************************************************

PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except,
it must be protected by a Probe. Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: 80d463e6, memory referenced.
Arg2: 00000000, value 0 = read operation, 1 = write operation.
Arg3: 80d463e6, If non-zero, the instruction address which referenced the bad memory
address.
Arg4: 00000000, (reserved)

Debugging Details:
------------------


OVERLAPPED_MODULE: rdbss

READ_ADDRESS: 80d463e6

FAULTING_IP:
nt!RtlQueryEnvironmentVariable_U+0
80d463e6 ?? ???

MM_INTERNAL_CODE: 0

DEFAULT_BUCKET_ID: DRIVER_FAULT

BUGCHECK_STR: 0x50

LAST_CONTROL_TRANSFER: from 80bf3c51 to 80d463e6

TRAP_FRAME: f9744a10 -- (.trap fffffffff9744a10)
ErrCode = 00000000
eax=f9744aa8 ebx=00000026 ecx=00000016 edx=00000000 esi=e12dd8b4 edi=e12dd8cc
eip=80d463e6 esp=f9744a84 ebp=f9744ac0 iopl=0 nv up ei pl zr na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000246
nt!RtlQueryEnvironmentVariable_U:
80d463e6 ?? ???
Resetting default scope

STACK_TEXT:
f9744a80 80bf3c51 00000000 f9744aa8 f9744aa0 nt!RtlQueryEnvironmentVariable_U
f9744ac0 80bf44c4 00000000 00000082 f9744aec nt!RtlExpandEnvironmentStrings_U+0xed
f9744b04 80bf4957 f9744b90 e12dd8b4 f9744b64 nt!RtlpCallQueryRegistryRoutine+0x2f4
f9744b68 f56b588e 00000000 00000084 00000001 nt!RtlQueryRegistryValues+0x2dd
f9744c6c f56b64e3 ff984000 81d46610 f9744d58 Overlay!OverlayInitFromRegistry+0x314 [c:\winddk\5112\src\filesys\minifilter\overlay\overlay.c @ 715]
f9744c7c 80b3368a 81d46610 ff984000 f597fce8 Overlay!DriverEntry+0x5d [c:\winddk\5112\src\filesys\minifilter\overlay\overlay.c @ 954]
f9744d58 80b338ba 000004c0 00000001 00000000 nt!IopLoadDriver+0x6b6
f9744d80 80acbd9f 00000000 00000000 81dbc848 nt!IopLoadUnloadDriver+0x78
f9744dac 80bcb95a f597fce8 00000000 00000000 nt!ExpWorkerThread+0x10f
f9744ddc 80adae82 80acbc90 80000001 00000000 nt!PspSystemThreadStartup+0x34
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16


FAILED_INSTRUCTION_ADDRESS:
nt!RtlQueryEnvironmentVariable_U+0
80d463e6 ?? ???

FOLLOWUP_IP:
Overlay!OverlayInitFromRegistry+314
[c:\winddk\5112\src\filesys\minifilter\overlay\overlay.c @ 715]
f56b588e 8bf0 mov esi,eax

SYMBOL_STACK_INDEX: 4

FOLLOWUP_NAME: MachineOwner

SYMBOL_NAME: Overlay!OverlayInitFromRegistry+314

MODULE_NAME: Overlay

IMAGE_NAME: Overlay.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 437dbe21

STACK_COMMAND: .trap fffffffff9744a10 ; kb

FAILURE_BUCKET_ID: 0x50_CODE_AV_BAD_IP_Overlay!OverlayInitFromRegistry+314

BUCKET_ID: 0x50_CODE_AV_BAD_IP_Overlay!OverlayInitFromRegistry+314

Followup: MachineOwner
---------

Disassembly of nt!RtlQueryEnvironmentVariable_U:
No prior disassembly possible
nt!RtlQueryEnvironmentVariable_U:
80d463e6 ?? ???
80d463e7 ?? ???
80d463e8 ?? ???
80d463e9 ?? ???
80d463ea ?? ???
80d463eb ?? ???
80d463ec ?? ???
80d463ed ?? ???
80d463ee ?? ???
80d463ef ?? ???
80d463f0 ?? ???
80d463f1 ?? ???
80d463f2 ?? ???
80d463f3 ?? ???
80d463f4 ?? ???
80d463f5 ?? ???
80d463f6 ?? ???
80d463f7 ?? ???
80d463f8 ?? ???
80d463f9 ?? ???
80d463fa ?? ???
80d463fb ?? ???
80d463fc ?? ???
80d463fd ?? ???
80d463fe ?? ???
80d463ff ?? ???
80d46400 ?? ???

Re: Bug check calling nt!RtlQueryEnvironmentVariable_U by Maxim

Maxim
Fri Nov 18 06:26:19 CST 2005

Not all environment values exist in the DriverEntry of the boot driver.
Possibly only SystemRoot exists, and even this is not guaranteed.

Avoid REG_EXPAND_SZ in such a path. If you need to open some files relative
to SystemRoot - use the \SystemRoot\path naming style, ZwCreateFile understands
it fine.

--
Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
maxim@storagecraft.com
http://www.storagecraft.com

"Chris January" <atomice@newsgroup.nospam> wrote in message
news:O4sKeoD7FHA.1864@TK2MSFTNGP12.phx.gbl...


Re: Bug check calling nt!RtlQueryEnvironmentVariable_U by Chris

Chris
Fri Nov 18 06:30:38 CST 2005

> Not all environment values exist in the DriverEntry of the boot driver.
> Possibly only SystemRoot exists, and even this is not guaranteed.
>
> Avoid REG_EXPAND_SZ in such a path. If you need to open some files relative
> to SystemRoot - use the \SystemRoot\path naming style, ZwCreateFile understands
> it fine.

A fair point which I have already taken into consideration but it doesn't
explain the bug check.

Chris




Re: Bug check calling nt!RtlQueryEnvironmentVariable_U by jeffm

jeffm
Tue Nov 22 14:34:34 CST 2005


Chris,

I assume it doesn't crash if you specify RTL_QUERY_REGISTRY_NOEXPAND. Can
you parse the REG_EXPAND_SZ values yourself?

[MS] Jeff McCashland
jeffm@online.microsoft.com

This posting is provided "AS IS" with no warranties, and confers no rights.


Re: Bug check calling nt!RtlQueryEnvironmentVariable_U by Chris

Chris
Wed Nov 23 05:50:14 CST 2005

"Jeff McCashland [MSFT]" <jeffm@online.microsoft.com> wrote in message
news:%23k5KqQ67FHA.832@TK2MSFTNGXA02.phx.gbl...
> Chris,
>
> I assume it doesn't crash if you specify RTL_QUERY_REGISTRY_NOEXPAND. Can
> you parse the REG_EXPAND_SZ values yourself?

It doesn't crash with RTL_QUERY_REGISTRY_NOEXPAND. I can parse the values
myself, but the whole point of using RtlQueryRegistryValues was that it
would - in theory - do the expansion for me. I don't really want to
replicate functionality that's already in the runtime. However if that
functionality is broken (which no one has confirmed yet) then parsing it
myself seems the only workaround.

Chris



Re: Bug check calling nt!RtlQueryEnvironmentVariable_U by jeffm

jeffm
Wed Nov 23 11:10:28 CST 2005


Chris,

As far as "is the functionality broken", yes and no. Drivers should not
attempt to expand or use environment variables. I'll work on getting the
DDK updated to state this. I can't say authoritatively if the code is
broken, but I would guess the most likely fix would be to return an invalid
parameter error if called by a driver that doesn't set the
RTL_QUERY_REGISTRY_NOEXPAND flag. I'll file it and let the developers work
that out.

I'd avoid using environment variables in your driver key if you can, then
you won't need the expansion. It's not safe for drivers to use
environment variables, since they're not always available or consistent
from the kernel mode point of view.

[MS] Jeff McCashland
jeffm@online.microsoft.com

This posting is provided "AS IS" with no warranties, and confers no rights.



Re: Bug check calling nt!RtlQueryEnvironmentVariable_U by Chris

Chris
Wed Nov 23 12:04:29 CST 2005

"Jeff McCashland [MSFT]" <jeffm@online.microsoft.com> wrote in message
news:Ls$RRDF8FHA.1236@TK2MSFTNGXA02.phx.gbl...
> Chris,
>
> As far as "is the functionality broken", yes and no. Drivers should not
> attempt to expand or use environment variables. I'll work on getting the
> DDK updated to state this. I can't say authoritatively if the code is
> broken, but I would guess the most likely fix would be to return an invalid
> parameter error if called by a driver that doesn't set the
> RTL_QUERY_REGISTRY_NOEXPAND flag. I'll file it and let the developers work
> that out.
>
> I'd avoid using environment variables in your driver key if you can, then
> you won't need the expansion. It's not safe for drivers to use
> environment variables, since they're not always available or consistent
> from the kernel mode point of view.

Thank you for clearing this up. I guess the environment variables will need
to be expanded from user mode by my installer instead of the driver.

Cheers,
Chris January



Re: Bug check calling nt!RtlQueryEnvironmentVariable_U by Pavel

Pavel
Thu Nov 24 15:50:00 CST 2005

"Chris January" <atomice@newsgroup.nospam> wrote in message news:elqbahF8FHA.736@TK2MSFTNGP09.phx.gbl...

> I guess the environment variables will need to be expanded from user mode by my installer instead of the driver.

And what if these variables change after installation?

--PA
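
The advice in this thread (read the value with RTL_QUERY_REGISTRY_NOEXPAND, keep environment lookups out of kernel mode, and use the \SystemRoot\path style) can be sketched as a parser that accepts only a leading %SystemRoot% and refuses every other variable. This is an added example, not code from any poster: ResolveDriverPath, COUNTED_WSTR, ResolveAscii and the PATH_* codes are hypothetical names, and it is written as portable user-mode C over constructed sample strings so it runs outside a driver.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Counted UTF-16 string modelled on UNICODE_STRING: lengths are in bytes
   and the buffer is not required to be NUL-terminated. */
typedef struct {
    uint16_t Length;
    uint16_t MaximumLength;
    uint16_t *Buffer;
} COUNTED_WSTR;

typedef enum {
    PATH_OK = 0,
    PATH_ERR_UNTERMINATED,     /* leading '%' with no closing '%'          */
    PATH_ERR_UNSUPPORTED_VAR,  /* a variable other than %SystemRoot%       */
    PATH_ERR_STRAY_PERCENT,    /* '%' after the prefix: rejected outright  */
    PATH_ERR_NOT_NT_PATH,      /* result would not start with a backslash  */
    PATH_ERR_BUFFER_TOO_SMALL
} PATH_STATUS;

static const char kVar[] = "SystemRoot";      /* the only name accepted */
static const char kPrefix[] = "\\SystemRoot"; /* object-manager symlink */

static uint16_t FoldAscii(uint16_t c) {
    return (c >= 'A' && c <= 'Z') ? (uint16_t)(c + 32) : c;
}

/* Hypothetical helper: turn a raw registry string (as returned with
   RTL_QUERY_REGISTRY_NOEXPAND) into an NT path without touching any
   environment block. Unknown variables are refused, never guessed. */
PATH_STATUS ResolveDriverPath(const COUNTED_WSTR *raw, COUNTED_WSTR *out) {
    const uint16_t *s = raw->Buffer;
    size_t n = raw->Length / sizeof(uint16_t);
    size_t start = 0, prefixLen = 0, total, i;

    while (n > 0 && s[n - 1] == 0) n--;   /* drop stored terminators */
    if (n == 0) return PATH_ERR_NOT_NT_PATH;
    if (s[0] == '%') {
        size_t close = 1;
        while (close < n && s[close] != '%') close++;
        if (close == n) return PATH_ERR_UNTERMINATED;
        if (close - 1 != sizeof(kVar) - 1) return PATH_ERR_UNSUPPORTED_VAR;
        for (i = 0; i < sizeof(kVar) - 1; i++)
            if (FoldAscii(s[1 + i]) != FoldAscii((uint16_t)kVar[i]))
                return PATH_ERR_UNSUPPORTED_VAR;
        start = close + 1;
        prefixLen = sizeof(kPrefix) - 1;
    }
    for (i = start; i < n; i++)           /* no second variable allowed */
        if (s[i] == '%') return PATH_ERR_STRAY_PERCENT;
    if (start < n && s[start] != '\\') return PATH_ERR_NOT_NT_PATH;
    total = prefixLen + (n - start);
    if (total * sizeof(uint16_t) > out->MaximumLength)
        return PATH_ERR_BUFFER_TOO_SMALL;
    for (i = 0; i < prefixLen; i++) out->Buffer[i] = (uint16_t)kPrefix[i];
    for (i = start; i < n; i++) out->Buffer[prefixLen + i - start] = s[i];
    out->Length = (uint16_t)(total * sizeof(uint16_t));
    return PATH_OK;
}

/* Demo wrapper for ASCII literals (constructed input): widens `in`, resolves
   it into a buffer of outCapChars UTF-16 units, narrows the result. */
char g_result[128];
PATH_STATUS ResolveAscii(const char *in, size_t outCapChars) {
    uint16_t src[128], dst[128];
    COUNTED_WSTR raw = { 0, (uint16_t)sizeof(src), src };
    COUNTED_WSTR out = { 0, 0, dst };
    PATH_STATUS st;
    size_t i;
    if (outCapChars > 127) outCapChars = 127;
    out.MaximumLength = (uint16_t)(outCapChars * sizeof(uint16_t));
    for (i = 0; in[i] != '\0' && i < 128; i++) src[i] = (unsigned char)in[i];
    raw.Length = (uint16_t)(i * sizeof(uint16_t));
    st = ResolveDriverPath(&raw, &out);
    g_result[0] = '\0';
    if (st == PATH_OK) {
        for (i = 0; i < out.Length / sizeof(uint16_t); i++) g_result[i] = (char)dst[i];
        g_result[i] = '\0';
    }
    return st;
}

int main(void) {
    printf("%d %s\n", ResolveAscii("%SystemRoot%\\Top", 64), g_result);
    printf("%d\n", ResolveAscii("%TEMP%\\Top", 64));   /* refused */
    return 0;
}
```

A value that is refused here should fail driver initialization with an error status rather than fall back to a guessed location.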