winsiderss / systeminformer

A free, powerful, multi-purpose tool that helps you monitor system resources, debug software and detect malware. Brought to you by Winsider Seminars & Solutions, Inc. @ http://www.windows-internals.com
https://systeminformer.sourceforge.io
MIT License

PAGE_FAULT_IN_NONPAGED_AREA BSOD #1525

Closed SteAmeR closed 1 year ago

SteAmeR commented 1 year ago

Brief description of your issue

The system crashed when I tried to search for a locked file via the System -> Find handles or DLLs menu. The exception can be found in the attached bsodissue.txt.

Steps to reproduce (optional)

Reproducing may be complex, but I think you can try with a file that is locked and used by another process while you search for its handle via "Find handles or DLLs".

Expected behavior (optional)

No response

Actual behavior (optional)

No response

Environment (optional)

No response

jxy-s commented 1 year ago

@SteAmeR would you please attach the dump file or email it to me?

SteAmeR commented 1 year ago

Find attached 120622-20265-01.zip

jxy-s commented 1 year ago

Thanks for providing the dump file.

5: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced.  This cannot be protected by try-except.
Typically the address is just plain bad or it is pointing at freed memory.
Arguments:
Arg1: ffffac0144310781, memory referenced.
Arg2: 0000000000000000, X64: bit 0 set if the fault was due to a not-present PTE.
    bit 1 is set if the fault was due to a write, clear if a read.
    bit 3 is set if the processor decided the fault was due to a corrupted PTE.
    bit 4 is set if the fault was due to attempted execute of a no-execute PTE.
    - ARM64: bit 1 is set if the fault was due to a write, clear if a read.
    bit 3 is set if the fault was due to attempted execute of a no-execute PTE.
Arg3: fffff80674b0a620, If non-zero, the instruction address which referenced the bad memory
    address.
Arg4: 0000000000000002, (reserved)

Debugging Details:
------------------

KEY_VALUES_STRING: 1

    Key  : AV.Type
    Value: Read

    Key  : Analysis.CPU.mSec
    Value: 1937

    Key  : Analysis.DebugAnalysisManager
    Value: Create

    Key  : Analysis.Elapsed.mSec
    Value: 7903

    Key  : Analysis.IO.Other.Mb
    Value: 0

    Key  : Analysis.IO.Read.Mb
    Value: 0

    Key  : Analysis.IO.Write.Mb
    Value: 0

    Key  : Analysis.Init.CPU.mSec
    Value: 218

    Key  : Analysis.Init.Elapsed.mSec
    Value: 26884

    Key  : Analysis.Memory.CommitPeak.Mb
    Value: 89

    Key  : Bugcheck.Code.DumpHeader
    Value: 0x50

    Key  : Bugcheck.Code.Register
    Value: 0x50

    Key  : WER.OS.Branch
    Value: vb_release

    Key  : WER.OS.Timestamp
    Value: 2019-12-06T14:06:00Z

    Key  : WER.OS.Version
    Value: 10.0.19041.1

FILE_IN_CAB:  120622-20265-01.dmp

BUGCHECK_CODE:  50

BUGCHECK_P1: ffffac0144310781

BUGCHECK_P2: 0

BUGCHECK_P3: fffff80674b0a620

BUGCHECK_P4: 2

READ_ADDRESS: fffff806754fb390: Unable to get MiVisibleState
Unable to get NonPagedPoolStart
Unable to get NonPagedPoolEnd
Unable to get PagedPoolStart
Unable to get PagedPoolEnd
unable to get nt!MmSpecialPagesInUse
 ffffac0144310781 

MM_INTERNAL_CODE:  2

BLACKBOXBSD: 1 (!blackboxbsd)

BLACKBOXNTFS: 1 (!blackboxntfs)

BLACKBOXPNP: 1 (!blackboxpnp)

BLACKBOXWINLOGON: 1

CUSTOMER_CRASH_COUNT:  1

PROCESS_NAME:  SystemInformer.exe

DEVICE_OBJECT: 0000000000000160

TRAP_FRAME:  fffffc813dcf7250 -- (.trap 0xfffffc813dcf7250)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=0000000000000018 rbx=0000000000000000 rcx=ffffac0144310341
rdx=0000001011aff2b0 rsi=0000000000000000 rdi=0000000000000000
rip=fffff80674b0a620 rsp=fffffc813dcf73e8 rbp=0000000000000000
 r8=00000000ffffffff  r9=7fffd388b5f74160 r10=fffff80674b0a620
r11=0000000000000000 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei ng nz na po nc
nt!PsGetProcessId:
fffff806`74b0a620 488b8140040000  mov     rax,qword ptr [rcx+440h] ds:ffffac01`44310781=????????????????
Resetting default scope

STACK_TEXT:  
fffffc81`3dcf6fa8 fffff806`74c3421d     : 00000000`00000050 ffffac01`44310781 00000000`00000000 fffffc81`3dcf7250 : nt!KeBugCheckEx
fffffc81`3dcf6fb0 fffff806`74a399e0     : 00000000`00000000 00000000`00000000 fffffc81`3dcf72d0 00000000`00000000 : nt!MiSystemFault+0x1dc80d
fffffc81`3dcf70b0 fffff806`74c08dd8     : 00000000`00000000 00000000`00000000 ffffd388`5de61c80 00000000`00000000 : nt!MmAccessFault+0x400
fffffc81`3dcf7250 fffff806`74b0a620     : fffff806`ecd5a660 00000000`0000123c 00000010`11aff2b0 ffffd388`95558320 : nt!KiPageFault+0x358
fffffc81`3dcf73e8 fffff806`ecd5a660     : 00000000`0000123c 00000010`11aff2b0 ffffd388`95558320 00000000`0000003c : nt!PsGetProcessId
fffffc81`3dcf73f0 fffff806`ecd5a76d     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : SystemInformer!KphpAlpcBasicInfo+0x48 [C:\Users\aione\source\repos\systeminformer\KSystemInformer\alpc.c @ 198] 
fffffc81`3dcf7420 fffff806`ecd5a544     : 00000000`00000000 00000010`11aff2b0 ffffac01`4120a660 00000000`00000000 : SystemInformer!KphpAlpcCommunicationInfo+0xa5 [C:\Users\aione\source\repos\systeminformer\KSystemInformer\alpc.c @ 269] 
fffffc81`3dcf7460 fffff806`ecd5e0c3     : 00000178`b530b6b0 ffffd388`f8177d40 fffff806`ecd57000 fffff806`ecd6c58c : SystemInformer!KphAlpcQueryInformation+0x28c [C:\Users\aione\source\repos\systeminformer\KSystemInformer\alpc.c @ 682] 
fffffc81`3dcf7520 fffff806`ecd5d3b5     : 00000000`00000000 00000000`00000ce0 00000000`00000000 00000000`00000000 : SystemInformer!KphpCommsAlpcQueryInformation+0x33 [C:\Users\aione\source\repos\systeminformer\KSystemInformer\comms_handlers.c @ 740] 
fffffc81`3dcf7570 fffff806`740bbc4b     : ffffd388`de65e010 00000000`00000000 00000000`00000ce0 00000000`00000000 : SystemInformer!KphpCommsMessageNotifyCallback+0x355 [C:\Users\aione\source\repos\systeminformer\KSystemInformer\comms.c @ 573] 
fffffc81`3dcf75d0 fffff806`740f1819     : ffffac01`3ef15b70 ffffac01`3ef15aa0 00000000`00000000 00000000`00000000 : FLTMGR!FltpFilterMessage+0xdb
fffffc81`3dcf7630 fffff806`740b4a40     : ffffac0f`cef86e00 00000000`00000002 00000000`00000000 ffffac01`3ef15aa0 : FLTMGR!FltpMsgDispatch+0x179
fffffc81`3dcf76a0 fffff806`74a2a6b5     : ffffac01`3ef15aa0 fffffc81`3dcf7a80 ffffac01`3ef15ac0 00000000`00000ce0 : FLTMGR!FltpDispatch+0xe0
fffffc81`3dcf7700 fffff806`74e194c8     : ffffac01`3ef15aa0 00000000`00000000 00000000`00000000 fffff806`00000000 : nt!IofCallDriver+0x55
fffffc81`3dcf7740 fffff806`74e192c7     : 00000000`00000160 00000000`00000000 00000000`00000000 fffffc81`3dcf7a80 : nt!IopSynchronousServiceTail+0x1a8
fffffc81`3dcf77e0 fffff806`74e18646     : ffffd388`5dedec20 00000000`00000000 00000000`00000000 00000000`00000000 : nt!IopXxxControlFile+0xc67
fffffc81`3dcf7920 fffff806`74c0caf5     : 00000000`00000ae0 00000010`11aff760 00000000`00000000 00000000`00000000 : nt!NtDeviceIoControlFile+0x56
fffffc81`3dcf7990 00007ff9`d858d1a4     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x25
00000010`11afefa8 00000000`00000000     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x00007ff9`d858d1a4

FAULTING_SOURCE_LINE:  C:\Users\aione\source\repos\systeminformer\KSystemInformer\alpc.c

FAULTING_SOURCE_FILE:  C:\Users\aione\source\repos\systeminformer\KSystemInformer\alpc.c

FAULTING_SOURCE_LINE_NUMBER:  198

FAULTING_SOURCE_CODE:  
No source found for 'C:\Users\aione\source\repos\systeminformer\KSystemInformer\alpc.c'

SYMBOL_NAME:  SystemInformer!KphpAlpcBasicInfo+48

MODULE_NAME: SystemInformer

IMAGE_NAME:  SystemInformer.sys

IMAGE_VERSION:  3.2.0.0

STACK_COMMAND:  .cxr; .ecxr ; kb

BUCKET_ID_FUNC_OFFSET:  48

FAILURE_BUCKET_ID:  AV_R_(null)_SystemInformer!KphpAlpcBasicInfo

OS_VERSION:  10.0.19041.1

BUILDLAB_STR:  vb_release

OSPLATFORM_TYPE:  x64

OSNAME:  Windows 10

FAILURE_ID_HASH:  {7df7ad47-ea2a-bd28-2ac1-1219db200c24}

Followup:     MachineOwner
---------

The dump file does not contain sufficient information to get complete insight into the state of the machine. Certain information is not resident. A complete memory dump would be required to get complete context. That said, there is some insight we can gather. The ALPC port being queried is a client to a communication port:

5: kd> dx (nt!_ALPC_PORT*)0xffffac0f`f14e7dd0
(nt!_ALPC_PORT*)0xffffac0f`f14e7dd0                 : 0xffffac0ff14e7dd0 [Type: _ALPC_PORT *]
    [+0x000] PortListEntry    [Type: _LIST_ENTRY]
    [+0x010] CommunicationInfo : 0xffffd388b5f74130 [Type: _ALPC_COMMUNICATION_INFO *]
    [+0x018] OwnerProcess     : 0xffffac0ff3936240 [Type: _EPROCESS *]
    [+0x020] CompletionPort   : 0xffffac0ff2ac2680 [Type: void *]
    [+0x028] CompletionKey    : 0x1c8a30f8990 [Type: void *]
    [+0x030] CompletionPacketLookaside : 0xffffac0131a7cef0 [Type: _ALPC_COMPLETION_PACKET_LOOKASIDE *]
    [+0x038] PortContext      : 0x123c [Type: void *]
    [+0x040] StaticSecurity   [Type: _SECURITY_CLIENT_CONTEXT]
    [+0x088] IncomingQueueLock [Type: _EX_PUSH_LOCK]
    [+0x090] MainQueue        [Type: _LIST_ENTRY]
    [+0x0a0] LargeMessageQueue [Type: _LIST_ENTRY]
    [+0x0b0] PendingQueueLock [Type: _EX_PUSH_LOCK]
    [+0x0b8] PendingQueue     [Type: _LIST_ENTRY]
    [+0x0c8] DirectQueueLock  [Type: _EX_PUSH_LOCK]
    [+0x0d0] DirectQueue      [Type: _LIST_ENTRY]
    [+0x0e0] WaitQueueLock    [Type: _EX_PUSH_LOCK]
    [+0x0e8] WaitQueue        [Type: _LIST_ENTRY]
    [+0x0f8] Semaphore        : 0xffffac0fcc0723c0 [Type: _KSEMAPHORE *]
    [+0x0f8] DummyEvent       : 0xffffac0fcc0723c0 [Type: _KEVENT *]
    [+0x100] PortAttributes   [Type: _ALPC_PORT_ATTRIBUTES]
    [+0x148] ResourceListLock [Type: _EX_PUSH_LOCK]
    [+0x150] ResourceListHead [Type: _LIST_ENTRY]
    [+0x160] PortObjectLock   [Type: _EX_PUSH_LOCK]
    [+0x168] CompletionList   : 0x0 [Type: _ALPC_COMPLETION_LIST *]
    [+0x170] CallbackObject   : 0x0 [Type: _CALLBACK_OBJECT *]
    [+0x178] CallbackContext  : 0x0 [Type: void *]
    [+0x180] CanceledQueue    [Type: _LIST_ENTRY]
    [+0x190] SequenceNo       : 23 [Type: long]
    [+0x194] ReferenceNo      : 0 [Type: long]
    [+0x198] ReferenceNoWait  : 0x0 [Type: _PALPC_PORT_REFERENCE_WAIT_BLOCK *]
    [+0x1a0] u1               [Type: <anonymous-tag>]
    [+0x1a8] TargetQueuePort  : 0x0 [Type: _ALPC_PORT *]
    [+0x1b0] TargetSequencePort : 0x0 [Type: _ALPC_PORT *]
    [+0x1b8] CachedMessage    : 0x0 [Type: _KALPC_MESSAGE *]
    [+0x1c0] MainQueueLength  : 0x0 [Type: unsigned long]
    [+0x1c4] LargeMessageQueueLength : 0x0 [Type: unsigned long]
    [+0x1c8] PendingQueueLength : 0x0 [Type: unsigned long]
    [+0x1cc] DirectQueueLength : 0x0 [Type: unsigned long]
    [+0x1d0] CanceledQueueLength : 0x0 [Type: unsigned long]
    [+0x1d4] WaitQueueLength  : 0x0 [Type: unsigned long]
5: kd> dx -r1 ((ntkrnlmp!_ALPC_COMMUNICATION_INFO *)0xffffd388b5f74130)
((ntkrnlmp!_ALPC_COMMUNICATION_INFO *)0xffffd388b5f74130)                 : 0xffffd388b5f74130 [Type: _ALPC_COMMUNICATION_INFO *]
    [+0x000] ConnectionPort   : 0xffffac014120a660 [Type: _ALPC_PORT *]
    [+0x008] ServerCommunicationPort : 0x0 [Type: _ALPC_PORT *]
    [+0x010] ClientCommunicationPort : 0xffffac0ff14e7dd0 [Type: _ALPC_PORT *]
    [+0x018] CommunicationList [Type: _LIST_ENTRY]
    [+0x028] HandleTable      [Type: _ALPC_HANDLE_TABLE]
    [+0x048] CloseMessage     : 0x0 [Type: _KALPC_MESSAGE *]

The client port looks completely valid; however, the connection port looks off. And it is reaching into the connection port where the crash occurs:

5: kd> .frame 0n5;dv /t /v
05 fffffc81`3dcf73f0 fffff806`ecd5a76d     SystemInformer!KphpAlpcBasicInfo+0x48 [C:\Users\aione\source\repos\systeminformer\KSystemInformer\alpc.c @ 198] 
@rdi              void * Port = 0xffffac01`4120a660
@rbx              struct _KPH_ALPC_BASIC_INFORMATION * Info = 0x00000010`11aff2b0
<unavailable>     struct _KPROCESS * process = <value unavailable>

5: kd> dx -r1 ((ntkrnlmp!_ALPC_PORT *)0xffffac014120a660)
((ntkrnlmp!_ALPC_PORT *)0xffffac014120a660)                 : 0xffffac014120a660 [Type: _ALPC_PORT *]
    [+0x000] PortListEntry    [Type: _LIST_ENTRY]
    [+0x010] CommunicationInfo : 0xffffd388b5f73f80 [Type: _ALPC_COMMUNICATION_INFO *]
    [+0x018] OwnerProcess     : 0xffffac0144310341 [Type: _EPROCESS *]
    [+0x020] CompletionPort   : 0xffffac012feae840 [Type: void *]
    [+0x028] CompletionKey    : 0x263c0c8a310 [Type: void *]
    [+0x030] CompletionPacketLookaside : 0xffffac011b4fb780 [Type: _ALPC_COMPLETION_PACKET_LOOKASIDE *]
    [+0x038] PortContext      : 0x0 [Type: void *]
    [+0x040] StaticSecurity   [Type: _SECURITY_CLIENT_CONTEXT]
    [+0x088] IncomingQueueLock [Type: _EX_PUSH_LOCK]
    [+0x090] MainQueue        [Type: _LIST_ENTRY]
    [+0x0a0] LargeMessageQueue [Type: _LIST_ENTRY]
    [+0x0b0] PendingQueueLock [Type: _EX_PUSH_LOCK]
    [+0x0b8] PendingQueue     [Type: _LIST_ENTRY]
    [+0x0c8] DirectQueueLock  [Type: _EX_PUSH_LOCK]
    [+0x0d0] DirectQueue      [Type: _LIST_ENTRY]
    [+0x0e0] WaitQueueLock    [Type: _EX_PUSH_LOCK]
    [+0x0e8] WaitQueue        [Type: _LIST_ENTRY]
    [+0x0f8] Semaphore        : 0xffffac0fcc0723c0 [Type: _KSEMAPHORE *]
    [+0x0f8] DummyEvent       : 0xffffac0fcc0723c0 [Type: _KEVENT *]
    [+0x100] PortAttributes   [Type: _ALPC_PORT_ATTRIBUTES]
    [+0x148] ResourceListLock [Type: _EX_PUSH_LOCK]
    [+0x150] ResourceListHead [Type: _LIST_ENTRY]
    [+0x160] PortObjectLock   [Type: _EX_PUSH_LOCK]
    [+0x168] CompletionList   : 0x0 [Type: _ALPC_COMPLETION_LIST *]
    [+0x170] CallbackObject   : 0x0 [Type: _CALLBACK_OBJECT *]
    [+0x178] CallbackContext  : 0x0 [Type: void *]
    [+0x180] CanceledQueue    [Type: _LIST_ENTRY]
    [+0x190] SequenceNo       : 9 [Type: long]
    [+0x194] ReferenceNo      : 48 [Type: long]
    [+0x198] ReferenceNoWait  : 0x0 [Type: _PALPC_PORT_REFERENCE_WAIT_BLOCK *]
    [+0x1a0] u1               [Type: <anonymous-tag>]
    [+0x1a8] TargetQueuePort  : 0x0 [Type: _ALPC_PORT *]
    [+0x1b0] TargetSequencePort : 0x0 [Type: _ALPC_PORT *]
    [+0x1b8] CachedMessage    : 0x0 [Type: _KALPC_MESSAGE *]
    [+0x1c0] MainQueueLength  : 0x0 [Type: unsigned long]
    [+0x1c4] LargeMessageQueueLength : 0x0 [Type: unsigned long]
    [+0x1c8] PendingQueueLength : 0x0 [Type: unsigned long]
    [+0x1cc] DirectQueueLength : 0x0 [Type: unsigned long]
    [+0x1d0] CanceledQueueLength : 0x0 [Type: unsigned long]
    [+0x1d4] WaitQueueLength  : 0x0 [Type: unsigned long]

The EPROCESS pointer in the connection port looks wrong (which is likely the ultimate cause of the crash), as does the communication info pointer. But there are portions of the connection port that look accurate.

5: kd> dx -r1 (*((ntkrnlmp!_ALPC_PORT *)0xffffac014120a660)).u1.s1
(*((ntkrnlmp!_ALPC_PORT *)0xffffac014120a660)).u1.s1                 [Type: <anonymous-tag>]
    [+0x000 ( 0: 0)] Initialized      : 0x1 [Type: unsigned long]
    [+0x000 ( 2: 1)] Type             : 0x1 [Type: unsigned long]
    [+0x000 ( 3: 3)] ConnectionPending : 0x0 [Type: unsigned long]
    [+0x000 ( 4: 4)] ConnectionRefused : 0x0 [Type: unsigned long]
    [+0x000 ( 5: 5)] Disconnected     : 0x1 [Type: unsigned long]
    [+0x000 ( 6: 6)] Closed           : 0x1 [Type: unsigned long]
    [+0x000 ( 7: 7)] NoFlushOnClose   : 0x0 [Type: unsigned long]
    [+0x000 ( 8: 8)] ReturnExtendedInfo : 0x0 [Type: unsigned long]
    [+0x000 ( 9: 9)] Waitable         : 0x0 [Type: unsigned long]
    [+0x000 (10:10)] DynamicSecurity  : 0x0 [Type: unsigned long]
    [+0x000 (11:11)] Wow64CompletionList : 0x0 [Type: unsigned long]
    [+0x000 (12:12)] Lpc              : 0x0 [Type: unsigned long]
    [+0x000 (13:13)] LpcToLpc         : 0x0 [Type: unsigned long]
    [+0x000 (14:14)] HasCompletionList : 0x0 [Type: unsigned long]
    [+0x000 (15:15)] HadCompletionList : 0x0 [Type: unsigned long]
    [+0x000 (16:16)] EnableCompletionList : 0x0 [Type: unsigned long]

Note the flags indicating Closed and Disconnected. So, I expect in this scenario the ALPC connection port process died (or destroyed the port) before the client did, possibly resulting in the connection information releasing most of the state associated with the connection port, keeping around only minimal state. But it's hard to say at this point since I'm not yet confident that the information in the "destroyed" ALPC connection port can be trusted.

The fix could be as simple as checking the state for the target ALPC port, and if it is Closed, not attempting to reach in for more data. However, I am speculating a bit; I'd like to be able to reproduce the state here to confirm. It will take me some time to write a test to verify this is the appropriate fix.

SteAmeR commented 1 year ago

Hi @jxy-s ,

Thanks for your efforts. I set my environment to get a full memory dump when it crashes. I'll take a deep look at the case in light of your analysis information.

jxy-s commented 1 year ago

Further investigation indicates that the OS uses the first bit of the EPROCESS OwnerProcess to determine if the EPROCESS is valid.

NTSTATUS __fastcall AlpcpPortQueryServerSessionInfo(
        _ALPC_PORT *AlpcObject,
        PVOID PortInformation,
        ULONG Length,
        PULONG ReturnLength)
{
    _ALPC_PORT *port; // rax MAPDST
    _EX_PUSH_LOCK *portObjectLock; // rdi
    _EPROCESS *ownerProcess; // rbx
    ULONG uniqueProcessId; // edi
    ULONG sessionId; // esi
    NTSTATUS result; // eax

    if ( !AlpcObject )
        return 0xC000000D;
    port = AlpcpReferenceConnectedPort(AlpcObject);
    if ( !port )
        return 0xC000000D;
    portObjectLock = &port->PortObjectLock;
    ExAcquirePushLockSharedEx(&port->PortObjectLock, 0);
    ownerProcess = 0i64;
    if ( (port->OwnerProcess & 1) == 0 )
        ownerProcess = port->OwnerProcess;
    if ( ownerProcess )
        ObfReferenceObjectWithTag(ownerProcess, 'cplA');
    if ( _InterlockedCompareExchange64(portObjectLock, 0i64, 17i64) != 17 )
        ExfReleasePushLockShared(portObjectLock);
    KeAbPostRelease(portObjectLock);
    ObfDereferenceObject(port);
    if ( !ownerProcess )
        return 0xC000000D;
    uniqueProcessId = ownerProcess->UniqueProcessId;
    sessionId = MmGetSessionIdEx(ownerProcess);
    ObfDereferenceObjectWithTag(ownerProcess, 'cplA');
    result = Length < 8 ? 0xC0000004 : 0;
    if ( Length >= 8 )
    {
        *PortInformation = sessionId;
        *(PortInformation + 1) = uniqueProcessId;
    }
    if ( ReturnLength )
        *ReturnLength = 8;
    return result;
}
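To make the low-bit convention described above concrete, here is an added example in C; it is not code from System Informer, from the kernel, or from anyone in this thread. The SIM_* structures and sim_* functions are constructed stand-ins for _ALPC_PORT and _EPROCESS, and the teardown model (the pointer is kept but tagged in bit 0 rather than cleared) is an assumption drawn from the decompilation, not the real layouts or the real OS code path. Only the bit-0 convention and the register values from the dump (rcx=...0341, fault at rcx+440h) come from the thread. The unchecked query mirrors the pre-fix read and the checked query the fix:

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Constructed stand-ins for the kernel structures discussed in this issue.
 * These are NOT the real _EPROCESS / _ALPC_PORT layouts; they only model the
 * one relationship the analysis relies on: the port's OwnerProcess pointer,
 * whose low bit the OS sets once the owner is no longer valid.
 */
typedef struct SIM_EPROCESS {
    uint64_t UniqueProcessId;
} SIM_EPROCESS;

typedef struct SIM_ALPC_PORT {
    SIM_EPROCESS *OwnerProcess;   /* bit 0 set  =>  do not dereference */
} SIM_ALPC_PORT;

/* Hypothetical model of the owner going away: the pointer is kept but
 * tagged in its low bit instead of being cleared (as the reverse
 * engineering in this thread suggests). The object behind it must then be
 * treated as gone. */
static void sim_owner_teardown(SIM_ALPC_PORT *port)
{
    port->OwnerProcess = (SIM_EPROCESS *)((uintptr_t)port->OwnerProcess | 1u);
}

/* Is the OwnerProcess pointer tagged as invalid? */
int sim_owner_is_tagged(const SIM_ALPC_PORT *port)
{
    return ((uintptr_t)port->OwnerProcess & 1u) != 0;
}

/* Pre-fix behaviour (the '-' side of the patch): any non-NULL pointer is
 * dereferenced. On a tagged pointer this would read UniqueProcessId from
 * (tagged address + field offset), an odd and possibly freed address; in
 * the kernel that is the PAGE_FAULT_IN_NONPAGED_AREA seen above. It is
 * therefore only ever called here on a port whose owner is valid. */
uint64_t sim_owner_pid_unchecked(const SIM_ALPC_PORT *port)
{
    return port->OwnerProcess ? port->OwnerProcess->UniqueProcessId : 0;
}

/* Post-fix behaviour (the '+' side of the patch): dereference only when
 * the pointer is non-NULL and its low bit is clear; otherwise leave the
 * PID at 0, just as the patch leaves the zeroed Info untouched. */
uint64_t sim_owner_pid_checked(const SIM_ALPC_PORT *port)
{
    SIM_EPROCESS *p = port->OwnerProcess;
    if (p == NULL || ((uintptr_t)p & 1u) != 0)
        return 0;
    return p->UniqueProcessId;
}

/* Constructed scenario: a port owned by a process with PID 1234. If
 * tear_down is nonzero, the owner is torn down before the port is queried.
 * Returns what the checked query reports. */
uint64_t sim_query_scenario(int tear_down)
{
    SIM_EPROCESS proc = { 1234 };
    SIM_ALPC_PORT port = { &proc };   /* local struct: 8-byte aligned, bit 0 clear */
    if (tear_down)
        sim_owner_teardown(&port);
    return sim_owner_pid_checked(&port);
}

/* Same scenario, reporting whether the pointer ended up tagged. */
int sim_tag_scenario(int tear_down)
{
    SIM_EPROCESS proc = { 1234 };
    SIM_ALPC_PORT port = { &proc };
    if (tear_down)
        sim_owner_teardown(&port);
    return sim_owner_is_tagged(&port);
}

/* The address arithmetic from the dump: rcx held the tagged pointer
 * 0xffffac0144310341 and PsGetProcessId read [rcx+440h], so the faulting
 * address is the odd value 0xffffac0144310781 reported as Arg1. */
uint64_t sim_fault_address(uint64_t tagged_owner, uint64_t field_offset)
{
    return tagged_owner + field_offset;
}

int main(void)
{
    SIM_EPROCESS proc = { 1234 };
    SIM_ALPC_PORT live = { &proc };
    printf("valid owner (unchecked read): pid=%llu\n",
           (unsigned long long)sim_owner_pid_unchecked(&live));
    printf("valid owner (checked read):   pid=%llu tagged=%d\n",
           (unsigned long long)sim_query_scenario(0), sim_tag_scenario(0));
    printf("torn-down owner (checked):    pid=%llu tagged=%d\n",
           (unsigned long long)sim_query_scenario(1), sim_tag_scenario(1));
    printf("fault address from the dump:  0x%llx\n",
           (unsigned long long)sim_fault_address(0xffffac0144310341ULL, 0x440));
    return 0;
}
```

The point of the checked variant is that a pointer with bit 0 set is never a valid object address on x64 (objects are at least 8-byte aligned), so the tag can be tested without touching the memory it points at; the real fix additionally holds the port's PortObjectLock while reading the field so the tag and the pointer are observed consistently.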

jxy-s commented 1 year ago

Per the reverse engineering above, the following patch should address this:

➜ git diff
diff --git a/KSystemInformer/alpc.c b/KSystemInformer/alpc.c
index 6a42c5240..1ba65cad2 100644
--- a/KSystemInformer/alpc.c
+++ b/KSystemInformer/alpc.c
@@ -182,22 +182,36 @@ NTSTATUS KphpAlpcBasicInfo(
     )
 {
     PEPROCESS process;
+    PVOID portObjectLock;

     PAGED_PASSIVE();

     RtlZeroMemory(Info, sizeof(*Info));

-    if (KphDynAlpcOwnerProcess == ULONG_MAX)
+    if ((KphDynAlpcOwnerProcess == ULONG_MAX) ||
+        (KphDynAlpcPortObjectLock == ULONG_MAX))
     {
         return STATUS_NOINTERFACE;
     }

+    //
+    // The OS uses the first bit of the OwnerProcess to denote if it is valid,
+    // if the first bit of the OwnerProcess is set is it invalid. Checking the
+    // bit should be done under the PortObjectLock.
+    // See: ntoskrnl!AlpcpPortQueryServerSessionInfo
+    //
+
+    portObjectLock = Add2Ptr(Port, KphDynAlpcPortObjectLock);
+    FltAcquirePushLockShared(portObjectLock);
+
     process = *(PEPROCESS*)Add2Ptr(Port, KphDynAlpcOwnerProcess);
-    if (process)
+    if (process && (((ULONG_PTR)process & 1) == 0))
     {
         Info->OwnerProcessId = PsGetProcessId(process);
     }

+    FltReleasePushLock(portObjectLock);
+
     if ((KphDynAlpcAttributes != ULONG_MAX) &&
         (KphDynAlpcAttributesFlags != ULONG_MAX))
     {
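Review bot: the added comment reads "if the first bit of the OwnerProcess is set is it invalid"; it should say "it is invalid". On the locking: the decompiled AlpcpPortQueryServerSessionInfo in the previous comment takes an object reference on OwnerProcess while holding PortObjectLock and only uses the process after the lock is released, whereas this hunk calls PsGetProcessId(process) while still holding the shared lock. That is acceptable for a single field read, but if anything more is ever done with process after FltReleasePushLock, it needs to be referenced under the lock the same way the OS does. The early STATUS_NOINTERFACE return when KphDynAlpcPortObjectLock is ULONG_MAX correctly prevents acquiring a lock at an unknown offset.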

This will include changes to the dynamic data structure which will increment the revision of the dynamic data blob. I have another branch going to address another issue in that area. This patch will have to wait until after those other changes go in.

ge0rdi commented 1 year ago

I've just encountered the same BSOD on Win11 21H2. I was searching for DLLs and the stack matches (well, at least the system part, as I don't have symbols for the driver).

I'd really appreciate a fixed driver. Hopefully it will happen soon :)

SolarTheory commented 1 year ago

I also just encountered two similar BSOD errors within the last 24 hours. I don't recall what I was doing when the first BSOD occurred, but for the second one, which just occurred, I was also searching for the process locking a file (System -> Find Handles or DLLs) when it occurred.

Both memory dumps I ran through WinDbg seem to indicate the bugcheck error was triggered by systeminformer.exe / systemInformer.sys? I don't understand the output, but System Informer is being referenced.

Here is the WinDbg analysis from the first BSOD: Mini Dump-01-03-23_12-58-AM.zip

Microsoft (R) Windows Debugger Version 10.0.19041.685 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.

Loading Dump File [E:\ScratchTemp\DebugDiag 2-Debug Diagnostic Tool-Output Directory\Crash Dumps\MEMORY-01-03-23_12-58-AM.DMP]
Kernel Bitmap Dump File: Kernel address space is available, User address space may not be available.

***** Path validation summary **
Response                         Time (ms)     Location
OK                                             C:\Symbols
Symbol search path is: C:\Symbols
Executable search path is: 
Windows 10 Kernel Version 19041 MP (12 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 19041.1.amd64fre.vb_release.191206-1406
Machine Name:
Kernel base = 0xfffff80244a00000 PsLoadedModuleList = 0xfffff8024562a290
Debug session time: Tue Jan  3 00:51:15.638 2023 (UTC - 5:00)
System Uptime: 0 days 9:00:19.281
Loading Kernel Symbols
...............................................................
................................................................
................................................................
....................Page 283f35 not present in the dump file. Type ".hh dbgerr004" for details
............................................
.......................................
Loading User Symbols
PEB is paged out (Peb.Ldr = 0000003c`7f0b2018). Type ".hh dbgerr001" for details
Loading unloaded module list
..................................................
For analysis of this file, run !analyze -v
0: kd> !analyze -v


PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced.  This cannot be protected by try-except.
Typically the address is just plain bad or it is pointing at freed memory.
Arguments:
Arg1: ffffa602762e24c1, memory referenced.
Arg2: 0000000000000000, value 0 = read operation, 1 = write operation.
Arg3: fffff80244d0a680, If non-zero, the instruction address which referenced the bad memory
    address.
Arg4: 0000000000000002, (reserved)

Debugging Details:

Page 283f35 not present in the dump file. Type ".hh dbgerr004" for details
Page 190e5f not present in the dump file. Type ".hh dbgerr004" for details
Page 283f35 not present in the dump file. Type ".hh dbgerr004" for details

KEY_VALUES_STRING: 1

Key  : Analysis.CPU.Sec
Value: 4

Key  : Analysis.DebugAnalysisProvider.CPP
Value: Create: 8007007e on SPECTREI7

Key  : Analysis.DebugData
Value: CreateObject

Key  : Analysis.DebugModel
Value: CreateObject

Key  : Analysis.Elapsed.Sec
Value: 4

Key  : Analysis.Memory.CommitPeak.Mb
Value: 86

Key  : Analysis.System
Value: CreateObject

BUGCHECK_CODE: 50

BUGCHECK_P1: ffffa602762e24c1

BUGCHECK_P2: 0

BUGCHECK_P3: fffff80244d0a680

BUGCHECK_P4: 2

READ_ADDRESS: ffffa602762e24c1 Nonpaged pool

MM_INTERNAL_CODE: 2

BLACKBOXBSD: 1 (!blackboxbsd)

BLACKBOXNTFS: 1 (!blackboxntfs)

BLACKBOXPNP: 1 (!blackboxpnp)

BLACKBOXWINLOGON: 1

PROCESS_NAME: SystemInformer.exe

DEVICE_OBJECT: 00000000000001a8

TRAP_FRAME:  fffff48f2b487290 -- (.trap 0xfffff48f2b487290)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=0000000000000018 rbx=0000000000000000 rcx=ffffa602762e2081
rdx=0000003c00eff3d0 rsi=0000000000000000 rdi=0000000000000000
rip=fffff80244d0a680 rsp=fffff48f2b487428 rbp=0000000000000000
 r8=00000000ffffffff  r9=7fffbc8ada3d11f0 r10=fffff80244d0a680
r11=0000000000000000 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei ng nz na po nc
nt!PsGetProcessId:
fffff80244d0a680 488b8140040000  mov     rax,qword ptr [rcx+440h] ds:ffffa602762e24c1=????????????????
Resetting default scope

STACK_TEXT:  
fffff48f2b486fe8 fffff80244e3421d : 0000000000000050 ffffa602762e24c1 0000000000000000 fffff48f2b487290 : nt!KeBugCheckEx
fffff48f2b486ff0 fffff80244c39a40 : 0000000000000000 0000000000000000 fffff48f2b487310 0000000000000000 : nt!MiSystemFault+0x1dc7ad
fffff48f2b4870f0 fffff80244e08dd8 : 0000000000000000 0000000000000000 ffffbc8a00000000 0000000000000000 : nt!MmAccessFault+0x400
fffff48f2b487290 fffff80244d0a680 : fffff8027e4ea660 0000000000001c18 0000003c00eff3d0 ffffbc8b084ebce0 : nt!KiPageFault+0x358
fffff48f2b487428 fffff8027e4ea660 : 0000000000001c18 0000003c00eff3d0 ffffbc8b084ebce0 000000000000003c : nt!PsGetProcessId
fffff48f2b487430 fffff8027e4ea76d : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : SystemInformer+0xa660
fffff48f2b487460 fffff8027e4ea544 : 0000000000000000 0000003c00eff3d0 ffffa6026b608aa0 0000000000000000 : SystemInformer+0xa76d
fffff48f2b4874a0 fffff8027e4ee0c3 : 000001f9b44107d0 ffffbc8abc668140 fffff8027e4e7000 fffff8027e4fc58c : SystemInformer+0xa544
fffff48f2b487560 fffff8027e4ed3b5 : 0000000000000000 0000000000000ce0 0000000000000000 0000000000000000 : SystemInformer+0xe0c3
fffff48f2b4875b0 fffff8024872bc4b : ffffbc8ac3ac9010 0000000000000000 0000000000000ce0 0000000000000000 : SystemInformer+0xd3b5
fffff48f2b487610 fffff80248761819 : ffffa60275d05c20 ffffa60275d05b50 0000000000000000 0000000000000000 : FLTMGR!FltpFilterMessage+0xdb
fffff48f2b487670 fffff80248724a40 : ffffa6024345a740 0000000000000002 0000000000000000 ffffa60275d05b50 : FLTMGR!FltpMsgDispatch+0x179
fffff48f2b4876e0 fffff80244c2a715 : ffffa60275d05b50 0000000000000000 fffff48f2b487ac0 0000000000000ce0 : FLTMGR!FltpDispatch+0xe0
fffff48f2b487740 fffff802450195c8 : ffffa60275d05b50 0000000000000000 0000000000000000 0000000000000000 : nt!IofCallDriver+0x55
fffff48f2b487780 fffff802450193c7 : 00000000000001a8 0000000000000000 0000000000000000 fffff48f2b487ac0 : nt!IopSynchronousServiceTail+0x1a8
fffff48f2b487820 fffff80245018746 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : nt!IopXxxControlFile+0xc67
fffff48f2b487960 fffff80244e0caf5 : 00000000000007cc 0000000000001c00 0000000000000102 ffffa6026b02d340 : nt!NtDeviceIoControlFile+0x56
fffff48f2b4879d0 00007ffc23fed1a4 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : nt!KiSystemServiceCopyEnd+0x25
0000003c00eff038 0000000000000000 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : 0x00007ffc`23fed1a4

SYMBOL_NAME: SystemInformer+a660

MODULE_NAME: SystemInformer

IMAGE_NAME: SystemInformer.sys

STACK_COMMAND: .thread ; .cxr ; kb

BUCKET_ID_FUNC_OFFSET: a660

FAILURE_BUCKET_ID: AV_R_INVALID_SystemInformer!unknown_function

OS_VERSION: 10.0.19041.1

BUILDLAB_STR: vb_release

OSPLATFORM_TYPE: x64

OSNAME: Windows 10

FAILURE_ID_HASH: {3c22572d-d4b5-9512-6a6d-dc82a77e1bd8}

Followup: MachineOwner

Here is the analysis from the 2nd BSOD that just occurred: Mini Dump-01-03-23_9-18-PM.zip

Microsoft (R) Windows Debugger Version 10.0.19041.685 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.

Loading Dump File [E:\ScratchTemp\DebugDiag 2-Debug Diagnostic Tool-Output Directory\Crash Dumps\MEMORY-01-03-23_9-18-PM.DMP]
Kernel Bitmap Dump File: Kernel address space is available, User address space may not be available.

***** Path validation summary **
Response                         Time (ms)     Location
OK                                             C:\Symbols
Symbol search path is: C:\Symbols
Executable search path is: 
Windows 10 Kernel Version 19041 MP (12 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 19041.1.amd64fre.vb_release.191206-1406
Machine Name:
Kernel base = 0xfffff80576600000 PsLoadedModuleList = 0xfffff8057722a290
Debug session time: Tue Jan  3 21:13:46.942 2023 (UTC - 5:00)
System Uptime: 0 days 20:15:40.468
Loading Kernel Symbols
...............................................................
................................................................
................................................................
................................................................
...................................
Loading User Symbols
PEB is paged out (Peb.Ldr = 00000090`368fb018). Type ".hh dbgerr001" for details
Loading unloaded module list
..................................................
For analysis of this file, run !analyze -v
2: kd> !analyze -v


SYSTEM_SERVICE_EXCEPTION (3b)
An exception happened while executing a system service routine.
Arguments:
Arg1: 00000000c0000005, Exception code that caused the bugcheck
Arg2: fffff8061e426806, Address of the instruction which caused the bugcheck
Arg3: fffff38538046630, Address of the context record for the exception that caused the bugcheck
Arg4: 0000000000000000, zero.

Debugging Details:

KEY_VALUES_STRING: 1

Key  : Analysis.CPU.Sec
Value: 2

Key  : Analysis.DebugAnalysisProvider.CPP
Value: Create: 8007007e on SPECTREI7

Key  : Analysis.DebugData
Value: CreateObject

Key  : Analysis.DebugModel
Value: CreateObject

Key  : Analysis.Elapsed.Sec
Value: 2

Key  : Analysis.Memory.CommitPeak.Mb
Value: 84

Key  : Analysis.System
Value: CreateObject

BUGCHECK_CODE: 3b

BUGCHECK_P1: c0000005

BUGCHECK_P2: fffff8061e426806

BUGCHECK_P3: fffff38538046630

BUGCHECK_P4: 0

CONTEXT:  fffff38538046630 -- (.cxr 0xfffff38538046630)
rax=0020006d00610072 rbx=0000000000000000 rcx=0020006d00610072
rdx=00000000746c6644 rsi=ffffc5823636a290 rdi=000000000000002c
rip=fffff8061e426806 rsp=fffff38538047030 rbp=ffffd58321d56d8c
 r8=00000000ffffffff  r9=7fffd582cd23faa0 r10=7ffffffffffffffc
r11=0069007600650044 r12=fffff38538047398 r13=0000000000000210
r14=ffffd58321d56d60 r15=000000000000007a
iopl=0         nv up ei pl nz na po nc
cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00050206
SystemInformer+0x16806:
fffff8061e426806 0fb74158        movzx   eax,word ptr [rcx+58h] ds:002b:0020006d006100ca=????
Resetting default scope

BLACKBOXBSD: 1 (!blackboxbsd)

BLACKBOXNTFS: 1 (!blackboxntfs)

BLACKBOXPNP: 1 (!blackboxpnp)

BLACKBOXWINLOGON: 1

PROCESS_NAME: SystemInformer.exe

DEVICE_OBJECT: 00000000000001b0

STACK_TEXT:  
fffff38538047030 fffff8061e4261bd : ffffc5823636a290 0000000000000000 0000000000000210 fffff80576fb5094 : SystemInformer+0x16806
fffff385380470b0 fffff8061e426235 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : SystemInformer+0x161bd
fffff38538047120 fffff8061e4255b7 : 0000000000000000 0000000000000000 ffffd58321d56d60 0000000000000000 : SystemInformer+0x16235
fffff38538047150 fffff8061e41df03 : 0000025daf4107d0 ffffd582faad8b90 ffffd582d5724050 fffff8061e42c587 : SystemInformer+0x155b7
fffff38538047560 fffff8061e41d3b5 : 0000000000000000 0000000000000ce0 0000000000000000 0000000000000000 : SystemInformer+0xdf03
fffff385380475b0 fffff8057992bc4b : ffffd582d5724050 0000000000000000 ffffc58200000ce0 ffffc5822b4fb620 : SystemInformer+0xd3b5
fffff38538047610 fffff80579961819 : ffffc5822b4fb620 ffffc5822b4fb550 0000000000000000 fffff80576be7e39 : FLTMGR!FltpFilterMessage+0xdb
fffff38538047670 fffff80579924a40 : ffffc58206f03290 0000000000000002 0000000000000000 ffffc5822b4fb550 : FLTMGR!FltpMsgDispatch+0x179
fffff385380476e0 fffff8057682a715 : ffffc5822b4fb550 0000000000000000 fffff38538047ac0 0000000000000ce0 : FLTMGR!FltpDispatch+0xe0
fffff38538047740 fffff80576c195c8 : ffffc5822b4fb550 0000000000000000 0000000000000000 0000000000000000 : nt!IofCallDriver+0x55
fffff38538047780 fffff80576c193c7 : 00000000000001b0 0000000000000000 0000000000000000 fffff38538047ac0 : nt!IopSynchronousServiceTail+0x1a8
fffff38538047820 fffff80576c18746 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : nt!IopXxxControlFile+0xc67
fffff38538047960 fffff80576a0caf5 : 0000000000001778 0000000000000000 0000000000000102 ffffc5821da52140 : nt!NtDeviceIoControlFile+0x56
fffff385380479d0 00007ff886aed1a4 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : nt!KiSystemServiceCopyEnd+0x25
00000090385ff268 0000000000000000 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : 0x00007ff8`86aed1a4

SYMBOL_NAME: SystemInformer+16806

MODULE_NAME: SystemInformer

IMAGE_NAME: SystemInformer.sys

STACK_COMMAND: .cxr 0xfffff38538046630 ; kb

BUCKET_ID_FUNC_OFFSET: 16806

FAILURE_BUCKET_ID: 0x3B_c0000005_SystemInformer!unknown_function

OS_VERSION: 10.0.19041.1

BUILDLAB_STR: vb_release

OSPLATFORM_TYPE: x64

OSNAME: Windows 10

FAILURE_ID_HASH: {7ef224b6-cc5f-b0ba-47a2-a7292cc6d48b}

Followup: MachineOwner

gettysburg commented 1 year ago

https://github.com/winsiderss/systeminformer/issues/1523#issuecomment-1397072976

jxy-s commented 1 year ago

Staging branch was merged. New driver release soon™️. I greatly appreciate everyone's patience.

dmex commented 1 year ago

Fixed in latest nightly build 🥳

gettysburg commented 1 year ago

@dmex What a timing, just as I switched to Windows 11 Enterprise..