Windows Driver Model (WDM) or Windows Kernel Mode Driver Framework (KMDF)
Hello Experts,

Our team recently received an installation package from an older project team. This package installs a Windows service named "octobot_driver." Unfortunately, we lack information about the Windows version and OS patch level for which the installation package was developed.

The service is designed to communicate with the Windows Kernel to capture specific events or actions occurring on the Windows system, such as modifying the Windows registry or changing file permissions. Upon starting the service, we encountered a Blue Screen Of Death (BSOD) issue when someone attempted to modify the Windows registry. The associated error and stack trace file are attached here.

Could someone provide guidance on how to investigate and address this issue?
Thank you.
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

REGISTRY_FILTER_DRIVER_EXCEPTION (135)
This BugCheck is caused by an unhandled exception in a registry filtering driver.
This BugCheck indicates that a registry filtering driver didn't handle exception inside
its notification routine. One can identify the driver by the 3rd parameter.
Arguments:
Arg1: ffffffffc0000005, ExceptionCode
Arg2: ffff8500a8c24570, Address of the context record for the exception that caused the BugCheck
Arg3: fffff80e85e417a0, The driver's callback routine address
Arg4: ffffac829afae3b0, Internal

Debugging Details:
------------------

Unable to load image \SystemRoot\system32\DRIVERS\octobot-driver.sys, Win32 error 0n2

KEY_VALUES_STRING: 1

Key : Analysis.CPU.mSec
Value: 2780

Key : Analysis.DebugAnalysisManager
Value: Create

Key : Analysis.Elapsed.mSec
Value: 5342

Key : Analysis.Init.CPU.mSec
Value: 9874

Key : Analysis.Init.Elapsed.mSec
Value: 36023

Key : Analysis.Memory.CommitPeak.Mb
Value: 74

Key : WER.OS.Branch
Value: rs1_release

Key : WER.OS.Timestamp
Value: 2023-09-13T17:27:00Z

Key : WER.OS.Version
Value: 10.0.14393.6343


FILE_IN_CAB: MEMORY-DBP01.DMP

VIRTUAL_MACHINE: VMware

BUGCHECK_CODE: 135

BUGCHECK_P1: ffffffffc0000005

BUGCHECK_P2: ffff8500a8c24570

BUGCHECK_P3: fffff80e85e417a0

BUGCHECK_P4: ffffac829afae3b0

PROCESS_NAME: WmiPrvSE.exe

STACK_TEXT:
ffff8500`a8c23cf8 fffff803`4808f198 : 00000000`00000135 ffffffff`c0000005 ffff8500`a8c24570 fffff80e`85e417a0 : nt!KeBugCheckEx
ffff8500`a8c23d00 fffff803`48027ec9 : ffffd203`ba925890 ffffd203`bd5ac920 00000000`00000000 fffff80e`83583b69 : nt!CmpFatalFilter+0x24
ffff8500`a8c23d40 fffff803`47bdf7bf : 00000000`00000000 00000000`00000001 00000000`00000000 00000000`c0000016 : nt!CmpCallCallBacks$filt$0+0x19
ffff8500`a8c23d70 fffff803`47bec5ea : fffff803`47d61ec8 ffff8500`a8c24d28 ffff8500`a8c267d0 ffffd203`bd6e3c60 : nt!_C_specific_handler+0x9f
ffff8500`a8c23de0 fffff803`47bfa02d : ffff8500`a8c27000 ffff8500`a8c23f40 00000000`00000000 ffff8500`a8c21000 : nt!_GSHandlerCheck_SEH+0x76
ffff8500`a8c23e10 fffff803`47b882a1 : ffff8500`a8c27000 00000000`00000000 ffff8500`a8c21000 00000000`00000000 : nt!RtlpExecuteHandlerForException+0xd
ffff8500`a8c23e40 fffff803`47b870c4 : ffff8500`a8c24d28 ffff8500`a8c24a70 ffff8500`a8c24d28 ffff8500`a8c24bf0 : nt!RtlDispatchException+0x421
ffff8500`a8c24540 fffff803`47c02482 : ffffd203`bd76b080 ffffd203`bd76b080 ffffd203`b9c26700 fffff803`47a93000 : nt!KiDispatchException+0x1e4
ffff8500`a8c24bf0 fffff803`47bfeb9c : ffff8500`a8c25000 ffff8998`b15b6900 ffffac82`957e2060 00000000`00001b40 : nt!KiExceptionDispatch+0xc2
ffff8500`a8c24dd0 fffff803`47be31e4 : 00000000`00000000 fffff803`47fabdf6 ffff8500`a8c25000 00000000`00000200 : nt!KiGeneralProtectionFault+0x2dc
ffff8500`a8c24f60 fffff803`47be2e9c : 006b0073`00690064 ffff8500`a8c25490 00000000`00000800 00000000`00000000 : nt!write_string+0x38
ffff8500`a8c24f90 fffff803`47bdf9fd : ffff8500`a8c25478 ffffd203`b9c08000 ffff8500`a8c255e8 00000000`00000040 : nt!woutput_l+0x66c
ffff8500`a8c25460 fffff803`47bdf975 : 00000000`00000000 00000000`00000000 00000000`00000002 fffff803`47bf4960 : nt!vsnwprintf_l+0x81
ffff8500`a8c254d0 fffff80e`85e4177a : ffff8500`a8c25660 fffff80e`85e42037 00000000`00000000 00000000`0000002c : nt!vsnwprintf+0x11
ffff8500`a8c25510 fffff80e`85e4190b : 00000000`00000000 ffff8500`0000002c fffff80e`85e43100 ffffac82`95730d00 : octobot_driver+0x177a
ffff8500`a8c25560 fffff803`47fb26be : ffff8500`a8c269e0 ffff8500`a8c26b80 ffffac82`950a94b0 ffffd203`bd76b3a0 : octobot_driver+0x190b
ffff8500`a8c267d0 fffff803`47edc67a : 00000234`8fc451a0 00000000`00000020 ffffac82`9527cd01 ffff8500`a8c26988 : nt!CmpCallCallBacks+0x20e
ffff8500`a8c26920 fffff803`47c01c03 : 00000000`00000440 fffff803`47f9862b 00000000`00000000 00000000`00000050 : nt!NtQueryMultipleValueKey+0x2fe
ffff8500`a8c26a90 00007ff8`1a508634 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13
00000057`a307c788 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x00007ff8`1a508634


SYMBOL_NAME: nt!CmpFatalFilter+24

MODULE_NAME: nt

IMAGE_NAME: ntkrnlmp.exe

STACK_COMMAND: .cxr; .ecxr ; kb

BUCKET_ID_FUNC_OFFSET: 24

FAILURE_BUCKET_ID: 0x135_nt!CmpFatalFilter

OS_VERSION: 10.0.14393.6343

BUILDLAB_STR: rs1_release

OSPLATFORM_TYPE: x64

OSNAME: Windows 10

FAILURE_ID_HASH: {a987ac65-c260-eef6-be14-be6e8ef95490}

Followup: MachineOwner
---------
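A note on what the dump above already says, followed by an added example. Bugcheck 0x135 is raised by nt!CmpFatalFilter when a registry callback registered with CmRegisterCallback lets an exception escape; Arg3 (fffff80e85e417a0) is that callback, and the frames octobot_driver+0x190b -> octobot_driver+0x177a -> nt!vsnwprintf -> nt!write_string -> nt!KiGeneralProtectionFault show the driver faulting while vsnwprintf was copying a wide string into its output, during NtQueryMultipleValueKey from WmiPrvSE.exe. The dump's own STACK_COMMAND (`.cxr ffff8500a8c24570; kb`) switches the debugger to the faulting context, and `ln fffff80e85e417a0` names the callback once the driver's symbols load; they did not load here because the analysis could not find `octobot-driver.sys` (Win32 error 2), so putting the driver binary and its PDB on `.sympath` and running `.reload` comes first.

The example below is not from the original post or the octobot_driver project. It assumes (as a hypothesis consistent with the stack, not something the dump proves) that the callback formatted a registry key or value name with a `%ls`/`%ws`-style specifier. Registry names arrive as UNICODE_STRINGs, whose `Length` is in bytes and whose `Buffer` is not guaranteed to be NUL-terminated, so an unbounded specifier keeps reading past the name until it hits a NUL or an unmapped page. The code mocks that structure in user-mode C with a constructed buffer so that the overrun is observable instead of fatal; `MOCK_UNICODE_STRING`, `g_key_name` and the function names are illustrative. `WCHAR` is 16-bit on Windows and `wchar_t` is wider on other platforms, which does not change the `Length / sizeof(WCHAR)` arithmetic.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <wchar.h>

typedef wchar_t WCHAR; /* 16-bit on Windows; width differs elsewhere, arithmetic is the same */

/* Mock of the kernel's UNICODE_STRING (hypothetical name, same layout and rules). */
typedef struct {
    uint16_t Length;        /* bytes, not characters, and never counting a terminator */
    uint16_t MaximumLength; /* bytes available in Buffer */
    WCHAR   *Buffer;        /* NOT guaranteed to be NUL-terminated */
} MOCK_UNICODE_STRING;

/* Constructed backing store: the 16-character name "Software\Octobot" immediately
 * followed by unrelated non-NUL data, as it could sit in a kernel buffer. Only the
 * first 16 characters belong to the string; the rest simulates adjacent memory. */
static WCHAR g_backing[] = L"Software\\OctobotADJACENT-KERNEL-DATA";
static const MOCK_UNICODE_STRING g_key_name = {
    (uint16_t)(16 * sizeof(WCHAR)), (uint16_t)sizeof(g_backing), g_backing
};

/* Unsafe pattern: %ls ignores Length and scans for a NUL. In a driver this reads past
 * the name; when the scan crosses into unmapped memory the callback faults, and because
 * CmpCallCallBacks treats any escaping exception as fatal, the result is bugcheck 0x135. */
int format_unsafe(const MOCK_UNICODE_STRING *s, WCHAR *out, size_t cch) {
    return swprintf(out, cch, L"Key: %ls", s->Buffer);
}

/* Safe pattern: a precision bounds the read to Length characters, so no terminator is
 * needed. The kernel-side equivalent is %wZ with a PUNICODE_STRING, or %.*ws with the
 * same Length / sizeof(WCHAR) computation, in DbgPrint / RtlStringCbPrintfW. */
int format_safe(const MOCK_UNICODE_STRING *s, WCHAR *out, size_t cch) {
    return swprintf(out, cch, L"Key: %.*ls", (int)(s->Length / sizeof(WCHAR)), s->Buffer);
}

/* Demo helpers: format the constructed name both ways into a scratch buffer. */
static WCHAR g_scratch[128];

int demo_unsafe_len(void) { return format_unsafe(&g_key_name, g_scratch, 128); }
int demo_safe_len(void)   { return format_safe(&g_key_name, g_scratch, 128); }

/* 1 if the safe formatter produced exactly "Key: Software\Octobot", 0 otherwise. */
int demo_safe_matches(void) {
    format_safe(&g_key_name, g_scratch, 128);
    return wcscmp(g_scratch, L"Key: Software\\Octobot") == 0;
}

int main(void) {
    /* The unsafe formatter emits the name plus the adjacent data (41 characters);
     * the safe one stops at Length (21 characters). */
    printf("unsafe wrote %d chars, safe wrote %d chars, safe correct: %d\n",
           demo_unsafe_len(), demo_safe_len(), demo_safe_matches());
    return 0;
}
```

Two practical consequences for the driver. First, the overrun is the thing to fix: a registry callback should never dereference a registry-supplied name without honouring `Length`, and should validate the `REG_*_INFORMATION` pointer for the notification class it receives before touching it. Second, a `__try`/`__except` block inside the callback is the only place such a fault can be caught, since the frame above it (CmpCallCallBacks) bugchecks rather than recovering; it is a containment measure, not a substitute for bounded reads.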