Windows Driver Model (WDM) or Windows Kernel Mode Driver Framework (KMDF)
Hello Experts,

Our team recently received an installation package from an older project team. This package installs a Windows service named "octobot_driver." Unfortunately, we lack information about the Windows version and OS patch level for which the installation package was developed. The service is designed to communicate with the Windows Kernel to capture specific events or actions occurring on the Windows system, such as modifying the Windows registry or changing file permissions.

Upon starting the service, we encountered a Blue Screen Of Death (BSOD) issue when someone attempted to modify the Windows registry. The associated error and stack trace file are attached here. Could someone provide guidance on how to investigate and address this issue?

Thank you.

*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

REGISTRY_FILTER_DRIVER_EXCEPTION (135)
This BugCheck is caused by an unhandled exception in a registry filtering driver.
This BugCheck indicates that a registry filtering driver didn't handle exception
inside its notification routine. One can identify the driver by the 3rd parameter.
Arguments:
Arg1: ffffffffc0000005, ExceptionCode
Arg2: ffff8500a8c24570, Address of the context record for the exception that caused the BugCheck
Arg3: fffff80e85e417a0, The driver's callback routine address
Arg4: ffffac829afae3b0, Internal

Debugging Details:
------------------

Unable to load image \SystemRoot\system32\DRIVERS\octobot-driver.sys, Win32 error 0n2

KEY_VALUES_STRING: 1

    Key  : Analysis.CPU.mSec
    Value: 2780

    Key  : Analysis.DebugAnalysisManager
    Value: Create

    Key  : Analysis.Elapsed.mSec
    Value: 5342

    Key  : Analysis.Init.CPU.mSec
    Value: 9874

    Key  : Analysis.Init.Elapsed.mSec
    Value: 36023

    Key  : Analysis.Memory.CommitPeak.Mb
    Value: 74

    Key  : WER.OS.Branch
    Value: rs1_release

    Key  : WER.OS.Timestamp
    Value: 2023-09-13T17:27:00Z

    Key  : WER.OS.Version
    Value: 10.0.14393.6343

FILE_IN_CAB:  MEMORY-DBP01.DMP

VIRTUAL_MACHINE:  VMware

BUGCHECK_CODE:  135

BUGCHECK_P1: ffffffffc0000005

BUGCHECK_P2: ffff8500a8c24570

BUGCHECK_P3: fffff80e85e417a0

BUGCHECK_P4: ffffac829afae3b0

PROCESS_NAME:  WmiPrvSE.exe

STACK_TEXT:
ffff8500`a8c23cf8 fffff803`4808f198 : 00000000`00000135 ffffffff`c0000005 ffff8500`a8c24570 fffff80e`85e417a0 : nt!KeBugCheckEx
ffff8500`a8c23d00 fffff803`48027ec9 : ffffd203`ba925890 ffffd203`bd5ac920 00000000`00000000 fffff80e`83583b69 : nt!CmpFatalFilter+0x24
ffff8500`a8c23d40 fffff803`47bdf7bf : 00000000`00000000 00000000`00000001 00000000`00000000 00000000`c0000016 : nt!CmpCallCallBacks$filt$0+0x19
ffff8500`a8c23d70 fffff803`47bec5ea : fffff803`47d61ec8 ffff8500`a8c24d28 ffff8500`a8c267d0 ffffd203`bd6e3c60 : nt!_C_specific_handler+0x9f
ffff8500`a8c23de0 fffff803`47bfa02d : ffff8500`a8c27000 ffff8500`a8c23f40 00000000`00000000 ffff8500`a8c21000 : nt!_GSHandlerCheck_SEH+0x76
ffff8500`a8c23e10 fffff803`47b882a1 : ffff8500`a8c27000 00000000`00000000 ffff8500`a8c21000 00000000`00000000 : nt!RtlpExecuteHandlerForException+0xd
ffff8500`a8c23e40 fffff803`47b870c4 : ffff8500`a8c24d28 ffff8500`a8c24a70 ffff8500`a8c24d28 ffff8500`a8c24bf0 : nt!RtlDispatchException+0x421
ffff8500`a8c24540 fffff803`47c02482 : ffffd203`bd76b080 ffffd203`bd76b080 ffffd203`b9c26700 fffff803`47a93000 : nt!KiDispatchException+0x1e4
ffff8500`a8c24bf0 fffff803`47bfeb9c : ffff8500`a8c25000 ffff8998`b15b6900 ffffac82`957e2060 00000000`00001b40 : nt!KiExceptionDispatch+0xc2
ffff8500`a8c24dd0 fffff803`47be31e4 : 00000000`00000000 fffff803`47fabdf6 ffff8500`a8c25000 00000000`00000200 : nt!KiGeneralProtectionFault+0x2dc
ffff8500`a8c24f60 fffff803`47be2e9c : 006b0073`00690064 ffff8500`a8c25490 00000000`00000800 00000000`00000000 : nt!write_string+0x38
ffff8500`a8c24f90 fffff803`47bdf9fd : ffff8500`a8c25478 ffffd203`b9c08000 ffff8500`a8c255e8 00000000`00000040 : nt!woutput_l+0x66c
ffff8500`a8c25460 fffff803`47bdf975 : 00000000`00000000 00000000`00000000 00000000`00000002 fffff803`47bf4960 : nt!vsnwprintf_l+0x81
ffff8500`a8c254d0 fffff80e`85e4177a : ffff8500`a8c25660 fffff80e`85e42037 00000000`00000000 00000000`0000002c : nt!vsnwprintf+0x11
ffff8500`a8c25510 fffff80e`85e4190b : 00000000`00000000 ffff8500`0000002c fffff80e`85e43100 ffffac82`95730d00 : octobot_driver+0x177a
ffff8500`a8c25560 fffff803`47fb26be : ffff8500`a8c269e0 ffff8500`a8c26b80 ffffac82`950a94b0 ffffd203`bd76b3a0 : octobot_driver+0x190b
ffff8500`a8c267d0 fffff803`47edc67a : 00000234`8fc451a0 00000000`00000020 ffffac82`9527cd01 ffff8500`a8c26988 : nt!CmpCallCallBacks+0x20e
ffff8500`a8c26920 fffff803`47c01c03 : 00000000`00000440 fffff803`47f9862b 00000000`00000000 00000000`00000050 : nt!NtQueryMultipleValueKey+0x2fe
ffff8500`a8c26a90 00007ff8`1a508634 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13
00000057`a307c788 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x00007ff8`1a508634

SYMBOL_NAME:  nt!CmpFatalFilter+24

MODULE_NAME: nt

IMAGE_NAME:  ntkrnlmp.exe

STACK_COMMAND:  .cxr; .ecxr ; kb

BUCKET_ID_FUNC_OFFSET:  24

FAILURE_BUCKET_ID:  0x135_nt!CmpFatalFilter

OS_VERSION:  10.0.14393.6343

BUILDLAB_STR:  rs1_release

OSPLATFORM_TYPE:  x64

OSNAME:  Windows 10

FAILURE_ID_HASH:  {a987ac65-c260-eef6-be14-be6e8ef95490}

Followup:     MachineOwner
---------
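Added here as a triage aid, not part of the post or of the octobot_driver project: a small Python parser over the !analyze -v fields and STACK_TEXT frames quoted above. It recovers the unsymbolized driver's load base from the return addresses (no PDB needed), turns Arg3 into a module-relative offset of the registry callback, and names the registry syscall being filtered and the nt routine the driver was inside when it faulted. The SAMPLE excerpt is constructed from the post's own values.

```python
import re

# Constructed excerpt of the !analyze -v output in the post (values copied from it).
SAMPLE = """\
BUGCHECK_CODE: 135
BUGCHECK_P1: ffffffffc0000005
BUGCHECK_P3: fffff80e85e417a0
PROCESS_NAME: WmiPrvSE.exe
STACK_TEXT:
ffff8500`a8c24f60 fffff803`47be2e9c : 006b0073`00690064 ffff8500`a8c25490 00000000`00000800 00000000`00000000 : nt!write_string+0x38
ffff8500`a8c254d0 fffff80e`85e4177a : ffff8500`a8c25660 fffff80e`85e42037 00000000`00000000 00000000`0000002c : nt!vsnwprintf+0x11
ffff8500`a8c25510 fffff80e`85e4190b : 00000000`00000000 ffff8500`0000002c fffff80e`85e43100 ffffac82`95730d00 : octobot_driver+0x177a
ffff8500`a8c25560 fffff803`47fb26be : ffff8500`a8c269e0 ffff8500`a8c26b80 ffffac82`950a94b0 ffffd203`bd76b3a0 : octobot_driver+0x190b
ffff8500`a8c267d0 fffff803`47edc67a : 00000234`8fc451a0 00000000`00000020 ffffac82`9527cd01 ffff8500`a8c26988 : nt!CmpCallCallBacks+0x20e
ffff8500`a8c26920 fffff803`47c01c03 : 00000000`00000440 fffff803`47f9862b 00000000`00000000 00000000`00000050 : nt!NtQueryMultipleValueKey+0x2fe
"""

# Frame layout is Child-SP, RetAddr, four args, call-site symbol; fields are NAME: value.
FRAME_RE = re.compile(r"^([0-9a-f`]{17}) ([0-9a-f`]{17}) : .* : (\S+)$", re.M)
FIELD_RE = re.compile(r"^([A-Z][A-Z_0-9]*):[ \t]*(\S+)[ \t]*$", re.M)

def hexval(s):  # WinDbg hex with the backtick separator, e.g. fffff80e`85e4177a
    return int(s.replace("`", ""), 16)

def triage(text):
    fields = dict(FIELD_RE.findall(text))
    frames = [(hexval(ret), sym) for _, ret, sym in FRAME_RE.findall(text)]
    syms = [sym for _, sym in frames]
    status = hexval(fields["BUGCHECK_P1"]) & 0xFFFFFFFF  # Arg1 is a sign-extended NTSTATUS
    # Frames outside nt belong to the filter driver, shown as module+offset because
    # the image could not be loaded (no symbols for it).
    driver = [s for s in syms if not s.startswith("nt!")]
    module = driver[0].split("+")[0]
    # Frame N's RetAddr lies in frame N+1's code, so pairing each RetAddr with the next
    # symbol's offset recovers the driver's load base; all pairs must agree.
    bases = {ret - int(nxt.split("+")[1], 16)
             for (ret, _), nxt in zip(frames, syms[1:]) if nxt.startswith(module + "+")}
    assert len(bases) == 1, "inconsistent module base across frames"
    base = bases.pop()
    first = syms.index(driver[0])
    return {
        "process": fields["PROCESS_NAME"],
        "status": status,
        "access_violation": status == 0xC0000005,
        "module": module,
        "base": base,
        "callback_rva": hexval(fields["BUGCHECK_P3"]) - base,  # Arg3 = callback entry
        "driver_frames": driver,
        "faulting_routine": syms[0],            # topmost frame: where the fault hit
        "called_from_driver": syms[first - 1],  # nt routine the driver frame called into
        "registry_syscall": next(s for s in syms[first:] if s.startswith("nt!Nt")),
    }
```

Running triage(SAMPLE) reports the access violation inside nt!write_string under vsnwprintf, called from octobot_driver+0x177a, with the callback entry at octobot_driver+0x17a0 (so the +0x190b frame is inside the callback and +0x177a is in a helper it calls), while the filtered operation was NtQueryMultipleValueKey issued by WmiPrvSE.exe. Those two offsets are where to start in a disassembler: the format string or one of the arguments the callback hands to the wide printf is not a valid string pointer, and the callback does not catch the resulting exception.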