mfehidk.sys BSODs when "shadow file object" mini-filter drivers are present

I have a simple minifilter which attaches at a very low altitude and creates virtual file objects which are passed back up the filter driver stack.  The driver uses the FsContext2 pointer to store a piece of data.  McAfee's mfehidk.sys driver which is part of total protection appears to pass the virtual file object directly to the NTFS driver which causes a crash.  This is incorrect behavior because it should be passing the request to the owner of the file object, which in this case would be the filter manager.  If I modify this component to put a NULL value into the FsContext2 pointer, then McAfee does not crash.  Presumably, this means that it is checking for a valid value in the FsContext2 field and assuming that a non-null value implies that it is a real FILE_OBJECT from NTFS.

In any case, I attached a minidump showing the crash.

0: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Invalid system memory was referenced.  This cannot be protected by try-except,
it must be protected by a Probe.  Typically the address is just plain bad or it
is pointing at freed memory.
Arg1: cab1e034, memory referenced.  (this is a special dummy address (0xcab1e000) placed in FsContext2 of a shadow file object created by a mini-filter to detect components which violate the filter driver stacking rules)
Arg2: 00000000, value 0 = read operation, 1 = write operation(
Arg3: 86c3e82b, If non-zero, the instruction address which referenced the bad memory
Arg4: 00000002, (reserved)

Debugging Details:

READ_ADDRESS:  cab1e034

86c3e82b 0fb64034        movzx   eax,byte ptr [eax+34h]

IMAGE_NAME:  mfeavfk.sys
MODULE_NAME: mfeavfk
FAULTING_MODULE: 86c31000 Ntfs
PROCESS_NAME:  mfevtps.exe

TRAP_FRAME:  9136f3f4 -- (.trap 0xffffffff9136f3f4)
ErrCode = 00000000
eax=cab1e000 ebx=00000000 ecx=84d7b0d8 edx=102a1001 esi=925ec000 edi=00000000
eip=86c3e82b esp=9136f468 ebp=9136f46c iopl=0         nv up ei ng nz na pe nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00210286
86c3e82b 0fb64034        movzx   eax,byte ptr [eax+34h]     ds:0023:cab1e034=??
Resetting default scope

LAST_CONTROL_TRANSFER:  from 828efe71 to 8287e394

9136ef3c 828efe71 00000003 9ec821aa 00000065 nt!RtlpBreakWithStatusInstruction
9136ef8c 828f096d 00000003 00003ff8 cab1e034 nt!KiBugCheckDebugBreak+0x1c
9136f350 828988e3 00000050 cab1e034 00000000 nt!KeBugCheck2+0x68b
9136f3dc 828595f8 00000000 cab1e034 00000000 nt!MmAccessFault+0x106
9136f3dc 86c3e82b 00000000 cab1e034 00000000 nt!KiTrap0E+0xdc
9136f46c 86cc8ef1 9136f55c 8209ea30 9136f4ac Ntfs!NtfsDecodeFileObject+0x6e
9136f4e4 86ccea4d 9136f55c 820ad008 17f00c77 Ntfs!NtfsCommonQueryInformation+0x56
9136f548 86cdcd53 9136f55c 820ad008 00000001 Ntfs!NtfsFsdDispatchSwitch+0x17b
9136f67c 8284f4bc 84d7b020 820ad008 925ec000 Ntfs!NtfsFsdDispatchWait+0x1c
9136f694 8dba1365 820f0938 00000000 836f9154 nt!IofCallDriver+0x63
WARNING: Stack unwind information not available. Following frames may be wrong.
9136f6c4 8dba1a8b 84d7b020 820ad198 9136f710 mfeavfk+0x17365
9136f8c4 836cefa9 f0000001 0000006a 820daed8 mfeavfk+0x17a8b
9136f9d0 836d4b6a 820daed8 820d94f0 00000001 mfehidk+0x2ffa9
9136f9f0 836c38e9 820daed8 820d94f0 00000001 mfehidk+0x35b6a
9136fa30 836d3a6f 00000001 820d937c 84cede00 mfehidk+0x248e9
9136fa7c 836a64eb 820d937c 00000000 00000000 mfehidk+0x34a6f
9136fa9c 836a6c8d 00000200 00000000 0000077c mfehidk+0x74eb
9136fbc0 836ec700 820f3e00 00000001 00000000 mfehidk+0x7c8d
9136fc28 82a6d8f7 000f3e00 00000001 00000000 mfehidk+0x4d700
9136fcd0 82a704ac 84ced030 00000000 00000000 nt!IopXxxControlFile+0x2d0
9136fd04 8285642a 00000084 00000000 00000000 nt!NtDeviceIoControlFile+0x2a
9136fd04 777d64f4 00000084 00000000 00000000 nt!KiFastCallEntry+0x12a
0031f97c 777d4cac 75b9a08f 00000084 00000000 ntdll!KiFastSystemCallRet
0031f980 75b9a08f 00000084 00000000 00000000 ntdll!NtDeviceIoControlFile+0xc
0031f9e0 7755ec25 00000084 00422800 00000000 KERNELBASE!DeviceIoControl+0xf6
0031fa0c 001e23c4 00000084 00422800 00000000 kernel32!DeviceIoControlImplementation+0x80
0031fa44 001e272a 00000001 0058ce20 0031fa70 mfevtps+0x23c4
0031fa64 762e75a8 00000001 0058ce20 00000000 mfevtps+0x272a
0031fa78 77561174 0058ce10 0031fac4 777eb3f5 sechost!ScSvcctrlThreadA+0x21
0031fa84 777eb3f5 0058ce10 77b7d10a 00000000 kernel32!BaseThreadInitThunk+0xe
0031fac4 777eb3c8 762e7587 0058ce10 00000000 ntdll!__RtlUserThreadStart+0x70
0031fadc 00000000 762e7587 0058ce10 00000000 ntdll!_RtlUserThreadStart+0x1b

8dba1365 3d03010000      cmp     eax,103h

SYMBOL_NAME:  mfeavfk+17365
FOLLOWUP_NAME:  MachineOwner
FAILURE_BUCKET_ID:  0x50_mfeavfk+17365
BUCKET_ID:  0x50_mfeavfk+17365

Re: mfehidk.sys BSODs when "shadow file object" mini-filter drivers are present

Hi tpurtell,

We are currently discussing this issue with our Senior Technical Support; we will get back to you with a permanent solution to fix the issue that you are experiencing.

Pritish. P.

Re: mfehidk.sys BSODs when "shadow file object" mini-filter drivers are present

Hi Tpurtell,

We really apologize for the time taken to contact you back.

Regarding the issue that you are facing with McAfee, we have sent you a PM asking for a few details. Please reply back with the details requested.

Pritish P.