It seems if a driver opens and closes a process early enough in Windows 7, it could trigger a destruction before process creation is even completed, leading to a blue screen of death.

One of the ways this happens is, if a page fault happens during NtCreateUserProcess and in the paging path a driver or system attempts to access registry. Now if you or someone else is watching registry activity, by setting up Object Manager callback, the callback will get called.

If the callback opens a handle to the process1, perhaps to characterize the registry access further — this open would be before the process has had a chance to initialize completely i.e. before NtCreateUserProcess has returned.

Assuming no one else has opened handle(s)/reference(s) to this nascent process, when the callback closes the process handle, handle count would drop down to zero. Object Manager will consequently invoke process destruction on the process by calling PspProcessClose.

When control returns from page fault handler back to NtCreateUserProcess, it will find itself working with a destroyed process object leading to eventual system demise2.

The word from Microsoft is that this may be fixed in next release of Windows but not in a service pack to Window 7. So if you have a Windows 7 driver that has registry monitoring and you do open source process in your callback, here are some things you need to assess to work around this –

  1. Check if you can get around the issue by ignoring registry events triggered in kernel mode opens. Depending on what your functionality is and how you are hitting this issue, you may avoid the crash by ignoring all kernel mode registry access3. Kernel mode access is indicated by presence of OBJ_KERNEL_HANDLE flag in REG_OPEN_KEY_INFORMATION_V1.Attributes.
  2. Check if you can get around by accounting the registry access against the parent process instead of the new process. PsGetThreadProcessId call on PsGetCurrentThread may help by returning the parent pid4.

1working off of process returned by PsGetCurrentProcess

2I have seen this crash in PspInsertProcess which is where the new process is in the throes of getting inserted into the system active process list

3This assumes that you could have ignored kernel mode events but somehow decided to watch them anyway – not a very logical assumption but could be your case especially if you have not taken a hard look at all your processing.

4which may be different from the process you will get by calling PsGetCurrentProcess or the pid you will get if you call PsGetProcessId on PsGetCurrentProcess

Tagged with →  
Share →

One Response to Windows 7 may crash in NtCreateUserProcess

  1. T800 says:

    No fix for 7?
    A classic example of corporate incompetence.
    This isn’t some obscure hacking, we’re talking about registry access and processes, a very real-life situations, even for kernel-mode apps/drivers.

Leave a Reply

Your email address will not be published. Required fields are marked *


Looking for something?

Use the form below to search the site:

Still not finding what you're looking for? Drop us a note so we can take care of it!

Visit our friends!

A few highly recommended friends...

Set your Twitter account name in your settings to use the TwitterBar Section.