reproducible blue sceen with ewf in conjunction with USB 2.0 mass storrage devices

[gerros]

Sometimes some customers reports us a blue screen when they push/pull
USB mass storage device to our XPE-Systems.

After a long search i found the following reproducible situation.

The blue screens occurs only under the following situation:
1. The system has only USB 1.1 interfaces.
2. The ewf driver must be included in the image, but it is not
necessary to enable the writefilter.
3. You have to connect/reconnect a USB 2.0 Memorystick between 1 and
100 times to this system with an intervall of 1 second.

After that the sytem crashes with different blue screen e.g.
-BAD_POOL_CALLER 0xC2 (0x07,0xCD4,0x01,0x82598170)
-IRQ_NOT_LESS_OR_EQUAL ...
-STOP: 0x7E ...
-STOP: 0x8E ...

In the images there are all avaliable QFE's from the MS-OEM sites
implemented.

The bluesceen occurs on different hardware plattforms and different
usb 2.0 memorysticks, when the above 3 points are given.


The blue sceens occurs not :
1. when an identical image without ewf components is used.
2. when usb 1.1 Memorysticks is used instead of the USB 2.0
Memorysticks for the test.
3. the system has an USB 2.0 interface.

If one of the points is fulfil, the systems are running stable.

The stange behavior is the the bluescreen occurs also if ewf is
disabled, only an image without ewf components let work the system
stable.
So it seems the the EWF driver has problems together USB 2.0 mass
storage devices on USB 1.1 interfaces.

An interesting question is, what the ewf-driver is doing when it is
disabled?
Normally it sould do nothing, but it seems that is not right.

 

[Slobodan Brcin \(eMVP\)]

Hi Gerros,

I have not seen the problem but I guess that I know the solution to it.

An interesting question is, what the ewf-driver is doing when it is
disabled?
Normally it sould do nothing, but it seems that is not right.

Right and mostly wrong. EWF driver is upper filter driver for every volume on every disk.
So when you plug USB device PnP will call AddDevice function in EWF driver which should determine whether EWF will hook to the
driver stack and initialize or ignore certain device.

If it choose not to hook then problem should not happen since there would not be a huge PnP process active inside of driver.

According to your case my guess is that EWF will hook to each volume and only after complete PnP init is done it will choose only to
do pass-trough for all requests. (But this is far from driver being disabled).

Only way would be to manually (in registry) make EWF upper filter of specific volumes instead of all volumes. This would solve your
problems for sure.

Best regards,
Slobodan

 

[Guest]

Hello Slobodan,
According to you answer i don't know if i understand your correct:

Only way would be to manually (in registry) make EWF upper filter of specific volumes instead of all volumes. This would solve your
problems for sure.

In my configuration in the registry under
"HKLM\CurrenctControlSet\System\Services\EWF\Parameters\Protected" the
following volume is configured for write Protection.
multi(0)disk(0)rdisk(0)partition(1)

Is this the value in my configuration what i should change in your opinion
manually, or do you mean something else?

Can you give me an example how i should configure the ewf in registry?

Thanks and regards

gerros

 

[Slobodan Brcin \(eMVP\)]

Hi Gerros,

I can't test image with EWF right now to be available to see this for my self, but:

SYSTEM\ControlSet001\Control\Class\{71A27CDD-812A-11D0-BEC7-08002BE2092F}\UpperFilters EWF

This key should be removed and you should place UpperFilter to more appropriate place. For instance analyze driver stack and use DDK
to determine if you should use LowerFilter or upper filter to some other driver nodes.
You will have to include this new entry to more than one volume. (For all volumes that you are planning to protect in future).
Please note that this new paths values are GUID like so you will have to write application or to do things manually.

Best regards,
Slobodan

 

[Nandini Shenoy]

This issue has been addressed in EWF for SP2. There has been some
improvements made with respect to
EWF handling PnP and removable media.

You can wait until SP2 comes out in a few months or please contact product
support services.

 

[Slobodan Brcin \(eMVP\)]

Hi,

I forgot to ask about EWF QFE number that you are using, it might be important. Can you tell us?

Best regards,
Slobodan

 

[Guest]

Hi,
I've used the following EWF QFE's in my Image:
- Enhanced Write Filter - Hotfix Q823025 [Version 2.0.1902.2,R1901]
- EWF Manager Console application [Version 5.1.2600.1106, R1507]
- EWF NTLDR - Hotfix Q832662 [Version 5.1.2600.1106, R1900]

Best regards,
Gerros