none
Prefetch conflicts with driver load. RRS feed

  • Question

  • Hi,

    I'm facing an issue with my driver on some computers. 

    When I install my app and try to start my driver, I get ERROR_INVALID_PARAMETER. Internally, kernel loader raises STATUS_INVALID_PAGE_PROTECTION. 

    The driver is compiled with /INTEGRITYCHECK because I need to use ObRegisterCallback. Also the issue only happens when UEFI Secure Boot is enabled (so I cannot attach kernel debugger) 

    After trial and error, if found if I copy the.driver to other location and then back to system32\drivers, the driver loads fine. Also loads fine if I reboot the OS. 

    Also lowering procmon's minifilter I could see, at MiCreateImageOrDataSection function, MiCreateNewSection is called when load succeedes and MiShareExistingControlArea when fails. (Based on what I saw, these are the paths depending if a CONTROL_AREA is being created or shared)

    I started suspecting about shared sections and my first shot was to disable Windows Defender completely without success.

    Then I saw a prefetch code in kernel also was creating a section so I disabled it too by setting EnablePrefetcher and SfTracingStateto 0 under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters

    Now my driver loads!!

    Any hint on what can be going on?

    Regards, Mauro.

    Tuesday, April 16, 2019 2:31 PM

Answers

All replies