The request could not be performed because of an I/O device error (4.0rc1) #9
Comments
Thanks for reporting - can you please capture kernel debug log using https://docs.microsoft.com/en-us/sysinternals/downloads/debugview - select capture kernel messages and try the acquisition again?
Hi
This is a successfully caught but real error. Though it never occurred on my system and I have 2004. I need the precise ntstatus error to know what went wrong. 1.) Can you use Dbgview[1], to directly see the message from the driver? You must do it elevated, with all verbose kernel capture settings enabled (in menu), and put me the debug print output here. Current diagnosis: @ edit: Did you do this on a barebone machine? In case of a BSOD, the exception codes would also help a lot. [1] https://docs.microsoft.com/en-us/sysinternals/downloads/debugview
Sorry, but now I have a blue screen of death....
and it is not on a VM machine
There is something really strange going on. My 2004 was a VM, not a barebone. Did you try with or without memory compression? Does anyone of you have a 1) Dbgview (does not help against BSOD), or better, 2), WinDbg[2]? With WinDbg, you load the crashdump (I think in c:\windows\memory.dmp per default) that was made when the OS crashed and launch a In case it gets really weird, I have to organize a win10 2004 barebone and must hope to reproduce it. @ edit: already trying that. [2] The easiest way to get WinDbg is via the app store of Microsoft: type "Windbg preview" (Microsoft Corporation) to find it. That should do the job. Does not need a Microsoft online account to download it. Alternatively, it's in any SDK, and it's also in the WDK10 or WDK7600. WinDbg can load the post-mortem crashdump that should be "c:\windows\memory.dmp" to tell what went wrong (using
I cannot reproduce it on a Win10 2004 x64. It simply worked. But then again that was a self-compiled driver. @edit: colleague reported to run normally on a Win10 2004 x64, using both PTE and physical memory methods. Everything runs completely normal. (He self-compiled & testsigned from this git-cloned source.)
reproduced it. Happens only on real barebone machines, which makes it difficult to study. That needs to wait until tomorrow.
Hi guys, Yes, this is a real machine, not a VM. But Hyper-V service is enabled. I use VMware and Windows Sandbox sometimes. I'm trying the 2nd method (PTE remapping). Please see the logs from DebugView attached. This is the command that I'm running: It works fine on the second machine which I haven't updated to 2004 yet. I'm going to update it soon and check if it works there.
Ok I think the error is related to VSM mode. When running in this mode, winpmem driver literally can not read the protected memory range and needs to break up the buffer and read around the holes. We did have code to do this in here but this has not been replicated in the very simple mini imager. Maybe I will prepare another release of the old aff4 imager to get around this issue. It would also be nice to be able to write an elf image so we can skip all the padding regions - a machine I tested with had a couple gb of padding.
Update: I have upgraded my older desktop PC to Win10 2004 and 4.0rc1 works fine there, no issues. 3.3rc2 doesn't work on this PC because of this issue - Velocidex/c-aff4#144 So, the only issue that remains is being able to capture RAM on a PC that has both Win10 2004 and VSM mode.
Thanks, that would be great!
It was also fine on my gaming PC, which has no virtualization at all. :D Approach: I think we might be able to catch the error and leave out the VSM-failing page, and return a sufficient amount of zero bytes instead. I also need a better securing. There is VSM interference to be taken into account.
Here is a physical read one, before I fixed it:
I think I fixed all three now. I am testing myself and then will put it on my repo & PR...
I added a slow read path when buffers can not be read in #14 . Can you please test the rc2 binary with VSM enabled? You can find the binary in the releases. It will now fall back to a slow read where it gets read errors from the driver. This will display an x in the progress instead of . (each character corresponds to 16mb buffers).
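A user-space model of the fast/slow read fallback this comment describes, added here as an illustration rather than WinPmem's own imager or driver code. The fake device, the page-size granularity of the slow path and zero-filling the unreadable pages are assumptions; the 16 MiB buffer and the "." versus "x" progress characters come from the comment.

```python
import io

PAGE = 4096                  # assumed granularity of the slow path
BUFFER = 16 * 1024 * 1024    # 16 MiB per progress character, as in the comment


class DeviceError(OSError):
    """Stands in for the driver's read failure ('I/O device error')."""


class FakePhysMem:
    """Constructed stand-in for physical memory: a read that overlaps a
    protected (VSM-style) range fails, any other read returns one pattern
    byte per page. Offsets and lengths are assumed page-aligned."""
    def __init__(self, size, protected):
        self.size = size
        self.protected = protected              # list of (start, end), half-open

    def read(self, offset, length):
        end = offset + length
        if end > self.size:
            raise ValueError("read past end of memory")
        if any(offset < e and s < end for s, e in self.protected):
            raise DeviceError(f"I/O device error at {offset:#x}")
        return b"".join(bytes([p & 0xFF]) * PAGE
                        for p in range(offset // PAGE, end // PAGE))


def image(dev, buffer_size=BUFFER):
    """Fast path reads whole buffers ('.' each). When a buffer read fails,
    the slow path re-reads it page by page and zero-fills the pages that
    still fail ('x' for that buffer), so image offsets stay accurate.
    Returns (progress_string, list_of_unreadable_pages, image_bytes)."""
    out, progress, bad_pages, offset = io.BytesIO(), [], [], 0
    while offset < dev.size:
        length = min(buffer_size, dev.size - offset)
        try:
            out.write(dev.read(offset, length))
            progress.append(".")
        except DeviceError:
            for page in range(offset, offset + length, PAGE):
                n = min(PAGE, offset + length - page)
                try:
                    out.write(dev.read(page, n))
                except DeviceError:
                    out.write(b"\0" * n)        # hole left by the protected range
                    bad_pages.append(page)
            progress.append("x")
        offset += length
    return "".join(progress), bad_pages, out.getvalue()


if __name__ == "__main__":
    # constructed input: 4 buffers of 64 KiB, a 2-page protected hole in buffer 1
    dev = FakePhysMem(4 * 65536, [(0x12000, 0x14000)])
    progress, bad, data = image(dev, buffer_size=65536)
    print(progress, [hex(p) for p in bad], len(data))
```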
You don't need that, just see my patch.
Which patch?
well, since I have no write access to your repo, here :
https://github.com/vivianezw/WinPmem
I did not PR yet, because I need to terminate all tests on barebone first.
With all methods.
My solution does not report the errors back. That's not good.
We tested 4.0rc2 on a physical device with Win10 Build 2004. Unfortunately, we still get a BSOD (Memory management) when we try to access memory. If it is helpful, we have a mini-dump and full-dump of the crash available.
Yes, that's exactly why I pushed my update. Currently please use my testsigned drivers in the pull request! For convenience, here: https://github.com/Velocidex/WinPmem/files/5386510/winpmem_testsigned_15_okt_2020_2.zip I fixed that already! (But only in the testsigned drivers.)
Does this crash occur with the -2 flag? Using PTE mode? When you say "trying to access memory" - are you trying to take an image or are you trying to use the driver in your own code? If so - the only stable access method is the PTE mode which you will need to switch to using the required ioctl. This is the only mode that captures the Hyper-V page faults correctly. Vivian added those same checks for the other modes in a later PR but that is not present in the signed driver.
I'm pretty sure he used the old signed drivers. My patched current build is pretty invisible right now. (Hanging in a closed pull request.) The physmem method is also safe but only in my testsigned build. The iospace method is safe if no kernel debugger is attached (only in my latest testsigned build). @scudette: pleeease put my testsigned nice driver to a more visible place. :-)
Hello,
I've just tried the new 4.0rc1 release on my laptop, but it produced an error while trying to capture RAM.
I've tried all three methods, but all of them either produced the above error or sent my computer to BSOD.
This is Windows 10 Pro x64 with 2004 update (exact version is 10.0.19041.508). Full output is attached.
method_2_output.txt