In Windows Vista, nearly all of the crash dump stack related code was moved from the kernel to a new driver, crashdmp.sys.  The crashdmp.sys driver is the key component in the crash/hibernate process responsible for all pre-initialization and post-initialization tasks, including:

  • maintaining crash dump state
  • loading and unloading dump stack drivers
  • generating crash dump files
  • brokering I/O requests between the kernel, dump filter drivers and the dump port driver
  • various housekeeping duties such as dump stack logging and error simulation

Crashdmp.sys acts as a middle-man of sorts: maintaining internal dump stack state and brokering crash read/write requests between the kernel, crash dump filter drivers, and the lower-level dump port driver.

In Windows 8, the driver was modified to include a logging capability.  These logging functions combined with how the crashdmp.sys passes state to crash dump filter drivers allows the filter drivers to read and write through the crash dump path, something they should not be able to do.  This flaw is the foundation for the file patching technique described on this website, which is one of two known ways to use the crash dump stack to read/write to disk outside normal operating system usage.

%d bloggers like this: