The Windows operating system maintains two separate I/O paths to the boot device – one for normal system operation, the normal I/O path, which consists of components such as the file system, volume manager, partition manager, and so on; and a second path, the crash dump I/O path, which is used exclusively for writing a crash dump file to the boot device when the system crashes and for writing hibernation data to the hiberfil.sys file when the system hibernates. These two I/O paths are illustrated in Figure 1 below.
Figure 1: The Normal and Crash Dump I/O Paths
Each of these paths consists of a series of layered drivers (a “driver stack”) that pass I/O requests back and forth to complete operations. The crash dump driver stack consists of a dump port driver, a dump miniport driver, one or more crash dump filter drivers, and a special driver named crashdmp.sys that serves as a crash state manager for the kernel (technically, it lives outside the driver stack). There are many reasons for maintaining two paths; here are a few:
- When a system crash occurs, the operating system needs to write a crash dump file to disk, but this might not be possible if the bug that caused the crash is in a driver in the normal path.
- The crash I/O path is highly optimized and lightweight, which makes it useful for intensive disk operations that must complete quickly, such as hibernation.
- In Windows 8, the crash I/O path is also used for the faster “hybrid boot”.
As shown in Figure 1, the crash dump driver stack is almost a mirror copy of the lowest portion of the normal path’s driver stack, with a few twists. The crash dump port driver, provided by Microsoft as part of the operating system, is a special copy of the normal I/O path’s disk port driver, altered to completely bypass the normal I/O path during a system crash. The crash dump miniport driver, provided by the manufacturer, is pre-programmed to operate in conjunction with this special dump port driver in a restricted crash dump environment. These two low-level drivers, in conjunction with the kernel and the crashdmp.sys driver, work together to operate the crash dump I/O path completely separate from the normal I/O path.
The table below summarizes key differences between the two paths.
| | Normal I/O Path | Crash Dump I/O Path |
|---|---|---|
| Primary drivers | Many, layered | Modified port and miniport |
| Filter drivers | Many, layered | Crash dump filters only |
| Controlled by | I/O manager | Kernel or crashdmp.sys |
Only the operating system is meant to use this special “backdoor” path to disk, but it is possible to use the crash dump driver stack outside of its intended purpose to arbitrarily read or write to disk via a driver that implements a bypass technique [4,5]. Follow-up research revealed changes to the crash dump stack in Windows 8 that introduced inherent read functionality [1,2]: the earlier bypass technique was no longer relevant or functional in Windows 8, and a new technique made it even easier to use the dump stack to read or write to disk.
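Because the dump stack sits below the normal path's filters and the I/O manager, a defender wants to know what is registered in it. The following PowerShell inventory is an added example, not code from the article or from the cited research; it assumes that crash dump filter drivers are listed in the REG_MULTI_SZ value DumpFilters under HKLM\SYSTEM\CurrentControlSet\Control\CrashControl and that their binaries live under System32\drivers, and it must run elevated.

```powershell
# Added example: inventory the crash dump driver stack from a defender's view.
# Assumptions: filter drivers are registered in the DumpFilters value under
# CrashControl; binaries are looked up in %SystemRoot%\System32\drivers.
function Get-CrashDumpStackInventory {
    $crashControl = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'
    $driverDir    = Join-Path $env:SystemRoot 'System32\drivers'
    $cc = Get-ItemProperty -Path $crashControl

    # CrashDumpEnabled: 0 = none, 1 = complete, 2 = kernel, 3 = small, 7 = automatic
    $summary = [pscustomobject]@{
        Item      = 'CrashControl'
        Detail    = "CrashDumpEnabled=$($cc.CrashDumpEnabled) DumpFile=$($cc.DumpFile)"
        OnDisk    = $null
        SigStatus = $null
        Signer    = $null
    }

    # Every registered crash dump filter driver, checked for presence and signature.
    $filters = @($cc.DumpFilters | Where-Object { $_ })
    $rows = foreach ($name in $filters) {
        $path   = Join-Path $driverDir $name
        $exists = Test-Path -Path $path
        $sig    = if ($exists) { Get-AuthenticodeSignature -FilePath $path } else { $null }
        [pscustomobject]@{
            Item      = "DumpFilter:$name"
            Detail    = $path
            OnDisk    = $exists
            SigStatus = if ($sig) { [string]$sig.Status } else { 'n/a' }
            Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { 'n/a' }
        }
    }

    # Flag anything a reviewer should look at: a filter that is missing on disk
    # or whose Authenticode signature is not Valid.
    $suspect = $rows | Where-Object { -not $_.OnDisk -or $_.SigStatus -ne 'Valid' }
    @($summary) + @($rows) + @($suspect | ForEach-Object {
        [pscustomobject]@{ Item = 'REVIEW'; Detail = $_.Item; OnDisk = $_.OnDisk
                           SigStatus = $_.SigStatus; Signer = $_.Signer }
    })
}

Get-CrashDumpStackInventory | Format-Table -AutoSize
```

An empty DumpFilters value is normal on a machine without BitLocker or third-party storage filters; any REVIEW row, or a filter name you cannot attribute to a known vendor, is worth correlating with driver-load events.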