Http.sys makes the news (not in a good way)


InformationWeek has an article about a reliability update for http.sys posted to Windows Update. The problem was that http.sys plus a recent update to a certain vendor’s anti-virus software leads to a blue screen. Because of the type of failure, it took a while for the Windows Error Reporting crashes to get debugged back to us. We released a fix for the bug and attached it to the Error Reporting bucket. This meant that after the crash occurred and you reported it to Microsoft, the UI would inform you of a patch and let you install it. Still, the crashes continued to come in, and in bigger numbers. It was time to do something more, so we decided that the best thing for our customers was to release the fix on Windows Update for everyone.

Comments (6)

  1. . says:

    The mind boggles why this is in kernel mode, IE shouldn’t BSOD the platform.

    THIS IS DUMB.

  2. anyhow,

    http.sys and the related IIS6 architecture is a fantastic piece of software, if not the best ever to come out of Microsoft.

  3. Ari Pernick says:

    Responding to the first comment: http.sys isn’t part of IE, it is a server HTTP stack. In Windows XP, it is used by UPnP.

  4. zzz says:

    I would like to know whose bug it was. Was the 3rd party doing something ‘surprising/you shouldn’t have done that’ that caused http.sys to ‘crap’, or was the fault at MS?

    So does the fix fix any real bug, or just create a ‘hack’ to allow the AV vendor’s POS code to not crash the system?

  5. Ari Pernick says:

    The KB article has it right: there was a code path that had never returned asynchronously, and the coding error was in http.sys. The antivirus driver works by inserting itself into the driver stack, intercepting and inspecting every call. However, they turn a normal synchronous call into an async call. This is completely legal, but it exposed a small bit of code in http.sys that we hadn’t been able to reach before. This async return handler had a stack corruption bug in it.

    I guess that if either SP2 or the virus-detection vendor’s product or we had shipped a month or two earlier than it did, we or they would have found the issue in testing, but that’s just speculation.

    We are updating our test tools to be able to force these sorts of conditions, and hopefully we can get this type of test into Driver Verifier so that we can kill off this type of issue from Windows completely. (Driver Verifier is a test product in the DDK to help detect driver coding and interaction issues.)

  6. Jason Haley says:

    Interesting finds this week
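
The condition described in comment 5, and the kind of test hook it mentions, as an added example that is not code from the original post, from Microsoft, or from http.sys: a user-mode C model in which a shim forces a normally inline call to return pending, so the rarely reached async return handler runs under test. Every name here (`filter_submit`, `force_pending`, `run_case` and the rest) is hypothetical, and no Windows API is used.

```c
/* Constructed user-mode model; every name is hypothetical, not a Windows API. */
#include <stdlib.h>
enum { ST_SUCCESS, ST_PENDING };

struct request {
    int input, result, completed;
    void (*on_complete)(struct request *);  /* async return handler */
};
static void finish(struct request *r) { r->completed = 1; }

/* Lower layer: always finishes inline, so callers rarely see ST_PENDING. */
static void lower_submit(struct request *r) { r->result = r->input * 2; }

/* Test shim standing in for a filter: holds the request, returns ST_PENDING. */
static struct request *held;
static int force_pending;
static int filter_submit(struct request *r) {
    if (!force_pending) { lower_submit(r); return ST_SUCCESS; }
    held = r;
    return ST_PENDING;
}

static void drain(void) {  /* deferred completion of the held request */
    struct request *r = held;
    held = NULL;
    if (r) { lower_submit(r); r->on_complete(r); }
}

/* Caller under test: the heap request stays valid after submit() returns. */
static struct request *submit(int input) {
    struct request *r = calloc(1, sizeof *r);
    if (!r) return NULL;
    r->input = input;
    r->on_complete = finish;
    if (filter_submit(r) != ST_PENDING) finish(r);  /* inline path */
    return r;
}

/* Drive one request down either path; returns its result, or -1 on failure. */
static int run_case(int input, int pending) {
    force_pending = pending;
    struct request *r = submit(input);
    if (!r) return -1;
    int done_at_return = r->completed;
    drain();
    int out = (r->completed && done_at_return == !pending) ? r->result : -1;
    free(r);
    return out;
}
```

Running every case once with `pending` set to 0 and once with it set to 1 is what puts the deferred path under test before a third-party layer does it in production.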