请教蓝屏的原因，已贴出dump file.

此问题已解决.谢谢!

加入ntfs.sys的path到image file path后的Bugcheck Analysis:

*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 1000000A, {7346744e, 2, 1, 804e9955}

*** ERROR: Module load completed but symbols could not be loaded for Ntfs.sys
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for KSecDD.sys -
Probably caused by : KSecDD.sys ( KSecDD!UnsealMessage+446d )

Followup: MachineOwner
---------

0: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high.  This is usually
caused by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.
Arguments:
Arg1: 7346744e, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000001, bitfield :
    bit 0 : value 0 = read operation, 1 = write operation
    bit 3 : value 0 = not an execute operation, 1 = execute operation (only on chips which support this level of status)
Arg4: 804e9955, address which referenced memory

Debugging Details:
------------------


WRITE_ADDRESS:  7346744e

CURRENT_IRQL:  2

FAULTING_IP:
nt!MiMakeOutswappedPageResident+d4
804e9955 890a            mov     dword ptr [edx],ecx

CUSTOMER_CRASH_COUNT:  1

DEFAULT_BUCKET_ID:  DRIVER_FAULT

BUGCHECK_STR:  0xA

PROCESS_NAME:  wuauclt.exe

LAST_CONTROL_TRANSFER:  from 8056b1a5 to 804e9955

STACK_TEXT:  
a929a08c 8056b1a5 004c1700 00000000 00000000 nt!MiMakeOutswappedPageResident+0xd4
a929a0f4 f7361a6e 8653e2e0 a929a124 00001000 nt!CcSetBcbOwnerPointer+0x2e
WARNING: Stack unwind information not available. Following frames may be wrong.
a929a114 f736245f 8637f500 e15bcd20 00000000 Ntfs+0x26a6e
a929a144 f73665b8 8637f500 0000000c 00000000 Ntfs+0x2745f
a929a2bc f7366792 8637f500 e15bcd20 e1577c38 Ntfs+0x2b5b8
a929a3b8 f7367499 8637f500 e1577988 e1577be8 Ntfs+0x2b792
a929a41c f7366f58 8637f500 e1577988 e1577ba8 Ntfs+0x2c499
a929a4f8 f7366d6b 8637f500 8654e6d0 85c3a310 Ntfs+0x2bf58
a929a568 f733eb3b 8637f500 85c3a310 86509240 Ntfs+0x2bd6b
a929a5d0 804f019e 86558020 85c3a310 86530348 Ntfs+0x3b3b
a929a608 804f019e 86509240 85c3a310 85c3a4c4 nt!IopUpdateReadOperationCount+0x2d
a929a62c 804f019e 865c2ca8 e181a240 85c3a320 nt!IopUpdateReadOperationCount+0x2d
a929a6c4 8054262c 80000698 a929a778 a929a788 nt!IopUpdateReadOperationCount+0x2d
a929a6e0 80501ecd badb0d00 a929a758 00000000 nt!RtlpTraceDatabaseInternalAdd+0x24
a929a790 8063c910 e188ab01 00000001 00003000 nt!RtlpBitsClearTotal+0x125
a929a7a8 8063a9f8 e188ab60 00000001 00003000 nt!VdmpPrinterDirectIoClose+0x15e
a929a7c8 8063b6f5 e188ab60 00000008 006f08ac nt!SeMarkLogonSessionForTerminationNotification+0x8f
a929a8ac f73d65d1 a929a90c e1051176 00000014 nt!SepDequeueWorkItem+0x49
a929a8cc f73d11ff a929a8f4 a929ab00 00000000 KSecDD!UnsealMessage+0x446d
a929a994 f73d0d7c 800006ac a929a9b4 00000000 KSecDD!SecMakeSPN+0x1069
a929a9c0 f73d0765 a929ab18 00000050 00000000 KSecDD!SecMakeSPN+0xbe6
a929abbc f73d09a6 00000000 00000000 85bded28 KSecDD!SecMakeSPN+0x5cf
a929abe0 f73cecf9 a929ac00 85bded28 00000100 KSecDD!SecMakeSPN+0x810
a929ac14 f73cee7a 00000000 00000100 85bded28 KSecDD!CredMarshalTargetInfo+0x8df
a929ac40 804f019e 8656be20 00000100 806e7410 KSecDD!CredMarshalTargetInfo+0xa60
a929ac64 805817f7 8656be20 85ba5328 85c64320 nt!IopUpdateReadOperationCount+0x2d
a929ad00 8057a274 00000040 00000000 00000000 nt!NtSetInformationProcess+0x139
a929ad34 8054262c 00000040 00000000 00000000 nt!RtlMultiByteToUnicodeN+0x161
a929ad64 7c92e4f4 badb0d00 0007f610 00000000 nt!RtlpTraceDatabaseInternalAdd+0x24
a929ad78 00000000 00000000 00000000 00000000 0x7c92e4f4


STACK_COMMAND:  kb

FOLLOWUP_IP:
KSecDD!UnsealMessage+446d
f73d65d1 8b550c          mov     edx,dword ptr [ebp+0Ch]

SYMBOL_STACK_INDEX:  12

SYMBOL_NAME:  KSecDD!UnsealMessage+446d

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: KSecDD

IMAGE_NAME:  KSecDD.sys

DEBUG_FLR_IMAGE_TIMESTAMP:  4802518c

FAILURE_BUCKET_ID:  0xA_KSecDD!UnsealMessage+446d

BUCKET_ID:  0xA_KSecDD!UnsealMessage+446d

Followup: MachineOwner
---------

IRP_MJ_READ/IRP_MJ_WRITE  routine的IRQL不会高于passive, 是不正确的.
read/write 是可能发生在 APC_LEVEL, 甚至DISPATCH_LEVEL上的. filedisk 的处理是没有问题的, 因为在read/write中仅仅是将IRP排队就返回了.在另一个系统线程中才会真正处理.

有一点不明白,既然是共享的光驱, 为什么是ntfs.sys 而不是 cdfs.sys呢?

treeyan 说得对，我log过read/write routine的IRQL, 有时是会高于PASSIVE_LEVEL.
但和filedisk一样,此IRP被排入一个系统线程的queue中去了，IRQL不会高于PASSIVE_LEVEL.

此问题已经解决.是我把buffer写越界了.谢谢!