Home Library Learn Samples Downloads Support Community Forums
1 out of 1 rated this helpful - Rate this topic

Automatic Checks

Driver Verifier performs the following checks whenever it is verifying one or more drivers. You cannot activate or deactivate these checks.

Monitoring IRQL and Memory Routines

Driver Verifier monitors the selected driver for the following forbidden actions:

  • Raising IRQL by calling KeLowerIrql

  • Lowering IRQL by calling KeRaiseIrql

  • Requesting a size zero memory allocation

  • Allocating or freeing paged pool with IRQL > APC_LEVEL

  • Allocating or freeing nonpaged pool with IRQL > DISPATCH_LEVEL

  • Trying to free an address that was not returned from a previous allocation

  • Trying to free an address that was already freed

  • Acquiring or releasing a fast mutex with IRQL > APC_LEVEL

  • Acquiring or releasing a spin lock with IRQL not equal to DISPATCH_LEVEL

  • Double-releasing a spin lock.

  • Marking an allocation request MUST_SUCCEED. No such requests are ever permissible.

If Driver Verifier is not active, these violations might not cause an immediate system crash in all cases. Driver Verifier monitors the driver's behavior and issues bug check 0xC4 if any of these violations occur. See Bug Check 0xC4 (DRIVER_VERIFIER_DETECTED_VIOLATION) for a list of the bug check parameters.

Monitoring Stack Switching

Driver Verifier monitors stack usage by the driver being verified. If the driver switches its stack, and the new stack is neither a thread stack nor a DPC stack, then a bug check is issued. (This will be bug check 0xC4 with the first parameter equal to 0x90.) The stack displayed by the KB debugger command will usually reveal the driver that performed this operation.

Checking on Driver Unload

After a driver that is being verified unloads, Driver Verifier performs several checks to make sure that the driver has cleaned up.

In particular, Driver Verifier looks for:

  • Undeleted timers

  • Pending deferred procedure calls (DPCs)

  • Undeleted lookaside lists

  • Undeleted worker threads

  • Undeleted queues

  • Other similar resources

Problems such as these can potentially cause system bug checks to be issued a while after the driver unloads, and the cause of these bug checks can be hard to determine. When Driver Verifier is active, such violations will result in bug check 0xC7 being issued immediately after the driver is unloaded. See Bug Check 0xC7 (TIMER_OR_DPC_INVALID) for a list of the bug check parameters.

Monitoring Driver Dispatch Routines

In Windows Vista, Driver Verifier also monitors the selected driver for the following forbidden actions:

  • Calling IoCallDriver with interrupts disabled.

  • Calling IoCallDriver at IRQL greater than DISPATCH_LEVEL.

  • Returning from a driver dispatch routine with interrupts disabled.

  • Returning from a driver dispatch routine with a changed IRQL.

  • Returning from a driver dispatch routine with APCs disabled. In this case, the driver might have called KeEnterCriticalRegion more times than KeLeaveCriticalRegion, which is the primary cause for Bug Check 0x20 (KERNEL_APC_PENDING_DURING_EXIT) and Bug Check 0x1 (APC_INDEX_MISMATCH).

If Driver Verifier is not active, these violations might not cause the system to stop responding immediately in all cases. Driver Verifier monitors the driver's behavior and issues bug check 0xC4 if any of these violations occur. See Bug Check 0xC4 (DRIVER_VERIFIER_DETECTED_VIOLATION) for a list of the bug check parameters.

Monitoring Memory Descriptor List (MDL) Usage

In Windows Vista, Driver Verifier also monitors the selected driver for the following forbidden actions:

  • Calling MmProbeAndLockPages or MmProbeAndLockProcessPages on an MDL that does not have the appropriate flags. For example, it is incorrect to call MmProbeAndLockPages for an MDL that has been created by using MmBuildMdlForNonPagedPool.

  • Calling MmMapLockedPages on an MDL that does not have the appropriate flags. For example, it is incorrect to call MmMapLockedPages for an MDL that is already mapped to a system address or and MDL that is not locked.

  • Calling MmUnlockPages or MmUnmapLockedPages on a partial MDL, that is, and MDL created by using IoBuildPartialMdl.

  • Calling MmUnmapLockedPages on an MDL that is not mapped to a system address.

If Driver Verifier is not active, these violations might not cause the system to stop responding immediately in all cases. Driver Verifier monitors the driver's behavior and issues bug check 0xC4 if any of these violations occur. See Bug Check 0xC4 (DRIVER_VERIFIER_DETECTED_VIOLATION) for a list of the bug check parameters.

 

 

Send comments about this topic to Microsoft

Build date: 5/7/2013

Did you find this helpful?
(1500 characters remaining)
© 2013 Microsoft. All rights reserved.
|
Site Feedback
© 2013 Microsoft. All rights reserved.