The Miscellaneous Checks option of Driver Verifier monitors the driver for common errors that cause the driver or system to crash, such as freeing memory that still contains active kernel objects.
Specifically, the Miscellaneous Checks option looks for the following improper driver behavior:
Active work items in freed memory. The driver calls ExFreePool to free a pool block that contains work items that were queued by using IoQueueWorkItem.. (This check is enabled by default in the checked build of Windows Server 2003.)
Active resources in freed memory. The driver calls ExFreePool to free a pool block that contains active ERESOURCE structures. The driver should call ExDeleteResource to delete ERESOURCE objects before calling ExFreePool.
Active lookaside lists in freed memory. The driver calls ExFreePool to free a pool block that still contains active lookaside lists (NPAGED_LOOKASIDE_LIST or PAGED_LOOKASIDE_LIST structures. The driver should call ExDeleteNPagedLookasideList or ExDeletePagedLookasideList to delete the lookaside lists before calling ExFreePool.
- Windows Management Instrumentation (WMI) and Event Tracing for Windows (ETW) registration issues. Such issues detected by Driver Verifier include:
- A driver that attempts to unload without unregistering its WMI callback.
- A driver that attempts to delete a device object that has not been unregistered from WMI.
- A driver that attempts to unload without unregistering its ETW kernel-mode providers.
- A driver that attempts to unregister a provider that is already unregistered.
Kernel handle errors. (Windows Vista and later versions) Enabling the Miscellaneous Checks option will also enable handle tracing for the system process to aid in investigating kernel handle leaks and Bug Check 0x93: INVALID_KERNEL_HANDLE. With handle tracing enabled, the kernel will collect stack traces for recent handle open and close operations. The stack traces can be displayed in the kernel debugger using the !htrace debugger extension. For more information about !htrace, see the Debugging Tools for Windows documentation.
User-mode handle with kernel mode access (Starting with Windows 7) Enabling the Miscellaneous Checks option also enables additional checks on calls to ObReferenceObjectByHandle. You cannot pass a user-mode handle with kernel mode access. If such an operation occurs, Driver Verifier issues Bug Check 0xC4, with a parameter 1 value of 0xF6.
You can activate the Miscellaneous Checks option for one or more drivers by using Driver Verifier Manager or the Verifier.exe command line. For details, see Selecting Driver Verifier Options.
- At the command line
At the command line, the Miscellaneous Checks option is represented by Bit 11 (0x800). To activate Miscellaneous Checks, use a flag value of 0x800 or add 0x800 to the flag value. For example:
verifier /flags 0x800 /driver MyDriver.sys
The option will be active after the next boot.
On Windows Vista and later versions of Windows, you can also activate and deactivate Miscellaneous Checks without rebooting the computer by adding the /volatile parameter to the command. For example:
verifier /volatile /flags 0x800 /adddriver MyDriver.sys
This setting is effective immediately, but is lost when you shut down or reboot the computer. For details, see Using Volatile Settings.
The Miscellaneous Checks option is also included in the standard settings. For example:
verifier /standard /driver MyDriver.sys
- Using Driver Verifier Manager
- Start Driver Verifier Manager. Type Verifier in a Command Prompt window.
- Select Create custom settings (for code developers), and then click Next.
- Select Select individual settings from a full list.
- Select Miscellaneous Checks.
The Miscellaneous Checks feature is also included in the standard settings. To use this feature, in Driver Verifier Manager, click Create Standard Settings.
To view the results of the Miscellaneous Checks option, use the !verifier extension in the kernel debugger. (For information about !verifier, see the Debugging Tools for Windows documentation.)
In the following example, the Miscellaneous Checks option detected an active ERESOURCE structure in memory that the driver was trying to free, resulting in Bug Check 0xC4: DRIVER_VERIFIER_DETECTED_VIOLATION. The Bug Check 0xC4 display includes the address of the ERESOURCE and the affected memory.
1: kd> !verifier 1 Verify Level 800 ... enabled options are: Miscellaneous checks enabled Summary of All Verifier Statistics RaiseIrqls 0x0 AcquireSpinLocks 0x0 Synch Executions 0x0 Trims 0x0 Pool Allocations Attempted 0x1 Pool Allocations Succeeded 0x1 Pool Allocations Succeeded SpecialPool 0x0 Pool Allocations With NO TAG 0x0 Pool Allocations Failed 0x0 Resource Allocations Failed Deliberately 0x0 Current paged pool allocations 0x0 for 00000000 bytes Peak paged pool allocations 0x0 for 00000000 bytes Current nonpaged pool allocations 0x0 for 00000000 bytes Peak nonpaged pool allocations 0x0 for 00000000 bytes Driver Verification List Entry State NonPagedPool PagedPool Module 8459ca50 Loaded 00000000 00000000 buggy.sys *** Fatal System Error: 0x000000c4 (0x000000D2,0x9655D4A8,0x9655D468,0x000000B0) 0xD2 : Freeing pool allocation that contains active ERESOURCE. 2 - ERESOURCE address. 3 - Pool allocation start address. 4 - Pool allocation size.
To investigate the pool allocation, use the !pool debugger extension with the starting address of the pool allocation, 9655D468. (The 2 flag displays header information only for the pool that contains the specified address. Header information for other pools is suppressed.)
1: kd> !pool 9655d468 2 Pool page 9655d468 region is Paged pool *9655d468 size: b0 previous size: 8 (Allocated) *Bug_
To find information about the ERESOURCE, use the !locks (!kdext*.locks) debugger extension with the address of the structure.
1: kd> !locks 0x9655D4A8 <<<<<- ERESOURCE @0x9655D4A8 lives inside the pool block being freed Resource @ 0x9655d4a8 Available 1 total locks
You can also use the kb debugger command to display a stack trace of the calls that led to the failure. The following example shows the stack, including the call to ExFreePoolWithTag that Driver Verifier intercepted.
1: kd> kb ChildEBP RetAddr Args to Child 92f6374c 82c2c95a 00000003 92f68cdc 00000000 nt!RtlpBreakWithStatusInstruction 92f6379c 82c2d345 00000003 9655d468 000000c4 nt!KiBugCheckDebugBreak+0x1c 92f63b48 82c2c804 000000c4 000000d2 9655d4a8 nt!KeBugCheck2+0x5a9 92f63b6c 82e73bae 000000c4 000000d2 9655d4a8 nt!KeBugCheckEx+0x1e 92f63b88 82e78c32 9655d4a8 9655d468 000000b0 nt!VerifierBugCheckIfAppropriate+0x3c 92f63ba4 82ca7dcb 9655d468 000000b0 00000000 nt!VfCheckForResource+0x52 92f63bc8 82e7fb2d 000000b0 00000190 9655d470 nt!ExpCheckForResource+0x21 92f63be4 82e6dc6c 9655d470 92f63c18 89b6c58c nt!ExFreePoolSanityChecks+0x1fb 92f63bf0 89b6c58c 9655d470 00000000 89b74194 nt!VerifierExFreePoolWithTag+0x28 92f63c00 89b6c0f6 846550c8 846550c8 846e2200 buggy!MmTestProbeLockForEverStress+0x2e 92f63c18 82e6c5f1 846e2200 846550c8 85362e30 buggy!TdDeviceControl+0xc4 92f63c38 82c1fd81 82d4d148 846550c8 846e2200 nt!IovCallDriver+0x251 92f63c4c 82d4d148 85362e30 846550c8 84655138 nt!IofCallDriver+0x1b 92f63c6c 82d4df9e 846e2200 85362e30 00000000 nt!IopSynchronousServiceTail+0x1e6 92f63d00 82d527be 00000001 846550c8 00000000 nt!IopXxxControlFile+0x684 92f63d34 82cb9efc 0000004c 00000000 00000000 nt!NtDeviceIoControlFile+0x2a 92f63d34 6a22b204 0000004c 00000000 00000000 nt!KiFastCallEntry+0x12c
Build date: 5/7/2013