This topic has not yet been rated - Rate this topic

Miscellaneous Checks

The Miscellaneous Checks option of Driver Verifier monitors the driver for common errors that cause the driver or system to crash, such as freeing memory that still contains active kernel objects.

Specifically, the Miscellaneous Checks option looks for the following improper driver behavior:

Active work items in freed memory. The driver calls ExFreePool to free a pool block that contains work items that were queued by using IoQueueWorkItem.. (This check is enabled by default in the checked build of Windows Server 2003.)
Active resources in freed memory. The driver calls ExFreePool to free a pool block that contains active ERESOURCE structures. The driver should call ExDeleteResource to delete ERESOURCE objects before calling ExFreePool.
Active lookaside lists in freed memory. The driver calls ExFreePool to free a pool block that still contains active lookaside lists (NPAGED_LOOKASIDE_LIST or PAGED_LOOKASIDE_LIST structures. The driver should call ExDeleteNPagedLookasideList or ExDeletePagedLookasideList to delete the lookaside lists before calling ExFreePool.
Windows Management Instrumentation (WMI) and Event Tracing for Windows (ETW) registration issues. Such issues detected by Driver Verifier include:
- A driver that attempts to unload without unregistering its WMI callback.
- A driver that attempts to delete a device object that has not been unregistered from WMI.
- A driver that attempts to unload without unregistering its ETW kernel-mode providers.
- A driver that attempts to unregister a provider that is already unregistered.
Kernel handle errors. (Windows Vista and later versions) Enabling the Miscellaneous Checks option will also enable handle tracing for the system process to aid in investigating kernel handle leaks and Bug Check 0x93: INVALID_KERNEL_HANDLE. With handle tracing enabled, the kernel will collect stack traces for recent handle open and close operations. The stack traces can be displayed in the kernel debugger using the !htrace debugger extension. For more information about !htrace, see the Debugging Tools for Windows documentation.
User-mode handle with kernel mode access (Starting with Windows 7) Enabling the Miscellaneous Checks option also enables additional checks on calls to ObReferenceObjectByHandle. You cannot pass a user-mode handle with kernel mode access. If such an operation occurs, Driver Verifier issues Bug Check 0xC4, with a parameter 1 value of 0xF6.

Activating This Option

You can activate the Miscellaneous Checks option for one or more drivers by using Driver Verifier Manager or the Verifier.exe command line. For details, see Selecting Driver Verifier Options.

At the command line
At the command line, the Miscellaneous Checks option is represented by Bit 11 (0x800). To activate Miscellaneous Checks, use a flag value of 0x800 or add 0x800 to the flag value. For example:
Copy
verifier /flags 0x800 /driver MyDriver.sys
The option will be active after the next boot.

On Windows Vista and later versions of Windows, you can also activate and deactivate Miscellaneous Checks without rebooting the computer by adding the /volatile parameter to the command. For example:
Copy
verifier /volatile /flags 0x800 /adddriver MyDriver.sys
This setting is effective immediately, but is lost when you shut down or reboot the computer. For details, see Using Volatile Settings.

The Miscellaneous Checks option is also included in the standard settings. For example:
Copy
verifier /standard /driver MyDriver.sys
Using Driver Verifier Manager
1. Start Driver Verifier Manager. Type Verifier in a Command Prompt window.
2. Select Create custom settings (for code developers), and then click Next.
3. Select Select individual settings from a full list.
4. Select Miscellaneous Checks.
The Miscellaneous Checks feature is also included in the standard settings. To use this feature, in Driver Verifier Manager, click Create Standard Settings.

Viewing the Results

To view the results of the Miscellaneous Checks option, use the !verifier extension in the kernel debugger. (For information about !verifier, see the Debugging Tools for Windows documentation.)

In the following example, the Miscellaneous Checks option detected an active ERESOURCE structure in memory that the driver was trying to free, resulting in Bug Check 0xC4: DRIVER_VERIFIER_DETECTED_VIOLATION. The Bug Check 0xC4 display includes the address of the ERESOURCE and the affected memory.

1: kd> !verifier 1

Verify Level 800 ... enabled options are:
 Miscellaneous checks enabled

Summary of All Verifier Statistics

RaiseIrqls                             0x0
AcquireSpinLocks                       0x0
Synch Executions                       0x0
Trims                                  0x0

Pool Allocations Attempted             0x1
Pool Allocations Succeeded             0x1
Pool Allocations Succeeded SpecialPool 0x0
Pool Allocations With NO TAG           0x0
Pool Allocations Failed                0x0
Resource Allocations Failed Deliberately   0x0

Current paged pool allocations         0x0 for 00000000 bytes
Peak paged pool allocations            0x0 for 00000000 bytes
Current nonpaged pool allocations      0x0 for 00000000 bytes
Peak nonpaged pool allocations         0x0 for 00000000 bytes

Driver Verification List

Entry     State           NonPagedPool   PagedPool   Module

8459ca50 Loaded           00000000       00000000    buggy.sys



*** Fatal System Error: 0x000000c4
 (0x000000D2,0x9655D4A8,0x9655D468,0x000000B0)


        0xD2 : Freeing pool allocation that contains active ERESOURCE.
               2 -  ERESOURCE address.
               3 -  Pool allocation start address.
               4 -  Pool allocation size.

To investigate the pool allocation, use the !pool debugger extension with the starting address of the pool allocation, 9655D468. (The 2 flag displays header information only for the pool that contains the specified address. Header information for other pools is suppressed.)


1: kd> !pool 9655d468  2
Pool page 9655d468 region is Paged pool
*9655d468 size:   b0 previous size:    8  (Allocated) *Bug_

To find information about the ERESOURCE, use the !locks (!kdext*.locks) debugger extension with the address of the structure.

1: kd> !locks 0x9655D4A8     <<<<<- ERESOURCE @0x9655D4A8 lives inside the pool block being freed

Resource @ 0x9655d4a8    Available
1 total locks

You can also use the kb debugger command to display a stack trace of the calls that led to the failure. The following example shows the stack, including the call to ExFreePoolWithTag that Driver Verifier intercepted.

1: kd> kb
ChildEBP RetAddr  Args to Child
92f6374c 82c2c95a 00000003 92f68cdc 00000000 nt!RtlpBreakWithStatusInstruction 
92f6379c 82c2d345 00000003 9655d468 000000c4 nt!KiBugCheckDebugBreak+0x1c 
92f63b48 82c2c804 000000c4 000000d2 9655d4a8 nt!KeBugCheck2+0x5a9 
92f63b6c 82e73bae 000000c4 000000d2 9655d4a8 nt!KeBugCheckEx+0x1e 
92f63b88 82e78c32 9655d4a8 9655d468 000000b0 nt!VerifierBugCheckIfAppropriate+0x3c 
92f63ba4 82ca7dcb 9655d468 000000b0 00000000 nt!VfCheckForResource+0x52 
92f63bc8 82e7fb2d 000000b0 00000190 9655d470 nt!ExpCheckForResource+0x21 
92f63be4 82e6dc6c 9655d470 92f63c18 89b6c58c nt!ExFreePoolSanityChecks+0x1fb 
92f63bf0 89b6c58c 9655d470 00000000 89b74194 nt!VerifierExFreePoolWithTag+0x28 
92f63c00 89b6c0f6 846550c8 846550c8 846e2200 buggy!MmTestProbeLockForEverStress+0x2e 
92f63c18 82e6c5f1 846e2200 846550c8 85362e30 buggy!TdDeviceControl+0xc4 
92f63c38 82c1fd81 82d4d148 846550c8 846e2200 nt!IovCallDriver+0x251 
92f63c4c 82d4d148 85362e30 846550c8 84655138 nt!IofCallDriver+0x1b 
92f63c6c 82d4df9e 846e2200 85362e30 00000000 nt!IopSynchronousServiceTail+0x1e6 
92f63d00 82d527be 00000001 846550c8 00000000 nt!IopXxxControlFile+0x684 
92f63d34 82cb9efc 0000004c 00000000 00000000 nt!NtDeviceIoControlFile+0x2a 
92f63d34 6a22b204 0000004c 00000000 00000000 nt!KiFastCallEntry+0x12c

Send comments about this topic to Microsoft

Build date: 5/7/2013

Did you find this helpful? Yes No

Not accurate

Not enough depth

Need more code examples

(1500 characters remaining)