
Process Explorer : bugcheck in process explorer

Author: danmcleran
Subject: bugcheck in process explorer
Posted: 03 January 2013 at 8:24pm

Turned on verifier for PROCEXP141.SYS

1: kd> !verifier

Verify Level 209bb ... enabled options are:
Special pool
Special irql
All pool allocations checked on unload
Io subsystem checking enabled
Deadlock detection enabled
DMA checking enabled
Security checks enabled
Miscellaneous checks enabled

Summary of All Verifier Statistics

RaiseIrqls                             0x0
AcquireSpinLocks                       0x0
Synch Executions                       0x0
Trims                                  0x72c

Pool Allocations Attempted             0x17762
Pool Allocations Succeeded             0x17762
Pool Allocations Succeeded SpecialPool 0x17762
Pool Allocations With NO TAG           0x0
Pool Allocations Failed                0x0
Resource Allocations Failed Deliberately   0x0

Current paged pool allocations         0x0 for 00000000 bytes
Peak paged pool allocations            0x2 for 000000B0 bytes
Current nonpaged pool allocations      0x0 for 00000000 bytes
Peak nonpaged pool allocations         0x0 for 00000000 bytes

Now I get a bugcheck when I try to launch the program (procexp64.exe) as admin:

1: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

DRIVER_VERIFIER_DETECTED_VIOLATION (c4)
A device driver attempting to corrupt the system has been caught.  This is
because the driver was specified in the registry as being suspect (by the
administrator) and the kernel has enabled substantial checking of this driver.
If the driver attempts to corrupt the system, bugchecks 0xC4, 0xC1 and 0xA will
be among the most commonly seen crashes.
Arguments:
Arg1: 00000000000000f6, Referencing user handle as KernelMode.
Arg2: 00000000000002cc, Handle value being referenced.
Arg3: fffffa8008677940, Address of the current process.
Arg4: fffff880172bbbb7, Address inside the driver that is performing the incorrect reference.

Debugging Details:
------------------


BUGCHECK_STR:  0xc4_f6

DEFAULT_BUCKET_ID:  VISTA_DRIVER_FAULT

PROCESS_NAME:  procexp64.exe

CURRENT_IRQL:  0

LAST_CONTROL_TRANSFER:  from fffff803cc9f40ea to fffff803cc8f3930

STACK_TEXT:  
fffff880`17796d58 fffff803`cc9f40ea : 00000000`00000000 00000000`000000c4 fffff880`17796ec0 fffff803`cc9784b8 : nt!RtlpBreakWithStatusInstruction
fffff880`17796d60 fffff803`cc9f3742 : 00000000`00000003 fffff880`17796ec0 fffff803`cc978e90 00000000`000000c4 : nt!KiBugCheckDebugBreak+0x12
fffff880`17796dc0 fffff803`cc8f9144 : 00000000`000002cc 00000000`00000003 00000000`00000008 00000000`000002cc : nt!KeBugCheck2+0x79f
fffff880`177974e0 fffff803`ccec4fa0 : 00000000`000000c4 00000000`000000f6 00000000`000002cc fffffa80`08677940 : nt!KeBugCheckEx+0x104
fffff880`17797520 fffff803`ccecca78 : fffffa80`08677940 00000000`00000000 00000000`00000000 00000000`00000001 : nt!VerifierBugCheckIfAppropriate+0x3c
fffff880`17797560 fffff803`cce7ebb5 : 00000000`00000000 00000000`00000000 fffff880`177977d0 00000000`00000000 : nt!VfCheckUserHandle+0x1b8
fffff880`17797640 fffff803`ccc64484 : 00000000`00000000 00000000`00001000 fffffa80`04eecf20 00000000`00000000 : nt! ?? ::NNGAKEGL::`string'+0x37e4c
fffff880`177976d0 fffff803`cc8f8053 : fffffa80`085bc080 fffff980`02c10ff0 00000000`00000000 fffffa80`05a130b8 : nt!NtOpenProcessTokenEx+0xa4
fffff880`17797750 fffff803`cc8fd230 : fffff880`172bbbb7 fffff980`065f0f10 fffff980`02c10ff0 fffff803`ccbcd3c0 : nt!KiSystemServiceCopyEnd+0x13
fffff880`177978e8 fffff880`172bbbb7 : fffff980`065f0f10 fffff980`02c10ff0 fffff803`ccbcd3c0 00000000`0000001f : nt!KiServiceLinkage
fffff880`177978f0 fffff880`172bc073 : 00000000`00000000 fffffa80`0863dbc0 fffff803`ccb1c400 00000000`00000000 : PROCEXP141+0x1bb7
fffff880`17797ae0 fffff803`ccebbd26 : fffff980`065f0ee0 00000000`00000002 fffffa80`086b15d0 fffffa80`0501e298 : PROCEXP141+0x2073
fffff880`17797b80 fffff803`ccce242f : fffff980`065f0ee0 fffff880`17797ec0 fffff980`065f0ff8 fffffa80`05a13010 : nt!IovCallDriver+0x3e6
fffff880`17797bd0 fffff803`ccce2db6 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!IopXxxControlFile+0x7dd
fffff880`17797d60 fffff803`cc8f8053 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000b18 : nt!NtDeviceIoControlFile+0x56
fffff880`17797dd0 000007fe`3ce52c1a : 000007fe`3a0e3579 00000000`00e442d0 00000000`00000000 00000000`00000001 : nt!KiSystemServiceCopyEnd+0x13
00000000`00d6da68 000007fe`3a0e3579 : 00000000`00e442d0 00000000`00000000 00000000`00000001 000007fe`3c96a783 : ntdll!ZwDeviceIoControlFile+0xa
00000000`00d6da70 000007fe`3c431880 : 00000000`8335000c 00000000`00000000 00000000`00000000 00000000`00000000 : KERNELBASE!DeviceIoControl+0x75
00000000`00d6dae0 000007f6`f874d8de : 00000000`00000000 00000000`00000000 00000000`00000104 00000000`00000b18 : KERNEL32!DeviceIoControlImplementation+0x74
00000000`00d6db30 000007f6`f875919d : 00000000`00d6e2d8 000007f6`f87b0879 00000000`00000b18 00000000`000002cc : procexp64+0x3d8de
00000000`00d6db90 000007f6`f87492c0 : 00000000`00000000 00000000`00000000 00000000`00070227 000007f6`f87d2c80 : procexp64+0x4919d
00000000`00d6e540 000007f6`f871fe46 : 00000000`00000000 00000000`00d6f000 00000000`00000001 00000000`000301a8 : procexp64+0x392c0
00000000`00d6ed60 000007f6`f8748a66 : 00000000`00000001 00000000`000301a8 00000000`00000000 00000000`000301a8 : procexp64+0xfe46
00000000`00d6eda0 000007fe`3a2c3e95 : 00000000`00000001 00000000`00d6f200 00000000`00000000 000007fe`3ce5541f : procexp64+0x38a66
00000000`00d6ede0 000007fe`3a2c2a62 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : USER32!UserCallWinProcCheckWow+0x18d
00000000`00d6eea0 000007fe`3a2caa7c : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : USER32!DispatchClientMessage+0xf8
00000000`00d6ef00 000007fe`3ce54b47 : ffffffff`ffffffff 000007fe`3a2c1690 000007fe`3a2c1742 000007fe`3a2c1690 : USER32!_fnINLPCREATESTRUCT+0x98
00000000`00d6ef60 000007fe`3a2cc35a : 000007fe`3a2cc2dc 00000000`00d6f200 00000000`00d6f510 00000000`00000000 : ntdll!KiUserCallbackDispatcherContinue
00000000`00d6f0f8 000007fe`3a2cc2dc : 00000000`00d6f200 00000000`00d6f510 00000000`00000000 000007fe`06000006 : USER32!ZwUserCreateWindowEx+0xa
00000000`00d6f100 000007fe`3a2cc55c : 00000000`00000012 000007f6`f87b3fe0 00000000`00d6f580 00000000`00000000 : USER32!VerNtUserCreateWindowEx+0x21c
00000000`00d6f480 000007fe`3a2d62df : 00005e14`00000226 00000000`00000001 00000000`00000001 00000000`00cf0000 : USER32!CreateWindowInternal+0x1ed
00000000`00d6f5e0 000007f6`f8724f6b : 00000000`00000010 00000000`00000010 00000000`00000001 000007f6`f8710000 : USER32!CreateWindowExA+0x7f
00000000`00d6f670 000007f6`f877bc0b : 00000000`00000000 00000000`00de2625 000007f6`f8710000 00000000`00000000 : procexp64+0x14f6b
00000000`00d6f740 000007f6`f8784c3f : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : procexp64+0x6bc0b
00000000`00d6f8b0 000007fe`3c43167e : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : procexp64+0x74c3f
00000000`00d6f960 000007fe`3ce6c3f1 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : KERNEL32!BaseThreadInitThunk+0x1a
00000000`00d6f990 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x1d


STACK_COMMAND:  kb

FOLLOWUP_IP: 
PROCEXP141+1bb7
fffff880`172bbbb7 e93b020000      jmp     PROCEXP141+0x1df7 (fffff880`172bbdf7)

SYMBOL_STACK_INDEX:  a

SYMBOL_NAME:  PROCEXP141+1bb7

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: PROCEXP141

IMAGE_NAME:  PROCEXP141.SYS

DEBUG_FLR_IMAGE_TIMESTAMP:  4bc6db36

FAILURE_BUCKET_ID:  X64_0xc4_f6_VRF_PROCEXP141+1bb7

BUCKET_ID:  X64_0xc4_f6_VRF_PROCEXP141+1bb7

Followup: MachineOwner
---------
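The Verifier stop above is 0xC4 with Arg1 = 0xF6, "Referencing user handle as KernelMode": the driver passed a handle value (Arg2 = 0x2cc) into a Zw* system service, and because Zw* calls made from kernel mode run with PreviousMode = KernelMode, the handle is looked up as if it were a kernel handle even though it lives in the user-mode handle table of the calling process (procexp64.exe). The stack shows exactly that shape, PROCEXP141+0x1bb7 entering nt!KiServiceLinkage straight into nt!NtOpenProcessTokenEx, where nt!VfCheckUserHandle raises the stop, and the same value 0x2cc is visible in the procexp64 frame that issued the DeviceIoControl. The commands below are an added example of how to confirm that reading from the dump; they are not part of the original post, and the addresses and handle value are simply copied from the !analyze output above.

```windbg
$$ Added example: KD commands to confirm the 0xC4 / 0xF6 diagnosis.
$$ Addresses and the handle value come from the !analyze -v output above;
$$ none of this is output from the original post.

$$ 1. Bugcheck code and arguments without the analysis text.
.bugcheck

$$ 2. Switch to the faulting process (Arg3) so that its handle table and
$$    user-mode symbols resolve (/r reloads user symbols, /p switches the
$$    page directory).
.process /r /p fffffa8008677940

$$ 3. Look up the handle from Arg2 in that process. If it resolves here it is
$$    a user-mode handle; a kernel handle would instead have to be looked up
$$    in the System process and, on x64, carries the high bit set.
!handle 2cc f fffffa8008677940

$$ 4. Disassemble the driver code just before Arg4. The return address should
$$    sit right after the call that reaches ZwOpenProcessTokenEx on the stack.
ub fffff880172bbbb7 L10
u  fffff880172bbbb7 L4

$$ 5. Identify the driver build (timestamp 4bc6db36 in the analysis) so it can
$$    be matched against the Process Explorer version that dropped it.
lmvm PROCEXP141

$$ 6. Current Verifier settings and statistics for the verified driver set.
!verifier
```

For a driver author, the fix for a 0xF6 stop is to treat a handle received from user mode as such: reference it with ObReferenceObjectByHandle using AccessMode = UserMode (which also validates the handle against the caller's access rights), and if a kernel-side handle is really needed, obtain one from the resulting object pointer with ObOpenObjectByPointer and OBJ_KERNEL_HANDLE rather than passing the raw user handle into a Zw* call. To stop verifying this driver without a reboot, run `verifier /volatile /removedriver PROCEXP141.SYS` from an elevated prompt; `verifier /reset` clears all Verifier settings at the next boot.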


