Channel: Sysinternals Forums

Process Explorer : ** Process Explorer Bugs **

Author: omrsafetyo
Subject: ** Process Explorer Bugs **
Posted: 10 September 2014 at 3:39pm

I am having a similar issue to what Scherrit is having.
This is actually with handle.exe, but there is no handle.exe-specific forum, and the faulting driver is actually a procexp component.

I am running Handle v3.51 as well. I was seeing similar hangs, so on a non-production system I have enabled Driver Verifier. When Driver Verifier is running, if I run handle.exe v3.51 it BSODs every time. I have a copy of handle.exe v3.42; this uses a different version of procexp.sys, procexp113.sys instead of procexp152.sys. I can run that version of handle.exe without any issue.

WinDbg output for the crash:

Use !analyze -v to get detailed debugging information.

BugCheck C4, {f6, 90, fffffa8028c2eb30, fffff8800739f5b6}

*** ERROR: Module load completed but symbols could not be loaded for PROCEXP152.SYS
Probably caused by : PROCEXP152.SYS ( PROCEXP152+15b6 )

Followup: MachineOwner
---------

3: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

DRIVER_VERIFIER_DETECTED_VIOLATION (c4)
A device driver attempting to corrupt the system has been caught.  This is
because the driver was specified in the registry as being suspect (by the
administrator) and the kernel has enabled substantial checking of this driver.
If the driver attempts to corrupt the system, bugchecks 0xC4, 0xC1 and 0xA will
be among the most commonly seen crashes.
Arguments:
Arg1: 00000000000000f6, Referencing user handle as KernelMode.
Arg2: 0000000000000090, Handle value being referenced.
Arg3: fffffa8028c2eb30, Address of the current process.
Arg4: fffff8800739f5b6, Address inside the driver that is performing the incorrect reference.

Debugging Details:
------------------


BUGCHECK_STR:  0xc4_f6

DEFAULT_BUCKET_ID:  VISTA_DRIVER_FAULT

PROCESS_NAME:  handle64.exe

CURRENT_IRQL:  0

LAST_CONTROL_TRANSFER:  from fffff80001b604ec to fffff800016d2b80

STACK_TEXT:  
fffff880`07d910b8 fffff800`01b604ec : 00000000`000000c4 00000000`000000f6 00000000`00000090 fffffa80`28c2eb30 : nt!KeBugCheckEx
fffff880`07d910c0 fffff800`01b75bf4 : 00000000`00000090 fffffa80`28c2eb30 00000000`00000004 00000000`00000000 : nt!VerifierBugCheckIfAppropriate+0x3c
fffff880`07d91100 fffff800`0192cb10 : 00000000`00000000 fffff880`07d91390 fffff880`07d91400 fffff880`07d915e8 : nt!VfCheckUserHandle+0x1b4
fffff880`07d911e0 fffff800`019b47c6 : fffff880`07d92000 fffff880`00000000 00000000`00000000 fffff800`00000000 : nt! ?? ::NNGAKEGL::`string'+0x2026e
fffff880`07d912b0 fffff800`016d1e13 : fffffa80`28c2e620 fffff880`07d915e8 fffff880`07d913d8 00000000`00000002 : nt!NtQueryObject+0x14c
fffff880`07d913c0 fffff800`016ce3d0 : fffff800`01b65033 fffffa80`28c2e620 fffff800`019a5be2 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13
fffff880`07d915c8 fffff800`01b65033 : fffffa80`28c2e620 fffff800`019a5be2 00000000`00000000 fffffa80`28c354e0 : nt!KiServiceLinkage
fffff880`07d915d0 fffff880`0739f5b6 : fffff980`0e21eee0 00000000`00000002 fffffa80`28c354e0 00000000`00000000 : nt!VfZwQueryObject+0x63
fffff880`07d91620 fffff880`073a0d94 : fffff880`07d91701 fffff980`259e0f70 fffff980`259e0f70 fffff980`0e21ef18 : PROCEXP152+0x15b6
fffff880`07d916f0 fffff880`073a12cd : fffffa80`2752d290 fffffa80`2879d201 fffff980`259e0f70 00000000`00000020 : PROCEXP152+0x2d94
fffff880`07d918e0 fffff800`01b7cd26 : fffffa80`28c354e0 fffff980`0e21eee0 fffffa80`2752d290 fffffa80`2503bc18 : PROCEXP152+0x32cd
fffff880`07d919b0 fffff800`019f0cc7 : fffffa80`2752d290 fffff880`07d91ca0 fffffa80`2752d290 fffffa80`27592820 : nt!IovCallDriver+0x566
fffff880`07d91a10 fffff800`019f1526 : fffffa80`28c2eb30 00000000`00000000 00000000`00000000 00000000`00000000 : nt!IopXxxControlFile+0x607
fffff880`07d91b40 fffff800`016d1e13 : fffffa80`28c2eb30 00000000`00000001 fffffa80`28c2e620 fffff800`019cb604 : nt!NtDeviceIoControlFile+0x56
fffff880`07d91bb0 00000000`7750132a : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13
00000000`0012d348 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x7750132a


STACK_COMMAND:  kb

FOLLOWUP_IP: 
PROCEXP152+15b6
fffff880`0739f5b6 89842498000000  mov     dword ptr [rsp+98h],eax

SYMBOL_STACK_INDEX:  8

SYMBOL_NAME:  PROCEXP152+15b6

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: PROCEXP152

IMAGE_NAME:  PROCEXP152.SYS

DEBUG_FLR_IMAGE_TIMESTAMP:  50c7fe0b

FAILURE_BUCKET_ID:  X64_0xc4_f6_VRF_PROCEXP152+15b6

BUCKET_ID:  X64_0xc4_f6_VRF_PROCEXP152+15b6

Followup: MachineOwner
---------

3: kd> lmvm PROCEXP152
start             end                 module name
fffff880`0739e000 fffff880`073ab000   PROCEXP152   (no symbols)           
    Loaded symbol image file: PROCEXP152.SYS
    Image path: \??\C:\Windows\system32\Drivers\PROCEXP152.SYS
    Image name: PROCEXP152.SYS
    Timestamp:        Tue Dec 11 22:46:19 2012 (50C7FE0B)
    CheckSum:         00010494
    ImageSize:        0000D000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
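As an added example, not part of the post above and not Sysinternals code, the following Python script parses a WinDbg `!analyze -v` transcript together with the matching `lmvm` output and cross-checks the facts a triager wants before filing a driver bug: which Verifier rule fired (taken from WinDbg's own wording on the `Arg1:` line), which frame is the innermost one belonging to the flagged module, which `Zw*` routine the `nt!Vf*` thunk just inside that frame was wrapping, whether `Arg4` really is the return address into the driver on that thunk frame, whether `Arg4` minus the module base from `lmvm` reproduces the `+0x` offset in the symbol, and whether the on-disk image's link timestamp matches `DEBUG_FLR_IMAGE_TIMESTAMP`. The embedded transcript is a constructed, trimmed copy of the output in the post; the assumption that the Verifier thunk sits immediately inside the driver frame is a generalisation from this stack and is marked as such in the code.

```python
"""Triage helper for a WinDbg `!analyze -v` transcript of bugcheck 0xC4
(DRIVER_VERIFIER_DETECTED_VIOLATION). Added example; it only parses what
WinDbg prints and cross-checks the values against each other."""
import re

# Constructed sample: a trimmed copy of the !analyze -v transcript in the post.
SAMPLE_ANALYZE = """\
BugCheck C4, {f6, 90, fffffa8028c2eb30, fffff8800739f5b6}

DRIVER_VERIFIER_DETECTED_VIOLATION (c4)
Arguments:
Arg1: 00000000000000f6, Referencing user handle as KernelMode.
Arg2: 0000000000000090, Handle value being referenced.
Arg3: fffffa8028c2eb30, Address of the current process.
Arg4: fffff8800739f5b6, Address inside the driver that is performing the incorrect reference.

PROCESS_NAME:  handle64.exe

STACK_TEXT:
fffff880`07d910b8 fffff800`01b604ec : 00000000`000000c4 00000000`000000f6 00000000`00000090 fffffa80`28c2eb30 : nt!KeBugCheckEx
fffff880`07d910c0 fffff800`01b75bf4 : 00000000`00000090 fffffa80`28c2eb30 00000000`00000004 00000000`00000000 : nt!VerifierBugCheckIfAppropriate+0x3c
fffff880`07d91100 fffff800`0192cb10 : 00000000`00000000 fffff880`07d91390 fffff880`07d91400 fffff880`07d915e8 : nt!VfCheckUserHandle+0x1b4
fffff880`07d911e0 fffff800`019b47c6 : fffff880`07d92000 fffff880`00000000 00000000`00000000 fffff800`00000000 : nt! ?? ::NNGAKEGL::`string'+0x2026e
fffff880`07d912b0 fffff800`016d1e13 : fffffa80`28c2e620 fffff880`07d915e8 fffff880`07d913d8 00000000`00000002 : nt!NtQueryObject+0x14c
fffff880`07d913c0 fffff800`016ce3d0 : fffff800`01b65033 fffffa80`28c2e620 fffff800`019a5be2 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13
fffff880`07d915c8 fffff800`01b65033 : fffffa80`28c2e620 fffff800`019a5be2 00000000`00000000 fffffa80`28c354e0 : nt!KiServiceLinkage
fffff880`07d915d0 fffff880`0739f5b6 : fffff980`0e21eee0 00000000`00000002 fffffa80`28c354e0 00000000`00000000 : nt!VfZwQueryObject+0x63
fffff880`07d91620 fffff880`073a0d94 : fffff880`07d91701 fffff980`259e0f70 fffff980`259e0f70 fffff980`0e21ef18 : PROCEXP152+0x15b6
fffff880`07d919b0 fffff800`019f0cc7 : fffffa80`2752d290 fffff880`07d91ca0 fffffa80`2752d290 fffffa80`27592820 : nt!IovCallDriver+0x566

MODULE_NAME: PROCEXP152

DEBUG_FLR_IMAGE_TIMESTAMP:  50c7fe0b

FAILURE_BUCKET_ID:  X64_0xc4_f6_VRF_PROCEXP152+15b6
"""

# Constructed sample: the `lmvm PROCEXP152` output from the post, trimmed.
SAMPLE_LMVM = r"""
start             end                 module name
fffff880`0739e000 fffff880`073ab000   PROCEXP152   (no symbols)
    Image path: \??\C:\Windows\system32\Drivers\PROCEXP152.SYS
    Timestamp:        Tue Dec 11 22:46:19 2012 (50C7FE0B)
"""

FIELD_RE = re.compile(r"^([A-Z_]+):[ \t]*(.*?)[ \t]*$", re.M)       # NAME:  value
ARG_RE = re.compile(r"^Arg(\d):\s+([0-9a-fA-F]+),\s*(.*?)\s*$", re.M)
BUGCHECK_RE = re.compile(r"^BugCheck\s+([0-9A-Fa-f]+),", re.M)
LMVM_BASE_RE = re.compile(r"^([0-9a-f`]{17})\s+[0-9a-f`]{17}\s+\w+", re.M)
LMVM_TS_RE = re.compile(r"Timestamp:.*\(([0-9A-Fa-f]{8})\)")


def hexval(s):
    """Parse a WinDbg 64-bit value such as fffff880`0739f5b6."""
    return int(s.replace("`", ""), 16)


def parse_stack(text):
    """Return [(return_address, call_site)] for the STACK_TEXT block."""
    frames, in_stack = [], False
    for line in text.splitlines():
        if line.startswith("STACK_TEXT:"):
            in_stack = True
            continue
        if in_stack:
            if not line.strip():
                break
            head, site = line.rsplit(" : ", 1)      # 'ChildSP RetAddr : args'
            frames.append((hexval(head.split()[1]), site.strip()))
    return frames


def triage(analyze_text, lmvm_text):
    fields = dict(FIELD_RE.findall(analyze_text))
    code = int(BUGCHECK_RE.search(analyze_text).group(1), 16)
    args = {int(n): (int(v, 16), d) for n, v, d in ARG_RE.findall(analyze_text)}
    frames = parse_stack(analyze_text)
    module = fields["MODULE_NAME"]
    # Innermost frame that belongs to the flagged driver (WinDbg's SYMBOL_STACK_INDEX).
    idx = next((i for i, (_, site) in enumerate(frames)
                if site.upper().startswith(module.upper() + "+")), None)
    # Assumption: the frame just inside the driver frame is the Verifier thunk
    # (nt!VfZw...) wrapping the Zw routine the driver called.
    hooked = re.match(r"nt!Vf(Zw\w+)", frames[idx - 1][1]) if idx else None
    base_m, ts_m = LMVM_BASE_RE.search(lmvm_text), LMVM_TS_RE.search(lmvm_text)
    fault = args[4][0]
    dump_ts = int(fields["DEBUG_FLR_IMAGE_TIMESTAMP"], 16)
    return {
        "bugcheck": code,
        "verifier_violation": code == 0xC4 and "VRF" in fields.get("FAILURE_BUCKET_ID", ""),
        "rule": args[1][1],                 # WinDbg's wording for the Arg1 sub-code
        "handle": args[2][0],
        "process": fields.get("PROCESS_NAME"),
        "module": module,
        "frame_index": idx,
        "driver_frame": frames[idx][1] if idx is not None else None,
        "hooked_api": hooked.group(1) if hooked else None,
        # Arg4 should be the return address into the driver recorded on the thunk frame.
        "arg4_is_callsite": idx is not None and frames[idx - 1][0] == fault,
        # Arg4 minus the lmvm base should reproduce the +0x offset in the symbol.
        "offset_from_base": hex(fault - hexval(base_m.group(1))) if base_m else None,
        # The image WinDbg found on disk should carry the dump's link timestamp.
        "timestamp_consistent": bool(ts_m) and int(ts_m.group(1), 16) == dump_ts,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_ANALYZE, SAMPLE_LMVM).items():
        print(f"{key:22} {value}")
```

Run on the transcript from the post, the script reports rule `Referencing user handle as KernelMode.`, driver frame `PROCEXP152+0x15b6` at stack index 8, hooked API `ZwQueryObject`, and all three consistency checks passing, which is what makes the `PROCEXP152+15b6` bucket trustworthy rather than a symbol-resolution accident. For readers of the post this is the whole point of the sub-code: the driver handed a handle from the calling process's handle table to a `Zw*` routine, which the kernel treats as a kernel-mode reference; Driver Verifier's handle-tracking rule exists to catch exactly that, and the usual remedy in driver code is to resolve user-supplied handles with `ObReferenceObjectByHandle` at `UserMode` access, or to open any handles the driver needs with `OBJ_KERNEL_HANDLE`.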

