verifier & wdf

Hey guys,

I’ve just enabled verifier.exe for my driver using the following settings:

  1. Special pool
  2. Pool tracking

I’m encountering this on boot:

kd> !analyze -v
Connected to Windows 7 7601 x64 target at (Wed Sep 9 11:01:51.425 2015 (UTC + 1:00)), ptr64 TRUE
Loading Kernel Symbols


Loading User Symbols

Loading unloaded module list
.

*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

Unknown bugcheck code (0)
Unknown bugcheck description
Arguments:
Arg1: 0000000000000000
Arg2: 0000000000000000
Arg3: 0000000000000000
Arg4: 0000000000000000

Debugging Details:

**ALOT OF INFO ABOUT MISSING SYMBOLS**

FAULTING_IP:
nt!DbgBreakPoint+0
fffff800`028863d0 cc int 3

ERROR_CODE: (NTSTATUS) 0x80000003 - {EXCEPTION} Breakpoint A breakpoint has been reached.

EXCEPTION_CODE: (HRESULT) 0x80000003 (2147483651) - One or more arguments are invalid

EXCEPTION_PARAMETER1: 0000000000000000

DEFAULT_BUCKET_ID: WIN7_DRIVER_FAULT

BUGCHECK_STR: 0x0

CURRENT_IRQL: 0

ANALYSIS_VERSION: 6.3.9600.17237 (debuggers(dbg).140716-0327) amd64fre

LAST_CONTROL_TRANSFER: from fffff88000f20dfc to fffff800028863d0

STACK_TEXT:
fffff88002fa3f48 fffff88000f20dfc : fffffa8001bc6ab0 fffffa8001bc6ab0 0000000000000000 fffff88000f82610 : nt!DbgBreakPoint
fffff88002fa3f50 fffff88003f05bb3 : fffffa8001eea980 0000057ffe01df78 fffff88002fa4270 fffffa8001ef99c0 : Wdf01000!imp_WdfControlFinishInitializing+0x158
fffff88002fa3fa0 fffff88003f051b5 : 0000057ffe115678 fffff88003f0a178 0000000000000000 000000000000000a : MYDriver!WdfControlFinishInitializing+0x33 [c:\program files (x86)\windows kits\8.1\include\wdf\kmdf\1.11\wdfcontrol.h @ 143]
fffff88002fa3fe0 fffff88000f1799a : 0000057ffe01df78 0000000000000000 0000000000000000 0000000000000000 : MYDriver!EvtDeviceAdd+0xb5 [d:\wfpprototype0\MYDriver\driver.c @ 128]
fffff88002fa4170 fffff8000298f7d5 : fffff88002fa4720 fffff88002fa46e8 0000000000000000 fffff88002fa45c4 : Wdf01000!FxDriver::AddDevice+0xc6
fffff88002fa45a0 fffff80002c74365 : 0000000000000000 fffffa8001ef99c0 0000000000000002 fffffa8000d2fd90 : nt!PpvUtilCallAddDevice+0x45
fffff88002fa45e0 fffff80002c77f91 : fffffa8000d2fd90 fffffa8000d2fd90 0000000000000000 0000000000000000 : nt!PnpCallAddDevice+0xd5
fffff88002fa4660 fffff80002c79522 : fffffa8000cf2d90 fffffa8000d2fd90 0000000000000002 fffffa8000cf2bb0 : nt!PipCallDriverAddDevice+0x661
fffff88002fa4810 fffff80002c799bc : fffff80002a96500 0000000000000000 0000000000000000 0000000000000000 : nt!PipProcessDevNodeTree+0x2b2
fffff88002fa4a80 fffff80002990292 : 0000000100000003 0000000000000000 0000000032706e50 0000000000000084 : nt!PiProcessStartSystemDevices+0x7c
fffff88002fa4ad0 fffff800028981b5 : fffff8000298ff90 fffff80002b84c01 fffffa8000cd3600 0000000000000000 : nt!PnpDeviceActionWorker+0x302
fffff88002fa4b70 fffff80002b278e2 : 0000000000000000 fffffa8000cd3660 0000000000000080 fffffa8000cb9040 : nt!ExpWorkerThread+0x111
fffff88002fa4c00 fffff8000287ff46 : fffff80002a0ee80 fffffa8000cd3660 fffffa8000cd3b50 0000000000000000 : nt!PspSystemThreadStartup+0x5a
fffff88002fa4c40 0000000000000000 : fffff88002fa5000 fffff88002f9f000 fffff88002fa3ab0 0000000000000000 : nt!KxStartSystemThread+0x16

STACK_COMMAND: kb

FOLLOWUP_IP:
MYDriver!WdfControlFinishInitializing+33 [c:\program files (x86)\windows kits\8.1\include\wdf\kmdf\1.11\wdfcontrol.h @ 143]
fffff880`03f05bb3 4883c438 add rsp,38h

FAULTING_SOURCE_LINE: c:\program files (x86)\windows kits\8.1\include\wdf\kmdf\1.11\wdfcontrol.h

FAULTING_SOURCE_FILE: c:\program files (x86)\windows kits\8.1\include\wdf\kmdf\1.11\wdfcontrol.h

FAULTING_SOURCE_LINE_NUMBER: 143

FAULTING_SOURCE_CODE:
139: WDFDEVICE Device
140: )
141: {
142: ((PFN_WDFCONTROLFINISHINITIALIZING) WdfFunctions[WdfControlFinishInitializingTableIndex])(WdfDriverGlobals, Device);

143: }
144:
145:
146:
147: #endif // (NTDDI_VERSION >= NTDDI_WIN2K)
148:

SYMBOL_STACK_INDEX: 2

SYMBOL_NAME: MYDriver!WdfControlFinishInitializing+33

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: MYDriver

IMAGE_NAME: MYDriver.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 55ef179e

FAILURE_BUCKET_ID: X64_0x0_VRF_MYDriver!WdfControlFinishInitializing+33

BUCKET_ID: X64_0x0_VRF_MYDriver!WdfControlFinishInitializing+33

ANALYSIS_SOURCE: KM

FAILURE_ID_HASH_STRING: km:x64_0x0_vrf_MYDriver!wdfcontrolfinishinitializing+33

FAILURE_ID_HASH: {ee30e0b8-dc3c-4372-2e9e-7828fabed14b}

Followup: MachineOwner

Initially I suspected that I was passing a NULL device or something into WDFControlFinishInitializing, however I don’t see how that is possible given the code:

_Function_class_(EVT_WDF_DRIVER_DEVICE_ADD) _IRQL_requires_same_ _IRQL_requires_max_(PASSIVE_LEVEL)
NTSTATUS EvtDeviceAdd(_In_ WDFDRIVER driver, _Inout_ PWDFDEVICE_INIT pDeviceInit)
{
    UNREFERENCED_PARAMETER(driver);

    /* We are a network device type */
    WdfDeviceInitSetDeviceType(pDeviceInit, FILE_DEVICE_NETWORK);

    /* We want an auto generated name */
    WdfDeviceInitSetCharacteristics(pDeviceInit, FILE_AUTOGENERATED_DEVICE_NAME, TRUE);

    /* Associate some context with the device */
    WDF_OBJECT_ATTRIBUTES deviceAttribs;
    WDF_OBJECT_ATTRIBUTES_INIT_CONTEXT_TYPE(&deviceAttribs, DEVICE_CONTEXT);

    WDFDEVICE device;
    NTSTATUS status = WdfDeviceCreate(&pDeviceInit, &deviceAttribs, &device);
    if (NT_SUCCESS(status))
    {
        status = WdfDeviceCreateDeviceInterface(device, &DEVICE_AGENT_DRIVER_INTERFACE, NULL);
        if (NT_SUCCESS(status))
        {
            /* Inform driver finished initialising. No IRP’s will be sent to this device unless this is called. */
            WdfControlFinishInitializing(device);

Any ideas would be appreciated
Jason

I suspect you’ve hit one of these (see https://github.com/Microsoft/Windows-Driver-Frameworks/blob/master/src/framework/shared/inc/private/common/fxverifier.h )

when FxVerifierDbgBreakOnError is true.

====================

//
// FxVerifierDbgBreakPoint and FxVerifierBreakOnDeviceStateError are mapped
// to FX_VERIFY in UMDF and break regardless of any flags
//
FORCEINLINE
VOID
FxVerifierDbgBreakPoint(
    __in PFX_DRIVER_GLOBALS FxDriverGlobals
    )
{
#if FX_CORE_MODE == FX_CORE_KERNEL_MODE
    CHAR ext[] = "sys";
#else
    CHAR ext[] = "dll";
#endif

    // Always print which driver triggered the check and how to get the log.
    Mx::MxDbgPrint("WDF detected potentially invalid operation by %s.%s "
                   "Dump the driver log (!wdflogdump %s.%s) for more information.\n",
                   FxDriverGlobals->Public.DriverName, ext,
                   FxDriverGlobals->Public.DriverName, ext
                   );

    // Break into the debugger only when the framework verifier asks for it.
    if (FxDriverGlobals->FxVerifierDbgBreakOnError) {
        Mx::MxDbgBreakPoint();
    } else {
        Mx::MxDbgPrint("Turn on framework verifier for %s.%s to automatically "
                       "break into the debugger next time it happens.\n",
                       FxDriverGlobals->Public.DriverName, ext);
    }
}

=================

Suggestions:

a) ensure Debug Print messages are turned on ( http://www.osronline.com/article.cfm?article=295 )
b) try to turn off the FxVerifierDbgBreakOnError and see what happens next …

David.
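
A triage helper for the pattern described above, added here as an example; it is not part of the original thread or of WDF. It reads kd STACK_TEXT, flags a breakpoint raised from inside a Wdf01000 API entry point, and names the driver call site plus the log-dump command to run next. The function and field names, and the heuristic "nt!DbgBreakPoint directly beneath Wdf01000!imp_*", are assumptions drawn from this thread's stack; the second sample is constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# One kd STACK_TEXT line:
#   child-SP  return-addr : arg1 arg2 arg3 arg4 : module!symbol[+0xoff] [src @ line]
FRAME_RE = re.compile(
    r"^[0-9a-f`]+\s+[0-9a-f`]+\s*:\s*(?:[0-9a-f`]+\s+){3}[0-9a-f`]+\s*:\s*"
    r"(?P<module>[^!\s]+)!(?P<symbol>[^\s+]+)(?:\+0x[0-9a-f]+)?"
    r"(?:\s+\[(?P<src>.+?) @ (?P<line>\d+)\])?\s*$",
    re.IGNORECASE,
)

# Modules that are never "the driver at fault" for this heuristic.
FRAMEWORK_MODULES = {"nt", "wdf01000", "wdfldr"}

# First five frames of the stack posted in this thread.
SAMPLE_STACK = r"""
fffff88002fa3f48 fffff88000f20dfc : fffffa8001bc6ab0 fffffa8001bc6ab0 0000000000000000 fffff88000f82610 : nt!DbgBreakPoint
fffff88002fa3f50 fffff88003f05bb3 : fffffa8001eea980 0000057ffe01df78 fffff88002fa4270 fffffa8001ef99c0 : Wdf01000!imp_WdfControlFinishInitializing+0x158
fffff88002fa3fa0 fffff88003f051b5 : 0000057ffe115678 fffff88003f0a178 0000000000000000 000000000000000a : MYDriver!WdfControlFinishInitializing+0x33 [c:\program files (x86)\windows kits\8.1\include\wdf\kmdf\1.11\wdfcontrol.h @ 143]
fffff88002fa3fe0 fffff88000f1799a : 0000057ffe01df78 0000000000000000 0000000000000000 0000000000000000 : MYDriver!EvtDeviceAdd+0xb5 [d:\wfpprototype0\MYDriver\driver.c @ 128]
fffff88002fa4170 fffff8000298f7d5 : fffff88002fa4720 fffff88002fa46e8 0000000000000000 fffff88002fa45c4 : Wdf01000!FxDriver::AddDevice+0xc6
"""

# Constructed counter-example: a real bugcheck, not a verifier breakpoint.
BUGCHECK_STACK = r"""
fffff88002fa3f48 fffff80002888be9 : 000000000000000a 0000000000000000 0000000000000002 0000000000000000 : nt!KeBugCheckEx
fffff88002fa3f50 fffff88003f051b5 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : MYDriver!EvtDeviceAdd+0xb5
"""


@dataclass
class Frame:
    module: str
    symbol: str
    src: Optional[str]
    line: Optional[int]


@dataclass
class Finding:
    api: str                    # WDF API whose entry point raised the break
    driver: str                 # module that called it
    call_site: str              # driver function that made the call
    source_line: Optional[int]  # line number if symbols carried source info
    next_command: str           # debugger command that prints the reason


def parse_frames(stack_text: str) -> List[Frame]:
    """Return the frames of a kd STACK_TEXT block, top of stack first."""
    frames = []
    for raw in stack_text.splitlines():
        m = FRAME_RE.match(raw.strip())
        if m:
            line = int(m.group("line")) if m.group("line") else None
            frames.append(Frame(m.group("module"), m.group("symbol"),
                                m.group("src"), line))
    return frames


def triage(stack_text: str) -> Optional[Finding]:
    """Recognise a breakpoint raised inside a Wdf01000 API entry point."""
    frames = parse_frames(stack_text)
    if len(frames) < 2:
        return None
    top, caller = frames[0], frames[1]
    # FxVerifierDbgBreakPoint is FORCEINLINE, so the break appears as
    # nt!DbgBreakPoint called straight from the imp_* entry point.
    if (top.module.lower(), top.symbol) != ("nt", "DbgBreakPoint"):
        return None
    if caller.module.lower() != "wdf01000" or not caller.symbol.startswith("imp_"):
        return None
    api = caller.symbol[len("imp_"):]
    for frame in frames[2:]:
        # Skip framework frames and the driver's inline stub from the WDF
        # header, which carries the same name as the API itself.
        if frame.module.lower() in FRAMEWORK_MODULES or frame.symbol == api:
            continue
        return Finding(api, frame.module, frame.symbol, frame.line,
                       f"!wdfkd.wdflogdump {frame.module}")
    return None


if __name__ == "__main__":
    print(triage(SAMPLE_STACK))
    print(triage(BUGCHECK_STACK))
```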


!wdfkd.wdflogdump (your driver name)

Will tell you why the bp was hit


xxxxx@live.co.uk wrote:

_Function_class_(EVT_WDF_DRIVER_DEVICE_ADD) _IRQL_requires_same_ _IRQL_requires_max_(PASSIVE_LEVEL)
NTSTATUS EvtDeviceAdd(_In_ WDFDRIVER driver, _Inout_ PWDFDEVICE_INIT pDeviceInit)
{
    UNREFERENCED_PARAMETER(driver);

    /* We are a network device type */
    WdfDeviceInitSetDeviceType(pDeviceInit, FILE_DEVICE_NETWORK);

    /* We want an auto generated name */
    WdfDeviceInitSetCharacteristics(pDeviceInit, FILE_AUTOGENERATED_DEVICE_NAME, TRUE);

    /* Associate some context with the device */
    WDF_OBJECT_ATTRIBUTES deviceAttribs;
    WDF_OBJECT_ATTRIBUTES_INIT_CONTEXT_TYPE(&deviceAttribs, DEVICE_CONTEXT);

    WDFDEVICE device;
    NTSTATUS status = WdfDeviceCreate(&pDeviceInit, &deviceAttribs, &device);
    if (NT_SUCCESS(status))
    {
        status = WdfDeviceCreateDeviceInterface(device, &DEVICE_AGENT_DRIVER_INTERFACE, NULL);
        if (NT_SUCCESS(status))
        {
            /* Inform driver finished initialising. No IRP’s will be sent to this device unless this is called. */
            WdfControlFinishInitializing(device);

Are you actually creating a control device object in DeviceEntry?


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

@DavidBoyce - Thanks for pointing me towards the article about turning on Dbg output & kd. Unfortunately there isn’t anything useful spat out. Even with 0xF.

@DoranHolan - I’m getting “Could not find MyDriver in client list” with output mentioning incorrect symbols. Not sure why as I’m using the ms symbol server. I’ve also ensured I’ve got symbols (via !lmi) for wdfldr.sys and wdf01000.sys as per another one of your replies on osr.

@TimRoberts - Yes, I believe so. This is the call to WdfDeviceCreate?

Thanks for your replies
Jason

Post your debugger command and the resulting output. You really want to get
this working, it will pay off in the long run.

You only need to call WdfControlDeviceFinishInitializing after
WdfDeviceCreate if you allocated the associated PWDFDEVICE_INIT structure
with WdfControlDeviceInitAllocate. Do you call this in your code?

-scott
OSR
@OSRDrivers


kd> !wdfkd.wdflogdump MYDriver
*************************************************************************
*** ***
*** ***
*** Either you specified an unqualified symbol, or your debugger ***
*** doesn’t have full symbol information. Unqualified symbol ***
*** resolution is turned off by default. Please either specify a ***
*** fully qualified symbol module!symbolname, or enable resolution ***
*** of unqualified symbols by typing “.symopt- 100”. Note that ***
*** enabling unqualified symbol resolution with network symbol ***
*** server shares in the symbol path may cause the debugger to ***
*** appear to hang for long periods of time when an incorrect ***
*** symbol name is typed or the network symbol server is down. ***
*** ***
*** For some commands to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: nt!_UNICODE_STRING ***
*** ***
*************************************************************************
<jason: truncated>

hint: Are symbols available for this driver?
hint: Did you provide the correct .sys/.dll extension in the drivername parameter?

Could not find MYDriver in client list

I also get output similar to the above when running: !verifier 3 MyDriver.sys
Is this because I’m working on a free build, as opposed to a checked build of windows?

No I wasn’t calling WdfControlDeviceInitAllocate. I was calling WdfControlDeviceFinishInitializing from within the EvtDeviceAdd callback, which I’m now guessing is incorrect.
I’ll explore this avenue further.

Thanks for your time
Jason

No, it’s because your Windows kernel (“nt”) symbols are wrong for some
reason. Do the following:

.symfix
!sym noisy
.reload
!sym quiet

And try again. If it still doesn’t work, post the output generated by the
.reload command above.

Correct, that is incorrect :) You do not need to call this API if you use
the passed in PWDFDEVICE_INIT to create the WDFDEVICE.

What led you to add this call? If there is documentation or a sample that
suggests it we should get it fixed.

-scott
OSR
@OSRDrivers

wrote in message news:xxxxx@ntdev…

kd> !wdfkd.wdflogdump MYDriver
*************************************************************************
*** ***
*** ***
*** Either you specified an unqualified symbol, or your debugger ***
*** doesn’t have full symbol information. Unqualified symbol ***
*** resolution is turned off by default. Please either specify a ***
*** fully qualified symbol module!symbolname, or enable resolution ***
*** of unqualified symbols by typing “.symopt- 100”. Note that ***
*** enabling unqualified symbol resolution with network symbol ***
*** server shares in the symbol path may cause the debugger to ***
*** appear to hang for long periods of time when an incorrect ***
*** symbol name is typed or the network symbol server is down. ***
*** ***
*** For some commands to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: nt!_UNICODE_STRING ***
*** ***
*************************************************************************
*************************************************************************
*** ***
*** ***
*** Either you specified an unqualified symbol, or your debugger ***
*** doesn’t have full symbol information. Unqualified symbol ***
*** resolution is turned off by default. Please either specify a ***
*** fully qualified symbol module!symbolname, or enable resolution ***
*** of unqualified symbols by typing “.symopt- 100”. Note that ***
*** enabling unqualified symbol resolution with network symbol ***
*** server shares in the symbol path may cause the debugger to ***
*** appear to hang for long periods of time when an incorrect ***
*** symbol name is typed or the network symbol server is down. ***
*** ***
*** For some commands to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: nt!_UNICODE_STRING ***
*** ***
*************************************************************************
*************************************************************************
*** ***
*** ***
*** Either you specified an unqualified symbol, or your debugger ***
*** doesn’t have full symbol information. Unqualified symbol ***
*** resolution is turned off by default. Please either specify a ***
*** fully qualified symbol module!symbolname, or enable resolution ***
*** of unqualified symbols by typing “.symopt- 100”. Note that ***
*** enabling unqualified symbol resolution with network symbol ***
*** server shares in the symbol path may cause the debugger to ***
*** appear to hang for long periods of time when an incorrect ***
*** symbol name is typed or the network symbol server is down. ***
*** ***
*** For some commands to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: nt!_UNICODE_STRING ***
*** ***
*************************************************************************
<jason: truncated>

hint: Are symbols available for this driver?
hint: Did you provide the correct .sys/.dll extension in the drivername
parameter?

Could not find MYDriver in client list

I also get output similar to the above when running: !verifier 3 MyDriver.sys
Is this because I’m working on a free build, as opposed to a checked build
of Windows?

No, I wasn’t calling WdfControlDeviceInitAllocate. I was calling
WdfControlDeviceFinishInitializing from within the EvtDeviceAdd callback,
which I’m now guessing is incorrect.
I’ll explore this avenue further.

Thanks for your time
Jason

kd> .symfix
kd> !sym noisy
noisy mode - symbol prompts on
kd> .reload
Connected to Windows 7 7601 x64 target at (Thu Sep 10 16:18:17.285 2015 (UTC + 1:00)), ptr64 TRUE
DBGHELP: C:\ProgramData\dbg\sym\ntkrnlmp.pdb\6ECA9A4801E74C44A2021EA387E737FA2\ntkrnlmp.pdb already cached
DBGHELP: C:\ProgramData\dbg\sym\ntkrnlmp.pdb\6ECA9A4801E74C44A2021EA387E737FA2\ntkrnlmp.pdb already cached

DBGHELP: nt - public symbols
C:\ProgramData\dbg\sym\ntkrnlmp.pdb\6ECA9A4801E74C44A2021EA387E737FA2\ntkrnlmp.pdb
Loading Kernel Symbols



Loading User Symbols

Loading unloaded module list
…Unable to enumerate user-mode unloaded modules, Win32 error 0n30
kd> !sym quiet
quiet mode - symbol prompts on

I can’t actually see ntkrnlmp.exe in %systemroot%\system32\ (not sure if this is normal)
I only seem to be able to find ntoskrnl.exe (on both host & target vm), despite the following:

kd> lmv mnt
start end module name
fffff80002856000 fffff80002e41000 nt (pdb symbols) C:\ProgramData\dbg\sym\ntkrnlmp.pdb\6ECA9A4801E74C44A2021EA387E737FA2\ntkrnlmp.pdb
Loaded symbol image file: ntkrnlmp.exe
Image path: ntkrnlmp.exe
Image name: ntkrnlmp.exe
Timestamp: Wed Jul 15 17:53:51 2015 (55A6901F)
CheckSum: 00556CB2
ImageSize: 005EB000
File version: 6.1.7601.18933
Product version: 6.1.7601.18933
File flags: 0 (Mask 3F)
File OS: 40004 NT Win32
File type: 1.0 App
File date: 00000000.00000000
Translations: 0409.04b0
CompanyName: Microsoft Corporation
ProductName: Microsoft? Windows? Operating System
InternalName: ntkrnlmp.exe
OriginalFilename: ntkrnlmp.exe
ProductVersion: 6.1.7601.18933
FileVersion: 6.1.7601.18933 (win7sp1_gdr.150715-0600)
FileDescription: NT Kernel & System
LegalCopyright: ? Microsoft Corporation. All rights reserved.

Unable to enumerate user-mode unloaded modules, Win32 error 0n30

Also I believe I tripped up on the WdfControlFinishInitializing call as I was working through a number of different samples when building MYDriver. Some of which were PnP (PWDFDEVICE_INIT from EvtDeviceAdd) and some weren’t (PWDFDEVICE_INIT via WdfControlDeviceInitAllocate).

I would also have read “The system will not send I/O requests or Windows Management Instrumentation (WMI) requests to a control device object unless the driver has called WdfControlFinishInitializing.” from https://msdn.microsoft.com/en-us/library/windows/hardware/ff545854(v=vs.85).aspx and naively believed I should be calling it.

It would have been nice to have a “If you haven’t explicitly created the PWDFDEVICE_INIT structure using WdfControlDeviceInitAllocate, a call to WdfControlFinishInitializing is not necessary” in the remarks section of the documentation, but I guess this error is probably easily identified if symbols are set up correctly, which mine evidently aren’t.

xxxxx@live.co.uk wrote:

Also I believe I tripped up on the WdfControlFinishInitializing call as I was working through a number of different samples when building MYDriver. Some of which were PnP (PWDFDEVICE_INIT from EvtDeviceAdd) and some weren’t (PWDFDEVICE_INIT via WdfControlDeviceInitAllocate).

It’s more complicated than that. You need to do some reading about the
different kinds of device objects. There are cases where a PnP driver
needs to have a “back door” to allow applications to submit requests
that wouldn’t ordinarily be allowed through its PnP stack. That’s when
the driver creates a control device object (CDO). This is different from
a non-PnP driver creating its only device object at DriverEntry time.

A CDO is a special beast because it is a non-PnP object being managed by
an otherwise PnP driver. That’s why it has some special interfaces.

I would also have read “The system will not send I/O requests or Windows Management Instrumentation (WMI) requests to a control device object unless the driver has called WdfControlFinishInitializing.” from https://msdn.microsoft.com/en-us/library/windows/hardware/ff545854(v=vs.85).aspx and naively believed I should be calling it.

No, because you have not created a Control Device Object.

It would have been nice to have a “If you haven’t explicitly created the PWDFDEVICE_INIT structure using WdfControlDeviceInitAllocate, a call to WdfControlFinishInitializing is not necessary” in the remarks section of the documentation,

But that’s not the criteria. You should be using any of the WdfControl
interfaces unless you are actually creating a CDO. If you are creating
a CDO, then you need WdfControlFinishInitializing.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

You’ve stumbled upon an unfortunate problem…The PDBs shipped for that
particular version of Windows 7 are completely broken. They have ALL type
information removed, which effectively means you can’t debug that version of
Windows. There isn’t anything you can do about this but use a different
version of Windows. See this recent thread:

http://www.osronline.com/showThread.CFM?link=269221

Per the thread, you could try uninstalling KB3071756 and KB3060716.

-scott
OSR
@OSRDrivers

wrote in message news:xxxxx@ntdev…

kd> .symfix
kd> !sym noisy
noisy mode - symbol prompts on
kd> .reload
Connected to Windows 7 7601 x64 target at (Thu Sep 10 16:18:17.285 2015 (UTC + 1:00)), ptr64 TRUE
DBGHELP: C:\ProgramData\dbg\sym\ntkrnlmp.pdb\6ECA9A4801E74C44A2021EA387E737FA2\ntkrnlmp.pdb already cached
DBGHELP: C:\ProgramData\dbg\sym\ntkrnlmp.pdb\6ECA9A4801E74C44A2021EA387E737FA2\ntkrnlmp.pdb already cached

DBGHELP: nt - public symbols
C:\ProgramData\dbg\sym\ntkrnlmp.pdb\6ECA9A4801E74C44A2021EA387E737FA2\ntkrnlmp.pdb
Loading Kernel Symbols



Loading User Symbols

Loading unloaded module list
…Unable to enumerate user-mode unloaded modules, Win32 error 0n30
kd> !sym quiet
quiet mode - symbol prompts on

I can’t actually see ntkrnlmp.exe in %systemroot%\system32\ (not sure if
this is normal)
I only seem to be able to find ntoskrnl.exe (on both host & target vm),
despite the following:

kd> lmv mnt
start end module name
fffff80002856000 fffff80002e41000 nt (pdb symbols)
C:\ProgramData\dbg\sym\ntkrnlmp.pdb\6ECA9A4801E74C44A2021EA387E737FA2\ntkrnlmp.pdb
Loaded symbol image file: ntkrnlmp.exe
Image path: ntkrnlmp.exe
Image name: ntkrnlmp.exe
Timestamp: Wed Jul 15 17:53:51 2015 (55A6901F)
CheckSum: 00556CB2
ImageSize: 005EB000
File version: 6.1.7601.18933
Product version: 6.1.7601.18933
File flags: 0 (Mask 3F)
File OS: 40004 NT Win32
File type: 1.0 App
File date: 00000000.00000000
Translations: 0409.04b0
CompanyName: Microsoft Corporation
ProductName: Microsoft® Windows® Operating System
InternalName: ntkrnlmp.exe
OriginalFilename: ntkrnlmp.exe
ProductVersion: 6.1.7601.18933
FileVersion: 6.1.7601.18933 (win7sp1_gdr.150715-0600)
FileDescription: NT Kernel & System
LegalCopyright: © Microsoft Corporation. All rights reserved.

Unable to enumerate user-mode unloaded modules, Win32 error 0n30
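
The symptom discussed in this thread (a PDB that loads cleanly while the debugger still reports a missing type) can be told apart from a plain symbol-path problem by reading a saved kd transcript. The following is an added example, not code from the thread or from OSR; the function names and the classification labels are hypothetical, and the sample log is constructed from lines quoted above.

```python
import re

# Constructed sample: a few lines condensed from the kd output quoted in this thread.
SAMPLE_LOG = r"""
*** Type referenced: nt!_UNICODE_STRING ***
kd> lmv mnt
start end module name
fffff80002856000 fffff80002e41000 nt (pdb symbols) C:\ProgramData\dbg\sym\ntkrnlmp.pdb\6ECA9A4801E74C44A2021EA387E737FA2\ntkrnlmp.pdb
"""

# One `lm` row: start address, end address, module name, "(symbol state)".
MODULE_RE = re.compile(r"^[0-9a-f`]+\s+[0-9a-f`]+\s+(\S+)\s+\(([^)]+)\)", re.I | re.M)
# The banner line naming the type the debugger failed to resolve.
TYPE_RE = re.compile(r"Type referenced:\s*(\w+)!(\w+)")


def parse_modules(log):
    """Map module name -> symbol state printed by lm ('pdb symbols', 'deferred', ...)."""
    return {m.group(1).lower(): m.group(2).lower() for m in MODULE_RE.finditer(log)}


def missing_types(log):
    """Map module name -> sorted, de-duplicated type names reported as unresolved."""
    found = {}
    for module, type_name in TYPE_RE.findall(log):
        found.setdefault(module.lower(), set()).add(type_name)
    return {module: sorted(types) for module, types in found.items()}


def triage(log):
    """Classify each module that has unresolved types by what lm says about its symbols."""
    modules = parse_modules(log)
    findings = {}
    for module, types in missing_types(log).items():
        state = modules.get(module)
        if state is None:
            verdict = "module-not-listed"        # no lm row in the transcript
        elif state == "pdb symbols":
            verdict = "pdb-without-type-info"    # PDB loaded, yet the type is absent
        else:
            verdict = "symbols-not-loaded"       # deferred / export / no symbols
        findings[module] = (verdict, types)
    return findings


if __name__ == "__main__":
    for module, (verdict, types) in triage(SAMPLE_LOG).items():
        print(f"{module}: {verdict} ({', '.join(types)})")
```

A "pdb-without-type-info" verdict means fixing the symbol path will not help, because the loaded PDB itself lacks the type.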