USB Device refcount 11, no handles

I have a USB thumbstick formatted in FAT. When I try to eject it, it errors that the drive is still in use.
I've tried multiple methods of finding what is using the device and then gave in to doing a forced complete dump of the entire system.

I see the device with a refcount of 11:

1: kd> !driveinfo F:
Drive F:, DriveObject fffff8a011d3cb60
Directory Object: fffff8a000008bc0 Name: F:
Target String is '\Device\HarddiskVolume5'
Drive Letter Index is 6 (F:)
Volume DevObj: fffffa8007190060
Vpb: fffffa800e1ee670 DeviceObject: fffffa80109dd970
FileSystem: \FileSystem\fastfat

1: kd> !devstack fffffa8007190060
  !DevObj           !DrvObj            !DevExt           ObjectName
  fffffa800733a040  \Driver\volsnap    fffffa800733a190
  fffffa8010a46a40  \Driver\fvevol     fffffa8010a46b90
> fffffa8007190060  \Driver\volmgr     fffffa80071901b0  HarddiskVolume5

1: kd> !devobj fffffa8007190060
Device object (fffffa8007190060) is for:
HarddiskVolume5 \Driver\volmgr DriverObject fffffa80070eb7c0
Current Irp 00000000 RefCount 11 Type 00000007 Flags 00003050
Vpb fffffa800e1ee670 Dacl fffff9a11241fdc0 DevExt fffffa80071901b0 DevObjExt fffffa8007190318 Dope fffffa800c3ff520 DevNode fffffa80109541b0
ExtensionFlags (0000000000)
Characteristics (0x00000001) FILE_REMOVABLE_MEDIA
AttachedDevice (Upper) fffffa8010a46a40 \Driver\fvevol
Device queue is not busy.

1: kd> !vpb fffffa800e1ee670
Vpb at 0xfffffa800e1ee670
Flags: 0x1 mounted
DeviceObject: 0xfffffa80109dd970
RealDevice: 0xfffffa8007190060
RefCount: 11
Volume Label: STORE N GO

But !devhandles runs for about 30-45 minutes and doesn’t turn up a single handle.
The only refcount I see is for vpb fffffa800e1ee670 and the realdevice 0xfffffa8007190060. None of the other filters or devices have a refcount.

How can I find what these references are?

Since it appears I have a fundamental lack of knowledge of what a reference is, can anyone point me to some documentation that defines the difference between a reference and a handle?

Any help would be greatly appreciated!

!devhandles will run for quite a long time; it checks each and every process for the input handle in the handle table.

For example, the first handle 0x004 in the process explorer will take so much work for comparing your handle input in !devhandles, so if you have n processes and m handles in each process then it has to navigate and compare the object for n * m entries.

kd> !process 0 0 explorer.exe
PROCESS 86482920 SessionId: 1 Cid: 05d4 Peb: 7ffd4000 ParentCid: 05c0
DirBase: 7e27e2c0 ObjectTable: 961b4468 HandleCount: 850.
Image: explorer.exe

kd> dd 961b4468 l4
961b4468 ab57d001 86482920 000005d4 00000000 <- object table

kd> dd 0xab57d001 & 0xfffffff0 l4
ab57d000 961c7000 ab599000 b116a000 00000000 <- TableCode

kd> dd 961c7000 + 8 l4
961c7008 90c2c999 00000003 86481669 00100020 <- table entry

kd> !object (90c2c999 & 0xfffffff8) + 18 <- object in the first table entry
Object: 90c2c9b0 Type: (8482b990) Directory
ObjectHeader: 90c2c998 (new version)
HandleCount: 37 PointerCount: 75
Directory Object: 89805e00 Name: KnownDlls

Hash Address  Type    Name
00   93f86ba8 Section gdi32.dll
     93fd2160 Section KERNELBASE.dll
     90c610d8 Section IMAGEHLP.dll

and so on

refcount will always be >= handle count (the kernel can take a reference without opening a handle).

On 2/29/16, xxxxx@gmail.com wrote:
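The lookup chain in the kd session above (ObjectTable -> TableCode -> level-0 page -> entry -> object header -> object body) as an added, runnable model in Python. This is example code written for this page, not code from the thread or from WinDbg. It assumes the Windows 7-era x86 layout the dump comes from: TableCode's low two bits hold the table level and the rest a page address, a level-1 page holds 4-byte pointers to level-0 pages, a level-0 page holds 512 eight-byte entries (object pointer word plus granted access), handle index = handle / 4, the object header is the pointer word with its low three bits cleared (the post's `& 0xfffffff8`), and the body sits 0x18 bytes past the header (the post's `+ 18`). It goes beyond the post by handling level-0, level-1 and level-2 tables generally. The flag-bit names (bit 0 lock bit with set = unlocked, bit 1 inherit, bit 2 audit on close) are an assumption about that era's HANDLE_TABLE_ENTRY. The "memory" is a constructed dict: the dwords at 961b4468, ab57d000 and 961c7008 are copied from the post; the second level-0 page, handle 0x800 and the target object at 86abc018 are made up for the demonstration.

```python
"""Model of the x86 handle-table walk shown in the kd session above.

Constructed example for this page; not code from the thread or from WinDbg.
Layout assumptions are listed in the lead-in; the attribute-bit names are an
assumption about the XP/Win7-era HANDLE_TABLE_ENTRY.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PAGE_SIZE = 0x1000
ENTRY_SIZE = 8                               # x86 HANDLE_TABLE_ENTRY: pointer word + GrantedAccess
ENTRIES_PER_PAGE = PAGE_SIZE // ENTRY_SIZE   # 512 handles per level-0 page
POINTERS_PER_PAGE = PAGE_SIZE // 4           # 1024 level-0 pointers per level-1 page
HANDLE_STEP = 4                              # handle values advance by 4 (index = handle / 4)
OBJECT_HEADER_SIZE = 0x18                    # x86 "new version" OBJECT_HEADER, body = header + 0x18
ATTR_MASK = 0x7                              # low three bits of the pointer word are per-handle flags
ATTR_NAMES = {0x1: "UNLOCKED", 0x2: "INHERIT", 0x4: "AUDIT_OBJECT_CLOSE"}  # assumption

# Constructed sparse memory image (address -> dword).  The first three groups
# are the dumps from the post; the last pair is invented to exercise the
# second level-0 page (handle 0x800 == index 512).
MEMORY: Dict[int, int] = {
    # kd> dd 961b4468 l4                  explorer.exe ObjectTable; dword 0 = TableCode
    0x961b4468: 0xab57d001, 0x961b446c: 0x86482920, 0x961b4470: 0x000005d4, 0x961b4474: 0x00000000,
    # kd> dd 0xab57d001 & 0xfffffff0 l4   level-1 page: pointers to level-0 pages
    0xab57d000: 0x961c7000, 0xab57d004: 0xab599000, 0xab57d008: 0xb116a000, 0xab57d00c: 0x00000000,
    # kd> dd 961c7000 + 8 l4              entries for handles 0x004 and 0x008
    0x961c7008: 0x90c2c999, 0x961c700c: 0x00000003, 0x961c7010: 0x86481669, 0x961c7014: 0x00100020,
    # constructed: handle 0x800, first slot of the second level-0 page
    0xab599000: 0x86abc001, 0xab599004: 0x001f01ff,
}


@dataclass(frozen=True)
class HandleEntry:
    handle: int
    entry_address: int
    object_header: int
    object_body: int
    attributes: Tuple[str, ...]
    granted_access: int


def read_dword(addr: int) -> int:
    """Unmapped memory reads as 0, which is also how a free table slot looks."""
    return MEMORY.get(addr, 0)


def table_code(object_table: int) -> int:
    return read_dword(object_table)


def locate_entry(code: int, handle: int) -> Optional[int]:
    """Address of the HANDLE_TABLE_ENTRY for `handle`, or None if that slot does not exist."""
    if handle == 0 or handle % HANDLE_STEP:          # index 0 is reserved; handles are multiples of 4
        return None
    index = handle // HANDLE_STEP
    level, page = code & 0x3, code & ~0x3
    if level == 2:                                   # level-2 page -> level-1 page
        span = POINTERS_PER_PAGE * ENTRIES_PER_PAGE
        page = read_dword(page + 4 * (index // span))
        index %= span
        level = 1
    if level == 1 and page:                          # level-1 page -> level-0 page
        page = read_dword(page + 4 * (index // ENTRIES_PER_PAGE))
        index %= ENTRIES_PER_PAGE
    if not page or index >= ENTRIES_PER_PAGE:
        return None
    return page + index * ENTRY_SIZE


def decode_entry(code: int, handle: int) -> Optional[HandleEntry]:
    """Mirror of '!object (word & 0xfffffff8) + 18': strip the flag bits, skip the header."""
    addr = locate_entry(code, handle)
    if addr is None:
        return None
    word = read_dword(addr)
    if word == 0:
        return None                                  # free slot
    header = word & ~ATTR_MASK
    attrs = tuple(name for bit, name in ATTR_NAMES.items() if word & bit)
    return HandleEntry(handle, addr, header, header + OBJECT_HEADER_SIZE, attrs, read_dword(addr + 4))


def handles_to_object(object_table: int, target_body: int, max_handle: int) -> List[int]:
    """What !devhandles does for one process: compare every slot against the target object.
    Over n processes with m slots each this is the n * m comparison the reply describes."""
    code = table_code(object_table)
    return [h for h in range(HANDLE_STEP, max_handle + HANDLE_STEP, HANDLE_STEP)
            if (e := decode_entry(code, h)) is not None and e.object_body == target_body]


if __name__ == "__main__":
    code = table_code(0x961b4468)
    for h in (0x4, 0x8, 0x800):
        print(hex(h), decode_entry(code, h))
    print("handles to 86abc018:", [hex(h) for h in handles_to_object(0x961b4468, 0x86abc018, 0x1000)])
```

Running it reproduces the post's numbers for handle 0x004 (header 90c2c998, body 90c2c9b0, granted access 3) and shows why the extension is slow: `handles_to_object` has no index from object to handle, so it decodes every slot of every process and compares, which is exactly the n * m walk, and a process whose table cannot be read simply contributes nothing.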

Thanks Raj,

Is it unusual for the !devhandles command to end prematurely at a terminated process?

Checking handle table for process 0xfffffa800ede5060
00000000: Unable to read handle table

No active threads
THREAD fffffa800ed986f0 Cid 0bcc.0bd0 Teb: 0000000000000000 Win32Thread: 0000000000000000 TERMINATED

If no handles are involved, this might be a garbage collection issue then, right? If I had a few processes I was suspicious of, would there be any way to tell if they have references open to the device?

There are also custom minifilters with instances in this device - is it possible to identify if one of these is responsible for the references? (!fltkd maybe?)

I am not sure if !devhandles continues or not upon an error. Many of these extensions are quite fragile and may misbehave in extreme corner cases (most of the long-running commands fall in this category, as they are rarely allowed to run their full life cycle; 99% simply Ctrl+Break the execution after a puff or two). In many cases you can put the command in a .catch {} block and see if it continues on an error.

In OSes later than Vista you could set up gflags to trace an object with a pool tag and use the !obtrace command to track objects.

I am not sure if you can track objects on a dead system (forensic or dump).

Object tracking will require pre-planning.


On 3/1/16, xxxxx@gmail.com wrote: