DRIVER_VERIFIER_DETECTED_VIOLATION c4 in original Bluetooth Echo L2CAP Profile Driver

Dear All,

I compiled and installed the Bluetooth Echo L2CAP Profile Driver (BthEchoSampleSrv.sys) from the link below.
https://code.msdn.microsoft.com/windowshardware/Bluetooth-Echo-Sample-6f0a62d6

It installed and I am able to test the functionality.

But when I try to uninstall this driver from Device Manager I get a BSOD every time.

Below is the crash dump from windbg.

Has anyone faced this issue, and if so, how do I resolve it?

Microsoft (R) Windows Debugger Version 6.3.9600.16384 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.

Loading Dump File [C:\Windows\MEMORY.DMP]
Kernel Bitmap Dump File: Only kernel address space is available

************* Symbol Path validation summary **************
Response Time (ms) Location
Deferred symsrv*symsrv.dll*d:\localsymbols*http://msdl.microsoft.com/download/symbols
Symbol search path is: symsrv*symsrv.dll*d:\localsymbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows 8 Kernel Version 9600 MP (4 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 9600.16404.amd64fre.winblue_gdr.130913-2141
Machine Name:
Kernel base = 0xfffff802ea009000 PsLoadedModuleList = 0xfffff802ea2cd990
Debug session time: Wed Feb 4 12:13:31.642 2015 (UTC + 5:30)
System Uptime: 0 days 0:10:02.450
Loading Kernel Symbols



Loading User Symbols

Loading unloaded module list

*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck C4, {dd, fffff80002fb44d3, fffff80002fab000, ffffe00003c757e0}

Probably caused by : BthEchoSampleSrv.sys ( BthEchoSampleSrv!WppInitKm+4b )

Followup: MachineOwner

3: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

DRIVER_VERIFIER_DETECTED_VIOLATION (c4)
A device driver attempting to corrupt the system has been caught. This is
because the driver was specified in the registry as being suspect (by the
administrator) and the kernel has enabled substantial checking of this driver.
If the driver attempts to corrupt the system, bugchecks 0xC4, 0xC1 and 0xA will
be among the most commonly seen crashes.
Arguments:
Arg1: 00000000000000dd, Unloading driver that forgot to call EtwUnregister.
Arg2: fffff80002fb44d3, Address where the culprit driver called EtwRegister.
Arg3: fffff80002fab000, Start address of the culprit driver.
Arg4: ffffe00003c757e0, Address of the leaked ETW_REG_ENTRY structure.

Debugging Details:

OVERLAPPED_MODULE: Address regions for 'BthEchoSampleSrv' and 'mfeavfk01.sys' overlap

BUGCHECK_STR: 0xc4_dd

IMAGE_NAME: BthEchoSampleSrv.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 54d1beff

MODULE_NAME: BthEchoSampleSrv

FAULTING_MODULE: fffff80002fab000 BthEchoSampleSrv

FAULTING_IP:
BthEchoSampleSrv!WppInitKm+4b [d:\winbt\org-l2cap-driver\c++\bthsrv\sys\x64\win8.1release\driver.tmh @ 1725]
fffff800`02fb44d3 488b5b10 mov rbx,qword ptr [rbx+10h]

FOLLOWUP_IP:
BthEchoSampleSrv!WppInitKm+4b [d:\winbt\org-l2cap-driver\c++\bthsrv\sys\x64\win8.1release\driver.tmh @ 1725]
fffff800`02fb44d3 488b5b10 mov rbx,qword ptr [rbx+10h]

DEFAULT_BUCKET_ID: WIN8_DRIVER_FAULT

PROCESS_NAME: System

CURRENT_IRQL: 2

ANALYSIS_VERSION: 6.3.9600.16384 (debuggers(dbg).130821-1623) amd64fre

LAST_CONTROL_TRANSFER: from fffff802ea6756a8 to fffff802ea156ca0

STACK_TEXT:
ffffd0002089b488 fffff802ea6756a8 : 00000000000000c4 00000000000000dd fffff80002fb44d3 fffff80002fab000 : nt!KeBugCheckEx
ffffd0002089b490 fffff802ea67989c : fffff80002fab000 ffffe0000475ae40 0000000000000015 00000000ffffffff : nt!VerifierBugCheckIfAppropriate+0x3c
ffffd0002089b4d0 fffff802ea1b1cd5 : 0000000000000000 ffffe0000007cc30 0000000000000001 ffffe00004f60e10 : nt!ViTargetRemovingCheckEtwWmi+0x70
ffffd0002089b510 fffff802ea667060 : fffff802ea2b2d50 fffff802ea2b2d50 ffffe0000475ae40 0000000000000000 : nt! ?? ::FNODOBFM::`string'+0x4ab45
ffffd0002089b5a0 fffff802ea4da6c2 : 0000000000000000 ffffe0000475ae40 ffffc0000d32d7d0 ffffe000021d67b0 : nt!VfDriverUnloadImage+0x34
ffffd0002089b5d0 fffff802ea4da62c : 0000000000000000 ffffe0000475ae40 ffffe000021d67b0 ffffe000021d67b0 : nt!MiUnloadSystemImage+0x7e
ffffd0002089b650 fffff802ea4da574 : 0000000000000000 ffffe00000185dc0 ffffe000021d67b0 ffffe00076697244 : nt!MmUnloadSystemImage+0x20
ffffd0002089b680 fffff802ea3a8cb8 : 0000000000000000 ffffe000021d67b0 ffffe00000185dc0 ffffe000021c1550 : nt!IopDeleteDriver+0x40
ffffd0002089b6c0 fffff802ea06915f : 0000000000000000 ffffe000021c1550 ffffe000021d67b0 ffffe000021c1520 : nt!ObpRemoveObjectRoutine+0x64
ffffd0002089b720 fffff802ea48e147 : ffffe000021c1550 ffffe00000185f20 ffffd0002089b650 ffffe00000000004 : nt!ObfDereferenceObject+0x8f
ffffd0002089b760 fffff802ea3a8cb8 : ffffcf8003720fd0 0000000000000030 ffffe0000503f080 ffffe00002082930 : nt!IopDeleteDevice+0x47
ffffd0002089b790 fffff802ea06915f : 0000000000000000 0000000000000000 ffffe000021c1550 ffffe00002082920 : nt!ObpRemoveObjectRoutine+0x64
ffffd0002089b7f0 fffff802ea0f2395 : ffffe0000503fd30 ffffe0000b2aaeb0 ffffe0000502d360 0000000000000001 : nt!ObfDereferenceObject+0x8f
ffffd0002089b830 fffff802ea490af9 : ffffe0000503f080 ffffe0000503fd30 ffffc0000d816350 ffffe0000503f080 : nt!PnpRemoveLockedDeviceNode+0x245
ffffd0002089b890 fffff802ea490a72 : 0000000000000000 ffffc0000d816350 ffffe0000503fd30 000000003f051397 : nt!PnpDeleteLockedDeviceNode+0x4d
ffffd0002089b8d0 fffff802ea48fc7f : ffffe0000503f080 ffffd00000000002 0000000000000000 0000000000000000 : nt!PnpDeleteLockedDeviceNodes+0x9a
ffffd0002089b950 fffff802ea4341fd : ffffc0000d1f8600 0000000000000001 ffffc00000000000 ffffe000ffffffff : nt!PnpProcessQueryRemoveAndEject+0x4ef
ffffd0002089bab0 fffff802ea434537 : ffffc0000d1f86d0 0000000000000000 0000000000000000 fffff802ea434218 : nt!PnpProcessTargetDeviceEvent+0x9d
ffffd0002089baf0 fffff802ea04365d : fffff802ea434218 ffffc0000d8299d0 ffffd0002089bbd0 ffffe00002194be0 : nt!PnpDeviceEventWorker+0x31f
ffffd0002089bb50 fffff802ea0ecc80 : 0000000000000000 ffffe00001a02040 ffffe00001a02040 ffffe0000008f040 : nt!ExpWorkerThread+0x2b5
ffffd0002089bc00 fffff802ea15d2c6 : fffff802ea2f7180 ffffe00001a02040 fffff802ea34fa80 0000000000000000 : nt!PspSystemThreadStartup+0x58
ffffd0002089bc60 0000000000000000 : ffffd0002089c000 ffffd00020896000 0000000000000000 00000000`00000000 : nt!KiStartSystemThread+0x16

STACK_COMMAND: .bugcheck ; kb

FAULTING_SOURCE_LINE: d:\winbt\org-l2cap-driver\c++\bthsrv\sys\x64\win8.1release\driver.tmh

FAULTING_SOURCE_FILE: d:\winbt\org-l2cap-driver\c++\bthsrv\sys\x64\win8.1release\driver.tmh

FAULTING_SOURCE_LINE_NUMBER: 1725

FAULTING_SOURCE_CODE:
1721: if (!NT_SUCCESS(Status)) {
1722: WppDebug(0,("EtwRegisterClassicProvider Status = %d, ControlBlock = %p.\n", Status, WppReg));
1723: }
1724:
1725: WppReg = WppReg->Next;
1726: }
1727:
1728: } else if (WppTraceWinXP == WPPTraceSuite) {
1729:
1730:

SYMBOL_NAME: BthEchoSampleSrv!WppInitKm+4b

FOLLOWUP_NAME: MachineOwner

BUCKET_ID_FUNC_OFFSET: 4b

FAILURE_BUCKET_ID: 0xc4_dd_VRF_BthEchoSampleSrv!WppInitKm

BUCKET_ID: 0xc4_dd_VRF_BthEchoSampleSrv!WppInitKm

ANALYSIS_SOURCE: KM

FAILURE_ID_HASH_STRING: km:0xc4_dd_vrf_bthechosamplesrv!wppinitkm

FAILURE_ID_HASH: {ecb13fdf-a6f3-62cf-2684-89b3b82c1455}

Followup: MachineOwner

Sure, make sure you unregister ETW in DriverUnload

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@gmail.com
Sent: Tuesday, February 03, 2015 11:09 PM
To: Windows System Software Devs Interest List
Subject: [ntdev] DRIVER_VERIFIER_DETECTED_VIOLATION c4 in original Bluetooth Echo L2CAP Profile Driver


++Additional Information

If I disable Driver Verifier by deleting the existing settings, I don't get the BSOD that I mentioned in my previous message.

Hi Doron,

Thanks for the reply.

I am calling WPP_INIT_TRACING in DriverEntry and WPP_CLEANUP in EvtCleanupCallback.

Will WPP_CLEANUP unregister ETW, or do I need to call EtwUnregister somewhere else?

Hi Doron,

Any solution for the above BSOD?
I am still getting the above BSOD every time. Where do I need to call unregister ETW?
I still don't understand what the problem is.

Well, sure. As the bugcheck description says, it’s Driver Verifier that’s causing the crash, because it detected your driver was doing something wrong (or NOT doing something it should).

If you call EtwRegister in your code, you need to call EtwUnregister. If you call WPP_INIT_TRACING you need to call WPP_CLEANUP.

If you use both facilities, you need to call both the Unregister and CLEANUP functions… before your driver exits.

You can do this in your WDF_DRIVER object cleanup Event Processing Callback.

Peter
OSR
@OSRDrivers
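Doron's one-line reply and Peter's longer one come down to the same rule: every registration the driver makes (EtwRegister directly, or WPP_INIT_TRACING on its behalf) must be undone before the image leaves memory. The dump says which registration leaked here: Arg2 (fffff80002fb44d3) is BthEchoSampleSrv!WppInitKm+4b, the return address just after WppInitKm's EtwRegisterClassicProvider call at driver.tmh line 1725, so the live registration Verifier found is the WPP one. The block below is an added example, not code from the Bluetooth Echo sample and not from either reply; it shows the pairing in a KMDF driver, including the one exit path a WDFDRIVER cleanup callback cannot cover, a failed WdfDriverCreate. It assumes a WDK build with WPP enabled so that tracewpp generates driver.tmh; the control GUID value, the TRACE_DRIVER flag and the Sample* callback names are placeholders chosen for this example, not identifiers from the sample.

```c
/*
 * Added example, not code from the Bluetooth Echo sample or from any
 * poster in this thread: the WPP registration lifecycle in a KMDF
 * driver, with WPP_CLEANUP paired with WPP_INIT_TRACING on every path
 * by which the driver can leave the system.
 *
 * Assumptions: built with the WDK as a KMDF driver with WPP enabled, so
 * tracewpp generates driver.tmh. The control GUID value, the trace flag
 * and the Sample* callback names are placeholders for this example.
 */
#include <ntddk.h>
#include <wdf.h>

#define WPP_CONTROL_GUIDS                                                 \
    WPP_DEFINE_CONTROL_GUID(SampleTraceGuid,                              \
        (11111111,2222,3333,4444,555555555555),  /* placeholder GUID */   \
        WPP_DEFINE_BIT(TRACE_DRIVER))

#include "driver.tmh"   /* generated; defines WPP_INIT_TRACING / WPP_CLEANUP */

DRIVER_INITIALIZE DriverEntry;
EVT_WDF_DRIVER_DEVICE_ADD SampleEvtDeviceAdd;
EVT_WDF_OBJECT_CONTEXT_CLEANUP SampleEvtDriverContextCleanup;

NTSTATUS
DriverEntry(_In_ PDRIVER_OBJECT DriverObject, _In_ PUNICODE_STRING RegistryPath)
{
    WDF_DRIVER_CONFIG     config;
    WDF_OBJECT_ATTRIBUTES attributes;
    NTSTATUS              status;

    /*
     * Registers the WPP provider. On this kernel that is WppInitKm
     * calling EtwRegisterClassicProvider, the registration Driver
     * Verifier tracks per driver image; bugcheck 0xC4 arg1 0xDD means
     * it was still live when the image was unloaded.
     */
    WPP_INIT_TRACING(DriverObject, RegistryPath);

    WDF_OBJECT_ATTRIBUTES_INIT(&attributes);
    /*
     * The framework runs EvtCleanupCallback when it deletes the
     * WDFDRIVER object during its own unload handling, before the I/O
     * manager unloads the image. That is the normal home of WPP_CLEANUP.
     */
    attributes.EvtCleanupCallback = SampleEvtDriverContextCleanup;

    WDF_DRIVER_CONFIG_INIT(&config, SampleEvtDeviceAdd);

    status = WdfDriverCreate(DriverObject, RegistryPath,
                             &attributes, &config, WDF_NO_HANDLE);
    if (!NT_SUCCESS(status)) {
        /*
         * No WDFDRIVER object exists, so the cleanup callback will never
         * run. Without this call DriverEntry fails, the loader unloads
         * the image, and the ETW registration leaks: the same bugcheck
         * as in the thread, reached from a different path.
         */
        WPP_CLEANUP(DriverObject);
        return status;
    }

    return STATUS_SUCCESS;
}

VOID
SampleEvtDriverContextCleanup(_In_ WDFOBJECT DriverObject)
{
    /*
     * WPP_CLEANUP takes the WDM DRIVER_OBJECT, not the WDFDRIVER handle
     * the framework passes to this callback.
     */
    WPP_CLEANUP(WdfDriverWdmGetDriverObject((WDFDRIVER)DriverObject));
}

NTSTATUS
SampleEvtDeviceAdd(_In_ WDFDRIVER Driver, _Inout_ PWDFDEVICE_INIT DeviceInit)
{
    WDFDEVICE device;

    UNREFERENCED_PARAMETER(Driver);

    /* Minimal device so the driver can be installed and removed from Device Manager. */
    return WdfDeviceCreate(&DeviceInit, WDF_NO_OBJECT_ATTRIBUTES, &device);
}
```

The check that goes with this: keep Verifier on the driver rather than deleting its settings (`verifier /standard /driver BthEchoSampleSrv.sys`, reboot, then remove the device again); a build in which every registration is balanced unloads cleanly, and deleting the settings only hides the leak, as the "Additional Information" post observed. If the bugcheck does recur, Arg4 is the leaked entry, so `dt nt!_ETW_REG_ENTRY ffffe00003c757e0` in the debugger shows which registration was left behind.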