Saturday 30 November 2013

Debugging Stop 0xC4 - Invalid Handle [Updated Version]

Again, this is a updated version of a previous blog post, since I will able to show things in more depth. This is a bugcheck caused by Driver Verifier finding a violation, it indicates that a process or driver has used a User-Mode handle in Kernel-Mode.

I've highlighted the two parameters which are the most important in this bugcheck. The value of the handle, and the address of the current process. Since this is a Driver Verifier bugcheck, the driver is most likely going to be displayed, so this post is more about understanding what it references and what it did wrong.

By using the !process extension, we can dump some information about the process, and view the number of handles it currently holds.

Using the !handle extension with the value of the handle being referenced in parameter 3, gives some information about the object which the handle is currently referencing. It seems to be a registry key.

Let's take a closer look into the registry key, just for academic and nerdy interest, use the !reg findkcb extension with the entire path of the registry key.

Using the address of the KCB (Key Control Block), use the !reg kcb extension, and should get output similar to this:

The reference count is 1, therefore only one process has a handle open to that registry key. The Flags indicates the name of the key is in a compressed form, and the registry key is current 9 levels deep into the registry. \REGISTRY\MACHINE\SYSTEM would be 3 levels.

The nVidia graphics card driver seemed to be causing problems. The registry key being referenced is also related to nVidia.