Catch a misbehaving driver with verifier

Today I wanted to mix it up a little.  I want to talk a little about debugging, more specifically about using driver verifier.  If you have seen a Windows bug check, aka the blue screen of death, then you have probably seen a DRIVER_IRQL_NOT_LESS_OR_EQUAL.  This particular bug check has two codes associated with it; 0x0000000A and 0x000000D1.  In the majority of cases, this bug check is caused by a 3rd party driver that is misbehaving.  Most of the time the cause can be identified by debugging the kernel memory dump.  Sometimes however the problematic driver is paged out and is no longer present in the memory dump.  In this case we can use driver verifier to catch this misbehaving driver and force a bug check to happen before the driver is paged out.  The rest of this article will discuss how to enable driver verifier for this scenario.

  1. Click Start, or in Windows 2012 and higher right-click Start, and choose Run.  Type in verifier and click OK.
  2. From the select a task options, select “Create custom settings (for code developers)” and click Next.
    select a task
  3. From the select individual settings from this full list, tick the check box for Special pool and click Next.
    special pool
  4. From the select what drivers to verify options, select “Select driver names from a list” and click Next.
    select drivers to verify
  5. Sort the driver list by provider.  Tick the check box for all drivers that are not provided by Microsoft, and click Finish.  We do this so that we can monitor all 3rd party drivers.
    driver list
  6. Reboot the server.

After the server is rebooted all 3rd party drivers will be monitored.  If one of them should misbehave, driver verifier will force the system to bug check.  It should then be fairly simple to find the problem driver in the memory dump.

If you have any suggestions for this article, please leave a comment below.

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s