Query regarding BSOD?
Hi,
I have a query regarding a system crash observed with bugcheck “INVALID_KERNEL_HANDLE (93)”.
I suspect this crash is observed due to an invalid handle close. Checked loaded modules, my driver is exited.
INVALID_KERNEL_HANDLE (93)
This message occurs if kernel code (server, redirector, other driver, etc.)
attempts to close a handle that is not a valid handle.
Arguments:
Arg1: 00000000000018c4, The handle that NtClose was called with.
Arg2: 0000000000000001, means an invalid handle was closed.
Arg3: 0000000000000000
Arg4: 0000000000000000
This is the stack for the crash:
DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT
BUGCHECK_STR: 0x93
PROCESS_NAME: svchost.exe
CURRENT_IRQL: 0
LAST_CONTROL_TRANSFER: from fffff80003781307 to fffff800034c6f00
STACK_TEXT:
fffff880`06692528 fffff800`03781307 : 00000000`00000093 00000000`000018c4 00000000`00000001 00000000`00000000 : nt!KeBugCheckEx
fffff880`06692530 fffff800`034c6153 : fffffa80`020f4b60 fffff880`06692600 fffff880`06692770 00000000`00000000 : nt! ?? ::NNGAKEGL::`string'+0x34fdb
fffff880`06692580 fffff800`034c26f0 : fffff880`0117366c 00000000`00000001 fffffa80`02ea0070 fffff880`06692770 : nt!KiSystemServiceCopyEnd+0x13
fffff880`06692718 fffff880`0117366c : 00000000`00000001 fffffa80`02ea0070 fffff880`06692770 00000000`000000a8 : nt!KiServiceLinkage
fffff880`06692720 fffff800`03836ce5 : fffffa80`06144a30 00000000`00000004 00000000`00000000 ffffffff`8000187c : fileinfo!FIPfInterfaceClose+0x48
fffff880`06692750 fffff800`038c56e1 : fffff880`06692800 00000000`c000009a fffff8a0`07000000 00000000`00000004 : nt!PfpOpenHandleClose+0x55
fffff880`066927a0 fffff800`0392bc3c : 00000000`00000000 00000000`c0000017 00000000`c000009a fffff8a0`00000001 : nt!PfpPrefetchVolumesCleanup+0x71
fffff880`066927d0 fffff800`0392c7b7 : 00000000`00000000 fffff880`06692c60 fffff880`066929c8 fffff8a0`027bc060 : nt!PfpPrefetchRequestPerform+0x32c
fffff880`06692920 fffff800`03938d8e : fffff880`066929c8 fffff880`06692a01 fffffa80`04666540 00000000`00000000 : nt!PfpPrefetchRequest+0x176
fffff880`06692990 fffff800`0393d4be : 00000000`00000000 00000000`0382f930 00000000`0000004f 00000000`06164001 : nt!PfSetSuperfetchInformation+0x1ad
fffff880`06692a70 fffff800`034c6153 : fffffa80`020f4b60 00000000`00000000 00000000`00000001 00000000`00000001 : nt!NtSetSystemInformation+0xb91
fffff880`06692be0 00000000`770c15aa : 000007fe`f7bf89cc 00000000`0382f9e0 00000000`0382f988 00000000`0000289f : nt!KiSystemServiceCopyEnd+0x13
00000000`0382f908 000007fe`f7bf89cc : 00000000`0382f9e0 00000000`0382f988 00000000`0000289f 00000000`00000000 : ntdll!NtSetSystemInformation+0xa
00000000`0382f910 000007fe`f7bf8799 : 00000000`0382fbe0 00000000`06415c50 00000000`061b2510 00000000`00000000 : sysmain!PfListPrefetch+0xfa
00000000`0382f980 000007fe`f7bf8688 : 00000000`022c8c01 00000000`022c8f18 00000000`0382fbe0 00000000`06153960 : sysmain!PfDbDatabasePrefetchPerform+0xdb1
00000000`0382fb20 000007fe`f7bf9fc8 : 00000000`022c8c90 00000000`022c8f18 00000000`00000001 000007fe`00000000 : sysmain!PfDbDatabasePrefetchExWithInterface+0x1a8
00000000`0382fbc0 000007fe`f7bf7b92 : 00000000`022c8c58 00000000`022c8c58 00000000`00000000 00000000`00000564 : sysmain!PfRbPrefetchCore+0x10d
00000000`0382fc70 00000000`76e6f56d : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : sysmain!PfRbPrefetchWorker+0xdb
00000000`0382fca0 00000000`770a3281 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : kernel32!BaseThreadInitThunk+0xd
00000000`0382fcd0 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x1d
I think handle “00000000000018c4”, which has not been opened/owned by my driver, might be closed by my driver.
The same bugcheck has been observed on different systems for NtClose.
Is there any way to check or narrow down an illegal handle close by my driver before unload?
Thanks,
Sachin