Driver Verifier
Driver Verifier is a powerful tool that helps you debug Windows drivers. It runs in the background, monitoring kernel-mode code. If it detects behavior that could indicate a bug in a driver, it causes the system to crash. This crash provides a memory dump, which can then be analyzed to pinpoint the problem.
What is Driver Verifier?
Driver Verifier works by monitoring driver activity for common error conditions. It stresses drivers in various ways, making it more likely that subtle bugs will be exposed. When an error is detected, Driver Verifier immediately stops the system, preventing the potential corruption of data or system instability that might otherwise occur.
How it Works
- Rule Enforcement: Driver Verifier applies a set of rules to kernel-mode code. Violating these rules triggers a bug check (crash).
- Memory Corruption Detection: It can detect invalid memory accesses, such as buffer overflows or use of uninitialized memory.
- Deadlock Detection: Driver Verifier monitors the use of I/O request packet (IRP) locks and other synchronization primitives to detect potential deadlocks.
- IRQL Checking: It verifies that drivers are accessing hardware and memory at appropriate Interrupt Request Levels (IRQLs).
- Pool Usage Monitoring: Tracks the allocation and freeing of memory pools to detect leaks or corruption.
Important: Always enable Driver Verifier on a test system, not on a production machine. Enabling it can cause system instability if your drivers contain bugs.
Enabling Driver Verifier
Driver Verifier can be enabled and configured using the verifier.exe command-line tool or through its graphical interface.
Using the Command Line (`verifier.exe`)
Open an elevated Command Prompt or PowerShell and run:
verifier.exe /flags 0x37bff /driver your_driver.sys
Common flags include:
- 0x00000001: Standard Verifier (basic checks)
- 0x00000002: I/O Verification
- 0x00000004: Driver Verifier DMA Verification
- 0x00000008: Security Checks
- 0x00000010: Force IRQL Checking
- 0x00000020: Pool Tracking
- 0x00000040: Deadlock Detection
- 0x00000080: WMI Integrity Checks
- 0x00000100: DDI Compliance Checking
- 0x00000200: IFR Logging
- 0x00000400: Antimalware Access Verification
- 0x00000800: Registry Access Checks
- 0x00001000 through 0x80000000: Reserved
To enable all checks for a specific driver:
verifier.exe /volatile /all /driver your_driver.sys
Using the Graphical Interface (`verifiergui.exe`)
Run verifiergui.exe from an elevated Command Prompt or PowerShell.
- Select "Create custom settings" and click "Next".
- Choose the specific drivers you want to verify or select "Select all drivers installed in the system".
- Under "Settings", check the desired verification levels. "Standard" and "I/O Verification" are commonly used.
- Click "Finish".
Disabling Driver Verifier
Driver Verifier settings persist across reboots. To disable it:
Run verifier.exe /reset from an elevated Command Prompt or PowerShell and then reboot the system.
Analyzing Crashes
When Driver Verifier detects an error, it causes a bug check (Blue Screen of Death). The crash screen will typically indicate that Driver Verifier detected the issue. The subsequent memory dump (minidump or full dump) should be analyzed using a debugger like WinDbg, focusing on the driver that was being verified.
Common Bug Check Codes related to Driver Verifier
- 0xC4: Multiple potential causes related to Driver Verifier checks.
- 0xC1: Specific memory corruption detected by Driver Verifier.
- 0xA0: Driver Verifier I/O verification error.
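As an added example (not code from the original page), the PowerShell helper below reads the bug check events Windows records in the System log after a crash reboot, parses out the code, parameters and dump path, and flags the codes listed above so the right dump can be opened in WinDbg. It assumes the Event ID 1001 message written by the Microsoft-Windows-WER-SystemErrorReporting provider; the sample message and its parameter values are constructed.

```powershell
# Bug check codes the page associates with Driver Verifier, with the page's descriptions.
$VerifierBugChecks = @{
    0xC4 = 'Driver Verifier check violation (multiple potential causes)'
    0xC1 = 'Memory corruption detected by Driver Verifier'
    0xA0 = 'Driver Verifier I/O verification error'
}

function ConvertFrom-BugCheckMessage {
    # Parses the text of a WER-SystemErrorReporting Event ID 1001 message, e.g.
    # "The bugcheck was: 0x000000c4 (0x..., 0x..., 0x..., 0x...). A dump was saved in: C:\Windows\MEMORY.DMP."
    param([Parameter(Mandatory)][string]$Message, [datetime]$Time)
    $pattern = 'bugcheck was: 0x(?<code>[0-9a-fA-F]+)\s*\((?<params>[^)]*)\)' +
               '(?:.*?dump was saved in: (?<dump>.+?)\.(?=\s|$))?'
    $m = [regex]::Match($Message, $pattern)
    if (-not $m.Success) { return $null }
    $code = [int][Convert]::ToInt64($m.Groups['code'].Value, 16)
    [pscustomobject]@{
        Time       = $Time
        BugCheck   = ('0x{0:X}' -f $code)
        Parameters = ($m.Groups['params'].Value -split ',\s*')
        DumpPath   = if ($m.Groups['dump'].Success) { $m.Groups['dump'].Value } else { $null }
        Verifier   = $VerifierBugChecks.ContainsKey($code)   # true for the codes listed above
        Meaning    = $VerifierBugChecks[$code]
    }
}

function Get-VerifierBugCheck {
    # Pulls recent crash-reboot events from the System log and keeps the verifier-related ones.
    param([int]$MaxEvents = 20)
    Get-WinEvent -FilterHashtable @{ LogName = 'System'
                                     ProviderName = 'Microsoft-Windows-WER-SystemErrorReporting'
                                     Id = 1001 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertFrom-BugCheckMessage -Message $_.Message -Time $_.TimeCreated } |
        Where-Object { $_ -and $_.Verifier }
}

# Constructed sample in the shape Windows writes (not a real crash), so the parser can be tried offline.
$sample = 'The computer has rebooted from a bugcheck.  The bugcheck was: 0x000000c4 ' +
          '(0x0000000000000091, 0x0000000000000002, 0xffffe00012345678, 0x0000000000000000). ' +
          'A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 00000000-0000-0000-0000-000000000000.'
ConvertFrom-BugCheckMessage -Message $sample -Time (Get-Date) | Format-List

# On the test system (elevated PowerShell), list only verifier-related crashes and their dump paths:
# Get-VerifierBugCheck | Select-Object Time, BugCheck, Meaning, DumpPath
```

Open the DumpPath reported for a verifier-related entry in WinDbg and run `!analyze -v`, focusing on the driver that was being verified.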
Best Practices
- Isolate Drivers: Verify one driver at a time if possible to make debugging easier.
- Use Test Systems: Never enable Driver Verifier on production machines.
- Enable Verbose Logging: If available, enable logging to capture more details about the driver's actions.
- Reboot After Changes: Changes to Driver Verifier settings require a reboot to take effect.
- Analyze Dumps Thoroughly: Use debugging tools to analyze memory dumps after a crash.