Identify the User-Mode Drivers Loaded into a WUDFHost.exe Instance

February 8, 2013

one comment

Once upon a time, it was fairly challenging to determine which services were running in an individual svchost.exe process. Today, with Process Explorer, there’s nothing easier – just hover over the svchost.exe process and you get a list of services, or double-click an svchost.exe process and go to the Services tab:


A similar problem can arise with user-mode drivers (UMDF). User-mode drivers are COM DLLs loaded into WUDFHost.exe processes, and some WUDFHost.exe processes may contain more than one user-mode driver. Process Explorer does not help in identifying which user-mode drivers are loaded into a WUDFHost.exe process, and although you can look at the list of DLLs and try to identify the ones that represent drivers, a more reliable way is desired. One option is to look at the list of threads inside the process, and identify command threads for UMDF drivers, such as this one:


A more reliable approach that will give you additional information on the driver and the device stack is the following:

  1. Run WinDbg as an administrator and attach (File > Attach to Process) to the WUDFHost.exe process in which you are interested.
  2. Type .load wudfext
  3. Type !umdevstacks

The resulting output will be similar to the following, and allow you to identify which device stacks (and hence user-mode drivers) are hosted in that process:

0:009> .load wudfext
0:009> !umdevstacks
Number of device stacks: 1
  Device Stack: 0x0000009d88ad5810    Pdo Name: \Device\0000001c
    Active: Yes
    Number of UM devices: 1
    Device 0
      Driver Config Registry Path: SensorsSimulatorDriver
      UMDriver Image Path: C:\Windows\system32\DRIVERS\UMDF\SensorsSimulatorDriver.dll
      Fx Driver: IWDFDriver 0x9d88d39e28
      Fx Device: IWDFDevice 0x9d88d3a118
        IDriverEntry: (unknown type) 0x0000009d88af21b0
      Open UM files (use !umfile <addr> for details): <None>
      Device XFerMode: CopyImmediately RW: Buffered CTL: Buffered
      Object Tracker Address: 0x0000000000000000
        Object   Tracking OFF
        Refcount Tracking OFF
    DevStack XFerMode: CopyImmediately RW: Buffered CTL: Buffered

This gives you enough information to identify everything that’s going on inside that process. By the way, if you’re into UMDF development, you should certainly check out other commands from the wudfext extension, that will give you insight into specific I/O requests, queues, and other UMDF objects.

I am posting short links and updates on Twitter as well as on this blog. You can follow me: @goldshtn

Add comment
facebook linkedin twitter email

Leave a Reply

Your email address will not be published.

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>


one comment

  1. BarakFebruary 11, 2013 ב 3:03 AM

    Wdf Verifier will also be a good place to look in this case.