When ViShutdownWatchdogDpc DPC routine runs, it updates an internal count that keeps track of how many times it has been called (which would be set to 1 in this call). It then clears Force IRQL Checking1 verifier bit before calling VfShutdownScheduleWatchdog again. VfShutdownScheduleWatchdog sets up the 10 minute timer again so ViShutdownWatchdogDpc is set to be called again upon timer expiry.

When ViShutdownWatchdogDpc DPC routine runs a second time, verifier knows shutdown has taken more than 20 minutes and so if a kernel debugger is present, prints the message above and breaks into the debugger. If no debugger is present, verifier does a DRIVER_VERIFIER_DETECTED_VIOLATION (0xc4) bugcheck with first parameter set to 0x115 and parameter 2 set to the shutdown thread address.

Note that the shutdown thread reported by verifier is not the thread that initiated shutdown last from user mode2. It is the kernel worker thread that does kernel mode shutdown processing such as shutting down kernel subcomponents like Transaction Manager,  registry, I/O Manager and PnP Manager.

1consequently it may be ok during system shutdown if !verifier output in debugger does not exactly match verifier settings you thought you had set. As to why Force IRQL Checking is disabled when shutdown watchdog times out the first time, your guess is probably as good as mine.

2and of course it is not the original user-mode thread that initiated the shutdown process.

Tagged with →  
Share →

Leave a Reply

Your email address will not be published. Required fields are marked *

*

Looking for something?

Use the form below to search the site:


Still not finding what you're looking for? Drop us a note so we can take care of it!

Visit our friends!

A few highly recommended friends...

Set your Twitter account name in your settings to use the TwitterBar Section.