How do I figure out which host contains my driver?

Let's say you're lucky enough to have more than one user-mode driver running on your system. How would you figure out which host process is running your driver?

Let's take my laptop. By luck I happen to have installed both the UMDF skeleton and echo drivers. I'm interested in debugging the echo driver (the skeleton does almost nothing so it's not really worth debugging :) ). Device manager shows me this:

And there are two host processes:

    tasklist | findstr -i wudfhost.exe
    WUDFHost.exe    4668 Services    0    3,572 K
    WUDFHost.exe    4296 Services    0    3,540 K

How do I know which is which?

Praveen found a really good trick for this. Tasklist has a /M flag which lets you look for processes with a particular module loaded. So if I want to know which host has wudfechodriver.dll loaded I can simply run:

    tasklist /m wudfechodriver.dll
    Image Name      PID   Modules
    WUDFHost.exe    4668  WUDFEchoDriver.dll

Note that you need to do this from an elevated command window on Vista - WUDFHost runs as LocalService in session 0 and isn't normally visible to an unelevated process.

Also if you're a PowerShell sort of person (as I'm rapidly becoming) you could run:

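    # Walk every UMDF host process and print its process summary
    foreach($p in get-process wudfhost) {
        $p | format-table
        # Keep only the modules loaded from the UMDF driver directory
        $p.Modules | 
            ? {$_.FileName -like "$env:windir\system32\drivers\umdf\*"} | 
            format-table -autosize
    }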

to get:

    Handles NPM(K) PM(K) WS(K) VM(M) CPU(s)   Id ProcessName
    ------- ------ ----- ----- ----- ------   -- -----------
        124      3  2092  3508    31   0.05 4296 WUDFHost

    Size(K) ModuleName       FileName
    ------- ----------       --------
    24      UMDFSkeleton.dll C:\Windows\System32\drivers\UMDF\UMDFSkeleton.dll

    Handles NPM(K) PM(K) WS(K) VM(M) CPU(s)   Id ProcessName
    ------- ------ ----- ----- ----- ------   -- -----------
        124      3  2100  3568    31   0.03 4668 WUDFHost

    Size(K) ModuleName         FileName
    ------- ----------         --------
    28      WUDFEchoDriver.dll C:\Windows\System32\drivers\UMDF\WUDFEchoDriver.dll

I like this technique a little more because it shows all the hosts and lists every UMDF driver that's loaded in that host, not just the one you were asking about.  But it requires you to use PowerShell.
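The same lookup as a reusable function that returns one object per loaded UMDF driver and accounts for the elevation requirement noted above. This is an added example, not code from the original post; the function name `Find-UmdfHost` and its `-Driver` parameter are hypothetical.

```powershell
# Added example, not part of the original post. Find-UmdfHost is a hypothetical name.
function Find-UmdfHost {
    param(
        # Driver DLL name or wildcard, e.g. 'WUDFEchoDriver.dll'; default lists everything
        [string]$Driver = '*'
    )

    # WUDFHost runs as LocalService in session 0, so its modules are
    # normally hidden from an unelevated shell. Warn up front.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal $identity
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        Write-Warning 'Shell is not elevated; WUDFHost modules may not be visible.'
    }

    $umdfDir = Join-Path $env:windir 'System32\drivers\UMDF'

    foreach ($p in Get-Process -Name WUDFHost -ErrorAction SilentlyContinue) {
        # Module enumeration can fail or come back empty when access is denied.
        $modules = $null
        try { $modules = $p.Modules } catch { }
        if (-not $modules) {
            Write-Warning "No modules readable for WUDFHost PID $($p.Id)."
            continue
        }

        $modules |
            Where-Object { $_.FileName -like "$umdfDir\*" -and $_.ModuleName -like $Driver } |
            ForEach-Object {
                # One row per (host, driver) pair so the result can be filtered or sorted
                New-Object PSObject -Property @{
                    HostPid = $p.Id
                    Driver  = $_.ModuleName
                    Path    = $_.FileName
                }
            }
    }
}

# Which host PID holds the echo driver?
Find-UmdfHost -Driver 'WUDFEchoDriver.dll' | Format-Table HostPid, Driver, Path -AutoSize
```

Calling `Find-UmdfHost` with no argument lists every host and every UMDF driver loaded in it, which is the behaviour of the loop shown earlier.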
