How to trace who closes a file handle?
With Driver Verifier enabled (verifier.exe /standard /driver mydriver.sys),
Handle Tracing will be enabled for the System process. You might be able to
find who closed the handle this way:

1. Find the address of the System process:

    0: kd> !process 4 0
    Searching for Process with Cid == 4
    Cid Handle table at 948ef000 with 620 Entries in use
    PROCESS 843edd40 SessionId: none Cid: 0004 Peb: 00000000 ParentCid: 0000
    DirBase: 00185000 ObjectTable: 89201df0 HandleCount: 480.
    Image: System

843edd40 is the System process' address on my machine.

2. Check if someone closed that handle recently:

    0: kd> !htrace 0xcc8 843edd40