
I need some guidance in how to troubleshoot a low level issue I am facing with some USB devices.

Background: I have a .NET Windows Service that scans connected USB devices via WMI queries and reads low-level USB data using external C code.

Although it happens seldom, once in a while a USB device (keyboard, mouse or smart card reader) stops functioning. Looking at Windows's Device Manager, the device shows with a yellow triangle with an exclamation mark. Looking at Event Viewer's Microsoft-Windows-Kernel-PnP log, I see the following error (for a mouse, in this case):


XML View:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Kernel-PnP" Guid="{9c205a39-1250-487d-abd7-e831c6290539}" />
    <EventID>411</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x4000000000000000</Keywords>
    <TimeCreated SystemTime="2022-12-22T08:15:21.1540378Z" />
    <EventRecordID>300</EventRecordID>
    <Correlation />
    <Execution ProcessID="4" ThreadID="3780" />
    <Channel>Microsoft-Windows-Kernel-PnP/Configuration</Channel>
    <Computer>MyComputerName</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <EventData>
    <Data Name="DeviceInstanceId">USB\VID_03F0&PID_094A\6&1ab5e341&0&2</Data>
    <Data Name="DriverName">input.inf</Data>
    <Data Name="ClassGuid">{745a17a0-74d3-11d0-b6fe-00a0c90f57da}</Data>
    <Data Name="ServiceName">HidUsb</Data>
    <Data Name="LowerFilters" />
    <Data Name="UpperFilters" />
    <Data Name="Problem">0x26</Data>
    <Data Name="Status">0xc000038e</Data>
  </EventData>
</Event>

How does one proceed from here?

There is no clear indication that the error is caused by the interactions with my .NET Service. In any case, I guess I need to figure out how such messages are written to Windows' ETW. From there, try to locate where in the C code there is a hook or piece of code that feeds the given ETW listener.

  1. Is this the right track? Are there shorter alternatives? Am I missing anything else?
  2. Could not find conclusive info on what the 0x26 error/0xc000038e status codes mean. Is there a specific resource for that?
  3. Is there a way I can dump data from such error instances into a tool like Windows Debugger so it loads the state of all the parts involved - and perhaps help ?
  4. Identify the installed driver for this specific device - and search for logs it eventually writes?
Veverke
    0:000> !error 0xc000038e
    Error code: (NTSTATUS) 0xc000038e (3221226382) - The driver could not be loaded because a previous version of the driver is still in memory.
    Try verifying your load/unload paths, maybe. – blabb Jan 06 '23 at 07:12

1 Answer

As I commented, the error seems to be propagated from the IopLoadDriver / IopUnloadDriver paths, especially at nt!PipCallDriverAddDeviceQueryRoutine.

If you can set up a kd connection, set a bp on these routines and get a stack trace to analyze it better.

0: kd> # c000038e fffff807`33000000 L?(fffff807`34046000-fffff807`33000000)

returns

nt!IopLoadUnloadDriver+0x60:
fffff807`33777b30 81fb8e0300c0    cmp     ebx,0C000038Eh
nt!IopLoadDriver+0xec759:
fffff807`3381d661 41be8e0300c0    mov     r14d,0C000038Eh
nt!PipCallDriverAddDeviceQueryRoutine+0xeb73b:
fffff807`3381e2f3 41b88e0300c0    mov     r8d,0C000038Eh

A cursory glance in Ghidra shows 26 being assigned to a variable:

  uVar11 = 0xc000038e;
  if (iVar7 == 0xc000038e) {
    uVar16 = 0x26;

or in disassembly:

   14081e2f3 41 b8 8e        MOV        param_3,0xc000038e
             03 00 c0
   14081e2f9 41 3b d8        CMP        iVar7,param_3
   14081e2fc 74 b9           JZ         LAB_14081e2b7

which jumps to

14081e2b7 ba 26 00 00 00         MOV        param_2,0x26
14081e2bc e8 13 1d f2 ff         CALL       PipSetDevNodeProblem 

A DeviceNode problem will normally be reflected in a yellow bang or an event log being written,

so you should probably check where your code might try to prevent unloading, loading or keep a handle open.

blabb
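As an added example (not part of the question or the answer above), this Python sketch triages an exported Kernel-PnP event 411: it pulls the VID/PID out of DeviceInstanceId, maps Problem 0x26 to its cfg.h name, and splits the Status NTSTATUS into its bit fields. The function names `triage` and `decode_ntstatus` are hypothetical, and the sample XML is constructed from the values shown in the question.

```python
import re
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Only the two values seen on this page (names from cfg.h and ntstatus.h).
CM_PROBLEMS = {0x26: "CM_PROB_DRIVER_FAILED_PRIOR_UNLOAD"}
NTSTATUS_NAMES = {0xC000038E: "STATUS_DRIVER_FAILED_PRIOR_UNLOAD"}
SEVERITY = ("success", "informational", "warning", "error")

# Constructed sample: fields from the event in the question, '&' escaped as in real XML.
SAMPLE = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>411</EventID>
    <TimeCreated SystemTime="2022-12-22T08:15:21.1540378Z" />
  </System>
  <EventData>
    <Data Name="DeviceInstanceId">USB\VID_03F0&amp;PID_094A\6&amp;1ab5e341&amp;0&amp;2</Data>
    <Data Name="ServiceName">HidUsb</Data>
    <Data Name="Problem">0x26</Data>
    <Data Name="Status">0xc000038e</Data>
  </EventData>
</Event>"""

def decode_ntstatus(value):
    """Split a 32-bit NTSTATUS into severity, customer bit, facility and code."""
    return {
        "severity": SEVERITY[value >> 30],
        "customer": bool(value & 0x20000000),
        "facility": (value >> 16) & 0x0FFF,
        "code": value & 0xFFFF,
        "name": NTSTATUS_NAMES.get(value, "unknown"),
    }

def triage(event_xml):
    root = ET.fromstring(event_xml)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "411":
        raise ValueError("not a Kernel-PnP event 411")
    data = {d.get("Name"): (d.text or "") for d in root.iterfind("e:EventData/e:Data", NS)}
    ids = re.search(r"VID_([0-9A-F]{4})&PID_([0-9A-F]{4})", data["DeviceInstanceId"], re.I)
    problem = int(data["Problem"], 16)
    return {
        "time": root.find("e:System/e:TimeCreated", NS).get("SystemTime"),
        "vid_pid": ids.groups() if ids else None,
        "service": data["ServiceName"],
        "problem": CM_PROBLEMS.get(problem, hex(problem)),
        "status": decode_ntstatus(int(data["Status"], 16)),
    }

print(triage(SAMPLE))
```

Run over every exported 411 event, the same function lets you group failures by device and service and compare their timestamps with your service's scan activity.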