Windows System Software -- Consulting, Training, Development -- Unique Expertise, Guaranteed Results
verifier.exe /bootmode resetonbootfail
Yes, it is an EV certificate.
I was away for a few days working on application level software. Got that release out today and came back to the driver. I had already tried /tr, but hadn't tried the /fd SHA256. I added that and the sign file uploaded. I was close, but left out one flag.
I didn't find those links in my searching. In the page where they give you the file to sign, they give you a link to the documentation for the sign tool, but no indication of which flags you're supposed to use. Microsoft frequently provides links that aren't very helpful. It's massively annoying.
Perhaps review https://learn.microsoft.com/en-us/windows-hardware/drivers/dashboard/code-signing-cert-manage.
You haven't explicitly said you're selecting an EV certificate to sign SignableFile.bin with, but that's what we're assuming.
However, in addition, you need to force the digest to SHA256 using the "/fd sha256" switch to signtool.exe, and you also need to use an SHA256 time stamping service using /TR instead of /T.
There are some example command lines for you in https://www.digicert.com/kb/code-signing/ev-authenticode-certificates.htm as well.
I too do not expect the company name to require an exact match to the provided certificate(s), at least based on past experience.
My guess is that the WDK and SDK are not compatible with (3). The only ways I know that work are EWDK or full VS install with WDK+SDK.
And don't forget to set the magic DmaRemappingCompatible registry value:
Nice! Did it actually show the legacy filter?
Yes, it was a third-party app that was not fully removed; removing it solved the problem.
One interesting observation: it seems that the split of frames happens based on the group of the legacy filter, so for example if the group is "FSFilter Continuous Backup", and there are minifilters that have higher and lower altitudes than this, it will cause a split (which makes sense). In this case the minifilters above this legacy filter will have their own frame (which is similar to another legacy filter), and the same goes for the lower minifilters.
But the funny part is, if the legacy filter doesn't have a group in its service key (meaning its INF file), Windows gives it a random altitude upon first installation (I think it was ~280000), which most of the time would cause a frame split. BUT, after the first reboot, there will no longer be a split, since it seems that after the reboot, Windows will now give it the highest altitude possible in order to stop the split! Not sure what is happening exactly.
There is a similar issue reported, but with no reply from MS: https://social.msdn.microsoft.com/Forums/sqlserver/en-US/3d7e45ee-d3dd-49cf-8599-743cdac76097/fwpsflowremovecontext-returns-statusunsuccessful?forum=wfp
Right! I am writing a volume filter driver and was thinking fast I/O concepts come in at the volume level too. Now it's clear to me. Thanks for the lead.
You can do the reading about this. That first section is from an INF for a specific device. The "HKR" symbol in that case means "the registry key for this device". You are installing a class filter using a non-PnP INF, which is essentially a lightweight installer application. Your INF is not for a specific device, so there isn't any place for "HKR" to point to.
And you are using the magic number 0x00010000, which indicates that the value should be REG_MULTI_SZ. Most people define symbols for those, so they don't have to remember the magic numbers each time. In the string section, you'll find
REG_MULTI_SZ = 0x00010000
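To illustrate the point about HKR versus HKLM and the REG_MULTI_SZ flag, here is an added example of a non-PnP class filter INF (written for this thread, not taken from the original poster or from Microsoft). The class GUID, service name and provider name are placeholders.

```inf
; Added example (not from the original thread): a non-PnP class filter INF.
; It writes under HKLM because a non-PnP INF has no device key for HKR.
[Version]
Signature   = "$WINDOWS NT$"
Class       = Volume
ClassGuid   = {PLACEHOLDER-CLASS-GUID}
Provider    = %Provider%
CatalogFile = MyClassFilter.cat
DriverVer   = 01/01/2024,1.0.0.0

[DestinationDirs]
DefaultDestDir = 12                ; %SystemRoot%\System32\drivers

[SourceDisksNames]
1 = %DiskName%,,,""

[SourceDisksFiles]
MyClassFilter.sys = 1,,

[DefaultInstall.NTamd64]
CopyFiles = MyClassFilter.CopyFiles
AddReg    = MyClassFilter.AddReg

[DefaultInstall.NTamd64.Services]
AddService = %ServiceName%,,MyClassFilter.Service

[MyClassFilter.CopyFiles]
MyClassFilter.sys

[MyClassFilter.Service]
DisplayName   = %ServiceName%
ServiceType   = 1                  ; SERVICE_KERNEL_DRIVER
StartType     = 3                  ; SERVICE_DEMAND_START
ErrorControl  = 1                  ; SERVICE_ERROR_NORMAL
ServiceBinary = %12%\MyClassFilter.sys

; HKLM, not HKR: no per-device key exists in a non-PnP install.
; REG_MULTI_SZ | FLG_ADDREG_APPEND keeps other UpperFilters entries
; and appends this service instead of replacing the whole list.
[MyClassFilter.AddReg]
HKLM,%ClassKey%,UpperFilters,%REG_MULTI_SZ_APPEND%,%ServiceName%

[Strings]
Provider            = "Example Provider (placeholder)"
DiskName            = "MyClassFilter Installation Disk"
ServiceName         = "MyClassFilter"
ClassKey            = "SYSTEM\CurrentControlSet\Control\Class\{PLACEHOLDER-CLASS-GUID}"
REG_MULTI_SZ        = 0x00010000
REG_MULTI_SZ_APPEND = 0x00010008   ; REG_MULTI_SZ | FLG_ADDREG_APPEND (0x8)
```

Using the append flag matters for safety: writing UpperFilters with plain REG_MULTI_SZ replaces the list and silently drops any other class filter already registered there.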