Before Posting...

Please check out the Community Guidelines in the Announcements and Administration Category.

More Info on Driver Writing and Debugging

The free OSR Learning Library has more than 50 articles on a wide variety of topics about writing and debugging device drivers and Minifilters. From introductory level to advanced. All the articles have been recently reviewed and updated, and are written using the clear and definitive style you've come to expect from OSR over the years.

Check out The OSR Learning Library at: https://www.osr.com/osr-learning-library/

Best Of

Re: Is it possible to automatically turn off driver verifier after the reboot?

verifier.exe /bootmode resetonbootfail

tnodir

Re: Azure Account Setup Problem

Yes, it is an EV certificate.

I was away for a few days working on application level software. Got that release out today and came back to the driver. I had already tried /tr, but hadn't tried the /fd SHA256. I added that and the sign file uploaded. I was close, but left out one flag.

I didn't find those links in my searching. In the page where they give you the file to sign, they give you a link to the documentation for the sign tool, but no indication of which flags you're supposed to use. Microsoft frequently provides links that aren't very helpful. It's massively annoying.

Thank you

Bill_Olson

Re: Azure Account Setup Problem

Perhaps review https://learn.microsoft.com/en-us/windows-hardware/drivers/dashboard/code-signing-cert-manage.

You haven't explicitly said you're selecting an EV certificate to sign SignableFile.bin with, but that's what we're assuming.

However, in addition, you need to force the digest to SHA256 using the "/fd sha256" switch to signtool.exe, and you also need to use an SHA256 time stamping service using /TR instead of /T.

Some example command lines for you in https://www.digicert.com/kb/code-signing/ev-authenticode-certificates.htm as well.

I too do not expect for company name to require an exact match to provided certificate(s), at least based on past experience.

Alan_Adams

Re: WDK 2022 with VS 2022 Build Tools?

My guess is that the WDK and SDK are not compatible with (3). The only ways I know that work are EWDK or full VS install with WDK+SDK.

Mark_Roddy

Re: IOMMU fault in KMDF driver when pcie device dma reads the MmAllocateContiguousMemory buffer

And don't forget to set the magic DmaRemappingCompatible registry value:

https://learn.microsoft.com/en-us/windows-hardware/drivers/pci/enabling-dma-remapping-for-device-drivers

Scott_Noone_(OSR)

Re: SYSTEM_THREAD_EXCEPTION_NOT_HANDLED after calling FltStartFiltering on a system with multiple frames

@Scott_Noone_(OSR) said:
Nice! Did it actually show the legacy filter?

Yes it was a third party app that was not fully removed, removing it solved the problem.

One interesting observation: It seems like that the split of frames happens based on the group of the legacy filter, so for example if the group is "FSFilter Continuous Backup", and there are minifilters that have higher and lower altitude than this, it will cause a split (which makes sense). In this case the minifilters above this legacy filter will have their own frame (which is similar to another legacy filter), and the same goes with the lower minifilters.

But the funny part is, if the legacy filter doesn't have a group in its service key (meaning its INF file), windows gives it a random altitude uppon first installation (I think it was ~280000), which most of the time would cause a frame split. BUT, after the first reboot, there will be no longer a split, since it seems like after the reboot, Windows will now give it the highest altitude possible in order to stop the split! Not sure what is happening exactly.

brad_H

Re: How to tell if a file has had a write operation in the pre-cleanup callback routine

Just to add: BypassIo can also bypass write filters completely, but this
you can detect and veto.

Dejan_Maksimovic

Re: WFP callout unload/load problem when using FwpsFlowAssociateContext0(...) function

john-7

Re: How can I retrieve the disk offset to where a PFAST_IO_WRITE is being sent to?

Right! I am writing a volume filter driver and was thinking fast I/O concepts come in volume level too. Now its clear to me. Thanks for the lead.

sbhat

Re: Creating a mouse filter with an INF

You can do the reading about this. That first section is from an INF for a specific device. The "HKR" symbol in that case means "the registry key for this device". You are installing a class filter using a non-PnP INF, which is essentially a lightweight installer application. Your INF is not for a specific device, so there isn't any place for "HKR" to point to.

And you are using the magic number 0x00010000, which indicates that the value should REG_MULTI_SZ. Most people define symbols for those, so they don't have to remember the magic numbers each time. In the string section, you'll find

REG_MULTI_SZ = 0x00010000

Tim_Roberts