Well it has been years since I used ObRegisterCallbacks but you do not specify the process you are monitoring, it basically calls for all CREATES or DUPLICATES of handles of type either process or thread. So you don't set the call on a specific process, you create a callback that has to determine if this is a process you are concerned about.

Not it is not best practice to look at other softwares state. If you want your installed software to configure the driver, the app should either set that state by communicating with the driver at runtime or configuring the driver ah install time.

Does the statement hold true for UMDF driver as well?

Nope.

When you're running in user-mode, you're always at IRQL DISPATCH_LEVEL in your driver. So, you should be fine.

For good measure, you might want to set a ExecutionLevel constraint of WdfExecutionLevelPassive...

Peter

When running in user mode you are always at PASSIVE_LEVEL, never above.

I am actively trying to get an updated, definitive, answer to what the precise plan is for driver signing for Windows OS versions prior to Win10. I think this is a very important issue.

I’ll let you all know when/if I hear anything definitive.

Peter

just tested, it's work perfect with ZwQuerySystemInformation

The problem with having a service do your signing is liability. The WHOLE POINT of driver signing is legal liability. The company who issues you a certificate is asserting, legally, "I believe this company is who they say they are." When you sign a driver package, you are saying "I wrote this, and I stand by the testing" (and that IS what you are saying -- read the fine print when you make your account).

Thus, if your driver causes a blue screen in a hospital monitor that ends up injuring someone, the lawyers can hold you legally liable, with a traceable path that will stand up in court. They know you wrote it, because it was signed with your certificate.

No third party with any brains will be willing to take on that liability for another company.

In my office there is a poster from the 1980's entitled 'Murphy's computer law'. One of the tenants is that it is morally wrong to let naive end users keep their money. This discussion reminded me of that.

THINK about what you're asking. The layers below you have no clue whether the request came from you or from above you. It's just an IRP.

Yes. You could... ah... try it in less time than it takes to ask the question, don’t you think.

Peter