WMI Filter driver

OSR_Community_User · October 30, 2016, 8:03am

is it possible to write a wmi minifilter driver?
For example, receiving any call made to any wmi class or specific name-spaces?
If so, what is the relevant msdn documentation \ code examples that do just that?

I want to alter and read data sent and received by these wmi classes and i did not find any (simple) method to do that in usermode, only through dllproxying which is terrible, i’m looking for a more infrastructure-like solution

Thanks in advanced.

Doron_Holan · October 30, 2016, 10:11am

There is no supported way to do what you want.

Bent by my phone

From: xxxxx@lists.osr.com on behalf of xxxxx@seculert.com
Sent: Sunday, October 30, 2016 5:03:11 AM
To: Windows System Software Devs Interest List
Subject: [ntdev] WMI Filter driver

is it possible to write a wmi minifilter driver?
For example, receiving any call made to any wmi class or specific name-spaces?
If so, what is the relevant msdn documentation \ code examples that do just that?

I want to alter and read data sent and received by these wmi classes and i did not find any (simple) method to do that in usermode, only through dllproxying which is terrible, i’m looking for a more infrastructure-like solution

Thanks in advanced.

—
NTDEV is sponsored by OSR

Visit the list online at: http:

MONTHLY seminars on crash dump analysis, WDF, Windows internals and software drivers!
Details at http:

To unsubscribe, visit the List Server section of OSR Online at http:</http:></http:></http:>

OSR_Community_User · October 31, 2016, 4:56am

alright, could you at least tell me which driver.sys \ mechanism is
responsible for accepting the wmi query requests?

On Sun, Oct 30, 2016 at 4:11 PM, Doron Holan
wrote:

> There is no supported way to do what you want.
>
> Bent by my phone
> ------------------------------
> From: xxxxx@lists.osr.com > osr.com> on behalf of xxxxx@seculert.com
> Sent: Sunday, October 30, 2016 5:03:11 AM
> To: Windows System Software Devs Interest List
> Subject: [ntdev] WMI Filter driver
>
> is it possible to write a wmi minifilter driver?
> For example, receiving any call made to any wmi class or specific
> name-spaces?
> If so, what is the relevant msdn documentation \ code examples that do
> just that?
>
> I want to alter and read data sent and received by these wmi classes and i
> did not find any (simple) method to do that in usermode, only through
> dllproxying which is terrible, i’m looking for a more infrastructure-like
> solution
>
> Thanks in advanced.
>
> —
> NTDEV is sponsored by OSR
>
> Visit the list online at: http:> showlists.cfm?list=ntdev>
>
> MONTHLY seminars on crash dump analysis, WDF, Windows internals and
> software drivers!
> Details at http:
>
> To unsubscribe, visit the List Server section of OSR Online at <
> http://www.osronline.com/page.cfm?name=ListServer>
>
> —
> NTDEV is sponsored by OSR
>
> Visit the list online at: http:> showlists.cfm?list=ntdev>
>
> MONTHLY seminars on crash dump analysis, WDF, Windows internals and
> software drivers!
> Details at http:
>
> To unsubscribe, visit the List Server section of OSR Online at <
> http://www.osronline.com/page.cfm?name=ListServer>
></http:></http:></http:></http:>

Doron_Holan · October 31, 2016, 9:50am

Each driver register any number of providers, the um to km transition is over an Nt API. Most of the db is in user mode iirc, the containing component changes over time

Bent by my phone

From: xxxxx@lists.osr.com on behalf of Ariel Koren
Sent: Monday, October 31, 2016 1:55:40 AM
To: Windows System Software Devs Interest List
Subject: Re: [ntdev] WMI Filter driver

alright, could you at least tell me which driver.sys \ mechanism is responsible for accepting the wmi query requests?

On Sun, Oct 30, 2016 at 4:11 PM, Doron Holan > wrote:

There is no supported way to do what you want.

Bent by my phone

________________________________
From: xxxxx@lists.osr.com mailto:xxxxx > on behalf of xxxxx@seculert.com mailto:xxxxx >
Sent: Sunday, October 30, 2016 5:03:11 AM
To: Windows System Software Devs Interest List
Subject: [ntdev] WMI Filter driver

is it possible to write a wmi minifilter driver?
For example, receiving any call made to any wmi class or specific name-spaces?
If so, what is the relevant msdn documentation \ code examples that do just that?

I want to alter and read data sent and received by these wmi classes and i did not find any (simple) method to do that in usermode, only through dllproxying which is terrible, i’m looking for a more infrastructure-like solution

Thanks in advanced.

—
NTDEV is sponsored by OSR

Visit the list online at: http:

MONTHLY seminars on crash dump analysis, WDF, Windows internals and software drivers!
Details at http:

To unsubscribe, visit the List Server section of OSR Online at http:

—
NTDEV is sponsored by OSR

Visit the list online at: http:

MONTHLY seminars on crash dump analysis, WDF, Windows internals and software drivers!
Details at http:

To unsubscribe, visit the List Server section of OSR Online at http:

— NTDEV is sponsored by OSR Visit the list online at: MONTHLY seminars on crash dump analysis, WDF, Windows internals and software drivers! Details at To unsubscribe, visit the List Server section of OSR Online at</http:></http:></http:></http:></http:></http:></mailto:xxxxx></mailto:xxxxx>

Tim_Roberts · October 31, 2016, 11:24am

Ariel Koren wrote:

alright, could you at least tell me which driver.sys \ mechanism is
responsible for accepting the wmi query requests?

That’s what IRP_MJ_SYSTEM_CONTROL is for.

–
Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.