saving persistent registry information for a filter driver

makrurisan_makkeln Member - All Emails Posts: 99
What is the recommended place to save persistent information for a filter driver or others?
I have seen that some places are changing over restart and repair.

Is this good:
"\\Registry\\Machine\\System\\CurrentControlSet\\Enum\\" {Class}

Comments

  • Tim_Roberts Member - All Emails Posts: 12,714
    On Mar 12, 2018, at 11:40 PM, xxxxx@x-publisher.com <xxxxx@lists.osr.com> wrote:
    >
    > What is the recommended place to save persistent information for a filter driver or others?
    > I have seen that some places are changing over restart and repair.
    >
    > Is this good:
    > "\\Registry\\Machine\\System\\CurrentControlSet\\Enum\\" {Class}

    You don't ever specify the path directly. Use WdfDeviceOpenRegistryKey to get the proper key.

    It depends. Is this information that is common to all instances? If so, then you'd put it in the "Services" key by using PLUGPLAY_REGKEY_DRIVER. If the information is specific to each device, then you'd put in the "Enum" key by using PLUGPLAY_REGKEY_DEVICE.

    Tim Roberts, xxxxx@probo.com
    Providenza & Boekelheide, Inc.


  • makrurisan_makkeln Member - All Emails Posts: 99
    thank you Tim,
    Using WdfDeviceOpenRegistryKey we get WDFKEY. Is this castable to HANDLE to use with ZwEnumerateKey?
  • Doron_Holan Member - All Emails Posts: 10,379
    Wdf handles are not castable to anything else. They have Get or Retrieve functions to return the underlying properties. WdfRegistryWdmGetHandle

    d

    Bent from my phone
  • makrurisan_makkeln Member - All Emails Posts: 99
    If I do the following:
    WdfDeviceOpenRegistryKey(device, PLUGPLAY_REGKEY_DRIVER...
    I see that the variables are written to:
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e96b-e325-11ce-bfc1-08002be10318}\0025
    What does "0025" and what does "ControlSet001" mean?
    @Tim: I don't see Services in the name.

    I am a little bit confused. I want to save some information under my filter driver and my driver class starts with "{A3E32DBA..."
    How can or should I do this if I shouldn't use the path directly?
  • Don_Burn Member - All Emails Posts: 1,630
    There are multiple ControlSet00x one of which is pointed to by the symbolic
    link CurrentControlSet which is all you should ever worry about.

    As Tim Roberts already said:
    " It depends. Is this information that is common to all instances? If so,
    then you'd put it in the "Services" key by using PLUGPLAY_REGKEY_DRIVER. If
    the information is specific to each device, then you'd put in the "Enum" key
    by using PLUGPLAY_REGKEY_DEVICE."

    Under the services key, of the CurrentControlSet is a name for your drivers
    service, that is specified in the INX file. Under the Enum key is a key
    for the key for the specific class of device, and under it the specific
    device instance.


    Don Burn
    Windows Driver Consulting
    Website: http://www.windrvr.com



  • Tim_Roberts Member - All Emails Posts: 12,714
    xxxxx@x-publisher.com wrote:
    > thank you Tim,
    > Using WdfDeviceOpenRegistryKey we get WDFKEY. Is this castable to HANDLE to use with ZwEnumerateKey?

    Google would have told you this.  There are "get" and "set" functions
    within KMDF directly: WdfRegistryAssignXxx and WdfRegistryQueryXxx.  If
    you're persisting data, you don't usually need to enumerate the subkeys,
    but as Doron said, WdfRegistryWdmGetHandle will let you do that.

    --
    Tim Roberts, xxxxx@probo.com
    Providenza & Boekelheide, Inc.


  • Tim_Roberts Member - All Emails Posts: 12,714
    xxxxx@x-publisher.com wrote:
    > If I do the following:
    > WdfDeviceOpenRegistryKey(device, PLUGPLAY_REGKEY_DRIVER...
    > I see that the variables are written to:
    > HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e96b-e325-11ce-bfc1-08002be10318}\0025
    > What does "0025" and what does "ControlSet001" mean?

    Windows keeps several copies of the driver/device configuration
    information in the registry, for recoverability purposes, called
    ControlSet001, ControlSet002, etc.  There is an alias called
    CurrentControlSet that points to the one currently active.  You don't
    see it much any more, but at boot time you have the option to boot to
    the "last known good configuration"; all that does is switch the
    CurrentControlSet link to the previous one.  As a coder, you will always
    use CurrentControlSet.

    {4d36e96b-e325-11ce-bfc1-08002be10318} is the ClassGuid for keyboard
    drivers, as you apparently specified in your INF file.

    The 0025 simply means that yours is the 26th keyboard driver to be
    enumerated on this computer.  If you go into regedit, you should be able
    to see the other 25 entries.


    > @Tim: I don't see Services in the name.

    Hmmm.  I thought PLUGPLAY_REGKEY_DRIVER points to the Services key.  It
    may be you need to open that key directly.  That would give you a key
    for your filter, independent of the devices you are filtering.  I
    presume you know the service name of your filter driver.  Note that your
    custom entries go in the Parameters subkey of the Services entry.


    > I am a little bit confused. I want to save some information under my filter driver and my driver class starts with "{A3E32DBA..."
    > How can or should I do this if I shouldnt use the path directly?

    What do you mean by "my driver class starts with {A3E32DBA..."?  Where
    do you see that GUID?

    The concept "under my filter driver" doesn't really mean anything. 
    There are several places in the registry where device/driver data get
    stored.  The Enum tree is "per device", and uses the device's hardware
    ID as its key.  The Control\Class tree is per driver installation, and
    uses the INF ClassGuid as its key.  The Services tree is "per driver",
    and uses the driver's service name as its key.  A filter driver is a bit
    like a parasite, because you are borrowing several of those locations. 
    The Services tree belongs strictly to the driver -- not device related
    -- but that means you need to be careful to make sure the information
    isn't specific to any one device.  Always think "what happens if I'm
    filtering three keyboards?"

    --
    Tim Roberts, xxxxx@probo.com
    Providenza & Boekelheide, Inc.
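
Added example, not part of any post in this thread and not OSR or Microsoft code: a small Python helper that reads a registry path like the ones quoted above and reports which of the three trees described in the preceding reply it falls in, and whether it names a fixed ControlSet00x copy instead of CurrentControlSet. The function name `classify`, the result field names and the sample paths are assumptions of the example.

```python
import re

# Scope of each tree, as described in the thread above.
SCOPES = {
    "enum": "per device",
    "control\\class": "per driver installation",
    "services": "per driver",
}

_PATH = re.compile(
    r"\\SYSTEM\\(?P<cset>CurrentControlSet|ControlSet\d{3})\\"
    r"(?P<tree>Enum|Control\\Class|Services)(?:\\(?P<rest>.+))?$",
    re.IGNORECASE,
)


def classify(path):
    """Map a registry path to the driver-data tree it belongs to, or None."""
    # Accept C-literal spelling (doubled backslashes) and a trailing separator.
    normalized = path.replace("\\\\", "\\").rstrip("\\")
    m = _PATH.search(normalized)
    if m is None:
        return None
    tree = m["tree"].lower()
    parts = m["rest"].split("\\") if m["rest"] else []
    info = {
        "tree": tree,
        "scope": SCOPES[tree],
        # ControlSet00x is one stored copy; CurrentControlSet is the alias to use.
        "fixed_control_set": m["cset"].lower() != "currentcontrolset",
    }
    if tree == "control\\class":
        info["class_guid"] = parts[0] if parts else None
        info["instance"] = parts[1] if len(parts) > 1 else None
    elif tree == "services":
        info["service"] = parts[0] if parts else None
        info["in_parameters"] = len(parts) > 1 and parts[1].lower() == "parameters"
    else:
        info["device_key"] = "\\".join(parts) or None
    return info


# Constructed sample inputs modelled on the paths quoted in the thread.
SAMPLES = [
    r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e96b-e325-11ce-bfc1-08002be10318}\0025",
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\myfilterdriver\Parameters",
    "\\\\Registry\\\\Machine\\\\System\\\\CurrentControlSet\\\\Enum\\\\",
]
```
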


  • makrurisan_makkeln Member - All Emails Posts: 99
    Sorry, I want
    Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\"myfilterdriver"
    and I do
    WdfDeviceOpenRegistryKey(device, PLUGPLAY_REGKEY_DRIVER...
    but don't get the above. What is wrong?
  • makrurisan_makkeln Member - All Emails Posts: 99
    The driver is created with WdfDriverCreate and at this moment the RegistryPath is set to Services. Should I save the RegistryPath or is there a better method, because PLUGPLAY_REGKEY_DRIVER from a device gives me another hive.
  • Tim_Roberts Member - All Emails Posts: 12,714
    xxxxx@x-publisher.com wrote:
    > Sorry, I want
    > Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\"myfilterdriver"
    > and I do
    > WdfDeviceOpenRegistryKey(device, PLUGPLAY_REGKEY_DRIVER...
    > but don't get the above. What is wrong?

    My advice was wrong.  PLUGPLAY_REGKEY_DRIVER goes to the Control\Class tree.

    You can use WdfDriverOpenParametersRegistryKey to get to the
    Services\xxx\Parameters tree.

    --
    Tim Roberts, xxxxx@probo.com
    Providenza & Boekelheide, Inc.


  • Tim_Roberts Member - All Emails Posts: 12,714
    xxxxx@x-publisher.com wrote:
    > The driver is created with WdfDriverCreate and at this moment the RegistryPath is set to Services. Should I save the RegistryPath or is there a better method, because PLUGPLAY_REGKEY_DRIVER from a device gives me another hive.

    You know, it only took me 15 seconds with Google to find the answer to
    this, as I just posted.  Searching for "driver registry keys" took me to
    the article entitled "Introduction to Registry Keys for Drivers", and
    the first subsection describes how a KMDF driver gets to the Services key.

    --
    Tim Roberts, xxxxx@probo.com
    Providenza & Boekelheide, Inc.


  • makrurisan_makkeln Member - All Emails Posts: 99
    @Tim: Thank you for your detailed explanation.

    What do you mean by this:
    "...you're persisting data, you don't usually need to enumerate the subkeys,"
    If I save data to different subkeys like "setting 1", "setting 2" what is the way to access them?
  • Tim_Roberts Member - All Emails Posts: 12,714
    xxxxx@x-publisher.com wrote:
    > @Tim: Thank you for your detailed explanation.
    >
    > What do you mean by this:
    > "...you're persisting data, you don't usually need to enumerate the subkeys,"
    > If I save data to different subkeys like "setting 1", "setting 2" what is the way to access them?

    You just open the keys by name, with WdfRegistryOpenKey.  Enumeration is
    only necessary if you don't know what subkeys to expect.

    --
    Tim Roberts, xxxxx@probo.com
    Providenza & Boekelheide, Inc.
