Legacy driver unload problem

Sergey_Konovalov · May 1, 2018, 5:20am

I am working on a legacy (nonPnP) KMDF driver that implements WFP callouts.
The user mode app communicates with the driver through the file handle (CreateFile and DeviceIoControl).

The problem is that the system does not allow to unload the driver with ?net stop? command if there is an opened file handle. If I CloseHandle or exit the user mode app, it stops properly. Still I would like to have an option to stop the driver regardless of the opened handles to it.

So my questions:

Is there a way to catch “net stop” event in the driver. EvtDriverUnload does not get called.
What is the proper way for the driver to forcibly close all file handles on demand? Is it safe?

Thanks!

Doron_Holan · May 1, 2018, 10:01am

The system is behaving as designed and there is not a way to force the unload with an open handle.

Bent from my phone

From: xxxxx@initex.com
Sent: Tuesday, May 1, 2018 2:20 AM
Subject: [ntdev] Legacy driver unload problem
To: Windows System Software Devs Interest List

I am working on a legacy (nonPnP) KMDF driver that implements WFP callouts.
The user mode app communicates with the driver through the file handle (CreateFile and DeviceIoControl).

The problem is that the system does not allow to unload the driver with ?net stop? command if there is an opened file handle. If I CloseHandle or exit the user mode app, it stops properly. Still I would like to have an option to stop the driver regardless of the opened handles to it.

So my questions:
1. Is there a way to catch “net stop” event in the driver. EvtDriverUnload does not get called.
2. What is the proper way for the driver to forcibly close all file handles on demand? Is it safe?

Thanks!

—
NTDEV is sponsored by OSR

Visit the list online at: https:

MONTHLY seminars on crash dump analysis, WDF, Windows internals and software drivers!
Details at https:

To unsubscribe, visit the List Server section of OSR Online at https:</https:></https:></https:>

Sergey_Konovalov · May 4, 2018, 5:22am

>>The system is behaving as designed and there is not a way to force the unload with an open handle.

>
This is correct.

I am wondering whether it is possible to close the handle FROM the driver?

Tim_Roberts · May 4, 2018, 1:09pm

xxxxx@initex.com wrote:

>> The system is behaving as designed and there is not a way to force the unload with an open handle.
This is correct.

I am wondering whether it is possible to close the handle FROM the driver?

No.Â What do you think the application would do?Â You can’t just pull
the rug out from applications without their knowledge.

–
Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.