EvtDriverUnload callback execution

Under what circumstances is the EvtDriverUnload callback executed for a NonPnp kernel driver?
I have registered the callback, but do not see it being called during Windows shutdown OR when I disable the driver (also leading to shutdown).

Drivers are not unloaded during system shutdown/reboot. DriverUnload will be called either when

  1. your DriverEntry does not create any device objects and you are not a PnP driver
  2. some external agent stops your driver (using the service control manager APIs)

d

I’m creating threads in my driver which periodically make write calls on a file.
How can I detect the Windows shutdown event in order to kill these threads gracefully?
Also, what happens if I don’t exit the threads on Windows shutdown?

Thanks

I have a similar situation and would appreciate it if anyone shares any knowledge on how to identify a Windows shutdown event within a driver? I can’t seem to find any information on this anywhere… Is there anything similar to WM_ENDSESSION/WM_QUERYENDSESSION messages on an application level?

Look at EvtDeviceD0Exit, this can tell you. Or if you have a control device look at EvtDeviceShutdownNotification.

Don Burn
Windows Driver Consulting
Website: http://www.windrvr.com

In the WDM world, you need to call IoRegisterLastChanceShutdownNotification and then handle IRP_MJ_SHUTDOWN. In that context, you should wait for your threads to exit and creating new file system operations.

d

Thank you, Don and Doron. I will look into all suggested options.