Windows System Software -- Consulting, Training, Development -- Unique Expertise, Guaranteed Results

Home NTDEV
Before Posting...
Please check out the Community Guidelines in the Announcements and Administration Category.

More Info on Driver Writing and Debugging


The free OSR Learning Library has more than 50 articles on a wide variety of topics about writing and debugging device drivers and Minifilters. From introductory level to advanced. All the articles have been recently reviewed and updated, and are written using the clear and definitive style you've come to expect from OSR over the years.


Check out The OSR Learning Library at: https://www.osr.com/osr-learning-library/


Make window explorer and mouse not in wait icon while processing callback function

tanda996tanda996 Member Posts: 12

hello, here is my problem in detail:
My driver program registered a callback function with PsSetCreateProcessNotifyRoutineEx. And in case a new process in "D:\" drive starting (exe file) by double click, the callback function just "wait" the user's reply by KeWaitForSingleObject or FltSendMessage, that will allow or block the process.
While the callback waiting user's decision, the Explorer's window (at file path) keep spinning, flicker and displays wait cursor. And i don't like it, i want that window execute like normal.
I don't know this can be done in Kernelmode or Usermode. I've reversed some drivers from AVs but they are too complicated and got no clue.
Could you give me any suggestion or solution? Thank you. :blush:

Comments

  • MBond2MBond2 Member Posts: 144

    without looking at all, i'd say this is likely impossible

    Windows Explorer presumably uses the ShellExecute function when you click on the file. one way or another it will turn into a CreateProcess call. AFAIK there is no option for this to by async or overlapped so Windows Explorer will block. one of the things that happens as part of this call is calling your notify routine, so if you block, Explorer remains blocked too. if you don't block, then you loose your opertunity to abort process creation. the only thing you might be able to do is to always abort process creation and then if you later decide that it should have been allowed, redo that operation somehow - presumably from UM and somehow detect that this call should not be aborted in your notify routine

Sign In or Register to comment.

Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!

Upcoming OSR Seminars
OSR has suspended in-person seminars due to the Covid-19 outbreak. But, don't miss your training! Attend via the internet instead!
Kernel Debugging 30 Mar 2020 OSR Seminar Space
Developing Minifilters 15 Jun 2020 LIVE ONLINE
Writing WDF Drivers 22 June 2020 LIVE ONLINE
Internals & Software Drivers 28 Sept 2020 Dulles, VA