Windows System Software -- Consulting, Training, Development -- Unique Expertise, Guaranteed Results

Home NTDEV
Before Posting...
Please check out the Community Guidelines in the Announcements and Administration Category.

More Info on Driver Writing and Debugging


The free OSR Learning Library has more than 50 articles on a wide variety of topics about writing and debugging device drivers and Minifilters. From introductory level to advanced. All the articles have been recently reviewed and updated, and are written using the clear and definitive style you've come to expect from OSR over the years.


Check out The OSR Learning Library at: https://www.osr.com/osr-learning-library/


USB device detection, device classification, and files handling for USB storage dev (Win 10 IoT Ent)

mhtmht Member Posts: 23

Hi Dear Team,
Need some help in identifying and validating the approach for one of our following requirement:

We have a Pentium x64 based single board computer appliance with few USB interface.

We want to write the software (kernel or user mode) to:
1) Detect after USB device get connected to USB interface
2) After detection we want to identify the type of device connected (keyboard, mouse, storage device etc)
3) a) If USB device connected is USB storage device, we want to scan the files on the connected USB storage drive
b) Delete black listed file (e.g. executable files) if available on usb device.

For above requirement we think we can do following:
1) Write USB host controller filter driver to detect and identify the the usb device connected
2) For usb storage device, write the file system filter driver to scan the files and delete the black listed files

Is this high level approach for the above requirement correct?
Is this doable in user mode using UMDF?

We know the WDF framework (KMDF and UMDF) at high-level and wrote few sample filter drivers earlier.
We have osr learning kit (usb and pci) and we are trying to get some hands on on USB driver with the sample driver available.

Seeking expert comments on the approach or if possible any alternative approaches will be of great help to validate the same.

Thanks in advance.

--mht

Comments

  • Peter_Viscarola_(OSR)Peter_Viscarola_(OSR) Administrator Posts: 8,109

    Nope... I don't think you have the right approach at all.

    Let's step back one step: As so many posters here, you've asked us HOW to implement something, not how to solve your basic problem. We refer to this as the "pigs and wings problem" here.

    Ignoring what you asked, I'm going to guess that you want to implement some sort of automatic scanning for USB storage devices. If that's NOT what you want to do, post here and tell us what you're trying to accomplish.

    HOW you want to implement this depends a lot on the specific of what you want to do, and how you want to do it.

    You way that you want to scan the drive when it's attached (and, presumably, block access to the device before the scan has been completed). If you think about this a bit, you might decide that this isn't nearly as nice a solution as you initially thought: Scanning all the files on a flash drive can take a LONG time.

    But, you could do all this with a file system minifilter. Have the filter determine if the volume is connected via USB. Yes, this can be tricky, but this is really the only place that you have much work to do. Do the scanning itself in a user-mode app (like a service). Don't even THINK of doing the scanning in kernel mode.

    Peter

    Peter Viscarola
    OSR
    @OSRDrivers

  • Tim_RobertsTim_Roberts Member - All Emails Posts: 13,642

    The problem as you have described it does not require a driver at all. You could do all of that with a simple applications that registers for device interface changes, scans any newly arrived mass storage devices, and does your deletes. However, that's going to make it more difficult to install updated apps and drivers or run diagnostics.

    And, of course, it won't work at all with read-only USB drives.

    Tim Roberts, [email protected]
    Providenza & Boekelheide, Inc.

  • Peter_Viscarola_(OSR)Peter_Viscarola_(OSR) Administrator Posts: 8,109

    You could do all of that with a simple applications that registers for device interface changes

    Oh, that could be a good approach, Mr. Roberts! I didn't think of that one.

    The only DISadvantage to that approach that I can see is that you can't block access to the drive until the scan has been completed. If that's in fact one of the user's requirements.

    Peter

    Peter Viscarola
    OSR
    @OSRDrivers

  • MBond2MBond2 Member Posts: 200

    A lot depends on where this product is intended to be installed. Appropriate solutions for mass market consumer products can be much different than for a closed system - especially in the area of security software.

    for consumer grade distribution, deleting files off of the USB drive will frustrate and infuriate users. They may understand files that are 'blocked for security' but to actually remove them without any confirmation will bring you no end of trouble I think.

    and the point about read only media is another important one.

    you probably can 'effectively' block access using a UM solution that registers callbacks as long as you are content to unmount the filesystem and open the disk as raw. race conditions galore, and you have to hope that you can understand what FS the drive is formatted with, but it probably could be done.

    instead of all of this, probably what you want is a file system filter that rejects access to certain files based on the pattern of the file name. Don't even attempt to scan the drive or do anything else, but just fail the create request with a suitable error (access denied or similar)

    I don't know enough about how to tell the difference between USB storage and other kinds to recommend any way to check the pattern of the file name (I do mostly networking) but there is probably a way

  • mhtmht Member Posts: 23

    Thank you Tim, Peter, MBond2 for your valuable inputs.

    As suggested by Tim, as of now I am exploring on developing user application using device interface change notification apis.

    actually the user is supposed to connect usb storage device to bring update/upgrade packages to system. And other usb devices like keyboard, mouse etc can be connected on need basis. We are planning to log the details of files deleted or not able to delete the files due to appropriate reason

  • Mark_RoddyMark_Roddy Member - All Emails Posts: 4,374
    via Email
    A minifilter would be able to do what you want.

    Mark Roddy
  • mhtmht Member Posts: 23

    Hi Mark,

    A minifilter would be able to do what you want.

    do you mean mini filter over USB host controller driver?

    As Tim suggested, with device interface change notification I am able to capture the arrival/ removal of usb device. but still exploring on how to proceed to next thing of getting handle to the files on the usb storage and then eventually deleting it.

    Thanks for all valuable inputs.
    ---mht

  • Mark_RoddyMark_Roddy Member - All Emails Posts: 4,374
    via Email
    no a filesystem minifilter that figures out if it has been attached to a
    usb volume and does your file filtering requirements.

    This:
    "3) a) If USB device connected is USB storage device, we want to scan the
    files on the connected USB storage drive

    b) Delete black listed file (e.g. executable files) if available on usb
    device. "

    Could easily be done using a filesystem minifilter.


    Mark Roddy
  • Peter_Viscarola_(OSR)Peter_Viscarola_(OSR) Administrator Posts: 8,109

    but still exploring on how to proceed to next thing of getting handle to the files on the usb storage

    How about by... ah... programmatically doing a directory listing? What am I missing?

    Could easily be done using a filesystem minifilter

    And, again, the actual scanning and deleting would be done in user mode (see FltCreateSectionForDataScan, as one possible way to go).

    Peter

    Peter Viscarola
    OSR
    @OSRDrivers

Sign In or Register to comment.

Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!

Upcoming OSR Seminars
OSR has suspended in-person seminars due to the Covid-19 outbreak. But, don't miss your training! Attend via the internet instead!
Writing WDF Drivers 7 Dec 2020 LIVE ONLINE
Internals & Software Drivers 25 Jan 2021 LIVE ONLINE
Developing Minifilters 8 March 2021 LIVE ONLINE