Windows System Software -- Consulting, Training, Development -- Unique Expertise, Guaranteed Results
Before Posting...
Please check out the Community Guidelines in the Announcements and Administration Category.More Info on Driver Writing and Debugging
The free OSR Learning Library has more than 50 articles on a wide variety of topics about writing and debugging device drivers and Minifilters. From introductory level to advanced. All the articles have been recently reviewed and updated, and are written using the clear and definitive style you've come to expect from OSR over the years.
Check out The OSR Learning Library at: https://www.osr.com/osr-learning-library/
Tracking Minifilter Operation
I wanna know which filter driver has passed or denied specific operation? i'm looking for filter driver that returned with access_denied the operation.
Howdy, Stranger!
| Upcoming OSR Seminars | ||
|---|---|---|
| OSR has suspended in-person seminars due to the Covid-19 outbreak. But, don't miss your training! Attend via the internet instead! | ||
| Kernel Debugging | 30 January 2023 | Live, Online |
| Developing Minifilters | 20 March 2023 | Live, Online |
| Writing WDF Drivers | TBD 2023 | Live, Online |
| Internals & Software Drivers | 17 April 2023 | Live, Online |
Comments
This appears some kind of general. Do you have any specific operation?
looking for access_denied on PreCreate Operation
What comes to my mind, but hopefully someone with more experience can point you in a better direction, are two possible approaches.
I am not aware of tracking functions, especially for other filter drivers which are out of your control, but this does not mean they do not exist.
So I would try to
1) Disabling minifilters using the fltmgr command to identify the culprit. This only works if the minifilter in question can be disabled on your target system and is not mandatory for the OS.
or a little more drastic:
2) If you are able in your minifilter, I assume in your PostCreate Operation, to detect that the PreCreate operation was terminated with a "access_denied", you could trigger now a BSOD and create a kernel dump. In the kernel dump you should have the stack of the called functions and might be able to determine the minifilter which blocked the operation.
I hope that this helps you. Maybe someone else here has a better idea.
Is this a reproducible test case and you're trying to debug it? Or are you asking in general?
-scott
OSR
No, it's not a special case. I'm developing a product and I want to know how other products work.
I used the @blange method before, but I did not get a general and precise answer.