Windows System Software -- Consulting, Training, Development -- Unique Expertise, Guaranteed Results


Before Posting...

Please check out the Community Guidelines in the Announcements and Administration Category.

More Info on Driver Writing and Debugging

The free OSR Learning Library has more than 50 articles on a wide variety of topics about writing and debugging device drivers and Minifilters. From introductory level to advanced. All the articles have been recently reviewed and updated, and are written using the clear and definitive style you've come to expect from OSR over the years.

Check out The OSR Learning Library at:

Inf File

ArsenArsen Member Posts: 61

Hello everybody. I have some problem conserning to the driver installation inf. file. I want to hava an ImagePath for windows driver (ServiceBinary entry in the driver's INF file) to be in custom directory (on USB flash); I have writen like this
DefaultDestDir=-1; E:\path
NdisCopyfilessys=-1; E:\path

[... copyfiles.sys]


What is wrong. Thank You;


  • Doron_HolanDoron_Holan Member - All Emails Posts: 10,735
    What does say? How is it failing? The driver binary cannot reside on removable media….I can’t find the specific INF doc page that states this requirement (and the copy dest DIR might be more restrictive).
  • Tim_RobertsTim_Roberts Member - All Emails Posts: 14,445

    Right. Think about what that would mean. What if the drive is not present on boot? What if the drive enumerates as F:? What if you yank the drive during operation? You can't put a driver on removable media.

    Tim Roberts, [email protected]
    Providenza & Boekelheide, Inc.

  • ArsenArsen Member Posts: 61

    Thank You for Your reply. At first - It says "Could not add the requested future. The error is: A service installation section in this inf is invalid" . Second. I tryed to write StartType=3 (SERVICE_DEMAND_START). It also dont work; Third. Well. Windows dont allow me to have a driver image in removable disk. But Windows is not allow me to have a driver image alsow in eny random directory on hard disk, for example in myoun directory "C:\MyDir", exept some predefined system catalogs. Thank You.

  • Tim_RobertsTim_Roberts Member - All Emails Posts: 14,445

    Drivers belong in C:\Windows\System32\Drivers. If this is a non-PnP driver, then you don't need an INF at all. You can put the driver where you want (on a non-removable disk) and use the Service Manager APIs to create the Services entry to point wherever you want. This is how most of the SysInternals tools work. They have their drivers stored in the application's resources, and they install on the fly.

    Tim Roberts, [email protected]
    Providenza & Boekelheide, Inc.

  • ArsenArsen Member Posts: 61

    Thank You Dear Tim_Roberts. A will try to do what You sey.

  • ArsenArsen Member Posts: 61

    Sorry, I did as You said, but nothing happend.

  • ArsenArsen Member Posts: 61

    I only want to have my drivers image in another dyrectory. No at Windows\System32\drivers

  • Peter_Viscarola_(OSR)Peter_Viscarola_(OSR) Administrator Posts: 9,055
    It’s not clear how the %-1% syntax is used. At least, not to me.

    Try %24%\mydir\ to use a directory on the system disk and see if that works. Absolute drive letters are a problem, as Mr Roberts mentioned.

    Peter Viscarola

  • ArsenArsen Member Posts: 61

    Thank You Mr. Peter_Viscarola. But that also not works. I looked to the windows policy rules, but nothing found there. My goal is to hide my net filter driver in the flash drive so that it is impossible to copy it.

  • ArsenArsen Member Posts: 61
    edited December 2022

    Now I am trying to pass outgoing traffic to user mode, and to do some modifications there in user mode context. But it is not optimal, because the very large amount of data will be circulate from driver to user mode application and after from user mode to nic.

  • Peter_Viscarola_(OSR)Peter_Viscarola_(OSR) Administrator Posts: 9,055
    You can NOT, under any circumstances, put a driver on a removable drive. Full stop. I think Mr Roberts made that clear earlier.

    If %24% doesn’t work for the serviceBinary key, you’re doing something wrong.

    Post the exact syntax you’re using, please.


    Peter Viscarola

  • Doron_HolanDoron_Holan Member - All Emails Posts: 10,735
    Are you running the INF verification tool to validate your INF?
  • ArsenArsen Member Posts: 61
    edited December 2022

    No, I am not running any verification tool. Well. Thank You very mach.
    ; NdisEncrypt.INF -- NDIS LightWeight Filter Driver
    ; TODO: Search for comments marked "TODO:", and follow their instructions to
    ; customize this INF for your driver. Then delete the "TODO:" comments.

    ; Do not change these values
    Signature = "$Windows NT$"
    Class = NetService
    ClassGUID = {4D36E974-E325-11CE-BFC1-08002BE10318}
    ; TODO: Customize this string for your company name
    Provider = %Msft%
    DriverVer =
    CatalogFile =
    PnpLockdown = 1

    ;Include each architecture for which your driver package contains a compiled binary.
    ;If you do not supply a driver compiled for ia64, delete the NTia64 section.


    ; MS_NdisEncrypt can be used with netcfg.exe to install/uninstall the driver.
    %NdisEncrypt_Desc%=Install, MS_NdisEncrypt

    %NdisEncrypt_Desc%=Install, MS_NdisEncrypt

    %NdisEncrypt_Desc%=Install, MS_NdisEncrypt

    %NdisEncrypt_Desc%=Install, MS_NdisEncrypt

    %NdisEncrypt_Desc%=Install, MS_NdisEncrypt

    ; Installation Section
    Characteristics=0x40000 ;All LWFs must include the 0x40000 bit (NCF_LW_FILTER). Unlike miniports, you don't usually need to customize this value.
    NetCfgInstanceId="{c0ba22b4-bb4a-4996-b2c9-e4399062c7f1}" ; This must be a random, unique value.FILTER_UNIQUE_NAME in filter.h must match this GUID identically.
    Copyfiles = NdisEncrypt.copyfiles.sys



    DefaultDestDir = -1, f:\mdir
    NdisEncrypt.copyfiles.sys = -1, f:\mdir


    ; Ndi installation support
    HKR, Ndi,Service,,"NdisEncrypt"
    HKR, Ndi,CoServices,0x00010000,"NdisEncrypt"
    HKR, Ndi,HelpText,,%NdisEncrypt_HelpText%

    ;Set the FilterClass here.The FilterClass controls the order in which filte rs are bound to the underlying miniport.
    ;Possible options include: Custom, Diagnostic, Failover, Loadbalance, Vpn, Compression, Encryption, Scheduler
    HKR, Ndi,FilterClass,, Encryption

    ;Specify whether you have a Modifying or Monitoring filter.
    ; For a Monitoring filter, use this: HKR, Ndi,FilterType,0x00010001, 1 ; Monitoring filter
    ; For a Modifying filter, use this: HKR, Ndi,FilterType,0x00010001, 2 ; Modifying filter
    HKR, Ndi,FilterType,0x00010001,2

    ; Do not change these values
    HKR, Ndi\Interfaces,UpperRange,,"noupper"
    HKR, Ndi\Interfaces,LowerRange,,"nolower"

    ;Ensure that the list of media types below is correct. Typically, filters include "ethernet".
    ;Filters may also include "ppip" to include native WWAN stacks, but you must be prepared to handle the packet framing.
    ;Possible values are listed on MSDN, but common values include: ethernet, wan, ppip, ;wlan
    HKR, Ndi\Interfaces, FilterMediaTypes,,"ethernet, wan, ppip"
    HKR, Ndi,FilterRunType,0x00010001, 1 ; Mandatory filter

    ; Service installation support
    ; TODO: You may want to add the SPSVCINST_STARTSERVICE flag, like this:
    ; AddService=NdisEncrypt,0x800,NdisEncrypt_Service_Inst ; SPSVCINST_STARTSERVICE

    DisplayName = %NdisEncrypt_Desc%
    ServiceType = 1 ; 2
    ErrorControl = 1 ;SERVICE_ERROR_NORMAL

    ServiceBinary = %-1\NdisEncrypt.sys
    ;ServiceBinary = c:\Windows\System32\drivers\NdisEncrypt.sys

    LoadOrderGroup = NDIS
    Description = %NdisEncrypt_Desc%
    AddReg = Common.Params.reg, NdisImPlatformBindingOptions.reg
    DelService=NdisEncrypt,0x200 ; SPSVCINST_STOPSERVICE

    ; The SPSVCINST_STOPSERVICE flag instructs SCM to stop the NT service
    ; before uninstalling the driver.
    DelService=NdisEncrypt,0x200 ; SPSVCINST_STOPSERVICE

    ;You can add any sort of NDIS parameters here. Filter drivers don't always need NDIS parameters, so it's okay to have nothing here.

    ; Sample 1: "DriverParam" is a per-driver parameter.
    HKR, FilterDriverParams\DriverParam, ParamDesc, , "Driverparam for lwf"
    HKR, FilterDriverParams\DriverParam, default, , "5"
    HKR, FilterDriverParams\DriverParam, type, , "int"

    ; Sample 2: "AdapterParam" is a per-module parameter.
    HKR, FilterAdapterParams\AdapterParam, ParamDesc, , "Adapterparam for lwf"
    HKR, FilterAdapterParams\AdapterParam, default, , "10"
    HKR, FilterAdapterParams\AdapterParam, type, , "int"

    ; By default, when an LBFO team or Bridge is created, all filters will be
    ; unbound from the underlying members and bound to the TNic(s). This keyword
    ; allows a component to opt out of the default behavior
    ; To prevent binding this filter to the TNic(s):
    ; HKR, Parameters, NdisImPlatformBindingOptions,0x00010001,1 ; Do not bind to TNic
    ; To prevent unbinding this filter from underlying members:
    ; HKR, Parameters, NdisImPlatformBindingOptions,0x00010001,2 ; Do not unbind from Members
    ; To prevent both binding to TNic and unbinding from members:
    ; HKR, Parameters, NdisImPlatformBindingOptions,0x00010001,3 ; Do not bind to TNic or ;unbind from Members
    HKR, Parameters, NdisImPlatformBindingOptions,0x00010001,0 ; Subscribe to default behavior

    ; TODO: Customize these strings.
    Msft = "" ;TODO: Replace with your manufacturer name
    NdisEncrypt_Desc = "NdisEncrypt NDIS LightWeight Filter"
    NdisEncrypt_HelpText = "NdisEncrypt NDIS LightWeight Filter"

    Post edited by Arsen on
  • MBond2MBond2 Member Posts: 515

    I'm not sure that you have thought through the reason why you want the driver file to reside in some custom location. There really is no argument for wanting to use a different location

    FYI driver image files, like other PE images, use the .SYS file to satisfy page faults. So the .SYS file must be available all the time or the OS can crash. This behavior is different on different versions of Windows.

  • ArsenArsen Member Posts: 61

    Thank you. I'm already going the other way. The reason for hiding my driver was because it contains a secret encryption algorithm. Okay. I now solve this problem by putting this algorithm in a user mode program and connecting it to my driver. Thanks to everyone who is trying to help me.

  • ArsenArsen Member Posts: 61
    edited December 2022

    I want to ask another question. I want to send outgoing packets from NDIS filter driver to user mode program for modifying. I can not understand what mechanism is more compatible here. Can I do it with IRP packets or by another way. If the best way is to use IRPs, then how can I respond to an IRP, coming from user mode, from some drivers function (FilterSendNetBufferList, FilterReceiveNetBufferList ...), not from StartIo or DeviceIoControl.

    I want to ask one more question. I want to send outgoing packets from an NDIS filter driver to a user mode program for modification. I can't figure out which mechanism is more compatible here. Can I do it with IRPs or some other way. If it's best to use an IRP, then how can I respond to an IRP coming from user mode from some driver function (FilterSendNetBufferList, FilterReceiveNetBufferList...) but not from StartIo or DeviceIoControl. (This second variant translated by Google) .

    How to send outgoing packets from NDIS filter driver to user mode application for doing some modifications in user mode. And after get that packets already ready.

    Thank You.

  • MBond2MBond2 Member Posts: 515

    lookup inverted call

    but you should also understand that you can't hide your code. If the CPU can execute it, then someone can find it. And while there is some value to using obscure algorithms, obscurity itself is not a form of security

  • ArsenArsen Member Posts: 61

    Thank You for responce.

Sign In or Register to comment.

Howdy, Stranger!

It looks like you're new here. Sign in or register to get started.

Upcoming OSR Seminars
OSR has suspended in-person seminars due to the Covid-19 outbreak. But, don't miss your training! Attend via the internet instead!
Kernel Debugging 30 January 2023 Live, Online
Developing Minifilters 20 March 2023 Live, Online
Internals & Software Drivers 17 April 2023 Live, Online
Writing WDF Drivers 22 May 2023 Live, Online