Windows System Software -- Consulting, Training, Development -- Unique Expertise, Guaranteed Results
Before Posting...
Please check out the Community Guidelines in the Announcements and Administration Category.More Info on Driver Writing and Debugging
The free OSR Learning Library has more than 50 articles on a wide variety of topics about writing and debugging device drivers and Minifilters. From introductory level to advanced. All the articles have been recently reviewed and updated, and are written using the clear and definitive style you've come to expect from OSR over the years.
Check out The OSR Learning Library at: https://www.osr.com/osr-learning-library/
How to generate system sequence to get the IRP_MN_CANCEL_REMOVE_DEVICE
We have FS MiniFilter which caused a crash on user's system when it receives IRP_MN_CANCEL_REMOVE_DEVICE. Though I was able to identify the cause of crash and fix, the BIG issue remains that we are not able to test our driver by sending this particular IRP. I tried to create a VHD, attach it and remove it. My question is how we can make system send this IRP to our driver for testing purpose or are there any other mechanism to achieve this. Any comment is highly appreciated. Thanks.
Howdy, Stranger!
| Upcoming OSR Seminars | ||
|---|---|---|
| OSR has suspended in-person seminars due to the Covid-19 outbreak. But, don't miss your training! Attend via the internet instead! | ||
| Kernel Debugging | 13-17 May 2024 | Live, Online |
| Developing Minifilters | 1-5 Apr 2024 | Live, Online |
| Internals & Software Drivers | 11-15 Mar 2024 | Live, Online |
| Writing WDF Drivers | 26 Feb - 1 Mar 2024 | Live, Online |
Comments
Well that is an ugly problem. In general FS minifilters are not directly involved in pnp operations, so I assume your problem was a side effect of the cancel. Anyhow, offhand, you could create a filter driver for one of the storage stacks and have that explicitly reject an IRP_MN_QUERY_REMOVE request. That seems like a lot of work. There also might be something usable in the HLK test programs. In particular you could probably use DF - PNP Cancel Remove Device Test - see https://learn.microsoft.com/en-us/windows-hardware/test/hlk/testref/53c9e4a3-147a-4590-be9a-de6104f8d84b, but as always there is a lot of setup and other stuff with these tests that can be time consuming to get right.
OK... I'll ask: Why not? I mean... you're not SUPPOSED to do so, but what prevents you from building the IRP and sending it? I've done that a lot, for diagnostic reasons, for OTHER "reserved to the system" IRPs in the past and it DID work just fine...
Peter
Peter Viscarola
OSR
@OSRDrivers
The WDK used to have the pnpdtest utility which made this incredibly easy to test. Now it's wrapped up in DevFund somewhere so it's no longer incredibly easy to test...Progress!
Anyhow:
You should be able to see the IRP_MN_CANCEL_REMOVE if you have a file open when you try and disable/remove the volume. Probably cheap out using PowerShell and DevCon (from the WDK):
Open a file:
$file = [System.IO.File]::Open("f:\foo.txt", "OpenOrCreate", "Read")
Try to disable all volumes (because I'm lazy):
If all goes according to plan you should see a query remove followed by the cancel...Then make sure you enable the volumes again 😂
-scott
OSR
Thanks for your answers. I have used Scott's response for now. but I am in process of doing this via IRP building and then will go to HLK. Thanks once again for support.