Windows System Software -- Consulting, Training, Development -- Unique Expertise, Guaranteed Results

Home NTFSD

Before Posting...

Please check out the Community Guidelines in the Announcements and Administration Category.

More Info on Driver Writing and Debugging


The free OSR Learning Library has more than 50 articles on a wide variety of topics about writing and debugging device drivers and Minifilters. From introductory level to advanced. All the articles have been recently reviewed and updated, and are written using the clear and definitive style you've come to expect from OSR over the years.


Check out The OSR Learning Library at: https://www.osr.com/osr-learning-library/


Can't attach a second/separate instance of a filter on only one computer?

Doug_NDoug_N Member - All Emails Posts: 120

I have a minifilter with two instances. The first one is manually attached via a call to FilterAttach, and the second one auto-attaches to all volumes (instance Flags registry value is set to 0).

I have come across a Server 2016 computer where the auto-attaching is failing - the second instance doesn't show it is attached to any volumes if I check in fltmc.exe. Fine, I'll just manually call FilterAttach on this instance like I do for the first instance. Except in this case FilterAttach is failing with 0x80070032 which is apparently "The request is not supported".

These two instances have been working fine everywhere else I've tried them. Manually calling FilterAttach on the failing instance (after first changing the registry so it doesn't auto-attach) works fine on other Windows servers. On the Server 2016 computer the parameters to the FilterAttach are the same (i.e. just attaching to the basic \Device\HarddiskVolume1) in working and non-working cases, other than the instance name.

It seems like perhaps there is some sort of configuration setting on this Server 2016 that is preventing the second instance from attaching, but nothing is coming up in any searches I can think of. Other filters like WdFilter are able to have multiple attachments.

Is there any way to get more information about why the attachment is failing other than that error code?

Thanks for any help!

Comments

  • Scott_Noone_(OSR)Scott_Noone_(OSR) Administrator Posts: 3,631
    Is your InstanceSetup being called?

    -scott
    OSR

  • Doug_NDoug_N Member - All Emails Posts: 120

    No, InstanceSetup is not called for the failing instance. I tried attaching directly with fltmc.exe attach [driver] [volume] [-i instance] and get the same 0x80070032 error code. Works great with the other instance, and both are completely implemented within the same driver .sys file.

    Can't imagine what is different with this one server.

  • rod_widdowsonrod_widdowson Member - All Emails Posts: 1,258

    SWAGS: Is there another instance of the same name declared somewhere? Is the registry corrupted?

  • Doug_NDoug_N Member - All Emails Posts: 120

    Rod, I was wondering the same thing as I drifted off to sleep last night, but forgot to check until I read your guess above, so thanks for the reminder. Unfortunately, I can't see anything wrong in the registry :(

    Just to be sure I understand about the altitudes, my main/working instance has altitude 12345 (don't remember the actual value), and the second instance that doesn't work is using 12345.100. That's OK, right?

  • rod_widdowsonrod_widdowson Member - All Emails Posts: 1,258

    That's OK, right?

    Yes, I see to recall that FltMgr (or maybe the usermode stuff) actually renders these numbers as a float....

    I suppose what I'd do next is watch the fltmc process with procmon and hope for something weird to jump out.

    Or I might start turning off other layered products..

    But I'd be straw-grasping

  • Doug_NDoug_N Member - All Emails Posts: 120

    The procmon idea lead to something even stranger - as soon as procmon starts, the failing instance is able to load. I thought that seemed unlikely so rebooted and sure enough, the instance won't load until I start procmon, then it attaches to the volume like normal.

  • Dejan_MaksimovicDejan_Maksimovic Member - All Emails Posts: 589
    via Email
    Can autoattach instaces attach via manual attach? I never tried, frankly.


    What exactly is the volume your instance won't autoattach to?
    Does it autoattach after ProcMon is run or do you manually do it?
  • Doug_NDoug_N Member - All Emails Posts: 120

    I'm just trying to attach it to \Device\HarddiskVolume1 (C: drive)

    Just found out something really interesting - maybe a bug?

    On the server where I'm seeing this my filter ends up being the highest filter (it's pretty high because it's an activity monitor). All the computers where everything works fine have a higher filter (backup filter like veeam or something else even higher). Importantly, ProcMon's filter also loads higher when it is there.

    Recall that the altitude of WorkingFilter is X, and FailingFilter is X.1. If I change FailingFilter's altitude to X-1, then it loads fine. If I change it to X+1, it fails.

    But if there is some other filter loaded above it, X.1, X+1 and X-1 all work fine. So my hypothesis is that a filter instance can't load if the filter is the highest, and the instance's altitude is higher than the default instance's altitude.

  • Scott_Noone_(OSR)Scott_Noone_(OSR) Administrator Posts: 3,631

    Can you reproduce this with one of the example filters? That should make a fairly compelling bug

    -scott
    OSR

Sign In or Register to comment.

Howdy, Stranger!

It looks like you're new here. Sign in or register to get started.

Upcoming OSR Seminars
OSR has suspended in-person seminars due to the Covid-19 outbreak. But, don't miss your training! Attend via the internet instead!
Kernel Debugging 16-20 October 2023 Live, Online
Developing Minifilters 13-17 November 2023 Live, Online
Internals & Software Drivers 4-8 Dec 2023 Live, Online
Writing WDF Drivers 10-14 July 2023 Live, Online