Hi team,
I have created an ELAM driver (definitely from sample code) which is used to start my Windows service in order to prevent the user from stopping/starting it. But there is a use case where I need to stop/start it from a user-mode application.
Kindly help me with how to do this.
Comments
I'm curious, what sample did you use?
As for stopping it, I wonder if you specified dwControlsAccepted=SERVICE_ACCEPT_STOP when you called SetServiceStatus. In that case wouldn't Microsoft's default services.msc allow a user to stop it? Although, tbh allowing an ELAM service to be stopped from a user-mode process running with just the admin rights kinda defeats the purpose of ELAM.
I am using the Microsoft sample ELAM driver.
As my Windows service is started in protected mode by the ELAM driver, it does not allow the user-mode application to stop the service, even with SERVICE_ACCEPT_STOP specified in dwControlsAccepted.
What I understand from your suggestion is that I will first have to stop the ELAM driver with admin rights and then try to stop the service.
(I suspect it may need a system restart.)
Also, is it possible to expose any API in the driver for stopping the service, and will it be invoked by the user-mode application?
Sure, you can try to stop it from the inside. I've never done that, but I would try to issue SetServiceStatus with dwCurrentState=SERVICE_STOPPED to self. After that the SCM will attempt to stop it. If that doesn't work, try to spawn another PPL process (you have a driver, right) and issue the SetServiceStatus to your service from there. But again, my guess is that ELAM service is not supposed to be stopped.
Thank you for the suggestions. I will try the same.
I have now learned that the ELAM driver does not run continuously and is unloaded once the boot process is completed. Hence, I cannot write any function inside the driver and can only stop it from inside the protected service.