Windows System Software -- Consulting, Training, Development -- Unique Expertise, Guaranteed Results

Home NTFSD

Before Posting...

Please check out the Community Guidelines in the Announcements and Administration Category.

More Info on Driver Writing and Debugging


The free OSR Learning Library has more than 50 articles on a wide variety of topics about writing and debugging device drivers and Minifilters. From introductory level to advanced. All the articles have been recently reviewed and updated, and are written using the clear and definitive style you've come to expect from OSR over the years.


Check out The OSR Learning Library at: https://www.osr.com/osr-learning-library/


Filter ESP

0mWindyBug0mWindyBug Member Posts: 29
Will I/O to the EFI system partition go through the standard file system device stack? Is it possible to filter on it?

Comments

  • Dejan_MaksimovicDejan_Maksimovic Member - All Emails Posts: 636
    via Email
    EFI is FAT, so yes.
    But not as early as you think if that is your question.
  • 0mWindyBug0mWindyBug Member Posts: 29

    @Dejan_Maksimovic said:
    EFI is FAT, so yes.
    But not as early as you think if that is your question.

    so the filter manager sits on both the fat32 file system device stack and the ntfs file system device stack? do we even have a device stack for each file system or simply one file system device stack?

  • Dejan_MaksimovicDejan_Maksimovic Member - All Emails Posts: 636
    via Email
    What do you mean by "file system device stack"?
  • 0mWindyBug0mWindyBug Member Posts: 29
    > @Dejan_Maksimovic said:
    > What do you mean by "file system device stack"?
    The device stack where IO initiated from functions like ReadFile and WriteFile is going to initially (there’s an article on OSR as well explaining the flow of ReadFile where it first reaches the file system device stack, then the volume , disk , storage etc
    (In that case ntfs.sys was on the “file system device stack” I’m referring to)
  • Dejan_MaksimovicDejan_Maksimovic Member - All Emails Posts: 636
    via Email
    The stack is per volume. Not a common NTFS or FAT in general for all
    volumes.
  • 0mWindyBug0mWindyBug Member Posts: 29

    @Dejan_Maksimovic said:
    The stack is per volume. Not a common NTFS or FAT in general for all
    volumes.

    makes sense, so when sending an I/O I believe its the responsability of the I/O manager to navigate it to the correct stack ? and each stack will have the fltmgr device object present - correct?

  • Dejan_MaksimovicDejan_Maksimovic Member - All Emails Posts: 636
    via Email
    Exactly.
Sign In or Register to comment.

Howdy, Stranger!

It looks like you're new here. Sign in or register to get started.

Upcoming OSR Seminars
OSR has suspended in-person seminars due to the Covid-19 outbreak. But, don't miss your training! Attend via the internet instead!
Kernel Debugging 13-17 May 2024 Live, Online
Developing Minifilters 1-5 Apr 2024 Live, Online
Internals & Software Drivers 11-15 Mar 2024 Live, Online
Writing WDF Drivers 20-24 May 2024 Live, Online