Windows System Software -- Consulting, Training, Development -- Unique Expertise, Guaranteed Results

Home NTFSD

Before Posting...

Please check out the Community Guidelines in the Announcements and Administration Category.

More Info on Driver Writing and Debugging


The free OSR Learning Library has more than 50 articles on a wide variety of topics about writing and debugging device drivers and Minifilters. From introductory level to advanced. All the articles have been recently reviewed and updated, and are written using the clear and definitive style you've come to expect from OSR over the years.


Check out The OSR Learning Library at: https://www.osr.com/osr-learning-library/


Trouble with minifilter in Visual Studio 2022 (CE)

OleOle Member Posts: 2

Dear OSR community,

a few weeks ago, I dove freshly into the exciting, yet deep, ocean of minifilter drivers. As I am new to the topic, I had to rely on the few tips I found on the internet and the driver development documentation on the Microsoft website.
Despite all efforts, I am still unable to load even the "nullfilter" sample that is provided on GitHub (which is basically an empty minifilter with no Pre-/PostOperationCallbacks). I can tell that the .inf-file provided there is not up to date as it does not contain architecture decoration for the install section.
Sadly, I am unable to dive any deeper into the matter, since Visual Studio 2022 (Community Edition) with installed SDK&WDK (Version: 10.0.22621) does not contain a template for minifilter drivers, which appears to be crucial for me to keep on testing.
I installed VS2019 (with appropriate SDK&WDK) and found a minifilter template there, but that template is not suited for my versions of Windows (Windows 10 Pro Build 19045 and Windows 11 Pro Build 22631, both 64-bit) as it also produces an .inf file that doesn’t contain architecture decoration. Besides the incorrect .inf-file, I can imagine that there are other settings that are outdated in the minifilter template from VS2019.

I created my own .inf file with (to my knowledge) accurate settings.
[content of .inf file is provided at the end of my post; nullfilter source code can be found here: https://github.com/microsoft/Windows-driver-samples/tree/main/filesys/miniFilter/nullFilter]
With this .inf, installation of the nullfilter minifilter driver I compiled with VS2019 works fine and the registry entries are successfully made, too.
Unfortunately, when I try to load the minifilter with fltmc load nullfilter, the system crashes with the error SYSTEM_THREAD _EXCEPTION _NOT_HANDLED. Before I get too engaged with kernel debugging with WinDbg, I would love to have a working nullfilter sample from which I can start my experiments and there must be a way to get the minifilter template from Visual Studio working.

First of all, thanks for bearing with me so far! Now I have the following questions:

  1. Does anybody have VS2022 (incl. SDK&WDK) installed and has a minifilter template available at all? I tried so many varieties of installation processess that I can't imagine that the template is actually available.

  2. (How) Can I modify the VS2019 minifilter template so the compiled driver would work on my OS?

  3. Does my selfmade .inf file contain any mistakes?

Please send help! And let me know if you require further information to do so.

Best regards,
Ole

Content of .inf file:

[Version]
Signature = "$Windows NT$"
Class = "ActivityMonitor"
ClassGuid = {b86dff51-a31e-4bac-b3cf-e8cfe75c9fc2}
Provider = %ManufacturerName%
DriverVer = 01/03/2024,15.22.32.172
CatalogFile = nullfilter.cat

[DestinationDirs]
DefaultDestDir = 13
MiniFilter.DriverFiles = 13

[DefaultInstall.NTamd64]
OptionDesc = %ServiceDescription%
CopyFiles = MiniFilter.DriverFiles

[DefaultInstall.NTamd64.Services]
AddService = %ServiceName%,,MiniFilter.Service

[MiniFilter.Service]
DisplayName = %ServiceName%
Description = %ServiceDescription%
ServiceBinary = %13%\%DriverName%.sys
ServiceType = 2
StartType = 3
ErrorControl = 1
LoadOrderGroup = "FSFilter Activity Monitor"
AddReg = MiniFilter.AddRegistry
Dependencies = FltMgr

[MiniFilter.AddRegistry]
HKR,,"DebugFlags",0x00010001,0x0
HKR,,"SupportedFeatures",0x00010001,0x3
HKR,"Instances","DefaultInstance",0x00000000,%DefaultInstance%
HKR,"Instances\%Instance1.Name%","Altitude",0x00000000,%Instance1.Altitude%
HKR,"Instances\%Instance1.Name%","Flags",0x00010001,%Instance1.Flags%

[MiniFilter.DriverFiles]
%DriverName%.sys

[SourceDisksFiles]
nullfilter.sys = 1,,

[SourceDisksNames]
1 = %DiskId1%,,,

[Strings]
ManufacturerName = "Ole"
ServiceDescription = "nullfilter_MiniFilter_Driver"
ServiceName = "nullfilter"
DriverName = "nullfilter"
DiskId1 = "nullfilter_Device_Installation_Disk"
DefaultInstance = "nullfilter_Default_Instance"
Instance1.Name = "nullfilter_Instance"
Instance1.Altitude = 370080
Instance1.Flags = 0x0

Comments

  • Scott_Noone_(OSR)Scott_Noone_(OSR) Administrator Posts: 3,678

    The minifilter template was removed at some point. It generated a lot of not terribly useful template code IMO so not sad to see it go, but should have been replaced with an "empty minifilter" template or something. Also annoying that they haven't updated the INFs yet in the samples...

    This would be my recommendation:

    1. Go back to VS2022 and the latest WDK
    2. Replace the nullFilter.inf with the attached version. I just made the edits and confirmed that I was able to build and install it successfully on a Win11 x64 target
    3. Take the time to get the debugger set up now. You're going to need it 😂

    -scott
    OSR

  • OleOle Member Posts: 2

    This was very helpful advice, I managed to load the nullfilter with the .inf you provided while using an empty WDM template in VS2022 where I also made the following steps:
    Put nullfilter.c as source file and nullfilter.rc as resource file. Edit the .inf file of the project. Add "fltmgr.lib" and "fltlib.lib" under Properties > Linker > General > Additional Library Directories.
    Thank you very much, dear Scott, for your quick reply!

Sign In or Register to comment.

Howdy, Stranger!

It looks like you're new here. Sign in or register to get started.

Upcoming OSR Seminars
OSR has suspended in-person seminars due to the Covid-19 outbreak. But, don't miss your training! Attend via the internet instead!
Kernel Debugging 13-17 May 2024 Live, Online
Developing Minifilters 1-5 Apr 2024 Live, Online
Internals & Software Drivers 11-15 Mar 2024 Live, Online
Writing WDF Drivers 20-24 May 2024 Live, Online