About ObRegisterCallbacks.

I applied the ObRegisterCallbacks function to filter process related operations on the Windows Server 2008.
I called RegisterCallbackFunction() in the DriverEntry.
I met BSOD(7e, SYSTEM_THREAD_EXCEPTION_NOT_HANDLED) when the ObRegisterCallbacks function was called.
RegisterCallbackFunction is following.

NTSTATUS RegisterCallbackFunction()
{
NTSTATUS ntStatus = STATUS_SUCCESS;
UNICODE_STRING Altitude;
USHORT filterVersion = ObGetFilterVersion();
USHORT registrationCount = 2;
OB_OPERATION_REGISTRATION RegisterOperation;
OB_CALLBACK_REGISTRATION RegisterCallBack;
REG_CONTEXT RegistrationContext;

memset(&RegisterOperation, 0 , sizeof(OB_OPERATION_REGISTRATION));
memset(&RegisterCallBack, 0 , sizeof(OB_CALLBACK_REGISTRATION));
memset(&RegistrationContext, 0 , sizeof(REG_CONTEXT));
RegistrationContext.ulIndex = 1;
RegistrationContext.Version = 120;

if (filterVersion == OB_FLT_REGISTRATION_VERSION) {
DbgPrint(“Filter Version is correct.\n”);
RegisterOperation.ObjectType = PsProcessType;
RegisterOperation.Operations = OB_OPERATION_HANDLE_CREATE;
RegisterOperation.PreOperation = PreProcCreateRoutine;
RegisterOperation.PostOperation = PostProcCreateRoutine;
RegisterCallBack.Version = OB_FLT_REGISTRATION_VERSION;
RegisterCallBack.OperationRegistrationCount = registrationCount;
RtlInitUnicodeString(&Altitude, L"XXXXXXX");
RegisterCallBack.Altitude = Altitude;
RegisterCallBack.RegistrationContext = &RegistrationContext;
RegisterCallBack.OperationRegistration = &RegisterOperation;
DbgPrint(“Register Callback Function Entry!..\n”);

ntStatus = ObRegisterCallbacks(&RegisterCallBack, g_hProcCreateHandle);
if (ntStatus == STATUS_SUCCESS) {
DbgPrint(“Register Callback Function Successful…\n”);
} else {
if (ntStatus == STATUS_FLT_INSTANCE_ALTITUDE_COLLISION) {
DbgPrint(“Status Filter Instance Altitude Collision \n”);
}
if (ntStatus == STATUS_INVALID_PARAMETER) {
DbgPrint(“Status Invalid Parameter \n”);
}
if (ntStatus == STATUS_INSUFFICIENT_RESOURCES) {
DbgPrint(“Status Allocate Memory Failed. \n”);
}
DbgPrint(“Register Callback Function Failed with 0x%08x \n”, ntStatus);
}
} else {
DbgPrint("Filter Version is not supported.\n ");
}
return ntStatus;
}

What is the cause of this problem?
How should I solve this problem?
Ask advice!

On 8/26/2010 7:26 PM, xxxxx@korea.com wrote:

ntStatus = ObRegisterCallbacks(&RegisterCallBack, g_hProcCreateHandle);
if (ntStatus == STATUS_SUCCESS) {

Just a stab but should this be &g_hProcCreateHandle where the declaration is

void *g_hProcCreateHandle = NULL;

Pete


Kernel Drivers
Windows File System and Device Driver Consulting
www.KernelDrivers.com
866.263.9295

Thanks for your advice.
But I’ve already declared like this.

void *g_hProcCreateHandle = NULL;

Jung.

You need the indirection that Pete mentioned - & g_hProcCreateHandle (not g_hProcCreateHandle).

mm

Thank you.
I applied and tested indirection &g_hProcCreateHandle but I also got BSOD.
My source code is following.
Need help!

void *g_hProcCreateHandle = NULL;
typedef struct _OB_REG_CONTEXT {
__in USHORT Version;
__in UNICODE_STRING Altitude;
__in USHORT ulIndex;
} REG_CONTEXT, *PREG_CONTEXT;
//
// PRE OPERATION
//
OB_PREOP_CALLBACK_STATUS PreProcCreateRoutine(
IN PVOID RegistrationContext, IN POB_PRE_OPERATION_INFORMATION OperationInformation)
{

//OB_PRE_OPERATION_INFORMATION OpInfo;
DbgPrint(“PreProcCreateRoutine()\n”);
return OB_PREOP_SUCCESS;
}
//
// POST OPERATION
//
VOID PostProcCreateRoutine(
IN PVOID RegistrationContext, IN POB_POST_OPERATION_INFORMATION OperationInformation)
{
DbgPrint(“PostProcCreateRoutine.\n”);
}
//
// REGISTE CALLBACK FUNCTION
//
NTSTATUS RegisterCallbackFunction()
{
NTSTATUS ntStatus = STATUS_SUCCESS;

UNICODE_STRING Altitude;

USHORT filterVersion = ObGetFilterVersion();
USHORT registrationCount = 2;

OB_OPERATION_REGISTRATION RegisterOperation;
OB_CALLBACK_REGISTRATION RegisterCallBack;
REG_CONTEXT RegistrationContext;

memset(&RegisterOperation, 0, sizeof(OB_OPERATION_REGISTRATION));
memset(&RegisterCallBack, 0, sizeof(OB_CALLBACK_REGISTRATION));
memset(&RegistrationContext, 0, sizeof(REG_CONTEXT));

RegistrationContext.ulIndex = 1;
RegistrationContext.Version = 120;

if(filterVersion == OB_FLT_REGISTRATION_VERSION) {
DbgPrint(“Filter Version is correct.\n”);

RegisterOperation.ObjectType = PsProcessType;
RegisterOperation.Operations = OB_OPERATION_HANDLE_CREATE;
RegisterOperation.PreOperation = PreProcCreateRoutine;
RegisterOperation.PostOperation = PostProcCreateRoutine;

RegisterCallBack.Version = OB_FLT_REGISTRATION_VERSION;
RegisterCallBack.OperationRegistrationCount = registrationCount;

RtlInitUnicodeString(&Altitude, L"XXXXXXX");
RegisterCallBack.Altitude = Altitude;

RegisterCallBack.RegistrationContext = &RegistrationContext;
RegisterCallBack.OperationRegistration = &RegisterOperation;
DbgPrint(“Register Callback Function Entry!!!\n”);

ntStatus = ObRegisterCallbacks(&RegisterCallBack, &g_hProcCreateHandle);
if(ntStatus == STATUS_SUCCESS) {
DbgPrint(“Register Callback Function Successful\n”);
} else {
if(ntStatus == STATUS_FLT_INSTANCE_ALTITUDE_COLLISION) {
DbgPrint(“Status Filter Instance Altitude Collision\n”);
}
if(ntStatus == STATUS_INVALID_PARAMETER) {
DbgPrint(“Status Invalid Parameter\n”);
}
if(ntStatus == STATUS_INSUFFICIENT_RESOURCES) {
DbgPrint(“Status Allocate Memory Failed\n”);
}
DbgPrint(“Register Callback Function Failed with 0x%08x\n”, ntStatus);
}
} else {
DbgPrint(“Filter Version is not supported.\n”);
}

return ntStatus;
}
//
// FREE PROC FILTER
//
NTSTATUS FreeProcFilter()
{
if(NULL != &g_hProcCreateHandle) {
ObUnRegisterCallbacks(&g_hProcCreateHandle);
}
return STATUS_SUCCESS;
}

How about posting the !analyze -v output.

mm

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@korea.com
Sent: Friday, August 27, 2010 1:43 AM
To: Windows File Systems Devs Interest List
Subject: RE:[ntfsd] About ObRegisterCallbacks.

Thank you.
I applied and tested indirection &g_hProcCreateHandle but I also got BSOD.
My source code is following.
Need help!

void *g_hProcCreateHandle = NULL;
typedef struct _OB_REG_CONTEXT {
__in USHORT Version;
__in UNICODE_STRING Altitude;
__in USHORT ulIndex;
} REG_CONTEXT, *PREG_CONTEXT;
//
// PRE OPERATION
//
OB_PREOP_CALLBACK_STATUS PreProcCreateRoutine(
IN PVOID RegistrationContext, IN POB_PRE_OPERATION_INFORMATION
OperationInformation) {

//OB_PRE_OPERATION_INFORMATION OpInfo;
DbgPrint(“PreProcCreateRoutine()\n”);
return OB_PREOP_SUCCESS;
}
//
// POST OPERATION
//
VOID PostProcCreateRoutine(
IN PVOID RegistrationContext, IN POB_POST_OPERATION_INFORMATION
OperationInformation) {
DbgPrint(“PostProcCreateRoutine.\n”);
}
//
// REGISTE CALLBACK FUNCTION
//
NTSTATUS RegisterCallbackFunction()
{
NTSTATUS ntStatus = STATUS_SUCCESS;

UNICODE_STRING Altitude;

USHORT filterVersion = ObGetFilterVersion();
USHORT registrationCount = 2;

OB_OPERATION_REGISTRATION RegisterOperation;
OB_CALLBACK_REGISTRATION RegisterCallBack;
REG_CONTEXT RegistrationContext;

memset(&RegisterOperation, 0, sizeof(OB_OPERATION_REGISTRATION));
memset(&RegisterCallBack, 0, sizeof(OB_CALLBACK_REGISTRATION));
memset(&RegistrationContext, 0, sizeof(REG_CONTEXT));

RegistrationContext.ulIndex = 1;
RegistrationContext.Version = 120;

if(filterVersion == OB_FLT_REGISTRATION_VERSION) {
DbgPrint(“Filter Version is correct.\n”);

RegisterOperation.ObjectType = PsProcessType;
RegisterOperation.Operations = OB_OPERATION_HANDLE_CREATE;
RegisterOperation.PreOperation = PreProcCreateRoutine;
RegisterOperation.PostOperation = PostProcCreateRoutine;

RegisterCallBack.Version = OB_FLT_REGISTRATION_VERSION;
RegisterCallBack.OperationRegistrationCount =
registrationCount;

RtlInitUnicodeString(&Altitude, L"XXXXXXX");
RegisterCallBack.Altitude = Altitude;

RegisterCallBack.RegistrationContext = &RegistrationContext;
RegisterCallBack.OperationRegistration = &RegisterOperation;
DbgPrint(“Register Callback Function Entry!!!\n”);

ntStatus = ObRegisterCallbacks(&RegisterCallBack,
&g_hProcCreateHandle);
if(ntStatus == STATUS_SUCCESS) {
DbgPrint(“Register Callback Function Successful\n”);
} else {
if(ntStatus ==
STATUS_FLT_INSTANCE_ALTITUDE_COLLISION) {
DbgPrint(“Status Filter Instance Altitude
Collision\n”);
}
if(ntStatus == STATUS_INVALID_PARAMETER) {
DbgPrint(“Status Invalid Parameter\n”);
}
if(ntStatus == STATUS_INSUFFICIENT_RESOURCES) {
DbgPrint(“Status Allocate Memory Failed\n”);
}
DbgPrint(“Register Callback Function Failed with
0x%08x\n”, ntStatus);
}
} else {
DbgPrint(“Filter Version is not supported.\n”);
}

return ntStatus;
}
//
// FREE PROC FILTER
//
NTSTATUS FreeProcFilter()
{
if(NULL != &g_hProcCreateHandle) {
ObUnRegisterCallbacks(&g_hProcCreateHandle);
}
return STATUS_SUCCESS;
}


NTFSD is sponsored by OSR

For our schedule of debugging and file system seminars (including our new fs
mini-filter seminar) visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

The result of !analyze -v is following.

*** Fatal System Error: 0x0000007e
(0xC0000005,0x818BECB5,0x83D7995C,0x83D79658)

Break instruction exception - code 80000003 (first chance)

A fatal system error has occurred.
Debugger entered on first try; Bugcheck callbacks have not been invoked.

A fatal system error has occurred.

Connected to Windows Server 2008 6001 x86 compatible target, ptr64 FALSE

Loading User Symbols

Loading unloaded module list

*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 7E, {c0000005, 818becb5, 83d7995c, 83d79658}

Probably caused by : mydriver.sys ( mydriver!RegisterCallbackFunction+bc )

Followup: MachineOwner

nt!DbgBreakPointWithStatus+0x4:
816eb514 cc int 3
0: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

SYSTEM_THREAD_EXCEPTION_NOT_HANDLED (7e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: 818becb5, The address that the exception occurred at
Arg3: 83d7995c, Exception Record Address
Arg4: 83d79658, Context Record Address

Debugging Details:

FAULTING_MODULE: 81633000 nt

DEBUG_FLR_IMAGE_TIMESTAMP: 4c774e38

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - “0x%08lx”

FAULTING_IP:
nt!ObRegisterCallbacks+c3
818becb5 8b00 mov eax,dword ptr [eax]

EXCEPTION_RECORD: 83d7995c – (.exr 0xffffffff83d7995c)
ExceptionAddress: 818becb5 (nt!ObRegisterCallbacks+0x000000c3)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 0010000e
Attempt to read from address 0010000e

CONTEXT: 83d79658 – (.cxr 0xffffffff83d79658)
eax=0010000e ebx=83d79a50 ecx=83d79a84 edx=83e17f70 esi=90754db8 edi=90754e0c
eip=818becb5 esp=83d79a24 ebp=83d79a38 iopl=0 nv up ei ng nz na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010282
nt!ObRegisterCallbacks+0xc3:
818becb5 8b00 mov eax,dword ptr [eax] ds:0023:0010000e=???
Resetting default scope

DEFAULT_BUCKET_ID: WRONG_SYMBOLS

BUGCHECK_STR: 0x7E

LAST_CONTROL_TRANSFER: from 8d8accf0 to 818becb5

STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
83d79a38 8d8accf0 00000001 8d8b2414 8d8b8f04 nt!ObRegisterCallbacks+0xc3
83d79a8c 8d8acd5f 8d8bb818 86b68918 8ed56000 mydriver!RegisterCallbackFunction+0xbc [xxx.c @ 75]
83d79a90 8d8bb818 86b68918 8ed56000 00000000 mydriver!Install+0x5 [xxx.c @ 110]
83d79b18 817a2376 00000000 8d8b45a0 00000000 mydriver!DriverEntry+0x6ae [main.c @ 2107]
83d79cfc 817a2d0b 00000001 00000000 83d79d24 nt!IoRegisterFileSystem+0x1566
83d79d44 8166b41d 841a1d00 00000000 82bffd78 nt!IoRegisterFileSystem+0x1efb
83d79d7c 81808a1c 841a1d00 36043969 00000000 nt!KeQuerySystemTime+0x14d
83d79dc0 81661a3e 8166b320 00000001 00000000 nt!RtlDestroyAtomTable+0x4fe
00000000 00000000 00000000 00000000 00000000 nt!RtlSubAuthorityCountSid+0x3c4

FOLLOWUP_IP:
mydriver!RegisterCallbackFunction+bc [xxx.c @ 75]
8d8accf0 8bf0 mov esi,eax

SYMBOL_STACK_INDEX: 1

SYMBOL_NAME: mydriver!RegisterCallbackFunction+bc

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: mydriver

IMAGE_NAME: mydriver.sys

STACK_COMMAND: .cxr 0xffffffff83d79658 ; kb

BUCKET_ID: WRONG_SYMBOLS

Followup: MachineOwner

>DEFAULT_BUCKET_ID: WRONG_SYMBOLS

Are you sure that your symbols are correct?

mm

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@korea.com
Sent: Friday, August 27, 2010 3:29 AM
To: Windows File Systems Devs Interest List
Subject: RE:[ntfsd] About ObRegisterCallbacks.

The result of !analyze -v is following.

*** Fatal System Error: 0x0000007e
(0xC0000005,0x818BECB5,0x83D7995C,0x83D79658)

Break instruction exception - code 80000003 (first chance)

A fatal system error has occurred.
Debugger entered on first try; Bugcheck callbacks have not been invoked.

A fatal system error has occurred.

Connected to Windows Server 2008 6001 x86 compatible target, ptr64 FALSE


Loading User Symbols

Loading unloaded module list

****************************************************************************
***
*
*
* Bugcheck Analysis
*
*
*
****************************************************************************
***

Use !analyze -v to get detailed debugging information.

BugCheck 7E, {c0000005, 818becb5, 83d7995c, 83d79658}

Probably caused by : mydriver.sys ( mydriver!RegisterCallbackFunction+bc )

Followup: MachineOwner

nt!DbgBreakPointWithStatus+0x4:
816eb514 cc int 3
0: kd> !analyze -v
****************************************************************************
***
*
*
* Bugcheck Analysis
*
*
*
****************************************************************************
***

SYSTEM_THREAD_EXCEPTION_NOT_HANDLED (7e) This is a very common bugcheck.
Usually the exception address pinpoints the driver/function that caused the
problem. Always note this address as well as the link date of the
driver/image that contains this address.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: 818becb5, The address that the exception occurred at
Arg3: 83d7995c, Exception Record Address
Arg4: 83d79658, Context Record Address

Debugging Details:

FAULTING_MODULE: 81633000 nt

DEBUG_FLR_IMAGE_TIMESTAMP: 4c774e38

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - “0x%08lx”

FAULTING_IP:
nt!ObRegisterCallbacks+c3
818becb5 8b00 mov eax,dword ptr [eax]

EXCEPTION_RECORD: 83d7995c – (.exr 0xffffffff83d7995c)
ExceptionAddress: 818becb5 (nt!ObRegisterCallbacks+0x000000c3)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 0010000e
Attempt to read from address 0010000e

CONTEXT: 83d79658 – (.cxr 0xffffffff83d79658) eax=0010000e ebx=83d79a50
ecx=83d79a84 edx=83e17f70 esi=90754db8 edi=90754e0c
eip=818becb5 esp=83d79a24 ebp=83d79a38 iopl=0 nv up ei ng nz na po
nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000
efl=00010282
nt!ObRegisterCallbacks+0xc3:
818becb5 8b00 mov eax,dword ptr [eax]
ds:0023:0010000e=???
Resetting default scope

DEFAULT_BUCKET_ID: WRONG_SYMBOLS

BUGCHECK_STR: 0x7E

LAST_CONTROL_TRANSFER: from 8d8accf0 to 818becb5

STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be
wrong.
83d79a38 8d8accf0 00000001 8d8b2414 8d8b8f04 nt!ObRegisterCallbacks+0xc3
83d79a8c 8d8acd5f 8d8bb818 86b68918 8ed56000
mydriver!RegisterCallbackFunction+0xbc [xxx.c @ 75]
83d79a90 8d8bb818 86b68918 8ed56000 00000000 mydriver!Install+0x5 [xxx.c @
110]
83d79b18 817a2376 00000000 8d8b45a0 00000000 mydriver!DriverEntry+0x6ae
[main.c @ 2107] 83d79cfc 817a2d0b 00000001 00000000 83d79d24
nt!IoRegisterFileSystem+0x1566
83d79d44 8166b41d 841a1d00 00000000 82bffd78 nt!IoRegisterFileSystem+0x1efb
83d79d7c 81808a1c 841a1d00 36043969 00000000 nt!KeQuerySystemTime+0x14d
83d79dc0 81661a3e 8166b320 00000001 00000000 nt!RtlDestroyAtomTable+0x4fe
00000000 00000000 00000000 00000000 00000000
nt!RtlSubAuthorityCountSid+0x3c4

FOLLOWUP_IP:
mydriver!RegisterCallbackFunction+bc [xxx.c @ 75]
8d8accf0 8bf0 mov esi,eax

SYMBOL_STACK_INDEX: 1

SYMBOL_NAME: mydriver!RegisterCallbackFunction+bc

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: mydriver

IMAGE_NAME: mydriver.sys

STACK_COMMAND: .cxr 0xffffffff83d79658 ; kb

BUCKET_ID: WRONG_SYMBOLS

Followup: MachineOwner


NTFSD is sponsored by OSR

For our schedule of debugging and file system seminars (including our new fs
mini-filter seminar) visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

Can I ask some question here ??
I need to use ObRegisterCallbacks too. But I don’t know where to add “/integritycheck” .
Where should I add it?

Hi. Modify your code like this:

USHORT registrationCount = 1;

Even if you have two callback-routines … there’s only *one*
OB_CALLBACK_REGISTRATION element.

erote news:xxxxx@ntfsd…
> Thank you.
> I applied and tested indirection &g_hProcCreateHandle but I also got BSOD.
> My source code is following.
> Need help!
>
> void *g_hProcCreateHandle = NULL;
> typedef struct _OB_REG_CONTEXT {
> in USHORT Version;
>
in UNICODE_STRING Altitude;
> __in USHORT ulIndex;
> } REG_CONTEXT, *PREG_CONTEXT;
> //
> // PRE OPERATION
> //
> OB_PREOP_CALLBACK_STATUS PreProcCreateRoutine(
> IN PVOID RegistrationContext, IN POB_PRE_OPERATION_INFORMATION
> OperationInformation)
> {
>
> //OB_PRE_OPERATION_INFORMATION OpInfo;
> DbgPrint(“PreProcCreateRoutine()\n”);
> return OB_PREOP_SUCCESS;
> }
> //
> // POST OPERATION
> //
> VOID PostProcCreateRoutine(
> IN PVOID RegistrationContext, IN POB_POST_OPERATION_INFORMATION
> OperationInformation)
> {
> DbgPrint(“PostProcCreateRoutine.\n”);
> }
> //
> // REGISTE CALLBACK FUNCTION
> //
> NTSTATUS RegisterCallbackFunction()
> {
> NTSTATUS ntStatus = STATUS_SUCCESS;
>
> UNICODE_STRING Altitude;
>
> USHORT filterVersion = ObGetFilterVersion();
> USHORT registrationCount = 2;
>
> OB_OPERATION_REGISTRATION RegisterOperation;
> OB_CALLBACK_REGISTRATION RegisterCallBack;
> REG_CONTEXT RegistrationContext;
>
> memset(&RegisterOperation, 0, sizeof(OB_OPERATION_REGISTRATION));
> memset(&RegisterCallBack, 0, sizeof(OB_CALLBACK_REGISTRATION));
> memset(&RegistrationContext, 0, sizeof(REG_CONTEXT));
>
> RegistrationContext.ulIndex = 1;
> RegistrationContext.Version = 120;
>
> if(filterVersion == OB_FLT_REGISTRATION_VERSION) {
> DbgPrint(“Filter Version is correct.\n”);
>
> RegisterOperation.ObjectType = PsProcessType;
> RegisterOperation.Operations = OB_OPERATION_HANDLE_CREATE;
> RegisterOperation.PreOperation = PreProcCreateRoutine;
> RegisterOperation.PostOperation = PostProcCreateRoutine;
>
> RegisterCallBack.Version = OB_FLT_REGISTRATION_VERSION;
> RegisterCallBack.OperationRegistrationCount = registrationCount;
>
> RtlInitUnicodeString(&Altitude, L"XXXXXXX");
> RegisterCallBack.Altitude = Altitude;
>
> RegisterCallBack.RegistrationContext = &RegistrationContext;
> RegisterCallBack.OperationRegistration = &RegisterOperation;
> DbgPrint(“Register Callback Function Entry!!!\n”);
>
> ntStatus = ObRegisterCallbacks(&RegisterCallBack, &g_hProcCreateHandle);
> if(ntStatus == STATUS_SUCCESS) {
> DbgPrint(“Register Callback Function Successful\n”);
> } else {
> if(ntStatus == STATUS_FLT_INSTANCE_ALTITUDE_COLLISION) {
> DbgPrint(“Status Filter Instance Altitude Collision\n”);
> }
> if(ntStatus == STATUS_INVALID_PARAMETER) {
> DbgPrint(“Status Invalid Parameter\n”);
> }
> if(ntStatus == STATUS_INSUFFICIENT_RESOURCES) {
> DbgPrint(“Status Allocate Memory Failed\n”);
> }
> DbgPrint(“Register Callback Function Failed with 0x%08x\n”, ntStatus);
> }
> } else {
> DbgPrint(“Filter Version is not supported.\n”);
> }
>
> return ntStatus;
> }
> //
> // FREE PROC FILTER
> //
> NTSTATUS FreeProcFilter()
> {
> if(NULL != &g_hProcCreateHandle) {
> ObUnRegisterCallbacks(&g_hProcCreateHandle);
> }
> return STATUS_SUCCESS;
> }
>

In your soueces file. LINKER _FLAGS=/INTEGRITYCHECK
Along with this your driver will need to be signed.

Bill Wandel

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of dcg1981@163.com
Sent: Friday, August 27, 2010 4:39 AM
To: Windows File Systems Devs Interest List
Subject: RE:[ntfsd] About ObRegisterCallbacks.

Can I ask some question here ??
I need to use ObRegisterCallbacks too. But I don’t know where to add
“/integritycheck” .
Where should I add it?


NTFSD is sponsored by OSR

For our schedule of debugging and file system seminars (including our new fs
mini-filter seminar) visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

In your SOURCES:

LINKER_FLAGS=/integritycheck

-scott


Scott Noone
Consulting Associate
OSR Open Systems Resources, Inc.
http://www.osronline.com

wrote in message news:xxxxx@ntfsd…
> Can I ask some question here ??
> I need to use ObRegisterCallbacks too. But I don’t know where to add
> “/integritycheck” .
> Where should I add it?
>

Thanks. :smiley: