Mouclass upper filter with RDP

> Maxim S. Shatskih wrote:

At least “kbdfiltr” from the samples have the code both for generic PnP keyboard
filter (between kbdclass and the port driver), as also for PS/2 i8042prt plugin
callbacks.

I mean the following:

WDK 7.1/moufiltr/Moufiltr.htm:

“The .inf file included in this sample is designed to filter a PS/2 mouse”.

Doron Holan wrote:

for the vast majority of people, you want your filter before mouclass. After
is not the best place for it. The amount of complexity you deal with being
before is much smaller than after

Yes, may be.

> I mean the following:

> WDK 7.1/moufiltr/Moufiltr.htm:

And I mean the code.

The code (when I was last looking into it years ago) contains both i8042prt plugin (PS/2 only) and the generic PnP mouse filter, below mouclass and above the port.

You only filter only the “register callback” IRP and wrap a decorator around the callback.

The callback sees the array of mouse message structures and head/tail pointers in it.

–
Maxim S. Shatskih
Microsoft MVP on File System And Storage
xxxxx@storagecraft.com
http://www.storagecraft.com

I am using wdf. Is that an issue?

No it is not

Sent from Outlook Mailhttp: for Windows 10 phone

From: xxxxx@heinostenkoti.com
Sent: Monday, October 19, 2015 10:05 AM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] Mouclass upper filter with RDP

I am using wdf. Is that an issue?

—
NTDEV is sponsored by OSR

Visit the list at: https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.osronline.com%2Fshowlists.cfm%3Flist%3Dntdev&data=01|01|Doron.Holan%40microsoft.com|5832e33ccf0243a7e58008d2d8a789c3|72f988bf86f141af91ab2d7cd011db47|1&sdata=pDqyW5V5WHP%2FYoeibitYdQsP1kzPvsOlRuxDqWHxZME%3D

OSR is HIRING!! See https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.osr.com%2Fcareers&data=01|01|Doron.Holan%40microsoft.com|5832e33ccf0243a7e58008d2d8a789c3|72f988bf86f141af91ab2d7cd011db47|1&sdata=q9zrDbxdawWs9hYfGdQ6%2Bcl%2BccpmESYcEGgG5u2d1Xk%3D

For our schedule of WDF, WDM, debugging and other seminars visit:
https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.osr.com%2Fseminars&data=01|01|Doron.Holan%40microsoft.com|5832e33ccf0243a7e58008d2d8a789c3|72f988bf86f141af91ab2d7cd011db47|1&sdata=8NSGynFmNtJLl%2BqrKxK%2BQvjFV1uwcgEWFa5XldzRniw%3D

To unsubscribe, visit the List Server section of OSR Online at https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.osronline.com%2Fpage.cfm%3Fname%3DListServer&amp;data=01|01|Doron.Holan%40microsoft.com|5832e33ccf0243a7e58008d2d8a789c3|72f988bf86f141af91ab2d7cd011db47|1&amp;sdata=LGwGC%2FvrQ5MKpZAIprtv4sB96z6A38Hs418jyEetN%2FI%3D</http:>

I am using SC CREATE moufiltr binPath=C:\windows… type= kernel to install the service. Then I added UpperFilters=moufiltr mouclass to registry.
Now I get message: “Trying to disable physical device not enabled in this session” and the mouse is not working in rdp.
Please help… I am new to driver programming… I will buy you a beer if you come to Finland!

What specific operation is returning the “Tryng to disable…” message? Neither adding the registry value or SC registration will result in that type of message.

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@heinostenkoti.com
Sent: Monday, October 19, 2015 11:00 AM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] Mouclass upper filter with RDP

I am using SC CREATE moufiltr binPath=C:\windows… type= kernel to install the service. Then I added UpperFilters=moufiltr mouclass to registry.
Now I get message: “Trying to disable physical device not enabled in this session” and the mouse is not working in rdp.
Please help… I am new to driver programming… I will buy you a beer if you come to Finland!

—
NTDEV is sponsored by OSR

Visit the list at: https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.osronline.com%2Fshowlists.cfm%3Flist%3Dntdev&amp;data=01|01|Doron.Holan%40microsoft.com|e01494b2bce04993ddcd08d2d8af2b0a|72f988bf86f141af91ab2d7cd011db47|1&amp;sdata=hRQnMTb518RU4nAsytagGtkTEMh0TkC7Pc4BtwL6Qes%3D

OSR is HIRING!! See https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.osr.com%2Fcareers&amp;data=01|01|Doron.Holan%40microsoft.com|e01494b2bce04993ddcd08d2d8af2b0a|72f988bf86f141af91ab2d7cd011db47|1&amp;sdata=GO4H1QVbxX%2FrCW5K580ftsI3qQ%2FkNB1E4Idaz7NT2B0%3D

For our schedule of WDF, WDM, debugging and other seminars visit:
https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.osr.com%2Fseminars&amp;data=01|01|Doron.Holan%40microsoft.com|e01494b2bce04993ddcd08d2d8af2b0a|72f988bf86f141af91ab2d7cd011db47|1&amp;sdata=dQvUvKFJUvLIRRX2xHHBDBqsLoDEzqYpeBd%2FOjzXkz8%3D

To unsubscribe, visit the List Server section of OSR Online at https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.osronline.com%2Fpage.cfm%3Fname%3DListServer&amp;data=01|01|Doron.Holan%40microsoft.com|e01494b2bce04993ddcd08d2d8af2b0a|72f988bf86f141af91ab2d7cd011db47|1&amp;sdata=IdYL3gG48lfN15LwSgOgtW9qy3gL3G4z4sdr17kWIgY%3D

That is what I saw in debugview. I thought it was telling me something went wrong.
Is it enough, if I just use SC CREATE and then add my filter to UpperFilters section?
I am using windows driver frameworks sample to do this… I am trying to fing how I can debug my source.
I think I have seen my _DeviceAdd entry but nothing more after that…

xxxxx@heinostenkoti.com wrote:

That is what I saw in debugview. I thought it was telling me something went wrong.
Is it enough, if I just use SC CREATE and then add my filter to UpperFilters section?

Copy the driver into place, create the service, add the filter to
UpperFilters, then restart the device. That’s what it takes.

–
Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

FIlter driver is running in rdp fine. Now I should know the username of the rdp connection to be sure that this user is the one with the touchpad that needs to be corrected. It should do nothing for users with normal windows remote desktop connection.

Any api to get user in DriverEntry/DeviceAdd ?

User SID, not user name.

Forget user names in the kmode code.

LookupAccountName SID->name resolution sometimes requires an RPC/XML/SOAP query to the AD domain controller, which is surely out of the scope of the kmode code.

DriverEntry/DeviceAdd, even for RDP input stack, run in a system thread, and you cannot get any user SIDs there.

In kmode, you can get the IRP’s originating thread, and then thread’s token object, and then query the SID from the token.

Also note that the same logon/UI session can continue across several RDP connections from different clients, or switch from RDP to physical display/input and back. Do not forget this in your design.

–
Maxim S. Shatskih
Microsoft MVP on File System And Storage
xxxxx@storagecraft.com
http://www.storagecraft.com

wrote in message news:xxxxx@ntdev…
> FIlter driver is running in rdp fine. Now I should know the username of the rdp connection to be sure that this user is the one with the touchpad that needs to be corrected. It should do nothing for users with normal windows remote desktop connection.
>
> Any api to get user in DriverEntry/DeviceAdd ?
>

I recently stumbled up GetSecurityUserData() which I think will return this
information at least for some scenarios. Never used it and I agree with Max
that you want to use a SID, but I had no idea that it existed at all.

mm

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Maxim S. Shatskih
Sent: Tuesday, October 20, 2015 6:50 AM
To: Windows System Software Devs Interest List
Subject: Re:[ntdev] Mouclass upper filter with RDP

User SID, not user name.

Forget user names in the kmode code.

LookupAccountName SID->name resolution sometimes requires an
RPC/XML/SOAP query to the AD domain controller, which is surely out of the
scope of the kmode code.

DriverEntry/DeviceAdd, even for RDP input stack, run in a system thread,
and you cannot get any user SIDs there.

In kmode, you can get the IRP’s originating thread, and then thread’s
token object, and then query the SID from the token.

Also note that the same logon/UI session can continue across several RDP
connections from different clients, or switch from RDP to physical
display/input and back. Do not forget this in your design.

–
Maxim S. Shatskih
Microsoft MVP on File System And Storage xxxxx@storagecraft.com
http://www.storagecraft.com

wrote in message news:xxxxx@ntdev…
> FIlter driver is running in rdp fine. Now I should know the username of
the rdp connection to be sure that this user is the one with the touchpad
that needs to be corrected. It should do nothing for users with normal
windows remote desktop connection.
>
> Any api to get user in DriverEntry/DeviceAdd ?
>

—
NTDEV is sponsored by OSR

Visit the list at: http://www.osronline.com/showlists.cfm?list=ntdev

OSR is HIRING!! See http://www.osr.com/careers

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

I have my mouclass upper filter running and it works fine with windows remote clients. With Blackbox invisaPC and industrial touchscreen it works fine until the windows login screen. But when I actually log in it stops working…
I can debug that it adds a device (or two) while connecting with rdp. But it also adds two times while logging in… And the last one is the only one with NO “Trying to disable physical device not enabled in this session.” And after that the filter driver is not receiving input…

Any idea what to do? Thanks!

Can somebody help me?
Mouclass upper filter works fine until I enter my username and password to log in…

First connection works fine with IOCTL_INTERNAL_MOUSE_CONNECT, IRP_MJ_CREATE and IOCTL_MOUSE_QUERY_ATTRIBUTES, but when I actually login with my remote I only get IOCTL_MOUSE_CONNECT… and after that the filter driver is no longer working.
What should I do to solve this?

xxxxx@heinostenkoti.com wrote:

First connection works fine with IOCTL_INTERNAL_MOUSE_CONNECT, IRP_MJ_CREATE and IOCTL_MOUSE_QUERY_ATTRIBUTES, but when I actually login with my remote I only get IOCTL_MOUSE_CONNECT… and after that the filter driver is no longer working.
What should I do to solve this?

Did you miss this reply from Doron two weeks ago (who used to work on
the HID stack in Windows), or are you simply choosing to ignore it?

Rdp input does not go through a PnP stack so your
filter is not involved. Rdp input is not designed to be filtered

–
Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

Allow me to reformat:

Tim Roberts wrote:

xxxxx@heinostenkoti.com wrote:
> First connection works fine with IOCTL_INTERNAL_MOUSE_CONNECT, IRP_MJ_CREATE and IOCTL_MOUSE_QUERY_ATTRIBUTES, but when I actually login with my remote I only get IOCTL_MOUSE_CONNECT… and after that the filter driver is no longer working.
> What should I do to solve this?
Did you miss this reply from Doron two weeks ago (who used to work on
the HID stack in Windows), or are you simply choosing to ignore it?

> Rdp input does not go through a PnP stack so your
> filter is not involved. Rdp input is not designed to be filtered

–
Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

“Rdp input does not go through a PnP stack so your
filter is not involved. Rdp input is not designed to be filtered”

I don’t agree with that. Windows Server 2012R2 supports that.

I have the filter working in rdp connection. I can get the login screen through rdp connection ( with IOCTL_INTERNAL_MOUSE_CONNECT, IRP_MJ_CREATE
and IOCTL_MOUSE_QUERY_ATTRIBUTES).

But after entering password I only get IOCTL_MOUSE_CONNECT.

So I think it has something to do with the “double connecting”…

And it works fine with Windows client…

Heinis,
can you see any IRP_MJ_READ requests for the mouclass driver when you
logon remotely and the “Black Box InvisaPC” is plugged ? Check it.
This is an important step to analyse problem. Perhaps the touchscreen
is mapped on the keyboard device, not mouse, and you need to write a
keyboard filter instead a mouse filter. Perhaps InvisaPC bypasses the RDP
input stack although I cannot imagine this.

For example, locate the mouclass driver object (use ObReferenceObjectByName
with device “\Driver\mouclass”) and replace it’s IRP_MJ_READ handler
with your own function:

PDRIVER_DISPATCH OriginalFunction;
int Counter = 0;

NTSTATUS HookFunction(DEVICE_OBJECT * pDeviceObj, IRP * pIrp)
{
DbgPrint(“%d\r\n”, Counter++);
return (OriginalFunction(pDeviceObj, pIrp));
}

InvisaPC must be already plugged at this time.
Now logon remotely and try to move a mouse. If you do not see any debug
messages (are you see debug messages normally ?) the game is over
(or you need to go deeper).

As a next stage, test your driver with the physical mouse, i.e. in the
console environment only. Use driver verifier, static asserts, and,
if you have, checked builds of Windows. Follow the common driver
development guidelines, check return values, do not use paged memory
on a high IRQL, implement all standard routines correctly and so on.

Also, and this is very important, try to plug and unplug other mouse,
touchscreen and touchpad devices during testing. In all cases your driver
must intercept all input without any hangs, loses and any other “anomalies”.
Check that a filter always correctly attached to the all input stacks.
Use !drvobj, !devobj, !devstack commands of the WinDBG. Also you may
call IoRegisterPlugPlayNotification and see every attach and detach events
related to the mouse stack (you need GUID_DEVICE_INTERFACE_ARRIVAL/REMOVAL
on a GUID_DEVINTERFACE_MOUSE).

WinDBG, MSDN and W.Oney (see the chapter “Filter drivers”) will help you.

Now you are ready to intercept the RDP input.

Unfortunately, I never write a filters for the RDP that are attached
to the input stack below the class driver (kbdclass/mouclass). And I can’t
promise that a moufltr code sample will works in the RDP session, especially
with the third-party device installed.

So, try to attach your filter over a mouclass.
This is a pretty simple solution: all of you need is implement AddDevice,
PnP and the Power handlers. And, obviously, you need a read handler.
Other requests may be passed down without any processing (“forward and forget”).

I have positive experience with this technique: everything works fine on
all Windows versions starting from the Windows XP.

Thanks Aleh!

I will try.
But the fact that I am getting the windows login screen and that time the filter driver is working fine. So I think the filter works fine with rdp ( as it does if I use a normal mouse with InvisaPC or if I am using a windows rdp client).