saving persistent registry information for a filter driver

What is the recommended place to save persistent information for a filter driver or others?
I have seen that some places are changing over restart and repair.

Is this good:
“\Registry\Machine\System\CurrentControlSet\Enum\” {Class}

On Mar 12, 2018, at 11:40 PM, xxxxx@x-publisher.com wrote:
>
> What is the recommended place to save persistent information for a filter driver or others?
> I have seen that some places are changing over restart and repair.
>
> Is this good:
> “\Registry\Machine\System\CurrentControlSet\Enum\” {Class}

You don’t ever specify the path directly. Use WdfDeviceOpenRegistryKey to get the proper key.

It depends. Is this information that is common to all instances? If so, then you’d put it in the “Services” key by using PLUGPLAY_REGKEY_DRIVER. If the information is specific to each device, then you’d put in the “Enum” key by using PLUGPLAY_REGKEY_DEVICE.

Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

thank you Tim,
Using WdfDeviceOpenRegistryKey we get WDFKEY. Is this castable to HANDLE to use with ZwEnumerateKey?

Wdf handles are not castable to anything else. They have Get or Retrieve functions to return the underlying properties. WdfRegistryWdmGetHandle

d

Bent from my phone


From: xxxxx@lists.osr.com on behalf of xxxxx@x-publisher.com
Sent: Tuesday, March 13, 2018 5:11:46 AM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] saving persistent registry information for a filter driver

thank you Tim,
Using WdfDeviceOpenRegistryKey we get WDFKEY. Is this castable to HANDLE to use with ZwEnumerateKey?


NTDEV is sponsored by OSR

Visit the list online at: https:

MONTHLY seminars on crash dump analysis, WDF, Windows internals and software drivers!
Details at https:

To unsubscribe, visit the List Server section of OSR Online at https:

If I do the following:
WdfDeviceOpenRegistryKey(device, PLUGPLAY_REGKEY_DRIVER…
I see that the variables are written to:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e96b-e325-11ce-bfc1-08002be10318}\0025
What does “0025” mean, and what does “ControlSet001” mean?
@Tim: I don’t see Services in the name.

I am a little bit confused. I want to save some information under my filter driver and my driver class starts with “{A3E32DBA…”
How can or should I do this if I shouldn't use the path directly?

There are multiple ControlSet00x, one of which is pointed to by the symbolic
link CurrentControlSet, which is all you should ever worry about.

As Tim Roberts already said:
" It depends. Is this information that is common to all instances? If so,
then you’d put it in the “Services” key by using PLUGPLAY_REGKEY_DRIVER. If
the information is specific to each device, then you’d put in the “Enum” key
by using PLUGPLAY_REGKEY_DEVICE."

Under the Services key of the CurrentControlSet is a name for your driver's
service, that is specified in the INX file. Under the Enum key is a key
for the specific class of device, and under it the specific
device instance.

Don Burn
Windows Driver Consulting
Website: http://www.windrvr.com

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of
xxxxx@x-publisher.com
Sent: Tuesday, March 13, 2018 12:13 PM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] saving persistent registry information for a filter
driver

If I do the following:
WdfDeviceOpenRegistryKey(device, PLUGPLAY_REGKEY_DRIVER…
I see that the variables are written to:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e96b-e325-11ce-bfc1-08002be10318}\0025
What does “0025” mean, and what does “ControlSet001” mean?
@Tim: I don’t see Services in the name.

I am a little bit confused. I want to save some information under my filter
driver and my driver class starts with “{A3E32DBA…”
How can or should I do this if I shouldn't use the path directly?



xxxxx@x-publisher.com wrote:

> thank you Tim,
> Using WdfDeviceOpenRegistryKey we get WDFKEY. Is this castable to HANDLE to use with ZwEnumerateKey?

Google would have told you this.  There are “get” and “set” functions
within KMDF directly: WdfRegistryAssignXxx and WdfRegistryQueryXxx.  If
you’re persisting data, you don’t usually need to enumerate the subkeys,
but as Doron said, WdfRegistryWdmGetHandle will let you do that.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

xxxxx@x-publisher.com wrote:

> If I do the following:
> WdfDeviceOpenRegistryKey(device, PLUGPLAY_REGKEY_DRIVER…
> I see that the variables are written to:
> HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e96b-e325-11ce-bfc1-08002be10318}\0025
> What does “0025” mean, and what does “ControlSet001” mean?

Windows keeps several copies of the driver/device configuration
information in the registry, for recoverability purposes, called
ControlSet001, ControlSet002, etc.  There is an alias called
CurrentControlSet that points to the one currently active.  You don’t
see it much any more, but at boot time you have the option to boot to
the “last known good configuration”; all that does is switch the
CurrentControlSet link to the previous one.  As a coder, you will always
use CurrentControlSet.

{4d36e96b-e325-11ce-bfc1-08002be10318} is the ClassGuid for keyboard
drivers, as you apparently specified in your INF file.

The 0025 simply means that yours is the 26th keyboard driver to be
enumerated on this computer.  If you go into regedit, you should be able
to see the other 25 entries.

> @Tim: I don’t see Services in the name.

Hmmm.  I thought PLUGPLAY_REGKEY_DRIVER points to the Services key.  It
may be you need to open that key directly.  That would give you a key
for your filter, independent of the devices you are filtering.  I
presume you know the service name of your filter driver.  Note that your
custom entries go in the Parameters subkey of the Services entry.

> I am a little bit confused. I want to save some information under my filter driver and my driver class starts with “{A3E32DBA…”
> How can or should I do this if I shouldn't use the path directly?

What do you mean by “my driver class starts with {A3E32DBA…”?  Where
do you see that GUID?

The concept “under my filter driver” doesn’t really mean anything. 
There are several places in the registry where device/driver data get
stored.  The Enum tree is “per device”, and uses the device’s hardware
ID as its key.  The Control\Class tree is per driver installation, and
uses the INF ClassGuid as its key.  The Services tree is “per driver”,
and uses the driver’s service name as its key.  A filter driver is a bit
like a parasite, because you are borrowing several of those locations. 
The Services tree belongs strictly to the driver – not device related
– but that means you need to be careful to make sure the information
isn’t specific to any one device.  Always think “what happens if I’m
filtering three keyboards?”


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.
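
The three locations Tim describes (Enum per device, Control\Class per driver installation, Services per driver) can be inspected read-only from an elevated PowerShell prompt. This is an added example, not part of the original thread; the class GUID is the keyboard class quoted above, and `myfilterdriver` is the poster's placeholder service name.

```powershell
# Added example (not from the thread): read-only map of the registry locations discussed above.
param(
    [string]$ClassGuid   = '{4d36e96b-e325-11ce-bfc1-08002be10318}',  # keyboard class, from the thread
    [string]$ServiceName = 'myfilterdriver'                            # placeholder service name
)

$system = 'HKLM:\SYSTEM'

# CurrentControlSet is a link; HKLM\SYSTEM\Select\Current holds the number of the active set.
$select = Get-ItemProperty -Path "$system\Select"
$active = 'ControlSet{0:D3}' -f $select.Current
"Active control set: $active (LastKnownGood = $($select.LastKnownGood))"

$ccs = "$system\CurrentControlSet"

# Per device (PLUGPLAY_REGKEY_DEVICE): Enum\<enumerator>\<device id>\<instance>.
# Each instance's 'Driver' value names its Control\Class\<ClassGuid>\NNNN key.
$devices = Get-ChildItem -Path "$ccs\Enum" -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $_.GetValue('ClassGUID') -eq $ClassGuid } |
    ForEach-Object {
        [pscustomobject]@{
            EnumKey      = $_.Name
            DriverKey    = $_.GetValue('Driver')        # e.g. {guid}\0025
            Service      = $_.GetValue('Service')
            UpperFilters = $_.GetValue('UpperFilters') -join ','
            LowerFilters = $_.GetValue('LowerFilters') -join ','
        }
    }
$devices | Format-List

# Per driver installation (PLUGPLAY_REGKEY_DRIVER): Control\Class\<ClassGuid>\NNNN.
foreach ($d in $devices | Where-Object DriverKey) {
    $classKey = "$ccs\Control\Class\$($d.DriverKey)"
    if (Test-Path -LiteralPath $classKey) { "Software key: $classKey" }
}

# Class-wide filters are registered on the class key itself.
$cls = Get-Item -LiteralPath "$ccs\Control\Class\$ClassGuid" -ErrorAction SilentlyContinue
if ($cls) { "Class UpperFilters: $($cls.GetValue('UpperFilters') -join ', ')" }

# Per driver (WdfDriverOpenParametersRegistryKey): Services\<name>\Parameters.
$params = "$ccs\Services\$ServiceName\Parameters"
if (Test-Path -LiteralPath $params) {
    Get-ItemProperty -LiteralPath $params | Select-Object * -ExcludeProperty PS*
} else {
    "No Parameters key for service '$ServiceName'"
}
```

Comparing the `DriverKey` column across several keyboards shows why per-device data does not belong in the Services tree: every instance shares one Parameters key but has its own Enum and Control\Class entry.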

Sorry, I want
Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\"myfilterdriver"
and I do
WdfDeviceOpenRegistryKey(device, PLUGPLAY_REGKEY_DRIVER…
but don't get the above. What is wrong?

The Driver is created with WdfDriverCreate and at this moment the RegistryPath is set to services. Should I save the RegistryPath, or is there a better method, because PLUGPLAY_REGKEY_DRIVER from a device gives me another hive?

xxxxx@x-publisher.com wrote:

> Sorry, I want
> Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\"myfilterdriver"
> and I do
> WdfDeviceOpenRegistryKey(device, PLUGPLAY_REGKEY_DRIVER…
> but don't get the above. What is wrong?

My advice was wrong.  PLUGPLAY_REGKEY_DRIVER goes to the Control\Class tree.

You can use WdfDriverOpenParametersRegistryKey to get to the
Services\xxx\Parameters tree.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

xxxxx@x-publisher.com wrote:

> The Driver is created with WdfDriverCreate and at this moment the RegistryPath is set to services. Should I save the RegistryPath, or is there a better method, because PLUGPLAY_REGKEY_DRIVER from a device gives me another hive?

You know, it only took me 15 seconds with Google to find the answer to
this, as I just posted.  Searching for “driver registry keys” took me to
the article entitled “Introduction to Registry Keys for Drivers”, and
the first subsection describes how a KMDF driver gets to the Services key.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

@Tim: Thank you for your detailed explanation.

What do you mean by this:
“…you’re persisting data, you don’t usually need to enumerate the subkeys,”
If I save data to different subkeys like “setting 1”, “setting 2”, what is the way to access them?

xxxxx@x-publisher.com wrote:

> @Tim: Thank you for your detailed explanation.
>
> What do you mean by this:
> “…you’re persisting data, you don’t usually need to enumerate the subkeys,”
> If I save data to different subkeys like “setting 1”, “setting 2”, what is the way to access them?

You just open the keys by name, with WdfRegistryOpenKey.  Enumeration is
only necessary if you don’t know what subkeys to expect.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.