Windows System Software -- Consulting, Training, Development -- Unique Expertise, Guaranteed Results

Before Posting...
Please check out the Community Guidelines in the Announcements and Administration Category.

Determining Boot Volume from DriverEntry() in Boot Start minifilter

rstruempfrstruempf Member Posts: 103
edited April 19 in NTFSD

Is there a means to reliably determine the system root and/or boot volume in DriverEntry() in a boot start driver?

Details:
Our driver currently determines the boot volume using FltGetVolumeFromName("\SystemRoot"), and then using FltGetVolumeName() on the volume that is returned. That method doesn't work for a boot start driver. I figure if I can get the driver's image name, that I will have what I need, but I haven't found a way to get that.

I tried the registry entry for the service, but it has a string value, ImagePath, that gives only "system32\DRIVERS\mydriver.sys", less the actual system root.

I tried ObQueryNameString() on the DriverObject, but it returns "\FileSystem\mydriver"

Comments

  • Scott_Noone_(OSR)Scott_Noone_(OSR) Administrator Posts: 3,142

    The system and boot volumes aren't created yet when you're called at DriverEntry for boot start.

    You need to wait for InstanceSetup and check the Flags field in the FltGetDiskDeviceObject device object:

    • DO_SYSTEM_BOOT_PARTITION - \Windows directory
    • DO_SYSTEM_SYSTEM_PARTITION - Boot manager
    • DO_SYSTEM_CRITICAL_PARTITION - OEM stuff

    -scott
    OSR

  • rstruempfrstruempf Member Posts: 103

    Thanks Scott! I figured they were not known yet, but then it knew where to find my driver, so I wasn't sure.

    _Ron

Sign In or Register to comment.

Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!

Upcoming OSR Seminars
Developing Minifilters 29 July 2019 OSR Seminar Space
Writing WDF Drivers 23 Sept 2019 OSR Seminar Space
Kernel Debugging 21 Oct 2019 OSR Seminar Space
Internals & Software Drivers 18 Nov 2019 Dulles, VA