Determining Boot Volume from DriverEntry() in Boot Start minifilter

Is there a means to reliably determine the system root and/or boot volume in DriverEntry() in a boot start driver?

Details:
Our driver currently determines the boot volume using FltGetVolumeFromName(“\SystemRoot”), and then using FltGetVolumeName() on the volume that is returned. That method doesn’t work for a boot start driver. I figure that if I can get the driver’s image name, I will have what I need, but I haven’t found a way to get that.

I tried the registry entry for the service, but it has a string value, ImagePath, that gives only “system32\DRIVERS\mydriver.sys”, less the actual system root.

I tried ObQueryNameString() on the DriverObject, but it returns “\FileSystem\mydriver”.

The system and boot volumes aren’t created yet when you’re called at DriverEntry for boot start.

You need to wait for InstanceSetup and check the Flags field in the FltGetDiskDeviceObject device object:

  • DO_SYSTEM_BOOT_PARTITION - \Windows directory
  • DO_SYSTEM_SYSTEM_PARTITION - Boot manager
  • DO_SYSTEM_CRITICAL_PARTITION - OEM stuff
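
The check described in the answer above, as an added example that is not part of the original thread: an InstanceSetup callback reads the disk device object's Flags and saves the boot volume's name the first time it appears. `ExampleInstanceSetup`, `VolumeRoles`, the `ROLE_*` bits and `g_BootVolumeName` are hypothetical names, and the non-kernel branch uses stand-in flag values so the mapping can be compiled and tested on a host (it assumes `_KERNEL_MODE` is defined only in the WDK build).

```c
/* Added example: classify a volume in InstanceSetup by its disk device flags. */
#ifdef _KERNEL_MODE                 /* assumption: WDK build with /kernel */
#include <fltKernel.h>
#else                               /* host build, for unit-testing the mapping */
typedef unsigned long ULONG;
/* Stand-in bit values for host builds only; the WDK headers are authoritative. */
#define DO_SYSTEM_BOOT_PARTITION     0x00000100UL
#define DO_SYSTEM_SYSTEM_PARTITION   0x00200000UL
#define DO_SYSTEM_CRITICAL_PARTITION 0x00400000UL
#endif

#define ROLE_BOOT     0x1u          /* holds the \Windows directory */
#define ROLE_SYSTEM   0x2u          /* holds the boot manager */
#define ROLE_CRITICAL 0x4u          /* OEM partition */

/* Map DEVICE_OBJECT.Flags to role bits; one disk device may carry several. */
static unsigned VolumeRoles(ULONG deviceFlags)
{
    unsigned roles = 0;
    if (deviceFlags & DO_SYSTEM_BOOT_PARTITION)     roles |= ROLE_BOOT;
    if (deviceFlags & DO_SYSTEM_SYSTEM_PARTITION)   roles |= ROLE_SYSTEM;
    if (deviceFlags & DO_SYSTEM_CRITICAL_PARTITION) roles |= ROLE_CRITICAL;
    return roles;
}

#ifdef _KERNEL_MODE
static WCHAR g_BootNameBuf[128];    /* hypothetical storage for the volume name */
static UNICODE_STRING g_BootVolumeName = { 0, sizeof(g_BootNameBuf), g_BootNameBuf };

NTSTATUS FLTAPI ExampleInstanceSetup(PCFLT_RELATED_OBJECTS FltObjects,
    FLT_INSTANCE_SETUP_FLAGS Flags, DEVICE_TYPE DeviceType, FLT_FILESYSTEM_TYPE FsType)
{
    PDEVICE_OBJECT disk = NULL;
    unsigned roles;
    UNREFERENCED_PARAMETER(Flags); UNREFERENCED_PARAMETER(DeviceType); UNREFERENCED_PARAMETER(FsType);

    /* Volumes with no disk device (e.g. network) fail here; attach anyway. */
    if (!NT_SUCCESS(FltGetDiskDeviceObject(FltObjects->Volume, &disk)))
        return STATUS_SUCCESS;
    roles = VolumeRoles(disk->Flags);
    ObDereferenceObject(disk);      /* FltGetDiskDeviceObject took a reference */

    /* Save the name of the first volume flagged as the boot partition. */
    if ((roles & ROLE_BOOT) && g_BootVolumeName.Length == 0)
        (void)FltGetVolumeName(FltObjects->Volume, &g_BootVolumeName, NULL);
    return STATUS_SUCCESS;          /* attach to every volume */
}
#endif
```

In a driver, `ExampleInstanceSetup` would be supplied as the `InstanceSetupCallback` member of the `FLT_REGISTRATION` structure passed to `FltRegisterFilter`.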

Thanks Scott! I figured they were not known yet, but then it knew where to find my driver, so I wasn’t sure.

_Ron