WFP Drivers conflicts

A_bot Member Posts: 2

Hello everyone,

I am facing a problem with a WFP driver, based on the inspect example shared by Microsoft.

My driver only monitors connections, nothing is blocked, no modifications are performed on the packets, and this driver has worked well every day for a year.

But when a specific piece of software (with a WFP driver) is installed on the same machine, the network connection is totally cut, and I need some help to debug this.

This issue is encountered with Checkpoint VPN Client, or Kaspersky Total Security for example, and I bet the issue is the same if I start 2 WFP drivers (didn't test yet).

After multiple tests I see the problem occurs in TLInspectCloneReinjectOutbound.

I don't know why, but when another WFP driver is present, the packet netBufferList is NULL when the ReinjectOutbound is called.

And this makes FwpsAllocateCloneNetBufferList fail with error STATUS_FWP_NULL_POINTER.

Here is the beginning of the function if it helps (the original source code is on GitHub, WFP inspect by Microsoft)

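NTSTATUS TLInspectCloneReinjectOutbound(_Inout_ TL_INSPECT_PENDED_PACKET* packet)
{
    NTSTATUS status = STATUS_SUCCESS;
    NET_BUFFER_LIST* clonedNetBufferList = NULL;

    if (debugLog) DbgPrint("DEBUG %lu Start TLInspectCloneReinjectOutbound\n", HandleToULong(PsGetCurrentThreadId()));

    // Debug check: log when the pended packet carries no NET_BUFFER_LIST.
    if (packet->netBufferList == NULL)
    {
        if (debugLog) DbgPrint("WARNING %lu netBufferList is null\n", HandleToULong(PsGetCurrentThreadId()));
    }

    // Clone the pended NBL; with a NULL source this call returns STATUS_FWP_NULL_POINTER.
    status = FwpsAllocateCloneNetBufferList(packet->netBufferList, NULL, NULL, 0, &clonedNetBufferList);
    if (!NT_SUCCESS(status))
    {
        if (debugLog) DbgPrint("ERROR %lu FwpsAllocateCloneNetBufferList Failed, error: 0x%x\n", HandleToULong(PsGetCurrentThreadId()), status);
        goto Exit;
    }

    // ... (rest of the function not included in the post)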


Thanks for your help,


  • Jason_Stephenson Member Posts: 72

    > My driver only monitors connections, nothing is blocked, no modifications are performed on the packets, and this driver has worked well every day for a year.

    Not sure this statement is correct if you're cloning and re-injecting. You're not just passively monitoring.

    In terms of next steps I'd use:

    netsh wfp show filters
    netsh wfp show state

    To see exactly what the state of the system is, then take it from there.
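
One way to read the output of the `netsh wfp show filters` step suggested above, as an added example that is not part of the thread: the script lists the layers where filters reference more than one distinct callout, which is where two WFP drivers see the same traffic. It assumes the XML report written by netsh (filters.xml by default) uses the `wfpdiag/filters/item` layout shown in the constructed sample; the function names, filter names and GUIDs are made up for illustration.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample: names and GUIDs are made up; the element layout is an
# assumption about the filters.xml report, trimmed to the fields used here.
SAMPLE = """<wfpdiag><filters numItems="4">
<item><displayData><name>inspect outbound (constructed)</name></displayData>
  <layerKey>FWPM_LAYER_OUTBOUND_TRANSPORT_V4</layerKey>
  <action><type>FWP_ACTION_CALLOUT_TERMINATING</type>
    <calloutKey>{00000000-0000-0000-0000-000000000001}</calloutKey></action></item>
<item><displayData><name>other vendor outbound (constructed)</name></displayData>
  <layerKey>FWPM_LAYER_OUTBOUND_TRANSPORT_V4</layerKey>
  <action><type>FWP_ACTION_CALLOUT_UNKNOWN</type>
    <calloutKey>{00000000-0000-0000-0000-000000000002}</calloutKey></action></item>
<item><displayData><name>inspect connect (constructed)</name></displayData>
  <layerKey>FWPM_LAYER_ALE_AUTH_CONNECT_V4</layerKey>
  <action><type>FWP_ACTION_CALLOUT_TERMINATING</type>
    <calloutKey>{00000000-0000-0000-0000-000000000003}</calloutKey></action></item>
<item><displayData><name>plain permit (constructed)</name></displayData>
  <layerKey>FWPM_LAYER_OUTBOUND_TRANSPORT_V4</layerKey>
  <action><type>FWP_ACTION_PERMIT</type></action></item>
</filters></wfpdiag>"""


def callouts_by_layer(xml_text):
    """Return {layerKey: [(filter name, action type, calloutKey), ...]}."""
    layers = defaultdict(list)
    for item in ET.fromstring(xml_text).findall("./filters/item"):
        action = item.findtext("action/type", default="")
        if not action.startswith("FWP_ACTION_CALLOUT"):
            continue  # permit/block filters do not invoke a callout driver
        layers[item.findtext("layerKey", default="?")].append((
            item.findtext("displayData/name", default="(unnamed)"),
            action,
            item.findtext("action/calloutKey", default="?"),
        ))
    return dict(layers)


def shared_layers(xml_text):
    """Layers where filters reference more than one distinct callout."""
    return {layer: rows for layer, rows in callouts_by_layer(xml_text).items()
            if len({key for _, _, key in rows}) > 1}


if __name__ == "__main__":
    # On a real host, pass open("filters.xml", "rb").read() instead of SAMPLE.
    for layer, rows in shared_layers(SAMPLE).items():
        print(layer)
        for name, action, key in rows:
            print(f"  {action:32} {key}  {name}")
```
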
