0xc0000034 FltRegisterFilter

I’m trying to install my minifilter on the fly via the SCM without an INF file. In my DriverEntry I’m getting 0xc0000034 when I call FltRegisterFilter. My guess is the registry settings are not correct. What exactly should they be?

…Yes I know I should be using an INF, but in this case I need to make it work without one.

Thanks

Larry

The Instances key is probably missing or doesn’t point to the default Instance. Check the Minispy.inf; that is the minimal amount of registry keys that have to be present.

Kind regards, Dejan
http://www.alfasp.com
File system audit, security and encryption kits.

I wound up pushing the reg keys in and making the call, so this may be another method if you wish to use it. I’m sure there may be different opinions on doing this, but this is just an example and of course you will select the path that best suits your needs. This works well with XP / Vista (32/64) with and without UAC as well with permissions.

Under HKLM\System\CurrentControlSet\Services\(your driver’s name)

_stprintf(szKeyName, _T("System\\CurrentControlSet\\Services\\%s"), pszDriverName);
RegCreateKeyEx(hKey, szKeyName, 0, _T(""), 0, KEY_SET_VALUE | KEY_CREATE_SUB_KEY | KEY_ENUMERATE_SUB_KEYS, NULL, &hSubKey, &dwDisposition);
RegSetValueEx(hSubKey, _T("DisplayName"), 0, REG_SZ, …);
RegSetValueEx(hSubKey, _T("ErrorControl"), 0, REG_DWORD, …);
RegSetValueEx(hSubKey, _T("ImagePath"), 0, REG_SZ, …);
RegSetValueEx(hSubKey, _T("Start"), 0, REG_DWORD, …);
RegSetValueEx(hSubKey, _T("Type"), 0, REG_DWORD, …);
RegSetValueEx(hSubKey, _T("Tag"), 0, REG_DWORD, …);
RegSetValueEx(hSubKey, _T("DependOnService"), 0, REG_MULTI_SZ, …); // "FltMgr" for minifilter
RegSetValueEx(hSubKey, _T("Group"), 0, REG_MULTI_SZ, …); // Whatever group you are going under. In my case it was "FsFilter Activity Monitor"

Also, you will want to set your altitude(s).
Create a key under: HKLM\System\CurrentControlSet\Services\(your driver’s name)\Instances

RegSetValueEx(hSubKey, _T("DefaultInstance"), 0, REG_SZ, …); // goes under the key above with a value of: (your driver’s name) - Top instance as created below

Create a key under: HKLM\System\CurrentControlSet\Services\(your driver’s name)\Instances\(your driver’s name) - Top instance (or whatever you want to call it)

(Goes inside of the instance above)
RegSetValueEx(hSubKey, _T("Altitude"), 0, REG_SZ, …);
RegSetValueEx(hSubKey, _T("Flags"), 0, REG_DWORD, …);

You should also refer here for further info as it defines many of the keys and values:
http://msdn2.microsoft.com/en-us/library/ms793586.aspx
http://msdn2.microsoft.com/en-us/library/aa488218.aspx

And of course there is always the winnt.h defines. If you get it all correct, when you go to register/load it up, Windows will be nice enough to enumerate it for you and fill in the security info as well (enum/security keys will be created).
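
An added example, not code from any poster in this thread: a Python check over `reg export` text that verifies the Instances layout described above (DefaultInstance naming an existing instance key that holds Altitude and Flags). The driver name MyFilter and the sample export are constructed; value types other than strings and DWORDs are kept as raw text.

```python
import re

# Constructed sample: export for a hypothetical driver "MyFilter" whose
# DefaultInstance names an instance key that was never created.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MyFilter]
"Type"=dword:00000002
"Start"=dword:00000003
"Group"="FSFilter Activity Monitor"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MyFilter\Instances]
"DefaultInstance"="MyFilter - Top Instance"
'''

def parse_reg(text):
    """Parse .reg text into {lowercased key path: {lowercased value name: data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None:
            m = re.match(r'"([^"]+)"=(.*)$', line)
            if m:
                name, data = m.group(1).lower(), m.group(2)
                if data.startswith("dword:"):
                    data = int(data[6:], 16)            # REG_DWORD
                elif data.startswith('"'):
                    data = data[1:-1].replace("\\\\", "\\")  # REG_SZ, unescaped
                current[name] = data
    return keys

def check_minifilter(keys, driver):
    """Return a list of problems in the Instances layout for one service key."""
    base = ("hkey_local_machine\\system\\currentcontrolset\\services\\" + driver).lower()
    if base not in keys:
        return ["service key missing"]
    inst = keys.get(base + "\\instances")
    if inst is None:
        return ["Instances key missing"]
    default = inst.get("defaultinstance")
    if not isinstance(default, str) or not default:
        return ["DefaultInstance value missing"]
    sub = keys.get(base + "\\instances\\" + default.lower())
    if sub is None:
        return ["DefaultInstance names a key that does not exist: " + default]
    return [msg for ok, msg in (
        (isinstance(sub.get("altitude"), str), "Altitude (REG_SZ) missing"),
        (isinstance(sub.get("flags"), int), "Flags (REG_DWORD) missing")) if not ok]
```

Run it over the text of an export of the driver's service key; an empty list means the Instances layout from this thread is present.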