AddDevice for Volume filter is not called for Boot Partition

Hi, Guys!

I have one problem and I really don’t know how to solve it. I have a Volume filter and on my PC there are 2 disks with 4 partitions. When the system starts, AddDevice is called only 3 times. I figured out that AddDevice is not called for the Boot Volume. In the debugger I see that ftdisk.sys created 5 devices (1 control and 4 PDOs). For 3 of them AddDevice was called and stacks were constructed, but it is not so for the System Volume.

Later I see that ntfs.sys creates devices and attaches them to the Boot volume PDO through the VPB.

Can you please help me understand why this can be so?

Thanks in advance.

Wrong newsgroup.

wrote in message news:xxxxx@ntfsd…
> Hi, Guys!
>
> I have one problem and I really don’t know how to solve it. I have a Volume
> filter and on my PC there are 2 disks with 4 partitions. When the system
> starts, AddDevice is called only 3 times. I figured out that AddDevice is not
> called for the Boot Volume. In the debugger I see that ftdisk.sys created 5
> devices (1 control and 4 PDOs). For 3 of them AddDevice was called and
> stacks were constructed, but it is not so for the System Volume.
>
> Later I see that ntfs.sys creates devices and attaches them to the Boot volume
> PDO through the VPB.
>
> Can you please help me understand why this can be so?
>
> Thanks in advance.
>

Something is not right.
The first AddDevice should have been for the boot volume.
Check your logic of registering the (upper I assume!) volume filter.

Is it WDM based or KMDF?
Harish

-----Original Message-----
From: xxxxx@rambler.ru [mailto:xxxxx@rambler.ru]
Sent: Tuesday, February 10, 2009 6:34 AM
To: Windows File Systems Devs Interest List
Subject: [ntfsd] AddDevice for Volume filter is not called for Boot
Partition

Hi, Guys!

I have one problem and I really don’t know how to solve it. I have a
Volume filter and on my PC there are 2 disks with 4 partitions. When the
system starts, AddDevice is called only 3 times. I figured out that
AddDevice is not called for the Boot Volume. In the debugger I see that
ftdisk.sys created 5 devices (1 control and 4 PDOs). For 3 of them
AddDevice was called and stacks were constructed, but it is not so for
the System Volume.

Later I see that ntfs.sys creates devices and attaches them to the Boot volume
PDO through the VPB.

Can you please help me understand why this can be so?

Thanks in advance.



It is WDM based. Interestingly, AddDevice is called for all other volumes. My Boot volume is HarddiskVolume2, and while receiving AddDevice I see the following sequence of volumes it is called for:
HarddiskVolume1
HarddiskVolume3
HarddiskVolume4

and that is everything. HarddiskVolume2 is just skipped.

One question: can Enum\Storage\Volume.… <- changes to this registry key affect AddVolume calling? I think it is used only when drivers are loading. The class GUID is not changed.

As was pointed out earlier, this is the wrong newsgroup; move it to NTDEV.
How are you determining the AddDevice sequence? Could it be you missed the
volume? It comes awfully early in the boot.


Don Burn (MVP, Windows DDK)
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr
Remove StopSpam to reply

wrote in message news:xxxxx@ntfsd…
> It is WDM based. Interestingly, AddDevice is called for all other
> volumes. My Boot volume is HarddiskVolume2, and while receiving AddDevice
> I see the following sequence of volumes it is called for:
> HarddiskVolume1
> HarddiskVolume3
> HarddiskVolume4
>
> and that is everything. HarddiskVolume2 is just skipped.
>
> One question: can Enum\Storage\Volume.… <- changes to this registry key
> affect AddVolume calling? I think it is used only when drivers are
> loading. The class GUID is not changed.
>

I’m sorry for posting here. Regarding AddDevice(), as I am a volume filter, I must be called every time ftdisk creates its PDO.

First, how is your driver set up in the INF file, i.e. are you sure you are
early enough to be put in the boot stack? Second, how do you know you are,
or are not, in the stack?


Don Burn (MVP, Windows DDK)
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr

wrote in message news:xxxxx@ntfsd…
> I’m sorry for posting here. Regarding AddDevice(), as I am a volume filter,
> I must be called every time ftdisk creates its PDO.
>

I’m changing the registry at boot time, before the Windows kernel loads: I add my driver to the registry as an upper-level filter in the VOLUME class and register it as a Service. After that I jmp to the bootsector code and it loads the Windows kernel. So my driver loads and AddDevice is called, but not for the system volume.

I know that I’m in the stack because I see which PDO comes in the AddDevice parameters.

I don’t know; perhaps the problem is in the boot sequence and the Boot Volume is created earlier than the others, but I don’t think so…

How are you changing the registry before the system loads? Sorry, that sounds
like a terrible hack that MALWARE uses. The boot volume is created very
early; you should be able to attach to it, but your scheme sounds like a
kludge.


Don Burn (MVP, Windows DDK)
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr

wrote in message news:xxxxx@ntfsd…
> I’m changing the registry at boot time, before the Windows kernel loads: I
> add my driver to the registry as an upper-level filter in the VOLUME class
> and register it as a Service. After that I jmp to the bootsector code and it
> loads the Windows kernel. So my driver loads and AddDevice is called, but
> not for the system volume.
>
> I know that I’m in the stack because I see which PDO comes in the AddDevice
> parameters.
>
> I don’t know; perhaps the problem is in the boot sequence and the Boot Volume
> is created earlier than the others, but I don’t think so…
>
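
The class-filter registration discussed in this exchange can be audited from the defender's side. As an added example (not code from any poster in this thread), this PowerShell lists every filter registered on the Volume setup class with its service start type and driver signature status; the `$Baseline` allow-list is an assumption to replace with your own image's known-good values.

```powershell
# Added example: audit class filters on the Volume setup class (run elevated).
# The GUID is the standard Volume setup class GUID.
$ClassKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{71A27CDD-812A-11D0-BEC7-08002BE2092F}'
$SvcRoot  = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$Baseline = @('volsnap')   # hypothetical allow-list; adjust for your build

function Resolve-DriverImage([string]$ImagePath, [string]$Name) {
    # A service with no ImagePath defaults to System32\drivers\<name>.sys
    if (-not $ImagePath) { $ImagePath = "System32\drivers\$Name.sys" }
    # Strip the NT-style prefixes "\??\" and "\SystemRoot\"
    $p = $ImagePath -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', ''
    if (-not [IO.Path]::IsPathRooted($p)) { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-VolumeClassFilterAudit {
    $class = Get-ItemProperty -Path $ClassKey -ErrorAction Stop
    foreach ($kind in 'UpperFilters', 'LowerFilters') {
        foreach ($name in @($class.$kind)) {
            if (-not $name) { continue }          # value absent or empty
            $svc    = Get-ItemProperty -Path (Join-Path $SvcRoot $name) -ErrorAction SilentlyContinue
            $image  = Resolve-DriverImage $svc.ImagePath $name
            $onDisk = Test-Path -LiteralPath $image
            $sig    = if ($onDisk) { (Get-AuthenticodeSignature -LiteralPath $image).Status }
                      else { 'FileMissing' }
            [pscustomobject]@{
                Kind       = $kind
                Filter     = $name
                ServiceKey = [bool]$svc           # False: filter name has no service entry
                Start      = $svc.Start           # 0 = boot start
                Image      = $image
                Signature  = $sig
                InBaseline = $Baseline -contains $name
            }
        }
    }
}

Get-VolumeClassFilterAudit | Format-Table -AutoSize
```

Entries outside the baseline, with a non-`Valid` signature, or with a missing service key or image file are the ones to investigate. Because this reads the live registry, comparing the result with the same values read from an offline copy of the SYSTEM hive shows whether the running system is reporting them faithfully.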

I developed a loader that loads from the MBR and does some implementation; after that it adds my volume filter to the registry as a Service and as a filter for Volume. Don’t worry about it, I’m not a hacker :)

I suspect your loader is the culprit. It is likely that your loader is not
getting things set up correctly or in time. Why can’t you just make this a
class filter like most people do?


Don Burn (MVP, Windows DDK)
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr

wrote in message news:xxxxx@ntfsd…
> I developed a loader that loads from the MBR and does some implementation; after
> that it adds my volume filter to the registry as a Service and as a filter for
> Volume. Don’t worry about it, I’m not a hacker :)
>

It is needed by feature requirements to be non-visible in the system. Just to say (it is a special protection system).

This thread has been moved to NTDEV.

Please no further postings on this thread.

Peter
OSR