Does anyone know how to make a build of the FastFAT sample driver work on
XP?
I naively tried copying the newly built driver to windows\system32\drivers
thinking that it would be loaded instead of the original one. In fact the
original driver just simply reappeared, overwriting the debug version.
Thanks
--
Steven Braggs, Software Engineer, Sophos Anti-Virus
Email: xxxxx@sophos.com, Tel: 01235 559933, Web: www.sophos.com
Add live virus info to your website: http://www.sophos.com/link/vfeed
You have discovered System File Protection.
Try using the debugger - it will replace the driver (using .kdfiles) and
bypass the whole system file protection model.
Regards,
Tony
Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc.
http://www.osr.com
-----Original Message-----
From: xxxxx@sophos.com [mailto:xxxxx@sophos.com]
Sent: Wednesday, May 14, 2003 11:08 AM
To: File Systems Developers
Subject: [ntfsd] Fastfat sample
“Tony Mason” wrote in message news:xxxxx@ntfsd…
>
> You have discovered System File Protection.
>
> Try using the debugger - it will replace the driver (using .kdfiles) and
> bypass the whole system file protection model.
Is the FS driver loaded late enough to be replaced by .kdfiles? Boot start
drivers are loaded by NTLDR, and can’t be replaced by the kernel debugger.
Only drivers loaded by the kernel can. We went over this ad nauseam on
Windbg last year.
Some potential good news is that the latest Windbg beta (6.2.7.4) docs say
that boot start drivers can be replaced by booting with a special
debug-enabled NTLDR. It says this NTLDR only works with COM1 @ 115200, and
apparently bypasses the boot.ini entirely. I’ve not tested it to see if it
really works yet.
Phil
--
Philip D. Barila
Seagate Technology, LLC
(720) 684-1842
As if I need to say it: Not speaking for Seagate.
If FastFAT is your boot driver, you have to do this via the bootstrap loader
debugging (documented in the WinDBG docs for 6.2.7.4). Otherwise, you can
use the normal debugging.
If *I* were debugging and playing games with FASTFAT, I’d be booting off
NTFS. But I’m paranoid.
Tony
Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc.
http://www.osr.com
-----Original Message-----
From: Phil Barila [mailto:xxxxx@Seagate.com]
Sent: Wednesday, May 14, 2003 12:10 PM
To: File Systems Developers
Subject: [ntfsd] Re: Fastfat sample