File system filter driver unload problem!

Hi, ntfsd!

I have a file system filter driver to intercept file operations. The
problem is that when I tried to unload it I got a crash. I wonder if
there's a safe way to install and unload a file system filter driver
dynamically. I use the SCM to install and unload it.

By the way, it seems that FilemonNT does not have this problem; here
is some log:
When I reboot the system and start FilemonNT for the first time, I get
its actions as follows:
file operation:
Filemon.exe OverwriteIf C:\WINDOWS\system32\Drivers\FILEM701.SYS
Filemon.exe Write C:\WINDOWS\system32\Drivers\FILEM701.SYS
Filemon.exe Write C:\WINDOWS\system32\Drivers\FILEM701.SYS
Filemon.exe Delete C:\WINDOWS\system32\Drivers\FILEM701.SYS

registry operation:
Filemon.exe CreateKey HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\FILEMON701 Key: 0xE1C1F920 SUCCESS
Filemon.exe SetValue HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\FILEMON701\Type 0x1 SUCCESS
Filemon.exe SetValue HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\FILEMON701\ErrorControl 0x1 SUCCESS
Filemon.exe SetValue HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\FILEMON701\Start 0x3 SUCCESS
Filemon.exe SetValue HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\FILEMON701\ImagePath "\??\C:\WINDOWS\system32\Drivers\FILEM701.SYS" SUCCESS
Filemon.exe DeleteKey HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\FILEMON701 Key: 0xE1C1F920 SUCCESS
Filemon.exe CreateKey HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\FILEMON701 Key: 0xE1C1F920 SUCCESS
Filemon.exe SetValue HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\FILEMON701\Type 0x1 SUCCESS
Filemon.exe SetValue HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\FILEMON701\ErrorControl 0x1 SUCCESS
Filemon.exe SetValue HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\FILEMON701\Start 0x3 SUCCESS
Filemon.exe SetValue HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\FILEMON701\ImagePath "\??\C:\WINDOWS\system32\Drivers\FILEM701.SYS" SUCCESS
Filemon.exe DeleteKey HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\FILEMON701\Enum Key: 0xE1C1F920 SUCCESS
Filemon.exe DeleteKey HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\FILEMON701 Key: 0xE1C1F920 SUCCESS

It is obvious that it does use a driver "filemon701.sys" and installs
it as a service, but how can it delete the service key right after
installing it and still function properly?

When I run it for the second time, it does no file operations any
more and directly creates a service key. Does it mean that Filemon
did not unload its driver when it terminated?

Best Regards,
Yt.G
2007-03-21

So-called legacy file system filter drivers cannot be unloaded safely. I
believe the subject matter has been covered on this list at least once over
time and a search will provide more information for you.

In contrast, mini-filter drivers can unload; this is just one of the great
reasons to write a mini-filter driver instead of a so-called legacy filter
driver.

Cheers
Lyndon
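As an added example (not code from this thread, from Filemon or from any project discussed here), this is the service-control side of installing, loading, unloading and removing a mini-filter dynamically, which is what the question asks for; it writes the same service values Filemon's log shows plus the Instances key Filter Manager requires. The driver name, file path and load-order group are assumptions, and the altitude is a placeholder because real altitudes are allocated by Microsoft.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell.
# Assumptions: driver file MyFilter.sys, service name MyFilter, and
# ALTITUDE_PLACEHOLDER standing in for a Microsoft-assigned altitude.
param(
    [string]$Name     = "MyFilter",
    [string]$SysPath  = "C:\Drivers\MyFilter.sys",
    [string]$Altitude = "ALTITUDE_PLACEHOLDER",
    [string]$Group    = "FSFilter Activity Monitor"   # assumed load-order group
)

$svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
$inst   = "$svcKey\Instances"

function Install-MiniFilter {
    # Same values Filemon's log shows (Type 0x1 kernel driver, Start 0x3 demand,
    # ErrorControl 0x1 normal), plus the group and FltMgr dependency a
    # mini-filter needs so it loads after Filter Manager.
    sc.exe create $Name type= kernel start= demand error= normal `
        binPath= $SysPath group= $Group depend= FltMgr DisplayName= $Name | Out-Null
    # Mini-filter specific: FltRegisterFilter fails without an Instances
    # subkey naming a default instance with an Altitude and Flags value.
    New-Item -Path "$inst\$Name Instance" -Force | Out-Null
    New-ItemProperty -Path $inst -Name DefaultInstance -Value "$Name Instance" `
        -PropertyType String -Force | Out-Null
    New-ItemProperty -Path "$inst\$Name Instance" -Name Altitude -Value $Altitude `
        -PropertyType String -Force | Out-Null
    New-ItemProperty -Path "$inst\$Name Instance" -Name Flags -Value 0 `
        -PropertyType DWord -Force | Out-Null
}

function Start-MiniFilter { fltmc.exe load $Name }

function Stop-MiniFilter {
    # Unloading through Filter Manager detaches every instance and calls the
    # driver's FilterUnloadCallback before the image goes away; this is the
    # safe path that a legacy filter stopped with "sc stop" does not have.
    fltmc.exe unload $Name
}

function Test-MiniFilterLoaded {
    # True while the filter still shows up in Filter Manager's list.
    [bool](fltmc.exe filters | Select-String -SimpleMatch -Pattern $Name)
}

function Uninstall-MiniFilter {
    if (Test-MiniFilterLoaded) { Stop-MiniFilter }
    if (Test-MiniFilterLoaded) { throw "$Name refused to unload; not deleting service" }
    sc.exe delete $Name | Out-Null
}
```

Dot-source the script and call Install-MiniFilter, Start-MiniFilter, Stop-MiniFilter and Uninstall-MiniFilter in that order; a driver whose unload callback returns a failure status stays listed by fltmc, which Uninstall-MiniFilter treats as a reason not to delete the service.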

Thanks for the reply, I'll have a try.

Best Regards,
Yt.G
2007-03-21

From: Lyndon J Clarke
Date: 2007-03-21 21:09:26
To: Windows File Systems Devs Interest List
Cc:
Subject: Re:[ntfsd] File system filter driver unload problem!