Filter Driver Recovery Mode Question

Hi Guys,

I am trying to add a feature to my filter to protect the system in the event
that a ropey filter driver gets installed after me. I was thinking of
storing information within the registry about whether the machine started
ok, and was shutdown cleanly etc.

I was just wondering what the last opportunity is that a driver has to write to
the registry. I tried registering for shutdown notification because I
thought I would be able to do it there, but WinDBG moans about my driver
trying to write to the registry after shutdown. Sometimes the data is
written, other times it isn’t.

Any thoughts?

Ben Curley
DESlock+ Lead Programmer
Data Encryption Systems Ltd.

Tel: +44 (0)1823 352357 (Main)
Tel: +44 (0)1823 358320 (Direct Dial)

Web: http://www.deslock.com
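The "did the last boot and shutdown go cleanly" bookkeeping described above, as an added example that is not code from the thread or from DESlock+. The registry is replaced by a small in-memory record so the logic compiles and runs anywhere; in a real filter the two store_* functions would wrap ZwQueryValueKey/ZwSetValueKey on a key of the driver's choosing (an assumption, not a detail from the thread). The three phases, the unclean-boot threshold and the recovery decision are constructed for illustration. The design point it shows is that the load-time logic must tolerate a missing clean-shutdown marker, since the thread reports the shutdown-time write itself being unreliable.

```c
/* Added example: a last-boot-outcome state machine for a filter driver's
 * recovery mode. The registry is stood in for by g_store (assumption). */
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Boot phases the filter records; the value persists across reboots. */
typedef enum {
    PHASE_NONE = 0,          /* first run: no previous record at all */
    PHASE_BOOT_STARTED = 1,  /* written as early as possible at driver load */
    PHASE_BOOT_OK = 2,       /* written once the system has been up a while */
    PHASE_SHUTDOWN_CLEAN = 3 /* written from the shutdown notification */
} BootPhase;

/* Persisted record: last phase reached plus the number of consecutive
 * boots that did not end with a clean-shutdown marker. */
typedef struct {
    BootPhase last_phase;
    unsigned  unclean_count;
} BootRecord;

/* Stand-in for the registry key (constructed for the example). */
static BootRecord g_store;
static BootRecord store_read(void)        { return g_store; }
static void       store_write(BootRecord r) { g_store = r; }

/* Policy knob (constructed value): back off after this many bad boots. */
#define MAX_UNCLEAN_BOOTS 2

typedef enum {
    MODE_NORMAL,   /* filter fully active */
    MODE_RECOVERY  /* pass-through: do not interpose on I/O this boot */
} FilterMode;

/* Called at driver load: judge the previous boot from what was recorded,
 * update the counter, then immediately record that a new boot began. */
FilterMode filter_on_load(void)
{
    BootRecord r = store_read();
    bool unclean;
    switch (r.last_phase) {
    case PHASE_NONE:           /* first install: nothing to judge */
    case PHASE_SHUTDOWN_CLEAN: /* previous session ended properly */
        unclean = false; break;
    case PHASE_BOOT_STARTED:   /* died before the system came up */
    case PHASE_BOOT_OK:        /* ran, but no clean-shutdown marker seen */
    default:
        unclean = true; break;
    }
    r.unclean_count = unclean ? r.unclean_count + 1 : 0;
    r.last_phase = PHASE_BOOT_STARTED;
    store_write(r);
    return r.unclean_count >= MAX_UNCLEAN_BOOTS ? MODE_RECOVERY : MODE_NORMAL;
}

/* Called once the system is considered up (e.g. from a delayed work item). */
void filter_on_boot_ok(void)
{
    BootRecord r = store_read();
    r.last_phase = PHASE_BOOT_OK;
    store_write(r);
}

/* Called from the shutdown handler. If this write is lost, the next load
 * counts the boot as unclean; a single lost marker is below the threshold. */
void filter_on_shutdown(void)
{
    BootRecord r = store_read();
    r.last_phase = PHASE_SHUTDOWN_CLEAN;
    store_write(r);
}

/* Helpers so the scenario can be driven stand-alone. */
unsigned store_unclean_count(void) { return g_store.unclean_count; }
void     store_reset(void)         { memset(&g_store, 0, sizeof g_store); }

int main(void)
{
    store_reset();
    /* boot 1: normal, clean shutdown */
    filter_on_load(); filter_on_boot_ok(); filter_on_shutdown();
    /* boots 2 and 3: each dies early, so neither later marker is written */
    filter_on_load();
    filter_on_load();
    /* boot 4: two consecutive unclean boots seen, filter backs off */
    FilterMode m = filter_on_load();
    printf("mode after repeated unclean boots: %s\n",
           m == MODE_RECOVERY ? "recovery" : "normal");
    return 0;
}
```

The threshold is what keeps a single flaky shutdown write from tripping recovery mode; only a run of boots with no clean marker counts against the filter, and one clean cycle resets the counter.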

Might the KeRegisterBugCheckCallback be better? IIRC, the data would be stored in
the memory dump, but that can be useful.
I am doing registry writes during shutdown, they always worked.

Regards, Dejan.


Questions? First check the IFS FAQ at https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: xxxxx@alfasp.com
To unsubscribe send a blank email to xxxxx@lists.osr.com


Kind regards, Dejan M. MVP for DDK
http://www.alfasp.com E-mail: xxxxx@alfasp.com
Alfa Transparent File Encryptor - Transparent file encryption services.
Alfa File Protector - File protection and hiding library for Win32 developers.
Alfa File Monitor - File monitoring library for Win32 developers.

Dejan,

Thanks for your reply, strange that your registry writes work and mine seem
flaky! :)

KeRegisterBugCheckCallback is an option but that would require our end users
generating a crash dump and then sending it to us! The problem with that
is that in order for the crash dump to be of any use we would require at
least a kernel memory dump, and this would be too large for a lot of our
customers to send.

I will try and investigate why writes to the registry during shutdown don't
seem to work as this is my preferred choice.

Regards

Ben

-----Original Message-----
From: Dejan Maksimovic [mailto:xxxxx@alfasp.com]
Sent: 09 January 2004 21:18
To: Windows File Systems Devs Interest List
Subject: Re: [ntfsd] Filter Driver Recovery Mode Question


There are several memory dump modes: small, kernel, and complete. The
small one tries to capture most of the pertinent details, such as stack
frames.

There’s really no reason not to use kernel memory dumps. And there is
definitely no use in trying to duplicate the value they provide.

– arlie

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@des.co.uk
Sent: Sunday, January 11, 2004 8:30 AM
To: Windows File Systems Devs Interest List
Subject: RE: [ntfsd] Filter Driver Recovery Mode Question


Arlie,

I am well aware that there are different dump modes, hence my statement
about having to get a kernel mode dump. As I said in my post, the size of a
kernel mode memory dump is way too big for a normal modem-based home user to
send us.

I am going back to trying to work out why the registry write is not working
anyway.

Ben

-----Original Message-----
From: Arlie Davis [mailto:xxxxx@sublinear.org]
Sent: 11 January 2004 15:54
To: Windows File Systems Devs Interest List
Subject: RE: [ntfsd] Filter Driver Recovery Mode Question


Sorry, I must have missed a few posts.

Have you tried compressing the mini dumps? There is a lot of redundancy
in them – they would probably compress quite well.

– arlie

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@des.co.uk
Sent: Sunday, January 11, 2004 11:03 AM
To: Windows File Systems Devs Interest List
Subject: RE: [ntfsd] Filter Driver Recovery Mode Question


KeRegisterBugCheckCallback will only allow writing of data in OSes pre
Win2k3. You will have to use KeRegisterBugCheckReasonCallback if you hope
to get data out in Win2k3.

This whole discussion makes me wonder if you have just considered using OCA.
If your customers are willing to report the crash to Microsoft you should
get the data you are looking for from the OCA analysis.

Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting

----- Original Message -----
From:
To: “Windows File Systems Devs Interest List”
Sent: Sunday, January 11, 2004 8:29 AM
Subject: RE: [ntfsd] Filter Driver Recovery Mode Question
