Filter Driver Unload

Hello All.
IS it possible to unload a Upper class filter driver to unload automatically
during boot up itself or not to allow it to load at all…
In the sense that i have to add some conditions based on which the Upper
class filter driver is to load or not.

I found a good example in Windows Device driver book saying that we can just
return STATUS_SUCCESS from the AddDevice routine so that it
does not attach toe the device stack.
But even if do that i can see that my Driver Verifier says that the filter
driver is loaded.

What i have to do is say in DriverEntry i have to add a condition like
say…

int cond()
{
if((1+1)==2)
return 1;
else
return 0;
}

DriverEntry(…)
{

if(cond())
proceed nicely;
else
unloadmenow();
}

Thanks very much
Regards
Shal

If you can determine at DriverEntry that your condition is true, then return
an error status (making sure your driver’s ErrorControl setting is
SERVICE_ERROR_IGNORE). You may want the error status to be a custom value
so you can indicate that this is an expected action.

–
Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
Remove StopSpam from the email to reply

“Shalini” wrote in message news:xxxxx@ntdev…
> Hello All.
> IS it possible to unload a Upper class filter driver to unload
automatically
> during boot up itself or not to allow it to load at all…
> In the sense that i have to add some conditions based on which the Upper
> class filter driver is to load or not.
>
> I found a good example in Windows Device driver book saying that we can
just
> return STATUS_SUCCESS from the AddDevice routine so that it
> does not attach toe the device stack.
> But even if do that i can see that my Driver Verifier says that the filter
> driver is loaded.
>
> What i have to do is say in DriverEntry i have to add a condition like
> say…
>
>
> int cond()
> {
> if((1+1)==2)
> return 1;
> else
> return 0;
> }
>
>
> DriverEntry(…)
> {
>
> if(cond())
> proceed nicely;
> else
> unloadmenow();
> }
>
> Thanks very much
> Regards
> Shal
>
>
>

Hi Don
thanks for the reply…
Based on that what i did was

I set the ErrorControl setting to 0 which means SERVICE_ERROR_IGNORE…
then i created a #define STATUS_CUSTOMERROR 2453

Then in my DriverEntry i did as

DriverEntry(…)
{
if(!cond())
return STATUS_CUSTOMERROR;

}

Though my IRP_MJ_READ/WRITE and others were not mapped but still my driver
verifier says that my driver is loaded?
Is it a normal practice or am i doing something wrong?

Thanks…
Regards
Shal.

“Don Burn” wrote in message news:xxxxx@ntdev…
> If you can determine at DriverEntry that your condition is true, then
> return
> an error status (making sure your driver’s ErrorControl setting is
> SERVICE_ERROR_IGNORE). You may want the error status to be a custom value
> so you can indicate that this is an expected action.
>
>
> –
> Don Burn (MVP, Windows DDK)
> Windows 2k/XP/2k3 Filesystem and Driver Consulting
> Remove StopSpam from the email to reply
>
>
> “Shalini” wrote in message news:xxxxx@ntdev…
>> Hello All.
>> IS it possible to unload a Upper class filter driver to unload
> automatically
>> during boot up itself or not to allow it to load at all…
>> In the sense that i have to add some conditions based on which the Upper
>> class filter driver is to load or not.
>>
>> I found a good example in Windows Device driver book saying that we can
> just
>> return STATUS_SUCCESS from the AddDevice routine so that it
>> does not attach toe the device stack.
>> But even if do that i can see that my Driver Verifier says that the
>> filter
>> driver is loaded.
>>
>> What i have to do is say in DriverEntry i have to add a condition like
>> say…
>>
>>
>> int cond()
>> {
>> if((1+1)==2)
>> return 1;
>> else
>> return 0;
>> }
>>
>>
>> DriverEntry(…)
>> {
>>
>> if(cond())
>> proceed nicely;
>> else
>> unloadmenow();
>> }
>>
>> Thanks very much
>> Regards
>> Shal
>>
>>
>>
>
>
>

You can fail driver entry (by returning an error status) and that will
result in an unload of your driver.

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Shalini
Sent: Wednesday, December 29, 2004 3:40 PM
To: Windows System Software Devs Interest List
Subject: [ntdev] Filter Driver Unload

Hello All.
IS it possible to unload a Upper class filter driver to
unload automatically during boot up itself or not to allow it
to load at all…
In the sense that i have to add some conditions based on
which the Upper class filter driver is to load or not.

I found a good example in Windows Device driver book saying
that we can just return STATUS_SUCCESS from the AddDevice
routine so that it does not attach toe the device stack.
But even if do that i can see that my Driver Verifier says
that the filter driver is loaded.

What i have to do is say in DriverEntry i have to add a
condition like say…

int cond()
{
if((1+1)==2)
return 1;
else
return 0;
}

DriverEntry(…)
{

if(cond())
proceed nicely;
else
unloadmenow();
}

Thanks very much
Regards
Shal

---

Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as: xxxxx@hollistech.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

Your STATUS_CUSTOMERROR is a warning code, this will allow things to be
loaded. Try STATUS_UNSUCCESSFUL. You custom status value should be of the
form 0xEhhhhhhh where h are hex digits.

–
Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
Remove StopSpam from the email to reply

“Shalini” wrote in message news:xxxxx@ntdev…
> Hi Don
> thanks for the reply…
> Based on that what i did was
>
> I set the ErrorControl setting to 0 which means SERVICE_ERROR_IGNORE…
> then i created a #define STATUS_CUSTOMERROR 2453
>
> Then in my DriverEntry i did as
>
> DriverEntry(…)
> {
> if(!cond())
> return STATUS_CUSTOMERROR;
>
> }
>
> Though my IRP_MJ_READ/WRITE and others were not mapped but still my driver
> verifier says that my driver is loaded?
> Is it a normal practice or am i doing something wrong?
>
> Thanks…
> Regards
> Shal.
>
>
>
> “Don Burn” wrote in message news:xxxxx@ntdev…
> > If you can determine at DriverEntry that your condition is true, then
> > return
> > an error status (making sure your driver’s ErrorControl setting is
> > SERVICE_ERROR_IGNORE). You may want the error status to be a custom
value
> > so you can indicate that this is an expected action.
> >
> >
> > –
> > Don Burn (MVP, Windows DDK)
> > Windows 2k/XP/2k3 Filesystem and Driver Consulting
> > Remove StopSpam from the email to reply
> >
> >
> > “Shalini” wrote in message news:xxxxx@ntdev…
> >> Hello All.
> >> IS it possible to unload a Upper class filter driver to unload
> > automatically
> >> during boot up itself or not to allow it to load at all…
> >> In the sense that i have to add some conditions based on which the
Upper
> >> class filter driver is to load or not.
> >>
> >> I found a good example in Windows Device driver book saying that we can
> > just
> >> return STATUS_SUCCESS from the AddDevice routine so that it
> >> does not attach toe the device stack.
> >> But even if do that i can see that my Driver Verifier says that the
> >> filter
> >> driver is loaded.
> >>
> >> What i have to do is say in DriverEntry i have to add a condition like
> >> say…
> >>
> >>
> >> int cond()
> >> {
> >> if((1+1)==2)
> >> return 1;
> >> else
> >> return 0;
> >> }
> >>
> >>
> >> DriverEntry(…)
> >> {
> >>
> >> if(cond())
> >> proceed nicely;
> >> else
> >> unloadmenow();
> >> }
> >>
> >> Thanks very much
> >> Regards
> >> Shal
> >>
> >>
> >>
> >
> >
> >
>
>
>

Hello Don and Mark

Whenever i return either STATUS_UNSUCCESSFUL or STATUS_CUSTOMERROR (where
its #defined to 0xE2222222)
i get the Bugcheck 0x000000CE. Attached is the thing that i obtained from
the debugger…

Also my DriverEntry() function looks like

DriverEntry()
{
ULONG ulIndex;
PDRIVER_DISPATCH * dispatch;

if(!Condition())
return(STATUS_CUSTOM_VALUE);

//Other info here…

}

*** Fatal System Error: 0x000000ce
(0xBFD97000,0x00000000,0x80458399,0x00000000)

The mydriver.sys driver may be at fault.
Break instruction exception - code 80000003 (first chance)

A fatal system error has occurred.
Debugger entered on first try; Bugcheck callbacks have not been invoked.

A fatal system error has occurred.

Connected to Windows 2000 2195 x86 compatible target, ptr64 FALSE
Loading Kernel Symbols
…
Loading unloaded module list
No unloaded module list present
Loading User Symbols
*******************************************************************************
*
*
* Bugcheck Analysis
*
*
*
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck CE, {bfd97000, 0, 80458399, 0}

Probably caused by : ntoskrnl.exe ( nt!RtlImageNtHeader+f )

Followup: MachineOwner

nt!RtlpBreakWithStatusInstruction:
80452e70 cc int 3
kd> !analyze -v
*******************************************************************************
*
*
* Bugcheck Analysis
*
*
*
*******************************************************************************

DRIVER_UNLOADED_WITHOUT_CANCELLING_PENDING_OPERATIONS (ce)
A driver unloaded without cancelling timers, DPCs, worker threads, etc.
The broken driver’s name is displayed on the screen.
Arguments:
Arg1: bfd97000, memory referenced
Arg2: 00000000, value 0 = read operation, 1 = write operation
Arg3: 80458399, If non-zero, the instruction address which referenced the
bad memory
address.
Arg4: 00000000, Mm internal code.

Debugging Details:

READ_ADDRESS: bfd97000 Nonpaged pool

FAULTING_IP:
nt!RtlImageNtHeader+f
80458399 6681394d5a cmp word ptr [ecx],0x5a4d

DEFAULT_BUCKET_ID: DRIVER_FAULT

BUGCHECK_STR: 0xCE

LAST_CONTROL_TRANSFER: from 8054dd2a to 80458399

TRAP_FRAME: eb41b7a0 – (.trap ffffffffeb41b7a0)
ErrCode = 00000000
eax=00000000 ebx=eb41b88c ecx=bfd97000 edx=00000001 esi=8007ceb8
edi=bfd97000
eip=80458399 esp=eb41b814 ebp=eb41b854 iopl=0 nv up ei ng nz ac pe
cy
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000
efl=00010293
nt!RtlImageNtHeader+0xf:
80458399 6681394d5a cmp word ptr [ecx],0x5a4d
Resetting default scope

STACK_TEXT:
eb41b810 8054dd2a bfd97000 8007ceb8 e13793e8 nt!RtlImageNtHeader+0xf
eb41b854 8054daff 84dd06b0 8007a770 bfd97300
nt!IopInitializeBuiltinDriver+0xed
eb41b8b8 8054c574 80087000 eb41ba00 00000000
nt!IopInitializeBootDrivers+0x2d0
eb41ba58 8054b35a 80087000 00000000 00000000 nt!IoInitSystem+0x5ef
eb41bda8 804524f6 80087000 00000000 00000000 nt!Phase1Initialization+0x71b
eb41bddc 80465b62 8054aca6 80087000 00000000 nt!PspSystemThreadStartup+0x69
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16

FOLLOWUP_IP:
nt!RtlImageNtHeader+f
80458399 6681394d5a cmp word ptr [ecx],0x5a4d

SYMBOL_STACK_INDEX: 0

FOLLOWUP_NAME: MachineOwner

SYMBOL_NAME: nt!RtlImageNtHeader+f

MODULE_NAME: nt

IMAGE_NAME: ntoskrnl.exe

DEBUG_FLR_IMAGE_TIMESTAMP: 384d9b17

STACK_COMMAND: .trap ffffffffeb41b7a0 ; kb

BUCKET_ID: 0xCE_nt!RtlImageNtHeader+f

Followup: MachineOwner

“Don Burn” wrote in message news:xxxxx@ntdev…
> Your STATUS_CUSTOMERROR is a warning code, this will allow things to be
> loaded. Try STATUS_UNSUCCESSFUL. You custom status value should be of
> the
> form 0xEhhhhhhh where h are hex digits.
>
>
> –
> Don Burn (MVP, Windows DDK)
> Windows 2k/XP/2k3 Filesystem and Driver Consulting
> Remove StopSpam from the email to reply
>
> “Shalini” wrote in message news:xxxxx@ntdev…
>> Hi Don
>> thanks for the reply…
>> Based on that what i did was
>>
>> I set the ErrorControl setting to 0 which means SERVICE_ERROR_IGNORE…
>> then i created a #define STATUS_CUSTOMERROR 2453
>>
>> Then in my DriverEntry i did as
>>
>> DriverEntry(…)
>> {
>> if(!cond())
>> return STATUS_CUSTOMERROR;
>>
>> }
>>
>> Though my IRP_MJ_READ/WRITE and others were not mapped but still my
>> driver
>> verifier says that my driver is loaded?
>> Is it a normal practice or am i doing something wrong?
>>
>> Thanks…
>> Regards
>> Shal.
>>
>>
>>
>> “Don Burn” wrote in message news:xxxxx@ntdev…
>> > If you can determine at DriverEntry that your condition is true, then
>> > return
>> > an error status (making sure your driver’s ErrorControl setting is
>> > SERVICE_ERROR_IGNORE). You may want the error status to be a custom
> value
>> > so you can indicate that this is an expected action.
>> >
>> >
>> > –
>> > Don Burn (MVP, Windows DDK)
>> > Windows 2k/XP/2k3 Filesystem and Driver Consulting
>> > Remove StopSpam from the email to reply
>> >
>> >
>> > “Shalini” wrote in message news:xxxxx@ntdev…
>> >> Hello All.
>> >> IS it possible to unload a Upper class filter driver to unload
>> > automatically
>> >> during boot up itself or not to allow it to load at all…
>> >> In the sense that i have to add some conditions based on which the
> Upper
>> >> class filter driver is to load or not.
>> >>
>> >> I found a good example in Windows Device driver book saying that we
>> >> can
>> > just
>> >> return STATUS_SUCCESS from the AddDevice routine so that it
>> >> does not attach toe the device stack.
>> >> But even if do that i can see that my Driver Verifier says that the
>> >> filter
>> >> driver is loaded.
>> >>
>> >> What i have to do is say in DriverEntry i have to add a condition like
>> >> say…
>> >>
>> >>
>> >> int cond()
>> >> {
>> >> if((1+1)==2)
>> >> return 1;
>> >> else
>> >> return 0;
>> >> }
>> >>
>> >>
>> >> DriverEntry(…)
>> >> {
>> >>
>> >> if(cond())
>> >> proceed nicely;
>> >> else
>> >> unloadmenow();
>> >> }
>> >>
>> >> Thanks very much
>> >> Regards
>> >> Shal
>> >>
>> >>
>> >>
>> >
>> >
>> >
>>
>>
>>
>
>
>

STATUS_CUSTOM_VALUE and STATUS_CUSTOMERROR are same…actually…I

Also replace it by STATUS_UNSUCCESSFUL it gives me the same bugcheck.

“Shalini” wrote in message news:xxxxx@ntdev…
> Hello Don and Mark
>
> Whenever i return either STATUS_UNSUCCESSFUL or STATUS_CUSTOMERROR (where
> its #defined to 0xE2222222)
> i get the Bugcheck 0x000000CE. Attached is the thing that i obtained from
> the debugger…
>
> Also my DriverEntry() function looks like
>
> DriverEntry()
> {
> ULONG ulIndex;
> PDRIVER_DISPATCH * dispatch;
>
>
>
> if(!Condition())
> return(STATUS_CUSTOM_VALUE);
>
>
> //Other info here…
>
> }
>
>
> Fatal System Error: 0x000000ce
> (0xBFD97000,0x00000000,0x80458399,0x00000000)
>
> The mydriver.sys driver may be at fault.
> Break instruction exception - code 80000003 (first chance)
>
> A fatal system error has occurred.
> Debugger entered on first try; Bugcheck callbacks have not been invoked.
>
> A fatal system error has occurred.
>
> Connected to Windows 2000 2195 x86 compatible target, ptr64 FALSE
> Loading Kernel Symbols
> …
> Loading unloaded module list
> No unloaded module list present
> Loading User Symbols
>****************************************************************************
> * *
> * Bugcheck Analysis *
> * *
>
>
> Use !analyze -v to get detailed debugging information.
>
> BugCheck CE, {bfd97000, 0, 80458399, 0}
>
> Probably caused by : ntoskrnl.exe ( nt!RtlImageNtHeader+f )
>
> Followup: MachineOwner
> ---------
>
> nt!RtlpBreakWithStatusInstruction:
> 80452e70 cc int 3
> kd> !analyze -v
>
> * *
> * Bugcheck Analysis *
> * *
> *******************************************************************************
>
> DRIVER_UNLOADED_WITHOUT_CANCELLING_PENDING_OPERATIONS (ce)
> A driver unloaded without cancelling timers, DPCs, worker threads, etc.
> The broken driver’s name is displayed on the screen.
> Arguments:
> Arg1: bfd97000, memory referenced
> Arg2: 00000000, value 0 = read operation, 1 = write operation
> Arg3: 80458399, If non-zero, the instruction address which referenced the
> bad memory
> address.
> Arg4: 00000000, Mm internal code.
>
> Debugging Details:
> ------------------
>
>
> READ_ADDRESS: bfd97000 Nonpaged pool
>
> FAULTING_IP:
> nt!RtlImageNtHeader+f
> 80458399 6681394d5a cmp word ptr [ecx],0x5a4d
>
> DEFAULT_BUCKET_ID: DRIVER_FAULT
>
> BUGCHECK_STR: 0xCE
>
> LAST_CONTROL_TRANSFER: from 8054dd2a to 80458399
>
> TRAP_FRAME: eb41b7a0 – (.trap ffffffffeb41b7a0)
> ErrCode = 00000000
> eax=00000000 ebx=eb41b88c ecx=bfd97000 edx=00000001 esi=8007ceb8
> edi=bfd97000
> eip=80458399 esp=eb41b814 ebp=eb41b854 iopl=0 nv up ei ng nz ac pe
> cy
> cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010293
> nt!RtlImageNtHeader+0xf:
> 80458399 6681394d5a cmp word ptr [ecx],0x5a4d
> Resetting default scope
>
> STACK_TEXT:
> eb41b810 8054dd2a bfd97000 8007ceb8 e13793e8 nt!RtlImageNtHeader+0xf
> eb41b854 8054daff 84dd06b0 8007a770 bfd97300
> nt!IopInitializeBuiltinDriver+0xed
> eb41b8b8 8054c574 80087000 eb41ba00 00000000
> nt!IopInitializeBootDrivers+0x2d0
> eb41ba58 8054b35a 80087000 00000000 00000000 nt!IoInitSystem+0x5ef
> eb41bda8 804524f6 80087000 00000000 00000000 nt!Phase1Initialization+0x71b
> eb41bddc 80465b62 8054aca6 80087000 00000000
> nt!PspSystemThreadStartup+0x69
> 00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16
>
>
> FOLLOWUP_IP:
> nt!RtlImageNtHeader+f
> 80458399 6681394d5a cmp word ptr [ecx],0x5a4d
>
> SYMBOL_STACK_INDEX: 0
>
> FOLLOWUP_NAME: MachineOwner
>
> SYMBOL_NAME: nt!RtlImageNtHeader+f
>
> MODULE_NAME: nt
>
> IMAGE_NAME: ntoskrnl.exe
>
> DEBUG_FLR_IMAGE_TIMESTAMP: 384d9b17
>
> STACK_COMMAND: .trap ffffffffeb41b7a0 ; kb
>
> BUCKET_ID: 0xCE_nt!RtlImageNtHeader+f
>
> Followup: MachineOwner
> ---------
>
>
>
> “Don Burn” wrote in message news:xxxxx@ntdev…
>> Your STATUS_CUSTOMERROR is a warning code, this will allow things to be
>> loaded. Try STATUS_UNSUCCESSFUL. You custom status value should be of
>> the
>> form 0xEhhhhhhh where h are hex digits.
>>
>>
>> –
>> Don Burn (MVP, Windows DDK)
>> Windows 2k/XP/2k3 Filesystem and Driver Consulting
>> Remove StopSpam from the email to reply
>>
>> “Shalini” wrote in message news:xxxxx@ntdev…
>>> Hi Don
>>> thanks for the reply…
>>> Based on that what i did was
>>>
>>> I set the ErrorControl setting to 0 which means SERVICE_ERROR_IGNORE…
>>> then i created a #define STATUS_CUSTOMERROR 2453
>>>
>>> Then in my DriverEntry i did as
>>>
>>> DriverEntry(…)
>>> {
>>> if(!cond())
>>> return STATUS_CUSTOMERROR;
>>>
>>> }
>>>
>>> Though my IRP_MJ_READ/WRITE and others were not mapped but still my
>>> driver
>>> verifier says that my driver is loaded?
>>> Is it a normal practice or am i doing something wrong?
>>>
>>> Thanks…
>>> Regards
>>> Shal.
>>>
>>>
>>>
>>> “Don Burn” wrote in message news:xxxxx@ntdev…
>>> > If you can determine at DriverEntry that your condition is true, then
>>> > return
>>> > an error status (making sure your driver’s ErrorControl setting is
>>> > SERVICE_ERROR_IGNORE). You may want the error status to be a custom
>> value
>>> > so you can indicate that this is an expected action.
>>> >
>>> >
>>> > –
>>> > Don Burn (MVP, Windows DDK)
>>> > Windows 2k/XP/2k3 Filesystem and Driver Consulting
>>> > Remove StopSpam from the email to reply
>>> >
>>> >
>>> > “Shalini” wrote in message
>>> > news:xxxxx@ntdev…
>>> >> Hello All.
>>> >> IS it possible to unload a Upper class filter driver to unload
>>> > automatically
>>> >> during boot up itself or not to allow it to load at all…
>>> >> In the sense that i have to add some conditions based on which the
>> Upper
>>> >> class filter driver is to load or not.
>>> >>
>>> >> I found a good example in Windows Device driver book saying that we
>>> >> can
>>> > just
>>> >> return STATUS_SUCCESS from the AddDevice routine so that it
>>> >> does not attach toe the device stack.
>>> >> But even if do that i can see that my Driver Verifier says that the
>>> >> filter
>>> >> driver is loaded.
>>> >>
>>> >> What i have to do is say in DriverEntry i have to add a condition
>>> >> like
>>> >> say…
>>> >>
>>> >>
>>> >> int cond()
>>> >> {
>>> >> if((1+1)==2)
>>> >> return 1;
>>> >> else
>>> >> return 0;
>>> >> }
>>> >>
>>> >>
>>> >> DriverEntry(…)
>>> >> {
>>> >>
>>> >> if(cond())
>>> >> proceed nicely;
>>> >> else
>>> >> unloadmenow();
>>> >> }
>>> >>
>>> >> Thanks very much
>>> >> Regards
>>> >> Shal
>>> >>
>>> >>
>>> >>
>>> >
>>> >
>>> >
>>>
>>>
>>>
>>
>>
>>
>
>
>

Are you entirely sure you didn’t start something in DriverEntry that you
ought to have finished before exiting with that status code? The text from
!analyze suggests something like that was forgotten.

–
James Antognini
Windows DDK Support

This posting is provided “AS IS” with no warranties, and confers no rights.

“Shalini” wrote in message news:xxxxx@ntdev…
> Hello Don and Mark
>
> Whenever i return either STATUS_UNSUCCESSFUL or STATUS_CUSTOMERROR (where
> its #defined to 0xE2222222)
> i get the Bugcheck 0x000000CE. Attached is the thing that i obtained from
> the debugger…
>
> Also my DriverEntry() function looks like
>
> DriverEntry()
> {
> ULONG ulIndex;
> PDRIVER_DISPATCH * dispatch;
>
>
>
> if(!Condition())
> return(STATUS_CUSTOM_VALUE);
>
>
> //Other info here…
>
> }
>
>
> Fatal System Error: 0x000000ce
> (0xBFD97000,0x00000000,0x80458399,0x00000000)
>
> The mydriver.sys driver may be at fault.
> Break instruction exception - code 80000003 (first chance)
>
> A fatal system error has occurred.
> Debugger entered on first try; Bugcheck callbacks have not been invoked.
>
> A fatal system error has occurred.
>
> Connected to Windows 2000 2195 x86 compatible target, ptr64 FALSE
> Loading Kernel Symbols
> …
> Loading unloaded module list
> No unloaded module list present
> Loading User Symbols
>****************************************************************************
> * *
> * Bugcheck Analysis *
> * *
>
>
> Use !analyze -v to get detailed debugging information.
>
> BugCheck CE, {bfd97000, 0, 80458399, 0}
>
> Probably caused by : ntoskrnl.exe ( nt!RtlImageNtHeader+f )
>
> Followup: MachineOwner
> ---------
>
> nt!RtlpBreakWithStatusInstruction:
> 80452e70 cc int 3
> kd> !analyze -v
>
> * *
> * Bugcheck Analysis *
> * *
> *******************************************************************************
>
> DRIVER_UNLOADED_WITHOUT_CANCELLING_PENDING_OPERATIONS (ce)
> A driver unloaded without cancelling timers, DPCs, worker threads, etc.
> The broken driver’s name is displayed on the screen.
> Arguments:
> Arg1: bfd97000, memory referenced
> Arg2: 00000000, value 0 = read operation, 1 = write operation
> Arg3: 80458399, If non-zero, the instruction address which referenced the
> bad memory
> address.
> Arg4: 00000000, Mm internal code.
>
> Debugging Details:
> ------------------
>
>
> READ_ADDRESS: bfd97000 Nonpaged pool
>
> FAULTING_IP:
> nt!RtlImageNtHeader+f
> 80458399 6681394d5a cmp word ptr [ecx],0x5a4d
>
> DEFAULT_BUCKET_ID: DRIVER_FAULT
>
> BUGCHECK_STR: 0xCE
>
> LAST_CONTROL_TRANSFER: from 8054dd2a to 80458399
>
> TRAP_FRAME: eb41b7a0 – (.trap ffffffffeb41b7a0)
> ErrCode = 00000000
> eax=00000000 ebx=eb41b88c ecx=bfd97000 edx=00000001 esi=8007ceb8
> edi=bfd97000
> eip=80458399 esp=eb41b814 ebp=eb41b854 iopl=0 nv up ei ng nz ac pe
> cy
> cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010293
> nt!RtlImageNtHeader+0xf:
> 80458399 6681394d5a cmp word ptr [ecx],0x5a4d
> Resetting default scope
>
> STACK_TEXT:
> eb41b810 8054dd2a bfd97000 8007ceb8 e13793e8 nt!RtlImageNtHeader+0xf
> eb41b854 8054daff 84dd06b0 8007a770 bfd97300
> nt!IopInitializeBuiltinDriver+0xed
> eb41b8b8 8054c574 80087000 eb41ba00 00000000
> nt!IopInitializeBootDrivers+0x2d0
> eb41ba58 8054b35a 80087000 00000000 00000000 nt!IoInitSystem+0x5ef
> eb41bda8 804524f6 80087000 00000000 00000000 nt!Phase1Initialization+0x71b
> eb41bddc 80465b62 8054aca6 80087000 00000000
> nt!PspSystemThreadStartup+0x69
> 00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16
>
>
> FOLLOWUP_IP:
> nt!RtlImageNtHeader+f
> 80458399 6681394d5a cmp word ptr [ecx],0x5a4d
>
> SYMBOL_STACK_INDEX: 0
>
> FOLLOWUP_NAME: MachineOwner
>
> SYMBOL_NAME: nt!RtlImageNtHeader+f
>
> MODULE_NAME: nt
>
> IMAGE_NAME: ntoskrnl.exe
>
> DEBUG_FLR_IMAGE_TIMESTAMP: 384d9b17
>
> STACK_COMMAND: .trap ffffffffeb41b7a0 ; kb
>
> BUCKET_ID: 0xCE_nt!RtlImageNtHeader+f
>
> Followup: MachineOwner
> ---------
>
>
>
> “Don Burn” wrote in message news:xxxxx@ntdev…
>> Your STATUS_CUSTOMERROR is a warning code, this will allow things to be
>> loaded. Try STATUS_UNSUCCESSFUL. You custom status value should be of
>> the
>> form 0xEhhhhhhh where h are hex digits.
>>
>>
>> –
>> Don Burn (MVP, Windows DDK)
>> Windows 2k/XP/2k3 Filesystem and Driver Consulting
>> Remove StopSpam from the email to reply
>>
>> “Shalini” wrote in message news:xxxxx@ntdev…
>>> Hi Don
>>> thanks for the reply…
>>> Based on that what i did was
>>>
>>> I set the ErrorControl setting to 0 which means SERVICE_ERROR_IGNORE…
>>> then i created a #define STATUS_CUSTOMERROR 2453
>>>
>>> Then in my DriverEntry i did as
>>>
>>> DriverEntry(…)
>>> {
>>> if(!cond())
>>> return STATUS_CUSTOMERROR;
>>>
>>> }
>>>
>>> Though my IRP_MJ_READ/WRITE and others were not mapped but still my
>>> driver
>>> verifier says that my driver is loaded?
>>> Is it a normal practice or am i doing something wrong?
>>>
>>> Thanks…
>>> Regards
>>> Shal.
>>>
>>>
>>>
>>> “Don Burn” wrote in message news:xxxxx@ntdev…
>>> > If you can determine at DriverEntry that your condition is true, then
>>> > return
>>> > an error status (making sure your driver’s ErrorControl setting is
>>> > SERVICE_ERROR_IGNORE). You may want the error status to be a custom
>> value
>>> > so you can indicate that this is an expected action.
>>> >
>>> >
>>> > –
>>> > Don Burn (MVP, Windows DDK)
>>> > Windows 2k/XP/2k3 Filesystem and Driver Consulting
>>> > Remove StopSpam from the email to reply
>>> >
>>> >
>>> > “Shalini” wrote in message
>>> > news:xxxxx@ntdev…
>>> >> Hello All.
>>> >> IS it possible to unload a Upper class filter driver to unload
>>> > automatically
>>> >> during boot up itself or not to allow it to load at all…
>>> >> In the sense that i have to add some conditions based on which the
>> Upper
>>> >> class filter driver is to load or not.
>>> >>
>>> >> I found a good example in Windows Device driver book saying that we
>>> >> can
>>> > just
>>> >> return STATUS_SUCCESS from the AddDevice routine so that it
>>> >> does not attach toe the device stack.
>>> >> But even if do that i can see that my Driver Verifier says that the
>>> >> filter
>>> >> driver is loaded.
>>> >>
>>> >> What i have to do is say in DriverEntry i have to add a condition
>>> >> like
>>> >> say…
>>> >>
>>> >>
>>> >> int cond()
>>> >> {
>>> >> if((1+1)==2)
>>> >> return 1;
>>> >> else
>>> >> return 0;
>>> >> }
>>> >>
>>> >>
>>> >> DriverEntry(…)
>>> >> {
>>> >>
>>> >> if(cond())
>>> >> proceed nicely;
>>> >> else
>>> >> unloadmenow();
>>> >> }
>>> >>
>>> >> Thanks very much
>>> >> Regards
>>> >> Shal
>>> >>
>>> >>
>>> >>
>>> >
>>> >
>>> >
>>>
>>>
>>>
>>
>>
>>
>
>
>

James you are the master of understatement

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of James
Antognini [MSFT]
Sent: Wednesday, December 29, 2004 5:47 PM
To: Windows System Software Devs Interest List
Subject: Re:[ntdev] Filter Driver Unload

Are you entirely sure you didn’t start something in
DriverEntry that you ought to have finished before exiting
with that status code? The text from !analyze suggests
something like that was forgotten.

–
James Antognini
Windows DDK Support

This posting is provided “AS IS” with no warranties, and
confers no rights.

“Shalini” wrote in message
> news:xxxxx@ntdev…
> > Hello Don and Mark
> >
> > Whenever i return either STATUS_UNSUCCESSFUL or STATUS_CUSTOMERROR
> > (where its #defined to 0xE2222222) i get the Bugcheck 0x000000CE.
> > Attached is the thing that i obtained from the debugger…
> >
> > Also my DriverEntry() function looks like
> >
> > DriverEntry()
> > {
> > ULONG ulIndex;
> > PDRIVER_DISPATCH * dispatch;
> >
> >
> >
> > if(!Condition())
> > return(STATUS_CUSTOM_VALUE);
> >
> >
> > //Other info here…
> >
> > }
> >
> >
> > Fatal System Error: 0x000000ce
> > (0xBFD97000,0x00000000,0x80458399,0x00000000)
> >
> > The mydriver.sys driver may be at fault.
> > Break instruction exception - code 80000003 (first chance)
> >
> > A fatal system error has occurred.
> > Debugger entered on first try; Bugcheck callbacks have not
> been invoked.
> >
> > A fatal system error has occurred.
> >
> > Connected to Windows 2000 2195 x86 compatible target, ptr64 FALSE
> > Loading Kernel Symbols …
> > Loading unloaded module list
> > No unloaded module list present
> > Loading User Symbols
> >
>
> >
> > *
> > * Bugcheck Analysis
> > *
> >
>
> >
> >
> > Use !analyze -v to get detailed debugging information.
> >
> > BugCheck CE, {bfd97000, 0, 80458399, 0}
> >
> > Probably caused by : ntoskrnl.exe ( nt!RtlImageNtHeader+f )
> >
> > Followup: MachineOwner
> > ---------
> >
> > nt!RtlpBreakWithStatusInstruction:
> > 80452e70 cc int 3
> > kd> !analyze -v
> >
>
> >
> > *
> > * Bugcheck Analysis
> > *
> >
>******
> > *********
> >
> > DRIVER_UNLOADED_WITHOUT_CANCELLING_PENDING_OPERATIONS (ce) A driver
> > unloaded without cancelling timers, DPCs, worker threads, etc.
> > The broken driver’s name is displayed on the screen.
> > Arguments:
> > Arg1: bfd97000, memory referenced
> > Arg2: 00000000, value 0 = read operation, 1 = write operation
> > Arg3: 80458399, If non-zero, the instruction address which
> referenced
> > the bad memory address.
> > Arg4: 00000000, Mm internal code.
> >
> > Debugging Details:
> > ------------------
> >
> >
> > READ_ADDRESS: bfd97000 Nonpaged pool
> >
> > FAULTING_IP:
> > nt!RtlImageNtHeader+f
> > 80458399 6681394d5a cmp word ptr [ecx],0x5a4d
> >
> > DEFAULT_BUCKET_ID: DRIVER_FAULT
> >
> > BUGCHECK_STR: 0xCE
> >
> > LAST_CONTROL_TRANSFER: from 8054dd2a to 80458399
> >
> > TRAP_FRAME: eb41b7a0 – (.trap ffffffffeb41b7a0) ErrCode =
> 00000000
> > eax=00000000 ebx=eb41b88c ecx=bfd97000 edx=00000001 esi=8007ceb8
> > edi=bfd97000
> > eip=80458399 esp=eb41b814 ebp=eb41b854 iopl=0 nv up
> ei ng nz ac pe
> > cy
> > cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010293
> > nt!RtlImageNtHeader+0xf:
> > 80458399 6681394d5a cmp word ptr [ecx],0x5a4d
> > Resetting default scope
> >
> > STACK_TEXT:
> > eb41b810 8054dd2a bfd97000 8007ceb8 e13793e8 nt!RtlImageNtHeader+0xf
> > eb41b854 8054daff 84dd06b0 8007a770 bfd97300
> > nt!IopInitializeBuiltinDriver+0xed
> > eb41b8b8 8054c574 80087000 eb41ba00 00000000
> > nt!IopInitializeBootDrivers+0x2d0
> > eb41ba58 8054b35a 80087000 00000000 00000000 nt!IoInitSystem+0x5ef
> > eb41bda8 804524f6 80087000 00000000 00000000
> > nt!Phase1Initialization+0x71b eb41bddc 80465b62 8054aca6 80087000
> > 00000000
> > nt!PspSystemThreadStartup+0x69
> > 00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16
> >
> >
> > FOLLOWUP_IP:
> > nt!RtlImageNtHeader+f
> > 80458399 6681394d5a cmp word ptr [ecx],0x5a4d
> >
> > SYMBOL_STACK_INDEX: 0
> >
> > FOLLOWUP_NAME: MachineOwner
> >
> > SYMBOL_NAME: nt!RtlImageNtHeader+f
> >
> > MODULE_NAME: nt
> >
> > IMAGE_NAME: ntoskrnl.exe
> >
> > DEBUG_FLR_IMAGE_TIMESTAMP: 384d9b17
> >
> > STACK_COMMAND: .trap ffffffffeb41b7a0 ; kb
> >
> > BUCKET_ID: 0xCE_nt!RtlImageNtHeader+f
> >
> > Followup: MachineOwner
> > ---------
> >
> >
> >
> > “Don Burn” wrote in message news:xxxxx@ntdev…
> >> Your STATUS_CUSTOMERROR is a warning code, this will allow
> things to
> >> be loaded. Try STATUS_UNSUCCESSFUL. You custom status
> value should
> >> be of the form 0xEhhhhhhh where h are hex digits.
> >>
> >>
> >> –
> >> Don Burn (MVP, Windows DDK)
> >> Windows 2k/XP/2k3 Filesystem and Driver Consulting Remove StopSpam
> >> from the email to reply
> >>
> >> “Shalini” wrote in message
> news:xxxxx@ntdev…
> >>> Hi Don
> >>> thanks for the reply…
> >>> Based on that what i did was
> >>>
> >>> I set the ErrorControl setting to 0 which means
> SERVICE_ERROR_IGNORE…
> >>> then i created a #define STATUS_CUSTOMERROR 2453
> >>>
> >>> Then in my DriverEntry i did as
> >>>
> >>> DriverEntry(…)
> >>> {
> >>> if(!cond())
> >>> return STATUS_CUSTOMERROR;
> >>>
> >>> }
> >>>
> >>> Though my IRP_MJ_READ/WRITE and others were not mapped
> but still my
> >>> driver verifier says that my driver is loaded?
> >>> Is it a normal practice or am i doing something wrong?
> >>>
> >>> Thanks…
> >>> Regards
> >>> Shal.
> >>>
> >>>
> >>>
> >>> “Don Burn” wrote in message news:xxxxx@ntdev…
> >>> > If you can determine at DriverEntry that your condition
> is true,
> >>> > then return an error status (making sure your driver’s
> >>> > ErrorControl setting is SERVICE_ERROR_IGNORE). You may
> want the
> >>> > error status to be a custom
> >> value
> >>> > so you can indicate that this is an expected action.
> >>> >
> >>> >
> >>> > –
> >>> > Don Burn (MVP, Windows DDK)
> >>> > Windows 2k/XP/2k3 Filesystem and Driver Consulting
> Remove StopSpam
> >>> > from the email to reply
> >>> >
> >>> >
> >>> > “Shalini” wrote in message
> >>> > news:xxxxx@ntdev…
> >>> >> Hello All.
> >>> >> IS it possible to unload a Upper class filter driver to unload
> >>> > automatically
> >>> >> during boot up itself or not to allow it to load at all…
> >>> >> In the sense that i have to add some conditions based on which
> >>> >> the
> >> Upper
> >>> >> class filter driver is to load or not.
> >>> >>
> >>> >> I found a good example in Windows Device driver book
> saying that
> >>> >> we can
> >>> > just
> >>> >> return STATUS_SUCCESS from the AddDevice routine so
> that it does
> >>> >> not attach toe the device stack.
> >>> >> But even if do that i can see that my Driver Verifier
> says that
> >>> >> the filter driver is loaded.
> >>> >>
> >>> >> What i have to do is say in DriverEntry i have to add
> a condition
> >>> >> like say…
> >>> >>
> >>> >>
> >>> >> int cond()
> >>> >> {
> >>> >> if((1+1)==2)
> >>> >> return 1;
> >>> >> else
> >>> >> return 0;
> >>> >> }
> >>> >>
> >>> >>
> >>> >> DriverEntry(…)
> >>> >> {
> >>> >>
> >>> >> if(cond())
> >>> >> proceed nicely;
> >>> >> else
> >>> >> unloadmenow();
> >>> >> }
> >>> >>
> >>> >> Thanks very much
> >>> >> Regards
> >>> >> Shal
> >>> >>
> >>> >>
> >>> >>
> >>> >
> >>> >
> >>> >
> >>>
> >>>
> >>>
> >>
> >>
> >>
> >
> >
> >
>
>
>
> —
> Questions? First check the Kernel Driver FAQ at
> http://www.osronline.com/article.cfm?id=256
>
> You are currently subscribed to ntdev as: xxxxx@hollistech.com
> To unsubscribe send a blank email to xxxxx@lists.osr.com
>

> DRIVER_UNLOADED_WITHOUT_CANCELLING_PENDING_OPERATIONS (ce)

A driver unloaded without cancelling timers, DPCs, worker threads, etc.
The broken driver’s name is displayed on the screen.

It seems that this is a pretty clear statement of what is probably going
wrong.

It looks like you allocated something in DriverEntry before returning the
error code, and didn’t free it before returning with the error that expected
you to be loaded.

Or perhaps you allocted it somewhere else, and didn’t clean it up by the end
of DriverUnload.

Loren

Hi
I made my condition() very simple…
Say i am just including now a if statement in my driver entry

My ErrorControl in my INF File is set to 0(0x00000000)

#define STATUS_CUSTOM_VALUE 0XE2222222

DriverEntry(…)
{
ULONG ulIndex;
PDRIVER_DISPATCH * dispatch;
if(1)
return(STATUS_CUSTOM_VALUE);

//other info these will never be callled…’

}
Still i get the BugCheck CE
Any ideas guys???
Thanks and Regards
Shal.

“Loren Wilton” wrote in message news:xxxxx@ntdev…
>> DRIVER_UNLOADED_WITHOUT_CANCELLING_PENDING_OPERATIONS (ce)
>> A driver unloaded without cancelling timers, DPCs, worker threads, etc.
>> The broken driver’s name is displayed on the screen.
>
> It seems that this is a pretty clear statement of what is probably going
> wrong.
>
> It looks like you allocated something in DriverEntry before returning the
> error code, and didn’t free it before returning with the error that
> expected
> you to be loaded.
>
> Or perhaps you allocted it somewhere else, and didn’t clean it up by the
> end
> of DriverUnload.
>
> Loren
>
>

Shalini wrote:

My ErrorControl in my INF File is set to 0(0x00000000)

#define STATUS_CUSTOM_VALUE 0XE2222222

DriverEntry(…)
{
ULONG ulIndex;
PDRIVER_DISPATCH * dispatch;
if(1)
return(STATUS_CUSTOM_VALUE);

//other info these will never be callled…’

}

Still i get the BugCheck CE

What O/S is this on? And please don’t say Win9x…

Peter
OSR

No its Windows 2000 Professional.
:-(((

“Peter Viscarola (OSR)” wrote in message
news:xxxxx@ntdev…
> Shalini wrote:
>>
>> My ErrorControl in my INF File is set to 0(0x00000000)
>>
>> #define STATUS_CUSTOM_VALUE 0XE2222222
>>
>> DriverEntry(…)
>> {
>> ULONG ulIndex;
>> PDRIVER_DISPATCH * dispatch;
>> if(1)
>> return(STATUS_CUSTOM_VALUE);
>>
>> //other info these will never be callled…'
>>
>> }
>
>> Still i get the BugCheck CE
>
> What O/S is this on? And please don’t say Win9x…
>
> Peter
> OSR
>

OK so the odd thing is that your crash is provoked, at least according to
you stack trace, in RtlImageNtHeader. This is called BEFORE your driver
entry routine is invoked.

Also - you are a boot start driver. I think failing driver entry on a boot
start driver is a bad idea. I can’t find anything that documents that this
is a bad idea, but I do seem to recall that the effects are unpleasant. Try
not being boot start. System start for example.

Your bug check is actually a translation of PAGE_FAULT_IN_NONPAGED_AREA, the
location accessed is a read at bfd97000, which I think is most likely your
driver image.

I seem to recall that we had a similar problem, where a driver entry routine
basically got optimized out of existence, even in the checked build, and it
also crapped out NT on load.

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Shalini
Sent: Thursday, December 30, 2004 10:15 AM
To: Windows System Software Devs Interest List
Subject: Re:[ntdev] Re:Filter Driver Unload

Hi
I made my condition() very simple…
Say i am just including now a if statement in my driver entry

My ErrorControl in my INF File is set to 0(0x00000000)
> #define STATUS_CUSTOM_VALUE 0XE2222222

DriverEntry(…)
{
ULONG ulIndex;
PDRIVER_DISPATCH * dispatch;
if(1)
return(STATUS_CUSTOM_VALUE);

//other info these will never be callled…’

}
Still i get the BugCheck CE
Any ideas guys???
Thanks and Regards
Shal.

“Loren Wilton” wrote in message
> news:xxxxx@ntdev…
> >> DRIVER_UNLOADED_WITHOUT_CANCELLING_PENDING_OPERATIONS (ce)
> A driver
> >> unloaded without cancelling timers, DPCs, worker threads, etc.
> >> The broken driver’s name is displayed on the screen.
> >
> > It seems that this is a pretty clear statement of what is probably
> > going wrong.
> >
> > It looks like you allocated something in DriverEntry before
> returning
> > the error code, and didn’t free it before returning with the error
> > that expected you to be loaded.
> >
> > Or perhaps you allocted it somewhere else, and didn’t clean
> it up by
> > the end of DriverUnload.
> >
> > Loren
> >
> >
>
>
>
> —
> Questions? First check the Kernel Driver FAQ at
> http://www.osronline.com/article.cfm?id=256
>
> You are currently subscribed to ntdev as:
> xxxxx@hollistech.com To unsubscribe send a blank email to
> xxxxx@lists.osr.com
>

Hi Shalini,

I know this thread has many answers, but most are suggesting that you
fail in DriverEntry(). This works, but requires you to set the flag
that says that your driver not loading is not an error.

Another option (and one used by me since Win2k in CDAUDIO.SYS) is to
succeed DriverEntry() as normal, but to check the condition during your
AddDevice() routine. If you never create a device object in
AddDevice(), but return STATUS_SUCCESS, your driver will get unloaded.
Note that this method will result in an errlog entry in Win2k RTM (no
idea about SPs).

The above method allows you to control your driver’s load/unload
behavior conditionally on a per-device basis, which is more flexible
than the below. Also, if the condition is static for a given device
instance, the following basic logic works very well:

AddDevice:
read registry entry “DriverRequired”
if “DriverRequired” is FALSE (-1), return STATUS_SUCCESS
if “DriverRequired” is TRUE (1),
deviceExtension->Search = FALSE
deviceExtension->Required = TRUE
else deviceExtension->Search = TRUE
deviceExtension->Required = FALSE

StartDev
forward irp down stack (allows you to initiate IO)
if deviceExtension->Search
send IO down stack, examine device, etc.
(on error paths, don’t save in registry)
set deviceExtension->Search = FALSE
set deviceExtension->Required appropriately
save result in registry for future boots
If !(deviceExtension->Required)
don’t need to allocate anything for this object
else
normal allocations

Dispatch routines:
start them all with:
if (!deviceExtension->Required) ForwardIrp();

This can greatly reduce memory consumption if you have many devices that
load your driver, but don’t require it to load (such as disk filters on
large storage arrays).

Hth,
.

-----Original Message-----
From: Shalini [mailto:xxxxx@yahoo.com]
Sent: Wednesday, December 29, 2004 12:40 PM
Subject: Filter Driver Unload

Hello All.
IS it possible to unload a Upper class filter driver to unload
automatically during boot up itself or not to allow it to load at all…
In the sense that i have to add some conditions based on which the Upper
class filter driver is to load or not.

I found a good example in Windows Device driver book saying that we can
just return STATUS_SUCCESS from the AddDevice routine so that it does
not attach toe the device stack.
But even if do that i can see that my Driver Verifier says that the
filter driver is loaded.

What i have to do is say in DriverEntry i have to add a condition like
say…

int cond()
{
if((1+1)==2)
return 1;
else
return 0;
}

DriverEntry(…)
{

if(cond())
proceed nicely;
else
unloadmenow();
}

Thanks very much
Regards
Shal